Threats keep popping up while using Chrome

Starting today, I keep getting threat detections that seem to source back to Chrome.

Here is a screenshot of 4 of those messages:

http://www.minisgallery.com/avastpics.jpg

Any idea what may be causing this and/or how to fix it? I have run full Avast Scans, full Windows Defender scan and Microsoft’s Malicious Software Removal Tool. None of these are detecting any problems.

https://forum.avast.com/index.php?topic=53253.0

Thanks, I will give that a try.

Based on what I am experiencing it sounds like a virus that is in Chrome. I have run both Symantec’s ZeroAccess Fix Tool and Avast’s aswMBR from Safe Mode, but neither detected a problem. I do have all the proper anti-malware settings turned on in both IE and Chrome, so it’s very odd that I got hit with this.

Just run the tools and attach the logs to your next post.

I think I am good now.

I ran Malwarebytes and it did find several instances which I quarantined. This did not fix the problem though.

I reviewed Google’s tech support site and it suggested “resetting” Chrome’s settings. This did the trick!

Attach the logs anyway, we may find more that needs to be removed/corrected.
Not everything is always what the eye sees. :wink:

It appears the threat is not gone and is not limited to Chrome. I was using IE today, and had the same thing happen.

I have now attached the Malwarebytes log from yesterday.

I updated and re-ran Malwarebytes again today, but nothing further was found.

I will now run the other recommended program and post it in a new reply.

Here are the log files from FRST

Hi there, the first thing you must do is uninstall Chrome. You can re-install once we have finished.

CAUTION: This fix is only valid for this specific machine, using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
BHO: saveorebox -> {a9a3ffad-6404-4943-a984-5ac5bdebfa62} -> C:\Program Files (x86)\saveorebox\TzNxarM9MAiWbW.x64.dll ()
BHO: saavveernEt -> {baed6ba0-7a36-4f9b-b5ad-811caa93ac77} -> C:\Program Files (x86)\saavveernEt\eK58cG6vPvBh9M.x64.dll ()
BHO-x32: No Name -> {5C255C8A-E604-49b4-9D64-90988571CECB} -> No File
Toolbar: HKLM - No Name - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File
CHR HomePage: Profile 1 -> hxxp://www.google.ca/
CHR StartupUrls: Profile 1 -> "hxxp://www.google.ca/"
CHR Plugin: (Widevine Content Decryption Module) - C:\Users\TZ\AppData\Local\Google\Chrome\User Data\WidevineCDM\1.4.6.758\_platform_specific\win_x86\widevinecdmadapter.dll (Google Inc.)
CHR Plugin: (Shockwave Flash) - C:\Users\TZ\AppData\Local\Google\Chrome\Application\40.0.2214.111\PepperFlash\pepflashplayer.dll ()
CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Users\TZ\AppData\Local\Google\Chrome\Application\40.0.2214.111\internal-nacl-plugin No File
CHR Plugin: (Chrome PDF Viewer) - C:\Users\TZ\AppData\Local\Google\Chrome\Application\40.0.2214.111\pdf.dll ()
CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (ESN Launch Mozilla Plugin) - C:\Program Files (x86)\Battlelog Web Plugins\2.3.0\npesnlaunch.dll (ESN Social Software AB)
CHR Plugin: (Battlelog Game Launcher) - C:\Program Files (x86)\Battlelog Web Plugins\2.3.1\npbattlelog.dll (EA Digital Illusions CE AB)
CHR Plugin: (ESN Sonar API) - C:\Program Files (x86)\Battlelog Web Plugins\Sonar\0.70.4\npesnsonar.dll (ESN Social Software AB)
CHR Plugin: (AdobeAAMDetect) - C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect32.dll (Adobe Systems)
CHR Plugin: (Java Deployment Toolkit 7.0.600.19) - C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
CHR Plugin: (Java(TM) Platform SE 7 U60) - C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
CHR Plugin: (Silverlight Plug-In) - C:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
CHR Plugin: (VLC Web Plugin) - C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
CHR Plugin: (Windows Live® Photo Gallery) - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
CHR Plugin: (Unity Player) - C:\Users\TZ\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)
CHR Plugin: (Google Update) - C:\Users\TZ\AppData\Local\Google\Update\1.3.26.9\npGoogleUpdate3.dll (Google Inc.)
CHR Plugin: (Shockwave for Director) - C:\windows\SysWOW64\Adobe\Director\np32dsw_1213153.dll (Adobe Systems, Inc.)
CHR Plugin: (Microsoft Office 2010) - D:\PROGRA~1\MICROS~1\Office14\NPAUTHZ.DLL (Microsoft Corporation)
CHR Plugin: (Microsoft Office 2010) - D:\PROGRA~1\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
CHR Plugin: (ArcPlugin) - D:\Program Files (x86)\Arc\Plugins\npArcPluginFF.dll (Perfect World Entertainment Inc)
CHR Plugin: (Shockwave Flash) - D:\Program Files (x86)\Arc\plugins\NPSWF32.dll ()
CHR Profile: C:\Users\TZ\AppData\Local\Google\Chrome\User Data\Profile 1
CHR Extension: (Google Slides) - C:\Users\TZ\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-01-18]
CHR Extension: (Google Docs) - C:\Users\TZ\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\aohghmighlieiainnegkcijnfilokake [2015-01-18]
CHR Extension: (Google Drive) - C:\Users\TZ\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-01-18]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\TZ\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2015-01-18]
CHR Extension: (YouTube) - C:\Users\TZ\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-01-18]
CHR Extension: (Google Search) - C:\Users\TZ\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-01-18]
CHR Extension: (Adobe Acrobat - Create PDF) - C:\Users\TZ\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\efaidnbmnnnibpcajpcglclefindmkaj [2015-01-18]
CHR Extension: (Avast SafePrice) - C:\Users\TZ\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\eofcbnmajmjmplflapaojjnihcjkigck [2015-01-20]
CHR Extension: (Google Sheets) - C:\Users\TZ\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-01-18]
CHR Extension: (deealpeaak) - C:\Users\TZ\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\fideenfelnpjpjeebgeknflimjjenaoc [2015-02-13]
CHR Extension: (History Button) - C:\Users\TZ\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\fofpnhmbgmmeaialapfddhbhfongoinh [2015-01-18]
CHR Extension: (Avast Online Security) - C:\Users\TZ\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\gomekmidlodglbbmalcneegieacbdmki [2015-01-18]
CHR Extension: (Google Maps) - C:\Users\TZ\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\lneaknkopdijkpnocmklfnjbeapigfbh [2015-01-18]
CHR Extension: (Blipshot one click screenshots) - C:\Users\TZ\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\mdaboflcmhejfihjcbmdiebgfchigjcf [2015-02-13]
CHR Extension: (Google Wallet) - C:\Users\TZ\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-01-18]
CHR Extension: (Gmail) - C:\Users\TZ\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-01-18]
CHR HKLM-x32\...\Chrome\Extension: [efaidnbmnnnibpcajpcglclefindmkaj] - C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Browser\WCChromeExtn\WCChromeExtn.crx [2013-12-20]
CHR HKLM-x32\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - D:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChromeSp.crx [2015-01-15]
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - D:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2015-01-15]
StartMenuInternet: Google Chrome.OPJ66KLXZ4VN7636VICNRWIN4Q - C:\Users\TZ\AppData\Local\Google\Chrome\Application\chrome.exe
S2 5e825ac5; c:\Program Files (x86)\TerminusExtender\TerminusExtender.dll [1539072 2015-02-13] () [File not signed]
2015-02-13 23:47 - 2015-02-13 23:47 - 00000000 ____D () C:\Program Files (x86)\deealpeaak
2015-02-13 23:46 - 2015-02-13 23:47 - 00000000 ____D () C:\ProgramData\5711682634524344753
2015-02-13 23:46 - 2015-02-13 23:47 - 00000000 ____D () C:\Program Files (x86)\realdaeal
2015-02-13 23:46 - 2015-02-13 23:47 - 00000000 ____D () C:\Program Files (x86)\DIscountLOcatuor
2015-02-13 23:46 - 2015-02-13 23:46 - 00000000 ____D () C:\Program Files (x86)\saveorebox
2015-02-13 23:46 - 2015-02-13 23:46 - 00000000 ____D () C:\Program Files (x86)\saavveernEt
2015-02-13 23:46 - 2015-02-13 23:46 - 00000000 ____D () C:\Program Files (x86)\Blipshot one click screenshots
2015-02-13 15:47 - 2015-02-13 15:47 - 00000020 _____ () C:\Users\TZ\AppData\Roaming\appdataFr3.bin
2015-02-13 15:26 - 2015-02-13 15:26 - 00000000 ____D () C:\Program Files (x86)\TerminusExtender
2015-02-13 15:26 - 2015-01-14 09:49 - 00000000 ____D () C:\ProgramData\eaf639800005f46
2014-11-09 14:45 - 2014-05-13 08:15 - 0010240 _____ () C:\Users\TZ\AppData\Local\Z@!-697bae12-7813-4d3e-a8b7-4da8508bd94e.tmp
2014-11-09 14:45 - 2014-05-13 08:15 - 0010240 _____ () C:\Users\TZ\AppData\Local\Z@!-eccc7565-f29c-407e-8355-f6057112bf33.tmp
2014-11-09 14:45 - 2014-05-13 08:15 - 0009216 _____ () C:\Users\TZ\AppData\Local\Z@S!-b629c770-ec20-4923-ae9b-e0990f846c92.tmp
Task: {060F524D-B6D6-4BDC-AE90-8500D866DD03} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-3224736718-1516205740-3094550709-1000UA => C:\Users\TZ\AppData\Local\Google\Update\GoogleUpdate.exe [2012-06-28] (Google Inc.)
Task: {8B725BA0-DD75-47BC-968E-82E80514007E} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-3224736718-1516205740-3094550709-1000Core => C:\Users\TZ\AppData\Local\Google\Update\GoogleUpdate.exe [2012-06-28] (Google Inc.)
Task: C:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3224736718-1516205740-3094550709-1000Core.job => C:\Users\TZ\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3224736718-1516205740-3094550709-1000UA.job => C:\Users\TZ\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Users\TZ\AppData\Local\Google\Chrome
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix.
On completion a log will be generated; please post that.

THEN

Please download AdwCleaner by Xplode onto your desktop.

- Close all open programs and internet browsers.
- Double click on AdwCleaner.exe to run the tool.
- Click on Scan.
- After the scan is complete click on “Clean”.
- Confirm each time with Ok.
- Your computer will be rebooted automatically. A text file will open after the restart.
- Please post the content of that logfile with your next answer.
- You can find the logfile at C:\AdwCleaner[S1].txt as well.
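
The kind of triage an analyst does by eye on an FRST log like the one in the post above, as an added example (not part of the thread and not FRST's own logic). The sample lines are shortened from the fixlist in this thread, `C:\Profile` is a placeholder path, and the function names and the same-day heuristic are assumptions of this example.

```python
import re

# Markers that appear literally in the FRST lines quoted in this thread.
MARKERS = {
    "<======= ATTENTION": "FRST attention marker",
    "[File not signed]": "unsigned file",
}

def entry_date(line):
    """Return the date FRST shows for an entry, or None if it has none."""
    # File listing: the first timestamp is taken here as the creation time.
    m = re.match(r"(\d{4}-\d{2}-\d{2}) \d{2}:\d{2} - ", line)
    if m:
        return m.group(1)
    # Extensions, tasks and services: trailing [date] or [size date].
    m = re.search(r"\[(?:\d+ )?(\d{4}-\d{2}-\d{2})\]", line)
    return m.group(1) if m else None

def triage(lines):
    """Map each suspicious line to the list of reasons it was flagged."""
    lines = [l.strip() for l in lines if l.strip()]
    findings = {}
    for l in lines:
        reasons = [why for mark, why in MARKERS.items() if mark in l]
        if l.endswith("No File"):
            reasons.append("registry entry with no file")
        if reasons:
            findings[l] = reasons
    # Pivot: anything created on the same day as an unsigned file is worth a look.
    pivot = {entry_date(l) for l, r in findings.items() if "unsigned file" in r}
    pivot.discard(None)
    for l in lines:
        if entry_date(l) in pivot and "unsigned file" not in findings.get(l, []):
            findings.setdefault(l, []).append("created same day as unsigned file")
    return findings

# Constructed sample: lines shortened from the fixlist in this thread.
SAMPLE = r"""
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
BHO-x32: No Name -> {5C255C8A-E604-49b4-9D64-90988571CECB} -> No File
CHR Extension: (Google Docs) - C:\Profile\Extensions\aohghmighlieiainnegkcijnfilokake [2015-01-18]
CHR Extension: (Avast SafePrice) - C:\Profile\Extensions\eofcbnmajmjmplflapaojjnihcjkigck [2015-01-20]
CHR Extension: (deealpeaak) - C:\Profile\Extensions\fideenfelnpjpjeebgeknflimjjenaoc [2015-02-13]
S2 5e825ac5; c:\Program Files (x86)\TerminusExtender\TerminusExtender.dll [1539072 2015-02-13] () [File not signed]
2015-02-13 23:46 - 2015-02-13 23:46 - 00000000 ____D () C:\Program Files (x86)\saveorebox
""".splitlines()

if __name__ == "__main__":
    for line, reasons in triage(SAMPLE).items():
        print(", ".join(reasons), "=>", line)
```

The same-day pivot only ranks entries for review; a legitimate program installed on the same date would be flagged too.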

Thanks. I have now done the fixlist in FRST and run AdwCleaner.

Files are attached. Unfortunately, the problem still exists.

When I open up Chrome, Avast immediately will give me a blocked harmful webpage (always to a different URL). With IE it happens a lot less, but it does trigger when I connect to a webpage, but only about 2% of the time.

Normally all these programs I have run in Safe Mode. When I just did the FRST fix and AdwCleaner now, I ran these in normal mode… would that matter?

There may be a delay before essexboy can get back to you, it is now 11:46p.m. in the UK, so he is likely to be off-line for the night. He should be back on-line tomorrow.

> Normally all these programs I have run in Safe Mode. When I just did the FRST fix and AdwCleaner now, I ran these in normal mode... would that matter?

You run them in normal mode ... unless essexboy instructs you to use safe mode.

Could I have a fresh FRST scan, please? Is Chrome set to sync on start? If so, you may need to delete the sync data, as all that does is just bring the adware down again.

RE: Chrome sync on start.

I’m not certain what this is. Where would I find this in Chrome? I looked under settings and I don’t see anything that describes “sync on start”.

Latest log is attached.

I suggest you remove Spybot S&D since the detection rate it nowadays has is really bad.

I don’t use it. I just added it yesterday to see if it would help find the problem. I don’t have any of the features activated and will be deleting it along with the 15+ other programs I have downloaded to try to source out this problem.

Did you uninstall Chrome as initially requested? As you are still showing developer build