Malbert Posted August 2, 2018 ID:1261069

I was using AVG anti virus and mb3-setup-consumer-3.1.2.1733.exe

Mouse behaviour

If left untouched for a period, my mouse needed a button click in order to function. It seemed to be moving slowly, and would drift upwards, when hovering over a link. Modded the setup to max speed, but it still wasn't right. (In all my decades of computing, I've never experienced this mouse behaviour)

I had watched F1 via a stream - many such streams launch an advert new window if the stream page is clicked. This would be a good way of forcing the user to click the page.

Opening a new firefox tab : unknown software exception (0xc0000409) occurred in the application at location 0x00406b64

Malwarebytes scan

Tried to run a Malwarebytes scan, but it wouldn't run. Spybot found nothing threatening. Installed super antispyware - it found no threats.

Chameleon

Ran chameleon - option 2 worked - it suggested that I upgrade, which I did to 3.5.1. However, 3.5 wouldn't launch. Uninstalled it and reinstalled 3.1. Option 2 no longer worked ... I think it was option 8 that worked ... I ran a scan ... zero threats.

Note: each time an option wouldn't work, it would stop at 'enabling driver' requiring a reboot every time. Testing the 13 options took a long time.

3.5.1

Reinstalled 3.5.1 - it wouldn't launch, but it did launch the following day (maybe it needed a reboot). Ran a scan - zero threats.

------------------------

I finally finished a big report last night. Today, booted the PC ...

Malwarebytes blocked 198.134.112.243 (outbound) - I hadn't launched a connection to that site. I am alerted at regular intervals of this site being blocked.

-Blocked Website Details-
Malicious Website: 1
, , Blocked, [-1], [-1],0.0.0

-Website Data-
Category: Unspecified
Domain:
IP Address: 198.134.112.243
Port: [0]
Type: Outbound
File:

Loaded scanurl.net in Firefox - https crossed out, and the url input box did not display.

Loaded scanurl.net in Chrome - https displayed - the url input boxes appeared momentarily, then disappeared, and were inaccessible.

Checked the site in google transparency and phishtank - result : clean

I noticed that the mouse was now functioning correctly!!!

------------

What to do?

Is it possible that malware can be switched on and off?

Does anybody recognise this strange mouse behaviour?

Might the mouse be working correctly because 198.134.112.243 is now being blocked?

Could this be simple suppression - general time-wasting aspect of a varied package of measures?

Malbert Posted August 2, 2018 Author ID:1261147 (edited)

On another thread, I noted that someone had identified a threat by using ESET scanner. I researched this app ... apparently it can give a false positive (to get you to buy), but otherwise it was stated to be a superior malware scanner, as compared to the free scanners. How true this statement is, I obviously don't know ... but I gave it a whirl.

Here is what it found (after other apps had declared the system clear):

Win32/CNETInstaller.B potentially unwanted application
C:\Documents and Settings\Ace Administrator\Application Data\Sun\Java\jre1.7.0_51\java_sp.dll a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application
C:\Documents and Settings\Ace Administrator\Desktop\Unused Desktop Shortcuts\Old Firefox Data\extensions\4fdacf00-e9c4-4ad5-b4cf-bf9800f184f6@36857116-74e0-4973-936f-860cd2a102a9.com\chrome\content\core\delegate.js JS/Toolbar.Crossrider.AS potentially unwanted application
C:\Documents and Settings\Ace Administrator\Desktop\Unused Desktop Shortcuts\Old Firefox Data\extensions\4fdacf00-e9c4-4ad5-b4cf-bf9800f184f6@36857116-74e0-4973-936f-860cd2a102a9.com\chrome\content\core\xhr.js JS/Toolbar.Crossrider.G potentially unwanted application
C:\Documents and Settings\Ace Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\hcimhbfpiofdihhdnofbdlhjcmjopilp\1.0_0\popup.js JS/Adware.Laitis.A application
C:\Documents and Settings\Ace Administrator\My Documents\Downloads\cbsidlm-cbsi134-Clean_Disk_Security-ORG-10052111.exe a variant of Win32/CNETInstaller.B potentially unwanted application
C:\Documents and Settings\Ace Administrator\My Documents\Downloads\cbsidlm-cbsi134-HD_Tune-ORG-10974407.exe a variant of Win32/CNETInstaller.B potentially unwanted application
C:\Documents and Settings\Ace Administrator\My Documents\Downloads\cbsidlm-cbsi145-Freemake_Video_Converter-ORG-75218346.exe a variant of Win32/CNETInstaller.B potentially unwanted application
C:\Documents and Settings\Ace Administrator\My Documents\Downloads\cbsidlm-cbsi145-Free_MOV_to_WMV_Converter-ORG-75894393.exe a variant of Win32/CNETInstaller.B potentially unwanted application
C:\Documents and Settings\Ace Administrator\My Documents\Downloads\cbsidlm-cbsi145-Photo_Pos_Pro-BP-10264444.exe a variant of Win32/CNETInstaller.B potentially unwanted application
C:\Documents and Settings\Ace Administrator\My Documents\Downloads\cbsidlm-cbsi145-VSDC_Free_Video_Editor-ORG-75764187.exe a variant of Win32/CNETInstaller.B potentially unwanted application
C:\Documents and Settings\Ace Administrator\My Documents\Downloads\ccsetup405.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application
C:\Documents and Settings\Ace Administrator\My Documents\Downloads\ccsetup531.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application
C:\Documents and Settings\Ace Administrator\My Documents\Downloads\cdbxp_setup_4.5.8.6795.exe a variant of Win32/FusionCore.Q potentially unwanted application,a variant of Win32/FusionCore.T potentially unwanted application
C:\Documents and Settings\Ace Administrator\My Documents\Downloads\dfsetup218.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application
C:\Documents and Settings\Ace Administrator\My Documents\Downloads\dfsetup219.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application
C:\Documents and Settings\Ace Administrator\My Documents\Downloads\dfsetup221 (1).exe Win32/Bundled.Toolbar.Google.D potentially unsafe application
C:\Documents and Settings\Ace Administrator\My Documents\Downloads\dfsetup221.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application
C:\Documents and Settings\Ace Administrator\My Documents\Downloads\firebug.exe a variant of Win32/DownloadSponsor.C potentially unwanted application
C:\Documents and Settings\Ace Administrator\My Documents\Downloads\Flash-2017.zip JS/TrojanDownloader.Nemucod.CWZ trojan
C:\Documents and Settings\Ace Administrator\My Documents\Downloads\notepad.exe a variant of Win32/DownloadSponsor.C potentially unwanted application
C:\Documents and Settings\Ace Administrator\My Documents\Downloads\tb_free.exe a variant of Win32/FusionCore.L potentially unwanted application
C:\Documents and Settings\Khaled Shbib\My Documents\Downloads\cbsidlm-cbsi118-Wise_Disk_Cleaner-ORG-10613345.exe a variant of Win32/CNETInstaller.B potentially unwanted application
C:\Documents and Settings\Khaled Shbib\My Documents\Downloads\dfsetup214.exe Win32/Bundled.Toolbar.Google.E potentially unsafe application
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\8PIRC5AV\wajam_update[1].exe Win32/Adware.Wajam.BE application
C:\Endoscope\DriverInstall_IncludeDX9.0c.rar Win32/Agent.RNS trojan
C:\Program Files\Freemake\Freemake Video Converter\SetupUpdate.exe a variant of Win32/Freemake.A potentially unwanted application,a variant of Win32/OpenCandy.A potentially unsafe application
C:\ZZ_Oli_usb\General Folder\cbsidlm-cbsi188-EaseUS_Partition_Master_Free_Edition-ORG-10863346.exe a variant of Win32/CNETInstaller.B potentially unwanted application

After examining the list, I decided to clean them all. Most were potentially unwanted or unsafe. A couple of trojans in zip files, and some browser related adware and pop ups. Nothing jumped out at me as being a serious active risk (what do I know ??), but I must presume that it eliminated some dodgy software.

Post Quarantine

Before closing the ESET scan window (as advised), I loaded firefox and chrome, to confirm that they still worked. I then rebooted.

Opening a new firefox tab : unknown software exception (0xc0000409) occurred in the application at location 0x00406b64

Malwarebytes blocked 198.134.112.243 (outbound)

Ha! So this hasn't changed. Maybe I need to force an update for Firefox ... just had a quick look, and didn't see such an option, but I'll look closer.

Mouse

It's still working fine.

Conclusion

It's still a fog, regarding what happened with the mouse. ... why it suddenly began working fine.

Any independent engineer possessing 'concept to production' capabilities, will recognise and appreciate coincidental 'detrimental action/effects on an ongoing basis'. The difficulty is in separating genuine coincidence from standard practice. In many cases, malpractice is evident and repeatably testable ... but it is not always the case.

The firefox software exception and the Malwarebytes blocking of 198.134.112.243 (outbound) does appear to be linked, but this may simply be a coincidence.

Does anybody have any thoughts? ... and what is this site 198.134.112.243 (that firefox is trying to connect to)?

Edit: Just checked, and Firefox is set to auto update. Maybe I must reinstall, but that's always a worry ........

Edited August 2, 2018 by Malbert

Malbert Posted August 3, 2018 Author ID:1261256

Malwarebytes blocked 198.134.112.243 (outbound)

I got this checked on scanurl.net and the result was that it is not a valid URL.

So Malwarebytes is identifying a malicious website, but I am struggling to know what it is, and why Firefox is trying to connect to it. Also, the software that is causing the connection, hasn't been picked up as malicious.

Does anybody have any thoughts on this conundrum?

Malbert Posted August 3, 2018 Author ID:1261267

Opening a new firefox tab : unknown software exception (0xc0000409) occurred in the application at location 0x00406b64

I appear to have fixed this problem, by disabling 'HTML5 video everywhere'.

However, Malwarebytes is still blocking 198.134.112.243 (outbound)

What is causing this connection I wonder.

Malbert Posted August 3, 2018 Author ID:1261328

Refreshed firefox 52.9 (rather than re-install, as it was suggested that refresh should fix the problems).

Ran IP Location Find:

Geolocation data from ipinfo.io (Product: API, real-time)
IP Address: 198.134.112.243
Country: United States
Region: New York
City: Westbury
ISP: Webair Internet Development Company Inc.
Organization: Webair Internet Development Company Inc.
Latitude: 40.7570
Longitude: -73.5814

AND

New tab in Firefox is still displaying: unknown software exception (0xc0000409) occurred in the application at location 0x00406b64

So far, a lot of work, but no success. Maybe I must try a reinstall of Firefox.

Has anyone gone through this problem?

Malbert Posted August 3, 2018 Author ID:1261371

Progress (perhaps)

Searching ipinfo.io I found this: https://ipinfo.io/198.134.112.242

Route 198.134.112.0/20

This was the closest to 198.134.112.243. I presume that it is in the block of 98 addresses.

198.134.112.242 putrr18.com 98

Upon searching putrr18.com I found lots of links to removing it as a virus. I reckon that this must be it ?

------------

Further ... I note that Malwarebytes is blocking addresses: 241 242 243 244, i.e. it is not just .243

----------

I ran a search on files containing the words putrr18.com - nothing found. I'm now trying a search for 198.134.112.243

It showed up ... but only in a question that I put to Mozilla :(

-----------

This site http://greatis.com/blog/howto/remove-putrr18-com-forever.htm claims that an app UnHackMe will remove the putrr18.com virus, but it may be out of date, as the new virus doesn't mention the site name.

This site https://malwaretips.com/blogs/remove-putrr18-com/ suggests using Malwarebytes, Hitman, and Zemana (as a last resort)

Does anyone have any knowledge of these tools unhackme and zemana?

----------

Clearly this malware is very well hidden.

Malbert Posted August 3, 2018 Author ID:1261400

VICTORY!

The remnants of the malware remained in the Firefox tiles! When cleaning out the system, I made the very useful error, when I failed to clear history. I didn't imagine that the problem would lie there. It was a Firefox helper who suggested that it could be the tiles ( jscher2000 ). ... and it was.

Firefox Application Error

unknown software exception (0xc0000409) occurred in the application at location 0x00406b64

This still exists. Whether it is a leftover of malware removal ... maybe we'll never know. I guess that I must bite the bullet and go for a re-install.

However, the malware connection to the bad ip address is gone. That's the victory :)

Ha! bloody marvelous ?
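
Added example, not part of the thread and not written by any participant: one way to check a Firefox history database for the addresses and domain named in the posts above, which a plain file search for the strings did not surface. It assumes the new-tab tiles are populated from the moz_places table in the profile's places.sqlite; the function names are hypothetical and the sample rows are constructed.

```python
import ipaddress
import sqlite3
from urllib.parse import urlsplit

# Indicators named in the thread: the four blocked addresses and the domain
# that ipinfo.io listed against the neighbouring address.
BLOCKED_IPS = {ipaddress.ip_address(f"198.134.112.{n}") for n in (241, 242, 243, 244)}
BLOCKED_DOMAINS = {"putrr18.com"}


def is_flagged(url):
    """True if the URL's host is a blocked IP literal or a blocked domain/subdomain."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    if not host:
        return False
    try:
        return ipaddress.ip_address(host) in BLOCKED_IPS
    except ValueError:  # not an IP literal, so compare as a domain name
        return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)


def flagged_history(conn):
    """Return (url, visit_count, frecency) rows for flagged history entries,
    highest frecency first (the entries most likely to surface as tiles)."""
    rows = conn.execute(
        "SELECT url, visit_count, frecency FROM moz_places ORDER BY frecency DESC"
    )
    return [row for row in rows if is_flagged(row[0])]


def sample_db():
    """Constructed stand-in for places.sqlite holding only the columns used here."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE moz_places (url TEXT, visit_count INT, frecency INT)")
    conn.executemany("INSERT INTO moz_places VALUES (?, ?, ?)", [
        ("https://www.mozilla.org/en-US/firefox/", 12, 2400),
        ("http://198.134.112.243/landing?x=1", 3, 900),      # constructed path
        ("http://cdn.putrr18.com/a.js", 1, 150),             # constructed subdomain
        ("https://example.org/198.134.112.243", 2, 300),     # IP only in the path
        ("http://notputrr18.com/", 1, 100),                  # look-alike, not a subdomain
    ])
    return conn


if __name__ == "__main__":
    # On a real system, open a copy of places.sqlite taken while Firefox is closed.
    for url, visits, frecency in flagged_history(sample_db()):
        print(f"{frecency:>6} {visits:>3} {url}")
```

Matching on the parsed host rather than on the raw string keeps a mention of the address in a URL path, such as a support question about it, out of the results.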

AdvancedSetup (Root Admin) Posted August 16, 2018 ID:1263745

Hello @Malbert and

Very sorry for the delay. It looks like with all the replies that others thought you were already being helped.

Do you still need help with this?

Thanks

Ron

AdvancedSetup (Root Admin) Posted September 1, 2018 ID:1266889

Due to the lack of feedback, this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request. This applies only to the originator of this topic.

Other members who need assistance please start your own topic in a new thread.

Thanks