Asked by Mags

Google Browser Redirect "Internet Security Alert"

This is an update to a previous post "Scam-Microsoft Security Alert" posted on 2/15/18

I have a client that continues to get a Google Browser redirect. She told me it popped up on her desktop, but she finally sent me a picture. It does not appear to happen when she goes to a particular website, but I will ask her and look at her history.

She has the newest Windows 10 and this is a laptop.

She has Malwarebytes Pro along with Windows Defender. Malwarebytes has quarantined the PUP spigot.generic google chrome on three different occasions, but it has not reappeared since major scans in early December. I ran the full gamut at the end of January after she got the Security alert popup once again.

The scans I have run...some multiple times
Malwarebytes, SUPERAntiSpyware, Rkill, AdwCleaner, JRT, RogueKiller, Hitman Pro, Eset, Emsisoft, Dr.Web Cureit and Sophos and finally CCleaner.

Since I now know that this is a Google Redirect the things I know to do in Google Chrome are
Reset
Clear browsing data - all time
run CCleaner

Should I also do a complete uninstall and reinstall of Google Chrome in the control panel or run Google's uninstaller? Are there settings in App Data or anywhere else (the registry?) other than Program Files (x86) that need to be removed?

Anything else? Malware scans have been run but this continues to pop up in Google Chrome...she is not using other browsers at this time.
Thanks,
Mags
Alan

Hi Mags,

Just reposting here too:

Please can you confirm if this also happens when she tries going to the same site using IE / Edge?  That will tell us with fair certainty whether this is a browser issue, or something else.

Thanks,

Alan.
Mags (ASKER)

Hi Alan,
     It happens every couple of weeks or so. It doesn't seem to happen when she goes to a particular site but arbitrarily. I will ask her tomorrow.
Thanks,
Mags
Okay - The question is whether this is a Chrome issue or something else in Windows.

If it happens in IE / Edge too, then it is not likely anything to do with Chrome.

Thanks,

Alan.
This sounds to me like there is a yet undiscovered rootkit on the computer somewhere that is spawning a redirect at random times.

The scans you've already done are excellent, but I'd also recommend a close inspection of what processes are running on the machine.

Also, when you did the Malwarebytes scan, did you do a "Custom" scan and configure it to scan All Files on the C: drive, as well as check for rootkits in the scan? Or was it just a Threat Scan? The one I've described takes a lot longer to complete, however is a lot more thorough.

Hope that's helpful.

Regards, Andrew
> Malwarebytes has quarantined the PUP

Try the following:   Download, install and run Process Explorer from Microsoft SysInternals. Look for a strange (alphanumeric) process under Explorer.  Kill the process, do not restart, run Malwarebytes again to clean up, then restart and test.

Also run TDSS Killer to check for Root Kit viruses (suggested above).
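
The process check suggested above can also be scripted for a first pass. This PowerShell is an added example, not part of the original posts; the random-name heuristic and the choice of user-writable paths are assumptions of this example, and its output is a triage list to review in Process Explorer, not a verdict.

```powershell
# Added example: list processes started by explorer.exe and flag ones worth a closer look.
# Heuristics are assumptions of this example, expect some false positives.

function Test-RandomLookingName {
    param([string]$Name)
    $base = [IO.Path]::GetFileNameWithoutExtension($Name)
    if ($base.Length -lt 8 -or $base -notmatch '^[a-zA-Z0-9]+$') { return $false }
    $digits = ([regex]::Matches($base, '\d')).Count
    $vowels = ([regex]::Matches($base, '[aeiouAEIOU]')).Count
    # Letters mixed with two or more digits, or a long name with almost no vowels
    return (($digits -ge 2 -and $digits -lt $base.Length) -or
            ($vowels / $base.Length -lt 0.2))
}

$all = Get-CimInstance Win32_Process
$explorerIds = @($all | Where-Object { $_.Name -eq 'explorer.exe' } |
                 ForEach-Object { $_.ProcessId })

$report = $all |
    Where-Object { $explorerIds -contains $_.ParentProcessId } |
    ForEach-Object {
        $path = $_.ExecutablePath
        # Signature status of the image on disk (Valid, NotSigned, HashMismatch, ...)
        $sig = if ($path) { (Get-AuthenticodeSignature -LiteralPath $path).Status }
               else { 'NoPath' }
        # Images running from the user's profile can be dropped without admin rights
        $userWritable = [bool]($path -and (
            $path -like "$env:LOCALAPPDATA\*" -or $path -like "$env:APPDATA\*"))
        [pscustomobject]@{
            Name             = $_.Name
            PID              = $_.ProcessId
            RandomName       = Test-RandomLookingName $_.Name
            Signature        = $sig
            UserWritablePath = $userWritable
            Path             = $path
        }
    }

# Most suspicious combinations first
$report | Sort-Object RandomName, UserWritablePath -Descending |
    Format-Table -AutoSize -Wrap
```

Many legitimate per-user applications also run from AppData, so a row is only interesting when several columns line up (random name, unsigned, user-writable path).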
ASKER CERTIFIED SOLUTION (Andrew Leniart): This solution is only available to members of Experts Exchange.
Mags (ASKER)

Andrew, I will run a custom scan...and will check to scan for rootkits. Quick question. I always thought that the threat scan was as deep as the custom scan, especially if rootkits is selected in settings. Is that correct or does custom go deeper? I will also empty the temp folder...I don't believe I have done that yet.

Hi John...if you recall we did that earlier and found nothing unusual. I will check again as this just popped up today. I will run TDSS killer as well.

Thanks guys...until tomorrow.
Mags
Hi Mags,

> does custom go deeper?

A custom scan will scan all areas of the Hard Drive (if so selected) as well as every single file on the disk. That's why it takes much longer. A threat scan on the other hand only scans memory and the most common areas malware tends to hide in. Threat scans are usually sufficient, however when faced with unexplainable behaviour such as you've described, then custom scans are employed because they are more thorough.

> I will also empty the temp folder

It's usually the first thing I do, though I generally leave it all in Recycle until I finish with my scans to see if anything is picked up by the scanning tools. Clearing the Temp folder is a quick way to remove any threats hiding there as just about everything will recreate and those folders that are needed won't allow you to delete them anyway as there will be a file lock on them.

Hope that's helpful.

Regards, Andrew
Install an adblocker and you'll stop getting those. It's coming from evil advertisement channels.
Did you run Adaware yet?  http://www.lavasoft.com/
Mags (ASKER)

Malwarebytes custom...took hours. I will respond tomorrow...thanks for all the suggestions!
Mags
Mags (ASKER)

Finished up -

Andrew - Malwarebytes custom scan found nothing. Deleted everything out of the temp folder except for "aria,debug.10856.log" as it said it was open in OneDrive. Concerned?

John - Ran Process Explorer and nothing unusual was found and I had already run TDSS Killer

Serialband - Installed Adblock Plus in Google Chrome

Nobus - forgot all about Adaware, thanks. Ran but found nothing

I uninstalled (then deleted any info related to it), ran CCleaner and reinstalled Google Chrome

By George...I hope we got it!!
Thanks,
Mags
Hopefully that was it and so keep us posted
> except for "aria,debug.10856.log" as it said it was open in OneDrive. Concerned?
Nope, not at all. That file will be harmless.

Hope it's sorted now Mags. Will be looking forward to an update. :)
Mags (ASKER)

Shall I wait to close until we see if the popup resurfaces or now?
Thanks again guys!
Mags
That is up to you, but it does seem the issue is resolved.
> Shall I wait to close until we see if the popup resurfaces or now?

I'd suggest only closing if you're feeling confident that you've eliminated any possible infection on the user's drive. It appears that way to me, given the thoroughness of all the scans made, but that's totally up to you.

If the problem recurs now, it will almost certainly be a result of a website being visited that's spawning that particular redirection, rather than a local infection. I'd then start monitoring the user's surfing habits. Often people are reluctant to disclose some of the sites they like to visit ;)

Regards, Andrew
Hi Mags,

I would wait - I'm not sure that any of the above scans have fixed the problem, and we still don't know whether it is a Chrome browser issue, or something else?

Alan.
If you're not finding it with the scanners, then it may have just been a popup ad.  Otherwise, if it appears again, then the malware scanners haven't caught up to some new 0-day.
Mags (ASKER)

I will wait...fingers crossed that we finally got rid of the scam popup. I will keep you posted.
Thanks,
Mags
Any news on this issue, Mags? If it is resolved, please consider closing the question.

Best regards,

Andrew
Mags (ASKER)

I'll be checking in with her this week...will be closing the 2nd of April...should know by then.
Thanks,
Mags
Mags (ASKER)

So far no more popups - serialband's suggestion was also a great one - added Adblock Plus - as was Andrew's suggestion to run MBAM in custom mode. Also I believe uninstalling Google Chrome (and deleting any info related to it), running CCleaner and reinstalling Google Chrome helped a bunch.

Hoping I can spread the points...this is a new format.
Thanks,
Mags
Mags (ASKER)

Don't see how to spread points??