Forum Thread: Please help! VERY suspicious Google Chrome "fix"

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
PSI

This thread has been marked as resolved.
TT193 Please help! VERY suspicious Google Chrome "fix"
Member 5th Mar, 2012 20:52
Ranking: 0
Posts: 12
User Since: 5th Mar, 2012
System Score: N/A
Location: US
I ran PSI this morning, and PSI told me Google Chrome was out of date (even though Chrome itself told me it was up to date in the "About Me" menu option).

I decided to trust PSI, and told it to fix my supposedly outdated version of Chrome, and update it to 17.0.963.65. I downloaded and executed the installer.

That's when things got REALLY suspicious. The installer was called an "installerer", and it had what I believe was German writing and buttons. I tried to cancel the install, but it just kept on going.

After the install was completed, Windows told me that Google Chrome had been installed by an administrator, whereas my previous version had been installed by a User (even though both had been installed under my login). My old Chrome taskbar icon doesn't work now either.

Something seems very strange here, mostly because of the German writing and poor grammar. Did I just unwittingly download and install malware? Where does Secunia PSI get its patched software from, that I just downloaded and installed?

Recommendations? Kinda concerned...

Thanks all.


Post "RE: Please help! VERY suspicious Google Chrome "fix"" has been selected as an answer.
mogs RE: Please help! VERY suspicious Google Chrome "fix"
Expert Contributor 5th Mar, 2012 21:10
Score: 2265
Posts: 6,266
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
@TT193

I had a little trouble with the Stable update to Chrome.... tho' I'd discovered the new version before PSI made me aware. The update server wasn't working.... in that case I update from here :-
http://www.chromium.org/getting-involved/dev-chann... Stable channel for Windows.

If you decide to follow that method ......check for any other versions installed and delete. I doubt there is need to be concerned about Secunia's offering, but if you are still concerned run your security software.....hope the foregoing is of some help........regards,

--
Anthony Wells RE: Please help! VERY suspicious Google Chrome "fix"
Expert Contributor 5th Mar, 2012 21:30
Score: 2445
Posts: 3,334
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 5th Mar, 2012 21:44
Hi ,

I personally would need to know exactly why/how PSI gave a link to an apparently German language installer .

You don't say which language you were expecting nor which version of the PSI you are using . It sounds like you used the install solution rather than any "auto-update" ; whichever , if it were me , if support do not pick up here tomorrow (CET) , I would contact them by email at support@secunia.com .

Let us know how you get on .

Anthony

EDIT: "installerer" is more likely Danish or Norwegian than German .

--


It always seems impossible until it's done.
Nelson Mandela
TT193 RE: Please help! VERY suspicious Google Chrome "fix"
Member 5th Mar, 2012 21:55
Score: 0
Posts: 12
User Since: 5th Mar 2012
System Score: N/A
Location: US
Thanks both for the prompt replies.

@Anthony
I was expecting an English version of Chrome. I have Secunia PSI 2.0.0.4003 installed.

Yes, I think I used the "install" solution as you mention. I ran PSI manually, and then manually clicked "fix" (or whatever the name of the button was that alerts you when you have an insecure version of something). This started the "Google_Chrome_17.0.963.65.exe" download to my desktop, which I then ran after the download completed.

All my menu options in Chrome are in English... even though the installer was in another language and seemed suspicious.

Does it sound like the installer was a legitimate update, and I just received the wrong language version? Or do you think there's cause for concern?

Please let me know if you need any additional info.
Anthony Wells RE: Please help! VERY suspicious Google Chrome "fix"
Expert Contributor 5th Mar, 2012 22:38
Score: 2445
Posts: 3,334
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

Hi ,

Your info is what I was guessing it would be .

It is "bizarre" and there is always a possibility of you having been redirected to a bad guy site , but that would likely need your computer to have been infected before you tried to update Chrome .

If you still have the "installerer" on your desktop , right click it and look in "properties" or its equivalent in Norwegian ("eiendommer") or some such . A proper Secunia sourced installer should be signed , I believe . An old Chrome installer I have on my system is digitally signed by Google .

Do you have that ??

Anthony



--


It always seems impossible until it's done.
Nelson Mandela
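
Added example, not part of the original thread: Explorer shows the Digital Signatures tab discussed above only when the executable carries an embedded Authenticode signature, which is stored in the PE certificate table. This Python code looks for that table; the function names and the sample bytes are constructed for illustration.

```python
import struct
from typing import NamedTuple, Optional

SECURITY_DIR_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY (certificate table)

class EmbeddedSignature(NamedTuple):
    file_offset: int   # where the WIN_CERTIFICATE blob starts in the file
    size: int          # size of the certificate table in bytes
    cert_type: int     # 0x0002 = PKCS#7 SignedData, the Authenticode type

def find_embedded_signature(data: bytes) -> Optional[EmbeddedSignature]:
    """Locate the embedded Authenticode blob in a PE image; None if absent."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: no MZ header")
    try:
        (pe_off,) = struct.unpack_from("<I", data, 0x3C)   # e_lfanew
        if data[pe_off:pe_off + 4] != b"PE\0\0":
            raise ValueError("not a PE file: no PE signature")
        opt = pe_off + 4 + 20          # optional header follows the COFF header
        (magic,) = struct.unpack_from("<H", data, opt)
        if magic not in (0x10B, 0x20B):
            raise ValueError("unknown optional header magic")
        dirs = opt + (96 if magic == 0x10B else 112)       # PE32 vs PE32+
        (count,) = struct.unpack_from("<I", data, dirs - 4)
        if count <= SECURITY_DIR_INDEX:
            return None
        offset, size = struct.unpack_from("<II", data, dirs + 8 * SECURITY_DIR_INDEX)
        if offset == 0 or size < 8:
            return None                # unsigned: the directory entry is empty
        if offset + size > len(data):
            raise ValueError("certificate table points outside the file")
        _length, _revision, cert_type = struct.unpack_from("<IHH", data, offset)
    except struct.error as exc:
        raise ValueError("truncated PE headers") from exc
    return EmbeddedSignature(offset, size, cert_type)

def build_sample_pe(signed: bool) -> bytes:
    """Constructed minimal PE32 headers for the demo (not a real installer)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)    # PE32 magic
    struct.pack_into("<I", opt, 92, 16)      # NumberOfRvaAndSizes
    blob = b""
    if signed:
        payload = b"\x30\x80" + b"\0" * 6    # placeholder bytes, not a real PKCS#7
        blob = struct.pack("<IHH", 8 + len(payload), 0x0200, 0x0002) + payload
        headers_len = len(dos) + 4 + len(coff) + len(opt)
        struct.pack_into("<II", opt, 96 + 8 * SECURITY_DIR_INDEX, headers_len, len(blob))
    return dos + b"PE\0\0" + coff + bytes(opt) + blob

if __name__ == "__main__":
    for label, signed in (("unsigned sample", False), ("signed sample", True)):
        print(label, "->", find_embedded_signature(build_sample_pe(signed)))
```

A non-None result only means a signature blob is embedded; whether it is valid and who signed it is what the Digital Signatures tab, or PowerShell's `Get-AuthenticodeSignature`, reports.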
TT193 RE: Please help! VERY suspicious Google Chrome "fix"
Member 5th Mar, 2012 23:00
Score: 0
Posts: 12
User Since: 5th Mar 2012
System Score: N/A
Location: US
The Chrome installer from PSI today does not have the Digital Signatures tab in the Properties window, and I couldn't find anything else referring to a Digital Signature in any of the other tabs.... so I'm guessing it's unsigned.

Also, not sure if this is important, but "installerer" and the foreign language didn't show up until the installation was underway.

This is getting stranger and stranger... I wish someone from PSI would post something and tell me where exactly this file came from... I'm still nervous about it.



Anthony Wells RE: Please help! VERY suspicious Google Chrome "fix"
Expert Contributor 5th Mar, 2012 23:17
Score: 2445
Posts: 3,334
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

Hello again ,

Secunia support staff will not be back before tomorrow morning Central European Time (CET) , so you will need to be patient until then for a reply ; of course you could send an email prior to that to be waiting for them in view of your time difference .

You might try to download and save (not run as of now) the Google installer direct from Mogs' link and compare the properties and see if it is signed or not .

There were problems with the Chrome silent update/server earlier today , as Mogs pointed out , so that could be a source of the problem .

Your concern is quite normal , so do run whatever security software you have and maybe limit any "confidential" doings on your computer for now ,

It is getting late for me , but Mogs is still likely to be around , so let us know how you are getting on .

Anthony

--


It always seems impossible until it's done.
Nelson Mandela
TT193 RE: Please help! VERY suspicious Google Chrome "fix"
Member 5th Mar, 2012 23:25
Score: 0
Posts: 12
User Since: 5th Mar 2012
System Score: N/A
Location: US
Thanks for the help today guys. I emailed Secunia customer support, so hopefully we'll get a response from them on this board soon.

I followed the link mogs posted, and downloaded the file. It's a Chrome setup file which is about 700 kilobytes, and is signed. The file that Secunia had me download earlier today looks like it's the full Chrome installer, since it's 24.6 megabytes.

Have a good night!
jckinnick RE: Please help! VERY suspicious Google Chrome "fix"
Member 6th Mar, 2012 03:50
Score: 6
Posts: 143
User Since: 21st May 2010
System Score: N/A
Location: N/A
I was having trouble with Chrome updating. File Hippo and Major Geeks said there was an update available to the .65 version but whenever I ran the update I kept staying the same old .56 version. I scanned with PSI and tried the update solution they offered and my virus protection came up and said malicious. I went ahead and downloaded it but it's still the .56 version, and also PSI is now at 100% instead of 99%. It also says business beside the Chrome version I have now in the PSI results.
jckinnick RE: Please help! VERY suspicious Google Chrome "fix"
Member 6th Mar, 2012 03:55
Score: 6
Posts: 143
User Since: 21st May 2010
System Score: N/A
Location: N/A
on 5th Mar, 2012 23:25, TT193 wrote:
Thanks for the help today guys. I emailed Secunia customer support, so hopefully we'll get a response from them on this board soon.

I followed the link mogs posted, and downloaded the file. It's a Chrome setup file which is about 700 kilobytes, and is signed. The file that Secunia had me download earlier today looks like it's the full Chrome installer, since it's 24.6 megabytes.

Have a good night!



So it's not malicious?
TT193 RE: Please help! VERY suspicious Google Chrome "fix"
Member 6th Mar, 2012 04:29
Score: 0
Posts: 12
User Since: 5th Mar 2012
System Score: N/A
Location: US
@jckinnick

I still don't know if it's malicious. I'm hoping Secunia will reply on this thread tomorrow.

Did you download the same "Google_Chrome_17.0.963.65.exe" 24.6 meg file that I did, using PSI to start the download?

Which virus program identified it as malicious? I have Kaspersky, and it hasn't flagged it... but I still have my doubts.
jckinnick RE: Please help! VERY suspicious Google Chrome "fix"
Member 6th Mar, 2012 04:32
Score: 6
Posts: 143
User Since: 21st May 2010
System Score: N/A
Location: N/A
Yeah, I downloaded it first from File Hippo then from Major Geeks and from the actual Chrome website, but those just plain didn't work, no foreign language. It wasn't until I tried PSI last and downloaded like you did with the fix solution that it showed the foreign language.
TT193 RE: Please help! VERY suspicious Google Chrome "fix"
Member 6th Mar, 2012 04:56
Score: 0
Posts: 12
User Since: 5th Mar 2012
System Score: N/A
Location: US
Well, at least it's reassuring that neither of us is alone in that it happened to us.

Does your Chrome now show that you are on version 17.0.963.65? Mine does, but sometimes it puts an "m" after the version number. Very strange...

I assume your version of PSI should have downloaded the U.S. version of Chrome, correct?

jckinnick RE: Please help! VERY suspicious Google Chrome "fix"
Member 6th Mar, 2012 05:00
Score: 6
Posts: 143
User Since: 21st May 2010
System Score: N/A
Location: N/A
I never could get my Chrome to show 65; it's still showing 56.
TT193 RE: Please help! VERY suspicious Google Chrome "fix"
Member 6th Mar, 2012 05:16
Score: 0
Posts: 12
User Since: 5th Mar 2012
System Score: N/A
Location: US
Did you run the version downloaded from PSI?
Anthony Wells RE: Please help! VERY suspicious Google Chrome "fix"
Expert Contributor 6th Mar, 2012 14:56
Score: 2445
Posts: 3,334
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 6th Mar, 2012 17:53
Hi ,

.56 (Business) relates to Chrome Frame and not the Chrome browser . On my system it is yet to be updated so the PSI displays it as .56 and up to date .

What is the "detected instance" pathway showing for it ??

Do you have another instance of .65 loaded somewhere ?? if so what is the pathway ??

Anthony

EDIT: My system now has updated to .65(Business) but has left the .56 folder behind (normal Google Chrome update procedure) ; an individual programme re-scan was needed in order to recognise the update .

--


It always seems impossible until it's done.
Nelson Mandela
TT193 RE: Please help! VERY suspicious Google Chrome "fix"
Member 6th Mar, 2012 21:16
Score: 0
Posts: 12
User Since: 5th Mar 2012
System Score: N/A
Location: US
@Anthony

PSI shows Chrome's version as "17.0.963.65 (Business)". The file is located at C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

I don't think I have another instance of .65 somewhere. It also doesn't look like it saved the .56 folder (or at least it's not in the \Google\Chrome directory)

What is this difference between the Chrome Frame and Chrome Browser? Which one of these did my update modify?
Anthony Wells RE: Please help! VERY suspicious Google Chrome "fix"
Expert Contributor 7th Mar, 2012 00:36
Score: 2445
Posts: 3,334
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

Hi ,

It is late so I will be brief :-

1)I have Chrome browser Dev Channel and Canary versions not detected by the PSI on my XP SP3 system . Their default location is :-

C:\Documents and Settings\MyName\LocalSettings\ApplicationData\Google\Chrome\Application\versionnumber .

The Google folder also has a Chrome Frame folder which is just a data file .

2)Chrome Frame which is a BHO for IE has the default :-

C:\Program Files\Google\Chrome Frame\Application\chrome.exe, version 17.0.963.65 (Business) .

3)you can see if you have Chrome Frame installed if you go IE ->Tools ->Manage addons ->Toolbars and Extensions -> google inc .

4)The PSI does not differentiate between the Browser and Frame and so any/all up to date instances will be detected in the same Scan Results entry of Google Chrome 17.x . How many detected instances can you find ?? there could be up to four .

5)If you look in this thread , you will see that the PSI suggested download link is not the regular browser installer :-

http://secunia.com/community/forum/thread/show/122...

Either it is Frame or a non-standard location of the Browser and the PSI has added the (Business) tag found with Frame .

Let me know what you find and I will look in again tomorrow .

Anthony

--


It always seems impossible until it's done.
Nelson Mandela
jckinnick RE: Please help! VERY suspicious Google Chrome "fix"
Member 7th Mar, 2012 02:35
Score: 6
Posts: 143
User Since: 21st May 2010
System Score: N/A
Location: N/A
So is there still reason to worry about anything malicious?


Today Chrome updated itself when I went to the about page in Chrome (the way I usually update Chrome) but now I have the 66 version. I did a scan on PSI and it checked out 100% and a little later a pop up said PSI deleted the zombie file or something. However when I do a File Hippo scan it says I now have the 65 version instead of the old 56 version but Chrome says I'm up to date with the 66 version if that makes any sense.
TT193 RE: Please help! VERY suspicious Google Chrome "fix"
Member 7th Mar, 2012 09:08
Score: 0
Posts: 12
User Since: 5th Mar 2012
System Score: N/A
Location: US
@ Anthony

Good to hear back from you.

1. I searched for about 10 minutes and couldn't locate this file path. Perhaps this is because you have Windows XP and I have Windows 7?

2. Followed this file path. My chrome.exe is now 17.0.963.66 (more to follow in next post)

3. I checked both my 32 and 64 bit versions of Internet Explorer. Neither has the Chrome Frame installed when I check the Manage Add ons section

4. I'm not quite sure if I fully understand this portion of your post. I just re-scanned with PSI. "Google Chrome 17.x" shows up only once in the list, and when I double click the row, under "detected instances" there is only one file path listed: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, version 17.0.963.66 (Business). I guess this means I have only one instance?

5. I followed this link, but I'm not quite sure what it means when you say it's not the "regular browser installer." Does Secunia change the installer or something? Is it not an official piece of Google software? Remember, the installer I downloaded isn't "signed" by Google. And what is BHO?




TT193 RE: Please help! VERY suspicious Google Chrome "fix"
Member 7th Mar, 2012 09:12
Score: 0
Posts: 12
User Since: 5th Mar 2012
System Score: N/A
Location: US
@jckinnick

I guess PSI updated my Chrome sometime today, too. My chrome now shows that it's at .66 within the chrome About menu. PSI shows it as .66 (business).

My chrome folder for .65 was retained in the same directory as .66. Kinda strange, because no other folders of versions before .65 were retained...


Anthony Wells RE: Please help! VERY suspicious Google Chrome "fix"
Expert Contributor 7th Mar, 2012 21:08
Score: 2445
Posts: 3,334
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

Hello again ,

As you are using Windows 7 and the detected instance path is ProgramFiles(x86) you must be also 64 bit ; this is probably your default location for the Chrome Browser and nothing to do with Chrome Frame . The PSI may be adding the (Business) tag which tends to be associated with this location .

Whichever , you don't have Frame , only the Browser . If you only have one entry then possibly the previous/old version is being removed during install (not usual if you use silent update) or simply the PSI is not displaying it as a "zombie" . I only have one entry in my scan results detected instance of Frame but the old version is still in the folder . I have two versions loaded in my Dev Channel and Canary versions of the Browser .

You (both) seem to be correctly installed with simply the Browser version .66 and up to date .

Perhaps someone with knowledge of Windows 7 32 and 64 bit can confirm/explain your default location .

I never use anything other than the Chrome internal silent update ; in this case with the server fault then the link provided by Mogs is the other option ; if those fail try the PSI's manual link , I would definitely advise against the auto-update option in its current state .

You will need to push support (they are very , very busy) if you still want a reply about your Norwegian Blue . Two having the same problem points to a Secunia fault rather than the bad guys ; but ..

PS: BHO means Browser Helper Object :-

http://en.wikipedia.org/wiki/Browser_Helper_Object

Take care

Anthony



--


It always seems impossible until it's done.
Nelson Mandela
TT193 RE: Please help! VERY suspicious Google Chrome "fix"
Member 7th Mar, 2012 21:32
Score: 0
Posts: 12
User Since: 5th Mar 2012
System Score: N/A
Location: US
Hey guys,

I received an email back from Customer Support. It sounds like the software was legitimate, only I got the wrong language.

It's really strange though because everything in Chrome as far as I've seen (menus, etc.) is still in English... any idea why this would be?

At this point I don't see any reason to uninstall, and then install the "correct" version... let me know if your opinion differs.


Here's what Support said:
"Unfortunately, the link for Google Chrome was by mistake set to another language than English. This has now been fixed.
So it wasn't the wrong software but the wrong language."
Anthony Wells RE: Please help! VERY suspicious Google Chrome "fix"
Expert Contributor 7th Mar, 2012 22:20
Score: 2445
Posts: 3,334
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

Looks like you got lucky and your previous English language settings carried over in English .

All set and good to go .

Take care

Anthony

--


It always seems impossible until it's done.
Nelson Mandela
TT193 RE: Please help! VERY suspicious Google Chrome "fix"
Member 7th Mar, 2012 22:27
Score: 0
Posts: 12
User Since: 5th Mar 2012
System Score: N/A
Location: US
Thanks, man. I appreciated your feedback over the last couple of days. Take care.

This thread has been marked as locked.