Malbert
Posts: 10
Posts posted by Malbert
VICTORY!
The remnants of the malware remained in the Firefox tiles!
When cleaning out the system, I made the very useful error of failing to clear the history.
I didn't imagine that the problem would lie there.
It was a Firefox helper (jscher2000) who suggested that it could be the tiles.
... and it was.
Firefox Application Error
unknown software exception (0xc0000409) occurred in the application at location 0x00406b64
This still exists.
Whether it is a leftover of malware removal ... maybe we'll never know.
I guess that I must bite the bullet and go for a re-install.
However, the malware connection to the bad ip address is gone.
That's the victory :)
Ha!
Bloody marvelous?
-
Hello everybody ... I have a suggestion.
I am currently working on cracking some malware that has escaped identification by AVG real time, and subsequently by Malwarebytes, SpyBot, Superantispyware, ETES, Hitman.
The initial tags were based upon what I knew at the time of first posting.
However ... knowledge has been gained.
I've tracked the source of the malware down to (I am almost certain) putrr18.com.
Searching putrr18.com brings lots of malware reports, and how to get rid of it.
It no longer identifies the domain name.
Instead it uses IP addresses:
198.134.112.241
198.134.112.242
198.134.112.243
198.134.112.244
Either way, it might be best if the tags could be edited, to include the new tag search information.
You can see the evolution of knowledge acquisition in my thread:
What it shows is that there could be reason for editing the tags, to home in on relevance.
It's a thought.
RE the malware ... I haven't cracked it yet ... but good progress has been made.
If anybody reading this thinks that they can help
... we have the possibility to defeat malware that is currently defeating everybody.
That would be a win?
-
Progress (perhaps)
Searching ipinfo.io I found this:
https://ipinfo.io/198.134.112.242
Route 198.134.112.0/20. This was the closest to 198.134.112.243.
I presume that it is in the block of 98 addresses
198.134.112.242 putrr18.com 98
Upon searching putrr18.com I found lots of links to removing it as a virus.
I reckon that this must be it?
------------
Further ... I note that Malwarebytes is blocking addresses:
241
242
243
244
I.e. it is not just .243
----------
I ran a search on files containing the words putrr18.com - nothing found.
I'm now trying a search for 198.134.112.243
It showed up ... but only in a question that I put to Mozilla :(
-----------
This site http://greatis.com/blog/howto/remove-putrr18-com-forever.htm
claims that an app UnHackMe will remove the putrr18.com virus, but it may be out of date, as the new virus doesn't mention the site name.
This site https://malwaretips.com/blogs/remove-putrr18-com/
suggests using Malwarebytes, Hitman, and Zemana (as a last resort)
Does anyone have any knowledge of these tools, UnHackMe and Zemana?
----------
Clearly this malware is very well hidden.
-
Refreshed Firefox 52.9 (rather than re-install, as it was suggested that refresh should fix the problems).
Ran IP Location Find:
Geolocation data from ipinfo.io (Product: API, real-time)
IP Address: 198.134.112.243
Country: United States
Region: New York
City: Westbury
ISP: Webair Internet Development Company Inc.
Organization: Webair Internet Development Company Inc.
Latitude: 40.7570
Longitude: -73.5814
AND
New tab in Firefox is still displaying:
unknown software exception (0xc0000409) occurred in the application at location 0x00406b64
So far, a lot of work, but no success.
Maybe I must try a reinstall of Firefox.
Has anyone gone through this problem?
-
Opening a new Firefox tab:
unknown software exception (0xc0000409) occurred in the application at location 0x00406b64
I appear to have fixed this problem, by disabling 'HTML5 video everywhere'.
However, Malwarebytes is still blocking 198.134.112.243 (outbound)
What is causing this connection, I wonder.
-
Malwarebytes blocked 198.134.112.243 (outbound)
I got this checked on scanurl.net and the result was that it is not a valid URL.
So Malwarebytes is identifying a malicious website, but I am struggling to know what it is, and why Firefox is trying to connect to it.
Also, the software that is causing the connection hasn't been picked up as malicious.
Does anybody have any thoughts on this conundrum?
-
On another thread, I noted that someone had identified a threat by using ESET scanner.
I researched this app ... apparently it can give a false positive (to get you to buy), but otherwise it was stated to be a superior malware scanner, as compared to the free scanners.
How true this statement is, I obviously don't know ... but I gave it a whirl.
Here is what it found (after other apps had declared the system clear):
Win32/CNETInstaller.B potentially unwanted application
C:\Documents and Settings\Ace Administrator\Application Data\Sun\Java\jre1.7.0_51\java_sp.dll a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application
C:\Documents and Settings\Ace Administrator\Desktop\Unused Desktop Shortcuts\Old Firefox Data\extensions\4fdacf00-e9c4-4ad5-b4cf-bf9800f184f6@36857116-74e0-4973-936f-860cd2a102a9.com\chrome\content\core\delegate.js JS/Toolbar.Crossrider.AS potentially unwanted application
C:\Documents and Settings\Ace Administrator\Desktop\Unused Desktop Shortcuts\Old Firefox Data\extensions\4fdacf00-e9c4-4ad5-b4cf-bf9800f184f6@36857116-74e0-4973-936f-860cd2a102a9.com\chrome\content\core\xhr.js JS/Toolbar.Crossrider.G potentially unwanted application
C:\Documents and Settings\Ace Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\hcimhbfpiofdihhdnofbdlhjcmjopilp\1.0_0\popup.js JS/Adware.Laitis.A application
C:\Documents and Settings\Ace Administrator\My Documents\Downloads\cbsidlm-cbsi134-Clean_Disk_Security-ORG-10052111.exe a variant of Win32/CNETInstaller.B potentially unwanted application
C:\Documents and Settings\Ace Administrator\My Documents\Downloads\cbsidlm-cbsi134-HD_Tune-ORG-10974407.exe a variant of Win32/CNETInstaller.B potentially unwanted application
C:\Documents and Settings\Ace Administrator\My Documents\Downloads\cbsidlm-cbsi145-Freemake_Video_Converter-ORG-75218346.exe a variant of Win32/CNETInstaller.B potentially unwanted application
C:\Documents and Settings\Ace Administrator\My Documents\Downloads\cbsidlm-cbsi145-Free_MOV_to_WMV_Converter-ORG-75894393.exe a variant of Win32/CNETInstaller.B potentially unwanted application
C:\Documents and Settings\Ace Administrator\My Documents\Downloads\cbsidlm-cbsi145-Photo_Pos_Pro-BP-10264444.exe a variant of Win32/CNETInstaller.B potentially unwanted application
C:\Documents and Settings\Ace Administrator\My Documents\Downloads\cbsidlm-cbsi145-VSDC_Free_Video_Editor-ORG-75764187.exe a variant of Win32/CNETInstaller.B potentially unwanted application
C:\Documents and Settings\Ace Administrator\My Documents\Downloads\ccsetup405.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application
C:\Documents and Settings\Ace Administrator\My Documents\Downloads\ccsetup531.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application
C:\Documents and Settings\Ace Administrator\My Documents\Downloads\cdbxp_setup_4.5.8.6795.exe a variant of Win32/FusionCore.Q potentially unwanted application,a variant of Win32/FusionCore.T potentially unwanted application
C:\Documents and Settings\Ace Administrator\My Documents\Downloads\dfsetup218.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application
C:\Documents and Settings\Ace Administrator\My Documents\Downloads\dfsetup219.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application
C:\Documents and Settings\Ace Administrator\My Documents\Downloads\dfsetup221 (1).exe Win32/Bundled.Toolbar.Google.D potentially unsafe application
C:\Documents and Settings\Ace Administrator\My Documents\Downloads\dfsetup221.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application
C:\Documents and Settings\Ace Administrator\My Documents\Downloads\firebug.exe a variant of Win32/DownloadSponsor.C potentially unwanted application
C:\Documents and Settings\Ace Administrator\My Documents\Downloads\Flash-2017.zip JS/TrojanDownloader.Nemucod.CWZ trojan
C:\Documents and Settings\Ace Administrator\My Documents\Downloads\notepad.exe a variant of Win32/DownloadSponsor.C potentially unwanted application
C:\Documents and Settings\Ace Administrator\My Documents\Downloads\tb_free.exe a variant of Win32/FusionCore.L potentially unwanted application
C:\Documents and Settings\Khaled Shbib\My Documents\Downloads\cbsidlm-cbsi118-Wise_Disk_Cleaner-ORG-10613345.exe a variant of Win32/CNETInstaller.B potentially unwanted application
C:\Documents and Settings\Khaled Shbib\My Documents\Downloads\dfsetup214.exe Win32/Bundled.Toolbar.Google.E potentially unsafe application
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\8PIRC5AV\wajam_update[1].exe Win32/Adware.Wajam.BE application
C:\Endoscope\DriverInstall_IncludeDX9.0c.rar Win32/Agent.RNS trojan
C:\Program Files\Freemake\Freemake Video Converter\SetupUpdate.exe a variant of Win32/Freemake.A potentially unwanted application,a variant of Win32/OpenCandy.A potentially unsafe application
C:\ZZ_Oli_usb\General Folder\cbsidlm-cbsi188-EaseUS_Partition_Master_Free_Edition-ORG-10863346.exe a variant of Win32/CNETInstaller.B potentially unwanted application
After examining the list, I decided to clean them all.
Most were potentially unwanted or unsafe.
A couple of trojans in zip files, and some browser-related adware and pop-ups.
Nothing jumped out at me as being a serious active risk (what do I know??), but I must presume that it eliminated some dodgy software.
Post Quarantine
Before closing the ESET scan window (as advised), I loaded Firefox and Chrome, to confirm that they still worked.
I then rebooted.
Opening a new Firefox tab:
unknown software exception (0xc0000409) occurred in the application at location 0x00406b64
Malwarebytes blocked 198.134.112.243 (outbound)
Ha!
So this hasn't changed.
Maybe I need to force an update for Firefox ... just had a quick look, and didn't see such an option, but I'll look closer.
Mouse
It's still working fine.
Conclusion
It's still a fog, regarding what happened with the mouse.
... why it suddenly began working fine.
Any independent engineer possessing 'concept to production' capabilities will recognise and appreciate coincidental 'detrimental action/effects on an ongoing basis'.
The difficulty is in separating genuine coincidence from standard practice.
In many cases, malpractice is evident and repeatably testable ... but it is not always the case.
The Firefox software exception and the Malwarebytes blocking of 198.134.112.243 (outbound) do appear to be linked, but this may simply be a coincidence.
Does anybody have any thoughts?
... and what is this site 198.134.112.243 (that Firefox is trying to connect to)?
Edit:
Just checked, and Firefox is set to auto update.
Maybe I must reinstall, but that's always a worry...
-
I was using AVG anti-virus and mb3-setup-consumer-3.1.2.1733.exe
Mouse behaviour
If left untouched for a period, my mouse needed a button click in order to function.
It seemed to be moving slowly, and would drift upwards when hovering over a link.
Modded the setup to max speed, but it still wasn't right.
(In all my decades of computing, I've never experienced this mouse behaviour.)
I had watched F1 via a stream - many such streams launch an advert in a new window if the stream page is clicked.
This would be a good way of forcing the user to click the page.
Opening a new Firefox tab:
unknown software exception (0xc0000409) occurred in the application at location 0x00406b64
Malwarebytes scan
Tried to run a Malwarebytes scan, but it wouldn't run.
Spybot found nothing threatening.
Installed SUPERAntiSpyware - it found no threats.
Chameleon
Ran Chameleon - option 2 worked - it suggested that I upgrade, which I did to 3.5.1
However, 3.5 wouldn't launch.
Uninstalled it and reinstalled 3.1
Option 2 no longer worked ... I think it was option 8 that worked ... I ran a scan ... zero threats.
Note: each time an option wouldn't work, it would stop at 'enabling driver', requiring a reboot every time.
Testing the 13 options took a long time.
3.5.1
Reinstalled 3.5.1 - it wouldn't launch, but it did launch the following day (maybe it needed a reboot).
Ran a scan - zero threats.
------------------------
I finally finished a big report last night.
Today, booted the PC ... Malwarebytes blocked 198.134.112.243 (outbound) - I hadn't launched a connection to that site.
I am alerted at regular intervals of this site being blocked.
-Blocked Website Details-
Malicious Website: 1 , , Blocked, [-1], [-1],0.0.0
-Website Data-
Category: Unspecified
Domain:
IP Address: 198.134.112.243
Port: [0]
Type: Outbound
File:
Loaded scanurl.net in Firefox - https crossed out, and the URL input box did not display.
Loaded scanurl.net in Chrome - https displayed - the URL input boxes appeared momentarily, then disappeared, and were inaccessible.
Checked the site in Google Transparency Report and PhishTank - result: clean
I noticed that the mouse was now functioning correctly!!!
------------
What to do?
Is it possible that malware can be switched on and off?
Does anybody recognise this strange mouse behaviour?
Might the mouse be working correctly because 198.134.112.243 is now being blocked?
Could this be simple suppression - general time-wasting aspect of a varied package of measures?
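The two things the poster is trying to join up by hand are the Malwarebytes "-Blocked Website Details-" records that fire at intervals and the ipinfo.io route (198.134.112.0/20) he found for the neighbouring address. The script below is an added example, not code from the original thread or from Malwarebytes: it parses records in the shape quoted above, counts how often each destination is blocked, checks each address against the announced route and against the four addresses the poster listed, and flags records whose File field is empty (the reason the originating program could not be identified). The log text is constructed for the example; the second record, with the address 203.0.113.7, the domain example.invalid and the file path, is invented for contrast.

```python
import ipaddress
import re
from collections import Counter

# Route quoted in the thread from ipinfo.io for 198.134.112.242.
ANNOUNCED_ROUTE = ipaddress.ip_network("198.134.112.0/20")

# The four addresses the poster reported Malwarebytes blocking.
REPORTED_BLOCKED = {
    "198.134.112.241", "198.134.112.242",
    "198.134.112.243", "198.134.112.244",
}

# Constructed sample log: the poster's record repeated, as it would be when the
# alert fires at intervals, plus one invented record (203.0.113.7) for contrast.
SAMPLE_LOG = """
-Blocked Website Details-
Malicious Website: 1 , , Blocked, [-1], [-1],0.0.0
-Website Data-
Category: Unspecified
Domain:
IP Address: 198.134.112.243
Port: [0]
Type: Outbound
File:

-Blocked Website Details-
Malicious Website: 1 , , Blocked, [-1], [-1],0.0.0
-Website Data-
Category: Unspecified
Domain:
IP Address: 198.134.112.243
Port: [0]
Type: Outbound
File:

-Blocked Website Details-
Malicious Website: 1 , , Blocked, [-1], [-1],0.0.0
-Website Data-
Category: Unspecified
Domain: example.invalid
IP Address: 203.0.113.7
Port: [443]
Type: Outbound
File: C:\\constructed\\sample.exe
"""

# "Key: value" lines; the "-Website Data-" separator starts with "-" and is skipped.
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]*):[ \t]*(.*)$", re.MULTILINE)


def parse_blocked_records(text):
    """Split a Malwarebytes report into one dict of fields per blocked-website record."""
    records = []
    for chunk in text.split("-Blocked Website Details-")[1:]:
        fields = {key.strip(): value.strip() for key, value in FIELD_RE.findall(chunk)}
        if "IP Address" in fields:
            records.append(fields)
    return records


def classify(record):
    """Triage one record: route membership, prior sightings, and whether a process was named."""
    ip = ipaddress.ip_address(record["IP Address"])
    return {
        "ip": str(ip),
        "domain": record.get("Domain") or None,          # empty Domain means no name was resolved
        "port": record.get("Port", ""),
        "direction": record.get("Type", ""),
        "in_announced_route": ip in ANNOUNCED_ROUTE,     # same /20 as the ipinfo.io route
        "previously_reported": str(ip) in REPORTED_BLOCKED,
        "has_process_path": bool(record.get("File")),    # empty File: originating program unknown
    }


def summarize(text):
    """Return (per-record triage list, Counter of blocked destinations)."""
    triage = [classify(r) for r in parse_blocked_records(text)]
    return triage, Counter(t["ip"] for t in triage)


if __name__ == "__main__":
    triage, counts = summarize(SAMPLE_LOG)
    for ip, n in counts.items():
        print(f"{ip}: blocked {n} time(s)")
    for t in triage:
        print(t)
```

Run against a real saved Malwarebytes report, the count per address answers "how often is this firing", and a record with `has_process_path` False is one where the product did not attribute the connection to a program, which is exactly the gap the poster ran into.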
Thread: Editing tags when new relevance is discovered (in Forums Announcements & Feedback)
Also, I can't find a way to mark the thread as solved.
Yes .... victory!