Malware: "clickeu.datropy.com" and "Plus HD.8"

A relative is having some browser problems. The complaint is of excessive pop-up adverts, so I initially suggested AdBlock Plus for Firefox, and headed to the Add-Ons tab to find it. While checking to find out what “acceptable ads” meant, and wondering whether I should care that blocking adverts is going to bring Internet advertising firms to their knees (I really don’t), I found a new tab opened by itself and tried to direct me to a site called clickeu.datropy.com. A few moments later a dialogue opened up asking me to run setup.exe, a file of about 175kb.

Standard procedure under these circumstances is “Sod This For A Game Of Soldiers”. I killed the browser process with Task Manager, rather than clicking anywhere on the window, and set about running some searches to find out what datropy.com is.

Oddly enough, there are very few results.  There are references to the domain on virus-related sites – but I don’t recognise any of them as safe sites, so I’m not going there.  A forum in Dutch, translated through Chrome, refers to a similar problem with the datropy.com domain, but garners only basic advice to run anti-malware tools. InterNIC shows datropy.com registered through GoDaddy; GoDaddy refers me to Domains By Proxy, which is my dead end.  There are legitimate reasons for wanting to hide your identity on your domain registration; but there are also reasons like “you’re a scamming fuckbucket trying to avoid detection”.

A scan with MalwareBytes detected 68 threats but most, so I thought, were tracking cookies and none seemed obviously related to datropy. I also ran a Windows Explorer search on the word ‘datropy’. I found one match, in the file sessionstore.js in Firefox’s profiles folder. Checking the folder I found sessionstore.js and two other similar files, which I shredded. (sessionstore.js is a file Firefox creates when it isn’t closed properly – presumably created when I killed the process earlier, and referencing datropy.com because one of my browser tabs had been trying to connect to that site at the time.)
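A scripted version of that sessionstore search, added here as an example rather than anything from the original post: it parses the classic plain-JSON sessionstore.js (assumed layout windows -> tabs -> entries -> url) under a profile folder and reports only tabs whose host is the given domain or a subdomain of it, so a lookalike name is not counted. The compressed .jsonlz4 session files newer Firefox builds write are skipped, not decoded.

```python
"""Find Firefox session-store tabs that point at a given domain. Added example,
not code from the original post; assumes classic plain-JSON sessionstore.js."""
import json
import os
import tempfile
from urllib.parse import urlsplit

def host_matches(url, domain):
    """Exact host match: the domain itself or a subdomain, so a lookalike
    such as notdatropy.com is not reported while clickeu.datropy.com is."""
    host = (urlsplit(url).hostname or "").lower()
    return host == domain.lower() or host.endswith("." + domain.lower())

def tab_urls(session):
    """Yield every URL in the store's windows -> tabs -> entries tree."""
    for window in session.get("windows", []):
        for tab in window.get("tabs", []):
            for entry in tab.get("entries", []):
                if "url" in entry:
                    yield entry["url"]

def scan_profile(profile_dir, domain):
    """Return {relative path: [matching urls]} for each session-store file."""
    hits = {}
    for root, _dirs, files in os.walk(profile_dir):
        for name in files:
            if not name.startswith(("sessionstore", "recovery", "previous")):
                continue
            path = os.path.join(root, name)
            try:
                with open(path, encoding="utf-8") as f:
                    session = json.load(f)
            except (OSError, ValueError):
                continue  # compressed .jsonlz4 or otherwise not plain JSON
            urls = [u for u in tab_urls(session) if host_matches(u, domain)]
            if urls:
                hits[os.path.relpath(path, profile_dir)] = urls
    return hits

def demo():
    """Constructed throw-away profile: one tab on the rogue site, one on a
    harmless lookalike, written out as a plain-JSON sessionstore.js."""
    sample = {"windows": [{"tabs": [
        {"entries": [{"url": "https://example.org/", "title": "Example"}]},
        {"entries": [{"url": "http://clickeu.datropy.com/setup.exe"}]},
        {"entries": [{"url": "http://notdatropy.com/", "title": "Lookalike"}]}]}]}
    profile = tempfile.mkdtemp()
    with open(os.path.join(profile, "sessionstore.js"), "w", encoding="utf-8") as f:
        json.dump(sample, f)
    return scan_profile(profile, "datropy.com")
```

Point `scan_profile` at a real profile directory to cover sessionstore.js and the sessionstore-backups folder in one pass.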

Having deleted that I ran Firefox for a little while to see if anything else happened, and noticed a banner ad appear at the bottom of the screen: a series of images tagged “Ads by Plus HD.8”.

This, it turns out, was what my relative had been referring to in the first place: apparently these banners and windows were popping up all over the place while she tried to browse the net.  Checking MalwareBytes’ results, I found a number of matches relating to Plus HD.8: this is a piece of malware which uses browser surveillance and aggressive advert placement to foist coupons on users.  Checking Firefox’s add-ons tab, I found there was indeed an entry for Plus HD.8.

I removed this add-on, deleted the files MalwareBytes had found, including everything I could find relating to Plus HD.8, and restarted the system. I’m kicking myself that I didn’t notice the Plus HD.8 entries on MalwareBytes’ results list straight away, but amongst the various other rubbish they sneaked by me – at least until I had an idea what I was actually looking for.

Still, for now, everything seems to be back to normal.
