Browser Hijack ab4hr.com - Malwarebytes Blocked it, But where is it?


9 replies to this topic

#1 MorDi33

MorDi33

  • Members
  • 36 posts
  • OFFLINE
  •  
  • Local time:11:52 PM

Posted 18 December 2016 - 03:39 PM

Hey guys.

 

Got your help two years back and you seriously rock!!!

 

Sadly, I am back for more help.

 

I use Malwarebytes and get a notification when I visit Facebook (with Firefox) stating that it has stopped me from the site ab4hr.com

 

"Malicious website blocked"

 

I am unsure of how I got the virus/malware etc...

 

Could be a faulty click on a url when I was working a bit too fast. But where that was I cannot recall.

I use WOT ALWAYS as a pinpoint before looking into a site.

 

Anyways...The hunt began...

 

I used Malwarebytes but it found nothing. Also in safe mode. Used safe mode on everything as I can recall in addition to regular mode.

I used Adwcleaner, with the same result.

I used Hitman Pro.  - Did not find anything.

Also used is Avast. - Nothing

And Zemana Antimalware. - Nothing

Then I tried Adguard - Not even sure if it is relevant on this list as it seems to be just a Guard to stop ads... Not a cleaner.

 

And a tool called Unhack me. It seemed to find a lot of issues.

So I took action on them.

 

Sadly I have no log of these as it won't let me copy it from the admin panel of the software.

 

It did find files which I was unsure of like firefox profiles with a "isghosdighsgih" type of name.

Deleted them.

 

And 4 lookinglink files.

 

So a total of 68 give or take files were spotted for me to go over and check.

I took action on what I recognized as not needed and weird and/or proven bad files.

 

About ab4hr... I read about it and it is vicious. - Guess you know about it.

Found it to have a connection to "lookinglink" (site and/or file)

Which was one of the files I managed to delete with Unhack me, still it persists.

 

Problem is still there.

 

I am using a Win 7 Ultimate, Service pack 1

 

ANY help is greatly appreciated.

 

I thought I could handle this by myself this time... But the level of information regarding it (ab4hr removal ) online is not enough.

I have gone through the hoops and tested any variation, as there have been a few different programs and fixes that have been claimed to work.

This has been the likes of using Malwarebytes and other software and also resetting browsers.

 

So if you can help me shed some light on this and perhaps even get it cleared I will be very happy!

 

Thanks





#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 52,068 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:52 PM

Posted 18 December 2016 - 04:40 PM

What does it mean when I get an alert that Malwarebytes has blocked a malicious site?

Malwarebytes Anti-Malware will alert users when network traffic is blocked to a website, URL, or IP address that has been found to host malicious content. Since the network traffic is blocked, the malicious IP address is unable to connect to your computer - In most cases nothing needs be done, our protection has blocked the threat from infecting you.

 

Malicious Website Blocking (IP Protection) is part of the Protection Module in the Premium version and works after it is enabled. When attempting to go to a potential malicious website, Malwarebytes will block the attempt and provide an alert.

An outgoing IP alert indicates that a process on your system (typically your browser) tried to access a known malicious IP address or IP range and was prevented from loading content onto your system. When your browser attempts to connect to a website, Windows uses Domain Name System (DNS) or the HOSTS file to query and convert the domain name into its corresponding IP address. Malwarebytes intercepts the communications in order to determine whether or not the IP address is known for malicious activity. If confirmed as a known malicious site, Malwarebytes blocks the connection, notifies you and stores that information into its protection log.

IP alerts may be triggered by banner ads appearing on websites since in some cases these ads are malicious. Notification that an outgoing IP address has been blocked does not necessarily mean the computer is infected. Other legitimate programs on your computer (i.e. iTunes, Instant Messenger client, SKYPE, P2P software) have access to the Internet and that action can trigger an IP alert if it tried to access a malicious IP address. No action is required unless you're also experiencing obvious indications (signs of infection and malware symptoms) that something is wrong or there are multiple IPs. Your firewall should be able to give you a list of such programs so you can confirm if they are legitimate.

IP Protection is also designed to block incoming connections (communications) it determines to be malicious and you did not request from entering your computer. Hackers use "port scanning", a popular reconnaissance technique, to search for vulnerable computers with open ports using IP addresses or a group of random IP address ranges so they can break in and install malicious programs. Botnets and Zombie computers scour the net, randomly scanning a block of IP addresses, searching for vulnerable ports (commonly probed ports) and make repeated attempts to access them.

Malwarebytes is doing its job by blocking this kind of traffic and alerting you about these intrusion attempts.

For information about Malicious Website Protection (IP Protection), please refer to:


Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#3 MorDi33

MorDi33
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  •  
  • Local time:11:52 PM

Posted 19 December 2016 - 05:22 AM

Hi..

 

Thanks for your reply.

 

There are a few things that I don't  "get" with this response...

 

You state: "When attempting to go to a potential malicious website, Malwarebytes will block the attempt and provide an alert."

This is true.

Still I am going to Facebook. And I have cleared cache and cookies so if it was the ads then they would rotate around and I would not get that message from Malwarebytes every time.

Also FB is very strict on their ads. So an ad showing on their site in general can only be redirected to a good page, and only if an action is taken on that page it can redirect me further to i.e ab4hr.com.

So it is not the ads. I work with marketing so I know that the ads work like this. Malwarebytes does not read an ad and also read the next page of it, does it?

I find it hard to believe that this is the case.

I could be wrong but as stated I think there is something else also.

 

Here is the log for the event in Malwarebytes:

 

Malwarebytes Anti-Malware
www.malwarebytes.org


Protection, 12/18/2016 7:33 PM, SYSTEM, RUNESTASJON-PC, Protection, Malware Protection, Starting,
Protection, 12/18/2016 7:33 PM, SYSTEM, RUNESTASJON-PC, Protection, Malware Protection, Started,
Protection, 12/18/2016 7:33 PM, SYSTEM, RUNESTASJON-PC, Protection, Malicious Website Protection, Starting,
Update, 12/18/2016 7:33 PM, SYSTEM, RUNESTASJON-PC, Scheduler, IP Database, 2016.12.14.2, 2016.12.18.1,
Protection, 12/18/2016 7:34 PM, SYSTEM, RUNESTASJON-PC, Protection, Malicious Website Protection, Started,
Update, 12/18/2016 7:34 PM, SYSTEM, RUNESTASJON-PC, Scheduler, Domain Database, 2016.12.17.2, 2016.12.18.2,
Update, 12/18/2016 7:34 PM, SYSTEM, RUNESTASJON-PC, Scheduler, Malware Database, 2016.12.17.5, 2016.12.18.4,
Protection, 12/18/2016 7:34 PM, SYSTEM, RUNESTASJON-PC, Protection, Refresh, Starting,
Protection, 12/18/2016 7:34 PM, SYSTEM, RUNESTASJON-PC, Protection, Malicious Website Protection, Stopping,
Protection, 12/18/2016 7:34 PM, SYSTEM, RUNESTASJON-PC, Protection, Malicious Website Protection, Stopped,
Protection, 12/18/2016 7:34 PM, SYSTEM, RUNESTASJON-PC, Protection, Refresh, Success,
Protection, 12/18/2016 7:34 PM, SYSTEM, RUNESTASJON-PC, Protection, Malicious Website Protection, Starting,
Protection, 12/18/2016 7:34 PM, SYSTEM, RUNESTASJON-PC, Protection, Malicious Website Protection, Started,
Detection, 12/18/2016 7:34 PM, SYSTEM, RUNESTASJON-PC, Protection, Malicious Website Protection, Domain, 52.5.47.11, ab4hr.com, 49731, Outbound, C:\Program Files (x86)\Mozilla Firefox\firefox.exe,
Detection, 12/18/2016 7:34 PM, SYSTEM, RUNESTASJON-PC, Protection, Malicious Website Protection, Domain, 52.5.47.11, ab4hr.com, 49731, Outbound, C:\Program Files (x86)\Mozilla Firefox\firefox.exe,
Detection, 12/18/2016 7:34 PM, SYSTEM, RUNESTASJON-PC, Protection, Malicious Website Protection, Domain, 52.5.47.11, ab4hr.com, 49733, Outbound, C:\Program Files (x86)\Mozilla Firefox\firefox.exe,
Scan, 12/18/2016 7:42 PM, SYSTEM, RUNESTASJON-PC, Context, Start:12/18/2016 7:34 PM, Duration:8 min 20 sec, Threat Scan, Completed, 0 Malware Detections, 0 Non-Malware Detections,
Detection, 12/18/2016 8:19 PM, SYSTEM, RUNESTASJON-PC, Protection, Malicious Website Protection, Domain, 52.5.47.11, ab4hr.com, 52754, Outbound, C:\Program Files (x86)\Mozilla Firefox\firefox.exe,
Detection, 12/18/2016 8:19 PM, SYSTEM, RUNESTASJON-PC, Protection, Malicious Website Protection, Domain, 52.5.47.11, ab4hr.com, 52754, Outbound, C:\Program Files (x86)\Mozilla Firefox\firefox.exe,
Detection, 12/18/2016 8:19 PM, SYSTEM, RUNESTASJON-PC, Protection, Malicious Website Protection, Domain, 52.5.47.11, ab4hr.com, 52759, Outbound, C:\Program Files (x86)\Mozilla Firefox\firefox.exe,
Update, 12/18/2016 9:54 PM, SYSTEM, RUNESTASJON-PC, Manual, Domain Database, 2016.12.18.2, 2016.12.18.3,
Update, 12/18/2016 9:54 PM, SYSTEM, RUNESTASJON-PC, Manual, Malware Database, 2016.12.18.4, 2016.12.18.5,
Scan, 12/18/2016 10:01 PM, SYSTEM, RUNESTASJON-PC, Manual, Start:12/18/2016 9:54 PM, Duration:6 min 51 sec, Threat Scan, Completed, 0 Malware Detections, 0 Non-Malware Detections,
Protection, 12/18/2016 10:06 PM, SYSTEM, RUNESTASJON-PC, Protection, Malware Protection, Starting,
Protection, 12/18/2016 10:06 PM, SYSTEM, RUNESTASJON-PC, Protection, Malware Protection, Started,
Protection, 12/18/2016 10:06 PM, SYSTEM, RUNESTASJON-PC, Protection, Malicious Website Protection, Starting,
Protection, 12/18/2016 10:06 PM, SYSTEM, RUNESTASJON-PC, Protection, Malicious Website Protection, Started,
Detection, 12/18/2016 10:06 PM, SYSTEM, RUNESTASJON-PC, Protection, Malicious Website Protection, Domain, 52.5.47.11, ab4hr.com, 49381, Outbound, C:\Program Files (x86)\Mozilla Firefox\firefox.exe,
Detection, 12/18/2016 10:06 PM, SYSTEM, RUNESTASJON-PC, Protection, Malicious Website Protection, Domain, 52.5.47.11, ab4hr.com, 49381, Outbound, C:\Program Files (x86)\Mozilla Firefox\firefox.exe,
Detection, 12/18/2016 10:06 PM, SYSTEM, RUNESTASJON-PC, Protection, Malicious Website Protection, Domain, 52.5.47.11, ab4hr.com, 49383, Outbound, C:\Program Files (x86)\Mozilla Firefox\firefox.exe,

(end)

 

Also the information that is online about ab4hr is not to be neglected in my opinion:

This is from http://greatis.com/blog/search-redirect/delete-ab4hr-com-virus.htm

 

AB4HR.COM ads are displayed as large blocks of content and imagery, intrusive pop-ups, gutter ads, distracting click-bait and suggestive content that is usually unrelated to the content of the Web site you are browsing.

Ads by AB4HR.COM

While many Web surfers tend to dislike AB4HR.COM ads for being intrusive and suggestive, these ads may present a real problem when they are served by a hidden browser plugin. If this is the case, users report problems connecting to certain Web sites.

 

.............................

There is more info on it online. They all state that this is an installed software of some sort, be it browser plugin or malware, virus, etc.

 

Can you please guide me through some steps to ensure that this is at least checked?

Thanks
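
An added example, not part of the original post and not Malwarebytes code: a small Python parser for protection-log text in the comma-separated layout of the log above, which groups the Detection rows by process, domain and IP and lists the blocks that recur after a scan reported zero detections. The field positions are inferred from the posted log; the host name EXAMPLE-PC and all function names are assumptions.

```python
from collections import defaultdict
from datetime import datetime

TS_FORMAT = "%m/%d/%Y %I:%M %p"  # e.g. "12/18/2016 7:34 PM"

# Constructed sample: rows in the layout of the log posted above, with a
# placeholder host name (EXAMPLE-PC).
SAMPLE_LOG = r"""
Malwarebytes Anti-Malware
Protection, 12/18/2016 7:34 PM, SYSTEM, EXAMPLE-PC, Protection, Malicious Website Protection, Started,
Detection, 12/18/2016 7:34 PM, SYSTEM, EXAMPLE-PC, Protection, Malicious Website Protection, Domain, 52.5.47.11, ab4hr.com, 49731, Outbound, C:\Program Files (x86)\Mozilla Firefox\firefox.exe,
Detection, 12/18/2016 7:34 PM, SYSTEM, EXAMPLE-PC, Protection, Malicious Website Protection, Domain, 52.5.47.11, ab4hr.com, 49731, Outbound, C:\Program Files (x86)\Mozilla Firefox\firefox.exe,
Detection, 12/18/2016 7:34 PM, SYSTEM, EXAMPLE-PC, Protection, Malicious Website Protection, Domain, 52.5.47.11, ab4hr.com, 49733, Outbound, C:\Program Files (x86)\Mozilla Firefox\firefox.exe,
Scan, 12/18/2016 7:42 PM, SYSTEM, EXAMPLE-PC, Context, Start:12/18/2016 7:34 PM, Duration:8 min 20 sec, Threat Scan, Completed, 0 Malware Detections, 0 Non-Malware Detections,
Detection, 12/18/2016 8:19 PM, SYSTEM, EXAMPLE-PC, Protection, Malicious Website Protection, Domain, 52.5.47.11, ab4hr.com, 52754, Outbound, C:\Program Files (x86)\Mozilla Firefox\firefox.exe,
Detection, 12/18/2016 8:19 PM, SYSTEM, EXAMPLE-PC, Protection, Malicious Website Protection, Domain, 52.5.47.11, ab4hr.com, 52754, Outbound, C:\Program Files (x86)\Mozilla Firefox\firefox.exe,
Detection, 12/18/2016 8:19 PM, SYSTEM, EXAMPLE-PC, Protection, Malicious Website Protection, Domain, 52.5.47.11, ab4hr.com, 52759, Outbound, C:\Program Files (x86)\Mozilla Firefox\firefox.exe,
"""

def parse_log(text):
    """Return (detections, scans) parsed from protection-log text."""
    detections, scans = [], []
    for line in text.splitlines():
        f = [part.strip() for part in line.split(",")]
        if len(f) < 2:
            continue  # banner lines such as the product name
        try:
            when = datetime.strptime(f[1], TS_FORMAT)
        except ValueError:
            continue  # not an event row
        if f[0] == "Detection" and len(f) >= 12:
            detections.append({"time": when, "ip": f[7], "domain": f[8],
                               "port": int(f[9]), "direction": f[10],
                               "process": f[11]})
        elif f[0] == "Scan" and len(f) >= 10:
            # f[9] looks like "0 Malware Detections"
            scans.append({"time": when, "malware": int(f[9].split()[0])})
    return detections, scans

def summarize(detections):
    """Group blocks by (process, domain, ip, direction).

    The same time and local port logged twice is counted as one connection.
    """
    groups = defaultdict(lambda: {"conns": set(), "first": None, "last": None})
    for d in detections:
        g = groups[(d["process"], d["domain"], d["ip"], d["direction"])]
        g["conns"].add((d["time"], d["port"]))
        g["first"] = min(g["first"] or d["time"], d["time"])
        g["last"] = max(g["last"] or d["time"], d["time"])
    return {k: {"connections": len(v["conns"]), "first": v["first"],
                "last": v["last"]} for k, v in groups.items()}

def blocks_after_clean_scan(detections, scans):
    """Detections logged after a scan that reported 0 malware detections."""
    clean = [s["time"] for s in scans if s["malware"] == 0]
    return [d for d in detections if any(d["time"] > t for t in clean)]

if __name__ == "__main__":
    dets, scans = parse_log(SAMPLE_LOG)
    for key, info in summarize(dets).items():
        print(key, info)
    print("blocks after a clean scan:", len(blocks_after_clean_scan(dets, scans)))
```

Grouping by process shows which program made the blocked connections, and blocks that continue after a clean file scan indicate the scanner's result alone does not account for the traffic.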



#4 buddy215

buddy215

  • Moderator
  • 13,501 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:West Tennessee
  • Local time:05:52 PM

Posted 19 December 2016 - 05:58 AM

Detection, 12/18/2016 10:06 PM, SYSTEM, RUNESTASJON-PC, Protection, Malicious Website Protection, Domain, 52.5.47.11, ab4hr.com, 49381, Outbound, C:\Program Files (x86)\Mozilla Firefox\firefox.exe,

 

Try doing a clean uninstall of Firefox....that means deleting your Firefox profile, too. You can save your bookmarks before

doing that or import them from another browser that has the same list of bookmarks.

 

First run the uninstaller from the list of installed programs. Then do a search for Mozilla Firefox to find and delete all including your Firefox profile.

Reboot the computer, download and reinstall Firefox. Let me know if MBAM is still blocking the adware.

Download Firefox — Free Web Browser — Mozilla


“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.” Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#5 MorDi33

MorDi33
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  •  
  • Local time:11:52 PM

Posted 19 December 2016 - 11:30 AM

Hey again.

 

After a clean install and opening up Firefox for the first time I get two tabs open.

In the first one there is this error message:

 

Your connection is not secure.

The owner of accounts.firefox.com has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.

This site uses HTTPS Strict Transport Security (HSTS) to specify that Firefox may only connect to it securely. As a result, it is not possible to add an exception for this website.

Learn more... <---(clickable link)

 

And in the second tab where you have the option of just using a search, as normal it is nothing. BUT when I click on the search after typing anything I get the same message.

 

Reading up on the issue I find several people in the same position.

I uninstalled Adguard - And when I did it opened up a tab - In Firefox. So the issue there was Adguard. At least it works right now.

 

Going to Facebook...

 

No issue now.

 

Was that it?

 

Thanks for your help mr Buddy215 AKA Bleeping GOOROO Wizard.

 

 

---------------------------------------

On another strange, possibly unrelated note:

 

Just after I did this I got a call from +358505281200 Which I did not answer!!!

 

I never answer unexpected calls from a foreign Country.

 

Telephone number is not providing any details to owner when searching. It came from Finland though. 

 

In my head, someone may have wanted to "get back to me" if I was indeed a victim of a personal information theft... Still I have no clue.

 

Again. Thanks for your help.

 

Is there anything else I should do ?

 

Thanks



#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 52,068 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:52 PM

Posted 19 December 2016 - 11:52 AM

I tried and uninstalled Adguard a long time ago. IMO uBlock Origin is much better.

As for the foreign phone number, it could have been related to one of those Tech Support Scams so not answering was a wise thing to do.

Your computer does not have to be compromised for a scammer to call you. Most computers and laptops purchased at retail stores or online come from well known OEM computer system manufacturers like Dell, Hewlett-Packard (HP), Acer, Gateway, Packard Bell, etc. If their customer databases are hacked by cyber-criminals, the scammers may have access to all sorts of customer personal information to include name, address, phone numbers, credit card numbers and what computer make or model they purchased. These are a few examples. If you have not done so already, you may want to read: Beware of Phony Emails & Tech Support Scams

#7 buddy215

buddy215

  • Moderator
  • 13,501 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:West Tennessee
  • Local time:05:52 PM

Posted 19 December 2016 - 11:54 AM

Adblock Plus :: Add-ons for Firefox is what I have used for years in Firefox...never a problem. It is customizable, too.

If you choose to install it...click on its ABP icon and choose Filter Preferences. UNcheck box next to Allow some non-intrusive advertisements.

 

Some adware often creeps back in...if it does...let me know.

 

Block third party cookies...aka ad/ tracking cookies...from installing. Once blocked use CCleaner to remove the existing ones along with other temporary files.

How to disable third-party cookies in all major web browsers

 

Use CCleaner to remove Temporary files, program caches, cookies, logs, etc. Use the Default settings. No need to use the

Registry Cleaning Tool...risky. Pay close attention while installing and UNcheck offers of toolbars....especially Google.

After install, open CCleaner and run by clicking on the Run Cleaner button in the bottom right corner.

CCleaner - PC Optimization and Cleaning - Free Download


Edited by buddy215, 19 December 2016 - 12:04 PM.


#8 MorDi33

MorDi33
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  •  
  • Local time:11:52 PM

Posted 19 December 2016 - 02:35 PM

Hehehe ;) 

 

Thanks guys, I appreciate your commitment towards anything I address.

 

Makes me feel good inside =)   You know, you care =)

 

Adguard was there for a test only. 

And Ccleaner is in the arsenal already.

 

And again, thanks for your replies and inputs. It really matters to me, of course to get things fixed, but also that you are genuinely out to help people.

 

Buddy215: Love this ;)

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”

 

From your latest replies I conclude the case solved.

 

Have a good one guys and/or gals.

 

Blessings
― Lawrence M. Krauss



#9 buddy215

buddy215

  • Moderator
  • 13,501 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:West Tennessee
  • Local time:05:52 PM

Posted 19 December 2016 - 02:54 PM

Yeah...it's food for thought and enlightening.

 

You're welcome...happy surfin'



#10 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 52,068 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:52 PM

Posted 19 December 2016 - 04:33 PM

:thumbup2:



