Assigned Malware redirects every Google domain from my browsers

This thread is being handled by a member of the staff.
Status
Not open for further replies.

jeremycards

New Member
Thread author
Apr 4, 2022
10
Hello, so i've been having a weird problem since yesterday, every time i try to enter gmail, google maps, or even just do a google search from any of my browsers URL bar, i get a privacy breach error. This happens on all of my browsers.

So i ran Malwarebytes and it indeed found a redirect malware on my pc, so i proceeded to quarentine them all, but the problem persists... further scans with both Malwarebytes and Avira have no new results.

My guess is that some hosts file remain changed despite the virus being gone, but i have no idea how to find it or fix it... so, help?
attached are the files in quarentine, the error i get in Opera (tough i get the same in chrome or firefox) and the FRST file as requested. Thanks in advance for the help!

(Edit: Ok i can't attach the FRST file for the life of me, also wont let me post it in code or spoiler tags =/)
 

Attachments

  • 1.png
    1.png
    53.1 KB · Views: 27
  • 2.png
    2.png
    55.2 KB · Views: 24
  • 3.png
    3.png
    30.8 KB · Views: 24

jeremycards

New Member
Thread author
Apr 4, 2022
10
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 01-04-2022
Ran by Jeremy (administrator) on ENDING_SEKAI (Gigabyte Technology Co., Ltd. H170M-DS3H) (04-04-2022 21:04:56)
Running from C:\Users\Jeremy\Desktop
Loaded Profiles: Jeremy
Platform: Microsoft Windows 10 Pro Version 21H1 19043.1620 (X64) Language: English (United States)
Default browser: Opera
Boot Mode: Normal

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(C:\Program Files (x86)\Avira\Antivirus\avguard.exe ->) (Avira Operations GmbH & Co. KG -> Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Antivirus\avshadow.exe
(C:\Program Files (x86)\CCleaner Browser\Update\CCleanerBrowserUpdate.exe ->) (Piriform Software Ltd -> Piriform Software) C:\Program Files (x86)\CCleaner Browser\Update\1.8.1067.0\CCleanerBrowserCrashHandler.exe
(C:\Program Files (x86)\CCleaner Browser\Update\CCleanerBrowserUpdate.exe ->) (Piriform Software Ltd -> Piriform Software) C:\Program Files (x86)\CCleaner Browser\Update\1.8.1067.0\CCleanerBrowserCrashHandler64.exe
(C:\Program Files (x86)\Dropbox\Client\Dropbox.exe ->) (Dropbox, Inc -> The Qt Company Ltd.) C:\Program Files (x86)\Dropbox\Client\145.4.4921\QtWebEngineProcess.exe <3>
(C:\Program Files (x86)\Google\Update\GoogleUpdate.exe ->) (Google LLC -> Google LLC) C:\Program Files (x86)\Google\Update\1.3.36.122\GoogleCrashHandler.exe
(C:\Program Files (x86)\Google\Update\GoogleUpdate.exe ->) (Google LLC -> Google LLC) C:\Program Files (x86)\Google\Update\1.3.36.122\GoogleCrashHandler64.exe
(C:\Program Files (x86)\Razer\Synapse3\Service\Razer Synapse Service.exe ->) (Razer USA Ltd. -> ) C:\Program Files (x86)\Razer\Synapse3\UserProcess\Razer Synapse Service Process.exe
(C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe ->) (Malwarebytes Inc -> Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(C:\Users\Jeremy\AppData\Local\Programs\Opera GX\opera.exe ->) (Opera Software AS -> Opera Software) C:\Users\Jeremy\AppData\Local\Programs\Opera GX\84.0.4316.52\opera_crashreporter.exe
(Dropbox, Inc -> Dropbox, Inc.) C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
(explorer.exe ->) (Google LLC -> ) C:\Program Files\Google\Drive File Stream\56.0.7.0\crashpad_handler.exe <2>
(explorer.exe ->) (Google LLC -> Google, Inc.) C:\Program Files\Google\Drive File Stream\56.0.7.0\GoogleDriveFS.exe <8>
(explorer.exe ->) (Valve Corp. -> Valve Corporation) F:\Steam\steam.exe
(F:\Steam\steam.exe ->) (Valve Corp. -> Valve Corporation) F:\Steam\bin\cef\cef.win7x64\steamwebhelper.exe <8>
(F:\SteamLibrary\steamapps\common\wallpaper_engine\wallpaper32.exe ->) (Skutta, Kristjan -> ) F:\SteamLibrary\steamapps\common\wallpaper_engine\bin\webwallpaper32.exe <6>
(Google Inc -> Google Inc.) C:\Program Files (x86)\Google\Update\GoogleUpdate.exe <2>
(Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\SppExtComObj.Exe
(Opera Software AS -> Opera Software) C:\Users\Jeremy\AppData\Local\Programs\Opera GX\opera.exe <19>
(Piriform Software Ltd -> Piriform Software Ltd) C:\Program Files\CCleaner\CCleaner64.exe
(Piriform Software Ltd -> Piriform Software) C:\Program Files (x86)\CCleaner Browser\Update\CCleanerBrowserUpdate.exe
(services.exe ->) (Adobe Inc. -> Adobe Inc.) C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
(services.exe ->) (Adobe Systems Incorporated -> Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\Adobe Desktop Common\ElevationManager\AdobeUpdateService.exe
(services.exe ->) (Avira Operations GmbH & Co. KG -> Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Antivirus\avguard.exe
(services.exe ->) (Avira Operations GmbH & Co. KG -> Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Antivirus\avmailc7.exe
(services.exe ->) (Avira Operations GmbH & Co. KG -> Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Antivirus\avwebg7.exe
(services.exe ->) (Avira Operations GmbH & Co. KG -> Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Antivirus\protectedservice.exe
(services.exe ->) (Avira Operations GmbH & Co. KG -> Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Antivirus\sched.exe
(services.exe ->) (Avira Operations GmbH & Co. KG -> Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Optimizer Host\Avira.OptimizerHost.exe
(services.exe ->) (Avira Operations GmbH & Co. KG -> Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Security\Avira.Spotlight.Service.exe
(services.exe ->) (Avira Operations GmbH & Co. KG -> Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\SoftwareUpdater\Avira.SoftwareUpdater.ServiceHost.exe
(services.exe ->) (Avira Operations GmbH & Co. KG -> Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\VPN\Avira.VpnService.exe
(services.exe ->) (Dropbox, Inc -> Dropbox, Inc.) C:\Windows\System32\DbxSvc.exe
(services.exe ->) (Flexera Software LLC -> Flexera) C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
(services.exe ->) (Malwarebytes Inc -> Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
(services.exe ->) (Microsoft Corporation -> Microsoft Corporation) C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
(services.exe ->) (Microsoft Corporation) C:\Program Files\WindowsApps\Microsoft.GamingServices_3.63.22003.0_x64__8wekyb3d8bbwe\gamingservices.exe
(services.exe ->) (Microsoft Corporation) C:\Program Files\WindowsApps\Microsoft.GamingServices_3.63.22003.0_x64__8wekyb3d8bbwe\gamingservicesnet.exe
(services.exe ->) (NVIDIA Corporation -> NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\NvContainer\nvcontainer.exe <2>
(services.exe ->) (Nvidia Corporation -> NVIDIA Corporation) C:\Windows\System32\DriverStore\FileRepository\nv_dispi.inf_amd64_015fa42d67826549\Display.NvContainer\NVDisplay.Container.exe <2>
(services.exe ->) (Popcorn Time) [File not signed] C:\Program Files (x86)\Popcorn Time\Updater.exe
(services.exe ->) (Razer USA Ltd. -> Razer Inc) C:\Program Files (x86)\Razer\Razer Services\GMS\GameManagerService.exe
(services.exe ->) (Razer USA Ltd. -> Razer Inc.) C:\Program Files (x86)\Razer\Razer Services\Razer Central\RazerCentralService.exe
(services.exe ->) (Razer USA Ltd. -> Razer Inc.) C:\Program Files (x86)\Razer\Synapse3\Service\Razer Synapse Service.exe
(services.exe ->) (Realtek Semiconductor Corp. -> Realtek Semiconductor) C:\Windows\System32\RtkAudUService64.exe <2>
(services.exe ->) (Valve Corp. -> Valve Corporation) C:\Program Files (x86)\Common Files\Steam\SteamService.exe
(svchost.exe ->) (Avira Operations GmbH & Co. KG -> Avira Operations GmbH & Co. KG) C:\Program Files (x86)\Avira\Security\Avira.Spotlight.Systray.Application.exe
(svchost.exe ->) (Dropbox, Inc -> Dropbox, Inc.) C:\Program Files (x86)\Dropbox\Client\Dropbox.exe <3>
(svchost.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\ImmersiveControlPanel\SystemSettings.exe
(svchost.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\dllhost.exe
(svchost.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\MoUsoCoreWorker.exe
(svchost.exe ->) (Microsoft Windows -> Microsoft Corporation) C:\Windows\System32\pacjsworker.exe
(svchost.exe ->) (Skutta, Kristjan -> ) F:\SteamLibrary\steamapps\common\wallpaper_engine\wallpaper32.exe

Ok i keep trying to post more parts to this in replies but i keep getting an error :S let me know if there's a better way to share this file plz.
 
Last edited:

nasdaq

Moderator
Verified
Staff member
Nov 5, 2019
745
Hello, Welcome to MalwareTips.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Let's check it out.


Download the Farbar Recovery Scan Tool (FRST).
Choose the 32 or 64 bit version for your system.
and save it to a folder on your computer's Desktop.
Ensure that you are in an Administrator Account
Double-click to run it. When the tool opens click Yes to disclaimer.
Check the boxes as seen here:
L7kNU5y.jpg

Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section in the bottom of the topic Click the "more reply Options" button.
[img=[URL]http://deeprybka.trojaner-board.de/eset/eng/attachlogs.png[/URL]]

Attach the file(s). A 2 Steps process.
Reply to this topic.
Select the "Choose a File" navigate to the location of the File.
Click the file you wish to Attach. <- Step 1.
Click Attach this file. <- Step 2.
Click the Add reply button.

Please post the logs for my review.

Let me know what problems persists.

Wait for further instructions

p.s.

The Farbar program is updated often.
If it's identified as suspicious by your Anti-Virus program trust it if Downloaded from the link I provided.
You should restore the program from the Quarantine folder.
<<<>>>
 

jeremycards

New Member
Thread author
Apr 4, 2022
10
Ok let me try again...

Edit: Ok, it just wont work... i attach the file but once i send the reply the file dosn't show up, i guess i'll just post screenshots of the txt file since images is the only thing its allowing :S Sorry for the inconvenience, i tried on different browsers but its the same in all.
 

Attachments

  • 4.png
    4.png
    166.8 KB · Views: 19
  • 6.png
    6.png
    153.3 KB · Views: 18
  • 5.png
    5.png
    179.5 KB · Views: 19
  • 7.png
    7.png
    177 KB · Views: 17
  • 8.png
    8.png
    176 KB · Views: 16
  • 9.png
    9.png
    167.7 KB · Views: 15
  • 10.png
    10.png
    129.4 KB · Views: 15
  • 11.png
    11.png
    123.3 KB · Views: 15
  • 12.png
    12.png
    142.1 KB · Views: 15
  • 13.png
    13.png
    136.2 KB · Views: 19
Last edited:

jeremycards

New Member
Thread author
Apr 4, 2022
10
just in case, here's the .txt attached to this reply.

No dice... i click save and it ends up like the post above. I hope the screenshots are good enough :S
 

Attachments

  • 14.png
    14.png
    28.6 KB · Views: 21

nasdaq

Moderator
Verified
Staff member
Nov 5, 2019
745
Hi,

That's nor working for me.

In your next reply attach the logs to this topic.

How to:

In the reply box select the Upload files button on the bottom letf.

Select the file and click attach

Do this for the 2 files that were created by the Farbar program.

Save the topic and post it.
 

jeremycards

New Member
Thread author
Apr 4, 2022
10
i'll try again....... Ok, wow, i finally made it. Aparently there were 3 lines in particular that for some reason wouldn't let me upload the file. I had to remove them from the txt and if i copy them in this message it wont even let me post it for some reason... they were in the "registry whitelisted" part where i left a blank, i'll put a screenshot of what it was just in case.
 

Attachments

  • excluded.png
    excluded.png
    20.1 KB · Views: 19
  • FRST.txt
    53.5 KB · Views: 21
  • Addition.txt
    63.5 KB · Views: 16

nasdaq

Moderator
Verified
Staff member
Nov 5, 2019
745
Hi,

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The Computer will restart when the fix is completed.

It will create a log (Fixlog.txt) please post it to your reply.
===

Please Attach the Fixlog.txt and let me know what problem persists.
 

Attachments

  • fixlist.txt
    4.6 KB · Views: 17

nasdaq

Moderator
Verified
Staff member
Nov 5, 2019
745
Hi,

Google security breach.

Follow the directives on this page to find out what may cause this error.



To check your passwords for security breach use this link.


Hope that helps.

p.s.

If the problem persists and Opera is synchronized between your devices, I suggest you Sign out.
Refer to this topic

Follow the instructions under the Sync Section.

When done restart Opera.

Restart the computer normally.

You can Sign in after the test if all is well.
<<<>>>
 

jeremycards

New Member
Thread author
Apr 4, 2022
10
Ah yes, i was aware of that data breach, has been a headache for a while, but i've been changing all my passwords to unique ones for a while now, the one i use right now for google is quite recent and unique so i'm fairly certain its not breached, the "i have been pwned" site seems to confirm that.

So i doubt the redirection problem is due to that, i changed my passwords a few months ago and i can enter normally from cellphones or my laptop.
 

nasdaq

Moderator
Verified
Staff member
Nov 5, 2019
745
Hi,

Try this fix.

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The Computer will restart when the fix is completed.

It will create a log (Fixlog.txt) please post it to your reply.
===

If the problem persists Clear Chrome Browsing Data:

Open Chrome settings > More Tools > Clear Browsing data

Be careful what you select.

I normally only delete the browsing History, The Download history, Cached images and files.

If the problem persists Clean the passwords ... this will mean that you will have to re-enter the password when you go to sites requesting a password.

Please post the Fixlog.txt and let me know what problem persists.
 

Attachments

  • fixlist.txt
    1.3 KB · Views: 16

jeremycards

New Member
Thread author
Apr 4, 2022
10
Alright, done, the problem persist so i deleted all the browsing data in chrome, i even restored it to default since its not the browser i normally use, but it still persist :S
 

Attachments

  • Fixlog.txt
    3.2 KB · Views: 13

jeremycards

New Member
Thread author
Apr 4, 2022
10
Hi,

Are you possibly using the same password on various sites?

This may be the only way to clear the password issue.

You could try by changing you passwords for the compromised sites.


Well when i found out about the data breach i started changing passwords to unique ones in every important page i could think of, and also checked the list that google gives you. Since these are passwords that i had for decades by now, there were hundreds of pages i had to change, so i ignored the ones without any sensitive information or where there couldn't do any damage, so technically those are still there. But i'd imagine if that was the issue it would happen on my laptop too at least, but i can do searches and everything there with the same account with no problem... wich leads me to believe the issue was something the malware did on this pc.
 

nasdaq

Moderator
Verified
Staff member
Nov 5, 2019
745
Hi,

Are you always using the Same Profile (Account)?
If not some of the others could be compromised. (not sure)

Was Opera Synced with other devices as I previous posted in post no. 10.

Have a look at this Malwarebytes's topic.

Resetting Google Chrome to clear unexpected issues

Hope that helps.
 

jeremycards

New Member
Thread author
Apr 4, 2022
10
Hi,

Are you always using the Same Profile (Account)?
If not some of the others could be compromised. (not sure)

Was Opera Synced with other devices as I previous posted in post no. 10.

Have a look at this Malwarebytes's topic.

Resetting Google Chrome to clear unexpected issues

Hope that helps.
Yes, in chrome and such i always use the same account, tho i have 3 gmail accounts for other purpouses. At least in my laptop and cell phone i don't have these problems when logged in with that same account.

Opera was synced with the mobile app, at least there im not having this issue either, in fact i usually do my searches there and share them with the pc browser with the flow option that Opera has.

Tried everything on that link, cleared the sync data and ran malwarebytes again with no detections... the problem persists =/

I'm starting to think i'll proceed with formatting the pc, some other problems are starting to pile up, like the start button only working on full screen mode and the search bar not working at all, been years since my last formatting so maybe it's time... Thanks a lot for your help! i've been asking around and nobody is able to fix the problem, so it seems i got something quite complicated going on, i hope formatting fixes everything. I really appreciate your time and effort! you guys are doing a great job at this forum, so thanks again!
 

nasdaq

Moderator
Verified
Staff member
Nov 5, 2019
745
Hi,

If I'm not too late I can give you instructions to remove Chrome Completely.
You will have to reinstall it after.
 
Status
Not open for further replies.