Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Browser hijacker (only?) or also SysWOW64


  • This topic is locked This topic is locked
10 replies to this topic

#1 tgeor

tgeor

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:09:14 AM

Posted 31 March 2016 - 07:01 PM

A couple of days ago my browser (firefox) was hijacked... When starting firefox, besides opening a tab with my home page, it was also opening a tab to trustedsurf.com and at random (?) times during browsing, new tabs opened that redirected me to various other pages...

 

I downloaded and run the latest version of Malwarebytes Anti-Malware 2.2.1, which did a clean up in my PC and I also manually edited and removed the "redirect" to trustedsurf.com in the shortcuts of Firefox (and Chrome as well). The log of this job (and what it removed) can be found here --> Attached File  antimalware 2903016.txt   5.27KB   2 downloads

 

I was under the impression that this was it, since I didn't have any new incidents of random tabs, but I kept Anti-Malware 2.2.1 running anyway and perform another scan. Even though the new scan came back negative (0 threats), when I was browsing through a popular news site in my country (www.in.gr) I kept getting the Malicious website blocked from Anti-Malware... (note that when I closed the tab of www.in.gr while keeping the firefox open these messages stopped). Interesting enough it was only the following two sites that were blocked: onhax.net and cdn.adstract.com. I'm hoping they have to do with advertisements in the www.in.gr than anything else...

 

Nevertheless, the above made me download and run the Junkware Removal Tool (here is the respective log --> Attached File  JRT.txt   7.65KB   1 downloads) and Roguekiller Anti-Malware, and even though I got only a couple of reg key warnings, Roguekiller did produce a [Hidden.ADS][Stream] C:\Windows\SysWOW64:Win32App_1 message, noting that this should be removed immediately. I'm not sure if this is false positive or it is something related to the previous behavior of my browser... In any case I did NOT proceed with removing this or any other action requested by Roguekiller Anti-Malware... The respective log can be found here --> Attached File  rk_C413.txt   4.75KB   2 downloads.

 

To speed up a possible debugging procedure I tried to follow (as much as possible) the instructions in the following thread http://www.bleepingcomputer.com/forums/t/608178/possible-rogue-malware/ and here are the log files so far (I haven't run all tools yet, e.g. no adwcleaner job).

 

Run Security Check, log file --> Attached File  checkup.txt   1.18KB   0 downloads

Run Farbar Service Scanner (FSS), log file --> Attached File  FSS.txt   2.91KB   1 downloads

Run MiniToolBox, log file --> Attached File  MTB.txt   47.87KB   0 downloads

Run once more, Malwarebytes Anti-Malware 2.2.1, log file --> Attached File  antimalware 310316.txt   1.03KB   0 downloads

Run Malwarebytes Anti-RootKit (MBAR), nothing found as can be seen in the picture  --> Attached File  MBAR_result.jpg   49.91KB   0 downloads

 

 

So even though nothing found so far... I'm not sure how to interpret the results of Roguekiller and if I have a real issue or not.

Any help is greatly appreciated.

 

Thank you.

 

PS: Note that I'm using Win10 and I also use Norton as my default antivirus (which didn't help at all in this case) :unsure:



BC AdBot (Login to Remove)

 


#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,171 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:14 AM

Posted 01 April 2016 - 08:28 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===


Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section in the bottom of the topic Click the "more reply Options" button.
attachlogs.png

Attach the file.
Select the "Choose a File" navigate to the location of the File.
Click the file you wish to Attach.

Click the Add reply button.
===


Please post the logs.

Wait for further instructions.

#3 tgeor

tgeor
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:09:14 AM

Posted 01 April 2016 - 06:18 PM

Hello nasdaq and thank you for helping me with this...

 

Below are the logs you are asking for...

 

The results of AdwCleaner after cleaning can be found here --> Attached File  AdwCleanerC1.txt   9.21KB   1 downloads, while the scan logs of Farbar Recovery Scan Tool can be found here (FRST.txt) --> Attached File  FRST.txt   90.75KB   1 downloads and here (Addition.txt) --> Attached File  Addition.txt   60.47KB   1 downloads

 

I'll wait your feedback on how to proceed from here.

 

 



#4 nasdaq

nasdaq

  • Malware Response Team
  • 40,171 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:14 AM

Posted 02 April 2016 - 08:39 AM


Remove this program in bold via the Control Panel > Programs > Programs and Features applet.
Popcorn Time Offical version 0.8.0.4 (HKLM-x32\...\{8F38178C-CFE2-476C-9DC8-F4203C2395FF}_is1) (Version: 0.8.0.4 - Popcorn Time Offical)

===

Press the windows key Windows_Logo_key.gif+ r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and and click the OK key.

Please copy the entire contents of the code box below to a new file.


Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

(Popcorn Time) C:\Program Files (x86)\Popcorn Time\Updater.exe
HKLM-x32\...\Run: [] => [X]
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
GroupPolicyUsers\S-1-5-21-2367532783-3725018919-2220000620-1005\User: Restriction <======= ATTENTION
GroupPolicyUsers\S-1-5-21-2367532783-3725018919-2220000620-1004\User: Restriction <======= ATTENTION
HKU\S-1-5-21-2367532783-3725018919-2220000620-1000\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.google.com/ie
SearchScopes: HKLM-x32 -> DefaultScope value is missing
BHO: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> No File
BHO-x32: Norton Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> No File
FF Plugin-x32: @real.com/nprpchromebrowserrecordext;version=15.0.6.14 -> C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll [No File]
FF Plugin-x32: @real.com/nprphtml5videoshim;version=15.0.6.14 -> C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll [No File]
FF Plugin-x32: @videolan.org/vlc,version=2.1.0 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [No File]
FF Plugin-x32: @videolan.org/vlc,version=2.1.1 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [No File]
FF Plugin-x32: @videolan.org/vlc,version=2.1.2 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [No File]
FF Plugin-x32: @videolan.org/vlc,version=2.1.3 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [No File]
FF HKLM-x32\...\Firefox\Extensions: [{6D5C8FC4-DE46-41bf-9092-93F0F78E9115}] - C:\ProgramData\Norton\{78CA3BF0-9C3B-40e1-B46D-38C877EF059A}\NSM_2.9.0.21\coFFFw => not found
FF HKLM-x32\...\Firefox\Extensions: [{ABDE892B-13A8-4d1b-88E6-365A6E755758}] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext => not found
FF HKLM-x32\...\Firefox\Extensions: [fmdownloader@gmail.com] - C:\Program Files (x86)\Freemake\Freemake Video Downloader\BrowserPlugin\Firefox\fmdownloader@gmail.com
FF Extension: Freemake Video Downloader Plugin - C:\Program Files (x86)\Freemake\Freemake Video Downloader\BrowserPlugin\Firefox\fmdownloader@gmail.com [2014-06-12] [not signed]
FF HKLM-x32\...\Firefox\Extensions: [ytfmdownloader@gmail.com] - C:\Program Files (x86)\Freemake\Freemake Video Downloader\BrowserPlugin\Firefox\ytfmdownloader@gmail.com
FF Extension: Freemake Youtube Download Button - C:\Program Files (x86)\Freemake\Freemake Video Downloader\BrowserPlugin\Firefox\ytfmdownloader@gmail.com [2014-06-12] [not signed]
CHR Extension: (Freemake Video Downloader) - C:\Users\theo\AppData\Local\Google\Chrome\User Data\Default\Extensions\bpegkgagfojjbcpkihigfmkojdmmimdf [2014-06-12]
CHR Extension: (Norton Security Toolbar) - C:\Users\theo\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjabmdjcfcfdmffimndhafhblfmpjdpe [2016-02-27]
CHR Extension: (Chrome Web Store Payments) - C:\Users\theo\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-10-17]
CHR HKLM-x32\...\Chrome\Extension: [bpegkgagfojjbcpkihigfmkojdmmimdf] - C:\Program Files (x86)\Freemake\Freemake Video Downloader\BrowserPlugin\Chrome\Freemake.Plugin.Chrome.crx [2013-07-26]
R2 Update service; C:\Program Files (x86)\Popcorn Time\Updater.exe [339968 2015-10-19] (Popcorn Time) [File not signed]
S2 HPSLPSVC; C:\Users\theo\AppData\Local\Temp\7zS3FA9\hpslpsvc64.dll [X]
U3 idsvc; no ImagePath
U3 wpcsvc; no ImagePath
C:\Program Files (x86)\Popcorn Time
Task: {1D94D2A3-EADD-4895-B64E-0AFFF7C977AA} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {4AEDE1F0-17D3-4D8E-A268-8B802979C0F1} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {4EFAA580-42C9-4B6B-B621-5CD8E35FC114} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {62807749-4341-4188-A134-5787F4A15405} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {6D4B8DBA-6A67-449E-9CF7-4193518FD2E3} - \Microsoft\Windows\Setup\GWXTriggers\Logon-URT -> No File <==== ATTENTION
Task: {7505224D-F52D-42EB-BB8E-B8FCA03BA65B} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {8AA93D76-84FC-4C5D-B9A2-F62F57854CCB} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeReminderTime -> No File <==== ATTENTION
Task: {AB5F8C63-08AE-4693-8864-9A0F98CDA1CD} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeTime -> No File <==== ATTENTION
Task: {AD4E3FE1-CB26-452D-81C2-40356E552164} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {B18CAC73-1DC1-4F3B-AA3C-4E05CF5DA800} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {B88E53D7-015E-422B-81DF-F581EFFA68C6} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {C14AC4FA-A4EA-4FDE-9939-EEBA019D95B4} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {F4220884-FED8-4E0C-B7B1-4BDC8586D77E} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as Java update!
Important read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882

If still present after the update you can remove the old version(s) of Java via the Control Panel > Programs and Features applet.
Java 8 Update 73 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218073F0}) (Version: 8.0.730.2 - Oracle Corporation)

===

There could be some remnant items.

Run an online scan with Eset (easiest with Internet Explorer): http://www.eset.com/onlinescan/
To shorten the scanning time disable your antivirus program while scanning.

Select Enable detection of potentially unwanted applications.
Click Advanced Settings.

Select:
Scan Archives
Scan for potentially unsafe applications
Enable Anti-Stealth Technology


Click Start.

When the scan is finished, click on List of found threats and then Export to text file. Copy the content of the text file and paste its content in your reply.

This may take awhile, run it when you know you will not need the computer for an hour or two.
<<<>>>

Please post the logs and let me know what problem persists.

#5 tgeor

tgeor
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:09:14 AM

Posted 03 April 2016 - 08:22 AM

Hello nasdaq

 

here is an update on the actions you asked for

 

  • I removed Popcorn Time Offical version 0.8.0.4 through the Control Panel > Programs > Programs and Features applet.
  • I run FRST and Fix. The log file (Fixlog.txt) can be found here --> Attached File  Fixlog.txt   15.15KB   0 downloads
  • I completely removed (uninstalled) Java since I'm now using Firefox-64 where Java is not currently supported.
  • I run an online scan with Eset, but I opted NOT to fix any errors before hearing back from you. The ESET log can be found here --> Attached File  ESET_scan_160403.txt   13.2KB   1 downloads

Regarding any issues when browsing, the problem with random tabs opening in the browser seems to have been solved! However, from time to time I still get some pop up warnings from Malwarebytes Anti-Malware regarding Malicious website blocked that are mainly referring to the following two sites: onhax.net and cdn.adstract.com. I have also seen a similar Malicious website blocked pop-up at least one time regarding a site (qustodio) that I'm using for parental protection/monitor in my laptop. So, I'm not sure if the (pop-up) references to sites like onhax.net, for example, is something that I need to worry about (?).

 

Finally, I run once more Roguekiller Anti-Malware and the results were pretty much the same as the ones I had initially (some days ago) when I started this thread. In other words I still get the  [Hidden.ADS][Stream] C:\Windows\SysWOW64:Win32App_1 message, noting that this should be removed immediately. I tend to believe that this is a false positive given all the other scan results so far. The Roguekiller scan log can be found here --> Attached File  rk_27C2.txt   4.51KB   1 downloads

 

Let me know if I should go ahead and fix the errors produced by Eset and any other steps required.

 

Regards



#6 nasdaq

nasdaq

  • Malware Response Team
  • 40,171 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:14 AM

Posted 03 April 2016 - 10:32 AM

Run the RogueKiller and fix/remove everything was is found.
Settings that are required will be reset.


I would also clean everything found by the E-scan.

How is the computer running now?

#7 tgeor

tgeor
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:09:14 AM

Posted 03 April 2016 - 11:31 AM

Thank you, will fix/remove whatever RogueKiller and E-scan has found and will update you.

Up to now, everything looks/work fine, with the exception of the occasional website blocked pop-ups from Malwarebytes Anti-Malware...



#8 nasdaq

nasdaq

  • Malware Response Team
  • 40,171 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:14 AM

Posted 03 April 2016 - 12:34 PM

Try this.
How do I disable notifications when Malwarebytes Anti-Malware blocks a file or website?

https://support.malwarebytes.org/customer/portal/articles/1835324-how-do-i-disable-notifications-when-malwarebytes-anti-malware-blocks-a-file-or-website-?b_id=6438

#9 tgeor

tgeor
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:09:14 AM

Posted 05 April 2016 - 09:18 AM

Hello nasdaq

 

I have removed all threads identified from RogueKiller and E-scan. Up to now everything looks normal except from the occasional website blocked pop-ups from Malwarebytes Anti-Malware. If they become an annoyance I will follow the procedure described above .. but for now I let them as is...

 

Hopefully I don't have any issues now

 

Thank you for your help on this... :thumbup2:



#10 nasdaq

nasdaq

  • Malware Response Team
  • 40,171 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:14 AM

Posted 06 April 2016 - 07:04 AM

If all is well.

To learn more about how to protect yourself while on the internet read this little guide best security practices keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/

Disable the notifications from MBAM. If you miss them then enable it.

#11 nasdaq

nasdaq

  • Malware Response Team
  • 40,171 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:14 AM

Posted 11 April 2016 - 08:59 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users