flash.2144 malware / adware generating Chinese 新鮮事 FFnews pop ups

Thread starter: StevieGo (Guest)
On a trip to mainland China in 2018 Q1, I started getting FF新鮮事 (FFnews) pop-ups in a browser window. The pop-ups had a red FF新鮮事 logo and a bunch of other stuff in Chinese. The same malware, according to the link below, appears to have been passed around earlier in 2018 in a release of Adobe Flash:




I don't believe Flash was the source of the malware for me, as Adobe Flash wasn't installed at the time the pop-ups started.

The FF新鮮事 / FFnews pop-up appears a while after starting my PC (i.e. the pop-up doesn't appear immediately after booting up).


After some digging around I believe I have tracked down some relevant diagnostic info:

1) I found this XML file:

[screenshot]

Here is a copy of the XML text so it shows up should anyone be web searching for other occurrences of this issue:


<?xml version="1.0"?>
<root><item htime="30716431" ltime="2252089424" value="1579669284677|1548066838,1548077362,1548082609,1548133274" name="Hm_lvt_ac8848dc06687b4e8936029238c24f9d"/></root>



2) I did a search of the Windows registry and found these two 2144.com entries under


\HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\DOMstorage\


This is despite not being aware that Internet Explorer had any software on my PC.

[screenshot]


3) While clicking some buttons today, a shortcut appeared on my desktop. The info in these screenshots may be useful:

[screenshot 1]

[screenshot 2]

The second of those screenshots has the file location contained in the shortcut opened in the background.

4) A search of my C drive for "FFnews" found numerous files named FFnews.html. These are in different folders and not just at the location in the screenshot below:

[screenshot]




I hope I have included all the required diagnostic info to allow:

a) Some sort of Microsoft representative to have this picked up for targeting by Windows Defender (I ran a full Windows Defender scan and it didn't pick up the malware in question). Can a Microsoft person have this info passed to the people who generate the Windows Defender update files, please?

b) Anyone else affected by this to have a chance of getting rid of it quickly, should they need to self-troubleshoot.
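Added example (not the poster's code, nor Microsoft's): a Python helper that decodes the DOMStorage XML quoted in point 1 into a timeline of when the site that wrote the `Hm_lvt_` key (a Baidu Tongji "last visit time" key) was actually loaded, which is usually earlier than when the pop-ups were first noticed. It assumes that `htime`/`ltime` are the high and low 32-bit halves of a Windows FILETIME and that the value is `expiry_ms|visit1,visit2,...` in Unix time; the decoded write time landing ten seconds after the last visit and 365 days before the expiry is the consistency check on those assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# DOMStorage XML text exactly as quoted in point 1 of the post above.
DOMSTORAGE_XML = (
    '<?xml version="1.0"?>'
    '<root><item htime="30716431" ltime="2252089424" '
    'value="1579669284677|1548066838,1548077362,1548082609,1548133274" '
    'name="Hm_lvt_ac8848dc06687b4e8936029238c24f9d"/></root>'
)

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(high, low):
    """Join the high/low 32-bit halves of a Windows FILETIME (100 ns ticks
    since 1601-01-01 UTC) and return it as an aware UTC datetime."""
    ticks = (high << 32) | low
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_domstorage_items(xml_text):
    """Return one dict per <item>: key name, the entry's write time (assumed
    to be htime/ltime as a FILETIME) and the Hm_lvt_ payload split into its
    expiry (milliseconds before '|') and visit timestamps (seconds after '|')."""
    items = []
    for item in ET.fromstring(xml_text).iter("item"):
        written = filetime_to_utc(int(item.get("htime")), int(item.get("ltime")))
        expiry_ms, _, visits = item.get("value").partition("|")
        items.append({
            "name": item.get("name"),
            "written_utc": written,
            "expires_utc": UNIX_EPOCH + timedelta(milliseconds=int(expiry_ms)),
            "visits_utc": [UNIX_EPOCH + timedelta(seconds=int(v))
                           for v in visits.split(",") if v],
        })
    return items


if __name__ == "__main__":
    for entry in parse_domstorage_items(DOMSTORAGE_XML):
        print(entry["name"])
        print("  written:", entry["written_utc"].isoformat())
        print("  expires:", entry["expires_utc"].isoformat())
        for visit in entry["visits_utc"]:
            print("  visit:  ", visit.isoformat())
```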
