I've been hit by the Partner18mydomainadvisor malware...

Re: I've been hit by the Partner18mydomainadvisor malware...
« Reply #13 on: September 21, 2014, 05:59:01 AM »
 

elija
Quote from: m654321
Thanks Elija for your reply - I note the search engine you recommend - I think duckduckgo is used in the Midori web browser?
Do you have any opinion on 'Bing' as a search engine? I have found it to be fine, and hopefully is safer than Google...

Regards
Mike

I can't say I've ever used it but I believe it is by Microsoft so don't imagine it would respect your privacy much more than Google does.
 

Re: I've been hit by the Partner18mydomainadvisor malware...
« Reply #12 on: September 21, 2014, 04:28:14 AM »
 

m654321

Thanks Elija for your reply - I note the search engine you recommend - I think duckduckgo is used in the Midori web browser?
Do you have any opinion on 'Bing' as a search engine? I have found it to be fine, and hopefully is safer than Google...

Regards
Mike
64bit OS (32-bit on Samsung netbook) installed in Legacy mode on MBR-formatted SSDs (except pi which uses a micro SDHC card):
2017 - Raspberry pi 3B (4cores) ~ [email protected] - LibreElec, used for upgrading our Samsung TV (excellent for the task)  
2012 - Lenovo G580 2689 (2cores; 4threads] ~ [email protected] - LL3.8/Win8.1 dual-boot (LL working smoothly)
2011 - Samsung NP-N145 Plus (1core; 2threads) ~ Intel Atom [email protected] - LL 3.8 32-bit (64-bit too 'laggy')
2008 - Asus X71Q (2cores) ~ Intel [email protected] - LL4.6/Win8.1 dual-boot, LL works fine with kernel 4.15
2007 - Dell Latitude D630 (2cores) ~ Intel [email protected] - LL4.6, works well with kernel 4.4; 4.15 doesn't work
 

Re: I've been hit by the Partner18mydomainadvisor malware...
« Reply #11 on: September 21, 2014, 04:11:50 AM »
 

elija
It sounds like you were hit by a malicious JavaScript. Use Firefox on both computers and install the NoScript security suite add-on to protect yourself. It disables all JavaScript and lets you enable only the scripts you need on sites you trust. You should avoid enabling third-party scripts where possible.

For a search engine, I used to recommend startpage.com as they respect your privacy and use Google, but it looks like Google may be messing with results returned to it based on my entirely unscientific experiments. Now I recommend duckduckgo.com.
 

Re: I've been hit by the Partner18mydomainadvisor malware...
« Reply #10 on: September 21, 2014, 02:37:55 AM »
 

m654321

More details about what happened...

My wife's Windows 8.1 laptop got infected initially. She is unable to work out how or when exactly this happened.

What I could find out about this malware is that it appears to latch itself on to the Google Chrome browser, and can do damage by stealing passwords, etc.  I noticed whenever my wife went to her TalkTalk webmail account, the 'partner18' link would appear on the bottom left of the screen, which would then flick through a variety of website links in rapid succession (some of these were apparently African & Asian), before finally arriving at TalkTalk. Strangely, when my wife arrived at TalkTalk, she often had difficulties logging into the webmail account, and strangely TalkTalk would suggest non-existent TalkTalk account names for her to type in.

Using my LL2 laptop, I wanted to look up 'partner18mydomainadvisor' malware on the internet to get some further information, but inadvertently arrived at their .com website.  However their website showed as a black screen, LL2 flickered a few times, and I noticed RAM consumption shot up from around 0.4-0.5 GB to about 1.1 GB, out of a total of 3.8. Clearly, there was something wrong.  Even in Win8.1 there appears to be no effective tool from Microsoft to get rid of this - I'd imagine even less in Linux - I only found some quite complicated work to do in the registry to get rid of it (I am not experienced in this area at all), and didn't trust the one or two sites I saw that purported to have a free downloadable software tool for partner18 removal. 

So, in the end, the easiest solution was a fresh clean install on both laptops, and the problem appears to have now gone.
And... under the Firefox browser I have changed the search engine from Google to Bing, just to be on the safe side!

Regards
Mike
« Last Edit: September 21, 2014, 04:24:15 AM by m654321 »
 

Re: I've been hit by the Partner18mydomainadvisor malware...
« Reply #9 on: September 18, 2014, 08:21:22 AM »
 

elija
Could these run under Wine perhaps?
 

Re: I've been hit by the Partner18mydomainadvisor malware...
« Reply #8 on: September 15, 2014, 04:17:17 PM »
 

ohjrson

Hmm, OK, I am not a programmer by any right, but I just looked at a site called http://wikimalware.com/how-to-remove-newsfudge-com-virus-completely/ and judging from what it says it looks like this is geared for a Microsoft product. So therefore Linux cannot be infected. However, it does give you what I think is a name to look for. It is called "random.exe". Again, a Windows executable. I seriously am beginning to think that this should not be affecting a Linux-based system, but I could be wrong.

Have a look Valtam if you have not already figured it out. Let me know what you think.
Ohjrson
LL 6.6 Dell Power Edge T310 Quad core 32g
LL 6.6 Acer E5-722-49HD A4-7210 Quad core
LL 6.6 Acer AX3812-E9502 intel Quad core
LL 6.2 Dell Optiplex 755 intel Core 2 duo
LL 3.8 Acer Aspire 3000 AMD processor
Simple, Fast, Efficient, Free, and Beats Windows all to hell.
 

Re: I've been hit by the Partner18mydomainadvisor malware...
« Reply #7 on: September 15, 2014, 06:49:42 AM »
 

Wirezfree

Hi

I just helped a friend with a similar "Browser Hijack" situation on Chrome,
which is what I suspect Partner18 is.
((Though you may have 2 issues, if one of the supposed fixes added something else?))

In Chrome, click on the "Options", top right 3 parallel bars,
select "Settings", near the bottom of the drop-down list.
That will now bring up a Chrome Settings screen.
Top left, click on "Extensions".
That will list all the extensions currently installed on Chrome.

Unless you recognise anything you have installed yourself,
click on the "Trash Can" next to each of them and remove them from Chrome,
then re-start Chrome.

If no extensions are present, I'm not sure what next, sorry.

There was (in Windows) a bogus program doing the rounds, "Anti Phishing Domain Advisor",
that manifested itself with browser re-directs and oddities if you used web-based email.
It can be easily removed via Add/Remove Programs, but that won't get onto Linux.

Dave
Upgrades WIP 2.6 to 2.8 - (6 X 2.6 to 2.8 completed on: 20/02/16 All O.K )
Linux Lite 3.0 Humming on a ASRock N3070 Mobo ~ btrfs RAID 10 Install on 4 Disks :)

Computers Early days:
ZX Spectrum(1982) , HP-150 MS-DOS(1983) , Amstrad CPC464(1984) ,  BBC Micro B+64(1985) , My First PC HP-Vectra(1987)
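As an added example that is not from Dave's post or from Linux Lite itself, the same extension review done from a Linux shell instead of the Chrome settings screen. It assumes the Chrome profile directory (normally ~/.config/google-chrome/Default) is passed as the first argument, treats the Web Store update URL in each manifest as a rough "came from the store" marker, and the sample profile it builds is constructed.

```shell
#!/bin/sh
# Constructed example (not from the thread): inventory of installed Chrome extensions
# on Linux. Chrome unpacks each extension under
# <profile>/Extensions/<extension id>/<version>/manifest.json.

# Pull one string field out of a manifest.json without a JSON parser.
manifest_field() {
    grep -oE "\"$2\" *: *\"[^\"]*\"" "$1" | head -n1 | sed -E 's/.*: *"([^"]*)"$/\1/'
}

# One line per installed extension: <id> <store|sideloaded> <name>
list_extensions() {
    for m in "$1"/Extensions/*/*/manifest.json; do
        [ -f "$m" ] || continue
        id=$(basename "$(dirname "$(dirname "$m")")")
        name=$(manifest_field "$m" name)
        # Web Store installs carry Google's update URL; anything else was loaded
        # some other way and deserves a closer look (heuristic, not proof).
        case "$(manifest_field "$m" update_url)" in
            *clients2.google.com/service/update2/crx*) origin=store ;;
            *) origin=sideloaded ;;
        esac
        echo "$id $origin $name"
    done
}

# Number of extensions that did not come from the Web Store.
sideloaded_count() {
    list_extensions "$1" | grep -c ' sideloaded '
}

# --- constructed sample profile so the script runs offline ---
SAMPLE=$(mktemp -d)
mkdir -p "$SAMPLE/Extensions/aaaa/1.0_0" "$SAMPLE/Extensions/bbbb/2.1_0"
cat > "$SAMPLE/Extensions/aaaa/1.0_0/manifest.json" <<'EOF'
{"name": "Ad Blocker", "version": "1.0", "update_url": "https://clients2.google.com/service/update2/crx"}
EOF
cat > "$SAMPLE/Extensions/bbbb/2.1_0/manifest.json" <<'EOF'
{"name": "Search Helper", "version": "2.1"}
EOF

echo "== extensions installed in $SAMPLE =="
list_extensions "$SAMPLE"
```

Real extension ids are 32 lowercase letters; the four-letter ids above are only there to keep the sample short.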
 

Re: I've been hit by the Partner18mydomainadvisor malware...
« Reply #6 on: September 15, 2014, 05:59:23 AM »
 

Jerry

Quote from: m654321
My LL 2.0 has just been hit by the parner18.mydomainadvisor malware.

Could you please explain how your Linux Lite has been 'hit' by this. How does this infect Linux Lite? It's important to explain this to people as these kind of thread titles can stir up unnecessary paranoia.
 

Re: I've been hit by the Partner18mydomainadvisor malware...
« Reply #5 on: September 15, 2014, 01:31:24 AM »
 

ohjrson

Yes, please keep us informed about this threat. My understanding is that web browsers and search engines operate slightly differently when on Linux. So I would be very interested to know what your Linux Lite OS is doing as a result of this malware. Please give details.
 

Re: I've been hit by the Partner18mydomainadvisor malware...
« Reply #4 on: September 09, 2014, 10:49:16 PM »
 

N4RPS

Hello!

For the Windows box, Junkware Removal Tool (JRT) and AdwCleaner are both available from

http://www.bleepingcomputer.com

Those two should take care of the issue. If not, Malwarebytes (which you can try for free to clean your infection) will remove it.

NEVER PAY *ANYONE* for utilities to clean your infected PC. There ARE some good ones, but most are bogus. With the right tools, you can clean and optimize your own Windows PC for free - AND/OR make a buck or few off the poor souls who still use Windows.

Keep us posted on how to deal with this junkware on Linux, as this is THE first time I've heard of a Linux machine being infected with ANYTHING malicious...

73 DE N4RPS
Rob


A gun in your hand is worth more than a whole police force on the phone.
 

Re: I've been hit by the Partner18mydomainadvisor malware...
« Reply #3 on: September 09, 2014, 05:48:54 PM »
 

rokytnji

If this is one of those drive-by surfing malware thingies just for Windows, and if you are concerned,
you can compare your ~/.mozilla folder contents with mine. See if anything stands out to you.
Mine is malware free.

Code:
harry@biker1:~$ cd .mozilla
harry@biker1:~/.mozilla$ ls
extensions  firefox
harry@biker1:~/.mozilla$ cd firefox
harry@biker1:~/.mozilla/firefox$ ls
026tshko.default  Crash Reports  profiles.ini
harry@biker1:~/.mozilla/firefox$ cd 026tshko.default
harry@biker1:~/.mozilla/firefox/026tshko.default$ ls
adblockedge           healthreport             places.sqlite-wal
addons.json           healthreport.sqlite      pluginreg.dat
blocklist.xml         healthreport.sqlite-shm  prefs.js
bookmarkbackups       healthreport.sqlite-wal  search.json
cert8.db              key3.db                  secmod.db
compatibility.ini     lightweighttheme-footer  sessionCheckpoints.json
content-prefs.sqlite  lightweighttheme-header  sessionstore.bak
cookies.sqlite        localstore.rdf           sessionstore.js
cookies.sqlite-shm    lock                     signons.sqlite
cookies.sqlite-wal    logins.json              storage
crashes               lwtheme                  times.json
extensions            mimeTypes.rdf            useragentswitcher
extensions.ini        minidumps                webapps
extensions.json       netpredictions.sqlite    webappsstore.sqlite
fftmp                 permissions.sqlite       webappsstore.sqlite-shm
formhistory.sqlite    places.sqlite            webappsstore.sqlite-wal
gm_scripts            places.sqlite-shm        WOT
harry@biker1:~/.mozilla/firefox/026tshko.default$

Also my /home folder.

Code:
harry@biker1:~$ ls -a
.                    .dbus            icons         screeny
..                   Desktop          .icons        Templates
.adobe               .dmrc            Images        .themes
.asoundrc            Documents        isos          .thumbnails
.audacity-data       Downloads        .lastpass     Videos
.bash_history        .fonts           .local        Wallpaper
.bashrc              .gconf           .macromedia   .weather.sh
Books                .gimp-2.8        .moc          .Xauthority
.cache               .gksu.lock       .mozilla      .xscreensaver
ChromeOS_recoverysh  .gstreamer-0.10  .mp3splt-gtk  .xsession-errors
.config              .gtk-bookmarks   Music         .xsession-errors.old
.conkyrc             .gtkrc-2.0       Pictures
.conkyrcbk           .I

Honestly, I don't think your malware, whatever it is, can get past /home to / root, but that is just my opinion, being unfamiliar with this malware.
LL 3.6,2.8
Dell XT2 > Touchscreen Laptop
Dell 755 > Desktop
Acer 150 > Desktop
I am who I am. Your approval is not needed.
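Added example, not part of rokytnji's post or of Linux Lite: rather than eyeballing the whole directory listing, a small script that pulls the two things a browser hijack usually leaves in a Firefox profile, namely search/homepage overrides in prefs.js and the list of add-on ids in extensions.json. It assumes the profile directory (for example ~/.mozilla/firefox/026tshko.default) is passed as the first argument; the sample profile it writes is constructed.

```shell
#!/bin/sh
# Constructed example (not from the thread): audit a Firefox profile for search/homepage
# overrides and installed add-ons. Profile directory is $1.

# Firefox's own application id appears in extensions.json under targetApplications;
# it is not an add-on, so it is filtered out of the add-on listing.
FIREFOX_APP_ID='{ec8030f7-c20a-464f-9b0e-13a3a9e97384}'

# Print prefs.js lines that change the homepage, default search engine or keyword search.
hijack_prefs() {
    grep -E 'user_pref\("(browser\.startup\.homepage|browser\.search\.defaultenginename|browser\.search\.selectedEngine|keyword\.URL|browser\.newtab\.url)"' "$1/prefs.js" 2>/dev/null
}

# Number of such overrides; 0 means nothing to review.
hijack_count() {
    hijack_prefs "$1" | wc -l | tr -d ' '
}

# Add-on ids recorded in extensions.json, one per line, app id excluded.
addon_ids() {
    grep -oE '"id": ?"[^"]+"' "$1/extensions.json" 2>/dev/null \
        | sed -E 's/.*"([^"]+)"$/\1/' | grep -vF "$FIREFOX_APP_ID" | sort -u
}

# --- constructed sample profile so the script runs offline ---
SAMPLE=$(mktemp -d)
cat > "$SAMPLE/prefs.js" <<'EOF'
user_pref("browser.cache.disk.capacity", 358400);
user_pref("browser.startup.homepage", "http://example.invalid/hijacked");
user_pref("keyword.URL", "http://example.invalid/search?q=");
EOF
cat > "$SAMPLE/extensions.json" <<'EOF'
{"schemaVersion":16,"addons":[{"id":"adblockedge@example","targetApplications":[{"id":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}"}]},{"id":"unknown-toolbar@example","targetApplications":[{"id":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}"}]}]}
EOF

echo "== prefs that change where searches and the homepage go =="
hijack_prefs "$SAMPLE"
echo "== add-on ids to compare against what you installed yourself =="
addon_ids "$SAMPLE"
```

Any add-on id you do not recognise, or any homepage/search override pointing somewhere you never chose, is what to look at first; a clean profile prints nothing in the first section.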
 

Re: I've been hit by the Partner18mydomainadvisor malware...
« Reply #2 on: September 09, 2014, 04:21:40 PM »
 

Scott

Hi m654321,

I feel for you, malware is never a good thing.

Until your post I've never heard of parner18.mydomainadvisor malware. My last windows laptop died about 9 months ago so I can't test anything first hand but I did Google around and found this from Malwarebytes for the Windows side of things.

https://forums.malwarebytes.org/index.php?/topic/153204-being-redirected/

Still looking for references to this malware on Linux. If I find anything I'll make a separate post.

~Scott
 

I've been hit by the Partner18mydomainadvisor malware...
« Reply #1 on: September 09, 2014, 03:13:17 PM »
 

m654321

My LL 2.0 has just been hit by the parner18.mydomainadvisor malware. I have Firefox as web browser and Google as search engine.
This is despite having ESET antivirus for Linux (paid subscription) on my laptop, as well as being up to date with all my LL2 updates.
It has already attacked my wife's Windows 8 on her computer and appears to be doing odd things to our mailbox.

Help!!!
What can I do? I have seen some websites declaring that you can download their software to remove partner18, but how do I know they are genuine and not malicious?

Mike