
Some kind of infection ? (Windows 8, Firefox)


11 replies to this topic

#1 Magnus975

Magnus975

  • Members
  • 10 posts
  • OFFLINE
  • Local time:10:26 AM

Posted 19 May 2016 - 06:30 AM

Hi all,
 
First of all, thanks to anyone taking the time to read this ! I'm quite stressed out now as I have a bad situation already (health & financial) and it seems I have some kind of virus / malware infection on top of it all, so I would really appreciate any help in getting sorted out.
I am admin of a few facebook groups with several thousand members, and one of my tasks is reviewing what is posted - so unfortunately I am a bit exposed when it comes to malicious webpages/content.
 
I run Windows 8 (64 bit) and it seems I have an infection (at least one), which may have come from a malicious webpage (was clicking a link on Facebook with Firefox 46.0.1).
 
The infection started to show itself as a "proxy"/"redirection" thing, where it seems that (maybe) some valid URLs, and/or maybe URLs that should result in 404's on various websites instead redirected to a separate site (something called "rose.dntrx.com", and possibly also "verify.info4security.org" & "www.cshtrk.com"). I'm hoping it is a simple adware/ad-hijacking thing, and not some evil advanced virus.
 
I tried to inactivate most of the unknown plugins etc. in Firefox, and also set the network settings in FF to use "no proxy" instead of "use system settings for proxy" - also did a scan with Malwarebytes (see below) - and after that it seems the infection isn't triggered as before...
 
So, a few questions:
 
1) How do I best check what I have been infected with - and if I am STILL infected?
- I have FSecure 16.2, with an active sub - didn't report anything
- and I did download & run Malwarebytes Antimalware
(gave me this log, it is in Swedish but if you know the software, you can probably figure it out :) )

<logs removed at OP's request>


2) Is there any general removal software that is recommended for Win 8 (64 bit)? ...or is it too specific & do I need to follow the actual infection?
 
3) How / where can I check if the infection manipulated my proxy-settings ? ... and how to clear that ?
 
4) Is it likely that it is an advanced virus ? (deploying rootkit & secondary layers of infections/reroutings/trojans/hijacks/keyloggers etc) ... or is it most likely a "simple one" ?
 
Thanks again for taking the time to read through this & any help you can provide !
 
/Magnus



#2 buddy215

buddy215

  • Moderator
  • 13,324 posts
  • OFFLINE
  • Gender:Male
  • Location:West Tennessee
  • Local time:03:26 AM

Posted 19 May 2016 - 06:58 AM

Check further for more adware and malware.

 

Use CCleaner to remove Temporary files, program caches, cookies, logs, etc. Use the Default settings. No need to use the Registry Cleaning Tool...risky. Pay close attention while installing and UNcheck offers of toolbars....especially Google.

After install, open CCleaner and run by clicking on the Run Cleaner button in the bottom right corner.

CCleaner - PC Optimization and Cleaning - Free Download

 

Download AdwCleaner by Xplode onto your desktop.

  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Scan button.
  • When the scan has finished click on Clean button.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

Download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

Hold down Control and click on this link to open ESET OnlineScan in a new window.

  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the esetsmartinstaller_enu.exe icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats".
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats.
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.
  • NOTE: Sometimes if ESET finds no infections it will not create a log.

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 Magnus975

Magnus975
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:10:26 AM

Posted 19 May 2016 - 08:00 AM

Hi again & thanks for help so far...
 
I installed & ran CCleaner, and it had a long list of fixes & files it wanted to remove (many of them I know of not being malicious - but I removed them anyway), and a long list of registry-changes which have all been done now.
Here is the log from AdwCleaner

<logs removed at OP's request>

Back to my questions - is it possible the whole problem I had was a result of PUP.Optional.InstallCore ? ... or does anything else in my logs indicate suspicious stuff ?

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,492 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:04:26 AM

Posted 19 May 2016 - 09:34 AM

Hi, not here to take over the topic, but did you run ESET?

As to your InstallCore question, yes it is possible.
PUP.Optional.InstallCore is deemed a potentially unwanted program that performs malicious actions once installed on the computer. This detection by the Malwarebytes Anti-Malware program is given to specific software that a user may optionally install together with a third-party application.

It's possible you installed this as bundled software. It came hidden in another install. I always choose the Custom install and not the Recommended install. Then you can see what is going on.

How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#5 buddy215

buddy215

  • Moderator
  • 13,324 posts
  • OFFLINE
  • Gender:Male
  • Location:West Tennessee
  • Local time:03:26 AM

Posted 19 May 2016 - 10:04 AM

CCleaner, if used per instructions, would have cleaned out temporary files, cookies, logs and program caches. Note that I mentioned no need to use the Registry cleaner and that it was risky to do. CCleaner does not specifically target adware and malware. It is not a security program.

 

After posting Eset Online Scan results, please do this:

 

Post the three lists mentioned below using CCleaner.

Open CCleaner and click on Tools. Choose Startups. On that page you will see a list of Windows Startups and at the top tabs for each browser and Scheduled Tasks. At the bottom right of that page you will see a button which, when clicked, will allow you to Copy and Paste the list of Windows Startups and Scheduled Tasks into your next post. Please do that.

 

Open CCleaner and click on Tools. Choose Uninstall. On that page you will see a list of programs installed on your computer and at the bottom right of that page you will see a button which, when clicked, will allow you to Copy and Paste that list in your next post. Please do that.



#6 Magnus975

Magnus975
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:10:26 AM

Posted 19 May 2016 - 12:41 PM

Hi again, Eset took a looong time (I have many files on the computer) and actually gave 6 infections - but those are files I have never executed on this computer - or any other probably - (came as reference to a programming book)

 

D:\....\Reference\Programming Windows\Chap11\Colors2\Release\Colors2.exe    Win32/Bifrose.NCQ trojan    cleaned by deleting
D:\....\Reference\Programming Windows\Chap17\ChosFont\Release\ChosFont.exe    a variant of Win32/Kryptik.EDMU trojan    cleaned by deleting
D:\....\Reference\Programming Windows\Chap18\Emf1\Release\Emf1.exe    a variant of Win32/Kryptik.BGSN trojan    cleaned by deleting
D:\....\Backup 130416\Development\Reference\Programming Windows\Chap11\Colors2\Release\Colors2.exe    Win32/Bifrose.NCQ trojan    cleaned by deleting
D:\....\Backup 130416\Development\Reference\Programming Windows\Chap17\ChosFont\Release\ChosFont.exe    a variant of Win32/Kryptik.EDMU trojan    cleaned by deleting
D:\....\Backup 130416\Development\Reference\Programming Windows\Chap18\Emf1\Release\Emf1.exe    a variant of Win32/Kryptik.BGSN trojan    cleaned by deleting
 

So... I'm hoping that these are "old spooks" - but I'm afraid it might be a "hiding place" for an active, morphing & advanced virus... anyone who could weigh in on "old harmless" vs "new advanced hiding place"?

Since it had affected TWO files (same file but different instance of an old backup, located in different folders) for each trojan I'm guessing it is NOT a "new super-advanced hiding algorithm", as such a solution would probably go for one file or several different files.


Edited by Magnus975, 19 May 2016 - 12:42 PM.


#7 Magnus975

Magnus975
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:10:26 AM

Posted 19 May 2016 - 12:51 PM

Here are the lists from CCleaner
 
<logs removed at OP's request>

Installed programs is a big one, and I'll see if I can attach it somehow.

#8 Magnus975

Magnus975
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:10:26 AM

Posted 19 May 2016 - 12:59 PM

Couldn't find an attach button in a reply, so I'll post it here... it's a pretty massive list as the computer is a combo of development / video-editing / DAW studio computer, with games & stuff on...
 
CCleaner install-list

<logs removed at OP's request>

#9 Magnus975

Magnus975
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:10:26 AM

Posted 19 May 2016 - 01:10 PM

So, trying to summarize...

1) is there a way I can see if any program has manipulated my proxy-settings ?

 

2) is there a way to commonly trigger "redirection- / proxy-changing / browser-hijacking" malware/viruses - to see if I still have a problem ?

 

3) are there any "red lights" from the lists I've posted that look suspicious ?

 

4) how can I verify I've cleaned out the infection? Are the above programs enough - or is there more analysis that needs to be done / more lists to post?

With a computer/workstation with this much software on - it is too much work to follow the regular "wipe & reinstall" recommendation - as reinstall & reconfig would take weeks. Sadly I'm not in a position of either health (to deal with this myself) or funds (have no money to hire someone to set up a properly shielded/protected solution) - so I'm hoping the problem will just go away, for me to focus on recovery of life in general rather than some virus / hijacking nastiness :-(



#10 buddy215

buddy215

  • Moderator
  • 13,324 posts
  • OFFLINE
  • Gender:Male
  • Location:West Tennessee
  • Local time:03:26 AM

Posted 19 May 2016 - 02:39 PM

Have any idea why some of your Windows programs show an install date of 1970?

Examples: Väder    Microsoft Corporation    1970-01-01        2.0.0.310, Video    Microsoft Corporation    1970-01-01        1.5.41.0

 

Suggest you Disable these Windows Startups: Use CCleaner by clicking on each item and choosing Disable on the right.

Yes    HKCU:Run    AdobeBridge
Yes    HKCU:Run    CCleaner Monitoring    Piriform Ltd    "C:\Program Files\CCleaner\CCleaner64.exe" /MONITOR
Yes    HKCU:Run    Spotify Web Helper    Spotify Ltd    "C:\Users\Magnus\AppData\Roaming\Spotify\SpotifyWebHelper.exe"
Yes    HKCU:Run    Steam    Valve Corporation    "D:\Games\Steam\steam.exe" -silent
Yes    HKLM:Run    APSDaemon    Apple Inc.    "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
Yes    HKLM:Run    BlueStacks Agent    BlueStack Systems, Inc.    C:\Program Files (x86)\BlueStacks\HD-Agent.exe
Yes    HKLM:Run    Command Center    MSI    C:\Program Files (x86)\MSI\Command Center\StartCommandCenter.exe
Yes    HKLM:Run    ControlCenter3        C:\Program Files (x86)\Brother\ControlCenter3\brctrcen.exe /autorun
Yes    HKLM:Run    iTunesHelper    Apple Inc.    "C:\Program Files\iTunes\iTunesHelper.exe"

 

Disable these Tasks: Use CCleaner by clicking on each item and choosing Disable on the right.

Yes    Task    CreateChoiceProcessTask    Microsoft Corporation    C:\Windows\BrowserChoice\browserchoice.exe /launch
Yes    Task    GoogleUpdateTaskMachineCore        C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /c
Yes    Task    GoogleUpdateTaskMachineUA        C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua /installsource scheduler

 

Uninstall these programs:

Bing    Microsoft Corporation    1970-01-01        1.5.1.259
ESET Online Scanner v3        2016-05-19
Java 7 Update 60 (64-bit)    Oracle    2014-06-17    118 MB    7.0.600
Mozilla Firefox 25.0.1 (x86 sv-SE)    Mozilla    2013-12-01    49,3 MB    25.0.1
Mozilla Maintenance Service    Mozilla    2013-12-01    221 KB    25.0.1
QuickTime 7    Apple Inc.    2016-02-17    69,1 MB    7.79.80.95 (No longer supported in Windows...risky to keep...up to you.)

 

I noticed in your MBAM scan log that Scan for Rootkits was not enabled. Please follow the directions below for using MBAM and be sure to enable Scan For Rootkits.

 

  • Once MBAM opens, when it says Your databases are out of date, click the Fix Now button.
  • Click the Settings tab at the top, and then in the left column, select Detections and Protections, and if not already checked place a checkmark in the selection box for Scan for rootkits.
  • Click the Scan tab at the top of the program window, select Threat Scan and click the Scan Now button.
  • If you receive a message that updates are available, click the Update Now button (the update will be downloaded, installed, and the scan will start).
  • When MBAM is finished scanning it will display a screen that displays any malware that it has detected.
  • Click the Remove Selected button.
  • MBAM will now delete all of the files and registry keys and add them to the programs quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so.
  • While still on the Scan tab, click the link for View detailed log, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log is automatically saved by MBAM and can also be viewed by clicking the History tab and then selecting Application Logs.

POST THE LOG FOR REVIEW.



#11 Magnus975

Magnus975
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:10:26 AM

Posted 20 May 2016 - 09:52 AM

Hi again Buddy215 and thanks for your time trying to help !
 
I did some of the steps you suggest (some are not good to do as they remove functionality I need), and the Mozilla 25 is a weird one as it points to the 46.x installation (and would probably uninstall the main Mozilla?)
 
I did a long scan with MBAM last night (incl rootkits) and no more threats were found, so I'm hoping the state of the machine is ok now...
see log here

<logs removed at OP's request>

I also tried to check any "system proxy settings" & the hosts file, and found nothing weird (at least where I looked)...
 
Haven't seen any symptoms of malware / virus last day so maybe I'm in the clear ?

Edited by quietman7, 22 May 2016 - 06:22 PM.
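The OP asks several times how to check whether anything has manipulated the system proxy settings, and in the last post mentions looking at the proxy settings and the hosts file by hand. The script below is an added example, not something posted in this thread or part of any of the tools it mentions: a read-only PowerShell audit of the places a browser-redirect or proxy hijack on Windows normally touches. It assumes default Windows and Firefox install paths; the registry keys, preference names and `netsh` command are standard ones, and it only reads and prints, never changes, anything.

```powershell
# Added example (not from the thread): read-only audit of proxy, hosts and
# autostart settings that redirect-style adware commonly modifies.
# Run from an elevated PowerShell prompt on Windows 8 or later.

# 1. WinINET ("Internet Options") proxy settings. Internet Explorer uses these,
#    and so does Firefox when "Use system proxy settings" is selected.
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$p = Get-ItemProperty -Path $inet
Write-Host "`n== WinINET proxy (HKCU) =="
foreach ($name in 'ProxyEnable', 'ProxyServer', 'AutoConfigURL', 'ProxyOverride') {
    $value = $p.$name
    if ($null -ne $value -and "$value" -ne '') {
        Write-Host ("{0,-15} {1}" -f $name, $value)
    }
}
if ($p.ProxyEnable -eq 1 -or $p.AutoConfigURL) {
    Write-Warning 'A proxy server or PAC script is configured. Confirm you set it yourself.'
}

# 2. WinHTTP proxy: a separate setting used by services and some updaters.
#    "Direct access (no proxy server)" is the expected answer on a home PC.
Write-Host "`n== WinHTTP proxy =="
netsh winhttp show proxy

# 3. Firefox: network.proxy.type 0 = no proxy, 1 = manual, 2 = PAC URL,
#    4 = auto-detect, 5 = use system settings (the default). prefs.js only
#    stores values that differ from the default, so a clean profile prints
#    nothing here. A manual proxy or PAC URL you did not set deserves a look.
Write-Host "`n== Firefox proxy preferences (non-default only) =="
$profiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
Get-ChildItem -Path $profiles -Directory -ErrorAction SilentlyContinue | ForEach-Object {
    $prefs = Join-Path $_.FullName 'prefs.js'
    if (Test-Path $prefs) {
        Write-Host "Profile: $($_.Name)"
        Select-String -Path $prefs -Pattern 'network\.proxy\.' |
            ForEach-Object { Write-Host ('  ' + $_.Line) }
    }
}

# 4. hosts file: print only active (non-comment, non-blank) lines. A stock
#    Windows hosts file has none, since localhost is resolved internally.
Write-Host "`n== hosts file entries =="
$hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content -Path $hosts | Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' }

# 5. Run keys: the same autostart entries CCleaner's Startups tab shows.
#    Anything here you do not recognise is worth looking up before disabling.
Write-Host "`n== Run keys =="
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
foreach ($key in $runKeys) {
    if (Test-Path -Path $key) {
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notin $providerProps } |
            ForEach-Object { Write-Host ("{0}`n  {1} = {2}" -f $key, $_.Name, $_.Value) }
    }
}
```

The checks are independent, so a section that prints nothing is itself useful information: an empty Firefox section plus `ProxyEnable` absent or 0 and no `AutoConfigURL` means neither the browser nor the system is being pointed at a proxy, which is the state the OP was trying to confirm. The hosts and Run-key sections give a baseline to compare against after a later scan, so a new entry stands out.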


#12 buddy215

buddy215

  • Moderator
  • 13,324 posts
  • OFFLINE
  • Gender:Male
  • Location:West Tennessee
  • Local time:03:26 AM

Posted 20 May 2016 - 01:05 PM

Yeah...I was wondering how the old Firefox was still showing in the list. I would leave it alone since it is not causing any problem.

 

I see no symptom or suggestion that there is malware. I think you are good to go....





