
Elex Hijacker stuck to Chrome for good.


This topic is locked
16 replies to this topic

#1 Lemur80

Posted 09 June 2018 - 03:30 PM

Thanks to JSntgRvr my earlier problem was solved successfully and completely:

 

https://www.bleepingcomputer.com/forums/t/678680/error-a-required-privilege-is-not-held-by-the-client-spyhunter-effect/

 

I have a different problem now. I'm sure my PC was attacked by Elex Hijacker and it has probably done some damage already.

 

I hadn't been logged into my Google Account for a long time; I logged in today, after solving the first issue. I logged into my Google Account (Firefox, Chrome) to change security settings. Everything was fine until I ran a Malwarebytes scan; then the Elex Hijacker was found, but I thought it was put into quarantine. The same thing happened about 2 years ago, I had the same problem, but it was put into quarantine successfully. Now it's back, stuck to Chrome/Firefox like glue.

 

I restarted my PC because I had some pending Windows updates, but after the reboot I saw that they hadn't been installed (I tried a few times). Something was clearly wrong; I tried to run a system scan (Bitdefender), but it was unsuccessful ("Starting System scan failed"). I should have turned off the infected PC, but no, I tried to write a post here and things went south. In my stupidity I ignored a pop-up message informing me about an "incorrect page certificate". It was too late after that.

 

When I realized what had happened I disconnected the internet by pulling out the RJ-45 jack and managed to make FRST logs. I realize that I should wait for instructions, but I hope it will be useful anyway. I saw in "downloads" a file named "epic setup.exe". I launched it and my computer exploded... Just joking:-> The full name of this file is "Epic Privacy Browser Installer Setup" and the digital signature is "hidden reflex". I know I should delete it, but it would be against the rules, so I left it alone without starting it:-)

 

EDIT: No, I can't attach FRST on the second computer; it may be infected by an old Flash plug-in. Complete disaster:/

 

EDIT #2: ...and yet it worked, files are attached.



Edited by Lemur80, 10 June 2018 - 02:13 AM.



 


#2 nasdaq
  • Malware Response Team

Posted 10 June 2018 - 08:05 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM\...\Policies\Explorer: [NoLowDiskSpaceChecks] 1
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKU\S-1-5-21-605226505-453130492-3558279902-1001\...\Policies\Explorer: [NoLowDiskSpaceChecks] 1
CHR StartupUrls: Default -> "hxxp://www.yoursearching.com/?type=hp&ts=1453304070&z=d2fb1efd9e7512558ddfbf0g7z4w1cec7ecz3e3o1c&from=face&uid=SAMSUNGXHD502HJ_S20BJ1VZ400045","hxxps://www.google.com/"

AlternateDataStreams: C:\Users\monke\Documents\Amazon Drive:com.amazon.drive.sync [86]
AlternateDataStreams: C:\Users\monke\Documents\Amazon Drive:com.amazon.drive.sync.root [42]

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Check this out.
Adware.Elex.ShrtCln keeps returning
https://forums.malwarebytes.com/topic/214325-chrome-secure-preferences-detection-always-comes-back/
===========

Please let me know what problem persists with this computer.
===

p.s.
You have had these two programs in your Download folder since June 9.
If you did not download them, they came with a program you installed.
2018-06-09 10:12 - 2018-06-09 10:12 - 001832768 _____ (Epic Privacy Browser) C:\Users\monke\Downloads\epicsetup.exe
2018-06-09 10:11 - 2018-06-09 10:11 - 001646514 _____ C:\Users\monke\Downloads\https-everywhere-latest.xpi

Both are clean.

https://www.epicbrowser.com/
https://https-everywhere.en.lo4d.com/virus-malware-tests
You may decide to install them. It's your call.
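As an added illustration of what the CHR StartupUrls line in the fixlist above is about (this is not nasdaq's fixlist nor any tool from the thread): a Python check that parses a Chrome Preferences file and flags the homepage, startup URLs and default search provider whose host is not on an allowlist. The sample JSON is constructed around the yoursearching.com URL quoted in the FRST log, and the allowlist is an assumption; the same check applies to the "Secure Preferences" file, which holds the protected copies of these settings that Sync can restore.

```python
import json
from urllib.parse import urlparse

# Constructed sample of the relevant keys of a Chrome "Preferences" file.
# Real files live under %LOCALAPPDATA%\Google\Chrome\User Data\<profile>\
# as "Preferences" and "Secure Preferences"; the key names below are Chrome's.
SAMPLE_PREFS = json.dumps({
    "homepage": "http://www.yoursearching.com/?type=hp&from=face",
    "homepage_is_newtabpage": False,
    "session": {
        "restore_on_startup": 4,   # 4 = open a specific set of URLs
        "startup_urls": [
            "http://www.yoursearching.com/?type=hp&ts=1453304070&from=face",
            "https://www.google.com/",
        ],
    },
    "default_search_provider_data": {
        "template_url_data": {
            "url": "http://www.yoursearching.com/search?q={searchTerms}"
        }
    },
})

# Hosts the user actually expects (assumed allowlist for this check).
TRUSTED_HOSTS = {"www.google.com", "duckduckgo.com"}

def host_of(url):
    """Hostname part of a URL, or '' if it cannot be parsed."""
    return urlparse(url).hostname or ""

def find_hijacked_urls(prefs_json, trusted_hosts=TRUSTED_HOSTS):
    """Return (setting, url) pairs whose host is not in the allowlist."""
    prefs = json.loads(prefs_json)
    candidates = []
    if "homepage" in prefs:
        candidates.append(("homepage", prefs["homepage"]))
    for url in prefs.get("session", {}).get("startup_urls", []):
        candidates.append(("session.startup_urls", url))
    dsp = prefs.get("default_search_provider_data", {}).get("template_url_data", {})
    if "url" in dsp:
        candidates.append(("default_search_provider", dsp["url"]))
    return [(s, u) for s, u in candidates if host_of(u) not in trusted_hosts]

if __name__ == "__main__":
    for setting, url in find_hijacked_urls(SAMPLE_PREFS):
        print(f"suspicious {setting}: {url}")
```

Run it against a copy of both Preferences files before and after re-enabling Sync: if the flagged entries come back, the hijacked values are still being pulled from the synced account, which is exactly why nasdaq asks to keep Sync off until every browser is clean.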

#3 Lemur80


Posted 10 June 2018 - 04:01 PM

Hello,

 

Thank you for your response, nasdaq.

 

I will try to do everything strictly according to your instructions. I just can't do it right now. I will let you know about the effects soon (probably tomorrow). Thank you.



#4 Lemur80


Posted 11 June 2018 - 12:05 PM

I attached Fixlog.txt for your information.

 

I didn't do anything except the FRST procedure.

I have a second, non-infected (I hope) computer, so I copied the whole code box and ran FRST (fix option) on the infected PC.

 

I've read everything about Chrome and Elex Hijacker thanks to the link that you provided. The procedure is fairly simple, but I haven't done anything with the Chrome settings yet. I'm afraid of a few things. When my computer was infected I tried to run other browsers. I launched Microsoft Edge and there was a similar message to the Chrome one. It was something like "Someone's trying to fool you":-)), so it clearly was a problem with a hijacked webpage on both of these browsers. Is it possible that Elex is "glued" to Edge just like it is in Chrome's case? Or is that just how it works? I mean, does the "core" of this hijacker exist only in Chrome files, or does it exist in the settings of other browsers? Should I change all my passwords after that? I'm a little bit concerned about security after that "attack".

 

I understand that the only way to get rid of this thing permanently is to follow the instructions on the Malwarebytes forum? Can I enable the internet during this procedure?

 

When it comes to these two files, there is a high probability that I downloaded them during my search for information about PC security. So, as you said, they're probably clean, but I won't risk it anyway:-)

 

 




#5 nasdaq

  • Malware Response Team

Posted 11 June 2018 - 12:36 PM

Hi,
If you sync all your browsers they may be compromised also.

Start with removing it from Chrome.
Read all the instructions on the link I gave you.
When the Sync is disabled and after a restart of the computer run the Malwarebytes again and clean all the items found.

Restart the computer and check if the problem is solved.

Do not re-sync just yet; check the other browsers.
If compromised, let me know which one.

Wait for further instructions.

#6 Lemur80


Posted 11 June 2018 - 02:28 PM

I did everything according to the instructions (except the instruction that is marked red in the second post there).

 

Malwarebytes didn't find any threats after the restart. So I think that Chrome is secured (I hope so).

 

I think Opera and Edge are still compromised.

 

Messages like in the attached file occur every time.



Edited by Lemur80, 11 June 2018 - 02:38 PM.


#7 nasdaq

  • Malware Response Team

Posted 12 June 2018 - 07:22 AM

Hi,

Use Chrome but do not resync it just yet.

===

These are the instructions for Edge and Opera.

Edge > Syncing issues.

https://www.tenforums.com/tutorials/36286-turn-off-sync-favorites-reading-list-microsoft-edge.html
===

Sync, resync Opera.

http://help.opera.com/opera/Windows/2393/en/sync.html
===

When all is well you can re-sync the browsers, your call.

#8 Lemur80


Posted 12 June 2018 - 01:41 PM

Hi,

 

I give up, I used these instructions and the infection is still on Chrome (!), Edge and Opera.

 

I need very strict, specific and targeted instructions, otherwise it's not gonna happen, I'm sorry.



#9 nasdaq

  • Malware Response Team

Posted 13 June 2018 - 06:40 AM

Hi,

Malwarebytes has a blog post on its removal.
Try it.

https://blog.malwarebytes.com/detections/trojan-elex/

#10 Lemur80


Posted 13 June 2018 - 01:05 PM

Hi,

 

Don't get me wrong, I really, really appreciate your help, but what are you trying to say by attaching this link?

 

Thanks to the link from post #9 I now know that:

- Elex Hijacker is aggressive.

- I can remove it by launching Malwarebytes.

Isn't that something we already know? If you wanted to say something else, please expand your thought.

 

I have another idea. Theoretically, if I desync and delete all account settings and then permanently delete all infected accounts, will this permanently remove the problem, or will Elex still be there even if I create completely new accounts?

 

EDIT:

 

Can I use the infected computer for tasks like gaming, photo editing etc. (except browsing the internet), without risk of an even bigger disaster? Or is it not recommended until I get rid of that ugly stuff completely?


Edited by Lemur80, 13 June 2018 - 02:45 PM.


#11 nasdaq

  • Malware Response Team

Posted 14 June 2018 - 07:00 AM

Hi,

If you need the internet to run a game you are not secured.
Can i use infected computer for tasks like gaming, photo editing etc. (except browsing internet), without risk of even bigger disaster? Or, it's not recommended until i get rid of that ugly stuff completely?

Please update Malwarebytes and scan the computer.
Post the MBAM log for my review.

#12 Lemur80


Posted 14 June 2018 - 12:04 PM

Hi,

 

Ok, here it is.

 

EDIT:

 

No, if I try to upload the scan file, I see the following error message:

"MBAM SCAN REPORT.txt

Upload Skipped (Error IO)"

 

EDIT #2:

 

Finally, I used the basic uploader and the file is attached.


Edited by Lemur80, 14 June 2018 - 12:18 PM.


#13 nasdaq

  • Malware Response Team

Posted 14 June 2018 - 12:55 PM

Hi,

It's gone.

Any other issues?

#14 Lemur80


Posted 14 June 2018 - 01:56 PM

Hi,

 

I believe in your confidence and experience, but what makes you so certain about it?

 

Do you have 100% assurance that problem is gone?

 

I thought I had got rid of this issue 2 years ago, but it came back.

 

You believe that problem is gone, because Malwarebytes "said so" and that's it?

 

I still have a certificate problem (attachments). Is it caused by Bitdefender, or...something else?

 

I don't wanna be rude, but isn't it "let George do it" attitude?




#15 Lemur80


Posted 14 June 2018 - 05:18 PM

You were right, nasdaq, it's gone (or most of it). I didn't mean to offend you; I really appreciate your help.

 

Certificate error messages were caused by BitDefender and Malwarebytes didn't find any threats.

 

Thank you nasdaq:-)

 

I think we can close this topic.





