What is this Chinese website?
May 19, 2015 12:52 PM   Subscribe

When I click on the 'Manage Account' button in the Account settings menu in my copy of Word 365, it launches a new web page - stores.office.com - where I can then log-in to my account. All straightforward. But at the same time a separate tab is also launched for the site www.59e.com, which is all in Chinese. What is this? I'm in the UK, using Firefox.
posted by srednivashtar to Computers & Internet (12 answers total)
It looks like a spam page. My guess is there's malware on your system, possibly unrelated to Word 365, that opens the tab when you open the browser. Is this a legit copy of Windows/Word 365, or did you purchase it from ebay, in which case it might be a Chinese counterfeit? Either way I recommend a full malware scan.
posted by bluecore at 1:01 PM on May 19, 2015

Response by poster: Totally legit, all bought via microsoft.com. This is a Lenovo machine though, so it's highly likely to be something dodgy. A Malwarebytes scan has thrown up nothing. I can't replicate the site's appearance just by entering the URL in a browser - it only comes up through Word itself.
posted by srednivashtar at 1:28 PM on May 19, 2015

There's a known security flaw in Lenovo machines that could possibly allow the installation of malware. Make sure your machine is up to date with all patches (the linked article includes a link to Lenovo's website where you can download the patch, if you haven't done so already).
posted by inky_the_pinky at 1:55 PM on May 19, 2015

Response by poster: Thanks, I installed that but of course the site still comes up. Will run Malwarebytes again. Microsoft's response was 'use Internet Explorer'.
posted by srednivashtar at 2:38 PM on May 19, 2015

www.59e.com appears to be the home page of a cryptocoin mining assistant, for remote management of bitcoin or other cryptocurrency mining agents. It's called Xiao Niu, or baby cow. (source: I read Chinese).

To me, this suggests either a malware infection, or a tag-along piece of software that some disreputable game or utility installer put in. I very much doubt it has anything to do with Office.
posted by zjacreman at 2:53 PM on May 19, 2015

Response by poster: Thanks. So why does it only open the site when I click on the 'Manage Account' button within Office? Two Malware scans have thrown up nothing.
posted by srednivashtar at 3:00 PM on May 19, 2015

Have you actually checked to make sure that the site hasn't been added to your Firefox home page tab list? Have you tried opening links from other applications to verify that it's only Office that's doing this?

Malwarebytes isn't foolproof, and in my experience has not kept up well with the state of the art in malware obfuscation. Have you tried another scanner?
posted by zjacreman at 3:39 PM on May 19, 2015

Response by poster: Firefox seems to be the problem, as the 59e.com site doesn't show up when I follow the same path in IE. But then I reinstalled Firefox and it's still there. I've tried opening links in three other applications and none of them open 59e.com as well. Any recommendations for other scanners?
posted by srednivashtar at 3:48 PM on May 19, 2015

Deezil's profile has a full malware scan protocol that's often recommended.
posted by bluecore at 4:32 PM on May 19, 2015

I reinstalled Firefox and it's still there

Reinstalling Firefox won't fix a corrupted Firefox profile, and your profile is where Firefox extensions are stored.

Try closing Firefox and opening a Windows Explorer file browser window. In the address bar, type exactly %APPDATA% and hit Enter. Rename the Mozilla folder to Mozilla-renamed and then start Firefox again.

This will force Firefox to build you a completely fresh user profile. Pay attention if it asks you whether to allow the use of pre-installed extensions; if so, deny all of them. Then check for the reappearance of 59e.com.

If that does indeed fix it, you can be pretty sure that a rogue Firefox extension was the cause.

To get your original Firefox profile back, close Firefox and return to the %APPDATA% window. Rename the Mozilla folder to Mozilla-clean (or delete it; there won't be anything in there that you can't easily recreate) and rename Mozilla-renamed to Mozilla.

If in fact you are dealing with a rogue extension, you should then be able to get rid of it via Firefox's Addons page.
posted by flabdablet at 6:14 PM on May 19, 2015

Response by poster: Thanks flabdablet, great advice. Didn't make any difference unfortunately - the website still appears even when I have a 'clean' Firefox profile. Oddly, the other buttons that launch the browser on my Account page don't bring up the rogue website, just the 'Manage Account' button. I've selectively disabled and enabled all the add-ons, but that makes no difference either. Microsoft are recommending I buy one of their support subscriptions and they can then remotely dive in and sort it out themselves. Anyone have any experience of this?
posted by srednivashtar at 12:15 AM on May 20, 2015

Before you even contemplate paying out good money for badly scripted level 1 support, I recommend you do the following things:

1. Work carefully through the manual process for Superfish removal and see if that clears the thing up.

2. Go full Deezil.
posted by flabdablet at 1:35 AM on May 20, 2015

« Older Pocket Projectors: latest and greatest   |   How does a relatively new to US sports fan become... Newer »
This thread is closed to new comments.