Author Topic: [SOLVED !!!] Possible Chrome Trojan - HTML:Includer-AW[Trj]  (Read 7880 times)

Offline rednevals

  • Newbie
  • *
  • Posts: 8
[SOLVED !!!] Possible Chrome Trojan - HTML:Includer-AW[Trj]
« on: February 21, 2014, 08:39:55 PM »
I've been getting this pop-up when launching Chrome. I have searched extensively and have not found any info on this possible Trojan. Any ideas where to look, or what to do about it?

Late 2013 MacBook Pro 15" + Mavericks

See attached screen shot...
« Last Edit: March 22, 2014, 04:48:30 PM by rednevals »

Offline krahulik

  • Avast team
  • Sr. Member
  • *
  • Posts: 277
Re: Possible Chrome Trojan - HTML:Includer-AW[Trj]
« Reply #1 on: March 13, 2014, 03:21:25 PM »
Hello,
  clean Chrome's cache. If you chest/delete the file directly, make sure the Chrome browser is not running.

Martin

Offline rednevals

  • Newbie
  • *
  • Posts: 8
Re: Possible Chrome Trojan - HTML:Includer-AW[Trj]
« Reply #2 on: March 14, 2014, 04:48:31 PM »
Seems like a catch-22 situation....

I closed/quit chrome. The file is not present: /Users/scott/Library/Application Support/Google/Chrome/Default/History Provider Cache

When I start Chrome, the Avast infection popup appears, telling me that it detected this trojan/virus, and has moved the file into the Chest. So, I never have an opportunity to remove the offending file. This is indicating to me that there is an active trojan that is running, trying to install this file when Chrome is launched. I also occasionally see this message when Chrome is being closed.

Does that make sense? How can I scan for this Trojan? Or is this some kind of false alarm? :'(

Offline rednevals

  • Newbie
  • *
  • Posts: 8
Re: Possible Chrome Trojan - HTML:Includer-AW[Trj]
« Reply #3 on: March 19, 2014, 03:51:16 AM »
I tried removing Chrome and reinstalling, including removing the applications support folder. Now I get the attached two popups when starting Chrome.

Offline krahulik

  • Avast team
  • Sr. Member
  • *
  • Posts: 277
Re: Possible Chrome Trojan - HTML:Includer-AW[Trj]
« Reply #4 on: March 20, 2014, 01:26:53 PM »
Hello,
  the last two messages are from the File System Shield, which has isolated suspicious files. If this repeats and you would like to completely remove Chrome and install it fresh, here are the terminal commands:

sudo rm -rf /Applications/Google\ Chrome.app
sudo rm -rf /Library/Google/Google*
sudo rm -rf /Library/Application\ Support/Google/RLZ
sudo rm -rf /Library/Application\ Support/Google/Chrome
rm -rf ~/Library/Google/Google*
rm -rf ~/Library/Application\ Support/Google/RLZ
rm -rf ~/Library/Application\ Support/Google/Chrome

Martin
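
Added example, not part of the original post and not Avast's or Google's own tooling: a variant of the per-user part of the commands above that moves the Chrome data aside instead of deleting it, so the flagged History Provider Cache file stays available for inspection, and that refuses to run while Chrome is open, as advised in Reply #1. The `chrome-backup-<timestamp>` folder name and both function names are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: set the per-user Chrome data aside instead of rm -rf.
# The three per-user paths come from the commands in the post above;
# the backup folder name is an assumption of this sketch.

# True when a process named exactly "Google Chrome" is running (macOS name).
chrome_running() {
  pgrep -x "Google Chrome" >/dev/null 2>&1
}

# Move the per-user Chrome directories under $1 (default: $HOME) into a
# timestamped backup folder and print that folder's path.
# Returns 1 if Chrome is running, 2 if there was nothing to move.
stash_chrome_profile() {
  local home="${1:-$HOME}"
  local backup="$home/chrome-backup-$(date +%Y%m%d-%H%M%S)"
  local rel path moved=0

  if chrome_running; then
    echo "Quit Chrome first; it rewrites its profile files on exit." >&2
    return 1
  fi

  for rel in "Library/Application Support/Google/Chrome" \
             "Library/Application Support/Google/RLZ"; do
    [ -e "$home/$rel" ] || continue
    mkdir -p "$backup/$(dirname "$rel")"
    mv "$home/$rel" "$backup/$rel"
    moved=$((moved + 1))
  done

  # ~/Library/Google/Google* is a glob in the original commands.
  for path in "$home"/Library/Google/Google*; do
    [ -e "$path" ] || continue
    mkdir -p "$backup/Library/Google"
    mv "$path" "$backup/Library/Google/"
    moved=$((moved + 1))
  done

  [ "$moved" -gt 0 ] || { echo "nothing to move under $home" >&2; return 2; }
  echo "$backup"
}

# Usage after sourcing this file:  stash_chrome_profile
```

The system-wide paths under /Applications and /Library from the post are left alone here; only the per-user data, where the flagged file lives, is moved.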

Offline rednevals

  • Newbie
  • *
  • Posts: 8
Re: Possible Chrome Trojan - HTML:Includer-AW[Trj]
« Reply #5 on: March 21, 2014, 01:43:27 AM »
Excellent! That worked. Thank you so much... :)

Offline rednevals

  • Newbie
  • *
  • Posts: 8
Re: Possible Chrome Trojan - HTML:Includer-AW[Trj]
« Reply #6 on: March 21, 2014, 01:55:52 AM »
Actually, it didn't. I performed those commands and reinstalled Chrome. It appeared to work. After I logged into my Google account, and synched my bookmarks bar, the issue is back. See attached screen shots, which occur every time I start Chrome.

Offline specimen9999

  • Sr. Member
  • ****
  • Posts: 349
Re: Possible Chrome Trojan - HTML:Includer-AW[Trj]
« Reply #7 on: March 21, 2014, 07:39:45 PM »
Maybe you should try to empty your history and cache?

Offline rednevals

  • Newbie
  • *
  • Posts: 8
Re: Possible Chrome Trojan - HTML:Includer-AW[Trj]
« Reply #8 on: March 22, 2014, 12:56:29 AM »
I have...  :)

Actually, the commands mentioned above remove that:

Code:
rm -rf ~/Library/Application\ Support/Google/Chrome
Maybe this is coming from a synch of my Google account history. I'll try this again and avoid logging into my Google account for a while to see if it happens again.
« Last Edit: March 22, 2014, 02:04:19 PM by rednevals »

Offline rednevals

  • Newbie
  • *
  • Posts: 8
Re: Possible Chrome Trojan - HTML:Includer-AW[Trj]
« Reply #9 on: March 22, 2014, 04:47:44 PM »
Ok, I think I may have licked this one...

The clue was that when I removed and re-installed Chrome, the issue seemed to go away. It returned as soon as I logged into Google and synched. This pulls in lots of data that is shared across all of my devices. This includes a Windows 7 PC, as well as my iPhone. The nice thing about this is that I have a single place for bookmarks, history, logins, etc. The downside is that this added something that Avast detected as a possible Trojan in this shared history.

The solution was to run the commands to remove Chrome and reinstall. But, before logging into Google, I went to my PC, and purged all history and browser cache. Then, when I logged into Google on my Mac and synched, the issue did not occur.

I hope that this helps anyone else that may run into this in the future.

P.S: The weird thing is that Avast on my Windows 7 PC did not complain about it.
« Last Edit: March 22, 2014, 05:18:57 PM by rednevals »