Need Help w/ Possible Virus

[SKYMTL]

This might sound odd but I have no idea what this is. In the image below I have the same site open in two windows. One in Chrome Incognito Mode and the other in Regular mode.

As you can see, in the regular browser I have this odd box (and this happens on EVERY site) which either flashes download / play as seen there or something ridiculous like "Flash needs to be updated" and so on.

This ONLY happens in Chrome. Not in FF or IE.

I have scanned with every virus scanner known to man and they all come up with nothing. Even in Safe Mode.

The odd thing is that I don''t actually visit any sites that may be malicious in any way.

Any ideas? Help would be appreciated.

For those interested I have also included the Element Info below.

[maverick_brent]

is there any plugins that installed without your knowledge....easiest way to clean up is to backup your bookmarks, uninstall and cc chome and anyother chrome related folder followed by a fresh install...

[enaberif]

I've had good luck with this guy:
Junkware Removal Tool Download

[SKYMTL]

Quote:

Originally Posted by maverick_brent

is there any plugins that installed without your knowledge....easiest way to clean up is to backup your bookmarks, uninstall and cc chome and anyother chrome related folder followed by a fresh install...

I thought it might be a plugin too but I selected Block All and it still came up.

[SKYMTL]

Quote:

Originally Posted by enaberif

I've had good luck with this guy:
Junkware Removal Tool Download

Yup. Tried him too. Found nothing in Chrome.

Here is the log:

PHP Code:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.4 (04.06.2014:1)
OS: Windows 7 Home Premium x64
Ran by Michael on 10/04/2014 at 19:50:25.52
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services

Successfully stopped: [Service] cltmngsvc 
Successfully deleted: [Service] cltmngsvc 



~~~ Registry Values

Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWindowsAppInit_DLLs



~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CLASSES_ROOTAppIDbho.dll
Successfully deleted: [Registry Key] HKEY_CURRENT_USERSoftwareyahoopartnertoolbar
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINESoftwaresearchprotect
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINESoftwareMicrosoftTracingapnstub_rasapi32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINESoftwareMicrosoftTracingapnstub_rasmancs
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersionUninstallsearchprotect
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINESoftwareMicrosoftTracingAskInstallChecker-1_RASAPI32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINESoftwareMicrosoftTracingAskInstallChecker-1_RASMANCS
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINESoftwareWow6432NodeMicrosoftTracingAskInstallChecker-1_RASAPI32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINESoftwareWow6432NodeMicrosoftTracingAskInstallChecker-1_RASMANCS



~~~ Files



~~~ Folders

Successfully deleted: [Folder] "C:\ProgramData\partner"
Successfully deleted: [Folder] "C:\Users\Michael\AppData\Roaming\pdfforge"
Successfully deleted: [Folder] "C:\Program Files (x86)\searchprotect"



~~~ FireFox

Emptied folder: C:UsersMichaelAppDataRoamingmozillafirefoxprofilesrln190bw.defaultminidumps [2 files]



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 10/04/2014 at 19:58:18.64
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 


[SKYMTL]

Looks like it was rooted in Javascript. Whatdayaknow....

I disabled Javascript, added a few exceptions and it was gone.

HOWEVER....how do I find the damn thing??

[zoob]

Sounds like a Chrome extension to me.

There is a tickbox for "Allow in incognito mode" which would explain why the page is fine in incognito, and not in regular mode.

Uninstall/disable ALL Chrome extensions from chrome://extensions

[Caldezar]

Have you checked the plugins directly rather than from the GUI for Chrome? (chrome://plugins)

It almost sounds like something is screwing with your DNS specific to Chrome. Have you recently updated the firmware on your router? I remember some time ago that a bad version of DDWRT or Tomato was floating around that was designed to mess up peoples DNS.

[Caldezar]

I found the following thread on Adobe's forums regarding your issue:
Adobe Community: Current Version of Adobe Flash Player is outdated!* Is this a virus or malware?

Seems to point to a security hole in Linksys/Cisco routers' remote management utility. This is being exploited by a worm called the 'moon worm'. If you google 'linksys moon worm' you'll get a lot of hits regarding the issue. Lots of people have had issues identifying it since the symptoms always seem browser based rather than router related. Any chance that you run a Linksys router?

[SKYMTL]

Nope. ASUS Dark Knight.... stock firmware.

Nothing stands out the in Plugins other than the Widevine Content Decryption Module.

Only other non-stock plugin from the Plugins page is ActiveTouch General Plugin Container which is for Webex.