Chrome Hijack on a Windows 7 Laptop

Asrial

I have a customer who uses Chrome, and it keeps warning her that she is being taken to the wrong websites.

What I'm after is some ideas on other places to check.

My next step is to get more aggressive with virus/spyware removal scans.

Things I've verified...

- router DNS settings

- all network adapter TCP/IP DNS settings

- ipconfig /flushdns

- hosts file

- Internet Explorer lan settings

- Google Chrome settings and extensions (even uninstalled Chrome and re-installed it)

- TDSS Killer with 0 hits

- Malwarebytes full scan with various miscellaneous things detected and removed (I only ran it once so I intend to run it again)

In general, I can't find anything abnormal. All the startup entries are sound, task scheduler, browser addons. No running processes seem abnormal and the ones I'm unsure about pass a VirusTotal check.
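The checklist above is the standard set of redirect points, and they can be reviewed in one pass rather than by clicking through dialogs. The script below is an added example, not code from the thread or from any of the tools named in it. It assumes Windows PowerShell 2.0 as shipped with Windows 7 and an elevated prompt; it only reports and changes nothing.

```powershell
# Added example, not from the thread: one pass over the places a browser
# redirect is usually planted on a Windows 7 box (hosts file, adapter DNS,
# WinINET proxy/PAC, Chrome policy keys, Chrome extensions).
# Windows PowerShell 2.0 syntax; run from an elevated prompt. Report only.

$report = @()

# 1. hosts file: any active mapping that does not point at loopback.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
foreach ($line in (Get-Content $hostsPath)) {
    if ($line -match '^\s*#' -or $line -notmatch '\S') { continue }
    $parts = @($line.Trim() -split '\s+')
    if ($parts.Count -ge 2 -and $parts[0] -notmatch '^(127\.|::1$)') {
        $report += "hosts     : $($parts[0]) -> $($parts[1..($parts.Count - 1)] -join ' ')"
    }
}

# 2. DNS servers on every adapter with an IP. A static resolver the customer
#    never set (DHCPEnabled=False) is the classic adapter-level hijack.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' | ForEach-Object {
    $report += "dns       : $($_.Description) dhcp=$($_.DHCPEnabled) servers=$($_.DNSServerSearchOrder -join ',')"
}

# 3. WinINET proxy settings (the IE "LAN settings" dialog). Chrome on Windows
#    honours the system proxy, so a rogue ProxyServer or AutoConfigURL (PAC
#    script) redirects Chrome as well as IE.
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
foreach ($name in 'ProxyEnable', 'ProxyServer', 'AutoConfigURL') {
    if ($inet.$name) { $report += "proxy     : $name = $($inet.$name)" }
}

# 4. Chrome policy keys. An unmanaged home laptop should have none; adware
#    uses them (e.g. ExtensionInstallForcelist) to pin settings that survive
#    the "Reset browser settings" button.
foreach ($key in 'HKLM:\Software\Policies\Google\Chrome', 'HKCU:\Software\Policies\Google\Chrome') {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty $key
    if ($props) {
        foreach ($p in ($props | Get-Member -MemberType NoteProperty)) {
            $n = $p.Name
            if ($n -notmatch '^PS') { $report += "chrome-pol: $key\$n = $($props.$n)" }
        }
    }
    Get-ChildItem $key -Recurse | ForEach-Object { $report += "chrome-pol: $($_.Name)" }
}

# 5. Chrome extensions per profile, with the name from manifest.json.
#    Uninstalling Chrome leaves this tree in place, which is why a plain
#    uninstall/reinstall does not remove a planted extension.
$userData = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data'
if (Test-Path $userData) {
    foreach ($profile in (Get-ChildItem $userData | Where-Object { $_.PSIsContainer })) {
        $extRoot = Join-Path $profile.FullName 'Extensions'
        if (-not (Test-Path $extRoot)) { continue }
        foreach ($ext in (Get-ChildItem $extRoot | Where-Object { $_.PSIsContainer })) {
            $manifest = Get-ChildItem $ext.FullName -Recurse -Filter manifest.json | Select-Object -First 1
            $name = '?'
            if ($manifest -and ((Get-Content $manifest.FullName) -join ' ') -match '"name"\s*:\s*"([^"]*)"') {
                $name = $matches[1]
            }
            $report += "chrome-ext: $($profile.Name) $($ext.Name) $name"
        }
    }
}

$report
```

Anything under `proxy` or `chrome-pol` on a home machine deserves a second look, and an extension whose name is `__MSG_...__` or missing is worth opening by hand. The hosts check skips loopback lines on purpose, since ad-blocking hosts files are full of them.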
 
You can try RKill, and I have had success with the Windows Defender Offline boot disk. It has found malware that Malwarebytes has not found.
 
Forgot to mention.. I've also run HijackThis and nothing abnormal was detected.

What's frustrating me about this is USUALLY, unless it's a rootkit, you can see evidence of something going on.

Running process.. browser addons.. startup entry.. maybe a scheduled task.

..but here, nada.
 

You've got to run more modern, more powerful tools. HijackThis is outdated and shouldn't be used at all.
 
If on Chrome 29, click Settings, scroll to the bottom, click Show advanced settings, then click Reset browser settings.

If you intend to fully reinstall Chrome, you must also delete the Chrome folder in AppData/Local/Google. Just uninstalling and reinstalling won't do a thing.

Forgot to mention: I'm betting on Conduit or remnants.
 
The biggest problem is.. I can't really reproduce it. I've seen it, I know it's there, but it's so random and rare..

RKill -- nothing

Windows Defender Boot Disk -- can't run currently as this is a remote service

ComboFix -- there's stuff in the log, but nothing looks abnormal (though I'm not an expert at deciphering it)

RogueKiller -- a couple of registry keys that seem misleading (hide desktop items, disable registry tools and set program access and defaults)

MBAM AR -- nothing; thanks for pointing this one out.. adding it to my TDSS Killer routine for sure :)

AdwCleaner -- this found a handful of lingering folders and registry entries; hard to tell if the entries have any relevance to Chrome / IE / etc.

Back to my comment at the top of this post.. since getting back in and doing further investigations, I have not once been able to get Chrome to act up. Am I fixing something? Is there even a problem anymore? Who knows.

Thanks for the suggestions everyone.. think I'm going to let it rest as is for a while, and cross my fingers there's no further issues.


Here's the registry keys deleted by AdwCleaner... I'm not proficient enough with the registry to tell what's a broken piece of data, and what's something actually being run.

Key Deleted : HKLM\SOFTWARE\Classes\AppGraffiti.AppGraffitiJS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\ConduitInstaller_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\ConduitInstaller_RASMANCS
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{94496571-6AC5-4836-82D5-D46260C44B17}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{BC9FD17D-30F6-4464-9E53-596A90AFF023}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{CC5AD34C-6F10-4CB3-B74A-C2DD4D5060A3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{CC99A798-FD3D-4AB4-969E-6071612524F9}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{6C1B9042-3D32-49A1-916B-0AA3A9CDDFD6}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}
Key Deleted : HKCU\Software\AppGraffiti
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKCU\Software\AppDataLow\Software\ConduitSearchScopes
Key Deleted : HKCU\Software\AppDataLow\Software\Crossrider
Key Deleted : HKCU\Software\AppDataLow\Software\PriceGong
Key Deleted : HKCU\Software\AppDataLow\Software\SmartBar
Key Deleted : HKLM\Software\AppGraffiti
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\Software\systweak
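The question of which of those keys was a live component and which was a leftover can be answered from the registry itself: a CLSID is only dangerous if its `InprocServer32` DLL is still on disk and something (for IE, a Browser Helper Object or toolbar entry) tells the browser to load it. The script below is an added example, not from the thread or from AdwCleaner. It takes the CLSIDs from the log above as input; on this laptop the keys are already deleted, so every row would read "absent", which is why it is meant to be run before a cleanup or on another machine. It assumes Windows PowerShell 2.0 and a 64-bit Windows, where 64-bit PowerShell sees the 32-bit registry view under `Wow6432Node`.

```powershell
# Added example, not from the thread: for each CLSID in an AdwCleaner-style log,
# decide whether it is a live COM object (server DLL on disk and wired in as an
# IE BHO or toolbar) or an orphaned registration. CLSIDs copied from the log
# above; on a machine where the keys are gone every row reads "absent".
# Windows PowerShell 2.0 syntax, run elevated.

$clsids = @(
    '{3C471948-F874-49F5-B338-4F214A2EE0B1}', '{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}',
    '{94496571-6AC5-4836-82D5-D46260C44B17}', '{BC9FD17D-30F6-4464-9E53-596A90AFF023}',
    '{CC5AD34C-6F10-4CB3-B74A-C2DD4D5060A3}', '{CC99A798-FD3D-4AB4-969E-6071612524F9}',
    '{DE9028D0-5FFA-4E69-94E3-89EE8741F468}', '{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}'
)

function Test-Clsid {
    param([string]$Clsid)
    $r = New-Object PSObject -Property @{
        Clsid = $Clsid; State = 'absent'; Server = ''; ServerExists = $false; Bho = $false; Toolbar = $false
    }

    # Where is the class registered (64-bit view, 32-bit view, per-user), and which DLL does it name?
    foreach ($base in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID', 'HKCU:\Software\Classes\CLSID') {
        $key = "$base\$Clsid"
        if (-not (Test-Path $key)) { continue }
        $r.State = 'registered'
        if (Test-Path "$key\InprocServer32") {
            $dll = (Get-ItemProperty "$key\InprocServer32").'(default)'
            if ($dll) {
                $dll = [Environment]::ExpandEnvironmentVariables($dll.Trim('"'))
                $r.Server = $dll
                $r.ServerExists = Test-Path $dll
            }
        }
    }

    # Is IE told to load it? BHOs are subkeys named by CLSID; toolbars are values named by CLSID.
    foreach ($base in 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node') {
        if (Test-Path "$base\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$Clsid") { $r.Bho = $true }
        $tb = "$base\Microsoft\Internet Explorer\Toolbar"
        if ((Test-Path $tb) -and ((Get-Item $tb).GetValue($Clsid) -ne $null)) { $r.Toolbar = $true }
    }

    if ($r.State -eq 'registered') {
        if (-not $r.ServerExists)       { $r.State = 'orphaned: DLL missing' }
        elseif ($r.Bho -or $r.Toolbar)  { $r.State = 'LIVE: IE loads it' }
        else                            { $r.State = 'registered, not loaded by IE' }
    }
    $r
}

$clsids | ForEach-Object { Test-Clsid $_ } | Format-Table Clsid, State, Bho, Toolbar, Server -AutoSize
```

This only speaks for Internet Explorer; Chrome never loads BHOs, so the Chrome side of a Conduit/Crossrider install is the extension tree under the user profile, not a CLSID. Of the other keys in the log, the `Microsoft\Tracing\<name>_RASAPI32` and `_RASMANCS` keys are created automatically by Windows for any program that calls the RAS API and only prove the installer once ran; `Ext\PreApproved` lists ActiveX controls IE may load without the add-on prompt; and a `Low Rights\ElevationPolicy` entry lets a named executable be launched from IE Protected Mode at higher integrity. The last two are worth noting even after deletion, because they show the install had IE-side hooks, not just folders.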
 
Going to keep editing my above post as I run scans.

However, another thought here...

The only website I've seen this happen with is PayPal. The first error was with PayPalObjects.com and the second was some ad website (didn't catch the full name).

..but now I'm wondering if this is a false positive with PayPal..

As far as I can tell PayPalObjects is legitimate.
 
See my above post. Then read the last 8 or so registry keys deleted in your log.

I already knew it had Conduit on it.

This isn't me coming in and going, "Hey guys, this computer just randomly started doing this, what should I do?"

I already ran my removal processes and was wanting to know further areas of investigation (such as checking the router DNS settings when your browser is hijacked). It may actually just be a false positive by Chrome and PayPal (I've yet to talk to the customer to find out if it was just PayPal or other websites too).

Also, those registry entries make me think of remaining locations and not actual content (i.e. an empty folder, but still something that triggers a spyware detection/warning), but again, I'm not an expert at reading the finer details of those locations.

If my customer continues to have issues (or if they confirm it's just PayPal doing it) I'll come back and post more (and also the results of OTL, JRT and SAS).

[EDIT: My customer said that it happens with other websites, so we'll see. I tried PayPal 40-50 times the other night, and also all the general browsing and going to the websites to get the software you all recommended, and it didn't act up once for me.]
 
EDIT: My customer said that it happens with other websites, so we'll see. I tried PayPal 40-50 times the other night, and also all the general browsing and going to the websites to get the software you all recommended, and it didn't act up once for me.

Could it be that they are thinking about when it WAS happening? Sometimes you have to drag the facts out, and it is always about the third or fourth time you talk with people that they say, "Oh yeah, I meant it was doing that before you worked on it, but now it's not doing that anymore."

Maybe it is a PUP. Have you checked the installed programs to see if anything looks like it shouldn't be there?
Why some PUPs are not considered malware is beyond me. I see those ads on TV, you know, for PC-fixthat or PC-fixthis or PC-speeditup, and I think, how are they allowed to advertise this stuff? The people buying these programs don't know what they're in for.

Have you tried just changing the DNS to something like Google's public DNS or OpenDNS?

Are any other browsers affected, or is it just Chrome? Are any other computers affected, or just the one?

I know you said "uninstalled Chrome and re-installed it" but I would also reset it like angry_geek said.

Did you use the newest AdwCleaner, version 3.001? If you're running AdwCleaner I would run JRT also.

Have you tried running GMER?

Are you also cleaning the temp files using TFC or CCleaner?

Anything at all look abnormal in Process Explorer?

Any abnormal connections in TCPView?

HijackThis?? Wow, please check out OTL by OldTimer.

Three other programs you might find helpful sometimes with internet/network problems are MiniToolBox by Farbar, Rizone Complete Internet Repair and Farbar Service Scanner.
 
Keep us posted.

...also, forget about all these toys; just get something to record the information, like a packet sniffer, and hope you get it to duplicate. Perhaps something in the Chrome dev tools may also help.. I don't use those enough myself.
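Two suggestions above, switching to Google Public DNS or OpenDNS and capturing evidence rather than running more scanners, can be combined into one check: ask every resolver the laptop is configured to use, plus the two public ones, for the same names and lay the answers side by side. The script below is an added example, not from the thread or from any tool named in it. It speaks raw DNS over UDP because Windows 7 has no `Resolve-DnsName` cmdlet; the list of names to compare is an assumption for illustration, and it assumes Windows PowerShell 2.0 and a working network connection.

```powershell
# Added example, not from the thread: query each configured resolver and two
# public reference resolvers for the same names and print the answers side by
# side. A configured resolver returning addresses nobody else returns is what
# a router- or adapter-level DNS hijack looks like. Windows PowerShell 2.0.

function Skip-DnsName([byte[]]$Buf, [int]$Pos) {
    # Walk a (possibly compressed) RFC 1035 name and return the offset just past it.
    while ($true) {
        $len = [int]$Buf[$Pos]
        if ($len -eq 0) { return ($Pos + 1) }
        if (($len -band 0xC0) -eq 0xC0) { return ($Pos + 2) }   # compression pointer ends the name
        $Pos += $len + 1
    }
}

function Resolve-A([string]$Name, [string]$Server) {
    # Header: ID, flags (RD=1), QDCOUNT=1, AN/NS/AR=0; then QNAME, QTYPE=A, QCLASS=IN.
    $id = Get-Random -Minimum 1 -Maximum 65535
    $q = @([int][Math]::Floor($id / 256), ($id -band 0xFF), 1, 0, 0, 1, 0, 0, 0, 0, 0, 0)
    foreach ($label in $Name.TrimEnd('.').Split('.')) {
        $q += $label.Length
        $q += ([int[]]([Text.Encoding]::ASCII.GetBytes($label)))
    }
    $q += @(0, 0, 1, 0, 1)

    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.Client.ReceiveTimeout = 3000
    try {
        $udp.Connect($Server, 53)
        [void]$udp.Send([byte[]]$q, $q.Count)
        $ep  = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Any, 0)
        $buf = $udp.Receive([ref]$ep)
    } catch { return 'TIMEOUT/ERROR' } finally { $udp.Close() }

    if ($buf.Length -lt 12 -or ($buf[0] * 256 + $buf[1]) -ne $id) { return 'BAD-ID' }
    $rcode   = $buf[3] -band 0x0F
    $ancount = $buf[6] * 256 + $buf[7]
    $pos = Skip-DnsName $buf 12
    $pos += 4                                   # QTYPE + QCLASS of the echoed question
    $addrs = @()
    for ($i = 0; $i -lt $ancount; $i++) {
        $pos = Skip-DnsName $buf $pos
        $type  = $buf[$pos] * 256 + $buf[$pos + 1]
        $rdlen = $buf[$pos + 8] * 256 + $buf[$pos + 9]
        $pos += 10                              # TYPE, CLASS, TTL, RDLENGTH
        if ($type -eq 1 -and $rdlen -eq 4) {
            $addrs += ('{0}.{1}.{2}.{3}' -f $buf[$pos], $buf[$pos + 1], $buf[$pos + 2], $buf[$pos + 3])
        }
        $pos += $rdlen                          # CNAME and other RRs are skipped, not reported
    }
    if ($rcode -ne 0) { return "RCODE=$rcode" }
    if ($addrs.Count -eq 0) { return '(no A records)' }
    return (($addrs | Sort-Object) -join ' ')
}

# Resolvers to compare: whatever the adapters point at, plus two public references.
$resolvers = @{ '8.8.8.8' = 'reference: Google'; '208.67.222.222' = 'reference: OpenDNS' }
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' | ForEach-Object {
    foreach ($s in @($_.DNSServerSearchOrder)) { if ($s) { $resolvers[$s] = "configured: $($_.Description)" } }
}

# Assumption: the names to compare; use the sites the customer actually reported.
foreach ($name in 'www.paypal.com', 'www.paypalobjects.com', 'www.google.com') {
    "== $name"
    foreach ($s in $resolvers.Keys) { '{0,-16} {1,-40} {2}' -f $s, $resolvers[$s], (Resolve-A $name $s) }
}
```

Read the output with one caveat in mind: names served from a CDN (paypalobjects.com is one) legitimately return different addresses from different resolvers, so a mismatch alone proves nothing. What a hijack looks like is the configured resolver (often the router's own address) handing back an address that neither public resolver ever returns, or several unrelated names all landing on the same address. A redirect planted in the hosts file or the proxy settings will not show up here at all, since this bypasses the system resolver; and for a fault as intermittent as this one, leaving a packet capture running on the laptop while the customer browses is still the surest way to catch it.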
 