Author Topic: clients2.googleusercontent.com  (Read 7988 times)

Offline Mwyarm

  • Newbie
  • *
  • Posts: 6
clients2.googleusercontent.com
« on: January 08, 2020, 01:02:12 AM »
2-3 days ago I started getting an Avast pop-up warning of an aborted connection to:
clients2.googleusercontent.com because it was infected with Other:Malware-gen [Trj]
It states it was found in chrome.exe process. Snapshot of message attached.

I uninstalled Chrome and reinstalled and pop-ups continued.

I downloaded Malwarebytes yesterday before finding this forum and ran 2 scans which found some items but did not appear to be related - 29 items were sent to quarantine. Afterwards, the pop-up occurred shortly after.

Today, before finding this forum, I searched the registry and found 2 values under Chrome Extensions pointing to the url noted. I backed up the registry and deleted the 2 extension values, performed a reset of chrome and searched for harmful files. Confirmed the extensions were also deleted in the WIN 10 folder for Chrome. Rebooted and the pop-up occurred again.

I also searched all files\folders under WIN C and I cannot find any reference to the URL.
Found this forum and attaching the suggested documents:
MBAM Search Results 3.tx
First.txt
Addition.txt

I cannot seem to find where such redirects are occurring.
« Last Edit: January 08, 2020, 01:04:11 AM by Mwyarm »

Offline Mwyarm

  • Newbie
  • *
  • Posts: 6
Re: clients2.googleusercontent.com
« Reply #1 on: January 09, 2020, 04:57:26 PM »
Any suggestions or ideas beyond a full wipe of the partition and reinstalling windows and all required applications?

Offline Sass Drake

  • MyCity AMF R2
  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 820
Re: clients2.googleusercontent.com
« Reply #2 on: January 09, 2020, 10:32:29 PM »
  • Open Notepad (click Start button -> type notepad.exe -> press Enter)
  • Copy text from code block below and paste it into Notepad
Code:
FF HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
  • Go to File -> Save As
  • Make sure that UTF-8 is selected as Encoding (left side of Save button)
  • Save it as fixlist.txt on Desktop
  • Open again FRST and click on button Fix
  • Wait until FRST finishes
  • fixlog.txt should be generated and opened. Attach it to your post and wait for further instructions.
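
Added example, not part of the original post and not FRST's own code: a read-only PowerShell inventory of the two policy keys named in the fixlist above, so their values can be reviewed and saved before a fix removes them. The HKCU policy path and the Chrome Extensions paths (the registry location for externally installed Chrome extensions, as mentioned in the first post) are additions assumed here, not taken from the fixlist.

```powershell
# Read-only: lists values, changes nothing. Run in an elevated PowerShell window.
$policyRoots = @(
    'HKLM:\SOFTWARE\Policies\Google',           # from the fixlist (CHR line)
    'HKLM:\SOFTWARE\Policies\Mozilla\Firefox',  # from the fixlist (FF line)
    'HKCU:\SOFTWARE\Policies\Google'            # assumption: per-user policies
)
$extensionRoots = @(                            # assumption: external extension keys
    'HKLM:\SOFTWARE\Google\Chrome\Extensions',
    'HKLM:\SOFTWARE\WOW6432Node\Google\Chrome\Extensions',
    'HKCU:\SOFTWARE\Google\Chrome\Extensions'
)

function Get-RegistryValues {
    param([string[]]$Roots)
    foreach ($root in $Roots) {
        # A missing key simply means nothing is configured there.
        if (-not (Test-Path -LiteralPath $root)) { continue }
        $keys = @(Get-Item -LiteralPath $root) +
                @(Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                [pscustomobject]@{
                    Key   = $key.Name
                    Name  = $name
                    Value = ($key.GetValue($name) -join ', ')
                }
            }
        }
    }
}

'--- Browser policy values ---'
Get-RegistryValues -Roots $policyRoots | Format-Table -AutoSize -Wrap

# Each subkey is an extension ID; an update_url value shows where it installs from.
'--- Registry-installed Chrome extensions ---'
Get-RegistryValues -Roots $extensionRoots | Format-Table -AutoSize -Wrap
```

Any extension ID that appears under a forced-install policy or an Extensions key and that the user did not install is the entry to look up before removal.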

Offline Mwyarm

  • Newbie
  • *
  • Posts: 6
Re: clients2.googleusercontent.com
« Reply #3 on: January 10, 2020, 12:04:49 AM »
Fixlog.txt is attached

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33916
  • malware fighter
Re: clients2.googleusercontent.com
« Reply #4 on: January 10, 2020, 05:22:31 PM »
Hi Mwyarm,

Before a qualified remover is to dive into your log txt, just read this in the meantime:

https://webcookies.org/ssl/report/clients2.googleusercontent.com/191677

We were there before: https://forum.avast.com/index.php?topic=210556.0

Success,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Sass Drake

  • MyCity AMF R2
  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 820
Re: clients2.googleusercontent.com
« Reply #5 on: January 10, 2020, 05:28:27 PM »
What is system status now?

Offline Mwyarm

  • Newbie
  • *
  • Posts: 6
Re: clients2.googleusercontent.com
« Reply #6 on: January 10, 2020, 06:41:08 PM »
Status is the same. I tried uninstalling Chrome, restarting PC, reinstalled Chrome and I have the same results. It does not happen on Firefox, just Chrome, as is referenced in the picture I posted where Avast was able to circumvent the redirect and points to the path of Chrome.exe.

I have tried previously disabling all extensions, including a second pass at removing them completely. That did not work.

I am at a loss of what to try next.
« Last Edit: January 11, 2020, 02:03:42 AM by Mwyarm »

Offline Sass Drake

  • MyCity AMF R2
  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 820
Re: clients2.googleusercontent.com
« Reply #7 on: January 11, 2020, 11:35:49 AM »
It might be Avast false positive. Can you contact their support nad asj them to analyze it?

Offline Mwyarm

  • Newbie
  • *
  • Posts: 6
Re: clients2.googleusercontent.com
« Reply #8 on: January 11, 2020, 06:08:43 PM »
I am sorry but what is nad and asj?

Offline rocksteady

  • Super Poster
  • ***
  • Posts: 1551
Re: clients2.googleusercontent.com
« Reply #9 on: January 11, 2020, 06:43:57 PM »
I think they are just simple typos
nad = and
asj = ask

So maybe should read as this:
Can you contact their support and ask them to analyze it?

Offline Sass Drake

  • MyCity AMF R2
  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 820
Re: clients2.googleusercontent.com
« Reply #10 on: January 11, 2020, 10:01:46 PM »
rocksteady is right, it was a typo. :/

Offline Mwyarm

  • Newbie
  • *
  • Posts: 6
Re: clients2.googleusercontent.com
« Reply #11 on: January 13, 2020, 06:47:25 PM »
I could not find a help number with Avast so I downloaded and installed ZoneAlarm. Although I was planning to use their tool for access monitoring, they also have a virus shield. I ran it and it found 2 extensions where it detected malware. It automatically went into an advanced repair including rebooting the PC. I then did a second scan to complete a full scan and it found 2 other viruses which it also quarantined. After using my PC yesterday evening and off and on today I have not had any additional occurrences. I don't believe one day is a true test so I will post again in 3-4 days.

That said, each time Avast aborted the connection it would prompt for an upgrade but it never attempted to do a repair - it always asked to click for a paid upgrade. I cannot fault them for wanting a paid subscription as they are not in the business to give everything away for free. I suppose ZoneAlarm will do the same over time. However, since ZoneAlarm found the additional viruses I have decided to trust them more, at least for now. I know everyone speaks highly of Avast Free but it has not served me well. After almost a week of installing and uninstalling many different things, researching the web for how others have solved, I have lost confidence in Avast.

Will post back in 2 days with another update.