
"SWF.BD.Virus" Message; Browser Slows & Crashes; Continuing Adware Issue?


This topic is locked
10 replies to this topic

#1 techgnosis

  • Members
  • 66 posts
  • Gender:Male
  • Location:New York City Area

Posted 29 September 2016 - 07:11 PM

This is a follow up from this thread:

 

http://www.bleepingcomputer.com/forums/t/627745/pop-up-says-exploitswfbd-virus-has-infiltrated-ask-to-call-844-471-7727/#entry4093256

 

Initially, I was getting this message: 

 

Windows Firewall Security Damaged by Exploit.SWF.bd Virus

Please visit your nearest Windows Service Center or call Microsoft Windows Help Desk Now.

Customer Service:  1-844-471-7727 (toll free)

 

That was clearly some kind of virus or ransomware residing in my system.  

 

Also, I noticed my Opera browser is downloading zipped setup folders to my C:\Users\Download folder.  I submitted that to the VirusTotal site and found that it's some kind of adware.

 

 

Ran CCleaner, installed ad blocks for Chrome and Firefox, disabled some programs, got rid of Opera, installed Firefox.  But I was still getting some adware messages like this from ESET:

 

Time;URL;Status;Application;User;IP address;Threat
9/28/2016 10:40:08 PM;http://widgets.outbrain.com/outbrain.js; Blocked by internal IP blacklist;C:\Program Files (x86)\Mozilla Firefox\firefox.exe;RANDLESTER\Sklel;193.238.153.10;
9/28/2016 10:40:07 PM;http://widgets.outbrain.com/outbrain.js; Blocked by internal IP blacklist;C:\Program Files (x86)\Mozilla Firefox\firefox.exe;RANDLESTER\Sklel;193.238.153.10;
9/28/2016 10:39:54 PM;http://cdn.engine.4dsply.com/Scripts/infinity.js.aspx?guid=b10a68e0-0178-42b1-a256-afeb4b619d52;Blocked by internal IP blacklist;C:\Program Files (x86)\Mozilla Firefox\firefox.exe;RANDLESTER\Sklel;193.238.153.10;
9/28/2016 8:38:07 PM;http://widgets.outbrain.com/images/widgetIcons/play_100x100.png;Blocked by internal IP blacklist;C:\Program Files

 

So far, no ransomware message but the system does crash (either Chrome or Firefox) often.  My best guess is that I may have downloaded some adware or spyware through Adobe Shockwave, which was crashing often before and I tried to update those features.

 

I use Windows 8.1, run ESET, ran Hitman Pro, also ran AdwCleaner and Junkware Removal Tool:  nothing shown. Was getting "Pup.optional.terraclicks.shrtcln" files which have been quarantined by Malwarebytes.  Subsequent runs didn't show any more.

Attached Files


Edited by techgnosis, 29 September 2016 - 07:12 PM.



#2 nasdaq

  • Malware Response Team
  • 40,490 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 01 October 2016 - 09:12 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

--RogueKiller--
  • Download & SAVE to your Desktop Download RogueKiller
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator"
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a window opens to explain what [PUM's] are, read about it.
  • Click the RogueKiller icon on your taskbar to return to the report.
  • Click open the Report
  • Click Export TXT button
  • Save the file as ReportRogue.txt
  • Click the Remove button to delete the items in RED
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next reply.
=======

Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
createsrpoint;
autoclean;
emptyclsid;
emptyffcache;
FFdefaults;
emptyiecache;
iedefaults;
emptychrcache;
CHRdefaults;
emptyalltemp;
emptyfolderscheck;delete
ipconfig /flushdns;b
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run all the script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.
===

Also, please provide an update on how the computer is behaving after running the above script.

P.S.
Was any COMODO software installed on this computer and was removed?

#3 techgnosis

  • Topic Starter
  • Members
  • 66 posts
  • Gender:Male
  • Location:New York City Area

Posted 02 October 2016 - 04:25 PM

Hi, thanks so much.  I've just finished it. Yes, was using Comodo with Kaspersky (it's compatible once you install Kaspersky first).  Was told don't need Comodo.  Not sure if I completely uninstalled it.

 

Haven't checked the performance yet.  Usually I know fairly quickly.  

Attached Files



#4 nasdaq

  • Malware Response Team
  • 40,490 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 03 October 2016 - 08:43 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  No File
URLSearchHook: [S-1-5-21-2767479305-1133554152-2264245223-1001] ATTENTION => Default URLSearchHook is missing
DPF: HKLM-x32 {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://javadl-esd.oracle.com/update/1.4.1/jinstall-1_4_1-windows-i586.cab
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\53.0.2785.116\ppGoogleNaClPluginChrome.dll => No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\53.0.2785.116\pdf.dll => No File
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.145\npGoogleUpdate3.dll => No File
CHR Plugin: (McAfee SecurityCenter) - c:\PROGRA~2\mcafee\msc\NPMCSN~1.DLL => No File
CHR Extension: (Chrome Web Store Payments) - C:\Users\Sklel\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-02]
CHR HKLM-x32\...\Chrome\Extension: [aaffhmecfaelkngcbnfdkcckmillnoki] - hxxps://clients2.google.com/service/update2/crx

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Attention. From your FRST log.
C:\WINDOWS\System32\InputMethod\KOR\KorIME.exe

Check this article. If you have any difficulties with your Operating system download and run the fix.
http://www.microsoftfixit.net/microsoft-windows-8-korime-exe/

===


Let me know what problem persists,

#5 techgnosis

  • Topic Starter
  • Members
  • 66 posts
  • Gender:Male
  • Location:New York City Area

Posted 03 October 2016 - 12:54 PM

Ok, here's the run:

 

 

Attached Files



#6 nasdaq

  • Malware Response Team
  • 40,490 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 04 October 2016 - 08:09 AM

Any remaining issues?

#7 techgnosis

  • Topic Starter
  • Members
  • 66 posts
  • Gender:Male
  • Location:New York City Area

Posted 04 October 2016 - 11:14 PM

I still get messages about filtered websites which are blocked by my ESET.  It's for sites like widgets.outbrain and cdn.taboola.com.  Is this normal?

 

10/3/2016 11:37:23 PM;http://widgets.outbrain.com/nanoWidget/externals/obFrame/obFrame.htm;Blocked by internal IP blacklist;C:\Program Files (x86)\Google\Chrome\Application\chrome.exe;Randlester\Sklel;193.238.153.10;

10/3/2016 11:37:23 PM;http://widgets.outbrain.com/images/widgetIcons/ob_logo_16x16.png;Blocked by internal IP blacklist;C:\Program Files (x86)\Google\Chrome\Application\chrome.exe;Randlester\Sklel;193.238.153.10;

10/3/2016 11:36:56 PM;http://widgets.outbrain.com/nanoWidget/externals/obFrame/obFrame.htm;Blocked by internal IP blacklist;C:\Program Files (x86)\Google\Chrome\Application\chrome.exe;Randlester\Sklel;193.238.153.10;

10/3/2016 11:36:30 PM;http://widgets.outbrain.com/nanoWidget/externals/obFrame/obFrame.htm;Blocked by internal IP blacklist;C:\Program Files (x86)\Google\Chrome\Application\chrome.exe;Randlester\Sklel;193.238.153.10;

10/3/2016 10:41:21 PM;http://widgets.outbrain.com/nanoWidget/externals/obFrame/obFrame.htm;Blocked by internal IP blacklist;C:\Program Files (x86)\Google\Chrome\Application\chrome.exe;Randlester\Sklel;193.238.153.10;

10/3/2016 10:39:32 PM;http://widgets.outbrain.com/nanoWidget/externals/obFrame/obFrame.htm;Blocked by internal IP blacklist;C:\Program Files (x86)\Google\Chrome\Application\chrome.exe;Randlester\Sklel;193.238.153.10;

10/3/2016 10:38:43 PM;http://widgets.outbrain.com/nanoWidget/externals/obFrame/obFrame.htm;Blocked by internal IP blacklist;C:\Program Files (x86)\Google\Chrome\Application\chrome.exe;Randlester\Sklel;193.238.153.10;

10/3/2016 10:38:42 PM;http://widgets.outbrain.com/nanoWidget/externals/obFrame/obFrame.htm;Blocked by internal IP blacklist;C:\Program Files (x86)\Google\Chrome\Application\chrome.exe;Randlester\Sklel;193.238.153.10;

10/3/2016 9:59:45 PM;http://widgets.outbrain.com/obtp.js;Blocked by internal IP blacklist;C:\Program Files (x86)\Google\Chrome\Application\chrome.exe;Randlester\Sklel;193.238.153.10;

10/3/2016 9:54:41 PM;http://widgets.outbrain.com/obtp.js;Blocked by internal IP blacklist;C:\Program Files (x86)\Google\Chrome\Application\chrome.exe;Randlester\Sklel;193.238.153.10;

10/3/2016 2:24:05 AM;http://widgets.outbrain.com/outbrain.js;Blocked by internal IP blacklist;C:\Program Files (x86)\Google\Chrome\Application\chrome.exe;Randlester\Sklel;193.238.153.10;

10/3/2016 1:45:17 AM;http://widgets.outbrain.com/outbrain.js;Blocked by internal IP blacklist;C:\Program Files (x86)\Google\Chrome\Application\chrome.exe;Randlester\Sklel;193.238.153.10;

10/2/2016 7:00:32 PM;http://widgets.outbrain.com/outbrain.js;Blocked by internal IP blacklist;C:\Program Files (x86)\Google\Chrome\Application\chrome.exe;Randlester\Sklel;193.238.153.10;

10/2/2016 6:57:07 PM;http://widgets.outbrain.com/outbrain.js;Blocked by internal IP blacklist;C:\Program Files (x86)\Google\Chrome\Application\chrome.exe;Randlester\Sklel;193.238.153.10;

10/2/2016 6:34:03 PM;http://widgets.outbrain.com/outbrain.js;Blocked by internal IP blacklist;C:\Program Files (x86)\Google\Chrome\Application\chrome.exe;Randlester\Sklel;193.238.153.10;

10/2/2016 6:12:39 PM;http://widgets.outbrain.com/outbrain.js?_=1475446357967;Blocked by internal IP blacklist;C:\Program Files (x86)\Google\Chrome\Application\chrome.exe;Randlester\Sklel;193.238.153.10;

10/2/2016 10:46:18 AM;http://cdn.taboola.com/libtrc/nationalinterest/loader.js;Blocked by internal IP blacklist;C:\Program Files (x86)\Google\Chrome\Application\chrome.exe;Randlester\Sklel;193.238.153.10;

10/2/2016 10:42:02 AM;http://cdn.taboola.com/libtrc/nationalinterest/loader.js;Blocked by internal IP blacklist;C:\Program Files (x86)\Google\Chrome\Application\chrome.exe;Randlester\Sklel;193.238.153.10;

10/2/2016 2:47:48 AM;http://cdn.taboola.com/libtrc/nbcuniversal-cnbc-makeit/loader.js;Blocked by internal IP blacklist;C:\Program Files 
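The ESET "Filtered websites" entries quoted in post #1 and again in post #7 share one shape: semicolon-separated fields in the order of the header line the thread shows (Time;URL;Status;Application;User;IP address;Threat). The added script below is not from the thread, from ESET or from BleepingComputer; it is an illustration of how a reader can triage such an export offline. It assumes only that field order, treats the sample lines embedded in it as constructed (they copy the shape of the thread's entries, including one truncated line like the last one above), and assumes the time stamps use the US month/day/year, 12-hour format seen in the thread. It groups the blocked requests by host and by requesting process, so the answer to "is this normal?" becomes visible: every block is a known ad/content-recommendation host requested by the browser itself, which is ESET's blacklist working rather than a sign of a separate infection. The non-browser check at the end is the one a defender would want: a blocked URL fetched by something other than the browser is what would deserve a closer look.

```python
"""Triage helper for ESET 'Filtered websites' log exports (added example)."""
from collections import Counter
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample in the shape of the thread's ESET lines (not a real export).
# The last line is deliberately cut short, like the truncated entry in the thread.
SAMPLE_LOG = """\
10/3/2016 11:37:23 PM;http://widgets.outbrain.com/nanoWidget/externals/obFrame/obFrame.htm;Blocked by internal IP blacklist;C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe;Randlester\\Sklel;193.238.153.10;
10/3/2016 9:59:45 PM;http://widgets.outbrain.com/obtp.js;Blocked by internal IP blacklist;C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe;Randlester\\Sklel;193.238.153.10;
10/2/2016 10:46:18 AM;http://cdn.taboola.com/libtrc/nationalinterest/loader.js;Blocked by internal IP blacklist;C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe;Randlester\\Sklel;193.238.153.10;
9/28/2016 10:40:08 PM;http://widgets.outbrain.com/outbrain.js; Blocked by internal IP blacklist;C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe;RANDLESTER\\Sklel;193.238.153.10;
10/2/2016 2:47:48 AM;http://cdn.taboola.com/libtrc/nbcuniversal-cnbc-makeit/loader.js;Blocked by internal IP blacklist;C:\\Program Files
"""

# Field order taken from the header line ESET prints (assumption: unchanged export layout).
FIELDS = ("time", "url", "status", "application", "user", "ip", "threat")
TIME_FORMAT = "%m/%d/%Y %I:%M:%S %p"  # assumption: US-style 12-hour stamps as in the thread
# Processes we expect to be fetching web content; anything else is worth a look.
BROWSERS = {"chrome.exe", "firefox.exe", "iexplore.exe", "opera.exe", "microsoftedge.exe"}


def parse_line(line):
    """Parse one export line into a dict, or return None if the line is truncated."""
    parts = [p.strip() for p in line.split(";")]  # strip handles ESET's '; Blocked' spacing
    if len(parts) < len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    try:
        rec["when"] = datetime.strptime(rec["time"], TIME_FORMAT)
    except ValueError:
        rec["when"] = None  # keep the record even if the stamp is in another locale
    rec["exe"] = rec["application"].rsplit("\\", 1)[-1].lower()  # basename of the process path
    rec["host"] = urlsplit(rec["url"]).hostname
    return rec


def parse_log(text):
    """Split an export into parsed records and lines too short to parse."""
    records, truncated = [], []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Time;"):
            continue  # skip blank lines and the header row
        rec = parse_line(line)
        if rec is None:
            truncated.append(line)
        else:
            records.append(rec)
    return records, truncated


def summarise(records):
    """Count blocked requests by host, by requesting process and by ESET status."""
    return {
        "hosts": Counter(r["host"] for r in records),
        "exes": Counter(r["exe"] for r in records),
        "statuses": Counter(r["status"] for r in records),
    }


def time_span(records):
    """Earliest and latest parsable time stamp, or None if none parsed."""
    times = [r["when"] for r in records if r["when"] is not None]
    return (min(times), max(times)) if times else None


def unexpected_processes(records, browsers=BROWSERS):
    """Records where something other than a browser requested a blocked URL."""
    return [r for r in records if r["exe"] not in browsers]


if __name__ == "__main__":
    recs, bad = parse_log(SAMPLE_LOG)
    s = summarise(recs)
    print(f"{len(recs)} blocked requests, {len(bad)} truncated line(s) skipped")
    for host, n in s["hosts"].most_common():
        print(f"  host    {host}: {n}")
    for exe, n in s["exes"].most_common():
        print(f"  process {exe}: {n}")
    span = time_span(recs)
    if span:
        print(f"  first {span[0]}  last {span[1]}")
    print(f"  blocked requests from non-browser processes: {len(unexpected_processes(recs))}")
```

On the sample the hosts collapse to widgets.outbrain.com and cdn.taboola.com, every request comes from chrome.exe or firefox.exe, and the non-browser list is empty; that is the profile of a blocked ad widget, not of a process on the machine calling out on its own. A truncated line is reported rather than silently dropped so a reader knows to re-export it.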



#8 nasdaq

  • Malware Response Team
  • 40,490 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 05 October 2016 - 09:21 AM


Looks like ESET is doing its job.

Disable E-set notification.

http://support.eset.com/kb2148/?locale=en_US

Let me know if it helps.
===

#9 techgnosis

  • Topic Starter
  • Members
  • 66 posts
  • Gender:Male
  • Location:New York City Area

Posted 05 October 2016 - 11:01 AM

Ok, thanks so much.  Haven't seen the SWF.BD ransom message yet.  Just curious, what did RogueKiller and FRST runs find?  



#10 nasdaq

  • Malware Response Team
  • 40,490 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 06 October 2016 - 08:34 AM

Nothing malicious. Just some annoying settings.

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/

#11 techgnosis

  • Topic Starter
  • Members
  • 66 posts
  • Gender:Male
  • Location:New York City Area

Posted 06 October 2016 - 04:41 PM

Ok, thank you so much for your help. No problem so far so I think it has been successful.  Thanks again.





