
Something is adding cryptojacking to random websites that I visit.



Greetings,

I believe it started some time this week or last; I'm not completely sure. At first I noticed that some of the tabs I was visiting didn't show the page title but the URL between quotes. I was busy with work, so I dismissed it as a Chrome bug or something.

Since I work as a web developer, it's normal for me to sometimes press F12 and check the JS console, and then I noticed it: sometimes, when I load a website, the website gets loaded inside a frameset, with a cryptojacking script in the header. Check the attached image.

Thankfully, this alone doesn't do jack to me since I use MinerBlock, plus I also have a lot of 0.0.0.0 entries for known coin-miner websites in my hosts file.

At first I thought the obvious: somehow I've got a rogue extension or cookie; easy. I cleaned up Chrome using Google's own instructions. But then I noticed it still happened. It also happens on Firefox, IE, every single browser; even the Steam in-game browser is suffering from this issue.

It IS a problem for mainly two reasons:

1) Even if I have the miner blocked, how can I be sure it's not doing something else to my computer, like tracking data before messing with the source code?
2) It's problematic and disruptive. Sometimes every single connection I make, in a browser or in a game, gets randomly denied. I try again and it works. It's making me unable to do my work correctly.

I tried running Malwarebytes, AdwCleaner, HitmanPro... Nothing seems to stop this.

Then I proceeded to my router, as it seems to be a network-wide issue.
My ISP uses two DNS servers: one of theirs and one from Google. I removed theirs and used only the Google ones. Then I restarted the router and PC. Same.

I disabled UPnP and shut down every port forward I had. I made sure both the router and Windows firewalls were enabled. I made sure no remote access was enabled. I checked whether there were rogue users on my router. Nothing.

I have no idea what else to do. I've searched on Google and didn't find any results related to what I'm facing specifically. I usually don't go on forums asking for stuff like this, but honestly, I need help. I have lots of honest work to do and this thing is causing me a hassle bigger than it should.

Extra things to add:

- No, I don't have another computer to test on this network. Later today I'll ask my neighbour to connect to my Wi-Fi and see if the issue happens there.

- It seems to happen with every connection; even inside a game or when I'm making an AJAX call, it just DIES randomly due to this stupid malware changing the header information.

- SOME websites seem to be "immune" to this: Facebook, Google and YouTube. And no, it's not because of HTTPS; I've seen it happening with some HTTPS websites too.

- Before this happened, I remember my internet having random disconnects; I called my ISP and they said they were doing maintenance. I wonder if it is possible for an ISP to do such a thing? And yes, trust me, they could easily do it without consequences, it being a small-town ISP where most people don't care about security issues. But I don't want to accuse them before being completely sure.

- Every time I turn on my computer, the connection icon says it's "without internet access" while it clearly works. Then after a few minutes it becomes normal. This wasn't a behaviour I'd seen before this issue existed.

- I tried loading Windows in Safe Mode with Networking. The same issue happens there. One extra fun thing: NOW my router admin page showed two connections on DHCP: mine and an "Unknown" one. I disabled DHCP. The malware still works.

- Before you ask for my FRST.txt, I'd rather not. But if it's REALLY necessary, please provide me somewhere I can post it only for admins. It contains a lot of customer files that were entrusted to me and I cannot even let people see their titles. There are too many for me to edit them out, too. But if possible, I'd like not to post that.

I believe that's all. Please give me something to work with here. I have no idea what to do.

 

[Attached image: coinhive_issue_.png]

Edited by felixfelix: extra info
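The symptoms in the post above (a frameset that wraps the real page in a frame of itself, a miner script in the header, a quoted URL where the title should be, and AJAX calls that die because an HTML wrapper comes back instead of JSON) are all checkable offline against captured response bodies. The script below is an added example written for this thread; it is not code from the original post or from Malwarebytes. The hosts-file snippet and the three HTTP responses are constructed samples, and the miner host names in that snippet are assumptions standing in for whatever the poster's own hosts file sinkholes. In practice you would feed `audit_response` bodies captured with curl or an intercepting proxy on the affected network, and compare them with the same URLs fetched from a different network.

```python
"""Flag in-path HTML injection of the kind described in the post.

Added example for this thread, not code from the original post.
All inputs are constructed samples so the script runs offline.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of the 0.0.0.0 sinkhole lines the post describes.
# The host names are assumptions, not taken from the thread.
HOSTS_SNIPPET = """
# sinkholed miner hosts (constructed sample)
0.0.0.0 coinhive.com
0.0.0.0 coin-hive.com
0.0.0.0 authedmine.com
"""


def sinkholed_hosts(hosts_text):
    """Collect host names that a hosts file points at 0.0.0.0 or 127.0.0.1."""
    hosts = set()
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] in ("0.0.0.0", "127.0.0.1"):
            hosts.update(h.lower() for h in fields[1:])
    return hosts


def host_of(url):
    return (urlparse(url).hostname or "").lower()


class _FrameAudit(HTMLParser):
    """Collect framesets, frame sources, external scripts and the title."""

    def __init__(self):
        super().__init__()
        self.framesets = 0
        self.frames = []
        self.scripts = []
        self.title = ""
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "frameset":
            self.framesets += 1
        elif tag in ("frame", "iframe") and a.get("src"):
            self.frames.append(a["src"])
        elif tag == "script" and a.get("src"):
            self.scripts.append(a["src"])
        elif tag == "title":
            self._in_title = True

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def audit_response(requested_url, content_type, body, miner_hosts=None):
    """Return a list of findings for one HTTP response; [] means clean."""
    miner_hosts = sinkholed_hosts(HOSTS_SNIPPET) if miner_hosts is None else miner_hosts
    findings = []
    ct = content_type.split(";")[0].strip().lower()
    looks_html = body.lstrip()[:15].lower().startswith(("<!doctype", "<html", "<frameset"))

    # An HTML body on a JSON/JS endpoint is exactly what breaks AJAX calls.
    if ct != "text/html" and looks_html:
        findings.append(f"content-type {ct!r} but body is HTML (injected wrapper)")
    if not looks_html:
        return findings

    p = _FrameAudit()
    p.feed(body)
    req_host = host_of(requested_url)

    if p.framesets and any(host_of(f) == req_host for f in p.frames):
        findings.append("frameset wraps the requested page in a frame of itself")

    for src in p.scripts:
        h = host_of(src)
        if h in miner_hosts or any(h.endswith("." + m) for m in miner_hosts):
            findings.append(f"script loaded from sinkholed miner host {h}")

    t = p.title.strip()
    if len(t) > 2 and t[0] == t[-1] == '"' and host_of(t[1:-1]) == req_host:
        findings.append("title is the quoted URL instead of a page title")
    return findings


# Constructed sample responses: one clean page, one injected wrapper.
CLEAN_HTML = ('<!DOCTYPE html><html><head><title>Example Domain</title></head>'
              '<body><p>hello</p></body></html>')
INJECTED_HTML = ('<html><head><title>"http://example.com/page"</title>'
                 '<script src="https://coinhive.com/lib/coinhive.min.js"></script></head>'
                 '<frameset rows="*"><frame src="http://example.com/page"></frameset></html>')

if __name__ == "__main__":
    for url, ct, body in [("http://example.com/page", "text/html", CLEAN_HTML),
                          ("http://example.com/page", "text/html", INJECTED_HTML),
                          ("http://example.com/api/items", "application/json", INJECTED_HTML)]:
        print(url, ct, audit_response(url, ct, body) or "clean")
```

The third sample is the AJAX case: the endpoint should return JSON, but the injector hands back the same HTML wrapper, so the call fails. Running the audit on captured responses from both the affected network and a clean one gives you a concrete artefact to show the ISP or to attach to a support thread without exposing anything from your own disk.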

Root Admin

Hello @felixfelix and welcome.

We will need your logs in order to determine what's going on. You can send me a private message with the logs.

 

Please run the following steps and post back the logs as an attachment when ready.

STEP 01

  • If you're already running Malwarebytes 3, then open Malwarebytes and check for updates. Then click on the Scan tab, select Threat Scan and click on the Start Scan button.
  • If you don't have Malwarebytes 3 installed yet please download it from here and install it.
  • Once installed, open Malwarebytes and check for updates. Then click on the Scan tab, select Threat Scan and click on the Start Scan button.
  • Once the scan is completed click on the Export Summary button and save the file as a Text file to your desktop or other location you can find, and attach that log on your next reply.
  • If Malwarebytes won't run then please skip to the next step and let me know on your next reply.

STEP 02

Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Right-click on the program and select Run as Administrator to start the tool.
  • Accept the Terms of use.
  • Wait until the database is updated.
  • Click Scan.
  • When finished, please click Clean.
  • Your PC should reboot now if any items were found.
  • After reboot, a log file will be opened. Copy its content into your next reply.

 

RESTART THE COMPUTER before running Step 3

STEP 03
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure whether your computer is 32-bit or 64-bit.

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before, you need to place a check mark here.
  • Please attach the Addition.txt log to your reply as well.

 

Thanks

Ron

 


Yes, I am. I have to work almost every day, even weekends, and it's hard to find some free time on my computer to let all the scanners run again (to create the logs you asked for, since there's seemingly nothing else you can suggest to me for now).

So it will unfortunately take some time for me to generate the bloody things. My hard drive is over 900 GB full and my CPU and RAM are ancient.

If there's anything you can suggest that's quick to do, then by all means please do.


3 minutes ago, AdvancedSetup said:

In most cases I find that Google Chrome is the culprit for many people. Cleaning up Chrome well will often cure quite a few issues. You can try the following.

 

If that does not help then yes I'll need all the other logs to see what is going on.

Thanks

Ron

 

Thankfully, I don't even have any login on Google Chrome. When I try to access that URL it just throws me to the default settings one.

Also, I'm not sure if you fully read my issue beforehand, but I remember mentioning I considered the obvious possibility of it being browser malware, although, like I said, it happens EVERYWHERE: every browser, even the STEAM browser. Everywhere.

It happens on AJAX calls too, causing them to fail.

It happens on game connections, causing me to fail to connect to servers.

And yeah, I've reset my router already.

 

2 minutes ago, AdvancedSetup said:

Please note that after Friday I will be going on vacation so if you do need help I'll need logs soon or we'll need to try to get another helper to assist you.

Ron

 

I understand, I'll try to, but I'm being honest: I have to use my PC for work almost all the time, and it's hard to find time to let a scan run over a whole 900 GB filled HD.


2 weeks later...

Root Admin

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Thanks

 
