Has anybody had this on Google Chrome?

While I was traveling last week, I noticed that AVAST! would keep ringing in every time I went to Google search on Chrome on my netbook!!

NOW, that I am home, I keep getting the same warnings from AVAST! on my desktop computer!

I am thinking that either Chrome, or (most likely) my entire Google account has been hacked!

The warnings come from BOTH - something labeled “jaoohqvqda.ru” AND ALSO an IP (that is probably masked) of 88.208.7.204

ANY advice as to WHAT this is and HOW I can remove it is greatly appreciated!

MANY thanks!!

What is the full message from avast … you may attach a screenshot

Hi Pondus,

You should read that here (5 hours ago) → http://www.sweclockers.com/forum/22-microsoft-windows/1324472-blir-galen-jaoohqvqda-ru-cookie-eller-virus/ (You are the Viking among us :wink: ).
Not predicting much good here: tracking going on from jaoohqvqda dot ru → http://totalhash.com/network/ip:88.208.7.204

Waiting for more explicit info from the victim indeed,

hej hej,

polonus

P&P ;D,
it would not surprise me if it is part of the RBN.

Nowfreespeech,
please follow the instructions and attach the logs :
https://forum.avast.com/index.php?topic=53253.0

Ha Eddy,

Delving in the direction you pointed at, and yes, the Artemis botnet C&C probably comes into view.

Server nginx/1.4.4 on that website jaoohqvqda dot ru is vulnerable to conditional redirects.

The WOT reputation of the cert hoster, megasml dot ru, is very low: Trustworthiness Very Poor (15/100).
04/14/2014 SURBL: site blacklisted at ws.surbl.org (sa-blacklist web sites).

htxp://jaoohqvqda.ru/ → something bad out there, the host you provided doesn’t allow incoming HTTP HEAD requests.
Web bug results:

HTTP/1.1 403 Forbidden
Server: nginx/1.4.4
Date: Tue, 30 Sep 2014 22:16:43 GMT
Content-Type: text/html
Content-Length: 168
Connection: close
Vary: Accept-Encoding

403 Forbidden
nginx/1.4.4

On that Autonomous System:
AS39572
AS Name: ADVANCEDHOSTERS-AS ADVANCEDHOSTERS LIMITED
IPs allocated: 34816
Blacklisted URLs: 730

Hosts…
…malicious URLs? Yes
…badware? Yes
…botnet C&C servers? Yes
…exploit servers? No
…Zeus botnet servers? No
…Current Events? Yes
…phishing servers? No
…spam servers? No
…spam bots? No
…spam activity? No

This domain was hosted in the Netherlands and here, Eddy, you could be right:

https://www.virustotal.com/nl/domain/cnt1.xhamster.com/information/
See: http://urlquery.net/report.php?id=1412105524298
Asprox Criminal botnet for Artemis, see: https://www.virustotal.com/nl/file/5fd0c62db91b93bf5630838a66635a5516fd8863e06db036d0ca2dae2983de58/analysis/

polonus

From the Swedish forum Polonus posted … case solved by removing Ace Stream / Magic Player from Chrome.

Thanks, Pondus, for that reply,

pol

Really, Pondus?? Removing AceStream player cleared it up?? Damn…I LOVE my AceStream player :frowning:

Damn…I removed and re-installed Chrome TWICE, changed passwords twice, and dumped all cookies and browsing history since the beginning of time!! WHY does it still keep bothering ME?

But AVAST! DOES KEEP SHOWING (and, presumably, stopping) IT…so does it mean that I have CAUGHT some malware or virus? Or does it mean that it keeps trying and that AVAST! keeps stopping it??

Hi nowfreespeech,

The only way to know that for sure is just going through the routine as prescribed here:
https://forum.avast.com/index.php?topic=53253.0
Provide us with the logs and wait for a qualified removal expert here to go over them.

polonus

Regretfully…I am EXTREMELY computer illiterate…so, Polonus, I am just going to do step-by-step-by-step the procedures on that thread - I’ll post what I get back on the log here! Downloading MalwareBytes now -

Many thanks again!

FIRST OFF, however…I trashed the AS Magic Player extension on Chrome…lessee if THAT does anything…

Well, nowfreespeech, we understand that and the qualified remover will take you by the hand and gently will tip-toe with you through the necessary steps of the cleansing routine and explain everything in detail so you will feel completely comfortable. They know what they are supposed to do. You should not worry one bit. Believe me.

polonus

P.S. A malware remover has been notified, wait for his arrival in this thread.

Hi,

I am Valinorum and I will be your helper for this issue. Please attach the logs when done and we will go on from there. If you have any questions or do not understand anything, stop and ask.

Thank you.

My Internet Connection here in South East Asia is almost TOTALLY down (The A.A.G. Cable breakage ensures that it’ll be at dial-up speeds for at least one week) so I couldn’t do the update. But I DID run the scan - here is what it says:

Proceeding to NOW re-boot and continue with the rest of the steps on that thread!

Really can’t thank you folks enough! REALLY 'ppreciate all your help!!

Acknowledged. I will try to make sure the tools use as little bandwidth as possible.

Broadband High-Speed Internet came back BRIEFLY - was able to update MalwareBytes and do a re-scan!

WHAT THE HECK is “Installmate”???

I can guarantee that I didn’t KNOWINGLY download THAT!

Re-booting now and then going to run Farbar Recovery Scan Tool!

Thanks so much again!!!

WHAT THE HECK is "Installmate"
You mean [b]PUP.Optional.InstalleRex.A[/b].
PUP.Optional.InstalleRex got on your computer after you installed a freeware program (video recording/streaming, download managers or PDF creators) that bundled this browser hijacker into its installer. This Potentially Unwanted Program is also bundled within the custom installer on many download sites (examples: CNET, Brothersoft or Softonic), so if you have downloaded software from these websites, chances are that PUP.Optional.InstalleRex was installed during the software setup process.
The PUP.Optional.InstalleRex infection is used to boost advertising revenue, as in the use of blackhat SEO, to inflate a site’s page ranking in search results.

Farbar scan results -

Thanks, Pondus…THAT is kinda unnerving! You say it COULD come packaged INTO “(video recording/streaming, download-managers or PDF creators)”…

WONDER if, as others have suggested, the AceStream program is the carrier??

NOW - I keep getting THIS every five seconds -

Infection blocked
URL hxxps://codegv.ru
Infection URL:Mal

WHY are they picking on ME?? LOL!

ASWMBR log

I have tried everything on the thread about Logs to assist in cleaning Malware! I just now uninstalled AceStream Player and re-booted!

AND NOW - EVERY SINGLE TIME I go to ANY webpage, I get the AVAST! warning -

Infection blocked
URL hxxps://codegv.ru
Infection URL:Mal

HOWEVER - I get NO warnings at all on Internet Explorer!!

Which tends to make me believe that either my Google Chrome browser has been hacked, AND/OR (probably), my entire Google account has been hacked!

I am VERY happy that AVAST! is stopping these hack attempts every time I go to ANY webpage…but does anybody have even a GUESS as to WHAT this thing is??

ANY advice?

Thank you all again so much - you’ve been really patient with me! This is just really frustrating :frowning:
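Added example, not part of the thread and not code from Avast, Ace Stream or any forum member: a script that audits the manifests of installed Chrome extensions for the permission footprint an extension needs in order to inject a request into every page the user opens. It ties together two things the thread reports: the Swedish case was resolved by removing the Ace Stream / Magic Player extension from Chrome, and the blocks on hxxps://codegv.ru fire on every page in Chrome but never in Internet Explorer, which points at something living in the Chrome profile rather than in the Google account. Assumptions: the Chrome layout `<profile>/Extensions/<id>/<version>/manifest.json`; the two sample manifests, the extension ids and the names are constructed for the demo and do not describe any real extension. The script does not decide whether an extension is malicious; it only lists the ones that could behave the way the thread describes, so a human can review them.

```python
"""Audit Chrome extension manifests for 'every page, every request' reach.

Added example; the sample manifests below are constructed and the
directory layout assumption (Extensions/<id>/<version>/manifest.json)
is Chrome's, not something the forum thread states.
"""
import json
import tempfile
from pathlib import Path

# Host patterns that give an extension reach into every site the user visits.
ALL_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# APIs that let an extension observe, rewrite or redirect traffic.
NETWORK_APIS = {"webRequest", "webRequestBlocking", "proxy", "declarativeWebRequest"}


def matches_all_hosts(patterns):
    """True if any match pattern covers every host."""
    return any(p in ALL_HOSTS for p in patterns)


def assess_manifest(ext_id, manifest):
    """Return id, name, version and the list of reasons the extension is
    flagged; an empty list means the manifest grants nothing broad."""
    reasons = []
    perms = [p for p in manifest.get("permissions", []) if isinstance(p, str)]
    if matches_all_hosts(perms):
        reasons.append("host permission covers every site")
    net = sorted(set(perms) & NETWORK_APIS)
    if net:
        reasons.append("can intercept or redirect traffic: " + ", ".join(net))
    for cs in manifest.get("content_scripts", []):
        if matches_all_hosts(cs.get("matches", [])):
            reasons.append("content script injected into every page")
            break
    if "background" in manifest and reasons:
        reasons.append("has a background page (runs without any tab open)")
    return {"id": ext_id, "name": manifest.get("name", "?"),
            "version": manifest.get("version", "?"), "reasons": reasons}


def audit_extensions(extensions_root):
    """Walk <root>/<id>/<version>/manifest.json and assess each extension.
    When several version directories exist, the last one in sort order is
    used. A manifest that is not valid JSON is reported rather than skipped."""
    results = []
    for ext_dir in sorted(p for p in Path(extensions_root).iterdir() if p.is_dir()):
        manifests = sorted(ext_dir.glob("*/manifest.json"))
        if not manifests:
            continue
        try:
            manifest = json.loads(manifests[-1].read_text(encoding="utf-8"))
        except json.JSONDecodeError:
            results.append({"id": ext_dir.name, "name": "?", "version": "?",
                            "reasons": ["manifest.json is not valid JSON"]})
            continue
        results.append(assess_manifest(ext_dir.name, manifest))
    return results


def demo():
    """Build a constructed Extensions directory with one narrow and one
    broad extension, audit it and return the assessments."""
    benign = {"name": "Constructed benign extension", "version": "1.0",
              "manifest_version": 2,
              "permissions": ["storage", "https://example.com/*"],
              "content_scripts": [{"matches": ["https://example.com/*"],
                                   "js": ["cs.js"]}]}
    injector = {"name": "Constructed page-injecting extension", "version": "2.3",
                "manifest_version": 2,
                "permissions": ["<all_urls>", "webRequest", "webRequestBlocking", "tabs"],
                "background": {"scripts": ["bg.js"], "persistent": True},
                "content_scripts": [{"matches": ["*://*/*"], "js": ["inject.js"],
                                     "run_at": "document_start"}]}
    with tempfile.TemporaryDirectory() as tmp:
        # Hypothetical 32-character ids, the shape Chrome uses.
        for ext_id, manifest in (("a" * 32, benign), ("b" * 32, injector)):
            version_dir = Path(tmp) / ext_id / (manifest["version"] + "_0")
            version_dir.mkdir(parents=True)
            (version_dir / "manifest.json").write_text(json.dumps(manifest),
                                                       encoding="utf-8")
        return audit_extensions(tmp)


if __name__ == "__main__":
    for entry in demo():
        status = "FLAGGED" if entry["reasons"] else "ok"
        print(f"{status:7} {entry['id']} {entry['name']} {entry['version']}")
        for reason in entry["reasons"]:
            print("        -", reason)
```

To run it against a live profile, call `audit_extensions()` on the Chrome extensions folder instead of the constructed one; on Windows that is normally `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions`. Anything flagged deserves a look before, not after, reinstalling the browser: reinstalling Chrome while signed in can restore synced extensions, which is one plausible reason the warnings survived two reinstalls in the thread, though the posts do not confirm that.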