Solved Undetected chrome malware.

Status
Not open for further replies.

Javal

New Member
Thread author
May 16, 2016
9
As stated in the description, about a month ago or so popups started in Chrome even though I have Kaspersky Internet Security and AdBlock on all the time. I'm also not pirating any programs or games, and in that time I installed 1-2 games from STEAM.

In the beginning popups were rare; from time to time either a new page popped up or the page I was on redirected. I don't see a pattern here, it looks like random ads, mostly porn and casinos but even local clothes shops etc., so I doubt we can find the source by the redirect links.

Lately it's getting heavier and heavier. Every 3-5 clicks I have a redirect or popup, and even when googling from the URL bar it sometimes redirects me to google.com with an extra toolbar on top and doesn't search my results.

Also lately it started changing random text on sites into links to a search engine. The search engine is foryourweb dot net.

I have tried all the basic moves like checking the "Add or Remove" tool to clear everything (not much up there besides a couple of games), checking Chrome extensions, uninstalling and installing Chrome back, a full scan with KIS, scanning with 10+ malware removal programs. Not a single one detected anything.

I think the problem is with all browsers but I'm not sure; I was using Firefox and it happened from time to time, but that could be just ads from sites, so it might be only a Chrome problem.

I'm including FRST logs as you asked in the guide, but in the guide step 1 is FRST logs and step 2 is "ADD LOGS FROM 2 TOOLS". I'm a little bit confused as I don't see another tool mentioned there, but maybe I'm blind; ask for any logs and I will include them asap.
 

Attachments

  • Addition.txt
    33.7 KB · Views: 6
  • FRST.txt
    21.5 KB · Views: 3

Javal

New Member
Thread author
May 16, 2016
9
Not very polite of me, I forgot to say hello and thanks in advance for any help. Sorry for the spam but I don't see the edit button.
 

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Hello and welcome,



Please download Zemana AntiMalware and save it to your Desktop.
  • Install the program and once the installation is complete it will start automatically.
  • Without changing any options, press Scan to begin.
  • After the short scan is finished, if threats are detected press Next to remove them.
Note: If restart is required to finish the cleaning process, you should click Reboot. If reboot isn't required, please restart your computer manually.
  • Open Zemana AntiMalware again.
  • Click on the icon and double-click the latest report.
  • Now click File > Save As and choose your Desktop before pressing Save.
  • The only thing left is to attach the saved report to your next message.
 

Javal

New Member
Thread author
May 16, 2016
9
Ok, so I did the scan, clean and restart, but unfortunately only after that did I notice that the tool set the language automatically to Polish (my mother language) and the report is in Polish as well. I will try to translate, as the second scan shows nothing - thus no report.
The report file is uploaded, but I will copy it here and try to translate.

Zemana AntiMalware 2.20.2.613 (installer version)

-------------------------------------------------------
Scan result : Completed
Scan date : 2016-5-22
Operating system : Windows 7 64-bit
Processor : 4X AMD Phenom(tm) II X4 965 Processor
BIOS mode : Legacy
CUID : 003A833D37267844CBC19D
Scan type : Smart scan
Duration : 0m 52s
Scanned objects : 11811
Detected objects : 11
Excluded objects : 0
Read level : SCSI
Auto upload : Enabled
Detect all extensions : Disabled
Scan documents : Disabled
Domain info : WORKGROUP,0,2

Detected threats
-------------------------------------------------------

Internet Explorer Shortcut
Status : Scanned
Path : "Homepage"
MD5 : -
Publisher : -
Size : -
Version : -
Threat : Suspicious browser setting
Action : Repair
Related objects : Browser setting - Internet Explorer Shortcut

Internet Explorer Shortcut
Status : Scanned
Path : "Homepage"
MD5 : -
Publisher : -
Size : -
Version : -
Threat : Suspicious browser setting
Action : Repair
Related objects : Browser setting - Internet Explorer Shortcut

Internet Explorer Shortcut
Status : Scanned
Path : "Homepage"
MD5 : -
Publisher : -
Size : -
Version : -
Threat : Suspicious browser setting
Action : Repair
Related objects : Browser setting - Internet Explorer Shortcut

Internet Explorer Shortcut
Status : Scanned
Path : "Homepage"
MD5 : -
Publisher : -
Size : -
Version : -
Threat : Suspicious browser setting
Action : Repair
Related objects : Browser setting - Internet Explorer Shortcut

Firefox Shortcut
Status : Scanned
Path : "Homepage"
MD5 : -
Publisher : -
Size : -
Version : -
Threat : Suspicious browser setting
Action : Repair
Related objects : Browser setting - Firefox Shortcut

Firefox Shortcut
Status : Scanned
Path : "Homepage"
MD5 : -
Publisher : -
Size : -
Version : -
Threat : Suspicious browser setting
Action : Repair
Related objects : Browser setting - Firefox Shortcut

Firefox Shortcut
Status : Scanned
Path : "Homepage"
MD5 : -
Publisher : -
Size : -
Version : -
Threat : Suspicious browser setting
Action : Repair
Related objects : Browser setting - Firefox Shortcut

Firefox Search
Status : Scanned
Path : Wolne Lektury - Biblioteka internetowa Wolne Lektury
MD5 : -
Publisher : -
Size : -
Version : -
Threat : Suspicious browser setting
Action : Repair
Related objects : Browser setting - Firefox Search

Firefox Search
Status : Scanned
Path : Wolne Lektury - Biblioteka internetowa Wolne Lektury
MD5 : -
Publisher : -
Size : -
Version : -
Threat : Suspicious browser setting
Action : Repair
Related objects : Browser setting - Firefox Search

Firefox Search
Status : Scanned
Path : Encyklopedia PWN - Encyklopedia PWN - źródło wiarygodnej i rzetelnej wiedzy
MD5 : -
Publisher : -
Size : -
Version : -
Threat : Suspicious browser setting
Action : Repair
Related objects : Browser setting - Firefox Search

unstops.net
Status : Scanned
Path : HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\C91118139C08E54C0DB5F7FFC6252BF51F42D854\Blob
MD5 : -
Publisher : -
Size : -
Version : -
Threat : Suspicious root certificate
Action : Delete
Related objects :
Registry entry - HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\C91118139C08E54C0DB5F7FFC6252BF51F42D854\Blob


Cleaning results
-------------------------------------------------------
Successfully removed : 11
Reported as safe : 0
Not removed : 0



I think there is no reason to translate everything, especially as you know the logs and can probably even work with Polish ones :). So far after 5 min of testing it seems to be ok; I will report later/tomorrow if the problem is gone.

Btw, I have a problem with a second computer and I'm not sure if I should post here (or create a new topic), because I can't install an antivirus (KIS) or any other; I've been emailing KIS support for the past 2 months and they can't help me.
 

Attachments

  • 2016.05.22-21.38.53-i0-t92-d11.txt
    8.9 KB · Views: 2
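
The Zemana report above flags two classes of item: browser shortcuts whose "Homepage" was tampered with (IE and Firefox .lnk files) and a suspicious root certificate stored under HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT. The following PowerShell script is an added example, not part of the thread or of Zemana, showing how to audit both by hand from an elevated PowerShell 5.1 prompt. The thumbprint is the one Zemana reported; the shortcut folders searched and the "root not in Microsoft's AuthRoot store" heuristic are assumptions of the example, not something the thread states.

```powershell
# Added example (not from the thread): audit hijacked browser shortcuts and
# non-standard machine root certificates. Run as Administrator, PowerShell 5.1.

# Thumbprint Zemana flagged in the log above ("unstops.net").
$flaggedThumbprint = 'C91118139C08E54C0DB5F7FFC6252BF51F42D854'

# ---- 1. Browser shortcuts ------------------------------------------------
# A shortcut hijacker leaves the browser's own homepage setting alone and
# instead appends its URL to the .lnk Arguments, so the page opens regardless.
$shell = New-Object -ComObject WScript.Shell

# Folders searched (assumption of the example; add others if you pin shortcuts elsewhere).
$shortcutDirs = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('CommonDesktopDirectory'),
    [Environment]::GetFolderPath('StartMenu'),
    [Environment]::GetFolderPath('CommonStartMenu'),
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch"   # includes pinned taskbar items
)
$browserExe = 'chrome\.exe|firefox\.exe|iexplore\.exe|opera\.exe'

$suspectShortcuts = Get-ChildItem -Path $shortcutDirs -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        # A clean browser shortcut normally has empty Arguments; anything there
        # deserves a look, and a URL-like value is the classic hijack pattern.
        if ($lnk.TargetPath -match $browserExe -and $lnk.Arguments.Trim() -ne '') {
            [pscustomobject]@{
                Shortcut   = $_.FullName
                Target     = $lnk.TargetPath
                Arguments  = $lnk.Arguments
                LooksLikeUrl = [bool]($lnk.Arguments -match 'https?://|www\.|\w+\.\w{2,}')
            }
        }
    }
Write-Host "Browser shortcuts with arguments:"
$suspectShortcuts | Format-List

# Cleanup (same effect as Zemana's "Repair"): clear the Arguments field.
# Uncomment after reviewing the list above.
# foreach ($s in $suspectShortcuts) {
#     $lnk = $shell.CreateShortcut($s.Shortcut); $lnk.Arguments = ''; $lnk.Save()
# }

# ---- 2. Machine root certificate store -----------------------------------
# Cert:\LocalMachine\Root maps to the registry key Zemana reported
# (HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\<thumbprint>).
$roots = Get-ChildItem Cert:\LocalMachine\Root

Write-Host "Flagged certificate, if still present:"
$roots | Where-Object { $_.Thumbprint -eq $flaggedThumbprint } |
    Format-List Subject, Issuer, NotBefore, NotAfter, Thumbprint

# Heuristic (assumption of the example): roots that Windows did not get from
# Microsoft's trusted root program live in Root but not in AuthRoot. Microsoft's
# own legacy roots also match, so treat the output as a short list to eyeball.
$authRoot = (Get-ChildItem Cert:\LocalMachine\AuthRoot).Thumbprint
Write-Host "Roots not present in AuthRoot (review manually):"
$roots | Where-Object { $authRoot -notcontains $_.Thumbprint -and $_.Subject -notmatch 'Microsoft' } |
    Select-Object Subject, NotBefore, NotAfter, Thumbprint | Format-Table -AutoSize

# Removal (same effect as Zemana's "Delete" of the registry Blob). Uncomment to apply.
# Remove-Item -Path "Cert:\LocalMachine\Root\$flaggedThumbprint"
```

A rogue root in the machine store is the part that matters most here: with it, whoever controls the matching private key can present a valid-looking certificate for any HTTPS site on that machine, which is how ads get injected into otherwise encrypted pages without the browser complaining. Clearing the shortcut arguments alone would stop the homepage redirect but leave that capability in place, so check the root store whenever this class of adware turns up.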

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Scan with Farbar Recovery Scan Tool

Please re-run Farbar Recovery Scan Tool to give me a fresh look at your system.
  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Make sure that the Addition.txt option is checked.
  • Press the Scan button and wait.
  • The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.
Please attach the reports to your next reply.
 

Javal

New Member
Thread author
May 16, 2016
9
Here are the logs you asked for.
 

Attachments

  • Addition.txt
    32 KB · Views: 4
  • FRST.txt
    23 KB · Views: 4

Javal

New Member
Thread author
May 16, 2016
9
Should I include some other logs? Or is my case hopeless and all that's left is a Windows reinstall? :)
 

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.
Running it on another one may cause damage and render the system unstable.

Download the attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt, have to be in the same location or the fix will not work!

  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished, FRST will generate a log on the Desktop called Fixlog.txt.

Please attach it to your reply.
 

Attachments

  • fixlist.txt
    759 bytes · Views: 5

Javal

New Member
Thread author
May 16, 2016
9
So far it reset my browser settings, so that might have worked; I will post later if the problem still occurs. Attaching the log. Thanks for your time!
 

Attachments

  • Fixlog.txt
    2.8 KB · Views: 2

Javal

New Member
Thread author
May 16, 2016
9
After 2 days I can 100% confirm that everything is back to normal, thank you for your time and help!
 

Jose T.

New Member
Jul 13, 2016
1
Hi, the description of his problem is exactly the same as mine; is it not possible for me to use this solution?
 

Javal

New Member
Thread author
May 16, 2016
9
I think this solution/these files were adjusted to my specs/problems, and as the rules state you should open your own thread and wait for someone to help you.
 