
ublock log (trying to get to the bottom of some adware)

uBlock log linked; really struggling to find some malware on a neighbour's computer (it would have been much easier to clean install, but it's not going to beat me). Done all the usual checks, including a root scan. Kaspersky Internet Security is installed; you can see it kicking in at various points in the log.

What happens? (Randomly; start at the bottom of the log file.) Type bbc.co.uk in Firefox and a new adware tab opens, freelotto.com in this case (top of log).
https://expirebox.com/download/378342b0fac1ea7343459ea09fdaa0e8.html

Comments

  • Have you checked the hosts file and DNS? I take it they don't have NoScript enabled?
    Can't see much wrong with the BBC story source.
    4.8kWp 12x400W Longhi 9.6 kWh battery Giv-hy 5.0 Inverter, WSW facing Essex . Aint no sunshine ☀️ Octopus gas fixed dec 24 @ 5.74 tracker again+ Octopus Intelligent Flux leccy
  • grumpycrab
    edited 27 February 2017 at 11:04PM
    I've got their laptop at my house; DNS all normal (as far as I can see); adapter set to default (no DNS set); adapter DNS -> router; router DNS set to 8.8.8.8 (google); hosts file n/a (all lines commented out).
    I've never had the need to use noscript (and am java/script ignorant) but seeing all those .js files in the ublock log has me thinking I cannot ignore it.
    One problem is the randomness of the adware; it's very difficult to repeat.

    Things start to go wrong (I think) when the following scripts are run
    http://service.maxymiser.net/cdn/mbbccoUK/js/mmcore.js
    http://b.scorecardresearch.com/beacon.js
    which I'll look up now.
  • I have also got an MVPS-provided hosts file which has
    service.mymaxymiser.net as 0.0.0.0 (i.e. black hole)
    ditto b.scorecardresearch.com
    so I don't see anything like that.

    Try copying this into the hosts file and retry:
    0.0.0.0 b.scorecardresearch.com
    0.0.0.0 service.mymaxymiser.net
    
  • grumpycrab
    I have also got a MVPS provided hostfile
    This is starting to get a bit heavy... and also just reading about DNSchangers.
  • grumpycrab wrote: »
    This is starting to get a bit heavy... and also just reading about DNSchangers.
    I updated my post; re-read it and try my suggestions. It is possible it's one of those ... but I have been known to be wrong :p
  • were
    edited 28 February 2017 at 8:08AM
    No proxy settings on the browser? It could also be a plugin? Free VPN software?

    Process Explorer also reveals hidden software. Also look under the VirusTotal column and the company, path and verified signer columns for rogues.

    To be honest, I would install another browser like my favorite, Slimjet, just to isolate whether it is a PC/DNS or browser issue.

    This may help, but may not too: http://www.nirsoft.net/utils/tcp_log_view.html (and expand the window).
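Following on from the "no proxy settings on the browser?" question above, here is an added example (not code from this thread or from any of the posters) that reads a Firefox prefs.js and reports any manual proxy, PAC script or WPAD setting, which is one of the quieter ways adware can insert itself in front of a site like bbc.co.uk. It assumes the prefs.js format Firefox writes, one user_pref("name", value); per line; the SAMPLE_PREFS and CLEAN_PREFS profiles are constructed, and the PAC URL uses a documentation address rather than a real host.

```python
"""Added example (not code from this thread): parse a Firefox prefs.js
and flag proxy or PAC settings that would let adware redirect traffic.

Assumes the prefs.js format Firefox writes, one user_pref("name", value);
per line. SAMPLE_PREFS and CLEAN_PREFS are constructed for illustration;
the PAC URL is a documentation address (192.0.2.0/24), not a real host.
"""
import re
from typing import Dict, List, Union

Pref = Union[str, int, bool]

# network.proxy.type values as Firefox defines them:
# 0 = no proxy, 1 = manual, 2 = PAC script URL, 4 = auto-detect (WPAD),
# 5 = use system settings (the default when the pref is absent).
PROXY_TYPES = {0: "no proxy", 1: "manual", 2: "PAC script",
               4: "auto-detect (WPAD)", 5: "system settings"}

PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+)\);\s*$')


def parse_prefs(text: str) -> Dict[str, Pref]:
    """Return {pref name: value} with strings, ints and bools decoded."""
    prefs: Dict[str, Pref] = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue                      # comments, blank lines, junk
        name, raw = m.group(1), m.group(2).strip()
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            prefs[name] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw         # leave anything odd as text
    return prefs


def proxy_findings(prefs: Dict[str, Pref]) -> List[str]:
    """List the proxy-related settings worth a look when hunting adware.

    An absent network.proxy.type means the default (5, system settings),
    so only explicit manual/PAC/WPAD configurations are reported, plus any
    proxy host or PAC URL that is set regardless of type."""
    findings: List[str] = []
    ptype = prefs.get("network.proxy.type", 5)
    if ptype in (1, 2, 4):
        findings.append(f"network.proxy.type={ptype} ({PROXY_TYPES[ptype]})")
    for key in ("network.proxy.autoconfig_url", "network.proxy.http",
                "network.proxy.ssl", "network.proxy.socks"):
        if prefs.get(key):
            findings.append(f"{key}={prefs[key]!r}")
    return findings


# Constructed sample: a profile whose traffic has been pointed at a PAC file.
SAMPLE_PREFS = """\
# Mozilla User Preferences
user_pref("browser.startup.homepage", "https://www.bbc.co.uk/");
user_pref("network.proxy.type", 2);
user_pref("network.proxy.autoconfig_url", "http://192.0.2.10/proxy.pac");
user_pref("privacy.donottrackheader.enabled", true);
"""

# Constructed sample: a clean profile that never touched the proxy prefs.
CLEAN_PREFS = """\
user_pref("browser.startup.homepage", "https://www.bbc.co.uk/");
user_pref("privacy.donottrackheader.enabled", true);
"""

if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_PREFS), ("clean", CLEAN_PREFS)):
        hits = proxy_findings(parse_prefs(text))
        print(f"{label}: {hits or 'no proxy settings found'}")
```

Point it at the real file (prefs.js lives in the Firefox profile folder) and anything it prints deserves explaining; on a home laptop with no corporate proxy, the expected answer is "no proxy settings found". Windows' own proxy setting is a separate check (Internet Options), and this script does not cover it.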
  • System
    Hi

    Part of my hosts file looks like this

    # [Doubleclick (Google)]
    0.0.0.0 ad-g.doubleclick.net
    0.0.0.0 ad.doubleclick.net
    0.0.0.0 ad.mo.doubleclick.net
    0.0.0.0 doubleclick.net
    0.0.0.0 googleads.g.doubleclick.net

    and it seems to help. Therefore I may be proactive and add freelotto.

    Try typing directly:
    212.58.244.67
    for the BBC, and it should go there directly, albeit to a page you don't want, avoiding some of the lookup and misdirection.

    This is a system account and does not represent a real person. To contact the Forum Team email forumteam@moneysavingexpert.com
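The hosts-file suggestions in this thread (the MVPS 0.0.0.0 entries a few posts up and the doubleclick block just above) are easy to get subtly wrong, and a hosts file can also be the thing doing the hijacking. Here is an added example (not code from this thread or from any of the posters) that parses a hosts file, separates sinkhole entries from entries that redirect a name to a real address, and cross-checks the sinkhole list against the hostnames found in a uBlock log. SAMPLE_HOSTS and SAMPLE_LOG are constructed; the hijack line in SAMPLE_HOSTS uses a documentation address and is there purely to show what the check flags.

```python
"""Added example (not code from this thread): audit a hosts file and
cross-check it against the hostnames that showed up in the uBlock log.

The parser only knows hosts-file syntax (IP, then one or more names,
'#' comments); it is the same on Windows and elsewhere. SAMPLE_HOSTS
and SAMPLE_LOG are constructed; the hijack line uses a documentation
address (198.51.100.0/24) so nothing here points at a real server.
"""
import ipaddress
import re
from typing import Dict, List, NamedTuple, Set
from urllib.parse import urlsplit

# Addresses that sink a name rather than redirect it.
SINKHOLES = {"0.0.0.0", "127.0.0.1", "::1"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


class HostsEntry(NamedTuple):
    ip: str
    host: str


def parse_hosts(text: str) -> List[HostsEntry]:
    """One entry per (ip, name) pair. Commented-out lines produce nothing,
    which is why a default Windows hosts file parses to an empty list."""
    entries: List[HostsEntry] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue                      # malformed line, not an address
        entries.extend(HostsEntry(ip, n.lower()) for n in names)
    return entries


def redirects(entries: List[HostsEntry]) -> List[HostsEntry]:
    """Entries that send a name to a real address instead of a sinkhole.
    A legitimate site mapped to someone else's server is the hosts-file
    form of the DNS-changer trick mentioned earlier in the thread."""
    return [e for e in entries if e.ip not in SINKHOLES]


def sinkholed(entries: List[HostsEntry]) -> Set[str]:
    """Names the hosts file sends to a sinkhole address."""
    return {e.host for e in entries if e.ip in SINKHOLES}


def hosts_in_log(log: str) -> List[str]:
    """Distinct hostnames, in order of first appearance, from every URL
    found in a uBlock logger export or similar text."""
    seen: List[str] = []
    for url in URL_RE.findall(log):
        host = urlsplit(url).hostname
        if host and host not in seen:
            seen.append(host)
    return seen


def cross_check(hosts_text: str, log_text: str) -> Dict[str, bool]:
    """Map each hostname from the log to whether the hosts file sinks it."""
    blocked = sinkholed(parse_hosts(hosts_text))
    return {h: h in blocked for h in hosts_in_log(log_text)}


# Constructed sample hosts file: default entries commented out, two
# sinkhole lines, and one deliberate hijack line to show what gets flagged.
SAMPLE_HOSTS = """\
# default Windows entries are commented out, as on the laptop in the thread
#    127.0.0.1       localhost
#    ::1             localhost
0.0.0.0 b.scorecardresearch.com
0.0.0.0 ad.doubleclick.net googleads.g.doubleclick.net
198.51.100.7 www.bbc.co.uk   # constructed hijack line for the example
"""

# Constructed sample of the kind of URLs the uBlock log in the thread listed.
SAMPLE_LOG = """\
http://service.maxymiser.net/cdn/mbbccoUK/js/mmcore.js
http://b.scorecardresearch.com/beacon.js
http://static.chartbeat.com/js/chartbeat.js
http://b.scorecardresearch.com/beacon.js
"""

if __name__ == "__main__":
    entries = parse_hosts(SAMPLE_HOSTS)
    for e in redirects(entries):
        print(f"REDIRECT  {e.host} -> {e.ip}")
    for host, blocked in cross_check(SAMPLE_HOSTS, SAMPLE_LOG).items():
        print(f"{'blocked ' if blocked else 'reaches '} {host}")
```

On the laptop in this thread, feeding it C:\Windows\System32\drivers\etc\hosts should give no REDIRECT lines at all (every line is commented out, so the parser returns nothing); a REDIRECT line naming a site you did not add yourself is exactly the hosts-file hijack to look for. The cross-check is the quick way to tell which of the .js hosts in the uBlock log a hosts-file change will actually stop.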
  • grumpycrab
    Thanks. The ublock log is much shorter with a few extra entries in the hosts file. But this is not really stuff that your average punter is going to be playing with. I'll look at noscript next. See how "average punter" friendly it is.
    I haven't been able to repeat the issue. Still getting these for bbc:-
    (which may be normal)
    http://service.maxymiser.net/cdn/mbbccoUK/js/mmcore.js
    http://static.chartbeat.com/js/chartbeat.js
    http://edigitalsurvey.com/l.php
  • forgotmyname
    NoScript is very good.

    I had Adblock Plus and NoScript for years and only just swapped to uBlock, which is wow... Why didn't I try it sooner?

    I do wonder if uBlock makes Noscript worthless though?
    Censorship Reigns Supreme in Troll City...

  • EdwardB
    I think the first thing you need to do is:

    Run AdwCleaner

    https://www.malwarebytes.com/adwcleaner/

    Check the report is not picking up any false positives and nuke away when done.

    Install another browser.
    Create a new username and see if it does the same thing.
    Disable all add-ons in Firefox and see if it remains.

    Good luck!
    Please be nice to all MoneySavers. That’s the forum motto. Remember, the prime aim is to help provide info and resources. If you don’t like someone, their situation, their question or feel they’re intruding on ‘your board’ then please bite the bullet and think of the bigger issue. :cool::)
This discussion has been closed.