
Potential Infection through Craigslist


gerik


Earlier today my father was on this computer and he went to look at Craigslist. He told me later that when he originally tried he somehow got to eBay. When I looked at the history in the browser it appeared he had just gone to eBay and it wasn't a redirection, so I just deleted the eBay entry from the history (he isn't computer savvy so there is no telling what actually happened with that). However, I noticed afterwards that there was an entry in the history for a URL from Craigslist that looked suspicious to me, and here is the link to VirusTotal scanning it, which displays the URL in question: https://www.virustotal.com/en/url/b2415619416fe27a2a7a365ab0070f071c88e518c6b1dba666c28aa29b684ff7/analysis/1455908816/

 

When I did this I saw that it said there was a file analysed as well with this being the file analysed: https://www.virustotal.com/en/file/7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6/analysis/1455908371/

 

Though the page says it's trusted, there are many people voting it down saying it's malicious.

 

I have run TDSSKiller, Norton Power Eraser, Norton Quick Scan, AdwCleaner, and Malwarebytes without finding anything.

 

As a note I ran FRST whilst logged onto a non-administrator account but ran it as administrator so hopefully that didn't mess anything up.

 

With all the scans I have run, is it safe to assume that it's clean?

 

Addition.txt

FRST.txt


Hello and welcome to Malwarebytes,

Please be aware the following P2P/Piracy Warning is a standard opening reply made here at Malwarebytes, we make no accusations but do make you aware of Forum Protocol....

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here. Failure to remove or disable such software will result in your topic being closed and no further assistance being provided. If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.


Anyone other than the original starter of this thread please DO NOT follow the instructions and advice posted as replies here, my help and advice is NOT related to your system and will probably cause more harm than good...
 

I do not see any obvious malware or infection in those logs, run one more scan.....

 

Download Dr Web Cureit from here http://www.freedrweb.com/cureit save to your desktop. (Scroll to bottom of page)

  • The file will be randomly named
  • Reboot to safe mode <<<<<------------ http://www.computerhope.com/issues/chsafe.htm
  • Run Dr Web
  • Tick the I agree box and select continue
  • Click select objects for scanning



  • Tick all boxes as shown
  • Click the wrench and select automatically apply actions to threats



  • Press start scan
  • The scan will now commence



  • Once the scan has finished click open report <<<--- Do not miss this step



  • A notepad will open
  • Select File > Save as..
  • Save it to your desktop



This log will be excessive, please attach it to your next reply…
 

Thank you,

 

Kevin...


Yes when you d/l DrWeb the version is current... I would say your system is clean......

 

Download "Delfix by Xplode" and save it to your desktop.

Or use the following if first link is down:

"Delfix link mirror"

If your security program alerts to Delfix either, accept the alert or turn your security off.

Double Click to start the program. If you are using Vista or higher, please right-click and choose run as administrator

Make Sure the following items are checked:



  • Remove disinfection tools



Now click on "Run" and wait patiently until the tool has completed.

The tool will create a log when it has completed. We don't need you to post this.

Any remnant files/logs from tools we have used can be deleted…

 

Next,

 

Read the following links to fully understand PC Security and Best Practices, you may find them useful....

Answers to Common Security Questions and best Practices

Do I need a Registry Cleaner?

Take care and surf safe

Kevin...


 


Thank you for your help. I have run Delfix and deleted the remnant files. All I can do now is monitor whether or not the Craigslist-eBay redirection event occurs again and have my dad show me when it happens so I can look into it to see if there is a problem or what exactly happened with that.


Ok, I'll leave the thread open for another 5 days, post back if the issue returns..... An excellent link checker for the default browser is DrWeb Anti-Virus link checker, available at the following link:

 

http://free.drweb-av.es/linkchecker/internet+explorer/?lng=en

 

I recommend that extension for all browsers.....

 

Kevin..


I was poking around in my router settings today and I checked the logs, which I rarely do, and I saw some strange entries. I researched them but I'm still not sure whether to worry about them or not. Since the time they say I haven't seen them again, but I will probably check for a couple of days to see if they return.

Do you think this is something to worry about?

 

Here are the log entries in question.

 

[self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, Feb 19,2016 08:55:36
[self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, Feb 19,2016 08:55:18
[self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, Feb 19,2016 08:54:55
[self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, Feb 19,2016 08:52:52
[self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, Feb 19,2016 08:52:27
[self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, Feb 19,2016 08:52:01
[self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, Feb 19,2016 08:51:12
[self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, Feb 19,2016 08:50:46
[self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, Feb 19,2016 08:50:21
[self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, Feb 19,2016 08:49:57
[self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, Feb 19,2016 08:49:31
[self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, Feb 19,2016 08:49:07
[self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, Feb 19,2016 08:48:42
[self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, Feb 19,2016 08:48:17
[self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, Feb 19,2016 08:47:52
[self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, Feb 19,2016 08:47:25
[self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, Feb 19,2016 08:47:01
[self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, Feb 19,2016 08:46:11
[self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, Feb 19,2016 08:45:46
[self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, Feb 19,2016 08:45:21
[self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, Feb 19,2016 08:44:56
[self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, Feb 19,2016 08:44:31
[self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, Feb 19,2016 08:44:07
[self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, Feb 19,2016 08:43:26
[self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, Feb 19,2016 08:43:01
[self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, Feb 19,2016 08:41:50
[self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, Feb 19,2016 08:40:50
[self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, Feb 19,2016 08:39:00
[self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, Feb 19,2016 08:38:28
[self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, Feb 19,2016 08:38:13
[self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, Feb 19,2016 08:37:43
[self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, Feb 19,2016 08:37:15
[self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, Feb 19,2016 08:36:59
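As an added example, not part of the thread, a small Python parser for the router log format quoted above: it decodes the hex ICMP type the log prints (type b is 0x0b = 11, Time Exceeded per the IANA ICMPv4 type numbers) and lists the spacing between events, which is the first thing to look at when deciding whether a burst like this is a concern. The sample lines are constructed copies of the quoted format.

```python
import re
from datetime import datetime

# Constructed sample in the same format as the router log quoted in the thread.
SAMPLE_LOG = """\
[self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, Feb 19,2016 08:55:36
[self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, Feb 19,2016 08:55:18
[self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, Feb 19,2016 08:54:55
[self2WAN ICMP type b Detected!] To prevent from revealing router's activity, this packet is droppe Friday, Feb 19,2016 08:52:52
"""

# IANA ICMPv4 type numbers for the types a consumer router log commonly reports.
# The log prints the type in hex, so "type b" is 0x0b = 11 (Time Exceeded).
ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable",
              8: "Echo Request", 11: "Time Exceeded"}

# "self2WAN" is the router's own label for the direction; it is kept as-is.
LINE_RE = re.compile(
    r"\[(?P<dir>\w+) ICMP type (?P<type>[0-9a-f]+) Detected!\].*?"
    r"(?P<ts>\w+, \w+ \d+,\d{4} \d{2}:\d{2}:\d{2})$")


def parse_log(text):
    """Parse log lines into events sorted oldest-first; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%A, %b %d,%Y %H:%M:%S")
        events.append({"direction": m.group("dir"),
                       "icmp_type": int(m.group("type"), 16),
                       "time": ts})
    return sorted(events, key=lambda e: e["time"])


def summarize(events):
    """Count events by (direction, ICMP type name) and return the gaps in seconds
    between consecutive events; regular gaps point to a periodic source rather than
    a one-off."""
    counts = {}
    for e in events:
        name = ICMP_TYPES.get(e["icmp_type"], f"type {e['icmp_type']}")
        key = (e["direction"], name)
        counts[key] = counts.get(key, 0) + 1
    gaps = [int((b["time"] - a["time"]).total_seconds())
            for a, b in zip(events, events[1:])]
    return counts, gaps


if __name__ == "__main__":
    print(summarize(parse_log(SAMPLE_LOG)))
```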

Also, when I looked further at the logs I saw what the highest IP was and tried to account for all of them; however, I had an apparent .8 IP address missing (as in like *.*.*.8). I have accounted for all but it. I have addresses higher than .8 accounted for, though I haven't seen an actual .8 in the logs. I have two theories; however, one is a laptop that I took out of commission over a year ago, and my router shouldn't be giving out higher IP addresses than it without replacing the IP. The other is a family member's smartphone; however, I believe it has been over a month since their last visit. Would my router, when it reaches its 1 month IP address leases, renew an IP of like .9 to a device that was using it over giving it a lower unused one? The devices are set up for automatic IP address. Otherwise it may be possible someone accessed my wireless network without my knowledge. In any case I have changed the wireless password, so if there was, they can't anymore.


I remembered another old device and hooked it up, and it took over its old preferred IP, and the device that was using that IP last night became .8 when accessing the router this morning, so I believe I got that predicament taken care of. That leaves whether or not the self2WAN should be considered a concern or not. I checked the logs this morning and it hadn't occurred.


Sorry to keep bothering you, but I had a couple more questions. One is a general question and the other concerns what you think was going on with the Craigslist thing.

 

I tested a couple more URLs through VirusTotal and they came back with the same results, saying the same file was downloaded. (Though earlier in the week the file name changed to being settings.ini and gave the same results, but it's now back to the random name).

https://www.virustotal.com/en/url/3e4283ac17a1b0c129b80710761e511310399abd508e819f369a22357f3b2c09/analysis/1456203554/

https://www.virustotal.com/en/url/7a5c889c2ea1abda973f3dec5afd30a6388ba8fe85774b34a486398cca9518a2/analysis/1456203678/

 

Do you have any idea of what is going on with that?

 

My other question is that sometimes I see if websites are safe by using Google Safe Browsing, and they changed it last year and the results are confusing now. They used to say when the last time was that they saw something malicious on the site. However, they don't any longer. My question is concerning results like below:

https://www.google.com/transparencyreport/safebrowsing/diagnostic/#url=netgear.com

 

At the top it says Not Dangerous and that they hadn't seen malicious content recently. However, just below that it says "Some pages install malware." "Some pages send you to dangerous sites" "Some dangerous sites send users here." Which is confusing, as it says above that it's Not Dangerous yet there it says it is. Does this mean that the site still contains something malicious?


The problem with website access (such as Craigslist) is having the correct address (URL). Let's say you want to find the Craigslist website, you do a Google search. The list that Google puts up may include, or probably will include, infected or exploited sites as well as good sites. It is imperative to know which is which; if you choose an exploited site then problems happen..

 

Your browser should have protection in place to avoid connecting to a poisoned site.... My security is Kaspersky, it automatically checks sites for me in a Google site list. So the Google produced list will have a green KIS sign at the end if the entries are safe. I also use Web of Trust (WOT), it puts a small circle at the end of an entry. Both give colour identification: Green is good, Amber is suspect, Red is exploited and or dangerous. There is also a grey colour for unknown.

 

I've attached a portion image of a Google search list for Craigslist, notice the green symbols.....

 

I also have DrWeb Anti-Virus Link Checker running for all browsers, another protection level....

 

Web of Trust - https://www.mywot.com/en/download

 

DrWeb AV link Check - http://free.drweb.com/linkchecker/?lng=en

 

Regarding the Google safe browsing, I guess they are just reminding you that at present that site is clean, but may have in the past been exploited. Also some sites accessed may show as clean, however when the site is opened a backdoor exploit can kick in and take you somewhere totally different....

 

I can at times visit known exploited sites, I always open such sites safely with a program called Sandboxie. Have a look here: http://www.sandboxie.com/

 

Does that help you?

 

Kevin...


My antivirus is Norton, and the link checking and showing if safe is kept behind the use of their toolbar. So if I want that I will have to let my homepage and search results be hijacked to Ask. However, as far as I know it should still protect me from opening malicious sites and some exploited sites without the use of the toolbar. I do make use of AdBlock and MBAE to protect against malicious ads and iframe redirects.


If any software that I want to use includes anything to do with ASK I remove or do not allow it to install. Totally a "not wanted" option to endure for the use of any software... Software developers use such bundled adware to generate payment to cover the costs of freeware...

 

What is the current status of your system, do you have any remaining issues or concerns...

 

Cheers,

 

Kevin


Yea, that is why I don't allow Norton Toolbar on my browsers. My father is the one who looks through Craigslist and he hasn't been over since the scare. I did set up a bookmark for it for him to go straight there to prevent whatever he did to go to eBay when trying for Craigslist. Though I'm still unsure of what is going on with VirusTotal saying all those Craigslist pages are downloading the same file. I guess I just have to hope it's nothing malicious and will just need to continue doing my normal antivirus and antimalware scans and look out for any signs of malware.


  • 2 weeks later...
  • Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
