URL: Mal on every page, only when signed in to chrome

Viruses and worms
1

Hi all,

I keep getting this message whenever I launch Chrome, open a new tab or click to a new page within an already open tab:

avast! Web Shield has blocked a harmful webpage or file.

Object: hxxp://cdneurope.com/tr/contentTrActive.json
Infection: URL:Mal
Process: C:\Progarm Files (x86).…\chrome.exe

This only happens in Chrome, and only when I’m signed into Chrome (no warnings when I go incognito).

I’ve run scans with malwarebytes anti-malware that came out clean.

Any help appreciated!

2

Follow instructions https://forum.avast.com/index.php?topic=53253.0

3

Logs attached. Thank you in advance!

4

Let me know if this kills it

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CHR Extension: (Save to Pocket) - C:\Users\Tami\AppData\Local\Google\Chrome\User Data\Default\Extensions\niloccemoadcdkdjlinkgdfekeahmflj [2014-07-11] CMD:ipconfig /release CMD:netsh int ip reset CMD:ipconfig /renew CMD: DEL %TEMP%\*.* /F /S /Q CMD: RD /S /Q %TEMP% REBOOT:

Save this as fixlist.txt, in the same location as FRST.exe
Run FRST and press Fix
On completion a log will be generated please post that

5

Thanks essexboy - fixlog attached.

The problem persists.

6

Could you run chrome in incognito mode https://support.google.com/chrome/answer/95464?hl=en-GB and let me know if the alert still appears

7

No, the alert doesn’t appear in incognito mode.

One of the things I tried to do (before giving up and posting here), was to rename the User Data folder (under “%LOCALAPPDATA%\Google\Chrome”), and when I did I was able to start Chrome in normal mode without getting the alert as well, but as soon as I signed into Chrome with my Google account the alert came back.

8

OK what is happening there is that the malware is backed up in your sync folders, you will need to reset those
I would suggest that you delete the synch data, reset chrome and then re-enable synch
Unfortunately I do not use chrome so I do not know how to do that but I believe that there is a delete button on the dashboard

9

Thanks essexboy. I traced the problem to a chrome extension. Posting my experience so it might help someone else with the same symptoms:

I deleted the sync data, reset chrome, then signed in again. The problem came back, but there were a few seconds of quiet while my info was being loaded (between the time I signed in and the time the first alert sounded), which led me to believe it was one of the chrome extensions that was triggering the alert. I disabled all extensions and verified that I could surf with no alerts, and then re-enabled extensions one at a time to identify the culprit.

The chrome extension that was triggering mal:url alerts was “Orbvious Interest 1.9” (“Mark pages to read later. The fastest and most reliable Pocket (Read It Later) extension for Google Chrome”). I had used it for years with no incident so I suspect this may be an avast false positive, but I use “Save to Pocket 1.9.1” now so I had no problem getting rid of the old one.

10

Thanks for the update