Welcome guest. Before posting on our computer help forum, you must register. Click here it's easy and free.

Author Topic: Firefox Browser Hijacker - Not Detected by Malwarebytes! - Removal Process  (Read 1620 times)

0 Members and 1 Guest are viewing this topic.

DaveLembke

    Topic Starter


    Sage
  • Inventor of the Magna-Broom 3000 =)
  • Thanked: 636
  • Certifications: List
  • Computer: Specs
  • Experience: Expert
  • OS: Windows 10
Sharing this here in case anyone else gets hit with this one. I was surfing the web today and this one struck. Normally these hijackers get detected and cleaned out by malwarebytes but this one is able to hide somehow.

The website was a https:// secured http site named Lomotilnew with .xyz vs .com or .net etc and it targeted Firefox with /WindowsFirefox/ at the end of its URL path. ( There may be variant browser targets to target other browsers, but I'm not going to look for them )  ;D NOTE: Do not assemble that URL path and go there because it will likely take your browser hostage!  ::) However the majority of the ones I have seen in the past have random alphanumeric URL paths that are 1 shots, where the path is temporary to try to get people to contact them and infect further or pay ransom money, but hides itself from being reported and pointed out to shut the website down because going back to the website would then show a blank white page vs the alert. This one is a different level of these in that the URL path appears to be functional to repeat visits or so the browser displays which could be a locally cached session that it reloads on session restore.

In the tab name of the window it displayed as  Call+1(877)334-1444  *Note: Highly advised "NOT" to call that number or you could then start getting scam spammed. Too bad pay phones dont exist in my area as for I'd like to see who answers.  ;D

A Pop up box asking for a Username and Password is shown and you cant close or minimize and the entire system is locked with exception to CTRL + ALT + DELETE function and ability to type into this pop up box which might be trying to farm peoples username and passwords if anything is entered there. * Note: I didn't type anything into the 2 fields and went immediately to killing it off and removing it.

Looped was audio ( in a male text to voice ) that stated:

Quote
Critical Alert ... Your Computer has alerted us that it is infected with a virus and spyware.

Please call us immediately at the toll free number listed so that our support engineers can walk you through the removal process over .... ( Note the audio stops and loop repeats back from the beginning without saying "The Phone".)

Malwarebytes with the latest definitions does not catch this which is amazing. All others I have come across get flagged and caught in memory as the hijacker is running from a temp location. This one though Malwarebytes says your computer is clean 0 problems detected.

So I had to go through this process below to clean my system of it. Simply bringing up task manager and ending firefox process and then relaunching firefox does not fix this as Firefox wants to run to the last page that was open as part of its crash recovery process which was triggered by ending the process tree for firefox in task manager.

Quote
So here is the fix:

1.) End Firefox in Task Manager which you will need to get there through CTRL + ALT + DELETE because the browser is locked and it wont let you minimize it to get back to desktop.

2.) From Task Manager end the Firefox Process Tree. ( Firefox will close )

3.) Now open up command shell by running CMD in the Start RUN or by typing CMD into the "Type here to search" box of Windows 10 lower left.

4.) With command shell now open enter START FIREFOX WWW.GOOGLE.COM (Note: This will force Firefox to open Google and not the last session website(s) which the hijacker is at )

5.) You might see a tab to the left of the new www.google.com tab that says Session Restore. Ignore this! Go to History of Firefox and select Clear Recent History. A pop up box will now ask for the Time Range to clear. It might be default of "Today" leave it as "Today" and then click on CLEAR NOW. Your browser history for today is now clear so that hijack website is gone from any prior sessions.

6.) Close Firefox browser and it might warn you if you want to Confirm Close. Click on CLOSE TABS.

7.) Firefox closes. Now open Firefox and it will open clean to Google or whatever Homepage you have Firefox set to.

Hopefully Malwarebytes will eventually update their definitions to catch this one. But right now its undetected and it takes almost complete control of the computer with only option to getting out of it to CTRL + ALT + DELETE and go through this process to wipe out the last session through clearing the history and starting fresh.

BC_Programmer


    Mastermind
  • Typing is no substitute for thinking.
  • Thanked: 1109
    • Yes
    • Yes
    • BC-Programming.com
  • Certifications: List
  • Computer: Specs
  • Experience: Beginner
  • OS: Windows 8
Re: Firefox Browser Hijacker - Not Detected by Malwarebytes! - Removal Process
« Reply #1 on: September 11, 2018, 01:24:54 PM »
Quote
NOTE: Do not assemble that URL path and go there because it will likely take your browser hostage!
I did anyway- I get the dialog you mentioned but I don't get any looped audio or anything. It only affected that browser tab. I pressed escape on the dialog and escape to "stop" the page and nothing else happened.

I have very pessimistic default options, however, and NoScript probably blocked some of it as well.

Also it looks like it's gone now- It only gives a cpanel error.



I was trying to dereference Null Pointers before it was cool.

SuperDave

  • Malware Removal Specialist
  • Moderator


  • Genius
  • Thanked: 998
  • Certifications: List
  • Experience: Expert
  • OS: Windows 8
Re: Firefox Browser Hijacker - Not Detected by Malwarebytes! - Removal Process
« Reply #2 on: September 11, 2018, 05:48:46 PM »
Good information. Thanks for the warning.
Intel(R) Core (TM) i3-3220 CPU 3.30 GHz 8.0 Gb RAM Windows 8.1 with a dual boot to Windows XP  Home with SP3, Comodo  with Windows Firewall & Windows Defender