MarcoBytes

Members
  • Content Count

    22
About MarcoBytes

  • Rank
    New Member
  1. To conclude this affair ... you will be wanting to know which authorisation allowed the malware in. Ha! It was 'remote assistance' I re-authorised it, by clicking the box against its firewall entry. Within an hour or so, the malware had returned. I then unauthorised it, rebooted, and re-authorised all the 'Steam' games, and Spotify. The malware never returned. Great news for users of 'Steam' and Spotify. I have no idea whether there is some code residing on the hard drive, associated with this malware, ... just waiting for the firewall authorisation. However, definitively, the remote assistance has it, the remote assistance has it! ORDER....
  2. Hahaha ... Victory! (phew) It was the decision to test the PC 'disconnected from the web' that led to the solution. ... when the malware failed to appear, it was clear that they were 'getting through' the firewall. You could hear the penny drop... Checking the firewall authorisations, I discovered that they were numerous. ... the suspect ones were 'remote assistance' and 'Steam' games. Removing authorisation (un-ticking the box) on all these suspects ... did the trick ✌️ (Spotify was also un-ticked). I rebooted, and left the laptop running, connected by WiFi to the web (for 20 hours). No malware. ------------------------ Which authorisation caused the malware? This may take some time, as I must enable them individually. But the take-away lesson from this experience is: "If the anti-malware tools do not stop the malware... First check the firewall authorisations" ------------------------ Thanks to: The Malwarebytes team, forum members, and particularly 'nasdaq'. Being able to share such problems has a very positive effect. ... creating a calm environment that is advantageous to 'clear thinking'. Sure ... this can be considered a stupid error on my part (for not checking the firewall first). However, my guess is that this is typical. The majority of users (and I'm a long time user) simply aren't on top of all the security risks. ... but we live and learn. "Victory is sweet"
  3. Also, what about the 'Bogon' address 172.31.0.50? It is listed in the same section as the other addresses that you mentioned. This article advises that it is dangerous: It is worth reading the full article! Can I ask... Is there any default reason to have any TCP/IP addresses listed in the FRST.txt [Internet (white list)] section?
  4. It has just returned now. I guess we need to remove the other address.
  5. Good news - The malware doesn't run, when the laptop is not connected to the web. Clearly, it is being allowed through my firewall. I have run the fixlist, and the Dell address 163.244.76.254 has been deleted. Fixlog attached. nasdaq ... you ask if I wish to remove the other address 212.27.40.240. I don't know. I don't know why it is there, nor what it does. If it is not needed, then why not remove it? I will now leave the computer running, with it connected to the internet. Let us see if the malware shows up. This may take a few hours. Fixlog.txt
  6. Thanks nasdaq, Currently the laptop has been running for 4 hours, with WiFi disconnected. I will continue this test overnight, and into tomorrow. If the malware doesn't return, it will be likely that it is coming from the web. This should tell us something. I will then run the fixlist. Or if it returns, I will run fixlist.
  7. Two site addresses - One very 'how can I put this' - the other is Dell Inc. Let's clear Dell first, and then look at the other 'situation'. 163.244.76.254 This is a Dell site. I don't think that there is any reason for the PC to be talking to Dell. If this is happening via a boot-load, it is better that it is stopped, if only to save resources. 212.27.40.240 This is FREE/Iliad (the company) ... or a sub-division ProXad ... or the same (but who knows) Capitalisation 2017 - €13 billion Subscribers 2017 - 20 million (i.e. this is a BIG company) However, proxad was originally a UK adtech company (the site doesn't load now): Recently a lot of FREE subscribers have had their emails bouncing back, due to blacklisting that leads back to proxad.net (which is now FREE/Iliad). Many reports indicate zero response from them (re their abuse line). I know that they got involved with 'in game purchases' without asking permission from the bill payer. [Can they have stooped so low as to implement what is clearly malware?] The question also is whether this type of thing is par for the course amongst IP providers? Either way ... what are you seeing? By this I mean ... what is the function of this line of programming code? Is this functional to a server login? Can this be deleted? Is this adware window being loaded from the cloud? ... hence no hard disk tracks. But wouldn't it have been caught in the memory search? ... or would that only happen if the activity was recognised? One thing is clear ... none of the malware progs identified its activities as a threat ... yet it can lock the browser (not an inconsequential problem). Because of this lack of identification... Should this issue be shared with the Malwarebytes dev team? Other than that, I have done nothing more on this since my last update ... so the PC will still be infected. Perhaps I should run the PC with WiFi disconnected, in order to see if the window still appears.
  8. After the re-boot, I decided to just leave the pc running, and not load a browser, nor anything other than the pre-loads. I figured that this would eliminate the connection with the browsers. Damn! I have just noticed that the adware is back. The thing is ... it waits for a few hours before appearing. This is a very good survival mechanism, because each test takes a few hours to run. You don't know if the problem is solved, until it doesn't appear ... but how long do you wait? It's not the end of the world. It can be closed, and with quick use of the mouse, the tabs can be closed ... until the next time. ... but defeat is bitter. Does anyone have any ideas?
  9. Ran: ADWcleaner, Malwarebytes, Kaspersky TDSSKiller. All returned NO threats... Yet the adware window is still running, and Firefox is locked. One minor thing to note is that when Chrome was the default, it loaded Chrome. With Firefox, it loaded Firefox. It seems to be independent of the browser. Any suggestions as to what I should do now?
  10. I interacted with the adware by clicking on it. I'd set firefox to default, so it opened, and a tab and a variety of dialogue boxes opened rapidly. Perhaps I should have used a screen video record? However, I got 2 screenshots, that clearly show target addresses (attached) MBST was then run (attached) I then tried to close firefox, but it won't close. I can close it by stopping it from running, or rebooting. Before that, I'll run ADWcleaner to see what it finds, and then Malwarebytes. I've noted that another thread suggests a kaspersky tool. I'll download it. mbst-grab-results.zip
  11. I've had a thorough look at both chrome and firefox. Notifications were set to 'Ask' and there are no exceptions listed, other than the usual google sites in chrome. Pop Ups were set to off. I ran the chrome malware search ... it found nothing. Checked all exceptions ... nothing. Turned off permissions for ads (chrome). Overall ... other than the 'ads' not being turned off in chrome; nothing indicated bad settings. From the above; my gut instinct is that, this adware is not 'notification based' (I could be wrong). My consideration is that I should : Interact with the adware, and let it run its course. This, to see how it behaves, and potentially to cause it to leave processing tracks. From this, we will learn more. Thereafter, run the MBS tool, to perhaps gain a hard copy of that knowledge. In the meantime, I tried to screen capture the adware window, using snagit. However, although the image showed in the capture preview ... no image was captured. Only the typical background squares were captured. A full screen capture worked, and this is attached. I have also attached processes and services (in case they list something)
  12. Had a quick look at other people's problems, and noted that they had been asked to use mb-support-1.5.1.681.exe. Consequently I downloaded and ran it. Results attached. mbst-grab-results.zip
  13. At this moment in time, I have left the adware window running. It is the top layer of the windows, situated in the bottom right hand corner of the screen. I'm presuming that ADWc or Malwarebytes might have a better chance of finding it, as it is obviously now a running process in memory. I'm wondering if it is worth running Malwarebytes to see what happens... FRST.txt Addition.txt
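Post 3 above asks whether the 'Bogon' address 172.31.0.50 in the FRST whitelist is a concern. As context for the classifier below: 172.31.0.50 falls inside 172.16.0.0/12, one of the RFC 1918 private ranges, which public routers do not carry; such an address in a local allow-list is usually a LAN device (router, printer, another PC) rather than a remote internet host, whereas 163.244.76.254 and 212.27.40.240 are ordinary public addresses. The following is an added example, not code from the forum thread or from Malwarebytes/FRST, that checks a list of addresses against the well-known special-use ("bogon") ranges using only Python's standard ipaddress module. The three sample addresses are the ones quoted in the posts; the labels and the RFC references are the editor's own.

```python
import ipaddress

# Special-use IPv4 ranges that should not appear as public internet peers.
# Drawn from the IANA special-purpose address registry; the RFC numbers
# are given for reference and the list is not exhaustive (e.g. no IPv6).
BOGON_NETWORKS = [
    ("0.0.0.0/8",        "this network (RFC 1122)"),
    ("10.0.0.0/8",       "private (RFC 1918)"),
    ("100.64.0.0/10",    "shared address space / CGNAT (RFC 6598)"),
    ("127.0.0.0/8",      "loopback (RFC 1122)"),
    ("169.254.0.0/16",   "link-local (RFC 3927)"),
    ("172.16.0.0/12",    "private (RFC 1918)"),
    ("192.0.0.0/24",     "IETF protocol assignments (RFC 6890)"),
    ("192.0.2.0/24",     "TEST-NET-1 (RFC 5737)"),
    ("192.168.0.0/16",   "private (RFC 1918)"),
    ("198.18.0.0/15",    "benchmarking (RFC 2544)"),
    ("198.51.100.0/24",  "TEST-NET-2 (RFC 5737)"),
    ("203.0.113.0/24",   "TEST-NET-3 (RFC 5737)"),
    ("224.0.0.0/4",      "multicast (RFC 5771)"),
    ("240.0.0.0/4",      "reserved / broadcast (RFC 1112)"),
]

# Pre-parse the networks once so repeated lookups are cheap.
_PARSED_BOGONS = [(ipaddress.ip_network(net), label) for net, label in BOGON_NETWORKS]


def classify_ip(addr: str) -> str:
    """Return 'public', 'bogon: <reason>', 'ipv6 (not checked here)' or 'invalid'.

    Only IPv4 is classified; malformed input is reported rather than raised,
    since lines copied out of a log or FRST report may carry stray text.
    """
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return "invalid"
    if ip.version != 4:
        return "ipv6 (not checked here)"
    for network, label in _PARSED_BOGONS:
        if ip in network:
            return f"bogon: {label}"
    return "public"


def classify_all(addrs):
    """Classify every address in an iterable; returns {address: verdict}."""
    return {addr: classify_ip(addr) for addr in addrs}


if __name__ == "__main__":
    # The three addresses quoted in the forum posts above (constructed sample input).
    sample = ["172.31.0.50", "163.244.76.254", "212.27.40.240", "not-an-ip"]
    for addr, verdict in classify_all(sample).items():
        print(f"{addr:>16}  {verdict}")
```

A 'bogon' verdict here means the address is not a routable public host, so a whitelist entry for it points at something on the local network; a 'public' verdict is the case where a WHOIS lookup of the owner (as the posts do for the Dell and Free/Iliad addresses) is the sensible next step.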