Web Antivirus - xmr.omine.org [Solved][Closed]

  • 4 May 2019
  • 5 replies
  • 1542 views

Hello guys,

Please, can you help me find what is in my computer? On some sites I try to access, Kaspersky Total Security performs a block by Web AV of this site; it doesn't matter which site, it's random. So, I suppose, there is something in my PC or in my browsers.

I already executed a full scan with Total Security and with Malwarebytes.
How can I solve this?

I attached two screens; at iracing.com I noticed a white border when KTS blocks the malicious .js

Feel free to request some logs and send procedures.

Thanks in advance.

Best answer by pedrohenriquegs 5 May 2019, 18:13

Guys,

I've found the issue: it was the LastPass Chrome extension. After removing it, the malicious site stopped being accessed. I got that from the debug log from Google Chrome.

Here is the line with the information; the confirmation comes with the extension ID.

code:
[12472:14916:0505/090143.618:VERBOSE1:network_delegate.cc(32)] NetworkDelegate::NotifyBeforeURLRequest: https:// xmr.omine. org/assets/v7.js
[12472:14916:0505/090143.618:VERBOSE1:network_delegate.cc(32)] NetworkDelegate::NotifyBeforeURLRequest: https:// xmr.omine. org/assets/v7.js
[11324:19096:0505/090143.626:VERBOSE1:dispatcher.cc(493)] Num tracked contexts: 3
[7376:9500:0505/090143.627:VERBOSE1:v8_context_snapshot.cc(152)] A context is created from snapshot for non-main world
[7376:9500:0505/090143.627:VERBOSE1:script_context.cc(94)] Created context:
extension id: hdokiejnpimakedhajhdlcegeplioahd
frame: 000018AF11903160
URL:
context_type: CONTENT_SCRIPT
effective extension id: hdokiejnpimakedhajhdlcegeplioahd
effective context type: CONTENT_SCRIPT
[7376:9500:0505/090143.627:VERBOSE1:script_context.cc(94)] Created context:
extension id: (none)
frame: 0000000000000000
URL:
context_type: UNSPECIFIED
effective extension id: (none)
effective context type: UNSPECIFIED
This topic has been closed for comments
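
The correlation done by hand in the best answer can be scripted. The following is an added example, not part of the original thread or of any Kaspersky or Chrome tooling: it scans a Chrome verbose log for requests to a given domain and lists the extension IDs whose script contexts were created shortly afterwards. The function name, the one-second window, the sample domain and the sample extension IDs are assumptions made for illustration, and closeness in time is only a lead to confirm by disabling the extension.

```python
import re
from collections import Counter

# Header of a Chrome verbose log line: [pid:tid:MMDD/HHMMSS.mmm:LEVEL:file(line)] message
HEADER = re.compile(r"^\[(\d+):(\d+):(\d{4})/(\d{2})(\d{2})(\d{2})\.(\d{3}):[^\]]*\] (.*)$")
REQUEST = "NetworkDelegate::NotifyBeforeURLRequest: "

def _seconds(m):
    # Time of day in seconds; sufficient for a window inside one day's log.
    return int(m[4]) * 3600 + int(m[5]) * 60 + int(m[6]) + int(m[7]) / 1000

def extensions_near_requests(log_text, domain, window=1.0):
    """Count extension ids whose script context was created within `window`
    seconds after a request to `domain`. A lead to test, not proof."""
    requests, contexts, current = [], [], None
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if m:
            current = None
            msg = m[8]
            if msg.startswith(REQUEST):
                url = msg[len(REQUEST):].replace(" ", "")  # tolerate URLs pasted with spaces
                host = re.sub(r"^[a-z]+://", "", url).split("/")[0]
                if host == domain or host.endswith("." + domain):
                    requests.append(_seconds(m))
            elif msg.startswith("Created context:"):
                current = {"time": _seconds(m)}
                contexts.append(current)
        elif current is not None and ":" in line:
            # Continuation lines such as "extension id: ..." belong to the last context.
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    hits = Counter()
    for ctx in contexts:
        ext = ctx.get("extension id", "(none)")
        if ext != "(none)" and any(0 <= ctx["time"] - t <= window for t in requests):
            hits[ext] += 1
    return hits

# Constructed sample in the format of the log above (domain and ids are made up).
SAMPLE = """\
[100:200:0505/090143.618:VERBOSE1:network_delegate.cc(32)] NetworkDelegate::NotifyBeforeURLRequest: https://miner.example/assets/v7.js
[300:400:0505/090143.627:VERBOSE1:script_context.cc(94)] Created context:
extension id: abcdefghijklmnopabcdefghijklmnop
context_type: CONTENT_SCRIPT
[300:400:0505/090143.627:VERBOSE1:script_context.cc(94)] Created context:
extension id: (none)
[300:400:0505/091500.000:VERBOSE1:script_context.cc(94)] Created context:
extension id: ponmlkjihgfedcbaponmlkjihgfedcba
"""
```

Calling `extensions_near_requests(SAMPLE, "miner.example")` returns a counter with only the first constructed ID; the context created about thirteen minutes later falls outside the window.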

5 replies

Welcome. Kaspersky Settings > Additional > Threats and exclusions > Detection types > enable Detect Other Software.
and do a databases update > reboot, then do a scan.

Clear the contents of your Temp folder, instructions: http://support.kaspersky.com/1161 and then reboot.

After that, uninstall any recently installed junk > reboot.

After that, uninstall any and all junk toolbars > reboot.

Uninstall/disable any and all junk browser add-ons and extensions and plugins in all of your browsers.

Remove the junk argument from the target field of the browser shortcut properties.

Remove any and all junk search providers in all of your browsers.

Then if need be, change your home page, in all of your browsers.

How to clean up your browsers: http://support.kaspersky.com/us/viruses/solutions/10319

If you are using a router, reset the router, change the router password to a strong password, enter the correct information according to your internet provider's instructions, then clear browser cache and cookies, reboot.

Any better after that?

If still no go, please post your GetSystemInfo report link, instructions: https://support.kaspersky.com/common/diagnostics/3632

I already performed all actions, the URL keeps trying to be opened.

Attached my GSI in this link: https://www.sendspace.com/file/u39b0n

Hello, @pedrohenriquegs
Try to use the recommendations of this article https://support.kaspersky.com/common/start/13985
Please upload the report GetSystemInfo here https://anonfile.com/

@pedrohenriquegs

Here is your GSI link : https://www.getsysteminfo.com/report/32edef4097faa1a8575e32409d656507

Please wait for additional suggestions.