Author Topic: Has anybody had this on Google Chrome?  (Read 25564 times)

REDACTED

  • Guest
Has anybody had this on Google Chrome?
« on: September 30, 2014, 06:12:41 PM »
While I was traveling last week, I noticed that AVAST! would keep ringing in every time I went to Google search on Chrome on my netbook!!

NOW, that I am home, I keep getting the same warnings from AVAST! on my desktop computer! 

I am thinking that either Chrome, or (most likely) my entire Google account has been hacked!

The warnings come from BOTH - something labeled "jaoohqvqda.ru" AND ALSO an IP (that is prolly masked) of 88.208.7.204

ANY advice as to WHAT this is and HOW I can remove it is greatly appreciated!

MANY thanks!!

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37527
  • Not a avast user
Re: Has anybody had this on Google Chrome?
« Reply #1 on: September 30, 2014, 06:40:18 PM »
What is the full message from avast ..... you may attach a screenshot

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33897
  • malware fighter
Re: Has anybody had this on Google Chrome?
« Reply #2 on: September 30, 2014, 06:57:29 PM »
Hi Pondus,

You should read that here (5 hours ago) -> http://www.sweclockers.com/forum/22-microsoft-windows/1324472-blir-galen-jaoohqvqda-ru-cookie-eller-virus/  (You are the Viking among us  ;) ).
Not predicting much good here: tracking going on from jaoohqvqda dot .ru -> http://totalhash.com/network/ip:88.208.7.204

Waiting for more explicit info from the victim indeed,

hej hej,

polonus
« Last Edit: September 30, 2014, 07:02:46 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31079
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: Has anybody had this on Google Chrome?
« Reply #3 on: September 30, 2014, 07:22:31 PM »
P&P ;D,
it would not surprise me if it is part of the RBN.

Nowfreespeech,
please follow the instructions and attach the logs :
https://forum.avast.com/index.php?topic=53253.0

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33897
  • malware fighter
Re: Has anybody had this on Google Chrome?
« Reply #4 on: October 01, 2014, 12:04:59 AM »
Ha Eddy,

Delving in the direction you pointed at, and yes, the Artemis botnet C&C probably comes into view.

Server nginx/1.4.4 on that website jaoohqvqda dot ru is vulnerable to conditional redirects.

The WOT rep of the Cert. hoster, megasml dot ru, is very low - Trustworthiness: Very Poor (15/100)
04/14/2014 - SURBL - Site blacklisted at ws.surbl.org (sa-blacklist web sites). [link]

htxp://jaoohqvqda.ru/ -> something bad out there, the host you provided doesn't allow incoming HTTP HEAD requests.
web bug results:
HTTP/1.1 403 Forbidden
Server: nginx/1.4.4
Date: Tue, 30 Sep 2014 22:16:43 GMT
Content-Type: text/html
Content-Length: 168
Connection: close
Vary: Accept-Encoding

<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.4.4</center>
</body>

On that Autonomous System:
AS39572
AS Name: ADVANCEDHOSTERS-AS ADVANCEDHOSTERS LIMITED
IPs allocated: 34816
Blacklisted URLs: 730

Hosts...
...malicious URLs? Yes 
...badware? Yes 
...botnet C&C servers? Yes 
...exploit servers? No 
...Zeus botnet servers? No 
...Current Events? Yes 
...phishing servers? No 
...spam servers? No 
...spam bots? No 
...spam activity? No 

This domain was hosted in the Netherlands and here, Eddy, you could be right:

https://www.virustotal.com/nl/domain/cnt1.xhamster.com/information/
See: http://urlquery.net/report.php?id=1412105524298
Asprox Criminal botnet for Artemis, see: https://www.virustotal.com/nl/file/5fd0c62db91b93bf5630838a66635a5516fd8863e06db036d0ca2dae2983de58/analysis/

polonus
« Last Edit: October 01, 2014, 12:17:32 AM by polonus »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37527
  • Not a avast user
Re: Has anybody had this on Google Chrome?
« Reply #5 on: October 01, 2014, 12:26:25 AM »
From the Swedish forum Polonus posted ...... case solved by removing Ace Stream / Magic Player from Chrome
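
Since the thread's resolution was a Chrome extension (Ace Stream / Magic Player) calling out to the flagged domain, here is an added defender-side triage script, not from this thread or from Avast, that walks a Chrome profile's Extensions folder and flags extensions with all-site host access or a background script. It assumes Chrome's on-disk layout `Extensions/<id>/<version>/manifest.json` and builds a constructed sample profile instead of reading a real one.

```python
import glob
import json
import os
import tempfile

# Host patterns that grant an extension access to every page the browser loads.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def manifest_paths(profile_dir):
    # Chrome keeps each installed extension at <profile>/Extensions/<id>/<version>/manifest.json
    pattern = os.path.join(profile_dir, "Extensions", "*", "*", "manifest.json")
    for path in sorted(glob.glob(pattern)):
        ext_id, version = path.split(os.sep)[-3:-1]
        yield ext_id, version, path

def triage_extensions(profile_dir):
    """Return one (id, name, version, broad_host_access, has_background) tuple per extension."""
    findings = []
    for ext_id, version, path in manifest_paths(profile_dir):
        with open(path, encoding="utf-8") as fh:
            m = json.load(fh)
        # MV2 lists host patterns under "permissions"; MV3 moves them to "host_permissions".
        hosts = set(m.get("host_permissions", [])) | {
            p for p in m.get("permissions", []) if "://" in p or p == "<all_urls>"
        }
        # A content script injected into every URL is broad access as well.
        for cs in m.get("content_scripts", []):
            hosts.update(cs.get("matches", []))
        findings.append((ext_id, m.get("name", "?"), version,
                         bool(hosts & BROAD_HOSTS), "background" in m))
    return findings

def build_sample_profile():
    """Constructed sample profile: one narrow extension, one with <all_urls> and a background script."""
    root = tempfile.mkdtemp()
    samples = {
        ("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "1.0.0_0"): {
            "name": "Notes", "permissions": ["storage"]},
        ("bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb", "2.3.1_0"): {
            "name": "Sample Media Player (constructed)", "permissions": ["tabs", "<all_urls>"],
            "background": {"scripts": ["bg.js"]},
            "content_scripts": [{"matches": ["*://*/*"], "js": ["inject.js"]}]},
    }
    for (ext_id, version), manifest in samples.items():
        d = os.path.join(root, "Extensions", ext_id, version)
        os.makedirs(d)
        with open(os.path.join(d, "manifest.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return root
```

Point `triage_extensions()` at a real profile directory (Chrome's `Default` profile folder, for instance) to list what is actually installed; a flagged row is where to look first, not proof that the extension is malicious.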


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33897
  • malware fighter
Re: Has anybody had this on Google Chrome?
« Reply #6 on: October 01, 2014, 12:32:28 AM »
Thanks, Pondus, for that reply,

pol

REDACTED

  • Guest
Re: Has anybody had this on Google Chrome?
« Reply #7 on: October 01, 2014, 07:59:45 AM »
Really, Pondus??  Removing AceStream player cleared it up??  Damn....I LOVE my AceStream player :-(

Damn.....I removed and re-installed Chrome TWICE, changed passwords twice, and dumped all cookies and browsing history since the beginning of time!!  WHY does it still keep bothering ME?

But AVAST! DOES KEEP SHOWING (and, presumably, stopping) IT....so does it mean that I have CAUGHT some malware or virus?  Or does it mean that it keeps trying and that AVAST! keeps stopping it??

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33897
  • malware fighter
Re: Has anybody had this on Google Chrome?
« Reply #8 on: October 01, 2014, 10:58:53 AM »
Hi nowfreespeech,

The only way to know that for sure is just going through the routine as prescribed here:
https://forum.avast.com/index.php?topic=53253.0
Provide us with the logs and wait for a qualified removal expert here to go over them.

polonus

REDACTED

  • Guest
Re: Has anybody had this on Google Chrome?
« Reply #9 on: October 01, 2014, 12:32:22 PM »
Regretfully.....I am EXTREMELY computer illiterate......so, Polonus, I am just going to do step-by-step-by-step the procedures on that thread - I'll post what I get back on the log here!  Downloading MalwareBytes now -

Many thanks again!

FIRST OFF, however....I trashed the AS Magic Player extension on Chrome.....lessee if THAT does anything......


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33897
  • malware fighter
Re: Has anybody had this on Google Chrome?
« Reply #10 on: October 01, 2014, 12:48:51 PM »
Well, nowfreespeech, we understand that and the qualified remover will take you by the hand and gently will tip-toe with you through the necessary steps of the cleansing routine and explain everything in detail so you will feel completely comfortable. They know what they are supposed to do. You should not worry one bit. Believe me.

polonus


P.S. A malware remover has been notified, wait for his arrival in this thread.
« Last Edit: October 01, 2014, 12:56:11 PM by polonus »

REDACTED

  • Guest
Re: Has anybody had this on Google Chrome?
« Reply #11 on: October 01, 2014, 01:12:04 PM »
Hi,

I am Valinorum and I will be your helper for this issue. Please attach the logs when done and we will go on from there. If you have any questions or do not understand anything, stop and ask.

Thank you.

REDACTED

  • Guest
Re: Has anybody had this on Google Chrome?
« Reply #12 on: October 01, 2014, 06:59:02 PM »
My Internet Connection here in South East Asia is almost TOTALLY down (The A.A.G. Cable breakage ensures that it'll be at dial-up speeds for at least one week) so I couldn't do the update.  But I DID run the scan - here is what it says:



Proceeding to NOW re-boot and continue with the rest of the steps on that thread!

Really can't thank you folks enough!  REALLY 'ppreciate all your help!!

REDACTED

  • Guest
Re: Has anybody had this on Google Chrome?
« Reply #13 on: October 01, 2014, 07:04:26 PM »
Acknowledged. I will try to make sure the tools use as little bandwidth as possible.

REDACTED

  • Guest
Re: Has anybody had this on Google Chrome?
« Reply #14 on: October 01, 2014, 08:27:20 PM »
Broadband High-Speed Internet came back BRIEFLY - was able to update MalwareBytes and do a re-scan!

WHAT THE HECK is "Installmate"??? 

I can guarantee that I didn't KNOWINGLY download THAT!

Re-booting now and then going to run Farbar Recovery Scan Tool!

Thanks so much again!!!
« Last Edit: October 01, 2014, 08:29:38 PM by nowfreespeech »