Solved oncklds chrome and firefox browser hijacker

Jemor

Level 1
Thread author
Apr 19, 2015
9
Hi again, it's been a couple of years since this last happened with another browser hijacker. Seems they are never ending.

Anyway, now have this problem with oncklds and desperately need your help once more.

As stated above it only seems to happen when I go to this forum, which has been around for a lot of years and well used. If coming from there I know they wouldn't know about it, but will fix it as soon as they know. Otherwise it's probably just me.

Thanks guys for helping again. I certainly am glad you are still here at least.
 

Attachments

  • FRST.txt
    101.4 KB · Views: 2
  • Addition.txt
    61.7 KB · Views: 1

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Hello,


Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine. Running it on another one may cause damage and render the system unstable.

Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished, FRST will generate a log on the Desktop, called Fixlog.txt.

Please attach it to your reply.
 

Attachments

  • fixlist.txt
    5.5 KB · Views: 4

Jemor

Level 1
Thread author
Apr 19, 2015
9
Thank you. I did that, however I can't seem to get my Chrome extensions back working. I should've updated you since my initial request that I did update Chrome before you replied. Sorry if this makes a difference, but when I checked Chrome after the update the virus was still there and I still had my couple of extensions then. Can't get any extensions to run now even though they are installed and allowed and I'm logged into Chrome.
I'm not too concerned about them, but I was starting to use the Avast password manager for generic passwords etc. I do use KeePass for important things and it's safe where it is.
I just checked the website where this virus seems to run after this fix run and it's still there but under a different name now I think...it changed so fast I didn't see exactly before closing the tab.
Awaiting your reply with what to do next with many thanks.
 

Attachments

  • Fixlog.txt
    17.1 KB · Views: 3

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Scan with Farbar Recovery Scan Tool

Please re-run Farbar Recovery Scan Tool to give me a fresh look at your system.
  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Make sure that Addition.txt option is checked.

  • Press the Scan button and wait.
  • The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.
Please attach the report to your next reply.
 

Jemor

Level 1
Thread author
Apr 19, 2015
9
Thanks THE, I've installed Glasswire since last post and have done another couple of different scans to no avail. I installed Spybot last night but it wouldn't update properly so I couldn't scan and uninstalled it this morning.

I did find in the forum this is happening on has had many complaints about this since 15 April and since my posts seem to be taking it seriously now, but as of last night have not yet announced what they are doing about it or if they found anything. I haven't been in there this morning yet for updates to this. I still feel it is coming from there (for me) and so far I may have stopped it attaching to my pc because it's just not happening anywhere else, but I don't know if it still captures personal information before I close the webpage when it starts to open.

Meanwhile, thanks for all your help.

Sorry for the delayed responses but I'm in bed when you're online it seems :)
 

Attachments

  • FRST.txt
    95.2 KB · Views: 2
  • Addition.txt
    62.8 KB · Views: 1

Jemor

Level 1
Thread author
Apr 19, 2015
9
It started when I was using Comodo browser with Comodo security, so went to Chrome then Firefox testing for this AV Forum site and happened on all of them. That was the 2nd time I visited the forum. Same with some others in the forum. Some have found Adware Blocker to work it seems. I ditched Comodo browser and security and now back to Avast free. I personally have now found Avast's Safe Browser and have found it works and I can now use the forum freely. I've also decided to use Avast's Safe Browser as my default.
I'm not sure I need your help now as I still feel it is coming from the site and all these days I have never had it from anywhere else. The site's admin/webmaster is away at the moment so he is in for a surprise when he returns. I'm happy with Avast's Safe Browser for now and can cope fine.

I do appreciate all you have done so far and if there is anything in my reports amiss please advise me as to what to do. As you would've seen I do use Malwarebytes stuff and have not had any problems for years generally very happy now. I have to re look at Hitman Pro as I'm sure it stopped after 30 days use before.
Anyway, if you feel there is no more to do with this I'm happy for you to close out this session, but as mentioned prior, if you've seen something I need to deal with please advise.

I think I now owe you a carton... as Aussies say :)
 

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
There are 4 possible scenarios for such behavior:
  1. Active malware infection that we confirmed doesn't exist with latest FRST reports.
  2. Infection from the past that could have poisoned the browser cache but we cleaned the cache.
  3. If it isn't happening on every website then it is probably related to the specific site. In that case I am advising you to install uBlock extension.
  4. 4th thing is an infected router if this behavior exists on other devices on your network.
What I personally think is that this is the 3rd scenario.

Let me know if uBlock fixed it.

Jemor

Level 1
Thread author
Apr 19, 2015
9
Thanks THE, it is the site and adblockers work, but they still need to get it off their site; if they don't I won't be back there. All is well with me now though, so you could close this. Problem solved I reckon. Thanks again for all your help.
 
