Popups in Chrome



One of my users is getting popups in Google Chrome, persistently at 10:02 AM. More accurately, it seems to be a browser hijack that opens various pages, all with popup "warnings" consistently at 10:02 AM. Sites vary, but include "download1291bucket.com" and "lpmxp2171.com".

 

I've tried uninstalling Chrome, deleting all remaining data and reinstalling it. I also checked Scheduled Tasks for anything suspicious scheduled for 10:02.

 

Firefox was exhibiting similar behavior, but a reinstall fixed it.

 

Any suggestions?

 

I'll try to get whatever additional info I can, but it's tough to get access. This guy is one of the type that will report the issue, but doesn't like to relinquish control of the computer for me to actually troubleshoot. When I tried to help him yesterday with a procedure I got based on one of his screenshots, he grabbed the pages and then proceeded to look at everything except what the instructions recommended . . . :rolleyes:

Link to comment
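A read-only way to repeat the Scheduled Tasks check described in the opening post, as an added example that is not part of the original thread. It lists tasks whose trigger starts at 10:02 and, because a task fired at logon or on an event has no time of day, also tasks whose action launches a browser or passes a URL; the `$ActionPattern` heuristic and the variable names are assumptions, not something the posters used.

```powershell
# Added example (not from the thread). Read-only: lists scheduled tasks that
# either start at the reported time of day or launch a browser / pass a URL.
# Run from an elevated prompt to see tasks registered for every user.
$TargetTime    = '10:02'                      # time of day reported in the post
$ActionPattern = 'chrome|firefox|https?://'   # assumption: heuristic, tune as needed

Get-ScheduledTask | ForEach-Object {
    $task = $_

    # Flatten every action into "program arguments" text for matching.
    $actions = ($task.Actions | ForEach-Object {
        "$($_.Execute) $($_.Arguments)".Trim()
    }) -join '; '

    # Collect the time of day (HH:mm, local time) of each trigger that has one.
    $times = @(foreach ($trigger in $task.Triggers) {
        if ($trigger.StartBoundary) {
            try { ([datetime]$trigger.StartBoundary).ToString('HH:mm') } catch { }
        }
    })

    $timeHit   = $times -contains $TargetTime
    $actionHit = $actions -match $ActionPattern

    if ($timeHit -or $actionHit) {
        # Record why the task was listed so legitimate hits are easy to dismiss.
        $reason = @()
        if ($timeHit)   { $reason += 'time' }
        if ($actionHit) { $reason += 'action' }

        [pscustomobject]@{
            Task    = $task.TaskPath + $task.TaskName
            State   = $task.State
            Author  = $task.Author
            Times   = ($times | Select-Object -Unique) -join ', '
            Actions = $actions
            Reason  = $reason -join '+'
        }
    }
} | Format-List
```

Legitimate tasks can match the action pattern, so review each hit's `Author` and `Actions` rather than treating the list as a verdict.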

Is he logging into Chrome with an account? If I understand Chrome correctly it will automatically re-load any plugins that were installed for that user, so once Chrome is re-installed and logged in it will automatically re-install plugins and that could be what's causing the issue.

 

Even if not, I would certainly take a look at the plugins/extensions that are enabled to see if there is anything obvious in there.

Link to comment

> Is he logging into Chrome with an account? If I understand Chrome correctly it will automatically re-load any plugins that were installed for that user, so once Chrome is re-installed and logged in it will automatically re-install plugins and that could be what's causing the issue.
>
> Even if not, I would certainly take a look at the plugins/extensions that are enabled to see if there is anything obvious in there.

 

He is using an account, but nothing stood out in his plugins.

Link to comment

I would go in and check to see what extensions are installed on the browser and see if there are any malicious ones.

Link to comment

> I would go in and check to see what extensions are installed on the browser and see if there are any malicious ones.

I'll take another look, when I can get access.

Link to comment

Also thinking about it, given it seemed to affect both Firefox and Chrome, it could actually be a locally installed application. Have you checked Programs and Features also? People often get caught out when installing perfectly legitimate software that's bundled with cryptic "additional options" that people agree to thinking they have to but it's normally installing some horrible program that you wouldn't ever trust.

Link to comment

> Also thinking about it, given it seemed to affect both Firefox and Chrome, it could actually be a locally installed application. Have you checked Programs and Features also? People often get caught out when installing perfectly legitimate software that's bundled with cryptic "additional options" that people agree to thinking they have to but it's normally installing some horrible program that you wouldn't ever trust.

 

Yup, Checked in there. Nothing I didn't expect or out of the ordinary.

Link to comment

Of course not, that would just make this easy!  :rofl:

 

It would be so nice if malware developers would put in a nice easy uninstall option, but noooooo . . . :rofl:

Link to comment

> have you tried just disabling all the extensions just to check?

 

Not yet. Like I've said, the user is kind of territorial.

Link to comment

> have you tried just disabling all the extensions just to check?

 

I just checked with him, he'd already disabled all extensions - removed them actually, and it still recurred.

Link to comment

> HostsXpert
>
> Malwarebytes
>
> Spybot Search & Destroy
>
> Run all of them and uninstall and then reinstall the browsers affected.

 

If I were in charge, that's exactly what I would have done, but my boss prefers I stick to Symantec Endpoint Protection. I'll ask permission when he's in tomorrow.

Link to comment

> If I were in charge, that's exactly what I would have done, but my boss prefers I stick to Symantec Endpoint Protection. I'll ask permission when he's in tomorrow.

 

Seems smart to task someone with fixing something then not allowing them to do their job. If they don't want to enable you to do what you have to do to fix it, then why bother wasting your time?

Link to comment

> If I were in charge, that's exactly what I would have done, but my boss prefers I stick to Symantec Endpoint Protection. I'll ask permission when he's in tomorrow.

You don't need to uninstall Symantec AV.

You can find Malwarebytes and Spybot SD portable versions. HostsXpert is a hosts file updater that redirects known malware websites to 127.0.0.1, needs not to be installed either.

Link to comment

> Seems smart to task someone with fixing something then not allowing them to do their job. If they don't want to enable you to do what you have to do to fix it, then why bother wasting your time?

He prefers to stick to the software that's been purchased, rather than look elsewhere. I've been overridden on alternative programs in the past, so I'm erring on the side of caution.

> You don't need to uninstall Symantec AV.
>
> You can find Malwarebytes and Spybot SD portable versions. HostsXpert is a hosts file updater that redirects known malware websites to 127.0.0.1, needs not to be installed either.

 

Now that could be useful. I swear by Malwarebytes, but I wasn't aware of a portable version.

Link to comment

> He prefers to stick to the software that's been purchased, rather than look elsewhere. I've been overridden on alternative programs in the past, so I'm erring on the side of caution.

 

Sounds like they need to replace him honestly, as someone else said, those 3 suggested apps would likely have cleaned the system by now and you could be using your time for something productive at this point. :/

Link to comment

> Now that could be useful. I swear by Malwarebytes, but I wasn't aware of a portable version.

there's no "Official" portable version but plenty of people have made it portable. pretty easy to find with a quick google search

 

i always keep a copy (along with a few others) on my portableapps drive :)

Link to comment

Just installed MBAB on the computer, as I'm tired of p***yfooting around. It already detected the likely culprit. Sometimes you just need to go with what works, and not worry about permission.

 

And the user's gone for the day, so I can do what's needed with no interference.

Link to comment

I'd lock that system down so tight he'd need permission to reboot, if the user cannot be trusted to not install unnecessary junk, then they lose the privilege but then again our systems disallow all software installs in AD and only specific teams have access rights to install/uninstall

Link to comment

> I'd lock that system down so tight he'd need permission to reboot, if the user cannot be trusted to not install unnecessary junk, then they lose the privilege but then again our systems disallow all software installs in AD and only specific teams have access rights to install/uninstall

 

All of the non-malware stuff is actually needed for his job, including the multiple browsers. Can't lock it down without tying his hands.

Link to comment
