SnarkySneaks

Hijacked Malwarebytes download?


Let me preface this by saying that I managed to remove the associated Malware (and even did a Windows 10 fresh start) and thus, I cannot get any log files.

So yesterday, around 4PM (gmt+2), I got a popup (as in, the same kind of popup that you get when you finish a scan) that Malwarebytes wanted to update, so I installed it. I noticed a random redirect, so I ran a normal Malwarebytes scan which found nothing. Apparently, it installed search engines like Yahoo and Jeeves (what year is it again?) to Chrome and Firefox. I managed to do an advanced scan, which removed a "machine learning" anomaly that added itself to Firefox. Deleting this made the Yahoo extension stop automatically adding itself to Chrome, but AdwCleaner and Rkill couldn't get rid of the Yahoo extension itself (trying to remove it makes it try to install itself on Chrome again). It ultimately disappeared after I did a Windows 10 fresh start (for unrelated reasons). 

Does anyone know what could have caused the update popup hijack?

 

Also, I wasn't sure if it belonged here, since I managed to remove the malware itself and just need some clarification.


***This is an automated reply***

Hi,

Thanks for posting in the Malwarebytes 3 Help forum.

 

If you are having technical issues with our Windows product, please do the following: 


If you haven't done so already, please run these two tools and then attach the logs in your next reply:

NOTE: The tools and the information obtained is safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

  • Farbar Recovery Scan Tool (FRST)
    1. Download FRST and save it to your desktop
      Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit
    2. Double-click to run FRST and when the tool opens click "Yes" to the disclaimer
    3. Press the "Scan" button
    4. This will produce two files in the same location (directory) as FRST: FRST.txt and Addition.txt
      • Leave the log files in the current location, they will be automatically collected by mb-check once you complete the next set of instructions
  • MB-Check
    1. Download MB-Check and save to your desktop
    2. Double-click to run MB-Check and within a few seconds the command window will open, press "Enter" to accept the EULA then click "OK" 
    3. This will produce one log file on your desktop: mb-check-results.zip
      • This file will include the FRST logs generated from the previous set of instructions
      • Attach this file to your forum post by clicking on the "Drag files here to attach, or choose files..." or simply drag the file to the attachment area

One of our experts will be able to assist you shortly.

 

If you are having licensing issues, please do the following: 


For any of these issues:

  • Renewals
  • Refunds (including double billing)
  • Cancellations
  • Update Billing Info
  • Multiple Transactions
  • Consumer Purchases
  • Transaction Receipt

Please contact our support team at https://support.malwarebytes.com/community/consumer/pages/contact-us to get help

If you need help looking up your license details, please head here: https://support.malwarebytes.com/docs/DOC-1264 

 

Thanks in advance for your patience.

-The Malwarebytes Forum Team


It shouldn't be possible for anyone to hijack the Malwarebytes update servers.  They get checked with hashed, encrypted config files protected by Malwarebytes on your system and all connections use encrypted HTTPS for any updates/checks/downloads.  That said, it is possible that if something was already on your system that it may have displayed a fake Malwarebytes update pop-up and that's how it got in, but otherwise I'd suggest checking any other software you might have installed recently because it sounds a lot like either a bundled installer or even perhaps one of the newer Trojans (which sometimes include a rootkit component) that have been installing PUPs (Potentially Unwanted Programs, i.e. adware, toolbars, search hijackers etc.).

It might be a good idea to turn on the Scan for rootkits option in Malwarebytes under Settings>Protection in the Scan Options section and then perform a Threat scan to make sure there are no rootkits on the system.

You should also probably run ADWCleaner just in case any PUP components are left behind that Malwarebytes doesn't detect (ADWCleaner is a complement to Malwarebytes as each is capable of detecting/removing certain things that the other does not).

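The post above makes the practical point that a genuine Malwarebytes update does not arrive as a browser popup handing you an installer, and that a file you were handed that way should be treated as untrusted. As an added example (not part of the thread and not Malwarebytes' own code), this PowerShell script checks the Authenticode signature of a downloaded installer and records its SHA-256 before anything is run. The installer path and the expected signer string are assumptions; confirm the signer against an installer you fetched yourself from malwarebytes.com.

```powershell
# Added example, not from the thread: verify a downloaded installer before running it.
# Assumptions: $InstallerPath is where the file was saved (hypothetical default), and
# $expectedSigner must be confirmed against a known-good installer's certificate.
param(
    [string]$InstallerPath = "$env:USERPROFILE\Downloads\MBSetup.exe"
)

function Test-InstallerSignature {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path"
    }

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    $result = [pscustomobject]@{
        Path      = $Path
        SHA256    = $hash
        Status    = $sig.Status                        # Valid, NotSigned, HashMismatch, ...
        Signer    = $sig.SignerCertificate.Subject     # $null when the file is unsigned
        Issuer    = $sig.SignerCertificate.Issuer
        NotAfter  = $sig.SignerCertificate.NotAfter
        Timestamp = $sig.TimeStamperCertificate.Subject
    }

    # Two independent checks: the chain must validate AND the subject must be the
    # publisher you expected. A valid signature from some other company is exactly
    # what a bundled/repackaged installer looks like.
    $expectedSigner = 'Malwarebytes'   # assumption: confirm against a known-good build
    $trusted = ($sig.Status -eq 'Valid') -and ($result.Signer -match "CN=$expectedSigner")
    $result | Add-Member -NotePropertyName TrustedPublisher -NotePropertyValue $trusted
    return $result
}

$r = Test-InstallerSignature -Path $InstallerPath
$r | Format-List

if (-not $r.TrustedPublisher) {
    Write-Warning "Do not run this file: status '$($r.Status)', signer '$($r.Signer)'."
    exit 1
}
```

Keep the SHA-256 it prints alongside the file: if you later open a forum thread like this one, the hash lets the responders identify the sample even after the file itself has been cleaned off the machine.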
28 minutes ago, exile360 said:

It shouldn't be possible for anyone to hijack the Malwarebytes update servers. [...]

I have already scanned for rootkits and used ADWCleaner, which removed the components. I was just checking if anyone else had this issue.

Thanks for your reply, though!


Excellent, you should be in good shape then as long as nothing else is acting weird and there are no further detections.  By the way, just for future reference sometimes items installed into Chrome might persist/return after being removed.  This happens because of the cloud sync and cache features built into the browser and can be overcome by following these steps in the exact order they're written (if not followed explicitly it might not work).

Anyway, if there's anything else we might help you with or questions we can answer for you please don't hesitate to let us know.

Thanks :) 

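The post above notes that an extension or search engine removed from Chrome can come back. As an added example (not part of the thread and not a Malwarebytes or AdwCleaner tool), the PowerShell script below inventories the places on Windows where a search hijacker normally sits so you can see whether a removal actually took: the Chrome profile's preference files, the Chrome ExtensionInstallForcelist policy keys in the registry (an entry there makes Chrome reinstall the extension on every start, which is one common reason a removal "does not stick"; the thread does not establish that this was the cause here), the Firefox profile's extensions.json, and a Firefox policies.json if one exists. Default profile locations are assumed; adjust them for non-default profiles.

```powershell
# Added example, not from the thread: list where Chrome/Firefox extensions and
# search-provider overrides are recorded on Windows. Assumes default profile paths.

function Get-ChromeExtensionInventory {
    # Installed extensions sit under extensions.settings (keyed by extension id); the
    # default search provider override is also a tracked pref, so both files are read.
    $profileDir = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default'
    foreach ($prefFile in 'Secure Preferences', 'Preferences') {
        $path = Join-Path $profileDir $prefFile
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $json = Get-Content -LiteralPath $path -Raw | ConvertFrom-Json

        $settings = $json.extensions.settings
        if ($settings) {
            foreach ($prop in $settings.PSObject.Properties) {
                $ext = $prop.Value
                [pscustomobject]@{
                    Source       = $prefFile
                    Id           = $prop.Name
                    Name         = $ext.manifest.name
                    Version      = $ext.manifest.version
                    FromWebstore = $ext.from_webstore
                    # Chrome's install-source enum: 1 = installed by the user; other
                    # values mean an external source (registry, policy, component).
                    Location     = $ext.location
                    Path         = $ext.path
                }
            }
        }

        $dsp = $json.default_search_provider_data.template_url_data
        if ($dsp) {
            [pscustomobject]@{
                Source = $prefFile; Id = '(default search provider)'
                Name = $dsp.short_name; Version = $null; FromWebstore = $null
                Location = $null; Path = $dsp.url
            }
        }
    }
}

function Get-ChromeForcedExtensions {
    # Entries are "<extension id>;<update url>". Chrome re-installs these on every
    # start and greys out the remove button, so PUPs like to plant them here.
    $keys = 'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
            'HKCU:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist'
    foreach ($k in $keys) {
        if (-not (Test-Path -Path $k)) { continue }
        $props = Get-ItemProperty -Path $k
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -match '^PS') { continue }   # skip PSPath/PSDrive/... metadata
            [pscustomobject]@{ Key = $k; Entry = $p.Value }
        }
    }
}

function Get-FirefoxAddonInventory {
    $profiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
    if (-not (Test-Path -LiteralPath $profiles)) { return }
    $files = Get-ChildItem -Path $profiles -Filter 'extensions.json' -Recurse -ErrorAction SilentlyContinue
    foreach ($f in $files) {
        $json = Get-Content -LiteralPath $f.FullName -Raw | ConvertFrom-Json
        foreach ($addon in $json.addons) {
            [pscustomobject]@{
                Profile  = $f.Directory.Name
                Id       = $addon.id
                Name     = $addon.defaultLocale.name
                Version  = $addon.version
                Active   = $addon.active
                Location = $addon.location   # app-profile, app-system-defaults, ...
                Path     = $addon.path
            }
        }
    }
}

function Get-FirefoxPolicyFile {
    # An enterprise policies.json can force-install add-ons; on a home PC one that
    # appeared out of nowhere is worth reading in full.
    foreach ($base in $env:ProgramFiles, ${env:ProgramFiles(x86)}) {
        if (-not $base) { continue }
        $p = Join-Path $base 'Mozilla Firefox\distribution\policies.json'
        if (Test-Path -LiteralPath $p) { Get-Content -LiteralPath $p -Raw }
    }
}

Write-Host '== Chrome extensions / default search provider =='
Get-ChromeExtensionInventory | Format-Table -AutoSize
Write-Host '== Chrome ExtensionInstallForcelist entries =='
Get-ChromeForcedExtensions | Format-Table -AutoSize
Write-Host '== Firefox add-ons =='
Get-FirefoxAddonInventory | Format-Table -AutoSize
Write-Host '== Firefox policies.json (if present) =='
Get-FirefoxPolicyFile
```

Close both browsers before running it, take one inventory before cleanup and one after, and, given the sync behaviour described in this thread, take a third after signing the browser out of sync: an entry that reappears only in the last run came back from the cloud profile rather than from something left on the disk, while a forcelist registry entry or a Location value other than 1 points at a local persistence mechanism that the cleanup tools still need to remove.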
1 minute ago, exile360 said:

Excellent, you should be in good shape then as long as nothing else is acting weird and there are no further detections. [...]

Way ahead of you again, friend! I already figured that Google's sync might have been causing AdwCleaner to be unable to uninstall some malware so I'll turn it off (and keep it turned off. I don't have much to sync anyway).

23 minutes ago, exile360 said:

Excellent, you should be in good shape then as long as nothing else is acting weird and there are no further detections. [...]

Actually: I have one more question for you: If I disable Google Sync on this PC, does it only not sync things that happen on this PC/IP or will it also not receive any synced data from other machines that I log into on Chrome?


Even with sync off, it can still bring items back sometimes unfortunately.  I've seen it happen and it's quite frustrating because you'd think turning it off would prevent it, but sadly no.

With regards to Google sync, I'm honestly not sure as I never use it myself.  I tend to stick to SRWare Iron which, even though it is compatible with everything that Chrome is since they're based on the same source, doesn't include any of Google's built-in tracking/advertising features, but it does support logging into your Google account to sync your settings/bookmarks etc., I just tend not to use it.  I bet one or both of us can find out though.  I'll check around and see what I can learn for you.


If you turn off Google Sync in your browser, you will not upload data, but it will also not download data from other browsers.


OK, I found this and while I'm not certain about whether or not it is from the most recent version of Chrome, I would speculate that whatever is listed will not be synchronized between systems/browsers if sync is turned off:

[image: sync.png]

7 minutes ago, exile360 said:

OK, I found this and while I'm not certain about whether or not it is from the most recent version of Chrome [...]

[image: sync.png]

Where did you find this menu? 


You have to go to Settings then sign in to Chrome/Google and it should present you with the option to turn on sync and display the sync settings as listed above (or something similar to it, again, depending on the version of Chrome etc.).

If you're already signed in, then I would assume that it would be wherever the option to turn sync on/off is, perhaps nested beneath an Advanced menu or link or perhaps an expandable > arrow type menu.

28 minutes ago, exile360 said:

You have to go to Settings then sign in to Chrome/Google and it should present you with the option to turn on sync [...]

Nope. I'm signed into Chrome and there is no such menu. Thanks for trying, though.


Ah, well according to the article I found, it's supposed to show up when you first sign in and set up syncing so you might need to access the sync settings for your account on Google's site or something.


Sounds good.  Were you able to find the settings?  Were they under your Google account settings on their site as I suggested?  If it's of any use to you, the article I found that image in is here (I'd advise using an ad-blocker if you visit CNET, the site I linked to, as they tend to have more than a few ads on their site).
