Spyware/malware help

[GoNz0]

I have an interesting gremlin I can't nail down. I have noticed when following some links that weirdness happens. If I go to eurocarparts.com for instance I will see the URL change 1st to
http://thetraffic.info/?id=1450447602
then to
http://reprice.us/c/uCRH
and finally with an attached affiliate link it will go to.
http://www.eurocarparts.com/?awc=399...n=Sub+Networks

Considering this is from chrome's homepage I am at a loss, the only thing that tipped me off was the links breaking and instead of taking me to the Asus forums it would drop me on the main support page.

I have kaspersky internet security installed
Malwarebytes found nothing,
adwcleaner found nothing
smitfraudfix = nada
tdsskiller = nope
adaware - zero


so you can see it isn't for trying to remove this barstool!

any ideas?

[virtuo]

Does it do the same on any other computers on your network, or even a different browser?

[jimbouk]

Sounds like url hijacking alright!

http://thetraffic.info is a blank page, no whois info as it's registered by a proxy company. Have a look at your installed programs, something's probably been installed 'legitimately' on the sly as an adware bundle.

[stevie lee]

had something similar a while ago.
there were some registry entries causing redirects to a spoof google home page. no amount of reinstalls of chrome or malware/virus scanning found them. noticed the website redirect showing on the 'status bar' at the bottom. did a registry search for that address and up popped some registry entries. removed them and all was well.

I ended up doing a full reinstall of windows 7 anyway, just because win 10 was about to be released and I didn't fully trust i'd removed all the registry stuff. and it was 5 years since previous reinstall.

you may get away with a registry serach and remove. I would reinstall windows just to be sure though.

[GoNz0]

Laptops being exchanged in about a month so I will track the little bugger down if I can. I think one of my old chrome extensions to blame, I thought it was FDV Speed Dial at 1st but it happened again after I disabled it.
so far (but this can happen at random not every click) with everything disabled in chrome it is behaving.
Now to play the add things back a day at a time game!

[watercooled]

I was asked to sort a friend's laptop doing something similar although IIRC the redirects were to some scareware site. Reinstalling Chrome didn't help as whatever it was was just re-injecting itself upon install. However it was quite some time ago and I'm not sure what exactly I did to get rid of it.

It looks like the reprice link is the villainous one and I found a couple of references to it e.g. https://malwaretips.com/blogs/ads-by-reprice-removal/

If you find out what it is I'd definitely be making some noise to Kaspersky/Malwarebytes/etc about it!

[GoNz0]

yep, not had it return yet so it is looking like a 3rd party plugin I had as i have been adding back the safe bets, google plugins, quidco.


"read and change all your data on the websites you visit" is in so many plugins details tab!

[GoNz0]

well I deleted a couple of unneeded extensions while disabling stuff, foolish as I can't remember what one was called and I think that may have been it as everything's enabled again. My router logs do not show those URLS again but I guess I need a bit longer to be sure it is gone.

[GoNz0]

meh, just happened again, back to square 1!

[GoNz0]

It is looking like this may be the problem https://chrome.google.com/webstore/d...er-info-dialog

Reported this to chrome & kaspersky as it redirected a few minutes after enabling, seems crafty as it won't do it straight away.

[davb]

Seems very crafty, especially as it has decent reviews. If it is the culpript, may be worth changing your Hotmail/live/Outlook.com password - just as a precaution.

[GoNz0]

Seems very crafty, especially as it has decent reviews. If it is the culpript, may be worth changing your Hotmail/live/Outlook.com password - just as a precaution.

You were correct, thankfully I use 2 factor authentication so they didn't get in

Security challenge 12/12/2015 22:41 United States
IP address 137.117.8.203 Device/platform Unknown Browser/application Unknown

[GoNz0]

Confirmed by Kaspersky labs.

Dear customer,

Please accept my apologies for not getting back to you earlier.

The extension provided has been indeed detected as a potential risk program. We have added new detection for it as "Not-a-Virus:AdWare.JS.ChromeExt.a".

No malicious software has been found on the websites provided. The malicious code may have been removed from our mail Anti-Virus server. If you have a local copy of the suspicious file, please send it to me in a password-protected archive, with password 'infected' (without quotes).

1. http://thetraffic.info/?id=1450447602
2. http://reprice.us/c/uCRH

Thank you very much for your feedback.

[Bonebreaker777]

Junkware removal Tool and Malware Bytes had no significant result in safe mode?

[GoNz0]

Junkware removal Tool and Malware Bytes had no significant result in safe mode?

Why would it, I was the 1st to log this and have it confirmed as a new threat, I had already removed it by the time it was added to the database.

[peterb]

Good call, and excellent result to hammer a nail into spamware.