
Potential browser download hijacking


4 replies to this topic

#1 Wasdom_Kung


Posted 20 November 2017 - 11:38 AM

Posted from my reddit: 
 
MOVED FROM /r/Computerviruses
 
Hello.
 
Recently, I had a problem with Discord, where it randomly stopped working, would not download without being corrupted and so forth. Thinking this was the only problem, and having found backdoors on my system from what I 'thought' was their website, I cleaned it all off my system, deleted all traces, used the Malwarebytes adware and malware scanners and deleted everything I could find.
 
Today, having given up on Discord, I went to download my latest BIOS upgrade and found that the issue persists.
 
In image 1 you can see the strange download screen I get whenever I download a file. I have also tested this in Edge etc. and get the same screen, with all extensions disabled in Chrome too.
 
https://imgur.com/86EdtXN
 
In image 2: It is worth noting that this file downloads as a .RAR despite it being a SINGLE .CPH file, which requires no .RAR/.ZIP storage. Inside these folder formats are .EXE files, which is not what I downloaded.
 
https://imgur.com/WHDse9z
 
Image 3: Malwarebytes has found this, and I believe it to be the cause of these corrupt, dodgy virus- and malware-infected files. I've cleared this off my system before, but I cannot find any running programs, temp data, or local data that could be causing it.
 
https://imgur.com/UZjuGd3
 
If anyone could give me a hand it'd be much appreciated. 
 
UPDATES AFTER POST:
 

Okay, well, I've followed guides. I ran MB Anti-Rootkit, ran malware checks and virus checks and also the Chrome adware removal tool, and had no detections.
 
I removed WinRAR in case that was somehow infected, but it isn't.
 
The new tab with the strange cloud download icon still appears when I download a file, and instead of going to WinRAR, it's just the .ZIP file with the virus .exe (when you click it, it wants to download files to a location you choose on your PC).
Hmm, it's as if downloads are hijacked, but I'm unsure how.

Edited by Budapest, 20 November 2017 - 03:30 PM.
Moved from BSOD ~Budapest



#2 Wasdom_Kung


Posted 21 November 2017 - 07:12 AM

I've looked into the strange download API to see if there is any give-away suspicious code. None of them refer to where it may be located, but I will post the link to the images of the code below.

 

https://imgur.com/a/sVLun


Edited by Wasdom_Kung, 21 November 2017 - 07:15 AM.


#3 Wasdom_Kung


Posted 21 November 2017 - 07:51 AM

Okay, so after getting rid of everything I found with Malwarebytes and Norton NPE, and removing all temp items and AppData items, I thought I had fixed the problem, but no, this redirect still happens.
 
Upon inspecting the file, it says the language is Russian. Hmm, hopefully I can work it out without having to reset my OS.
 

Edited by Wasdom_Kung, 21 November 2017 - 07:51 AM.


#4 Wasdom_Kung


Posted 21 November 2017 - 09:36 AM

Finally I have found the issue.
 
After countless uses of Malwarebytes, AdwCleaner, Anti-Rootkit, Spybot, SUPERAntiSpyware, firewall resets and monitoring, reinstalls, temp cleaning, AppData cleaning etc., I ran Zemana Anti-Malware, which detected a DNS hijack on my system. This hijacker corrupted files so I couldn't open them if they didn't redirect to the virus API.
 
 
Nothing else had detected this.
 
I am finally pleased to say that this fixed my error and hopefully nobody else runs into this nasty problem.

Edited by Wasdom_Kung, 21 November 2017 - 09:38 AM.


#5 boopme


Posted 22 November 2017 - 08:49 PM

Thanks for posting your solution.