arstechnica.com
18.188.68.231
Public Scan
URL:
https://arstechnica.com/civis/threads/known-adware-malware-infection-notification-helper.1471829/
Submission: On September 27 via manual from US — Scanned from DE
Form analysis
7 forms found in the DOM
POST /civis/search/search
<form action="/civis/search/search" method="post" class="uix_searchForm" data-xf-init="quick-search">
<a class="uix_search--close">
<i class="fa--xf far fa-window-close" aria-hidden="true"></i>
</a>
<input type="text" class="input js-uix_syncValue uix_searchInput uix_searchDropdown__trigger" autocomplete="off" data-uixsync="search" name="keywords" placeholder="Search…" aria-label="Search" data-menu-autofocus="true">
<a href="/civis/search/" class="uix_search--settings u-ripple rippleButton" data-xf-key="/" aria-label="Search" aria-expanded="false" aria-haspopup="true" title="Search">
<i class="fa--xf far fa-cog" aria-hidden="true"></i>
</a>
<span class=" uix_searchIcon">
<i class="fa--xf far fa-search" aria-hidden="true"></i>
</span>
<input type="hidden" name="_xfToken" value="1727462272,52e3d9d9ab1de7299691a416ec8403e0">
</form>
POST /civis/search/search
<form action="/civis/search/search" method="post" class="menu-content" data-xf-init="quick-search">
<h3 class="menu-header">Search</h3>
<div class="menu-row">
<div class="inputGroup inputGroup--joined">
<input type="text" class="input js-uix_syncValue" name="keywords" data-uixsync="search" placeholder="Search…" aria-label="Search" data-menu-autofocus="true">
<select name="constraints" class="js-quickSearch-constraint input" aria-label="Search within" style="width: 101px; flex-grow: 0; flex-shrink: 0;">
<option value="">Everywhere</option>
<option value="{&quot;search_type&quot;:&quot;post&quot;}">Threads</option>
<option value="{&quot;search_type&quot;:&quot;post&quot;,&quot;c&quot;:{&quot;nodes&quot;:[15],&quot;child_nodes&quot;:1}}">This forum</option>
<option value="{&quot;search_type&quot;:&quot;post&quot;,&quot;c&quot;:{&quot;thread&quot;:1471829}}">This thread</option>
</select>
</div>
</div>
<div class="menu-row">
<label class="iconic"><input type="checkbox" name="c[title_only]" value="1"><i aria-hidden="true"></i><span class="iconic-label">Search titles only <span tabindex="0" role="button" data-xf-init="tooltip" data-trigger="hover focus click"
data-original-title="Tags will also be searched" aria-label="Tags will also be searched" id="js-XFUniqueId1">
<i class="fa--xf far fa-question-circle u-muted u-smaller" aria-hidden="true"></i>
</span></span></label>
</div>
<div class="menu-row">
<div class="inputGroup">
<span class="inputGroup-text" id="ctrl_search_menu_by_member">By:</span>
<input type="text" class="input" name="c[users]" data-xf-init="auto-complete" placeholder="Member" aria-labelledby="ctrl_search_menu_by_member" autocomplete="off">
</div>
</div>
<div class="menu-footer">
<span class="menu-footer-controls">
<button type="submit" class="button--primary button button--icon button--icon--search rippleButton"><span class="button-text">Search</span></button>
<a href="/civis/search/" class="button rippleButton"><span class="button-text">Advanced search…</span></a>
</span>
</div>
<input type="hidden" name="_xfToken" value="1727462272,52e3d9d9ab1de7299691a416ec8403e0">
</form>
POST /civis/search/search
<form action="/civis/search/search" method="post" class="menu-content" data-xf-init="quick-search">
<div class="menu-row">
<div class="inputGroup">
<input name="keywords" class="js-uix_syncValue" data-uixsync="search" placeholder="Search…" aria-label="Search" type="hidden">
<select name="constraints" class="js-quickSearch-constraint input" aria-label="Search within" style="width: 101px; flex-grow: 0; flex-shrink: 0;">
<option value="">Everywhere</option>
<option value="{&quot;search_type&quot;:&quot;post&quot;}">Threads</option>
<option value="{&quot;search_type&quot;:&quot;post&quot;,&quot;c&quot;:{&quot;nodes&quot;:[15],&quot;child_nodes&quot;:1}}">This forum</option>
<option value="{&quot;search_type&quot;:&quot;post&quot;,&quot;c&quot;:{&quot;thread&quot;:1471829}}">This thread</option>
</select>
</div>
</div>
<div class="menu-row">
<label class="iconic"><input type="checkbox" name="c[title_only]" value="1"><i aria-hidden="true"></i><span class="iconic-label">Search titles only <span tabindex="0" role="button" data-xf-init="tooltip" data-trigger="hover focus click"
data-original-title="Tags will also be searched" aria-label="Tags will also be searched" id="js-XFUniqueId2">
<i class="fa--xf far fa-question-circle u-muted u-smaller" aria-hidden="true"></i>
</span></span></label>
</div>
<div class="menu-row">
<div class="inputGroup">
<span class="inputGroup-text">By:</span>
<input class="input" name="c[users]" data-xf-init="auto-complete" placeholder="Member" autocomplete="off">
</div>
</div>
<div class="menu-footer">
<span class="menu-footer-controls">
<button type="submit" class="button--primary button button--icon button--icon--search rippleButton"><span class="button-text">Search</span></button>
<a href="/civis/search/" class="button rippleButton" rel="nofollow"><span class="button-text">Advanced…</span></a>
</span>
</div>
<input type="hidden" name="_xfToken" value="1727462272,52e3d9d9ab1de7299691a416ec8403e0">
</form>
POST /civis/search/search
<form action="/civis/search/search" method="post" class="uix_searchForm" data-xf-init="quick-search">
<a class="uix_search--close">
<i class="fa--xf far fa-window-close" aria-hidden="true"></i>
</a>
<input type="text" class="input js-uix_syncValue uix_searchInput uix_searchDropdown__trigger" autocomplete="off" data-uixsync="search" name="keywords" placeholder="Search…" aria-label="Search" data-menu-autofocus="true">
<a href="/civis/search/" class="uix_search--settings u-ripple rippleButton" data-xf-key="/" aria-label="Search" aria-expanded="false" aria-haspopup="true" title="Search">
<i class="fa--xf far fa-cog" aria-hidden="true"></i>
</a>
<span class=" uix_searchIcon">
<i class="fa--xf far fa-search" aria-hidden="true"></i>
</span>
<input type="hidden" name="_xfToken" value="1727462272,52e3d9d9ab1de7299691a416ec8403e0">
</form>
POST /civis/search/search
<form action="/civis/search/search" method="post" class="menu-content" data-xf-init="quick-search">
<h3 class="menu-header">Search</h3>
<div class="menu-row">
<div class="inputGroup inputGroup--joined">
<input type="text" class="input js-uix_syncValue" name="keywords" data-uixsync="search" placeholder="Search…" aria-label="Search" data-menu-autofocus="true">
<select name="constraints" class="js-quickSearch-constraint input" aria-label="Search within" style="width: 101px; flex-grow: 0; flex-shrink: 0;">
<option value="">Everywhere</option>
<option value="{&quot;search_type&quot;:&quot;post&quot;}">Threads</option>
<option value="{&quot;search_type&quot;:&quot;post&quot;,&quot;c&quot;:{&quot;nodes&quot;:[15],&quot;child_nodes&quot;:1}}">This forum</option>
<option value="{&quot;search_type&quot;:&quot;post&quot;,&quot;c&quot;:{&quot;thread&quot;:1471829}}">This thread</option>
</select>
</div>
</div>
<div class="menu-row">
<label class="iconic"><input type="checkbox" name="c[title_only]" value="1"><i aria-hidden="true"></i><span class="iconic-label">Search titles only <span tabindex="0" role="button" data-xf-init="tooltip" data-trigger="hover focus click"
data-original-title="Tags will also be searched" aria-label="Tags will also be searched" id="js-XFUniqueId3">
<i class="fa--xf far fa-question-circle u-muted u-smaller" aria-hidden="true"></i>
</span></span></label>
</div>
<div class="menu-row">
<div class="inputGroup">
<span class="inputGroup-text" id="ctrl_search_menu_by_member">By:</span>
<input type="text" class="input" name="c[users]" data-xf-init="auto-complete" placeholder="Member" aria-labelledby="ctrl_search_menu_by_member" autocomplete="off">
</div>
</div>
<div class="menu-footer">
<span class="menu-footer-controls">
<button type="submit" class="button--primary button button--icon button--icon--search rippleButton"><span class="button-text">Search</span></button>
<a href="/civis/search/" class="button rippleButton"><span class="button-text">Advanced search…</span></a>
</span>
</div>
<input type="hidden" name="_xfToken" value="1727462272,52e3d9d9ab1de7299691a416ec8403e0">
</form>
POST /civis/search/search
<form action="/civis/search/search" method="post" class="menu-content" data-xf-init="quick-search">
<div class="menu-row">
<div class="inputGroup">
<input name="keywords" class="js-uix_syncValue" data-uixsync="search" placeholder="Search…" aria-label="Search" type="hidden">
<select name="constraints" class="js-quickSearch-constraint input" aria-label="Search within" style="width: 101px; flex-grow: 0; flex-shrink: 0;">
<option value="">Everywhere</option>
<option value="{&quot;search_type&quot;:&quot;post&quot;}">Threads</option>
<option value="{&quot;search_type&quot;:&quot;post&quot;,&quot;c&quot;:{&quot;nodes&quot;:[15],&quot;child_nodes&quot;:1}}">This forum</option>
<option value="{&quot;search_type&quot;:&quot;post&quot;,&quot;c&quot;:{&quot;thread&quot;:1471829}}">This thread</option>
</select>
</div>
</div>
<div class="menu-row">
<label class="iconic"><input type="checkbox" name="c[title_only]" value="1"><i aria-hidden="true"></i><span class="iconic-label">Search titles only <span tabindex="0" role="button" data-xf-init="tooltip" data-trigger="hover focus click"
data-original-title="Tags will also be searched" aria-label="Tags will also be searched" id="js-XFUniqueId4">
<i class="fa--xf far fa-question-circle u-muted u-smaller" aria-hidden="true"></i>
</span></span></label>
</div>
<div class="menu-row">
<div class="inputGroup">
<span class="inputGroup-text">By:</span>
<input class="input" name="c[users]" data-xf-init="auto-complete" placeholder="Member" autocomplete="off">
</div>
</div>
<div class="menu-footer">
<span class="menu-footer-controls">
<button type="submit" class="button--primary button button--icon button--icon--search rippleButton"><span class="button-text">Search</span></button>
<a href="/civis/search/" class="button rippleButton" rel="nofollow"><span class="button-text">Advanced…</span></a>
</span>
</div>
<input type="hidden" name="_xfToken" value="1727462272,52e3d9d9ab1de7299691a416ec8403e0">
</form>
<form style="display:none" hidden="hidden">
<input type="text" name="_xfClientLoadTime" value="" id="_xfClientLoadTime" title="_xfClientLoadTime" tabindex="-1">
</form>
Text Content
KNOWN ADWARE / MALWARE INFECTION... (NOTIFICATION HELPER)
Thread starter: Deleted member 4603
Start date: Nov 10, 2020
Status: Not open for further replies.

#1 | Deleted member 4603 (Guest) | Nov 10, 2020

Every 7.5 minutes or so, this guy gets an alert from Windows alerts & notifications, saying "Norton $19.99 - Your special price is valid today only. routerlogin.dev" with install / open buttons. So I know he has something. I think it started when he tried to go to routerlogin.com for his new netgear router, and typed it in wrong, but not sure on that. MBAM finds nothing, nor does Cisco AMP or McAfee. Any ideas?

#2 | Paladin (Ars Legatus Legionis) | Nov 10, 2020

Check the startup and apps lists and uninstall anything suspicious. It's not necessarily malware if he installed it willingly.

#3 | Deleted member 4603 (Guest) | Nov 10, 2020

> Paladin said:
> Check the startup and apps lists and uninstall anything suspicious.
> It's not necessarily malware if he installed it willingly.

Nothing. Our laptops are fairly well locked down, users can't install anything. Well, a handful of things install to the profile and ignore such restrictions, but I'm not seeing any such culprit. "Yet."

#4 | Deleted member 4603 (Guest) | Nov 10, 2020

Found it.

C:\Program Files (x86)\Google\Chrome\Application\86.0.4240.75\notification_helper.exe
CommandLine: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --notification-launch-id=0|0|Default|0|https://routerlogin.dev/|p#https://routerlogin.dev/#010062

Very strange that none of our tools found this on full scans.

#5 | Paladin (Ars Legatus Legionis) | Nov 10, 2020

Might have installed as an extension originally and somehow wiggled in as a chrome update or something. Extensions can sometimes do naughty things if the user clicks ok.

#6 | Deleted member 4603 (Guest) | Nov 10, 2020

> Paladin said:
> Might have installed as an extension originally and somehow wiggled in as a
> chrome update or something. Extensions can sometimes do naughty things if the
> user clicks ok.

Sure, still weird that three separate products failed to detect it...

#7 | Paladin (Ars Legatus Legionis) | Nov 10, 2020

Yeah, could be a 0-day kind of thing. Maybe no one has reported it or not enough have.

#8 | Deleted member 4603 (Guest) | Nov 10, 2020

> Paladin said:
> Yeah, could be a 0-day kind of thing. Maybe no one has reported it or not
> enough have.

MBAM, at least, has specific logic to look for Chrome extension pointers and such. It isn't even itself malware nor is it exploiting any vulnerability. Though, I'm imagining it would *install* malware if you click either the open or install link. We... declined to test that aspect

#9 | S@NDOK@N (Ars Legatus Legionis) | Nov 11, 2020

IMO the problem was that when visiting the site the user inadvertently hit "yes" on "allow notifications from this site". When that happens no scanner will find the culprit...because the culprit is the user. Those PEBKAC issues are the hardest to detect.

#10 | Hat Monster (Ars Legatus Legionis) | Nov 11, 2020

This isn't malware. It isn't adware. It's user-requested behaviour.

Chrome, and Edge, and all other Chromium browsers support push notifications, via the notification_helper.exe process. I just had one appear about the Apple M1 chip.

It isn't malware. It's a deliberate user subscription. The browser even warns "xxx.site wants to show notifications", with [Allow] [Block]. Deleting or disabling the notification process will just cause them to come back when the browser updates.

See here:
https://support.google.com/chrome/answe ... ktop&hl=en

#11 | Deleted member 4603 (Guest) | Nov 11, 2020

> Hat Monster said:
> This isn't malware. It isn't adware. It's user-requested behaviour.
>
> Chrome, and Edge, and all other Chromium browsers support push notifications,
> via the notification_helper.exe process. I just had one appear about the Apple
> M1 chip.
>
> It isn't malware. It's a deliberate user subscription. The browser even warns
> "xxx.site wants to show notifications", with [Allow] [Block]. Deleting or
> disabling the notification process will just cause them to come back when the
> browser updates.
>
> See here:
> https://support.google.com/chrome/answe ... ktop&hl=en

Well, then Google needs to make it easier to see that this is the cause, and to disable this feature for given sites if accidentally enabled. That was the first thing I checked; Events & Notifications. And we know for sure that the notification would lead to a malicious site if the user had clicked anything on the notification and not been blocked by our security systems. The only fix we found, was to remove the executable.

#12 | dcook32p (Ars Scholae Palatinae) | Nov 11, 2020

Settings > Site Permissions > Notifications didn't show it?

#13 | Deleted member 4603 (Guest) | Nov 11, 2020

> dcook32p said:
> Settings > Site Permissions > Notifications didn't show it?

Nope.

#14 | dcook32p (Ars Scholae Palatinae) | Nov 17, 2020

Brian Krebs posted a writeup on this today.

https://krebsonsecurity.com/2020/11/be- ... fications/

#15 | Deleted member 4603 (Guest) | Nov 17, 2020

> dcook32p said:
> Brian Krebs posted a writeup on this today.
>
> https://krebsonsecurity.com/2020/11/be- ... fications/

Oh, nice, thanks!

#16 | S@NDOK@N (Ars Legatus Legionis) | Nov 19, 2020

Here's a comprehensive guide to blocking/etc, Notifications In Chrome, Firefox, Opera And Vivaldi.

https://www.itechtics.com/block-push-no ... -browsers/

Latest Vivaldi build is even simpler. Just open Settings > Webpages > edit Default Permissions. Done.

#17 | TECHUNSAVY9 (Smack-Fu Master, in training) | Apr 19, 2023

Hey I know this thread is old but is this just an adware? I stumble across this same stupid site thinking it’s router login.net and my a/v blocked a connection reason url blacklist. Did scans with a/v and malware byte and both couldn’t find anything. Should I be concerned something is lurking somewhere in my pc? Let me know thanks!

#18 | SKOOP (Ars Legatus Legionis, Moderator) | Apr 19, 2023

Please don't revive ancient threads. Start a new one, and provide more relevant info. What site? What are you doing that gets flagged? etc