Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

CouponDropDown Infested Webpage but not the Computer/Browser


  • This topic is locked This topic is locked
4 replies to this topic

#1 WhiskerWow

WhiskerWow

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:12:25 AM

Posted 16 June 2017 - 12:21 AM

Hello! I hope this is the right forums for something like this. When I was younger, I accidently installed something bad and got the CouponDropDown malware. I removed it after some searching the web and a lot of deleting/uninstalling of programs. Years have passed and I have gotten a new computer. However, the CouponDropDown malware has appeared to have infested my Tumblr blog, and specifically that page. It does not matter if I view it from a different web browser or computer; the page still gets the annoying advertisements. If I view it on my phone, I get a warning for popups and if I give permission to them, it opens up so many pop-ups that I can't browse the page. If I don't allow it, the webpage has no problems at all.

 

I've tried changing the theme of the blog, but it doesn't help anything. In the theme preview, nothing of the malware shows up.

 

Sorry if this is the wrong forums for this type of question, but I really want help! If you need anything for me to provide, please tell me. Thank you in advance for your time!

 

EDIT: I figured out what was causing the problems! The malware wrote code into the posts written on the blog, making it so the pop-ups would show up. Going through each post and re-saving them on a malware-free computer removed the code. Thank you nasdaq for your time.


Edited by WhiskerWow, 16 June 2017 - 06:12 PM.


BC AdBot (Login to Remove)

 


#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,936 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:25 AM

Posted 16 June 2017 - 08:52 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===


Please download Malwarebytes Anti-Malware from here
  • Right-click on the MBAM icon and select Run as administrator to run the tool.
  • Click Yes to accept any security warnings that may appear.
  • Once the MBAM dashboard opens, on the right detail pane click on the word "Current" under the Scan Status to update the tool database.
  • On the left menu pane click the Settings tab, and then select the Protection tab on the top.
  • Under the Scan Options, turn on the button Scan for rootkits and Scan within archives.
  • Click the Scan tab on the right detail pane, select Threat Scan and click the Start Scan button
  • Note: The scan may take some time to finish, so please be patient.
  • If potential threats are detected, ensure to checkmark all the listed items, and click the Quarantine Selected button.
  • While still on the Scan tab, click the View Report button, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log can also be viewed by clicking the log to select it, then clicking the View Report button.
Please post the log for my review.

Note: If asked to restart the computer, please do so immediately.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section in the bottom of the topic Click the "more reply Options" button.
attachlogs.png

Attach the file.
Select the "Choose a File" navigate to the location of the File.
Click the file you wish to Attach.
Click Attach this file.
Click the Add reply button.
===


Please post the logs.

Let me know what problems persists.
==============================

#3 WhiskerWow

WhiskerWow
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:12:25 AM

Posted 16 June 2017 - 12:39 PM

I have solved the problem! After digging around some more online, I found out that there was malicious code embedded into the posts on the blog (not the html). The virus must have written those in while I was posting. Thanks for your time!

Attached Files


Edited by WhiskerWow, 16 June 2017 - 06:10 PM.


#4 nasdaq

nasdaq

  • Malware Response Team
  • 38,936 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:25 AM

Posted 17 June 2017 - 07:15 AM



Hi,

Remove this program in bold via the Control Panel > Programs > Programs and Features.
Unity Web Player (HKU\S-1-5-21-2073529712-1714409664-1672547969-1001\...\UnityWebPlayer) (Version: 4.6.1f1 - Unity Technologies ApS)
===

Press the windows key Windows_Logo_key.gif+ r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and and click the OK key.

Please copy the entire contents of the code box below to a new file.


Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

GroupPolicyUsers\S-1-5-21-2073529712-1714409664-1672547969-1001\User: Restriction <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
BHO: Webroot Vault -> {c8d5d964-2be8-4c5b-8cf5-6e975aa88504} -> C:\ProgramData\WRData\pkg\LPBar64.dll => No File
BHO-x32: Webroot Vault -> {c8d5d964-2be8-4c5b-8cf5-6e975aa88504} -> C:\ProgramData\WRData\pkg\LPBar.dll => No File
Toolbar: HKLM - Webroot Toolbar - {97ab88ef-346b-4179-a0b1-7445896547a5} - C:\ProgramData\WRData\pkg\LPBar64.dll No File
Toolbar: HKLM-x32 - Webroot Toolbar - {97ab88ef-346b-4179-a0b1-7445896547a5} - C:\ProgramData\WRData\pkg\LPBar.dll No File
FF Plugin HKU\S-1-5-21-2073529712-1714409664-1672547969-1001: @unity3d.com/UnityPlayer,version=1.0 -> C:\Users\whisk_000\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll [2015-08-20] (Unity Technologies ApS)
CHR Extension: (Chrome Web Store Payments) - C:\Users\whisk_000\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-09]
CHR Extension: (Chrome Media Router) - C:\Users\whisk_000\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-11-05]
Task: {06D6F586-716A-463A-8174-69F138E81F77} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {0AB587DA-549E-4AD2-A9CE-B22C5F262CF3} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {2CC26067-4520-487C-81BF-8CA65B755351} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {3FD66E45-DD6E-4567-B124-4F44B95596B9} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {4C6F234A-A487-4696-BBED-6991ECA3F9E6} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {51A69E2E-BF3C-4CA2-93C4-D1933B2FFD48} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {8523E125-A890-4C48-9D21-FB5B9E9A1B73} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {99D320F0-AB3B-483A-931C-DF8F7DE0C384} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {C2B44EB3-1467-4075-8376-E6D982905DFA} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION
Task: {C9BEF2C2-95F6-460C-B218-251424C1498F} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {F314883B-E86D-4B16-82DF-63DC6F0EEC7D} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.

===

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as Java update!
Important read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882

If still present after the update you can remove the old versions of Java via the Control Panel > Programs > Programs and Features.
Java 8 Update 101 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F32180101F0}) (Version: 8.0.1010.13 - Oracle Corporation)
===

Please let me know what problem persists with this computer.

#5 nasdaq

nasdaq

  • Malware Response Team
  • 38,936 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:25 AM

Posted 23 June 2017 - 08:18 AM

Are you still with me?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users