Potential Browser Hijacker keeps me from loading certain webpages properly


Go to solution Solved by Maurice Naggar,

Hi, I'd like your help if possible.

I was trying to access the site HumbleBundle.com (a site under which my browser has saved credit card credentials) and get the summer sales, but as you can see in the attached photo it refuses to load properly and I get that page instead, where nothing was clickable except for the support tab, which later became inaccessible (had the same look) as the site's home page.

I have reason to suspect I'm dealing with browser hijacker software transferred after a recent file was received by an employer.

I tried:

- I ran a Windows Defender scan

- clearing the cache and deleting all Humble Bundle history entries

- installing AdwCleaner 8.2, which detected some PUPs and deleted the quarantined elements

- installed RogueKiller, which yielded no detections

- I deleted the files that my employer gave me (at my own responsibility)

- tried to access the site from my Android phone, which was synced to my PC through Gmail, and there it refused to load, and when I switched to the desktop version of the site I got the same result

- I installed a Malwarebytes trial license and did a full scan, which detected a trojan dropper and PUPs, which I deleted

- I reset my hosts file to the Windows 10 version and set it to read-only (despite not noticing any differences between what was there and what I copied in to reset it)

- I ran a HitmanPro scan and found more files that I deleted

- I went into safe mode with network access and performed a scan there, then emptied my cache and reset all my Microsoft Edge parameters and deleted passwords, favourites... everything. I even found the reset to "factory-default" settings

- I desynced my Gmail and logged off

- I tried installing Chrome, which would show a message in the bottom left of the screen while loading saying "Loading accessible connection interface" and keeps loading without end

- I tried installing Mozilla Firefox and the Malwarebytes guard add-on

- I went back to safe mode and redid the same steps as before + a Malwarebytes scan and AdwCleaner scan

At times I'd see that some pages are replaced with a lousy imitation, like Google.com having a weird interface.

After each 1 or 2 steps I'd check back on Humble Bundle and find that it's still cursed with monkey-tier CSS.

Now I'm here with no idea what to do and with all files that I doubted being corrupt permanently deleted, and this can be not a browser hijacker for all I know. Please help me, I'm open to downloading TeamViewer and talking to a support expert at this point.

I'd like to avoid any option requiring me to format my hard drive, as the amount of academic material I have on me isn't easily transferable to an external drive. And if you think of something, please help me with my Android too.

It feels like the malware is spreading, going from the Humble Bundle main page to its support, and this morning I found the Steam page became infected. I'm limiting access to everything and avoiding entering my CVV code from my credit card or using passwords that I use on more than one account.

HELP!

Hello

My name is Maurice. I will guide you. Please always attach files / reports as we go along.

I need a report set for review. This is a report only.

Please download MBST Support Tool

 

Once you start it click Advanced > Gather Logs

 

Upload an archive once it is done. Attach the mbst-grab-results.zip from the Desktop.

 

  • Please attach  mbst-grab-results.zip    to your reply , like displayed here.
  • To send  ( upload)   attachments please click the link as shown below. Then browse to where your file is located and select it and click the Open button.


Hi.  I got your report file.  I will review & get back to you.

Meantime do not get any other tools, nor make any further changes on your own.  That especially means do not run or get "security" or "fix" tools on your own.

If you have questions, kindly ask me first.

You described already running Malwarebytes for Windows, Malwarebytes Adwcleaner, Roguekiller & Hitman.     

Is "humblebundle" a game website ?

NOTE:  What I will help you on is to help & guide to check for malware infection on your Windows machine.  Anything else beyond that, I would refer you to other venues.


Thanks Maurice, and I understand perfectly.

Humble Bundle is a site that groups games, books or digital assets and sells them in discounted bundles. Sort of like a charitable medium between a player and developers/companies.

The things I tried were purely me googling my own research and googling solutions for people who had a similar problem, and some even came up in your forum. The order however is mostly me panicking, but I tried to log everything I did in order (maybe more detail would have been better), but currently I'll let you investigate the possibility of ransomware, spyware, keyloggers or whatever malicious script is ruining my HTML display and maybe redirecting me to non-existent sites.

Thank you for your patience and consideration, and I'll be in your care. I'm checking up on this page every half hour, so if you have any more questions just shoot :)

I'm contacting support sites one by one so that no one site's investigation interferes with another. (You guys are my first and hopefully my last.)

I'm helping you help me after all

This here is the next suggested step   (  it does not take much time.)

Start Malwarebytes. Click Settings ( gear ) icon. Next, let's make real sure that Malwarebytes does NOT register with Windows Security Center

 

Click the Security Tab. Scroll down to 

"Windows Security Center"

 

Click the selection to the left  for the line "Always register Malwarebytes in the Windows Security Center".

 

{ We want that to be set as Off   .... be sure that line's  radio-button selection is all the way to the Left.  thanks. }

This will not affect any real-time protection of the Malwarebytes trial.

Now Close   ( exit ) Malwarebytes.

[    2    ]

Microsoft Safety Scanner

 

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system.

  • The download links & the how-to-run-the tool are at this link at Microsoft:

 

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

  • Please let me know the results of this scan.
  • The log is named MSERT.log
  • the log will be at  %SYSTEMROOT%\debug\msert.log   which in most cases is C:\Windows\debug\msert.log
  • Please attach that log with your next reply.

Good morning Maurice,

As I approach the 19th hour of letting this scan go on, I was wondering if this long duration was normal for a PC with 800 GB of data and if there's a way I can give you a premature version of the log without stopping the scan. Here's a screenshot of the progress I found this morning for my timezone.

The display bar is obviously a bit meaningless, but I'm glad I might be closing in on the final stretch of what you described as being "does not take much time."

I will update you when I have the full results regardless

Hello.

The Safety Scanner found 1 trojan classified as Win32/Occamy.C.

 Proceed with different scan now.

  • I would suggest a free scan with the ESET Online Scanner  to check for viruses, trojans, potentially unwanted add-ons  

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

 

It will start a download of "esetonlinescanner.exe"

  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get it started.
  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes
  • When prompted for scan type, Click on Full scan
  • Look at & tick ( select ) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on Start scan button.

Have patience. The entire process may take an hour or more. There is an initial update download.

There is a progress window display.

You should ignore all prompts to get the ESET antivirus software program. ( e.g. their standard program). You do not need to buy or get or install anything else.

  • When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked “View detected results”.
  • Click The blue “Save scan log” to save the log.

If something was removed and you know it is a false finding, you may click on the blue ”Restore cleaned files” ( in blue, at bottom).

Press Continue when all done. You should click to off the offer for “periodic scanning”.


The ESET Online Scanner tool removed 6 threats.

Next, I suggest we do one additional scan.

Please read all this before-hand.

  • I suggest you do a free scan with the Kaspersky Virus Removal Tool.
  • Please download and run the following Kaspersky antivirus scanner to remove any found threats
  • Kaspersky Virus Removal Tool    
  • There is a how-to run guide on that page & a download link. Be sure you save the file to your system before running it.
  • Close all work applications & all web browsers before pressing "Start Scan" in Kaspersky KVRT.

When presented with "Settings" option screen as to what to scan,
just TICK these

System Memory
Startup objects
Boot sectors
System drive

 

Then click the OK button.

  • Let me know if it finds anything or not
  • You want to start the Scan  & then let it do its thing.
  • There will be more to do.

Good morning.  Thank you for the results.   Let me know, How is the situation with the browser ?

Let me suggest that you get your browsers each, as applicable, to have the Malwarebytes Browser Guard.

See Support article how-to

https://support.malwarebytes.com/hc/en-us/articles/360038520374-Install-Malwarebytes-Browser-Guard

 

Note: If your pc has Opera or Brave or Vivaldi browser, or the Windows 10 EDGE browser, you can install the Chrome version of the Malwarebytes Browser Guard.
Mozilla Firefox has a separate Browser Guard  ( see page above ).

.

Thus far no confirmed malware.

.

In Malwarebytes for Windows program, we want to do a special scan.

Click Settings ( gear icon)   at the top right of Malwarebytes window.   We want to see the SETTINGS window.

Then click the Security tab.   

Scroll down and let's be sure the line in SCAN OPTIONs for "Scan for rootkits" is ON        👈

Click it to get it ON  if it does not show a blue-color

.

Next, click the small x on the Settings line   to go to the main Malwarebytes Window.

 

Next click the blue button marked Scan.

When the scan phase is done, be real sure you Review and have all detected lines items check-marked on each line on the left. That too is very critical.

You can actually click  ( tick )   the topmost left  check-box  on the very top line to get ALL lines  ticked   ( all selected).    👈


Then click on Quarantine selected.


Then, locate the Scan run report;  export out a copy;  & then attach in with your  reply.

See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4


Hello.   

I am glad to have worked with you.

We can proceed with cleanup of tools we used.

To remove the FRST tool & its work files, do this. Go to your Downloads folder. Do a RIGHT-click on FRSTENGLISH.exe & select RENAME & then change it to

UNINSTALL.exe

.
Then run that ( double click on it) to begin the cleanup process.

Delete msert.exe

Delete esetonlinescanner.exe

Delete KVRT.exe    ( Kaspersky tool)

Delete mbst-grab-results.zip

Delete mb-support-1.8.4.896.exe   on Desktop

 

Any other download file I had you download, you may delete. I wish you all the best. Stay safe.

[ BEST PRACTICES ]

Backup is your best friend. Keep backups of your system on a regular basis to offline storage & keep those safe. https://forums.malwarebytes.com/topic/136226-backup-software/

 

 

It is not enough to just have a security program installed. Each pc user needs to practice daily safe computer and internet use.

 

Best practices & malware prevention:

  • Follow best practices when browsing the Internet, especially on opening links coming from untrusted sources.
  • First rule of internet safety: slow down & think before you "click".
  • Never click links without first hovering your mouse over the link and seeing if it is going to an odd address ( one that does not fit or is odd looking or has typos).
  • Free games & free programs are like "candy". We do not accept them from "strangers".
  • Never open attachments that come with unexpected ( out of the blue ) email no matter how enticing.
  • Never open attachments from the email itself. Do not double click in the email. Always Save first and then scan with antivirus program.
  • Pay close attention when installing 3rd-party programs. It is important that you pay attention to the license agreements and installation screens when installing anything off of the Internet. If an installation screen offers you Custom or Advanced installation options, it is a good idea to select these as they will typically disclose what other 3rd party software will also be installed.
  • Take great care in every stage of the process and every offer screen, and make sure you know what it is you're agreeing to before you click "Next".
  • Use a Standard user account rather than an administrator-rights account when "surfing" the web.
  • See more info on Corrine's SecurityGarden Blog http://securitygarden.blogspot.com/p/blog-page_7.html
  • Don't remove your current login. Just use the new Standard-user-level one for everyday use while on the internet.
  • Do a Windows Update.
  • Make certain that Automatic Updates is enabled.
  • https://support.microsoft.com/en-us/help/12373/windows-update-faq
  • Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched up prevents attackers from being able to exploit them to drop malware.
  • For other added tips, read "10 easy ways to prevent malware infection"

https://blog.malwarebytes.com/101/2016/08/10-easy-ways-to-prevent-malware-infection/

 

Stay safe.  I wish you all the best.

Maurice


Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you

 

 


Good morning.  I have your reports. The Malwarebytes for Windows scan for 9 July, 2021 reports no malware.  Be sure you know that the Malwarebytes for Windows continues to be able to be used to scan & if any malware is found, it will remove that malware.  Meaning, the program can clean, even if the trial period ( 14 days ) expires.

While we work this case, it is very important that you keep me advised & if you will be gone for more than 4 days in a row, you let me know that in advance.  In other words, keep current on the case and keep me advised.

I need fresh diagnostic reports plus, I need fresh detail on

A:  Which web browser is this that you have issues with ?   Chrome ?  Edge ? or another ?

Next Actions:

[    1    ]

As a next basic step, Please  set File Explorer to SHOW ALL folders, all files, including Hidden ones.  Use OPTION ONE or TWO of this article

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

[    2    ]

In order to resume to help you properly, we will need a diagnostic report in order to review & diagnose.
Specifically the FRST Farbar diagnostic report.  It is safe to get & use.
https://support.malwarebytes.com/hc/en-us/articles/360039025013-Run-Farbar-Recovery-Scan-Tool-to-gather-logs

Attach FRST.txt + Addition.txt with your reply.  You may if you wish, ZIP the 2 into a zip file & then attach.
( just please do not copy, paste their contents in main body of reply box here.)
 

 

 

 


20 hours ago, Maurice Naggar said:

We can proceed with cleanup of tools we used.

To remove the FRST tool & its work files, do this. Go to your Downloads folder. Do a RIGHT-click on FRSTENGLISH.exe & select RENAME & then change it to

UNINSTALL.exe

.
Then run that ( double click on it) to begin the cleanup process.

 

Hi

While I wait for the FRST and Malwarebytes, I'd like to clarify some things.

A) The browser in question is Microsoft Edge Version 91.0.864.64

B) During our entire session we never installed the FRST tool, and yet you're requesting its deletion as part of cleaning up our tools. I'm wondering if you might have confused my case with another.

C) Clicking the second link returns me to my own post. I'm not sure that was intended, but no problem, I found the newest version of the FRST tool on my own and it's scanning.

1 hour ago, Maurice Naggar said:

A:  Which web browser is this that you have issues with ?   Chrome ?  Edge ? or another ?

Next Actions:

[    1    ]

As a next basic step, Please  set File Explorer to SHOW ALL folders, all files, including Hidden ones.  Use OPTION ONE or TWO of this article

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

[    2    ]

In order to resume to help you properly, we will need a diagnostic report in order to review & diagnose.
Specifically the FRST Farbar diagnostic report.  It is safe to get & use.
https://support.malwarebytes.com/hc/en-us/articles/360039025013-Run-Farbar-Recovery-Scan-Tool-to-gather-logs

D) The site in question this time is https://euw.op.gg/multi/query= and I will attach a peculiar setting in Microsoft Edge that might explain the behaviour of my pages (sorry if the language is set to French, I'll send you the English version with the logs)

Edge privacy settings saying it allows minimalist page customization.rar


The latest Malwarebytes scan result is perfect.  No malware.

Quote

Objets analysés: 392998
Menaces détectées: 0

I can assure you that I am not confusing your case with another.  On a presumption that you may have cleaned up the tools like I posted before, I thought it best to get a new FRST for reporting.  ( FRST is included when you do the support tool report like you did at start of case.)

Have no fear that I got you mixed up with another.

.

Today, what I am understanding you to say is that, on the Edge browser, some other site is not "loading" or behaving as expected.

Do keep in mind, that web browsers can get odd at times & that it does not necessarily involve a malware infection.

.

This first step is simply just housekeeping so that Microsoft Defender antivirus is allowed to be re-Enabled on the Windows Security Center.

This here is the next suggested step   (  it does not take much time.)

Start Malwarebytes. Click Settings ( gear ) icon. Next, let's make real sure that Malwarebytes does NOT register with Windows Security Center

 

Click the Security Tab. Scroll down to 

"Windows Security Center"

 

Click the selection to the left  for the line "Always register Malwarebytes in the Windows Security Center".

 

{ We want that to be set as Off   .... be sure that line's  radio-button selection is all the way to the Left.  thanks. }

This will not affect any real-time protection of the Malwarebytes.

Now Close   ( exit ) Malwarebytes.

[    2    ]

NOTES for your attention.

( 2A ) Microsoft Defender antivirus has several notations that it considers this file a threat

C:\Users\Aymen\Downloads\DriverPack-17-Online.exe

Pour plus d’informations, reportez-vous aux éléments suivants :
https://go.microsoft.com/fwlink/?linkid=37020&name=Misleading:Win32/Lodi&threatid=240849&enterprise=0
Nom : Misleading:Win32/Lodi

You should consider to delete it. 

( 2 B ) It is possible the issue of the web browser is due to an issue with "TLS" Transport Layer Service

Error: (07/10/2021 02:51:41 PM) (Source: Schannel) (EventID: 4103) (User: AUTORITE NT)
Description: Une erreur irrécupérable s'est produite lors de la création des informations d'identification client pour TLS. État d'erreur interne : 10013.

.

Suggest you  perform these steps and check.

  1. Press Windows key + R to open Run window.

  2. Type inetcpl.cpl and press Enter-key to open Internet Properties.

  3. Click on the Advanced tab.

  4. Now under Security please check the box to enable Use SSL 3.0, Use TLS 1.0, 1.2 and 1.3

 

Next, Restart Windows.   After it has restarted & is loaded & ready. then delete the cache & history on Edge browser.

see guide  https://support.microsoft.com/fr-fr/microsoft-edge/afficher-et-supprimer-l-historique-du-navigateur-dans-microsoft-edge-00cf7943-a9e1-975a-a33d-ac10ce454ca4

After this, let me know if this has better results with Edge.
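
Added example, not part of the post above: a PowerShell check of what the Internet Properties > Advanced protocol checkboxes are currently set to, plus a listing of recent Schannel 4103 events like the one quoted in the post. It assumes the per-user `SecureProtocols` value under the Internet Settings registry key (not mentioned in the thread) and that value's documented bit flags; the mask `0xA00` is a constructed sample.

```powershell
# Added example (not from the thread). Bit flags of the SecureProtocols
# DWORD written by the Internet Properties > Advanced > Security checkboxes.
$ProtocolFlags = [ordered]@{
    'SSL 2.0' = 0x8
    'SSL 3.0' = 0x20
    'TLS 1.0' = 0x80
    'TLS 1.1' = 0x200
    'TLS 1.2' = 0x800
    'TLS 1.3' = 0x2000
}
# SSL 2.0/3.0 and TLS 1.0/1.1 are deprecated protocol versions.
$Deprecated = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1'

function ConvertFrom-SecureProtocols {
    # Decode a SecureProtocols bitmask into one row per protocol.
    param([Parameter(Mandatory)][int]$Mask)
    foreach ($name in $ProtocolFlags.Keys) {
        [pscustomobject]@{
            Protocol   = $name
            Enabled    = [bool]($Mask -band $ProtocolFlags[$name])
            Deprecated = $Deprecated -contains $name
        }
    }
}

# Constructed sample mask: 0xA00 = TLS 1.1 + TLS 1.2 ticked.
'Sample mask 0xA00:'
ConvertFrom-SecureProtocols -Mask 0xA00 | Format-Table -AutoSize

# Live value for the current user (assumed location; absent if never changed).
$key   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$entry = Get-ItemProperty -Path $key -Name SecureProtocols -ErrorAction SilentlyContinue
if ($null -ne $entry) {
    'Current user setting (0x{0:X}):' -f $entry.SecureProtocols
    ConvertFrom-SecureProtocols -Mask $entry.SecureProtocols | Format-Table -AutoSize
} else {
    'SecureProtocols is not set for this user; Windows defaults apply.'
}

# Schannel event 4103 (the TLS client credential error quoted in the post),
# last 7 days, to see whether it still occurs after the settings change.
$filter = @{
    LogName      = 'System'
    ProviderName = 'Schannel'
    Id           = 4103
    StartTime    = (Get-Date).AddDays(-7)
}
$events = Get-WinEvent -FilterHashtable $filter -MaxEvents 20 -ErrorAction SilentlyContinue
if ($events) {
    $events | Select-Object TimeCreated, Id, Message | Format-List
} else {
    'No Schannel 4103 events in the last 7 days.'
}
```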
