
I have something injecting a script into all web browsers that I have tried - Firefox, IE, Edge, Chrome - and it doesn't look like an extension (since it is doing so in different web browsers). I suspect it's either a process injection or some silent process doing the work, but cannot pinpoint it. Can anyone advise what I should look for?

It appears it does an injection into newtab-serviceworker.js as well, changing its search form to its own. Bugga! This is the code from that file:

```javascript
// Extra resources to pre-cache, in addition to the fixed list below.
var EXTRA_FILES = [
  "/xjs/_/js/k=xjs.ntp.en_US.iCI9PQB5wew.O/m=jsa,ntp,d,csi/am=BA/rt=j/d=1/t=zcms/rs=ACT90oFcUbquz13KP289MZy7OI9wPcMXiA",
];
// Version tag; changing it yields a new cache name and a fresh download.
var CHECKSUM = "r4v3sd";

// Path patterns excluded from caching (not used in this excerpt).
var BLACKLIST = [
  '/gen_204\?',
  '/async/',
];

// Static assets of the New Tab page, plus any extra files.
var FILES = [
  '/images/srpr/logo11w.png',
  '/images/srpr/chrome_ntp_white_logo2.png',
  '/' + '/ssl.gstatic.com/chrome/components/doodle-notifier-01.html'
].concat(EXTRA_FILES || []);

var CACHENAME = 'newtab-static-' + CHECKSUM;

// On install, open the versioned cache and fetch every listed file into it.
self.addEventListener('install', function(event) {
  event.waitUntil(caches.open(CACHENAME).then(function(cache) {
    return cache.addAll(FILES);
  }));
});
```
  • It is the code you are [showing us via pastebin](http://pastebin.com/p0RiPd1C) that concerns me. `var ad = response.ad; var ad_token = response.ad_token; ...` – 700 Software Jul 13 '16 at 12:07
  • What exactly concerns you there? It's a script (or rather a base of scripts) that hijacks pages' links, opening doorways with ads and promotions designed for clicking-off on the ads. – Daniel Protopopov Jul 13 '16 at 12:18
  • Of course it is concerning to have 3rd-party code in your everyday websites as it could be doing much more than inserting ads! I commented because the code you entered above is different from the code in your pastebin account, and I want to be sure that other answerers will notice. – 700 Software Jul 13 '16 at 12:24
  • That code is indeed different since it's from another file (Chrome's virtual machine), my bad - I forgot to mention it. – Daniel Protopopov Jul 13 '16 at 12:32
  • Try running the free Panda Antivirus scan. It has a very high detection ratio, better than most other solutions, it provides a free scan and it checks with checksums in the cloud. It's really nice. – Aria Jul 13 '16 at 14:20
  • It would help to clarify a bit what the question is. Remember we don't do tech support for malware on this site. If you are asking "what is this malware and how did I get it?", it's much less acceptable / actionable than "how can someone, at the OS level, modify browsers' files to inject some third-party JavaScript into pages?". This is also primarily a Windows question, ultimately. Maybe one better suited for Super User or the sysadmin SE, since the knowledge required applies to non-security scenarios. Anyway I guess that's what is meant by the people who started a close vote on this question. – Steve Dodier-Lazaro Aug 22 '16 at 12:28

2 Answers


I've figured out that it was an in-built Chrome search toolbar that was enabled, that I have mistakenly taken for a virus/malware. Thanks out to those who deserve it.


Some viruses will inject themselves into each major browser, by extension or other means, as each browser operates differently. Seeing ads on pages where they don't belong (i.e. your New Tab page should not have any ads, neither should many major websites) is a clue that you may have a virus on your computer.

If you cannot come up with a legitimate explanation for this happening (i.e. you installed an extension in just one browser), you should assume you have a virus.

It is possible the virus is doing other things as well (i.e. logging any credit card numbers you type in, or spamming all your friends' email accounts). It is also possible that the virus will be commanded to take further action at a later time (ransomware).

The best way to eliminate viruses is to completely wipe the operating system (back up your personal files first!).

A less thorough approach is to simply install and run an anti-virus program. However (unlike a complete wipe of the OS) an anti-virus program cannot guarantee complete successful removal of the virus.

If you have been using a non-administrative user account on your computer, it is possible the virus is contained in that account and you can simply switch to a new account. However, this is not the default setup for most people.

  • That's quite obvious, I was looking for someone who can give pointers where to look towards to have it eliminated. Having the OS wiped out is the easiest choice, though, along with running a live CD with the AV on it to inspect the disk's contents. However, these days most malware is encrypted and decrypted on the fly, so it's difficult for AVs to search for signatures. – Daniel Protopopov Jul 13 '16 at 12:20
  • In Chrome, start with chrome://serviceworker-internals/, disable suspicious workers – Alexei Danchenkov Jun 24 '17 at 19:30