Google Browser Redirect "Internet Security Alert"

This is an update to a previous post "Scam-Microsoft Security Alert" posted on 2/15/18

I have a client that continues to get a Google Browser redirect, she told me it popped up on her desktop but she finally sent me a picture. It does not appear to happen when she goes to a particular website but I will ask her and look at her history.

[Attached image: Scam-Browser-Redirect.jpeg]
She has the newest Windows 10 and this is a laptop.

She has Malwarebytes Pro along with Windows Defender. Malwarebytes has quarantined the PUP spigot.generic google chrome on three different occasions but it has not reappeared since major scans in early December. I ran the full gamut at the end of January after she got the Security alert popup once again.

The scans I have run...some multiple times
Malwarebytes, SUPERAntiSpyware, Rkill, AdwCleaner, JRT, RogueKiller, Hitman Pro, Eset, Emsisoft, Dr.Web Cureit and Sophos and finally CCleaner.

Since I now know that this is a Google Redirect the things I know to do in Google Chrome are
Reset
Clear browsing data - all time
run CCleaner

Should I also do a complete uninstall and reinstall of Google Chrome in the control panel or run Google's uninstaller? Are there settings in App Data or anywhere else (the registry?) other than Program Files (x86) that need to be removed?

Anything else? Malware scans have been run but this continues to popup in Google Chrome...she is not using other browsers at this time.
Thanks,
Mags
MagsOwnerAsked:
 
Andrew LeniartSenior EditorCommented:
One other thing I'd suggest. Delete everything in the %temp% folder (enter that in the Windows+R run box and hit Enter). That's where a lot of malware tends to hide.
0
 
AlanConsultantCommented:
Hi Mags,

Just reposting here too:

Please can you confirm if this also happens when she tries going to the same site using IE / Edge?  That will tell us with fair certainty whether this is a browser issue, or something else.

Thanks,

Alan.
1
 
MagsOwnerAuthor Commented:
Hi Alan,
     It happens every couple of weeks or so. It doesn't seem to happen when she goes to a particular site but arbitrarily. I will ask her tomorrow.
Thanks,
Mags
0
 
AlanConsultantCommented:
Okay - The question is whether this is a Chrome issue or something else in Windows.

If it happens in IE / Edge too, then it is not likely anything to do with Chrome.

Thanks,

Alan.
1
 
Andrew LeniartSenior EditorCommented:
This sounds to me like there is a yet undiscovered rootkit on the computer somewhere that is spawning a redirect at random times.

The scans you've already done are excellent, but I'd also recommend a close inspection of what processes are running on the machine.

Also, when you did the Malwarebytes scan, did you do a "Custom" scan and configure it to scan All Files on the C: drive, as well as check for rootkits in the scan? Or was it just a Threat Scan? The one I've described takes a lot longer to complete, however is a lot more thorough.

Hope that's helpful.

Regards, Andrew
0
 
JohnBusiness Consultant (Owner)Commented:
Malwarebytes has quarantined the PUP

Try the following:   Download, install and run Process Explorer from Microsoft SysInternals. Look for a strange (alphanumeric) process under Explorer.  Kill the process, do not restart, run Malwarebytes again to clean up, then restart and test.

Also run TDSS Killer to check for Root Kit viruses (suggested above).
0
 
MagsOwnerAuthor Commented:
Andrew I will run a custom scan...and will check to scan for rootkits. Quick question. I always thought that the threat scan was as deep as the custom scan, especially if rootkits is selected in settings. Is that correct or does custom go deeper? I will also empty the temp folder...I don't believe I have done that yet.

Hi John...if you recall we did that earlier and found nothing unusual. I will check again as this just popped up today. I will run TDSS killer as well.

Thanks guys...until tomorrow.
Mags
1
 
Andrew LeniartSenior EditorCommented:
Hi Mags,

does custom go deeper?

A custom scan will scan all areas of the Hard Drive (if so selected) as well as every single file on the disk. That's why it takes much longer. A threat scan on the other hand only scans memory and the most common areas malware tends to hide in. Threat scans are usually sufficient, however when faced with unexplainable behaviour such as you've described, then custom scans are employed because they are more thorough.

I will also empty the temp folder

It's usually the first thing I do, though I generally leave it all in Recycle until I finish with my scans to see if anything is picked up by the scanning tools. Clearing the Temp folder is a quick way to remove any threats hiding there as just about everything will recreate and those folders that are needed won't allow you to delete them anyway as there will be a file lock on them.

Hope that's helpful.

Regards, Andrew
0
 
serialbandCommented:
Install an adblocker and you'll stop getting those. It's coming from evil advertisement channels.
0
 
nobusCommented:
Did you run Adaware yet? http://www.lavasoft.com/
0
 
MagsOwnerAuthor Commented:
Malwarebytes custom...took hours. I will respond tomorrow...thanks for all the suggestions!
Mags
0
 
MagsOwnerAuthor Commented:
Finished up -

Andrew - Malwarebytes custom scan found nothing. Deleted everything out of the temp folder except for "aria,debug.10856.log" as it said it was open in OneDrive. Concerned?

John - Ran Process Explorer and nothing unusual was found and I had already run TDSS Killer

Serialband - Installed Adblocker Plus in Google Chrome

Nobus - forgot all about Adaware, thanks. Ran but found nothing

I uninstalled (then deleted any info related to it), ran CCleaner and reinstalled Google Chrome

By George...I hope we got it!!
Thanks,
Mags
0
 
JohnBusiness Consultant (Owner)Commented:
Hopefully that was it and so keep us posted
1
 
Andrew LeniartSenior EditorCommented:
except for "aria,debug.10856.log" as it said it was open in OneDrive. Concerned?
Nope, not at all. That file will be harmless.

Hope it's sorted now Mags. Will be looking forward to an update. :)
1
 
MagsOwnerAuthor Commented:
Shall I wait to close until we see if the popup resurfaces or now?
Thanks again guys!
Mags
0
 
JohnBusiness Consultant (Owner)Commented:
That is up to you, but it does seem the issue is resolved.
0
 
Andrew LeniartSenior EditorCommented:
Shall I wait to close until we see if the popup resurfaces or now?

I'd suggest only closing if you're feeling confident that you've eliminated any possible infection on the user's drive. It appears that way to me, given the thoroughness of all the scans made, but that's totally up to you.

If the problem recurs now, it will almost certainly be a result of a website being visited that's spawning that particular redirection, rather than a local infection. I'd then start monitoring the user's surfing habits. Often people are reluctant to disclose some of the sites they like to visit ;)

Regards, Andrew
0
 
AlanConsultantCommented:
Hi Mags,

I would wait - I'm not sure that any of the above scans have fixed the problem, and we still don't know whether it is a Chrome browser issue, or something else?

Alan.
0
 
serialbandCommented:
If you're not finding it with the scanners, then it may have just been a popup ad.  Otherwise, if it appears again, then the malware scanners haven't caught up to some new 0-day.
0
 
MagsOwnerAuthor Commented:
I will wait...fingers crossed that we finally got rid of the scam popup. I will keep you posted.
Thanks,
Mags
0
 
Andrew LeniartSenior EditorCommented:
Any news on this issue, Mags? If it is resolved, please consider closing the question.

Best regards,

Andrew
1
 
MagsOwnerAuthor Commented:
I'll be checking in with her this week...will be closing the 2nd of April...should know by then.
Thanks,
Mags
0
 
MagsOwnerAuthor Commented:
So far no more popups - serialband's suggestion was also a great one - added Adblock Plus - as was Andrew's suggestion to run MBAM in custom mode. Also I believe uninstalling Google Chrome (and deleting any info related to it), running CCleaner and reinstalling Google Chrome helped a bunch.

Hoping I can spread the points...this is a new format.
Thanks,
Mags
0
 
MagsOwnerAuthor Commented:
Don't see how to spread points??
0
Question has a verified solution.
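
Added example, not part of the original thread or written by any of its participants: a read-only PowerShell inventory of the places outside Program Files (x86) where Chrome keeps state, which is what the question about App Data and the registry asks. It assumes a standard per-user Chrome install on Windows, and it goes one step beyond the thread by also listing sites that hold notification permission, since those can raise desktop popups while no page is open.

```powershell
# Added example (read-only): Chrome state that lives outside Program Files (x86).
$userData = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data'

# 1. Registry policy keys. Values set here are applied by Chrome on every start
#    and are not touched by clearing browsing data.
foreach ($key in 'HKLM:\SOFTWARE\Policies\Google\Chrome',
                 'HKCU:\SOFTWARE\Policies\Google\Chrome') {
    if (Test-Path $key) {
        "Policy key present: $key"
        (Get-Item $key).Property | ForEach-Object { "  value:  $_" }
        Get-ChildItem $key -Recurse | ForEach-Object { "  subkey: $($_.Name)" }
    } else {
        "Policy key absent:  $key"
    }
}

# 2. Per-profile data: every folder under User Data that holds a Preferences file.
$profiles = @()
if (Test-Path $userData) {
    $profiles = Get-ChildItem $userData -Directory |
        Where-Object { Test-Path (Join-Path $_.FullName 'Preferences') }
}
foreach ($p in $profiles) {
    "Profile: $($p.FullName)"

    # Installed extensions are stored as Extensions\<id>\<version>\manifest.json
    $extRoot = Join-Path $p.FullName 'Extensions'
    Get-ChildItem $extRoot -Directory -ErrorAction SilentlyContinue | ForEach-Object {
        $id = $_.Name
        Get-ChildItem $_.FullName -Filter manifest.json -Recurse -Depth 1 | ForEach-Object {
            try {
                $m = Get-Content $_.FullName -Raw -Encoding UTF8 | ConvertFrom-Json
                "  extension $id  name=$($m.name)  version=$($m.version)"
            } catch { "  extension $id  (manifest not parseable)" }
        }
    }

    # Sites allowed to raise desktop notifications (setting 1 = allow, 2 = block)
    try {
        $prefs = Get-Content (Join-Path $p.FullName 'Preferences') -Raw -Encoding UTF8 |
            ConvertFrom-Json
        $sites = $prefs.profile.content_settings.exceptions.notifications
        if ($sites) {
            $sites.PSObject.Properties | Where-Object { $_.Value.setting -eq 1 } |
                ForEach-Object { "  notifications allowed: $($_.Name)" }
        }
    } catch { "  Preferences not parseable: $($_.Exception.Message)" }
}
```

Run it as the affected user with Chrome closed; nothing is modified, so the output can be compared before and after a reset or reinstall.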
