Chrome "redirector" (adware related)

[jbleck]

following jordan4x's advice and creating a new thread after posting this problem in my status update a couple of times without any response...

 

trying to get rid of my Chrome "redirector"... it sometimes starts when clicking on some link... other times starts directly from the adress bar when i try to reach some site (www.microsoft.com for example).

the only tool that discovered some registry entry is adwcleaner... the others claim i'm clean (MalwareBytes, Hitman, MSRT)...

i did a fresh windows install and problem is still there... is Chrome syncing malware too?

how do i clean my account (only this redirector/s)?

 

yesterday's "adventure":

 

today's "adventure":

 

my Chrome extensions: Google Docs, Google Docs Offline, Google Mail Checker, Google Play Music, Google Sheets, Google Slides, WOT, IDM, Tampermonkey (no userscripts), OFFLINE Vkontakte Music Player.

[Kalju]

• What's your default browser?
• When did you last deleted all user data? Usually they are in %LocalAppData%\Google\Chrome\User Data  (if You haven't select any other place)
   (You can only maintain Favourites)

[AlienForce1]

This litle program might be the sollution to your problem : 

 

AdwCleaner 5.102

 

Quote

AdwCleaner is a free removal tool for :

• Adware (ads softwares)
• PUP/LPI (Potentially Undesirable Program)
• Toolbars
• Hijacker (Hijack of the browser's homepage)

It comes with both "Scan" and "Clean" mode. It can be easily uninstalled using the "Uninstall" button.

Compatible with Windows XP, Vista, 7, 8, 8.1, 10 in 32 & 64 bits

 

[jbleck]

 

39 minutes ago, Kalju said:

• What's your default browser?
• When did you last deleted all user data? Usually they are in %LocalAppData%\Google\Chrome\User Data  (if You haven't select any other place)
   (You can only maintain Favourites)

• Chrome
• Daily... and almost monthly a fresh Windows install

4 minutes ago, AlienForce1 said:

This litle program might be the sollution to your problem : 

 

AdwCleaner 5.102

 

 

as i mentioned... i already did and it's the only tool that found something... it doesn't anymore though and my problem is still present.

 

---

this thing occasionally bothers me ... some days i don't see it... some days happens more then once.

it only redirects me once... if i click the same link/adress again it takes me where it supposed to.

[AlienForce1]

If AdwCleaner didn`t solve your problem , then maybe you should reset your Chrome 

 

Another possible solution could be to delete .temp files - CCleaner is a very good one for this task .

[jbleck]

 

12 minutes ago, AlienForce1 said:

If AdwCleaner didn`t solve your problem , then maybe you should reset your Chrome 

 

i'll keep this as a last resort... was wondering if there's a way to discover the root of it.

wasn't sure if it's Windows or some external program that added some "tweak" to Chrome or if it's Chrome itself with it's synced data... i fresh installed Windows with WFC and AdGuard first and then Chrome and signed in with my account... problem still present.

 

[AlienForce1]

This article might help you ->  Chrome redirect virus. How to Remove? (Uninstall Guide)

[AlienForce1]

You should also check your hosts file - if it`s not like this , then that`s your problem (hosts file can be used by viruses to redirect your searches to another sites)

 

[jbleck]

25 minutes ago, AlienForce1 said:

This article might help you ->  Chrome redirect virus. How to Remove? (Uninstall Guide)

it has the symptoms described there... they are exagerating about the influence this problem has over the system and don't provide an answer that helps me though... 

11 minutes ago, AlienForce1 said:

You should also check your hosts file - if it`s not like this , then that`s your problem (hosts file can be used by viruses to redirect your searches to another sites)

 

if it was the hosts file then my problem would be easy... i only occasionally encounter this, not always and only with Chrome... it's not a system wide problem.

[jbleck]

again just now... from the address bar:

---

[AlienForce1]

Did you remove the .temp files from your PC (especially Chrome ? )

[unknownasphyxiated]

16 hours ago, jbleck said:

i fresh installed Windows with WFC and AdGuard first and then Chrome and signed in with my account... problem still present.

try using the chrome without sign-in to your account

check your chrome search engine setting

and check for unknown software that run in the background

[jbleck]

i did as AllienForce1 suggested and i'ts been 4 days since my last "adventure":

 

couldn't find the root of it though (the exact "setting")...

all the malware removal tools, cleaners and antiviruses i scanned my PC with (MBAM, AdwCleaner, Hitman, Windows Defender, BitDefender, CCleaner, Privacy Eraser) claimed i was clean... this might've been true at some point as i think the source of my problem was on some Google server (the one i uploaded it to without knowing that my settings are tampered with)... and i kept syncing with it thinking that Google is safe and they'll auto clean some crap...

 

lesson learned: the Cloud is foggy (can't walk through it as i would like to) ... i tested it ... both sides (device and the cloud) must be clean in order to escape some bug: clean your device and erase the cloud.

[jbleck]

i readded a Chrome extension i had and the problem resurfaced.

had a look at some of the files of the extension and found this part of code inside a .js file:

function checkIfNeedDisable(url)
{
  var reg = /^https?:\/\/(www\.)?(searchengines\.ru|searchengines\.guru|kote\.ws|forum\.antichat\.ru|webmasters\.ru|master-x\.com|gofuckbiz\.com|blackseo\.com|prosperent\.com\/account|members\.cj\.com|cpatext\.ru\/account|affiliates\.big-bang-ads\.com\/publisher|affiliates\.big-bang-ads\.com\/advertiser|login\.clickdealer\.com\/affiliates|publishers\.ytz\.com|affiliate\.trk4\.com\/logged\.php|v2\.propellerads\.com\/#\/admin\/dashboard|portals\.aliexpress\.com|popshops\.com\/dashboard|leadsgate\.com\/admin|clickbank\.com\/account|clicksure\.com\/affiliate|digiresults\.com\/users|warriorplus\.com\/wso|publisher\.zanox\.com|jvzoo\.com\/dashboard|ads\.alibaba\.com\/home|publisher\.ebaypartnernetwork\.com|affiliate-program\.amazon\.com|publishers\.viglink\.com\/dashboard|hubtraffic\.com\/profile|affiliate\.itunes\.apple\.com|affiliates\.bulltrax\.com\/publisher|leadsbox\.com\/publisher|login\.linkshare\.com|jvnewswatch\.com\/account|hub\.skimlinks\.com|publisher\.flexoffers\.com|maxbounty\.com\/index\.cfm|affili\.net\/de\/Home\.aspx|web\.ad2games\.com|cityads\.ru|cityads\.com|cityads\.com\/webmaster|admitad\.com\/ru\/webmaster|gdeslon\.ru\/dashboard|office\.ad1\.ru|mixmarket\.biz\/pmain|kma\.biz\/stat|kma\.biz\/offers|actionads\.ru\/aff|my\.leadgid\.ru|aff\.primelead\.com\.ua|webmasteractionpay\.ru\/en\/dashboard|actionpay\.ru\/ru\/dashboard|shakes\.pro\/index\.php|cpagetti\.com\/admin|ctr\.ru\/?event|advertstar\.net\/webmaster|webmaster\.tradeleads\.su|leadtrade\.ru\/webmaster|luckypartners\.com\/stats|qxplus\.ru\/affiliates|salesdoubler\.com\.ua\/affiliate|adinfo\.ru\/adminuser|m1-shop\.ru\/referral|affiliates\.adwad\.ru|afrek\.ru\/office|exelo\.ru\/office|7offers\.ru\/publisher|everad\.ru\/dashboard|affiliate\.tradetracker\.com|mastertarget\.ru\/affiliates|webmaster\.leads\.su|advaction\.ru\/partner|leadpays\.com\/promo|masterads\.ru\/webmaster|login\.tradedoubler\.com\/publisher|my\.biznip\.com\/affiliate|elonleads\.ru\/statistics|himba\.ru\/statistic|partner\.eviton\.ru|my\.clobucks\.com|affiliates\.cpaua\.com\.ua|pap\.prc-a\.com\/affiliates|inetrek\.com\/?page|pp1\.ru\/aff|cpapolice\.biz\/statistics|adsleader\.ru\/webmasters|hotpartner\.biz\/parthners|profile\.lead-r\.ru|advertise\.ru\/webmaster|cpapartner\.ru\/webmaster|booksharks\.ru\/user|websharks\.ru\/user|adcenter\.cpaplanet\.net\/publisher|my\.biggon\.net|adpro\.ru\/wm\/member\.php|epn\.bz\/ru\/cabinet|epn\.bz\/en\/cabinet|motiv8\.ru\/webmaster|thor-cpa\.com\/partner|cosmoleads\.ru\/affiliate|monetti\.ru\/office|my\.unileadnetwork\.com|welcomepartners\.com\/webmaster|partners\.gemwork\.biz|monsterleads\.pro\/cabinet|ppas\.ru\/webmaster|adspay\.ru\/webmaster|leadpays\.com\/stat|intpn\.com\/user|arbitrage\.top\/user|arbitrage\.top\/offers|gamblingattack\.com\/webmaster|affiliate\.leadspartner\.ru|poshfriends\.com\/stats|office\.partnerearn\.net|azartcash\.com\/dashboard|twistcash\.com\/members|babki-online\.ru\/publishers\.php|elonleads\.ru\/campaigns|leads3\.com\/stat|leads3\.com\/offer|convertit\.biz\/user|convertit\.biz\/statistics|approve\.kz\/webmaster|leadprom\.ru\/panel|mastertraf\.com\/stats\.php|mastertraf\.com\/offers\.php|moneytizer\.ru\/offer|gambling-partners\.com\/dashboard|rocketprofit\.ru\/offers|rocketprofit\.ru\/statApproved|my\.eviton\.ru|leetero\.ru\/offers|leetero\.ru\/statistics|cpa\.proffi\.co\/affiliates|oxcpa\.ru\/pages|travelpayouts\.com\/dashboard|affiliate\.olymptrade\.com|affiliates\.firstbinaryoption\.com|partner\.binaryoptions-affiliate\.com|alkodiscount\.ru\/account\/?user|wm\.liveberries\.com|partnerka\.kolorado\.ru|account\.shareasale\.com|affiliate\.iqoption\.com\/stats)\b/gi;
  if (reg.test(url))
  {
    disabled4 = true;
    localStorage["disabled4"] = true;
  }
  return disabled4;
}

i renamed that file, restarted Chrome and the extension is still functional... waiting to see if i my redirect thing happens again.

 

am i on to something here?... i'm not a coder...