ublock log (trying to get to the bottom of some adware)

in Techie Stuff
grumpycrab Forumite
uBlock log linked; really struggling to find some malware on a neighbour's computer (would have been much easier to clean install, but it's not going to beat me). Done all the usual checks including a root scan. Kaspersky Internet Security is installed; you can see it kicking in at various points in the log.

What happens? (Randomly; starting at the bottom of the log file.) Type bbc.co.uk in Firefox and a new adware tab opens, freelotto.com in this case (top of log).
https://expirebox.com/download/378342b0fac1ea7343459ea09fdaa0e8.html
If you put your general location in your Profile, somebody here may be able to come and help you.

Replies

  • debitcardmayhem Forumite
    Have you checked the hosts file and DNS? I take it they don't have NoScript enabled?
    Can't see much wrong with the BBC story source.
    🍺 😎 Still grumpy, and No, Cloudflare I am NOT a robot 🤖
  • grumpycrab Forumite, edited 27 February 2017 at 10:04PM
    I've got their laptop at my house; DNS all normal (as far as I can see); adapter set to default (no DNS set); adapter DNS -> router; router DNS set to 8.8.8.8 (Google); hosts file n/a (all lines commented out).
    I've never had the need to use NoScript (and am Java/script ignorant), but seeing all those .js files in the uBlock log has me thinking I cannot ignore it.
    One problem is the randomness of the adware; it's very difficult to repeat.

    Things start to go wrong (I think) when the following scripts are run:
    http://service.maxymiser.net/cdn/mbbccoUK/js/mmcore.js
    http://b.scorecardresearch.com/beacon.js
    which I'll look up now.
  • debitcardmayhem Forumite
    I have also got an MVPS-provided hosts file which has
    service.mymaxymiser.net as 0.0.0.0 (i.e. black hole),
    ditto b.scorecardresearch.com,
    so I don't see anything like that.

    Try copying this into the hosts file and retry:
    0.0.0.0 b.scorecardresearch.com
    0.0.0.0 service.mymaxymiser.net
  • grumpycrab Forumite
    I have also got a MVPS provided hostfile
    This is starting to get a bit heavy... and also just reading about DNSchangers.
  • debitcardmayhem Forumite
    grumpycrab wrote: »
    This is starting to get a bit heavy... and also just reading about DNSchangers.
    I updated my post; re-read and try my suggestions. It is possible it's one of those... but I have been known to be wrong :p
  • were Forumite, edited 28 February 2017 at 7:08AM
    No proxy settings on the browser? It could also be a plugin? Free VPN software?

    Process Explorer also reveals hidden software. Also look under the VirusTotal column and the Company, Path and Verified Signer columns for rogues.

    To be honest, I would install another browser like my favourite, Slimjet, just to isolate whether it is a PC/DNS or browser issue.

    This may help, but may not: http://www.nirsoft.net/utils/tcp_log_view.html (and expand the window).
  • System Forumite, Community Admin
    Hi

    Part of my hosts file looks like this

    # [Doubleclick (Google)]
    0.0.0.0 ad-g.doubleclick.net
    0.0.0.0 ad.doubleclick.net
    0.0.0.0 ad.mo.doubleclick.net
    0.0.0.0 doubleclick.net
    0.0.0.0 googleads.g.doubleclick.net

    and it seems to help. Therefore I may be proactive and add freelotto.

    Try typing directly:
    212.58.244.67
    for the BBC, and it should go there directly, albeit to a page you don't want, avoiding some of the lookup and misdirection.
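A small check for the two hosts-file suggestions above (the blackhole entries for the tracking scripts, and the admin's Doubleclick block): it parses a hosts file the way the OS does (comments dropped, several names per line), reports whether each host seen in the uBlock log is actually blackholed, and flags any active entry that points a name at a real address rather than 0.0.0.0 or loopback, which is what a tampered hosts file looks like. This is an added example, not code from the thread; the hosts text and the 203.0.113.5 line are constructed, and the URLs are the ones quoted earlier in the thread.

```python
from urllib.parse import urlsplit

# Constructed hosts file: the two entries suggested in the thread, the
# Doubleclick block quoted above, a commented-out default line, and one
# constructed non-blackhole entry of the kind a DNS-changer would leave.
HOSTS_TEXT = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# 127.0.0.1       localhost
0.0.0.0 b.scorecardresearch.com
0.0.0.0 service.mymaxymiser.net   # as typed in the thread (extra "my")
# [Doubleclick (Google)]
0.0.0.0 ad.doubleclick.net doubleclick.net
203.0.113.5 www.bbc.co.uk   # constructed: redirect, not a blackhole
"""

# Script URLs as they appeared in the uBlock log posted in the thread.
LOG_URLS = [
    "http://service.maxymiser.net/cdn/mbbccoUK/js/mmcore.js",
    "http://b.scorecardresearch.com/beacon.js",
    "http://static.chartbeat.com/js/chartbeat.js",
]

BLACKHOLE_IPS = {"0.0.0.0", "127.0.0.1", "::1"}

def parse_hosts(text):
    """Return {hostname: ip} for active (uncommented) hosts entries."""
    mapping = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # '#' starts a comment anywhere
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            mapping[name.lower()] = ip
    return mapping

def check_blackholed(hosts_map, urls):
    """Map each URL's hostname to True if the hosts file blackholes it."""
    return {urlsplit(u).hostname.lower():
            hosts_map.get(urlsplit(u).hostname.lower()) in BLACKHOLE_IPS
            for u in urls}

def non_blackhole_entries(hosts_map):
    """Active entries that redirect a name somewhere real: review these."""
    return {n: ip for n, ip in hosts_map.items() if ip not in BLACKHOLE_IPS}

if __name__ == "__main__":
    hosts = parse_hosts(HOSTS_TEXT)
    for host, blocked in check_blackholed(hosts, LOG_URLS).items():
        print("BLOCKED    " if blocked else "NOT BLOCKED", host)
    print("redirect entries:", non_blackhole_entries(hosts))
```

Run as-is it shows that only b.scorecardresearch.com is blackholed: the entry must match the hostname exactly as it appears in the log, and the constructed www.bbc.co.uk line is reported as a redirect to investigate.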

  • grumpycrab Forumite
    Thanks. The uBlock log is much shorter with a few extra entries in the hosts file. But this is not really stuff that your average punter is going to be playing with. I'll look at NoScript next and see how "average punter" friendly it is.
    I haven't been able to repeat the issue. Still getting these for the BBC (which may be normal):
    http://service.maxymiser.net/cdn/mbbccoUK/js/mmcore.js
    http://static.chartbeat.com/js/chartbeat.js
    http://edigitalsurvey.com/l.php
  • forgotmyname Forumite
    NoScript is very good.

    I had Adblock Plus and NoScript for years and only just swapped to uBlock, which is wow... Why didn't I try it sooner?

    I do wonder if uBlock makes NoScript worthless though?
    Censorship Reigns Supreme in Troll City...

  • EdwardB Forumite
    I think the first thing you need to do is:

    Run adwcleaner

    https://www.malwarebytes.com/adwcleaner/

    Check the report is not picking up any false positives and nuke away when done.

    Install another browser.
    Create a new username and see if it does the same thing.
    Disable all add-ons in Firefox and see if it remains.

    Good luck!
    Please be nice to all MoneySavers. That’s the forum motto. Remember, the prime aim is to help provide info and resources. If you don’t like someone, their situation, their question or feel they’re intruding on ‘your board’ then please bite the bullet and think of the bigger issue. :cool::)
This discussion has been closed.