How can I detect what causes Chrome to open a tab for "http://eaes.2track.info/" each time I search something in the address bar?

Question

Interestingly this only happens for the first few searches I do after starting the Windows. Afterward it doesn't open a tab for "http://eaes.2track.info/" anymore.

Some details:

I use Windows 7 SP1 x64 Ultimate.
I don't see anything suspicious in Control Panel\All Control Panel Items\Programs and Features. Only Chrome is affected: Internet Explorer and Firefox are fine. Chrome with incognito mode is also working fine.
Avast isn't complaining about anything
Looking at chrome://settings/searchEngines, the address bar uses Google with {google:baseURL}search?q=%s&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:iOSSearchLanguage}{google:searchClient}{google:sourceId}{google:contextualSearchVersion}ie={inputEncoding}, which seems fine to me.
I have noticed a few bookmark icons changing to (WM is expected, but the icon before it changed).
Running chrome://settings/safetyCheck doesn't show any issue with the extensions.
C:\Windows\System32\drivers\etc just contains one line of NUL characters (probably got nuked by some non-malicious crapware some time ago).
I have the extension "Auto Refresh" (ID=ifooldnmmcmlbdennkpdnlnbgbmfalko) but it isn't loaded. I assume this means it doesn't run.

Please see this link for information about "eaes.2track.info" at __symantec.com__ https://safeweb.symantec.com/report/show?url=eaes.2track.info You can also run another queary yourself, for other sites too. Of course, the real judge is you. — vssher, Jun 11 '20 at 00:31

score 8 · Accepted Answer · answered Jun 10 '20 at 20:11

8

Same thing happened to me, apparently the extension "Auto Refresh" is malware.

answered Jun 10 '20 at 20:11

Guest

96
1

Thanks, interesting, I do have extension "Auto Refresh" but it isn't loaded. I had assumed this means it doesn't run. Let me try to remove it to see if it fixes the issue. – Franck Dernoncourt Jun 10 '20 at 20:13
Looks like this fixed the issue. I'll wait a few days before accepting to check if the issue is gone for good – Franck Dernoncourt Jun 10 '20 at 20:20
Follow-up question: [Does disabling a Google Chrome extension prevent any code of the extension from being executed?](https://superuser.com/q/1559709/116475) – Franck Dernoncourt Jun 11 '20 at 00:51
For Chrome extensions, Disabling isn't the same as removing... I don't know why this is the case because it should be.... – Dave Jun 11 '20 at 06:01
same happened to me and in office :( – dasfdsa Jun 12 '20 at 16:39

score 3 · Answer 2 · answered Jun 12 '20 at 17:16

3

malicious code is in its background.js You can read about it in this reddit thread: https://www.reddit.com/r/chrome/comments/gg2nii/auto_refresh_extension_now_malware/fql6uds/

Also these guys have create multiple other extensions for chrome and ff. example: https://chrome.google.com/webstore/detail/page-refresh/hmooaemjmediafeacjplpbpenjnpcneg

Be careful while installing extensions.

answered Jun 12 '20 at 17:16

dasfdsa

131
2

Thanks. Does Chrome runs `background.js` even when the extension is disabled? – Franck Dernoncourt Jun 12 '20 at 17:19
no. it runs only when enabled – dasfdsa Jun 12 '20 at 17:20
Was there research done about the extent of the damage for this extension? Was it just a deliverer or was it a keylogger too? – Isa Jun 19 '20 at 15:32

How can I detect what causes Chrome to open a tab for "http://eaes.2track.info/" each time I search something in the address bar?

2 Answers2

Linked