
Website Redirect Infection Started, Still Affected?


5 replies to this topic

#1 DVideo


Posted 01 December 2017 - 07:42 AM

Yesterday visited a music artist website that had been compromised. You can see the malware installed on the site by viewing Sucuri SiteCheck's scan: https://sitecheck.sucuri.net/results/jodymcbrayer.com. Looks like an exploit kit but not sure.

So when I went to an interior page it redirected to a site that looked like ransomware and a voice said they had taken my Facebook and other passwords. I did not click any buttons on the screen, but it would not let me X out of Firefox 57.0.1. So I went immediately to Task Manager and forced it to close. I should have unplugged from the internet first.

This is a Windows 10 64-bit system.

Then both Windows Fax and Microsoft Upload Center programs opened on their own, which freaked me out. I believe I closed them before anything uploaded. When I looked to see what had already uploaded it was blank, as if nothing did.

I noticed Windows Defender protection was turned off, which I did not have turned off before.

I do not have Java installed on the machine (a target of exploit kits).

I do not have Adobe Reader installed on the machine (a target of exploit kits), but I have Acrobat Professional, which is up to date.

I re-installed Adobe Flash (a target of exploit kits).

I refreshed Firefox.

I downloaded Malwarebytes and Norton Security Suite. Ran them both and they found nothing. Ran them both in Safe Mode, found nothing. Then I ran Malwarebytes again with rootkit checked and it found a .JPG file it said was actually an .exe. I quarantined it and later deleted it. Subsequent scans in Safe Mode with rootkit checked have found nothing.

So, my question is, do you think this machine is OK? What else should I do or look for?

I do notice two weird entries in Task Scheduler: User_Feed_Synchronization and DataSenseLiveTileTask, but they may be legit.

Should I disable Windows Fax and the Microsoft Upload Center programs? Should I change any key passwords?

Thanks.


Edited by DVideo, 01 December 2017 - 07:51 AM.
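An added example, not part of the thread: a read-only PowerShell triage script that checks the three things raised in post #1 (Defender's real-time protection state, the two Task Scheduler entries, and image-extension files that are really PE executables, the masquerade Malwarebytes flagged). It assumes an elevated PowerShell 5.1 session on Windows 10; `$ScanRoot` is an assumed placeholder folder.

```powershell
# Added triage example (not from the thread). Reports only; changes nothing.
# Assumption: run as Administrator in PowerShell 5.1 on Windows 10.
$ScanRoot = "$env:USERPROFILE\Downloads"   # assumed starting folder; adjust

# 1. Real-time protection state. Post #1 found Defender switched off, which is
#    itself a symptom worth recording alongside signature age.
$mp = Get-MpComputerStatus
[pscustomobject]@{
    RealTimeProtection = $mp.RealTimeProtectionEnabled
    AntivirusEnabled   = $mp.AntivirusEnabled
    SignatureAgeDays   = $mp.AntivirusSignatureAge
} | Format-List

# 2. The two scheduled tasks the poster was unsure about. What matters is the
#    action each one actually runs (Execute/Arguments), not just the name.
Get-ScheduledTask |
    Where-Object { $_.TaskName -match 'User_Feed_Synchronization|DataSenseLiveTileTask' } |
    ForEach-Object {
        $task = $_
        $task.Actions | ForEach-Object {
            [pscustomobject]@{
                Task      = $task.TaskName
                Path      = $task.TaskPath
                State     = $task.State
                Execute   = $_.Execute
                Arguments = $_.Arguments
            }
        }
    } | Format-Table -AutoSize

# 3. Files with an image extension whose first two bytes are "MZ", the DOS
#    header every Windows PE executable starts with. Only the header is read.
function Test-PeMasquerade {
    param([string]$Path)
    $header = New-Object byte[] 2
    $stream = [System.IO.File]::OpenRead($Path)
    try { $read = $stream.Read($header, 0, 2) } finally { $stream.Dispose() }
    return ($read -eq 2 -and $header[0] -eq 0x4D -and $header[1] -eq 0x5A)
}

Get-ChildItem -Path $ScanRoot -Recurse -File -Include *.jpg, *.jpeg, *.png, *.gif -ErrorAction SilentlyContinue |
    Where-Object { Test-PeMasquerade $_.FullName } |
    Select-Object FullName, Length, LastWriteTime
```

Any hit from step 3 is a candidate for quarantine and a hash lookup, not proof of infection on its own; widen `$ScanRoot` to the whole profile if the first pass is clean.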



#2 buddy215


Posted 01 December 2017 - 10:14 AM

That Microsoft Upload Center opening is a bit suspect. The article in the link below gives some good info on what it does, how it got on your machine and a way to get rid of it if you want to. What may have been cached is what is in question.

Microsoft Upload Center - what is it, why do I want it and what if I don't?

Your questions....my answer: no way to know at this point whether that was a bluff or not concerning theft of passwords. If you do decide to change them....you should change any other info required by the sites to send you a new password when one is lost.


“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 DVideo


Posted 01 December 2017 - 11:59 AM

Thanks, I renamed MSOSYNC.EXE to MSOSYNC.NO! per that article's recommendation.

I do notice there are two XML files related to that with updates yesterday, but I can't tell from the contents if anything is malicious or they just got dated because the app was opened.

Changed any passwords for things I might have had open at the time in the browser.

If Malwarebytes and Norton run clean in Safe Mode, would you be concerned about any remnants?

Should I go to Device Manager and remove the Fax since I never use it?

Thanks again.



#4 buddy215


Posted 01 December 2017 - 12:19 PM

  1. Click Start, click All Programs, click Microsoft Office, click Microsoft Office 2010 Tools, and then click Microsoft Office 2010 Upload Center.
  2. In Upload Center, click Settings.
  3. Under Cached Settings, click Delete cached files.
  4. When you are prompted, click Delete cached information.

If you don't use the Fax...then I see no harm in removing/ disabling it.

 

You can scan the computer with another free program such as the Eset Online Scanner. It is a very good scanner and will take more than an hour depending on the size of data stored and the computer's resources. Since Malwarebytes found something, it would be a good idea to scan with its AntiRootkit scanner, too. I know you checked that option originally, but I have seen this scanner find more.

Use CCleaner to remove Temporary files, program caches, cookies, logs, etc. Use the Default settings. No need to use the Registry Cleaning Tool...risky. Pay close attention while installing and UNcheck offers of toolbars....especially Google. After install, open CCleaner and run by clicking on the Run Cleaner button in the bottom right corner.

CCleaner - PC Optimization and Cleaning - Free Download

 

Download and run the FREE online scanner from Free Virus Scan | Online Virus Scan from ESET | ESET

  • Place a checkmark in YES, I accept the Terms of Use, then click Start. Wait for ESET Online Scanner to load its components.
  • Select Enable detection of potentially unwanted applications.
  • Click Advanced Settings, then place a checkmark in the following:
    • Remove found threats
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click Start to begin scanning.
  • ESET Online Scanner will start downloading signatures and scan. Please be patient, as this scan can take quite some time.
  • When the scan is done, click List threats (only available if ESET Online Scanner found something).
  • Click Export, then save the file to your desktop.
  • Click Back, then Finish to exit ESET Online Scanner.

Download Malwarebytes Anti-Rootkit (MBAR) to your desktop.

  • Warning! Malwarebytes Anti-Rootkit needs to be run from an account with administrator rights.
  • Double click on downloaded file. OK self extracting prompt.
  • MBAR will start. Click "Next" to continue.
  • Click in the following screen "Update" to obtain the latest malware definitions.
  • Once the update is complete select "Next" and click "Scan".
  • When the scan is finished and no malware has been found select "Exit".
  • If malware was detected, make sure to check all the items and click "Cleanup". Reboot your computer.
  • Open the MBAR folder located on your Desktop and paste the content of the following files in your next reply:
  • "mbar-log-{date} (xx-xx-xx).txt"


#5 DVideo


Posted 01 December 2017 - 02:09 PM

BC Advisor. Thanks so much.

OK, did all that. ESET and Malwarebytes Antirootkit both 100% clear. Relieved.

Noticing these strange entries in "Uninstall or change a program" and can't seem to find anything on Google...

Microsoft Office Famille et Petite Entreprise 2016 - fr-fr
Microsoft Office Hogar y Empresas 2016 - es-es

Are those legit?

I did find a way through "Uninstall or change a program" to "Turn Windows features on or off" for Windows Fax and Scan.



#6 buddy215


Posted 01 December 2017 - 02:45 PM

This is the Google translation page...French to English for Microsoft Office Famille et Petite Entreprise 2016 - fr-fr: Google Translate. The other is the same but in Spanish: Google Translate.

I don't see anything malicious....

You're welcome...happy surfin'

