sync-eu.exe.bid - what is this and why is Malwarebytes stopping it?


17 replies to this topic

#1 pkoryn

  • Members
  • 9 posts

Posted 04 February 2017 - 06:39 AM

Hi! For the last 24 hours I've been getting a notice from Malwarebytes that it is blocking something called  sync-eu.exe.bid .  The block is outgoing.  I'm not real computer savvy - what is this and is there some way I can remove it from my computer?  I looked online (and on Malwarebytes forums)  but can't seem to find much of anything about this.  Appreciate any help you can offer.


Edited by hamluis, 04 February 2017 - 06:46 AM.
Moved from MRL to Am I Infected - Hamluis.



#2 buddy215

  • Moderator
  • 13,508 posts
  • Location:West Tennessee

Posted 04 February 2017 - 03:57 PM

Probably some adware or maybe even a tracking cookie trying to call home. Use the programs below to clean, remove adware and remove malware. I know you have MBAM installed, but run a scan using it per the instructions and post its log.

Use CCleaner to remove Temporary files, program caches, cookies, logs, etc. Use the Default settings. No need to use the Registry Cleaning Tool...risky. Pay close attention while installing and UNcheck offers of toolbars....especially Google.

After install, open CCleaner and run by clicking on the Run Cleaner button in the bottom right corner.

CCleaner - PC Optimization and Cleaning - Free Download

 

MBAM INSTRUCTIONS

  • Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
  • If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
  • When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
  • Restart your computer when prompted to do so.
  • The Scan log is available through History -> Application logs. Please post its contents in your next reply.

Download AdwCleaner by Xplode onto your desktop.

  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on the Scan button.
  • When the scan has finished click on the Clean button.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

Download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

Hold down Control and click on this link to open ESET OnlineScan in a new window.

  • Click the ESET Online Scanner button.
  • For alternate browsers only (Microsoft Internet Explorer users can skip these steps):
  • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the esetsmartinstaller_enu.exe icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats".
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats.
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.
  • NOTE: Sometimes if ESET finds no infections it will not create a log.

Block third party cookies from installing. Once they are blocked, run CCleaner again to remove the existing ones.

How to disable third-party cookies in all major web browsers


“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 RonBoyd

  • Members
  • 5 posts

Posted 04 February 2017 - 05:33 PM

I have had the same experience. I was able, with Malwarebytes, to determine that it was coming from 136.243.131.41.

136.243.131.41 IP address Information

The IP address 136.243.131.41 was found in Germany. It is allocated to Server Block. Additional IP location information, as well as network tools, are available below.

IP address: 136.243.131.41
hostname: prod-hzeu-exebid-lba-1.dca-ops.tech
ISP: Server Block
Country: Germany (DE)
latitude: 51.2993
longitude: 9.491

NetRange: 136.243.0.0 - 136.243.255.255
CIDR: 136.243.0.0/16
NetName: RIPE-ERX-136-243-0-0
NetHandle: NET-136-243-0-0-1
Parent: NET136 (NET-136-0-0-0-0)
NetType: Early Registrations, Transferred to RIPE NCC
OriginAS:
Organization: RIPE Network Coordination Centre (RIPE)
RegDate: 2004-04-14
Updated: 2004-04-14
Ref: https://whois.arin.net/rest/net/NET-136-243-0-0-1

ResourceLink: https://apps.db.ripe.net/search/query.html
ResourceLink: whois.ripe.net

OrgName: RIPE Network Coordination Centre
OrgId: RIPE
Address: P.O. Box 10096
City: Amsterdam
StateProv:
PostalCode: 1001EB
Country: NL
RegDate:
Updated: 2013-07-29
Ref: https://whois.arin.net/rest/org/RIPE

ReferralServer: whois://whois.ripe.net
ResourceLink: https://apps.db.ripe.net/search/query.html

OrgTechHandle: RNO29-ARIN
OrgTechName: RIPE NCC Operations
OrgTechPhone: +31 20 535 4444
OrgTechEmail: hostmaster@ripe.net
OrgTechRef: https://whois.arin.net/rest/poc/RNO29-ARIN

OrgAbuseHandle: ABUSE3850-ARIN
OrgAbuseName: Abuse Contact
OrgAbusePhone: +31205354444
OrgAbuseEmail: abuse@ripe.net
OrgAbuseRef: https://whois.arin.net/rest/poc/ABUSE3850-ARIN
 
Now, I don't know what to do from this point.


#4 buddy215

  • Moderator
  • 13,508 posts
  • Location:West Tennessee

Posted 04 February 2017 - 07:57 PM

RonBoyd...welcome to BC

 

I suggest you start your own topic in this forum...which is the Am I Infected What do I do forum.

It gets a bit too confusing for me trying to work with two or more members in one topic. Thanks for your cooperation.



#5 RonBoyd

  • Members
  • 5 posts

Posted 04 February 2017 - 08:36 PM

Huh? I thought I was adding to this thread. I am sorry if I overwhelmed you. I deeply apologize.



#6 buddy215

  • Moderator
  • 13,508 posts
  • Location:West Tennessee

Posted 05 February 2017 - 08:26 AM

RonBoyd...Like I said...start your own topic in this forum.

I also suggest you run the scans mentioned in my first post in this topic and post the results of those scans in your new topic.

I see this topic has attracted a lot of attention from the web. The sooner you or this topic starter runs those scans, the sooner this will be resolved.



#7 pkoryn (Topic Starter)

  • Members
  • 9 posts

Posted 05 February 2017 - 12:51 PM

buddy215 - One question for you: in your response you stated "when scan is complete make sure ALL THREATS is selected and click REMOVE SELECTED". When my scan finishes, there are no threats found; there is nothing that allows me to select anything, just a box that says FINISHED.

 

I can see where the scan log is available but am unsure how to go about saving it so that I can post it here.  Could you please explain the process and I'll be happy to provide it.



#8 RonBoyd

  • Members
  • 5 posts

Posted 05 February 2017 - 01:17 PM

Yeah, that is why I posted the "offensive" post above. The problem doesn't seem to be from within my computer but has more to do with the German company at the indicated address -- it appears that they are trying to communicate with my computer in some manner. But what do I know?



#9 buddy215

  • Moderator
  • 13,508 posts
  • Location:West Tennessee

Posted 05 February 2017 - 01:17 PM

If you are sure that MBAM found nothing then please go on with the next scans. From looking around for info on the sync-eu.exe.bid I see you have also posted in another forum at MBAM. Looking around, this "threat" is something new. So, it is possible that the scanners won't detect it. But that remains to be seen.



#10 meridius123

  • Members
  • 2 posts

Posted 05 February 2017 - 05:18 PM

I've spent countless hours on this issue and believe the answer to the O.P.'s question is NOT to waste time running a bunch of virus searches.

 

It looks very much like there are HTTP requests embedded in ads served in frames labelled AdChoices that are asking the sync-eu.exe.bid site for something (maybe an image or maybe one of the many JavaScript files that are downloaded by these ad servers). The HTTP request often includes parameters like /falktech1 or other words that I don't recall.

 

I've been able to replicate the problem repeatedly and see the http requests in the chrome console.

 

One very common offender is this page: http://www.inquisitr.com/3945227/vikings-season-4-finale-what-does-the-word-written-on-heahmunds-sword-mean/

 

When you visit it, you won't always get the "malwarebytes blocked" alert. Try reloading the page and/or scrolling down on the page and as soon as an offending frame comes into view, the alert is triggered. Also on this page: there is currently an AdChoices frame that has five individual frames embedded within (each links to some weird sensational content, e.g., "Man who predicted Trump win has another prediction"). That frame appears at the top but usually loads last and when it does, every once in a while the malwarebytes alert appears, coincident with the display of the frame. The sync-eu.exe.bid request could be embedded in any javascript that is loaded in any of those frames.

 

Further, when you use chrome's Inspect tool to look at the source script for these frames, you see a truly amazing amount of code that includes a maze of scripts which call other scripts, etc., and they all generate an enormous number of requests to various ad servers. The offending call might not even be present in the script you see at first review -- it could exist in another script that was called by another script, etc.  

 

My theory: the ad server behind all this is seeding the sync-eu.exe.bid in nested scripts in different frames at different times. So, you might inspect the script on a frame and not see the sync-eu request, but then when you reload it the request appears. At one time the sync-eu request appeared in a console in association with one of the iframe labels within the script. That's what convinced me that this all originates with the ad server.

 

The alert also appears when viewing the "weirdo list" pages like "check out these 25 embarrassing moments" or "you won't believe what these child stars are doing now" like poplyft or viralmoon or detonate or whatever.  I've been able to replicate the problem on a few of those.  When you do these tests: BE SURE TO CLOSE OTHER OFFENDING PAGES.  For example, if you generate the alerts on the inquisitr page, be sure to close the page before looking at another page in a different tab.

 

I'm not sure if this is an effort by the ad servers to track user activity or something more sinister (I suspect it is) and I further don't know why Google, with all its sophistication, doesn't block it when the User config includes "don't track me." But I could be wrong about that.

 

I further don't understand why the so-called expert on this site mindlessly told the inquiring user to spend a lot of time downloading and running various utilities without even understanding the problem or its source. And when another user added info to the thread, the so-called expert chases him off with an order to "start your own topic."  Then when the would-be helper said "hey just trying to help" the so-called expert repeated his order to go away and also told HIM to spend a lot of time downloading and running various utilities.  Are you freaking kidding me!?!?!?!???????

 

Finally: I have to admit I could be all wrong about this. I don't have the expertise to collect every JavaScript file that is downloaded over a period of time, so that I could inspect it to eventually find the HTTP requests for sync-eu.exe.bid. But even if I'm wrong, I hope the so-called expert doesn't give me condescending orders to go away and/or spend a lot of time running virus tools because, without any investigation, he has decided that this is "probably some adware or a tracking cookie" and because that guess came to his mind, the rest of us should start downloading an array of unfamiliar tools and wasting an enormous amount of time running them without getting any result or answer for the problem.

 

I have spent hours on end over several days chasing this problem, and it started with a lot of worthless virus scanning because of this kind of mindless advice. I wouldn't troll the guy for possibly being wrong, but when he got crappy towards somebody that was trying to help, he earned it, imho.


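Added example (not from any post in this thread): the tracing meridius123 describes above, watching the Chrome console to work out which nested ad frame or script issued the request to sync-eu.exe.bid, can be done offline from a saved HAR export of the DevTools Network tab. The script below walks the initiator links Chrome records in its HAR export (the _initiator field, a Chrome extension to the HAR format) from the blocked request back to the top-level document, prints the chain, and emits an Adblock Plus / uBlock Origin style filter for the parent domain. The HAR entries are constructed for illustration: every hostname other than sync-eu.exe.bid (publisher.example, ads-a.example, ads-b.example) is a placeholder, not a real ad server, and the /falktech1 path only echoes the parameter mentioned in the post. The chain tells you which page and which ad tag reached the sync host as a third-party resource; it does not by itself establish that the host is malicious, nor that anything is installed locally.

```javascript
'use strict';

// Constructed sample capture in the shape of a Chrome DevTools HAR export.
// Chrome adds `_initiator` (type plus, for parser/script initiators, the URL
// of the document or script that triggered the request). Hosts other than
// sync-eu.exe.bid are placeholders, not real ad servers.
const SAMPLE_HAR = {
  log: {
    entries: [
      { request: { url: 'https://publisher.example/article' },
        _initiator: { type: 'other' } },
      { request: { url: 'https://ads-a.example/adchoices-frame.html' },
        _initiator: { type: 'parser', url: 'https://publisher.example/article' } },
      { request: { url: 'https://ads-a.example/loader.js' },
        _initiator: { type: 'parser', url: 'https://ads-a.example/adchoices-frame.html' } },
      { request: { url: 'https://ads-b.example/tag.js' },
        _initiator: { type: 'script', url: 'https://ads-a.example/loader.js' } },
      { request: { url: 'http://sync-eu.exe.bid/falktech1?cb=1' },
        _initiator: { type: 'script', url: 'https://ads-b.example/tag.js' } },
      { request: { url: 'https://publisher.example/style.css' },
        _initiator: { type: 'parser', url: 'https://publisher.example/article' } },
    ],
  },
};

// Lower-cased hostname of a URL, or '' if the URL does not parse.
function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch (e) { return ''; }
}

// True if `host` is `target` itself or a subdomain of it (label-aligned, so
// 'notexe.bid' does not match 'exe.bid').
function matchesHost(host, target) {
  target = target.toLowerCase();
  return host === target || host.endsWith('.' + target);
}

// Every captured request that went to `target` or one of its subdomains.
function findRequestsToHost(har, target) {
  return har.log.entries.filter(e => matchesHost(hostOf(e.request.url), target));
}

// Follow `_initiator.url` from `entry` back to the document that started the
// chain. Returns URLs root-first, ending with the request itself. A visited
// set guards against cyclic initiator data; an initiator that was not itself
// captured simply ends the walk.
function initiatorChain(har, entry) {
  const byUrl = new Map(har.log.entries.map(e => [e.request.url, e]));
  const chain = [entry.request.url];
  const seen = new Set(chain);
  let cur = entry;
  while (cur && cur._initiator && cur._initiator.url && !seen.has(cur._initiator.url)) {
    const parentUrl = cur._initiator.url;
    seen.add(parentUrl);
    chain.unshift(parentUrl);
    cur = byUrl.get(parentUrl);
  }
  return chain;
}

// Adblock Plus / uBlock Origin style rule blocking the host's parent domain
// wherever it is loaded as a third-party resource. Taking the last two labels
// as the registrable domain is a simplification (no public-suffix list).
function blockingRule(host) {
  const domain = host.toLowerCase().split('.').slice(-2).join('.');
  return `||${domain}^$third-party`;
}

// All initiator chains in a capture that end at `target`.
function report(har, target) {
  return findRequestsToHost(har, target).map(e => initiatorChain(har, e));
}

for (const chain of report(SAMPLE_HAR, 'sync-eu.exe.bid')) {
  console.log(chain.join('\n  -> '));
}
console.log('suggested filter:', blockingRule('sync-eu.exe.bid'));
```

To use it on a real capture, reload the offending page with the Network tab open, right-click the request list, choose "Save all as HAR with content", and replace SAMPLE_HAR with the parsed file. A chain whose root is the publisher page and whose intermediate hops are ad-tag scripts is exactly the "nested scripts in different frames" pattern described in the post.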

#11 buddy215

  • Moderator
  • 13,508 posts
  • Location:West Tennessee

Posted 05 February 2017 - 05:45 PM

meridius123...Welcome to BC

If that is the case then I suggest installing an ad blocker such as Adblock Plus. Once installed, click on the ABP icon at the top of the browsers it is installed on and choose Filter Preferences. UNcheck the box next to Allow some non-intrusive advertisements.

Adblock Plus :: Add-ons for Firefox   Adblock Plus - Chrome Web Store   Adblock Plus for Edge browser

Adblock Plus for IE

Block third-party (ad/tracking) cookies from installing. Once blocked, run CCleaner to delete the existing ones.

How to disable third-party cookies in all major web browsers

Use CCleaner to remove Temporary files, program caches, cookies, logs, etc. Use the Default settings. No need to use the Registry Cleaning Tool...risky. Pay close attention while installing and UNcheck offers of toolbars....especially Google.

After install, open CCleaner and run by clicking on the Run Cleaner button in the bottom right corner.

CCleaner - PC Optimization and Cleaning - Free Download


Edited by buddy215, 07 February 2017 - 06:21 AM.


#12 RonBoyd

  • Members
  • 5 posts

Posted 05 February 2017 - 05:51 PM

meridius123 said:

I further don't understand why the so-called expert on this site mindlessly told the inquiring user to spend a lot of time downloading and running various utilities without even understanding the problem or its source. And when another user added info to the thread, the so-called expert chases him off with an order to "start your own topic." Then when the would-be helper said "hey just trying to help" the so-called expert repeated his order to go away and also told HIM to spend a lot of time downloading and running various utilities. Are you freaking kidding me!?!?!?!???????

Finally: I have to admit I could be all wrong about this. I don't have the expertise to collect every JavaScript file that is downloaded over a period of time, so that I could inspect it to eventually find the HTTP requests for sync-eu.exe.bid. But even if I'm wrong, I hope the so-called expert doesn't give me condescending orders to go away and/or spend a lot of time running virus tools because, without any investigation, he has decided that this is "probably some adware or a tracking cookie" and because that guess came to his mind, the rest of us should start downloading an array of unfamiliar tools and wasting an enormous amount of time running them without getting any result or answer for the problem.

I have spent hours on end over several days chasing this problem, and it started with a lot of worthless virus scanning because of this kind of mindless advice. I wouldn't troll the guy for possibly being wrong, but when he got crappy towards somebody that was trying to help, he earned it, imho.

Thank you.


Edited by RonBoyd, 05 February 2017 - 05:54 PM.


#13 meridius123

  • Members
  • 2 posts

Posted 05 February 2017 - 06:13 PM

The new suggestion further validates the theory and solves the problem.  By adding the Chrome extension "Ad-Blocker Plus" and unchecking "allow some intrusive ads" the problem is solved. I reloaded the inquisitr page several times and the offending frames never display, the "malicious site blocked" alert never appears, and the ad-blocker count immediately ran to "14 ads blocked on this page"

 

RonBoyd: you're welcome

 

I don't know how to mark a post as "this is the answer to the o.p.'s problem but if there's a way to tag this one it's worth doing.  The rest of the advice about ccleaner and third party cookies doesn't directly relate to this problem because as I saw, it originates in served ads, not anything on our machine.



#14 buddy215

  • Moderator
  • 13,508 posts
  • Location:West Tennessee

Posted 05 February 2017 - 07:04 PM

Adsense is a Google product. MBAM blocking the server....assuming it is a "legit" ad server...is an error/false positive. I suggest you check the responses at the MBAM forum for a definite answer as to whether it is a false positive or something else.

 

For those using Firefox...I will suggest another add-on...NoScript. It takes some time to learn to use it properly but it is an excellent add-on.

NoScript Security Suite :: Add-ons for Firefox



#15 pkoryn (Topic Starter)

  • Members
  • 9 posts

Posted 06 February 2017 - 06:46 AM

Meridius 123 - I can't thank you enough for figuring this out.  I will get the Chrome extension AdBlock Plus installed and see if that takes care of the problem.  I hadn't started all the various scans that were mentioned (seemed like a lot of work as you pointed out), so I'm very grateful for your efforts.  
