DConnell, Member, posted September 17, 2014

One of my users is getting popups in Google Chrome, persistently at 10:02 AM. More accurately, it seems to be a browser hijack that opens various pages, all with popup "warnings", consistently at 10:02 AM. Sites vary, but include "download1291bucket.com" and "lpmxp2171.com". I've tried uninstalling Chrome, deleting all remaining data and reinstalling it. I also checked Scheduled Tasks for anything suspicious scheduled for 10:02. Firefox was exhibiting similar behavior, but a reinstall fixed it. Any suggestions?

I'll try to get whatever additional info I can, but it's tough to get access. This guy is one of the type that will report the issue, but doesn't like to relinquish control of the computer for me to actually troubleshoot. When I tried to help him yesterday with a procedure I got based on one of his screenshots, he grabbed the pages and then proceeded to look at everything except what the instructions recommended . . . :rolleyes:
Skiver, Veteran, posted September 17, 2014

Is he logging into Chrome with an account? If I understand Chrome correctly, it will automatically re-load any plugins that were installed for that user, so once Chrome is re-installed and logged in it will automatically re-install plugins, and that could be what's causing the issue. Even if not, I would certainly take a look at the plugins/extensions that are enabled to see if there is anything obvious in there.
DConnell, Member (Author), posted September 17, 2014

> Is he logging into Chrome with an account? If I understand Chrome correctly, it will automatically re-load any plugins that were installed for that user, so once Chrome is re-installed and logged in it will automatically re-install plugins, and that could be what's causing the issue. Even if not, I would certainly take a look at the plugins/extensions that are enabled to see if there is anything obvious in there.

He is using an account, but nothing stood out in his plugins.
LittleNeutrino, Veteran, posted September 17, 2014

I would go in and check to see what extensions are installed on the browser and see if there are any malicious ones.
DConnell, Member (Author), posted September 17, 2014

> I would go in and check to see what extensions are installed on the browser and see if there are any malicious ones.

I'll take another look, when I can get access.
Skiver, Veteran, posted September 17, 2014

Also, thinking about it, given it seemed to affect both Firefox and Chrome, it could actually be a locally installed application. Have you checked Programs and Features also? People often get caught out when installing perfectly legitimate software that's bundled with cryptic "additional options" that people agree to, thinking they have to, but it's normally installing some horrible program that you wouldn't ever trust.
DConnell, Member (Author), posted September 17, 2014

> Also, thinking about it, given it seemed to affect both Firefox and Chrome, it could actually be a locally installed application. Have you checked Programs and Features also? People often get caught out when installing perfectly legitimate software that's bundled with cryptic "additional options" that people agree to, thinking they have to, but it's normally installing some horrible program that you wouldn't ever trust.

Yup, checked in there. Nothing I didn't expect or out of the ordinary.
Skiver, Veteran, posted September 17, 2014

> Yup, checked in there. Nothing I didn't expect or out of the ordinary.

Of course not, that would just make this easy! :rofl:
DConnell, Member (Author), posted September 17, 2014

> Of course not, that would just make this easy! :rofl:

It would be so nice if malware developers would put in a nice easy uninstall option, but noooooo . . . :rofl:
LittleNeutrino, Veteran, posted September 17, 2014

Have you tried just disabling all the extensions, just to check?
DConnell, Member (Author), posted September 17, 2014

> Have you tried just disabling all the extensions, just to check?

Not yet. Like I've said, the user is kind of territorial.
DConnell, Member (Author), posted September 17, 2014

> Have you tried just disabling all the extensions, just to check?

I just checked with him: he'd already disabled all extensions (removed them, actually), and it still recurred.
kukubau, posted September 17, 2014

HostsXpert
Malwarebytes
Spybot Search & Destroy

Run all of them, then uninstall and reinstall the browsers affected.
DConnell, Member (Author), posted September 17, 2014

> HostsXpert
> Malwarebytes
> Spybot Search & Destroy
>
> Run all of them, then uninstall and reinstall the browsers affected.

If I were in charge, that's exactly what I would have done, but my boss prefers I stick to Symantec Endpoint Protection. I'll ask permission when he's in tomorrow.
xendrome, posted September 17, 2014

> If I were in charge, that's exactly what I would have done, but my boss prefers I stick to Symantec Endpoint Protection. I'll ask permission when he's in tomorrow.

Seems smart to task someone with fixing something, then not allow them to do their job. If they don't want to enable you to do what you have to do to fix it, then why bother wasting your time?
LittleNeutrino, Veteran, posted September 17, 2014

Yeah, I would start looking for malware now.
kukubau, posted September 17, 2014

> If I were in charge, that's exactly what I would have done, but my boss prefers I stick to Symantec Endpoint Protection. I'll ask permission when he's in tomorrow.

You don't need to uninstall Symantec AV. You can find portable versions of Malwarebytes and Spybot SD. HostsXpert is a hosts-file updater that redirects known malware websites to 127.0.0.1; it does not need to be installed either.
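The checks this thread walks through by hand (the 10:02 scheduled-task hunt and the extension review from the first post, and the hosts-file sinkholing described here) as one added PowerShell triage script; it is not from the thread or from any of the tools named. It assumes Windows 8 / Server 2012 or later with PowerShell 3+, Chrome in its default per-user location, and reuses only the two domains and the time quoted in the first post.

```powershell
# Added triage script, not from the thread. Assumes Windows 8 / Server 2012 or
# later (ScheduledTasks module) and PowerShell 3+ (ConvertFrom-Json, -Raw).
$Domains   = @('download1291bucket.com', 'lpmxp2171.com')   # named in the thread
$PopupTime = '10:02'                                         # named in the thread

# 1. Scheduled tasks tied to 10:02. StartBoundary is an ISO-8601 string such as
#    2014-09-17T10:02:00, so match the time part; also catch tasks whose last
#    run landed on that minute regardless of how the trigger is written.
Write-Host "== Scheduled tasks tied to $PopupTime =="
foreach ($task in Get-ScheduledTask) {
    $info      = $task | Get-ScheduledTaskInfo
    $byTrigger = $task.Triggers | Where-Object { $_.StartBoundary -match "T$PopupTime" }
    $byLastRun = $info.LastRunTime.ToString('HH:mm') -eq $PopupTime
    if ($byTrigger -or $byLastRun) {
        foreach ($a in $task.Actions) {
            # Execute/Arguments are empty for COM-handler actions; the path still helps.
            '{0}{1} -> {2} {3}' -f $task.TaskPath, $task.TaskName, $a.Execute, $a.Arguments
        }
    }
}

# 2. Every extension on disk for every Chrome profile of the current user.
#    Names like __MSG_appName__ are localisation placeholders; the 32-char id
#    is what to look up, and broad permissions (tabs, <all_urls>) matter most.
$UserData = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data'
Write-Host "`n== Chrome extensions on disk =="
Get-Item -Path "$UserData\*\Extensions\*\*\manifest.json" -ErrorAction SilentlyContinue |
    ForEach-Object {
        $m     = Get-Content $_.FullName -Raw | ConvertFrom-Json
        $id    = $_.Directory.Parent.Name
        $perms = ($m.permissions | ForEach-Object { "$_" }) -join ','
        '{0}  {1}  v{2}  perms: {3}' -f $id, $m.name, $m.version, $perms
    }

# 3. Hosts file: report whether the two domains are already sinkholed (what a
#    hosts-file blocker does) and flag any live entry that is not a localhost
#    sinkhole, since hosts-file redirection is itself a common hijack method.
$Hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$Lines = Get-Content $Hosts | Where-Object { $_ -match '^\s*\d' }   # skip comments/blank
Write-Host "`n== hosts file =="
foreach ($d in $Domains) {
    $pattern = '^\s*(127\.0\.0\.1|0\.0\.0\.0)\s+{0}(\s|$)' -f [regex]::Escape($d)
    $blocked = $Lines | Where-Object { $_ -match $pattern }
    '{0,-26} {1}' -f $d, $(if ($blocked) { 'sinkholed' } else { 'not blocked' })
}
$Lines | Where-Object { $_ -notmatch '^\s*(127\.0\.0\.1|0\.0\.0\.0)\s' } |
    ForEach-Object { "redirect to review: $_" }
```

Run it in an elevated PowerShell on the affected machine while logged in as the affected user, since the Chrome path is resolved from that user's profile.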
DConnell, Member (Author), posted September 17, 2014

> Seems smart to task someone with fixing something, then not allow them to do their job. If they don't want to enable you to do what you have to do to fix it, then why bother wasting your time?

He prefers to stick to the software that's been purchased, rather than look elsewhere. I've been overridden on alternative programs in the past, so I'm erring on the side of caution.

> You don't need to uninstall Symantec AV. You can find portable versions of Malwarebytes and Spybot SD. HostsXpert is a hosts-file updater that redirects known malware websites to 127.0.0.1; it does not need to be installed either.

Now that could be useful. I swear by Malwarebytes, but I wasn't aware of a portable version.
xendrome, posted September 17, 2014

> He prefers to stick to the software that's been purchased, rather than look elsewhere. I've been overridden on alternative programs in the past, so I'm erring on the side of caution.

Sounds like they need to replace him, honestly. As someone else said, those 3 suggested apps would likely have cleaned the system by now, and you could be using your time for something productive at this point. :/
Brandon H, Supervisor, posted September 17, 2014

> Now that could be useful. I swear by Malwarebytes, but I wasn't aware of a portable version.

There's no "official" portable version, but plenty of people have made it portable. Pretty easy to find with a quick Google search. I always keep a copy (along with a few others) on my PortableApps drive :)
DConnell, Member (Author), posted September 17, 2014

Just installed MBAB on the computer, as I'm tired of p***yfooting around. It already detected the likely culprit. Sometimes you just need to go with what works, and not worry about permission. And the user's gone for the day, so I can do what's needed with no interference.
Anibal P, posted September 21, 2014

I'd lock that system down so tight he'd need permission to reboot. If the user cannot be trusted to not install unnecessary junk, then they lose the privilege. But then again, our systems disallow all software installs in AD, and only specific teams have access rights to install/uninstall.
DConnell, Member (Author), posted September 21, 2014

> I'd lock that system down so tight he'd need permission to reboot. If the user cannot be trusted to not install unnecessary junk, then they lose the privilege. But then again, our systems disallow all software installs in AD, and only specific teams have access rights to install/uninstall.

All of the non-malware stuff is actually needed for his job, including the multiple browsers. Can't lock it down without tying his hands.