#1
April 10, 2014, 05:07 PM
SKYMTL
HardwareCanuck Review Editor
Join Date: Feb 2007
Location: Montreal
Posts: 11,827

Need Help w/ Possible Virus

This might sound odd but I have no idea what this is. In the image below I have the same site open in two windows. One in Chrome Incognito Mode and the other in Regular mode.

As you can see, in the regular browser I have this odd box (and this happens on EVERY site) which either flashes download / play as seen there or something ridiculous like "Flash needs to be updated" and so on.

This ONLY happens in Chrome. Not in FF or IE.

I have scanned with every virus scanner known to man and they all come up with nothing. Even in Safe Mode.

The odd thing is that I don't actually visit any sites that may be malicious in any way.

Any ideas? Help would be appreciated.

For those interested I have also included the Element Info below.



#2
April 10, 2014, 05:10 PM
maverick_brent
MVP
Join Date: Jun 2008
Location: Nova Scotia
Posts: 469

Are there any plugins that installed without your knowledge? The easiest way to clean up is to back up your bookmarks, uninstall and cc Chrome and any other Chrome-related folder, followed by a fresh install...
#3
April 10, 2014, 05:45 PM
enaberif
Hall Of Fame
Join Date: Dec 2006
Location: Calgahree, AB
Posts: 10,679

I've had good luck with this guy:
Junkware Removal Tool Download
#4
April 10, 2014, 05:48 PM
SKYMTL
HardwareCanuck Review Editor
Join Date: Feb 2007
Location: Montreal
Posts: 11,827

Quote: Originally Posted by maverick_brent
    Are there any plugins that installed without your knowledge? The easiest way to clean up is to back up your bookmarks, uninstall and cc Chrome and any other Chrome-related folder, followed by a fresh install...
I thought it might be a plugin too but I selected Block All and it still came up.
#5
April 10, 2014, 06:00 PM
SKYMTL
HardwareCanuck Review Editor
Join Date: Feb 2007
Location: Montreal
Posts: 11,827

Quote: Originally Posted by enaberif
    I've had good luck with this guy:
    Junkware Removal Tool Download
Yup. Tried him too. Found nothing in Chrome.

Here is the log:

PHP Code:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.4 (04.06.2014:1)
OS: Windows 7 Home Premium x64
Ran by Michael on 10/04/2014 at 19:50:25.52
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



~~~ Services

Successfully stopped: [Service] cltmngsvc
Successfully deleted: [Service] cltmngsvc



~~~ Registry Values

Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs



~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\AppID\bho.dll
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\yahoopartnertoolbar
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\searchprotect
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\apnstub_rasapi32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\apnstub_rasmancs
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\searchprotect
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\AskInstallChecker-1_RASAPI32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\AskInstallChecker-1_RASMANCS
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\AskInstallChecker-1_RASAPI32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\AskInstallChecker-1_RASMANCS



~~~ Files



~~~ Folders

Successfully deleted: [Folder] "C:\ProgramData\partner"
Successfully deleted: [Folder] "C:\Users\Michael\AppData\Roaming\pdfforge"
Successfully deleted: [Folder] "C:\Program Files (x86)\searchprotect"



~~~ FireFox

Emptied folder: C:\Users\Michael\AppData\Roaming\mozilla\firefox\profiles\rln190bw.default\minidumps [2 files]



~~~ Event Viewer Logs were cleared



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 10/04/2014 at 19:58:18.64
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
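The JRT log above lists what was removed but gives no sense of which items mattered. The script below is an added example (not part of the thread and not JRT's own code) that parses a log in that line format into records and rates them from a defender's point of view: a service and an AppInit_DLLs value are persistence and code-injection mechanisms, while leftover keys and folders are lower priority. The rating rules and the sample excerpt (with a placeholder profile name) are this example's own constructions.

```python
"""Parse a Junkware Removal Tool (JRT) log into structured findings and rank
them for triage.

Added example; it is neither part of the forum thread nor of the JRT project.
The line shapes ("~~~ <Section>" headers, "Successfully <action>: [<Type>]
<target>", "Emptied folder: <path> [N files]") follow the log posted above; the
sample text below is a constructed excerpt in that format with placeholder
user and profile names.
"""
import re
from dataclasses import dataclass

SAMPLE_LOG = r"""
~~~ Services

Successfully stopped: [Service] cltmngsvc
Successfully deleted: [Service] cltmngsvc

~~~ Registry Values

Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\AppID\bho.dll
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\searchprotect

~~~ Folders

Successfully deleted: [Folder] "C:\Program Files (x86)\searchprotect"

~~~ FireFox

Emptied folder: C:\Users\PLACEHOLDER\AppData\Roaming\mozilla\firefox\profiles\PROFILE.default\minidumps [2 files]
"""

# "~~~ Services" is a section header; the long "~~~~~~" rules are not.
SECTION_RE = re.compile(r"^~~~\s+([^~].*?)\s*$")
ACTION_RE = re.compile(r"^Successfully (\w+): \[([^\]]+)\]\s*(.+?)\s*$")
EMPTIED_RE = re.compile(r"^Emptied folder:\s*(.+?)(?:\s*\[\d+ files\])?$")


@dataclass
class Finding:
    section: str   # "~~~" header the line appeared under
    action: str    # stopped / deleted / repaired / emptied
    kind: str      # Service, Registry Value, Registry Key, Folder, ...
    target: str    # service name, registry path or file-system path


def parse_jrt_log(text):
    """Turn the log text into a list of Finding records, in log order."""
    findings, section = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if (m := SECTION_RE.match(line)):
            section = m.group(1)
        elif (m := ACTION_RE.match(line)):
            findings.append(Finding(section, m.group(1), m.group(2), m.group(3).strip('"')))
        elif (m := EMPTIED_RE.match(line)):
            findings.append(Finding(section, "emptied", "Folder", m.group(1)))
    return findings


# Defender's rules of thumb for what a removed item was doing on the box.
# JRT itself does not rate findings; these ratings are this example's own.
HIGH_RISK = (
    ("Service", "", "ran as a Windows service, i.e. persisted across reboots"),
    ("Registry Value", "appinit_dlls", "AppInit_DLLs loads a DLL into every process that links user32.dll"),
    ("Registry Key", "\\appid\\", "COM AppID registration, typical of a browser helper object"),
)
ORDER = {"high": 0, "medium": 1, "info": 2}


def rate(finding):
    """Return (severity, reason) for one finding."""
    target = finding.target.lower()
    for kind, needle, reason in HIGH_RISK:
        if finding.kind == kind and needle in target:
            return "high", reason
    if finding.kind in ("Registry Key", "Folder") and finding.action != "emptied":
        return "medium", "leftover registration or program folder of an unwanted program"
    return "info", "housekeeping"


def triage(text):
    """Parse the log and return (severity, reason, finding) tuples, worst first."""
    rated = [(*rate(f), f) for f in parse_jrt_log(text)]
    rated.sort(key=lambda r: ORDER[r[0]])
    return rated


def summarize(text):
    """Counts per severity, for a quick read of how bad the log was."""
    counts = {"high": 0, "medium": 0, "info": 0}
    for severity, _, _ in triage(text):
        counts[severity] += 1
    return counts


if __name__ == "__main__":
    for severity, reason, f in triage(SAMPLE_LOG):
        print(f"{severity:6} {f.kind:15} {f.target}  ({reason})")
```

Run it against a saved JRT.txt by passing the file contents to `triage()`; on the constructed sample the four "high" entries are the two service lines, the AppInit_DLLs repair and the AppID key, which is the subset worth following up with a look at what binary those entries pointed to before removal.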
#6
April 10, 2014, 06:10 PM
SKYMTL
HardwareCanuck Review Editor
Join Date: Feb 2007
Location: Montreal
Posts: 11,827

Looks like it was rooted in Javascript. Whatdayaknow....

I disabled Javascript, added a few exceptions and it was gone.

HOWEVER....how do I find the damn thing??
#7
April 10, 2014, 06:13 PM
Hall Of Fame
F@H
Join Date: Aug 2007
Location: Toronto, ON
Posts: 1,062

Sounds like a Chrome extension to me.

There is a tickbox for "Allow in incognito mode" which would explain why the page is fine in incognito, and not in regular mode.

Uninstall/disable ALL Chrome extensions from chrome://extensions
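The reasoning in the post above (fine in incognito, broken in a normal window, therefore an enabled extension without "Allow in incognito") can be checked from the profile on disk instead of clicking through chrome://extensions. The script below is an added example, not part of the thread or of Chrome. It assumes Chrome records per-extension settings under extensions.settings.<id> in the profile's Preferences JSON with "state" (1 = enabled), "incognito", "from_webstore" and a "manifest" carrying the name, and that the default profile on Windows lives under %LOCALAPPDATA%\Google\Chrome\User Data\Default; the JSON it runs on is a constructed sample in that layout.

```python
"""Audit the extensions recorded in a Chrome profile's Preferences file.

Added example for the advice above (disable extensions and look at the
"Allow in incognito" setting); it is not part of the thread or of Chrome.
Assumed layout: per-extension settings live under extensions.settings.<id>
in the profile's Preferences JSON, with "state" (1 = enabled), "incognito"
(true when allowed in incognito windows), "from_webstore", and the
extension's "manifest" (which carries its name). The JSON below is a
constructed sample in that layout, not a real profile.
"""
import json
import os

SAMPLE_PREFERENCES = json.dumps({
    "extensions": {
        "settings": {
            "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
                "state": 1, "incognito": True, "from_webstore": True,
                "manifest": {"name": "Example Blocker", "version": "1.0"},
            },
            "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
                "state": 1, "incognito": False, "from_webstore": False,
                "manifest": {"name": "Browser Assist", "version": "2.3"},
            },
            "cccccccccccccccccccccccccccccccc": {
                "state": 0, "incognito": False, "from_webstore": True,
                "manifest": {"name": "Old Toolbar", "version": "0.9"},
            },
        }
    }
})


def default_preferences_path():
    """Where Chrome keeps the default profile's Preferences on Windows (assumed)."""
    return os.path.join(os.environ.get("LOCALAPPDATA", ""), "Google", "Chrome",
                        "User Data", "Default", "Preferences")


def audit_extensions(prefs_text):
    """Return one summary dict per extension recorded in the Preferences JSON."""
    settings = json.loads(prefs_text).get("extensions", {}).get("settings", {})
    report = []
    for ext_id, s in settings.items():
        report.append({
            "id": ext_id,
            "name": s.get("manifest", {}).get("name", "<unnamed>"),
            "enabled": s.get("state") == 1,
            "incognito": bool(s.get("incognito", False)),
            "from_webstore": bool(s.get("from_webstore", False)),
        })
    return report


def regular_only_suspects(report):
    """Enabled extensions that are NOT allowed in incognito: the only ones that
    can alter a page in a normal window while leaving incognito untouched,
    which is exactly the symptom described in the thread."""
    return [e for e in report if e["enabled"] and not e["incognito"]]


def sideloaded(report):
    """Enabled extensions not installed from the Chrome Web Store; bundled
    adware installers commonly drop extensions this way."""
    return [e for e in report if e["enabled"] and not e["from_webstore"]]


def audit_file(path=None):
    """Convenience wrapper for a live profile (close Chrome first so the file
    is not being rewritten while it is read)."""
    with open(path or default_preferences_path(), encoding="utf-8") as fh:
        return audit_extensions(fh.read())


if __name__ == "__main__":
    rep = audit_extensions(SAMPLE_PREFERENCES)
    for e in regular_only_suspects(rep):
        flag = "" if e["from_webstore"] else "(not from Web Store)"
        print("check:", e["name"], e["id"], flag)
```

On a real machine call `audit_file()` with Chrome closed and look first at the intersection of `regular_only_suspects` and `sideloaded`; an extension that is both is the usual culprit for injected "update Flash" boxes, and its id gives you the folder under the profile's Extensions directory to inspect before removing it.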
#8
April 10, 2014, 06:15 PM
Caldezar
Hall Of Fame
F@H
Join Date: Aug 2008
Location: Burnaby
Posts: 1,731

Have you checked the plugins directly rather than from the GUI for Chrome? (chrome://plugins)

It almost sounds like something is screwing with your DNS specific to Chrome. Have you recently updated the firmware on your router? I remember some time ago that a bad version of DDWRT or Tomato was floating around that was designed to mess up people's DNS.
#9
April 10, 2014, 06:22 PM
Caldezar
Hall Of Fame
F@H
Join Date: Aug 2008
Location: Burnaby
Posts: 1,731

I found the following thread on Adobe's forums regarding your issue:
Adobe Community: Current Version of Adobe Flash Player is outdated! Is this a virus or malware?

Seems to point to a security hole in Linksys/Cisco routers' remote management utility. This is being exploited by a worm called the 'moon worm'. If you google 'linksys moon worm' you'll get a lot of hits regarding the issue. Lots of people have had issues identifying it since the symptoms always seem browser based rather than router related. Any chance that you run a Linksys router?
#10
April 10, 2014, 06:45 PM
SKYMTL
HardwareCanuck Review Editor
Join Date: Feb 2007
Location: Montreal
Posts: 11,827

Nope. ASUS Dark Knight.... stock firmware.

Nothing stands out in the Plugins other than the Widevine Content Decryption Module.

Only other non-stock plugin from the Plugins page is ActiveTouch General Plugin Container which is for Webex.