both browsers hijacked and malwarebytes won't detect anything

[egon]

Hi all,

I recently had a serious infection due to a trojan hidden in a canon photography forum download.

Malwarebytes apparently cleaned most of it all nicely, ( russian stuff)  but now Chroma nand Firefox both have redirection hijacks that won't get detected or deleted by malwarebytes.

How is that even possible with presumed state pof the art protection software? Not sure I want to buy a license if it cannot neutralize hijacks...

What should I do next to get rid of the hijack?

Thanks!

Here's one:

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 6/29/19
Protection Event Time: 8:32 PM
Log File: 4c9235f6-9a9c-11e9-99f2-c48508caa750.json

-Software Information-
Version: 3.7.1.2839
Components Version: 1.0.586
Update Package Version: 1.0.11318
License: Trial

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, , Blocked, [-1], [-1],0.0.0

-Website Data-
Category: Hijack
Domain: deloplen.com
IP Address: 206.54.165.2
Port: [49304]
Type: Outbound
File: C:\Program Files (x86)\Mozilla Firefox\firefox.exe

 

(end)

[Maurice Naggar]

Hi, Egon.   

My name is Maurice. I will be helping and guiding you, going forward on this case.

You did not mention what site Chrome is hjacked to;  what Firefox is hijacked to.

The website block report you copies is showing that the website protection is protecting this pc.  You are running Malwarebytes in Trial mode.  The website protection is keeping you safe from  deloplen.com

 

For Your Information:

The website  Block message indicates that a potential risk was blocked by the malicious website protection. 

The Malwarebytes web protection, by default, will always show each IP block occurrence.

The Malwarebytes Webs protection feature will advise customers when a known or suspected malicious IP is attempted to be reached (outgoing) or is trying access your PC.

 

See our info page https://www.malwarebytes.com/lp/ip-blocking/?ipblock=true

 

Incoming block notice can be ignored, our software is blocking the threat and there is nothing more that can be done.

On Outbound blocks, any attempted connection was stopped.

 

No action is required unless you’re also experiencing malware symptoms or there are multiple (different) IPs (ex;123.23.34 and 4.44.56).

.

We need to get information from this machine in order to have the proper detail to help you forward.
 NOTE: The tools and the information obtained is safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

    Download Malwarebytes Support Tool
    
    
    Once the file is downloaded, open your Downloads folder/location of the downloaded file
    Double-click mb-support-1.4.0.615.exe to run the report
        You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
        
    Place a checkmark next to Accept License Agreement and click Next
    You will be presented with a page stating, "Get Started!"

    Do NOT use the button “Start repair” !
    Click the Advanced tab on the left column
    
    Click the Gather Logs button
    
    A progress bar will appear and the program will proceed with getting logs from your computer
   
    Upon completion, click a file named mbst-grab-results.zip will be saved to your Desktop. Click OK
    Please attach the ZIP file in your next reply.

 

Thank you.

 

Edited June 29, 2019 by Maurice Naggar

[egon]

Thanks Maurice,

I'll follow your instructions asap.
In the meantime, both browsers keep being redirected to https://lp.searchmulty.com/9/?v=399#

and also another site posing as post office Luxembourg to win an iphone .

Nalwarebytes sometimes intercepts the hijack, sometimes not.

That's all I can tell you until I did your test .

Cheers!

 

[Maurice Naggar]

OK.  I look forward to you running & sending the Support tool report.  That only takes a few minutes.

[egon]

Thank you Maurice,

here's the file.

mbst-grab-results.zip

[Maurice Naggar]

Thanks for the report.  The next first thing I suggest is to get the update to Malwarebytes version 3.83

You should close all of the program windows that you started, just in case a Windows Restart is needed.

 

Start Malwarebytes.
Click Settings.
Look at the section  "Application Updates"
click the grey button "Install Application Updates".

When prompted to allow the Upgrade for new version, click the YES button and follow the prompts.

Have patience during all this.

 

[ 2 ]

Please Close and save any open work files before you start this next step.  It may involve a Windows Restart at the end of it.

I am sending a   custom Fix script which is going to be used by the FRST tool. They will both work together as a pair.

Please RIGHT-click the (attached file named) FIXLIST and select SAVE AS and save it directly ( as is) in the Downloads folder 

The tool named FRSTENGLISH.exe  is already on the Downloads folder.

Start the Windows Explorer and then, open the Downloads folder.


Double click FRSTENGLISH  to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
Click the Fix button just once, and wait.

 

 

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. Some machines take longer than others.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

 

[ 3 ]

Let's do one new run with Malwarebytes for Windows.

Start Malwarebytes for Windows.

Click Settings. Click Protection tab & scroll down to Scan options.

On the section "Potential Threat Protection"
look down at the one "Potentially Unwanted Programs (PUPs)" look and make sure it is set to
"Always detect PUPS ".

and

look down at the one "Potential Unwanted Modifications (PUM)" look and make sure it is set to
"Always detect PUM ".

and
scroll all the way down to the section Automatic Quarantine
On the line "Automatically quarantine detected malware" be sure it is ON



Then once all set there, click on SCAN button
Then insure Threat scan has a check mark. Then click Start scan.
Review the results list.
Then I would suggest you make sure all lines have a check mark

To that end, if you click the very top left checkbox you can force all detected lines ( if any are detected)  to be selected for removal. Be sure each line is checked.

Then you can proceed to click on the blue button Quarantine selected.

In Malwarebytes.
Click the Reports button ( on the left )
Look for the "Scan Report" that has the most recent Date and time.

When located, click the check box for it and click on View Report.
Then click the Export button at the bottom left.
Then select Text File (*.txt)

Put in a name for that file and remember where the file is created.

Then attach that file with your next reply 

Also, attach the Fixlog.txt with your next reply. 

Thanks for your patience.

 

fixlist.txt

[egon]

Thanks Maurice for your elaborate reply.

I precisely followed your instructions, but again, no threads wre detected. As Malwarebytes did not detect anything, there was no quarantine and no report, hence the one from yesterday.

Here are the files:

Fixlog.txtreport29.6..txt

[egon]

I just realized by looking at the fixlog that there definitely were browser overrides removed, so it seems it has worked!

So...If I'm not mistaken, thanks a lot for your help Maurice!

Best,

egon

[egon]

Sorry, as there is no way to delete my previous post - the hijack is still there in chrome:

https://lp.searchmulty.com/9/?v=399#

[egon]

also https://generalships.club/ab11/lu/s10/post/index1.html?sxid=61r3ck0nqov5&ck=169277199453532554&c=0.001423&target=2678515&i=post+luxembourg&l=en#

[egon]

https://worldvictory.vip/lu/1s/postt/?osv=Windows 7&isp=POST Luxembourg&ip=88.207.194.33&key=eyJ0aW1lc3RhbXAiOiIxNTYxOTIyNTMwIiwiaGFzaCI6Ijc5ZDgzMDg5NDdiZjA2MzQ1Yjg2ODQxMmI1ZjU0NTFiZjIyMGFkZTIifQ%3D%3D&bemobdata=c%3D69f687a7-dbfc-46a4-a4f0-367258e48e5a..a%3D1..b%3D0..z%3D0.007021..c1%3D792658..c2%3D2288193..c3%3D169277936694727094..c4%3D3336253

[Maurice Naggar]

I would point back to #3 above in my preceding reply .....  for the special Malwarebytes for Windows SCAN.

Please be sure you do that and send me the scan log.

.

As to the volume of replies, there is no rush.  Take your time  and collect all your issues/remarks and send.

i.e.  Lets not treat this as a chat session.

Question to you:  Where and how did you see those 2 URL addresses?

and are they opened pages/tabs on Chrome ?

[egon]

Ok I repeatd the whole procedure, same thing. Here are the files:newreport.txtFixlog.txt

The URLs I posted are the tabs in chrome that the hijack opened. I copied them.

 

[Maurice Naggar]

You only needed to run the Fix just one time.  Lets not run the FRST fix anymore.

I was looking for the Malwarebytes scan report.  Thanks for sending it.  Malwarebytes for Windows version 3.8.3 reports no active malware;  no active P U P.

By the way, whether in Chrome or in any other browser, if you see a unwanted tab window..... you can use the special Windows keyboard shortcut keys to Force the tab(s) to CLOSE.

press and hold CTRL key on keyboard and then tap W key. CTRL + W 
 

That should close the Tab page of the web browser in the foreground.
You can repeat as needed.

[ 2 ]

Next

I would suggest to download, Save, and then run Malwarebytes ADWCLEANER.

Please close Chrome and all other open web browsers after you have saved the Adwcleaner and before you start Adwcleaner.

 

Please download the  Malwarebytes AdwCleaner from here:
Click the blue Download button.   ( do not pay attention to the other text displayed on that screen).

Be sure to Save the file first, to your system.  Saving to the Downloads folder should be the default on your system.

 

Go to the folder where you saved Adwcleaner. Double click AdwcleanerGUI  to start it.

At the prompt for license agreement, review and then click on I agree.

 

You will then see a main screen for Adwcleaner. ( if you do not see it right away, minimized the other open windows, so you can see Adwcleaner).

Then click on Dashboard button.

Click the blue button "Scan Now".

 

allow it a few minutes to finish the Scan.   Let it remove what it finds.

NOTE:  When it comes to the section "

Pre-installed applications

You can skip that.

Please find and send the Adwcleaner "C" clean report.

In Adwcleaner, click the "Reports" button.  Look at the list of reports for the latest date & type "Clean".

Double Click that line & it will open in Notepad.   Save the file to your system and then Attach that with your reply.

Thanks.  Keep me advised.

On the next round or so, I can guide you to beefing up Chrome  ( and Firefox if you have it).

[egon]

Thanks again Maurice.

Here's the file result of the Adwcleaner: I hope it's the right one.

AdwCleaner[S00].txt

 

 

[Maurice Naggar]

Hi,

It found a number of P U P

I would like to know that they were removed.   Look for the 'C' report   .....C indicates   'C' lean

Look for  AdwCleaner[C00].txt

And further to that,  Is the browser hijack issue gone away now ?

Sincerely,

[egon]

Hi Maurice,

there unfortunately is no other logfile, as something weird happened yesterday. While putting all the malware into quarantine, the programm sort of crashed at about 65% of the progress bar and stayed there without any movement for about 3 hours, after which I turned off the pc.

Te hijacks are still there in Chrome, but I ran adwcleaner several more times now but strangely,  it does not detect them anymore.

[Maurice Naggar]

Lets stop running any more Adwcleaner.  And lets get a fresh new readout by doing a new run of the Support tool.

By the way, please use any other browser  besides Chrome   ( for the time being).

open your Downloads folder/location of the downloaded file
    Double-click mb-support-1.4.0.615.exe to run the report
        You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
        
    Place a checkmark next to Accept License Agreement and click Next
    You will be presented with a page stating, "Get Started!"

    Do NOT use the button “Start repair” !
    Click the Advanced tab on the left column
    
    Click the Gather Logs button
    
    A progress bar will appear and the program will proceed with getting logs from your computer
   
    Upon completion, click a file named mbst-grab-results.zip will be saved to your Desktop. Click OK
    Please attach the ZIP file in your next reply.

[egon]

Thanks Maurice, sory for the delayed response. Here's the file:

mbst-grab-results.zip

[Maurice Naggar]

Thank you for the Support tool report.  The Adwcleaner had found no malicious adware items.

The last Malwarebytes scan run dated July 2 found no malware & no P U P.

The blocknotice event(s) are when Chrome was in use.

The IP cited in the block is 206.54.165.2

"processPath" : "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe",
"url" : "deloplen.com"

.

I would suggest to be sure to turn off the Google Chrome "Sync" feature.

Please use Chrome  to go to https://www.google.com/settings/chrome/sync and sign into your account.
Scroll down until you see the "reset sync" button and click on the button
At the prompt click on "Ok".

.

[ 2 ]

See this article on our Malwarebytes Blog
https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused/

 

You want to disable the ability of each web browser on this machine from being able to allow "push ads". That means Chrome, Firefox, or Edge browser (on Windows 10), or on Opera.

Scroll down to the tips section "How do I disable them".

also, if you use Chrome or Firefox browser, install the Malwarebytes beta browser extension.  There is one for Chrome & another for Firefox.

To get & install the Malwarebytes beta Chrome extension,

Open this link in your Chrome browser: https://chrome.google.com/webstore/detail/malwarebytes/ihcjicgdanjaechkgeegckofjjedodee

Then proceed with the setup.

 

To get & install the Malwarebytes beta Firefox extension.

Open this link in your Firefox browser: https://addons.mozilla.org/en-US/firefox/addon/malwarebytes/

Then proceed with the setup.

[egon]

the extension seems to have done the trick. Thanks Maurice.

[Maurice Naggar]

That is good to know.  Thanks for the status update.  I will tag this case for closure.  If you need something else at this point, let me know.

 

practices & malware prevention:
Follow best practices when browsing the Internet, especially on opening links coming from untrusted sources.
First rule of internet safety: slow down & think before you "click".
Free games & free programs are like "candy". We do not accept them from "strangers".

Never open attachments that come with unexpected ( out of the blue ) email no matter how enticing.
Never open attachments from the email itself. Do not double click in the email. Always Save first and then scan with antivirus program.

Never click links without first hovering your mouse over the link and seeing if it is going to an odd address ( one that does not fit or is odd looking or has typos).

 

Pay close attention when installing 3rd-party programs. It is important that you pay attention to the license agreements and installation screens when installing anything off of the Internet. If an installation screen offers you Custom or Advanced installation options, it is a good idea to select these as they will typically disclose what other 3rd party software will also be installed.
Take great care in every stage of the process and every offer screen, and make sure you know what it is you're agreeing to before you click "Next".

Use a Standard user account rather than an administrator-rights account when "surfing" the web.
See more info on Corrine's SecurityGarden Blog http://securitygarden.blogspot.com/p/blog-page_7.html
Dont remove your current login. Just use the new Standard-user-level one for everyday use while on the internet.


Check in at http://windowsupdate.microsoft.com 
Windows Update and install any Important Updates offered.

Make certain that Automatic Updates is enabled.
https://support.microsoft.com/en-us/help/12373/windows-update-faq

Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched up prevents attackers from being able to exploit them to drop malware.

For other added tips, read "10 easy ways to prevent malware infection"

.All the best,

Maurice

[AdvancedSetup]

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Thanks