
Malware that opens shopping links when browser/pc is inactive


Solved by Maurice Naggar


Hi, some sort of malware/adware opens either an Amazon product link or some other flights website. It only does this when my PC is inactive for a short while. I do remember having this same type of malware a while back and I managed to remove it; I have no idea how it came back because I have not downloaded/installed anything new besides one specific thing, so I would like to know how to remove it completely and where it came from. Thank you.

 

FRST.txt Addition.txt malwarebytes.txt AdwCleaner[S06].txt SpybotSNDScan Results.210716-2222.txt


Just now, Maurice Naggar said:

Hello @doctordod32

My name is Maurice.  Let me know what nickname you prefer.

Have you emptied all browser cache & history? Does any of this happen in Chrome browser?

I forgot to mention about browsers. When it used to happen before, it would happen with Firefox, and since I didn't use Firefox it would open by itself and redirect to the link. This time around it's happening on Chrome, which is the only browser I use. I only have AdBlock and MetaMask on Chrome as extensions; I'm certain these aren't malicious. I would rather keep my browser history.


At least, delete the CACHE on Chrome. Do as much as possible of these next steps. These are just a few basics ... before we go further.

[   1   ]

Use Chrome browser to go to https://www.google.com/settings/chrome/sync and sign into your account.
Scroll down until you see the "reset sync" button and click on the button.
At the prompt click on "Ok".

[   2   ]

For Chrome, while Chrome is running:
Press & hold SHIFT+CTRL+Del keys on keyboard to get the menu for clearing browsing data:

Check mark the line "Cached images and files"
and press the Clear Data button (in blue).

[   3   ]

After that, make real sure that Chrome is "NOT" set to reload the pages from the last session.

Go into the settings menu of Chrome by first clicking the control icon of Chrome on the upper right of the address bar.

Then look deeper in SETTINGS.


Make real sure it is "NOT" set to "continue where you left off".

[   4   ]

See this article on our Malwarebytes Blog
https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused/

 

You want to disable the ability of each web browser on this machine from being able to allow "push ads". That means Chrome, Firefox, or Edge browser (on Windows 10), or on Opera.

Scroll down to the tips section "How do I disable them".

 

After you have these completed, let me know.


I have done all of these except the first one because I use the guest account on Chrome and not a Gmail account.


There is no need to press the Quote button when you reply.  Just begin a normal reply in the bottom white box at the bottom.  Otherwise you have this thread go miles & miles deeper when we have to review it.

I have sent you a PM about the huge number of administrator accounts on this machine.

Next steps.

Please set File Explorer to SHOW ALL folders, all files, including Hidden ones. Use OPTION ONE or TWO of this article:

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html


[   2    ]

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & the how-to-run-the tool are at this link at Microsoft 

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on Scan Options & select FULL scan.

Then start the scan. Have lots of patience. It may take several hours.

 

Let me know the result of this. This is likely to run for many hours (depending on the number of files on your machine & the speed of hardware).

The log is named MSERT.log  

the log will be at  

C:\Windows\debug\msert.log

Please attach that log with your reply.

Edited by Maurice Naggar

It only found & removed 1 item.

Found HackTool:Win32/AutoKMS and Removed!

I hope you did not get thrown off by any lines that said "scan error".  Those types of readout are not actual "infection (s)".   In any event, set aside the Safety Scanner.  We will be doing other scans, plus a custom script run.

I have a question for you:

Did you willfully, on your own, set this IP proxy for Firefox?

NetworkProxy: Mozilla\Firefox\Profiles\39vriizl.default-1531756446066 -> socks", "82.155.28.72"

Please advise.

 

 


When it was scanning, it said infected files found: 75, so how can it now only find 1 after the scan completed? That doesn't make sense, but I guess we move on. And yes, that was probably me manually inputting a SOCKS proxy into the Firefox browser, but currently the browser is set to no proxy so it's not using it, and I don't use Firefox anyhow.

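A defender-side check tying together two things from this thread, Maurice's Chrome advice (session restore and push-notification permissions) and the Firefox SOCKS proxy entry that FRST reported: the script below is an added example, not code from the thread, from FRST or from Malwarebytes. It parses a constructed Firefox prefs.js and a constructed Chrome Preferences JSON; the Chrome key layout and value meanings (restore_on_startup 1, notification setting 1 = allow / 2 = block) are assumptions about Chrome's preference format, and the host 198.51.100.7 is a documentation address, not the one in the FRST line.

```python
import json
import re

# Constructed Firefox prefs.js sample (lines of user_pref("name", value);).
# Type 0 = no proxy, so the stored SOCKS host is present but inert.
FIREFOX_PREFS_JS = '''
user_pref("network.proxy.type", 0);
user_pref("network.proxy.socks", "198.51.100.7");
user_pref("network.proxy.socks_port", 1080);
'''
# Constructed Chrome Preferences sample. Assumed layout: session.restore_on_startup
# 1 means "Continue where you left off"; notifications setting 1 = allow, 2 = block.
CHROME_PREFERENCES = json.dumps({
    "session": {"restore_on_startup": 1},
    "profile": {"content_settings": {"exceptions": {"notifications": {
        "https://news.example:443,*": {"setting": 1},
        "https://shop.example:443,*": {"setting": 2},
    }}}},
})
PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(.+?)\);')

def parse_prefs_js(text):
    """Return {pref_name: value} with values JSON-decoded (ints, strings, bools)."""
    prefs = {}
    for name, raw in PREF_RE.findall(text):
        try:
            prefs[name] = json.loads(raw)
        except ValueError:
            prefs[name] = raw  # keep anything unparseable verbatim
    return prefs

def firefox_proxy_findings(text):
    """Report configured proxy hosts and whether Firefox actually uses them
    (network.proxy.type 1 = manual proxy, 0 = no proxy)."""
    prefs = parse_prefs_js(text)
    hosts = {k: v for k, v in prefs.items()
             if k.startswith("network.proxy.")
             and k.rsplit(".", 1)[1] in ("http", "ssl", "socks") and v}
    return {"proxy_active": prefs.get("network.proxy.type") == 1, "proxy_hosts": hosts}

def chrome_findings(text):
    """Flag session restore and list origins allowed to show push notifications."""
    prefs = json.loads(text)
    restore = prefs.get("session", {}).get("restore_on_startup")
    exceptions = (prefs.get("profile", {}).get("content_settings", {})
                  .get("exceptions", {}).get("notifications", {}))
    allowed = sorted(p.split(",")[0] for p, v in exceptions.items() if v.get("setting") == 1)
    return {"continues_where_left_off": restore == 1, "notification_allowed": allowed}
```

Point the two functions at the real files (prefs.js in the Firefox profile folder, Preferences in the Chrome user-data folder) to audit a profile in place. A result with proxy_active false but a host listed matches what the poster describes: a SOCKS entry that is stored but not in use.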

Solution

NEXT

The custom script on this post is ONLY for this machine and NO other.   

Please Close / Exit any open work files (if you have any ongoing at this point). Save any work. Exit out of other open apps that you yourself started at this session.

This procedure will involve a Restart at the end of the run.

Save this script file named FIXLIST.txt to the Downloads folder.

Fixlist.txt

 

Using File Explorer, go to the Downloads folder.

  • RIGHT click on FRST64.exe and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow the tool to run.
  • If the tool warns you the version is outdated, please download and run the updated version.
  • IF Windows prompts you about running this, select YES to allow it to proceed.

 

  • IF you get a block message from Windows about this tool ...

click the "More info" line on that screen

and click the "Run anyway" button on the next screen.

 

Click on FIX button.


 

You will see a green progress bar start.

If you receive a message that a reboot is required, please make sure you allow it to restart normally.

 

The tool will complete its run after restart.

When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

 

Please attach the FIXLOG.txt with your next reply later, at your next opportunity.

There will be more to do after this, so please, stick with me  and as much as possible, stay current with this thread.

I will get back with you as I have the opportunity.  Kindly remember I am a volunteer here.


Hello. Alright. Let's get a new report. This does not make any changes.

I would urge getting a readout report as to update status of some key apps.

Download SecurityCheck by glax24 from here: https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe

 

and save the tool on the desktop.

  • If Windows SmartScreen blocks that with a message window, then

click on the MORE INFO spot and over-ride that and allow it to proceed.

This tool is safe. SmartScreen is overly sensitive.

  • Right-click with your mouse on the SecurityCheck.exe and select "Run as administrator" and reply YES to allow it to run & go forward.
  • Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file. Attach it with your next reply.

You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt


Pursuant to the contents of that report, you ought to consider getting these hotfixes from Microsoft for your Windows 7 OS:
HotFix KB3177467 Warning! Download Update

HotFix KB3125574 Warning! Download Update

HotFix KB4012212 Warning! Download Update

HotFix KB4499175 Warning! Download Update

HotFix KB4474419 Warning! Download Update

HotFix KB4490628 Warning! Download Update

HotFix KB4539602 Warning! Download Update

The following apps / programs are flagged as needing to get the latest updates.
Sandboxie 5.33.3 (64-bit) v.5.33.3 Warning! Download Update

Notepad++ (64-bit x64) v.7.5.4 Warning! Download Update

VMware Workstation v.11.0.0 Warning! Download Update

Microsoft .NET Framework 4.8 v.4.8.03761 Warning! Download Update

Oracle VM VirtualBox 6.1.14 v.6.1.14 Warning! Download Update

VeraCrypt v.1.22 Warning! Download Update

Python 2.7.14 v.2.7.14150 Warning! Download Update

7-Zip 18.05 (x64) v.18.05 Warning! Download Update
Uninstall old version and install new one.

WinRAR 5.50 (64-bit) v.5.50.0 Warning! Download Update
 
GIMP 2.10.14 v.2.10.14 Warning! Download Update


Pidgin v.2.12.0 Warning! Download Update

Skype version 8.68 v.8.68 Warning! Download Update
 
TunnelBear v.4.4.1.0 Warning! This app can show ads.
 
qBittorrent 3.3.16 v.3.3.16 Warning! Download Update

Java 8 Update 261 (64-bit) v.8.0.2610.12 Warning! Download Update
Uninstall old version and install new one (jre-8u291-windows-x64.exe).
NOTE: out-of-date Java is one potential avenue for facilitating exploitation by malware.

VLC media player v.2.2.6 Warning! Download Update
 

Adobe Flash Player 31 NPAPI v.31.0.0.122   Warning! This software is no longer supported. Please uninstall it.

 

Mozilla Firefox 81.0 (x64 en-GB) v.81.0 Warning! Download Update

Pale Moon 28.8.2.1 (x64 en-US) v.28.8.2.1 Warning! Download Update

Mozilla Thunderbird 68.4.2 (x86 en-US) v.68.4.2 Warning! Download Update


Cannot know just how that issue began. Though the likeliest is while using a browser, while surfing the web, or reading an email.

Have you applied all updates that I and Ron had suggested?

That is very important.

Out-of-date OS & out-of-date applications are avenues for infiltration by adware & malware.

Q: Did you want to run another scan with a different security app?


This topic is now closed to further replies.