Clicked suspicious links, Firefox changed theme to default


8 replies to this topic

#1 NSAER

Posted 03 September 2017 - 11:29 AM

Hello, I am glad to be using this forum with all the experts around :). I hope you can shed some light on my situation.

I don't want to waste your time so let me make this as quick as possible.

 

09-01-2017 (2 days ago) I clicked various suspicious links someone had posted on a forum.

I then closed down the tabs of those links but I did not close Firefox down.

Around 2-3 minutes after closing the tabs my Firefox changed its theme to default (from black to the usual white or bluish whatever). I had made no such changes nor been notified, it just happened out of the blue.

 

My thinking: maybe it was just a Firefox software update, as odd as it is, so I checked my Firefox version: 55.0.3 (32bit).

This Firefox version was supposed to have dropped around 25th of August, so surely it cannot explain this weird phenomenon?

Did any of you receive a Firefox update on the 1st of September?

 

I then immediately put my trusty but crappy Comodo Firewall 10 to suspicious mode, and as usual it went NUTS by giving me popups from every benign system process and software installed, because Comodo is a trusty pile of C.

Anyway, I was forced to shut down my PC by holding the start button on the box in until it turned off, and start in safe mode. As much as I did not want to restart my PC because it could worsen an infection, Comodo forced me to do it (thanks!). Comodo had simply spazzed out so much that I had no chance of starting it, it even blocked explorer.exe (because the screen was black on the start).

 

I finally resolved the trusty Comodo Firewall crap situation after spending many hours in the late morning without sleep.

 

I tried checking network activity with Comodo and found nothing suspicious. I did a file scan and found no new unrecognized files.

I tried Hitmanpro 3.5 which is my second-in-line in case of an infection, but it detected nothing. I tried all scan options it has.

I ran gmer.exe but it detected all the false positives in the known universe as malware so I shrugged it off for a while.

I ran malwarebytes antivirus and malwarebytes anti-rootkit scans to no avail.

 

I then installed Avast and did a full system scan but again to no avail, no results. Now Avast is blocking gmer.exe from running (downloaded from official site) even if I turn off Avast's "protection" modules. Gee, thanks, might just be what I need in such a dire situation!

 

Here's the bottom line: the machine is pretty much asymptomatic, but I know there's an infection. I am not stupid, I know I clicked a sketchy link and the activity that followed makes it obvious.




#2 boopme (Global Moderator)

Posted 03 September 2017 - 07:31 PM

Maybe a file in Firefox became corrupt... Uninstall and reinstall it and see.

You can also run these....

AdwCleaner
  • Please download AdwCleaner by Xplode and save to your Desktop.
  • Double click on AdwCleaner.exe to run the tool. Vista/Windows 7/8 users right-click and select Run As Administrator
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.
Junkware Removal Tool
  • Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
And finally I'd like us to scan your machine with ESET OnlineScan:
  • It is recommended to turn off your antivirus program. Click on the [button image] to see which antivirus is currently enabled.
  • Turn off your antivirus program. See here how to do this.
  • Check the option beside: Enable detection of potentially unwanted applications.
  • Now click on Advanced Settings and make sure that the option Clean threats automatically is NOT checked, and select the following:
      Enable detection of potentially unsafe applications
      Enable detection of suspicious applications
      Scan archives
      Enable Anti-Stealth Technology
  • Click on the Change button and select only Operating memory, Autostart locations and drive C:\ to be scanned.
  • Push the [button image].
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes a list of found threats will open automatically (if any malicious files are found).
  • Push the [button image] and save the file to your desktop using a unique name, such as ESETScan.txt. Include the contents of this report in your next reply.
  • Push the [button image].
  • Check the box beside [option image] to uninstall the application when closed.
  • Push [button image] and then close the application by clicking the X in the upper right corner.

Edited by boopme, 03 September 2017 - 07:33 PM.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 NSAER (Topic Starter)

Posted 04 September 2017 - 10:17 AM

I think I was lucky there, one of those two first tools could potentially have corrupted my PC.

Anyway, as for the results of their scans, I don't know what to say. Let me make it clear, though, I never install unknown software on my system. I have a virtual machine for all files I don't trust, so if I was infected it was from a zero-day drive-by.

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.1.4 (07.09.2017)
Operating System: Windows 7
Ran by **** (Administrator) on 04-09-2017 at 16:04:58,61
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
File System: 40
Successfully deleted: C:\Users\\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0PS72R2M (Temporary Internet Files Folder)
Successfully deleted: C:\Users\\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2X2WYOBF (Temporary Internet Files Folder)
Successfully deleted: C:\Users\\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\62AXOPQ5 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6FVYU29C (Temporary Internet Files Folder)
Successfully deleted: C:\Users\\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BXV76QUX (Temporary Internet Files Folder)
Successfully deleted: C:\Users\\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DI39DFWV (Temporary Internet Files Folder)
Successfully deleted: C:\Users\\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FZG8CKJ5 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GUCBVKL6 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H8C4CE1H (Temporary Internet Files Folder)
Successfully deleted: C:\Users\\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K08CDYDY (Temporary Internet Files Folder)
Successfully deleted: C:\Users\\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KAR13CR3 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KNSTPXPN (Temporary Internet Files Folder)
Successfully deleted: C:\Users\\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KPOIRPYL (Temporary Internet Files Folder)
Successfully deleted: C:\Users\\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KRRWGF6C (Temporary Internet Files Folder)
Successfully deleted: C:\Users\\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LB3NAEIR (Temporary Internet Files Folder)
Successfully deleted: C:\Users\\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LIXMVQOA (Temporary Internet Files Folder)
Successfully deleted: C:\Users\\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MOL6XHVE (Temporary Internet Files Folder)
Successfully deleted: C:\Users\\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TN5G7A6M (Temporary Internet Files Folder)
Successfully deleted: C:\Users\\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z6RQH3I0 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZRYZNNCO (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0PS72R2M (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2X2WYOBF (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\62AXOPQ5 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6FVYU29C (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BXV76QUX (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DI39DFWV (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FZG8CKJ5 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GUCBVKL6 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H8C4CE1H (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K08CDYDY (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KAR13CR3 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KNSTPXPN (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KPOIRPYL (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KRRWGF6C (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LB3NAEIR (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LIXMVQOA (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MOL6XHVE (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TN5G7A6M (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z6RQH3I0 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZRYZNNCO (Temporary Internet Files Folder)
Registry: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 04-09-2017 at 16:07:14,44
End of JRT log

 

# AdwCleaner 7.0.2.1 - Logfile created on Mon Sep 04 13:44:45 2017
# Updated on 2017/29/08 by Malwarebytes
# Running on Windows 7
# Mode: clean
***** [ Services ] *****
No malicious services deleted.
***** [ Folders ] *****
No malicious folders deleted.
***** [ Files ] *****
Deleted: C:\END
***** [ DLL ] *****
No malicious DLLs cleaned.
***** [ WMI ] *****
No malicious WMI cleaned.
***** [ Shortcuts ] *****
No malicious shortcuts cleaned.
***** [ Tasks ] *****
No malicious tasks deleted.
***** [ Registry ] *****
Deleted: [Key] - HKLM\SOFTWARE\Yahoo\SS
***** [ Firefox (and derivatives) ] *****
No malicious Firefox entries deleted.
***** [ Chromium (and derivatives) ] *****
No malicious Chromium entries deleted.
*************************
::Tracing keys deleted
::Winsock settings cleared
::Additional Actions: 0
*************************
C:/AdwCleaner/AdwCleaner[S0].txt - [974 B] - [2017/9/4 13:41:38]
########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt ##########

 

ESET found nothing. I assume there's no point posting logs if nothing was found.

 

You didn't ask for it but it's interesting so why not include it.

aswMBR version 1.0.1.2290 Copyright© 2014 AVAST Software
Run date: 2017-09-04 17:10:17
-----------------------------
17:10:17.932    OS Version: Windows 7
17:10:17.932    Number of processors: 4 586 0x3A09
17:10:17.932    ComputerName: ****
17:10:19.691    Initialize success
17:10:19.701    VM: initialized successfully
17:10:19.701    VM: Intel CPU supported virtualized
17:10:24.138    VM: supported disk I/O ataport.SYS
17:10:34.139    AVAST engine defs: 17090402
17:10:37.156    Disk 0
17:10:37.156    Disk 0
17:10:37.186    VM: Disk 0 MBR read successfully
17:10:37.186    Disk 0 MBR scan
17:10:37.186    Disk 0 unknown MBR code
17:10:37.406    Disk 0 Partition 1 80 (A) 07      HPFS/NTFS            476938 MB offset 2048
17:10:37.416    Disk 0 Boot Sector hidden 512 bytes @ 0x1
17:10:37.416    Disk 0 BPB Hidden Sectors 88556181
17:10:37.436    Disk 0 sector 88556181 hidden
17:10:37.446    Disk 0 GAPZ@Boot Sector  **INFECTED**
17:10:37.575    Disk 0 statistics 8/0/20869 @ 38,61 MB/s
17:10:37.575    Scan finished successfully

I have VeraCrypt installed to encrypt my harddrive, and it supposedly writes itself to the boot sector so when I start my PC I get a VeraCrypt menu where I have to type in my password to decrypt the harddrive and proceed.

Could this be what aswMBR is detecting?

 

Edit: After the browser event happened on the 1st of September, I immediately put my Comodo into paranoid mode. However, putting Comodo from paranoid mode back to safe mode (less sensitive) did not revert the weird overreaction to every system process, so it is possible that this alert (which I get every time I close down Windows) is benign. I also made sure to reset the logs/behavior rules but clearly it did not work in this case.

[screenshot of the Comodo alert attached]


 


Edited by NSAER, 04 September 2017 - 11:22 AM.
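The aswMBR lines in the post above carry the two numbers that matter for a Gapz-style verdict: partition 1 starts at offset 2048, yet the BPB "Hidden Sectors" field read from its boot sector is 88556181. Anti-bootkit scanners compare exactly these two values, because the Gapz bootkit (documented by ESET) patches HiddenSectors in the NTFS VBR so the boot code loads from a sector the bootkit controls instead of the partition start. The script below is an added example, not aswMBR's code and not from anyone in this thread: it parses an MBR partition table and an NTFS VBR and reports the comparison. The sector images are constructed to mirror the log's values, and the function names are my own.

```python
"""
Consistency check used by anti-bootkit scanners: the HiddenSectors field in
a partition's NTFS boot sector (VBR) must equal the partition's starting LBA
in the MBR partition table. A Gapz-style bootkit patches HiddenSectors so
the boot code loads from a sector the bootkit controls.

Added example, not aswMBR's code. Sector images are constructed here to
mirror the values in the log above (partition 1 at offset 2048,
HiddenSectors 88556181); all function names are my own.
"""
import os
import struct

SECTOR = 512
PART_ENTRY = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIG = b"\x55\xaa"


def build_mbr(partitions):
    """Construct an MBR (boot code left zero) from (bootable, type, lba_start, sectors) tuples."""
    mbr = bytearray(SECTOR)
    for i, (bootable, ptype, lba, count) in enumerate(partitions[:4]):
        struct.pack_into(PART_ENTRY, mbr, 446 + 16 * i,
                         0x80 if bootable else 0x00, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    mbr[510:] = BOOT_SIG
    return bytes(mbr)


def build_ntfs_vbr(hidden_sectors):
    """Construct a minimal NTFS VBR whose only interesting BPB field is HiddenSectors (offset 28)."""
    vbr = bytearray(SECTOR)
    vbr[0:3] = b"\xeb\x52\x90"            # jump over the BPB
    vbr[3:11] = b"NTFS    "               # OEM ID
    struct.pack_into("<H", vbr, 11, 512)  # bytes per sector
    vbr[13] = 8                           # sectors per cluster
    vbr[21] = 0xF8                        # media descriptor (fixed disk)
    struct.pack_into("<I", vbr, 28, hidden_sectors)
    vbr[510:] = BOOT_SIG
    return bytes(vbr)


def parse_mbr(mbr):
    """Return the non-empty partition entries of a 512-byte MBR."""
    if len(mbr) != SECTOR or mbr[510:] != BOOT_SIG:
        raise ValueError("not an MBR: wrong length or missing 0x55AA signature")
    entries = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(PART_ENTRY, mbr, 446 + 16 * i)
        if ptype:
            entries.append({"index": i + 1, "bootable": status == 0x80,
                            "type": ptype, "lba_start": lba, "sectors": count})
    return entries


def ntfs_hidden_sectors(vbr):
    """HiddenSectors from an NTFS VBR, or None if the sector is not a plaintext NTFS boot sector."""
    if len(vbr) != SECTOR or vbr[510:] != BOOT_SIG or vbr[3:11] != b"NTFS    ":
        return None
    return struct.unpack_from("<I", vbr, 28)[0]


def check_hidden_sectors(mbr, vbr_by_partition):
    """
    One finding per partition for which a VBR was supplied:
      status "ok"        HiddenSectors == LBA start
      status "mismatch"  HiddenSectors != LBA start (Gapz-style indicator)
      status "not_ntfs"  VBR is not a readable NTFS boot sector (other filesystem, or
                         encrypted in place), so the heuristic cannot be evaluated
    """
    findings = []
    for p in parse_mbr(mbr):
        vbr = vbr_by_partition.get(p["index"])
        if vbr is None:
            continue
        hidden = ntfs_hidden_sectors(vbr)
        if hidden is None:
            status = "not_ntfs"
        elif hidden == p["lba_start"]:
            status = "ok"
        else:
            status = "mismatch"
        findings.append({"partition": p["index"], "lba_start": p["lba_start"],
                         "hidden_sectors": hidden, "status": status})
    return findings


# Constructed sample: one bootable NTFS partition, 476938 MB (976769024 sectors) at LBA 2048,
# whose VBR claims 88556181 hidden sectors, as in the aswMBR log.
SAMPLE_MBR = build_mbr([(True, 0x07, 2048, 976769024)])
SAMPLE_VBR_PATCHED = build_ntfs_vbr(88556181)
SAMPLE_VBR_CLEAN = build_ntfs_vbr(2048)
SAMPLE_VBR_OPAQUE = os.urandom(SECTOR)   # stands in for a ciphertext/unreadable VBR


def demo():
    """Run the check against the three constructed VBRs and return the status of each."""
    return {
        "patched": check_hidden_sectors(SAMPLE_MBR, {1: SAMPLE_VBR_PATCHED})[0]["status"],
        "clean": check_hidden_sectors(SAMPLE_MBR, {1: SAMPLE_VBR_CLEAN})[0]["status"],
        "opaque": check_hidden_sectors(SAMPLE_MBR, {1: SAMPLE_VBR_OPAQUE})[0]["status"],
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

Two caveats for reading a verdict like this one. First, "unknown MBR code" on its own is expected with a third-party pre-boot loader: VeraCrypt replaces the MBR boot code with its own loader, and the parser above deliberately ignores the boot code for that reason. Second, the HiddenSectors heuristic only means something when the scanner got a plaintext NTFS boot sector back; the "not_ntfs" status exists because a raw read of a partition that is encrypted in place returns bytes that carry no OEM ID and no meaningful BPB, and a scanner that does not check for that could report a random-looking value where HiddenSectors should be. Whether that is what happened on this machine is an assumption the thread cannot settle; the moderator's advice to take a deeper look with the proper tools is the right call either way.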


#4 NSAER (Topic Starter)

Posted 04 September 2017 - 11:39 AM

After doing a scan with Hitmanpro and reading the log I find many instances of the following under "Forensic Cluster":

C:\Users\\AppData\Local\Mozilla\Firefox\Profiles\ovogspjy.default\cache2\entries\(bunch of random numbers)

Ovogspjy means "this spy" in Bosnian. Is this coincidental? Am I being paranoid?



#5 boopme (Global Moderator)

Posted 04 September 2017 - 07:16 PM

OK the Boot Sector is infected.

We should get a deeper look. Please follow this Preparation Guide and post in a new topic.
Let me know if all went well..

Edited by boopme, 04 September 2017 - 07:17 PM.


#6 NSAER (Topic Starter)

Posted 05 September 2017 - 05:22 AM

> OK the Boot Sector is infected.
>
> We should get a deeper look. Please follow this Preparation Guide and post in a new topic.
> Let me know if all went well..

Did you read my speculation whether it may just be detection of VeraCrypt which writes itself to the boot sector?

If so, what is your thought on that?

(It was an official download).



#7 boopme (Global Moderator)

Posted 05 September 2017 - 10:41 AM

Yes I did and I think we should get a deeper look to be sure..

#8 NSAER (Topic Starter)

Posted 07 September 2017 - 08:03 AM

Oh Lord if I had a penny for every time an anti-malware program has caused me more computer issues than an actual piece of malware, I would have enough money to buy myself a candy bar to soothe the annoyance.

 

I waited for 12 hours for VeraCrypt to decrypt my harddrive. When I came back, HitmanPro Alert was bugging me about VeraCrypt being malware (it is not). I clicked to mark it as safe or whatever it was, turned off HitmanPro Alert software's features but it did nothing, the alert simply came back again, VeraCrypt was still unable to write to the bootsector (to detach it). I then tried uninstalling HitmanPro Alert, because what other option is there at this point? And lo and behold I was asked to restart my computer, obviously because it installs low level drivers which cannot just be removed. When my computer was loading up again after the restart VeraCrypt informed me that my bootsector had been corrupted and I needed to insert my VeraCrypt boot recovery CD, which I did not make.

So HitmanPro Alert, which admittedly seems like a wonderful piece of software considering its features, ruined my bootsector.

I ended up having to do a full system reinstall, and wiped my harddrive because I might as well at this point.

 

I had the intention to test if VeraCrypt was causing the detection by decrypting and detaching it and then rescanning, but good luck with that lol



#9 NSAER (Topic Starter)

Posted 07 September 2017 - 08:25 AM

I managed to save my Firefox browser folder on a harddrive prior to embarking on the fatal restart.

For any of you researchers who are knowledgeable about browser malware, do you think a piece of malware could hide itself inside the bookmarks part of the Firefox folder, or the file that stores my passwords?
