

I've been hit by the Partner18mydomainadvisor malware...
#1
My LL 2.0 has just been hit by the partner18.mydomainadvisor malware. I have Firefox as web browser and Google as search engine.
This is despite having ESET antivirus for Linux (paid subscription) on my laptop, as well as being up-to-date with all my LL2 updates.
It has already attacked my wife's Windows 8 on her computer and appears to be doing odd things to our mailbox.

Help!!!
What can I do? I have seen some websites declaring that you can download their software to remove partner18, but how do I know they are genuine and not malicious?

Mike
64bit OS (32-bit on Samsung netbook) installed in Legacy mode on MBR-formatted SSDs (except pi which uses a micro SDHC card):
2017 - Raspberry pi 3B (4cores) ~ [email protected] - LibreElec, used for upgrading our Samsung TV (excellent for the task)
2012 - Lenovo G580 2689 (2cores; 4threads) ~ [email protected] - LL3.8/Win8.1 dual-boot (LL working smoothly)
2011 - Samsung NP-N145 Plus (1core; 2threads) ~ Intel Atom [email protected] - LL 3.8 32-bit (64-bit too 'laggy')
2008 - Asus X71Q (2cores) ~ Intel [email protected] - LL4.6/Win8.1 dual-boot, LL works fine with kernel 4.15
2007 - Dell Latitude D630 (2cores) ~ Intel [email protected] - LL4.6, works well with kernel 4.4; 4.15 doesn't work
#2
Hi m654321,

I feel for you, malware is never a good thing.

Until your post I've never heard of the partner18.mydomainadvisor malware. My last Windows laptop died about 9 months ago so I can't test anything first hand, but I did Google around and found this from Malwarebytes for the Windows side of things.

https://forums.malwarebytes.org/index.ph...edirected/

Still looking for references to this malware on Linux. If I find anything I'll make a separate post.

~Scott
#3
If this is one of those drive-by surfing malware thingies, it's just for Windows. If concerned, you can compare your ~/.mozilla folder contents with mine and see if anything stands out to you.
Mine is malware free.

Code:
harry@biker1:~$ cd .mozilla
harry@biker1:~/.mozilla$ ls
extensions  firefox
harry@biker1:~/.mozilla$ cd firefox
harry@biker1:~/.mozilla/firefox$ ls
026tshko.default  Crash Reports  profiles.ini
harry@biker1:~/.mozilla/firefox$ cd 026tshko.default
harry@biker1:~/.mozilla/firefox/026tshko.default$ ls
adblockedge           healthreport             places.sqlite-wal
addons.json           healthreport.sqlite      pluginreg.dat
blocklist.xml         healthreport.sqlite-shm  prefs.js
bookmarkbackups       healthreport.sqlite-wal  search.json
cert8.db              key3.db                  secmod.db
compatibility.ini     lightweighttheme-footer  sessionCheckpoints.json
content-prefs.sqlite  lightweighttheme-header  sessionstore.bak
cookies.sqlite        localstore.rdf           sessionstore.js
cookies.sqlite-shm    lock                     signons.sqlite
cookies.sqlite-wal    logins.json              storage
crashes               lwtheme                  times.json
extensions            mimeTypes.rdf            useragentswitcher
extensions.ini        minidumps                webapps
extensions.json       netpredictions.sqlite    webappsstore.sqlite
fftmp                 permissions.sqlite       webappsstore.sqlite-shm
formhistory.sqlite    places.sqlite            webappsstore.sqlite-wal
gm_scripts            places.sqlite-shm        WOT
harry@biker1:~/.mozilla/firefox/026tshko.default$

Also my /home folder.

Code:
harry@biker1:~$ ls -a
.                    .dbus            icons         screeny
..                   Desktop          .icons        Templates
.adobe               .dmrc            Images        .themes
.asoundrc            Documents        isos          .thumbnails
.audacity-data       Downloads        .lastpass     Videos
.bash_history        .fonts           .local        Wallpaper
.bashrc              .gconf           .macromedia   .weather.sh
Books                .gimp-2.8        .moc          .Xauthority
.cache               .gksu.lock       .mozilla      .xscreensaver
ChromeOS_recoverysh  .gstreamer-0.10  .mp3splt-gtk  .xsession-errors
.config              .gtk-bookmarks   Music         .xsession-errors.old
.conkyrc             .gtkrc-2.0       Pictures
.conkyrcbk           .I

Honestly, I don't think your malware, whatever it is, can get past /home to / (root), but that is just my opinion, being unfamiliar with this malware.
LL 3.6,2.8
Dell XT2 > Touchscreen Laptop
Dell 755 > Desktop
Acer 150 > Desktop
I am who I am. Your approval is not needed.
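The directory listing in the post above is one way to eyeball a profile; what a browser hijacker actually changes is usually the start page, the default search engine and the add-on list. The following is an added example script (not code from this thread or from Linux Lite) that reads the two files that carry those settings, prefs.js and extensions.json, from a Firefox profile directory and reports them so they can be checked against what the user knowingly installed. The pref names and the extensions.json fields it reads ("addons", "id", "defaultLocale", "active", "userDisabled") are assumptions about Firefox's profile format of that era; the profile it audits is constructed inline with placeholder add-on ids under example.invalid, so it runs offline.

```python
"""Audit a Firefox profile directory for the settings a browser hijacker
usually tampers with: start page, default search engine and installed add-ons.

Added example, not code from the thread. The prefs.js / extensions.json
layout and field names are assumptions about Firefox's profile format.
The sample profile below is constructed so the script runs offline.
"""
import json
import os
import re
import tempfile

# Preferences a hijacker typically rewrites to redirect searches and the start page.
WATCHED_PREFS = (
    "browser.startup.homepage",
    "browser.search.defaultenginename",
    "browser.search.selectedEngine",
    "keyword.URL",
    "browser.newtab.url",
)

# One prefs.js line looks like: user_pref("name", value);
PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*(.+)\);$')


def parse_prefs(path):
    """Return {pref_name: value} from a prefs.js file (values kept as strings)."""
    prefs = {}
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            m = PREF_RE.match(line.strip())
            if m:
                prefs[m.group(1)] = m.group(2).strip().strip('"')
    return prefs


def list_addons(path):
    """Return a flat list of add-ons from extensions.json (assumed field names)."""
    with open(path, encoding="utf-8") as fh:
        data = json.load(fh)
    return [
        {
            "id": a.get("id"),
            "name": (a.get("defaultLocale") or {}).get("name"),
            "active": bool(a.get("active")) and not a.get("userDisabled", False),
        }
        for a in data.get("addons", [])
    ]


def audit_profile(profile_dir):
    """Collect the watched prefs and active add-ons for manual review."""
    report = {"prefs": {}, "addons": [], "findings": []}
    prefs_path = os.path.join(profile_dir, "prefs.js")
    if os.path.isfile(prefs_path):
        prefs = parse_prefs(prefs_path)
        for key in WATCHED_PREFS:
            if key in prefs:
                report["prefs"][key] = prefs[key]
                report["findings"].append(f"{key} = {prefs[key]!r}")
    ext_path = os.path.join(profile_dir, "extensions.json")
    if os.path.isfile(ext_path):
        report["addons"] = list_addons(ext_path)
        for addon in report["addons"]:
            if addon["active"]:
                report["findings"].append(f"active add-on {addon['name']!r} ({addon['id']})")
    return report


# Constructed sample profile: a homepage/search override plus three add-ons,
# one of them disabled. All names and ids are placeholders.
SAMPLE_PREFS_JS = """\
# Mozilla User Preferences
user_pref("app.update.lastUpdateTime.background-update-timer", 1410203040);
user_pref("browser.startup.homepage", "http://search.example.invalid/");
user_pref("browser.search.defaultenginename", "Example Search");
"""
SAMPLE_EXTENSIONS_JSON = {
    "addons": [
        {"id": "adblock-sample@example.invalid",
         "defaultLocale": {"name": "Ad Blocker (sample)"},
         "active": True, "userDisabled": False},
        {"id": "advisor@example.invalid",
         "defaultLocale": {"name": "Domain Advisor (sample)"},
         "active": True, "userDisabled": False},
        {"id": "old-theme@example.invalid",
         "defaultLocale": {"name": "Old Theme (sample)"},
         "active": False, "userDisabled": True},
    ]
}


def build_sample_profile():
    """Write the constructed files into a temporary profile directory."""
    profile_dir = tempfile.mkdtemp(prefix="ff-profile-")
    with open(os.path.join(profile_dir, "prefs.js"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_PREFS_JS)
    with open(os.path.join(profile_dir, "extensions.json"), "w", encoding="utf-8") as fh:
        json.dump(SAMPLE_EXTENSIONS_JSON, fh)
    return profile_dir


def audit_sample_profile():
    """Run the audit against the constructed profile."""
    return audit_profile(build_sample_profile())


if __name__ == "__main__":
    for finding in audit_sample_profile()["findings"]:
        print(finding)
```

To check a real profile, call audit_profile() on the directory under ~/.mozilla/firefox/ that profiles.ini points at instead of the constructed one; any start-page or search entry you did not set yourself, or an active add-on you do not recognise, is what to look at first.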
#4
Hello!

For the Windows box, Junkware Removal Tool (JRT) and AdwCleaner are both available from

http://www.bleepingcomputer.com

Those two should take care of the issue. If not, Malwarebytes (which you can try for free to clean your infection) will remove it.

NEVER PAY *ANYONE* for utilities to clean your infected PC. There ARE some good ones, but most are bogus. With the right tools, you can clean and optimize your own Windows PC for free - AND/OR make a buck or few off the poor souls who still use Windows.

Keep us posted on how to deal with this junkware on Linux, as this is THE first time I've heard of a Linux machine being infected with ANYTHING malicious...

73 DE N4RPS
Rob

A gun in your hand is worth more than a whole police force on the phone.
#5
Yes, please keep us informed about this threat. My understanding is that web browsers and search engines operate slightly differently on Linux. So I would be very interested to know what your Linux Lite OS is doing as a result of this malware. Please give details.
LL 6.6 Dell Power Edge T310 Quad core 32g
LL 6.6 Acer E5-722-49HD A4-7210 Quad core
LL 6.6 Acer AX3812-E9502 intel Quad core
LL 6.2 Dell Optiplex 755 intel Core 2 duo
LL 3.8 Acer Aspire 3000 AMD processor
Simple, Fast, Efficient, Free, and Beats Windows all to hell.
#6
(09-09-2014, 07:13 PM)m654321 link Wrote: My LL 2.0 has just been hit by the partner18.mydomainadvisor malware.

Could you please explain how your Linux Lite has been 'hit' by this. How does this infect Linux Lite? It's important to explain this to people as these kind of thread titles can stir up unnecessary paranoia.
#7
Hi

I just helped a friend with a similar "Browser Hijack" situation on Chrome,
which is what I suspect Partner18 is.
(Though you may have 2 issues, if one of the supposed fixes added something else?)

In Chrome, click on the "Options", top right 3 parallel bars,
Select "Settings", near bottom of drop down list.
That will now bring up a Chrome Settings screen.
Top Left, Click on "Extensions".
That will list all the extensions currently installed on Chrome.

Unless you recognise anything you have installed yourself,
click on the "Trash Can" next to each of them and remove from Chrome,
then restart Chrome.

If no extensions are present, I'm not sure what next, sorry.

There was (in Windows) a bogus program doing the rounds, "Anti Phishing Domain Advisor",
that manifested itself with browser redirects, and oddities if you used web-based email.
It can be easily removed via Add/Remove programs, but that won't get onto Linux.

Dave
Upgrades WIP 2.6 to 2.8 - (6 X 2.6 to 2.8 completed on: 20/02/16 All O.K )
Linux Lite 3.0 Humming on a ASRock N3070 Mobo ~ btrfs RAID 10 Install on 4 Disks

Computers Early days:
ZX Spectrum(1982) , HP-150 MS-DOS(1983) , Amstrad CPC464(1984) ,  BBC Micro B+64(1985) , My First PC HP-Vectra(1987)
#8
Hmm, ok, I am not a programmer by any right, but I just looked at a site called http://wikimalware.com/how-to-remove-new...ompletely/ and judging from what it says it looks like this is geared for a Microsoft product. So therefore Linux cannot be infected. However, it does give you what I think is a name to look for. It is called "random.exe". Again, a Windows executable. I seriously am beginning to think that this should not be affecting a Linux based system, but I could be wrong.

Have a look Valtam if you have not already figured it out. Let me know what you think.
Ohjrson
#9
Could these run under Wine perhaps?
#10
More details about what happened...

My wife's Windows 8.1 laptop got infected initially. She is unable to work out how or when exactly this happened.

What I could find out about this malware is that it appears to latch itself on to the Google Chrome browser, and can do damage by stealing passwords, etc. I noticed whenever my wife went to her TalkTalk webmail account, the 'partner18' link would appear on the bottom left of the screen, which would then flick through a variety of website links in rapid succession (some of these were apparently African & Asian), before finally arriving at TalkTalk. Strangely, when my wife arrived at TalkTalk, she often had difficulties logging into the webmail account, and strangely TalkTalk would suggest non-existent TalkTalk account names for her to type in.

Using my LL2 laptop, I wanted to look up 'partner18mydomainadvisor' malware on the internet to get some further information, but inadvertently arrived at their .com website. However, their website showed as a black screen, LL2 flickered a few times, and I noticed RAM consumption shot up from around 0.4-0.5 GB to about 1.1 GB, out of a total of 3.8. Clearly, there was something wrong. Even in Win8.1 there appears to be no effective tool from Microsoft to get rid of this (I'd imagine even less in Linux); I only found some quite complicated work to do in the registry to get rid of it (I am not experienced in this area at all), and didn't trust the one or two sites I saw that purported to have a free downloadable software tool for partner18 removal.

So, in the end, the easiest solution was a fresh clean install on both laptops and the problem appears to have now gone.
And... under the Firefox browser I have changed the search engine from Google to Bing, just to be on the safe side!

Regards
Mike