random chrome popups hijacked browser symptoms


This topic is locked
6 replies to this topic

#1 happpi

happpi

  • Members
  • 4 posts
  • OFFLINE

Posted 01 January 2017 - 10:46 PM

I can't seem to post, not sure if it's this site that's the problem or malware. Trying on another computer.

Attached Files: FRST.txt (857.65KB, 4 downloads), Addition.txt (59.47KB, 1 download)



#2 happpi

happpi
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE

Posted 01 January 2017 - 10:48 PM

I know you're not supposed to attach the FRST file like that but I literally tried this 10 times on 2 different computers and the post just kept timing out.

I'm not even able to post to this forum; it seems like this malware is actually smart enough that it's trying to prevent even that. Trying again in the Edge browser, but a popup came when I opened it as well so..

I'm getting random popups when browsing the web. I have Avira and Malwarebytes, neither detecting anything.

It's hijacked Google so I get Bing instead on a new tab in Chrome.

I had to rename Malwarebytes to reinstall it. FRST wouldn't run until I turned off SmartScreen.

HELP!!!


#3 nasdaq

nasdaq

  • Malware Response Team
  • 38,962 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:10 AM

Posted 02 January 2017 - 10:19 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Remove this program in bold via the Control Panel > Programs > Programs and Features.
Download Updater (AOL LLC) (HKLM-x32\...\SoftwareUpdUtility) (Version: - ) <==== ATTENTION
----

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click OK.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

AutoConfigURL: [S-1-5-21-2160640111-292067240-2760769307-1001] => hxxp://noblocking.net/wpad.dat?8482b77cc9b533934abc7347daeb9af222641312
ManualProxies: 0hxxp://noblocking.net/wpad.dat?8482b77cc9b533934abc7347daeb9af222641312
BHO: No Name -> {13D67BB7-DB5F-48AA-884D-7A5D94168509} -> No File
BHO-x32: No Name -> {13D67BB7-DB5F-48AA-884D-7A5D94168509} -> No File
FF user.js: detected! => C:\Users\Kssd\AppData\Roaming\Mozilla\Firefox\Profiles\XkFQBRkH.default\user.js [2016-07-23]
FF Keyword.URL: Mozilla\Firefox\Profiles\XkFQBRkH.default -> hxxp://slirsredirect.search.aol.com/redirector/sredir?invocationType=bu10aiminstabie7&sredir=2706&query=
CHR Extension: (Avira Browser Safety) - C:\Users\Kssd\AppData\Local\Google\Chrome\User Data\Default\Extensions\flliilndjeohchalpbbcdekjklbdgfkk [2016-12-25]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Kssd\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-12-25]
CHR Extension: (Chrome Media Router) - C:\Users\Kssd\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-12-25]
CHR HKLM\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx
Task: {39B45E28-93AA-404F-968A-B962EF3805BD} - System32\Tasks\AutoKMS => C:\WINDOWS\AutoKMS\AutoKMS.exe [2016-07-29] ()
FirewallRules: [{AC7E7B6B-3718-4532-8466-CAEFB59E343C}] => C:\WINDOWS\AutoKMS\AutoKMS.exe
FirewallRules: [{AEEBDE2F-F4E4-4AD2-AB13-088E2874F89F}] => C:\WINDOWS\AutoKMS\AutoKMS.exe
C:\WINDOWS\AutoKMS

RemoveProxy:
Reboot:

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as a Java update!
Important: read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882

If still present after the update you can remove the old version(s) of Java via the Control Panel > Programs and Features.
Java 8 Update 102 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F64180102F0}) (Version: 8.0.1020.14 - Oracle Corporation)
===

Please let me know what problem persists with this computer.
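The fixlist above targets four kinds of foothold at once: a proxy auto-config URL (AutoConfigURL / ManualProxies) pointing at an external wpad.dat, which lets whoever controls that file route the browser's traffic through a proxy of their choosing (hence injected popups and a swapped search engine); an orphaned BHO that references no file; a scheduled task running an unsigned executable from a non-standard folder under C:\WINDOWS; and firewall rules that whitelist that same executable. The script below is an added example, not part of this thread and not part of the Farbar tool, showing how a responder could pre-screen an FRST-style log for exactly those patterns before deciding what goes into a fixlist. The line-format regexes are my assumptions about FRST's output layout; the sample lines are constructed from the indicators in the fixlist above plus two hypothetical benign entries (ExampleVendor) added for contrast, with URLs kept in FRST's hxxp defanged form.

```python
import re
from collections import defaultdict

# Constructed sample log: indicator lines taken from the fixlist above, plus two
# hypothetical benign entries (ExampleVendor) so the checks have something to pass.
SAMPLE_LOG = r"""
AutoConfigURL: [S-1-5-21-2160640111-292067240-2760769307-1001] => hxxp://noblocking.net/wpad.dat?8482b77cc9b533934abc7347daeb9af222641312
ManualProxies: 0hxxp://noblocking.net/wpad.dat?8482b77cc9b533934abc7347daeb9af222641312
BHO: No Name -> {13D67BB7-DB5F-48AA-884D-7A5D94168509} -> No File
Task: {39B45E28-93AA-404F-968A-B962EF3805BD} - System32\Tasks\AutoKMS => C:\WINDOWS\AutoKMS\AutoKMS.exe [2016-07-29] ()
Task: {00000000-0000-0000-0000-000000000001} - System32\Tasks\ExampleVendorUpdate => C:\Program Files\ExampleVendor\update.exe [2016-05-01] (Example Vendor Inc)
FirewallRules: [{AC7E7B6B-3718-4532-8466-CAEFB59E343C}] => C:\WINDOWS\AutoKMS\AutoKMS.exe
FirewallRules: [{AEEBDE2F-F4E4-4AD2-AB13-088E2874F89F}] => C:\WINDOWS\AutoKMS\AutoKMS.exe
FirewallRules: [{00000000-0000-0000-0000-000000000002}] => C:\Program Files\ExampleVendor\update.exe
"""

# Assumed FRST line layouts (not an official grammar of the tool's output).
URL_RE = re.compile(r"h(?:xx|tt)ps?://[^\s]+", re.IGNORECASE)
TASK_RE = re.compile(
    r"^Task: \{[0-9A-F-]+\} - (?P<name>\S+) => (?P<path>.+?) "
    r"\[(?P<date>[^\]]+)\] \((?P<publisher>[^)]*)\)$", re.IGNORECASE)
FW_RE = re.compile(r"^FirewallRules: \[\{[0-9A-F-]+\}\] => (?P<path>.+)$", re.IGNORECASE)
BHO_RE = re.compile(
    r"^BHO(?:-x32)?: (?P<name>.+?) -> (?P<clsid>\{[0-9A-F-]+\}) -> (?P<file>.+)$",
    re.IGNORECASE)


def is_odd_windows_dir(path):
    """True if an executable lives in a subfolder of C:\\Windows other than
    System32/SysWOW64 (e.g. C:\\WINDOWS\\AutoKMS\\AutoKMS.exe)."""
    parts = path.replace("/", "\\").lower().split("\\")
    if len(parts) > 3 and parts[1] == "windows":
        return parts[2] not in {"system32", "syswow64"}
    return False


def triage(log_text):
    """Return a list of (category, detail) findings for the patterns the
    fixlist above removes: proxy hijack, orphaned BHO, suspicious task, and
    firewall rules that allow a task binary already flagged."""
    findings = []
    flagged_paths = set()
    fw_by_path = defaultdict(list)

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key = line.split(":", 1)[0]

        # A remote PAC/WPAD URL in either proxy setting hands traffic routing
        # to whoever serves that file.
        if key in ("AutoConfigURL", "ManualProxies"):
            m = URL_RE.search(line)
            if m:
                findings.append(("proxy-hijack", f"{key} points to {m.group(0)}"))
            continue

        m = BHO_RE.match(line)
        if m:
            if m.group("file").strip().lower() == "no file":
                findings.append(("orphan-bho", m.group("clsid")))
            continue

        m = TASK_RE.match(line)
        if m:
            path = m.group("path").strip()
            reasons = []
            if not m.group("publisher").strip():
                reasons.append("no publisher")
            if is_odd_windows_dir(path):
                reasons.append("non-standard folder under Windows")
            if reasons:
                flagged_paths.add(path.lower())
                findings.append(("suspicious-task",
                                 f"{m.group('name')} -> {path} ({', '.join(reasons)})"))
            continue

        m = FW_RE.match(line)
        if m:
            fw_by_path[m.group("path").strip().lower()].append(line)

    # Correlate: firewall allow-rules for a binary we already flagged are part
    # of the same foothold and belong in the same fix.
    for path, rules in fw_by_path.items():
        if path in flagged_paths:
            findings.append(("firewall-allow-for-flagged", f"{len(rules)} rule(s) for {path}"))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:28} {detail}")
```

On the sample the script reports two proxy-hijack lines, one orphaned BHO, one suspicious task, and one firewall correlation, which is the same set of entries the fixlist removes; the ExampleVendor task and its rule pass because the binary is signed by a publisher and lives under Program Files. These are triage hints for a human reviewer, not a verdict: a task with an empty publisher field is a reason to look, and an external AutoConfigURL is a reason to look hard, but it is the reviewer's reading of the full FRST output that decides what goes into fixlist.txt.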

#4 happpi

happpi
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE

Posted 03 January 2017 - 10:21 AM

Hello, I did all the stuff you said to do. I ran FRST when I was leaving for work (I'm leaving for work in a bit; I'm a little short on time). When I got home it was saying that drive "D" wasn't connected and I had to tell it to "continue" 4 or 5 times for it to finish. I think because drive D is a USB drive and there was nothing connected to that drive?

Anyway I didn't have a lot of time to try the browser, but I did get some time to use it, like an hour or 2ish. I didn't get any more popups, and also a symptom I didn't mention: when I opened Thunderbird before, it would lag a lot on initial load, even asking if I should just terminate it. This symptom was also gone. I didn't mention everything because, like I said in the initial post, I literally had to post like 10 times because it seemed like maybe the malware or this board was preventing me from posting the text of the FRST.txt into the post, and after the 10th time typing stuff out I missed some stuff.

 

I will test it more tonight but it appears to maybe be fixed?  In the past even the 1 or 2 hours I tested it last night would have led to multiple popups of which there were none last night.

 

One thing, not sure if it is malware or not but I keep getting this "secure search" bar on my "new tab" in chrome.  It's not at the top where you expect to normally see a "bar" but in the body of the web page that should be just the google home page.  It disables being able to use google search unless you click an "x" closing it.  Sometimes it's not there.  I tried just now to see it again so I could give the exact details of it but now it's gone.  It seems to come randomly now.  It was definitely still there last night.  Again not sure if this is a malware and I'm not particularly worried about it just trying to give you any details I have in case it's important.

 

I will test more tonight but I think it's gone (crossing fingers). I will post tonight or tomorrow letting you know how it's going. Thanks so much for your help ;) I'll be in touch soon.


#5 nasdaq

nasdaq

  • Malware Response Team
  • 38,962 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:10 AM

Posted 03 January 2017 - 11:28 AM


One thing, not sure if it is malware or not but I keep getting this "secure search" bar on my "new tab" in chrome. It's not at the top where you expect to normally see a "bar" but in the body of the web page that should be just the google home page


This Extension may be the reason for the notifications.
CHR Extension: (Avira Browser Safety) - C:\Users\Kssd\AppData\Local\Google\Chrome\User Data\Default\Extensions\flliilndjeohchalpbbcdekjklbdgfkk [2016-12-25]

Disable it in Chrome.

#6 happpi

happpi
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE

Posted 03 January 2017 - 09:48 PM

Ok, I had to install it again to remove it; maybe it was already removed or something? If it's part of Avira it's annoying but I'm not too worried about it. Like I was saying, I mostly mentioned it in case it gave you some insight into whether the malware was still there or not. I don't want to waste any of your time on meaningless stuff; it's more than enough that you're spending time trying to get rid of this malware for me. I am going to try using the browser more tonight and I'll message again in the morning or tomorrow evening with an update. I can already say though that I would have expected to see at least one if not 30 of the popup tabs I was seeing even in the short time I've tested it, and I haven't seen a single one, so it sure does seem fixed. I will message again when I've gotten more testing in. Thanks so much for the help you've given so far. I really didn't have time to reinstall Windows from scratch like I would have had to without your help. Since you seem to know what you found, do you know why Avira and Malwarebytes don't see it? Is it just too new or something?



#7 nasdaq

nasdaq

  • Malware Response Team
  • 38,962 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:10 AM

Posted 04 January 2017 - 09:49 AM

It's not malware, just annoying for some.

If you have other browsers the notice can be disabled.
Check the Add-ons in IE and Firefox.



