
Infected by Rvzr-a.akamaihd.net ?


13 replies to this topic

#1 REM05

REM05

  • Members
  • 43 posts

Posted 08 February 2014 - 08:11 PM

Good day all,

 

This really nasty bug showed up on my computer recently. Google Chrome is loaded with ads. However, nothing shows up under extensions in the settings. I tried Junkware Removal Tool, AdwCleaner and Malwarebytes, but nothing helps. I tried renaming the profile for Google Chrome, but once I restart the computer, it shows up again.

Can anybody help?

 

Thanks

 




 


#2 noknojon

noknojon

  • Banned
  • 10,871 posts

Posted 08 February 2014 - 08:23 PM

Hello -

Please note that this is not an "infection" but it is a Rotten Pest

You have installed it with another program, and you may not know it yet.

 

Please read this topic and pay attention to how it is now an extension on Chrome.

 

1. Open your browser and disable (uncheck) all extensions. Make a list, then one by one, re-enable each extension to see if the pop-ups start appearing again with that particular extension. Once you identify the responsible extension...permanently remove it but let me know which one it was so I can update the above list.
* How to Disable Extensions in Google Chrome - How to Uninstall Extensions in Google Chrome
* How to Disable Extensions and Plugins in Firefox - How to Remove Extensions/Uninstall Plugins in Firefox
* How to Disable Extensions in Internet Explorer
* How to Disable Add-ons/Extensions in Internet Explorer, Firefox and Google Chrome
* How to Disable all add-ons in Firefox, Internet Explorer

2. Create a new browser user profile.
* How to Create a new browser user profile in Google Chrome
* How to Create a new browser user profile in Firefox
* How to Create a new browser user profile in Opera, Internet Explorer, Firefox, Chrome          

 

Clean out your Chrome (and other browsers) as directed above, and it will be gone -



#3 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,390 posts

Posted 08 February 2014 - 08:36 PM

I am subscribing to this topic so I can add the offending program/extension to my list once it is identified.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#4 noknojon

noknojon

  • Banned
  • 10,871 posts

Posted 08 February 2014 - 10:44 PM

Hi -

quietman7 wrote the original page I linked you to, so he will be very interested in the steps you follow and your results.

 

Please keep us informed and please ask extra questions if needed.

 

If this solution is not helping, we do have other tools to help you.

You may note that the post solved Rvzr-a.akamaihd.net, in the linked topic.

 

There is also a full description of the problem, and where it is from.



#5 REM05

REM05
  • Topic Starter

  • Members
  • 43 posts

Posted 09 February 2014 - 12:25 PM

Hi,

 

I tried all, but it didn't work.

The only extension that shows up in Google Chrome is "Media Player 1.1". But I cannot disable it, as it is greyed out and says "installed by enterprise policy".

Renaming the user profile in Google Chrome also doesn't change anything.

 

Anything else I should try?

 

Thanks

 



#6 Quads

Quads

  • Members
  • 86 posts

Posted 09 February 2014 - 01:10 PM

If it is the same one I have found in a user's logs for Chrome, for reference purposes:

 

FRST entry

 

CHR Extension: (Media Player) - C:\Users\[USER]\AppData\Local\Google\Chrome\User Data\Default\Extensions\naaaefjdlbejbglenfklnkfdhapdfohp [2014-02-03]

 

OTL

 

CHR - Extension: Media Player = C:\Users\[USER]\AppData\Local\Google\Chrome\User Data\Default\Extensions\naaaefjdlbejbglenfklnkfdhapdfohp\1.1_0\

 

 

Quads



#7 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,390 posts

Posted 09 February 2014 - 03:10 PM

I tried all, but it didn't work.
The only extension shows up in Google Chrome is "Media Player 1.1

Check all browsers installed, regardless of how often you use them.

#8 REM05

REM05
  • Topic Starter

  • Members
  • 43 posts

Posted 10 February 2014 - 09:20 PM

I have these in "C:\  \AppData\Local\Google\Chrome\User Data\Default\Extensions":

 

C:\Users\\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake
C:\Users\\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf
C:\Users\\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo
C:\Users\\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf
C:\Users\\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhjckpnmmojagnihejckacbbahpbmbkp
C:\Users\\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda
C:\Users\\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia

 

Should I delete them from "Default"? I don't see any extensions through the browser settings.

 

Thanks



#9 noknojon

noknojon

  • Banned
  • 10,871 posts

Posted 10 February 2014 - 09:29 PM

Hi -

If you do not know what these are (and I could not find them) please delete them.

 

You can slowly start to add KNOWN extensions only, and remove unknown ones.



#10 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,390 posts

Posted 11 February 2014 - 05:37 PM

If you have a problem with deletion, see this topic: How To Disable Individual Plug-ins in Google Chrome

#11 Quads

Quads

  • Members
  • 86 posts

Posted 11 February 2014 - 09:01 PM

Surely logging should be asked for, so that a log will help pinpoint which one (and which ones are OK)?

 

Quads



#12 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,390 posts

Posted 11 February 2014 - 09:45 PM

DDS, OTL, RSIT, FRST and ComboFix logs are not permitted in this forum.

#13 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,390 posts

Posted 11 February 2014 - 10:19 PM

I forgot to add that referrals are made to the Virus, Trojan, Spyware, and Malware Removal Logs forum if we cannot assist here or more powerful tools are required. The Malware Response Team members are all volunteers who contribute to helping members as time permits but currently there is a backup and members may have to wait several days for assistance.

#14 Quads

Quads

  • Members
  • 86 posts

Posted 13 February 2014 - 09:44 PM

Even after removing the extension causing the popups and webpage loading, the listing of the extension can still be listed in Chrome, and the policy.

I ended up finding an installer (I don't know how many variants there are) and installing it on my system, to end up with the below, which also needs removing, or the gpt.ini modified back.

I have added variables instead of the actual characters, due to them changing from install to install. I suggest users get help for it.

 

 

 C:\Windows\System32\GroupPolicy\gpt.ini
 
gpt.ini has added line of
 
gPCMachineExtensionNames=[{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{8FC0B734-A0E1-11D1-A7D3-0000F87571E3}]
Version=3
 
File C:\Windows\System32\GroupPolicy\Machine\Registry.pol has inside
 
PReg   [ S o f t w a r e \ P o l i c i e s \ G o o g l e \ C h r o m e \ E x t e n s i o n I n s t a l l F o r c e l i s t ......[Characters for extension]....
 
and 
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist]
 
 
Reference only
 
Quads

Edited by Quads, 13 February 2014 - 09:45 PM.
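
The post above locates the persistence in the machine Group Policy file Registry.pol, under Software\Policies\Google\Chrome\ExtensionInstallForcelist, which is why Chrome reports the extension as "installed by enterprise policy". As an added example (not part of the thread, and not code from any tool mentioned in it), this Python parser reads the PReg format and lists the extensions the policy force-installs. The sample bytes are constructed: they use the extension ID quoted earlier in the thread and a placeholder update URL, and all function names are this example's own.

```python
import struct

# Policy key quoted in the thread (registry key names are case-insensitive).
FORCELIST = r"Software\Policies\Google\Chrome\ExtensionInstallForcelist"
REG_SZ = 1

def _w(text):
    return text.encode("utf-16-le")
def _expect(blob, pos, ch):  # consume one UTF-16LE delimiter character
    if blob[pos:pos + 2] != _w(ch):
        raise ValueError(f"expected {ch!r} at offset {pos}")
    return pos + 2

def _read_wstr(blob, pos):  # NUL-terminated UTF-16LE string
    end = pos
    while blob[end:end + 2] not in (b"\x00\x00", b""):
        end += 2
    return blob[pos:end].decode("utf-16-le"), end + 2

def parse_registry_pol(blob):  # -> [(key, value_name, reg_type, data_bytes)]
    if blob[:8] != b"PReg" + struct.pack("<I", 1):
        raise ValueError("not a Registry.pol (PReg v1) file")
    pos, records = 8, []
    while pos < len(blob):  # each record: [key;value;type;size;data]
        key, pos = _read_wstr(blob, _expect(blob, pos, "["))
        name, pos = _read_wstr(blob, _expect(blob, pos, ";"))
        pos = _expect(blob, pos, ";")
        rtype, _, size = struct.unpack_from("<I2sI", blob, pos)
        _expect(blob, pos + 4, ";")
        pos = _expect(blob, pos + 10, ";")
        data, pos = blob[pos:pos + size], _expect(blob, pos + size, "]")
        records.append((key, name, rtype, data))
    return records

def forced_extensions(blob):  # -> [(slot, extension_id, update_url)]
    hits = []
    for key, name, rtype, data in parse_registry_pol(blob):
        if key.lower() == FORCELIST.lower() and rtype == REG_SZ:
            ext_id, _, url = data.decode("utf-16-le").rstrip("\0").partition(";")
            hits.append((name, ext_id, url))
    return hits

def build_record(key, name, rtype, data):  # only used to construct SAMPLE
    head = [_w(key + "\0"), _w(name + "\0"), struct.pack("<I", rtype)]
    return _w("[") + _w(";").join(head + [struct.pack("<I", len(data)), data]) + _w("]")
# Constructed sample: extension ID as quoted in the thread, placeholder update URL.
_VALUE = _w("naaaefjdlbejbglenfklnkfdhapdfohp;https://update.example.invalid/crx\0")
SAMPLE = (b"PReg" + struct.pack("<I", 1) + build_record(FORCELIST, "1", REG_SZ, _VALUE)
          + build_record(r"Software\Policies\Example", "Flag", 4, struct.pack("<I", 1)))
```

To check a real machine, pass `forced_extensions` the bytes of C:\Windows\System32\GroupPolicy\Machine\Registry.pol (the path given in the post), read in binary mode.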




