Jump to content

Malwarebytes wouldn't scan and unusual PC behaviour


Recommended Posts

I was using AVG anti virus and mb3-setup-consumer-3.1.2.1733.exe

Mouse behaviour

If left untouched for a period, my mouse needed a button click in order to function.
It seemed to be moving slowly, and would drift upwards, when hovering over a link.

Modded the setup to max speed, but it still wasn't right.
(In all my decades of computing, I've never experienced this mouse behaviour)

I had watched F1 via a stream - many such streams launch an advert new window if the stream page is clicked.
This would be a good way of forcing the user to click the page.

Opening a new firefox tab :

unknown software exception (0xc0000409) occurred in the application at location 0x00406b64

Malwarebytes scan

Tried to run a Malwarebytes scan, but it wouldn't run.

Spybot found nothing threatening.
Installed super antispyware - it found no threats.

Chameleon

Ran chameleon - option 2 worked - it suggested that I upgrade, which I did to 3.5.1
However, 3.5 wouldn't launch.

Uninstalled it and reinstalled 3.1
Option 2 no longer worked ... I think it was option 8 that worked ... I ran a scan ... zero threats.

Note: each time an option wouldn't work, it would stop at 'enabling driver' requiring a reboot every time.
Testing the 13 options took a long time.

3.5.1

Reinstalled 3.5.1 - it wouldn't launch, but it did launch the following day (maybe it needed a reboot).
Ran a scan - zero threats.

------------------------

I finally finished a big report last night.

Today, booted the PC ... Malwarebytes blocked 198.134.112.243 (outbound) - I hadn't launched a connection to that site.

I am alerted at regular intervals of this site being blocked.

-Blocked Website Details-
Malicious Website: 1
, , Blocked, [-1], [-1],0.0.0

-Website Data-
Category: Unspecified
Domain:
IP Address: 198.134.112.243
Port: [0]
Type: Outbound
File:

Loaded scanurl.net in Firefox - https crossed out, and the url input box did not display.

Loaded scanurl.net in Chrome - https displayed - the url input boxes appeared momentarily, then disappeared, and were inaccessible.

Checked the site in google transparency and phishtank - result : clean

I noticed that the mouse was now functioning correctly!!!

------------

What to do?

Is it possible that malware can be switched on and off?

Does anybody recognise this strange mouse behaviour?

Might the mouse be working correctly because 198.134.112.243 is now being blocked?

Could this be simple suppression - general time-wasting aspect of a varied package of measures?

 

 

Link to post
Share on other sites

On another thread, I noted that someone had identified a threat by using ESET scanner.
I researched this app ... apparently it can give a false positive (to get you to buy), but otherwise it was stated to be a superior malware scanner, as compared to the free scanners.

How true this statement is, I obviously don't know ... but I gave it a whirl.

Here is what it found (after other apps had declared the system clear):

Win32/CNETInstaller.B potentially unwanted application    
C:\Documents and Settings\Ace Administrator\Application Data\Sun\Java\jre1.7.0_51\java_sp.dll    a variant of Win32/Bundled.Toolbar.Ask.F potentially unsafe application    
C:\Documents and Settings\Ace Administrator\Desktop\Unused Desktop Shortcuts\Old Firefox Data\extensions\4fdacf00-e9c4-4ad5-b4cf-bf9800f184f6@36857116-74e0-4973-936f-860cd2a102a9.com\chrome\content\core\delegate.js    JS/Toolbar.Crossrider.AS potentially unwanted application    
C:\Documents and Settings\Ace Administrator\Desktop\Unused Desktop Shortcuts\Old Firefox Data\extensions\4fdacf00-e9c4-4ad5-b4cf-bf9800f184f6@36857116-74e0-4973-936f-860cd2a102a9.com\chrome\content\core\xhr.js    JS/Toolbar.Crossrider.G potentially unwanted application    
C:\Documents and Settings\Ace Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\hcimhbfpiofdihhdnofbdlhjcmjopilp\1.0_0\popup.js    JS/Adware.Laitis.A application    
C:\Documents and Settings\Ace Administrator\My Documents\Downloads\cbsidlm-cbsi134-Clean_Disk_Security-ORG-10052111.exe    a variant of Win32/CNETInstaller.B potentially unwanted application    
C:\Documents and Settings\Ace Administrator\My Documents\Downloads\cbsidlm-cbsi134-HD_Tune-ORG-10974407.exe    a variant of Win32/CNETInstaller.B potentially unwanted application    
C:\Documents and Settings\Ace Administrator\My Documents\Downloads\cbsidlm-cbsi145-Freemake_Video_Converter-ORG-75218346.exe    a variant of Win32/CNETInstaller.B potentially unwanted application    
C:\Documents and Settings\Ace Administrator\My Documents\Downloads\cbsidlm-cbsi145-Free_MOV_to_WMV_Converter-ORG-75894393.exe    a variant of Win32/CNETInstaller.B potentially unwanted application    
C:\Documents and Settings\Ace Administrator\My Documents\Downloads\cbsidlm-cbsi145-Photo_Pos_Pro-BP-10264444.exe    a variant of Win32/CNETInstaller.B potentially unwanted application    
C:\Documents and Settings\Ace Administrator\My Documents\Downloads\cbsidlm-cbsi145-VSDC_Free_Video_Editor-ORG-75764187.exe    a variant of Win32/CNETInstaller.B potentially unwanted application    
C:\Documents and Settings\Ace Administrator\My Documents\Downloads\ccsetup405.exe    Win32/Bundled.Toolbar.Google.D potentially unsafe application    
C:\Documents and Settings\Ace Administrator\My Documents\Downloads\ccsetup531.exe    Win32/Bundled.Toolbar.Google.D potentially unsafe application    
C:\Documents and Settings\Ace Administrator\My Documents\Downloads\cdbxp_setup_4.5.8.6795.exe    a variant of Win32/FusionCore.Q potentially unwanted application,a variant of Win32/FusionCore.T potentially unwanted application    
C:\Documents and Settings\Ace Administrator\My Documents\Downloads\dfsetup218.exe    Win32/Bundled.Toolbar.Google.D potentially unsafe application    
C:\Documents and Settings\Ace Administrator\My Documents\Downloads\dfsetup219.exe    Win32/Bundled.Toolbar.Google.D potentially unsafe application    
C:\Documents and Settings\Ace Administrator\My Documents\Downloads\dfsetup221 (1).exe    Win32/Bundled.Toolbar.Google.D potentially unsafe application    
C:\Documents and Settings\Ace Administrator\My Documents\Downloads\dfsetup221.exe    Win32/Bundled.Toolbar.Google.D potentially unsafe application    
C:\Documents and Settings\Ace Administrator\My Documents\Downloads\firebug.exe    a variant of Win32/DownloadSponsor.C potentially unwanted application    
C:\Documents and Settings\Ace Administrator\My Documents\Downloads\Flash-2017.zip    JS/TrojanDownloader.Nemucod.CWZ trojan    
C:\Documents and Settings\Ace Administrator\My Documents\Downloads\notepad.exe    a variant of Win32/DownloadSponsor.C potentially unwanted application    
C:\Documents and Settings\Ace Administrator\My Documents\Downloads\tb_free.exe    a variant of Win32/FusionCore.L potentially unwanted application    
C:\Documents and Settings\Khaled Shbib\My Documents\Downloads\cbsidlm-cbsi118-Wise_Disk_Cleaner-ORG-10613345.exe    a variant of Win32/CNETInstaller.B potentially unwanted application    
C:\Documents and Settings\Khaled Shbib\My Documents\Downloads\dfsetup214.exe    Win32/Bundled.Toolbar.Google.E potentially unsafe application    
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\8PIRC5AV\wajam_update[1].exe    Win32/Adware.Wajam.BE application    
C:\Endoscope\DriverInstall_IncludeDX9.0c.rar    Win32/Agent.RNS trojan    
C:\Program Files\Freemake\Freemake Video Converter\SetupUpdate.exe    a variant of Win32/Freemake.A potentially unwanted application,a variant of Win32/OpenCandy.A potentially unsafe application    
C:\ZZ_Oli_usb\General Folder\cbsidlm-cbsi188-EaseUS_Partition_Master_Free_Edition-ORG-10863346.exe    a variant of Win32/CNETInstaller.B potentially unwanted application    

After examining the list, I decided to clean them all.

Most were potentially unwanted or unsafe.
A couple of trojans in zip files, and some browser related adware and pop ups

Nothing jumped out at me as being a serious active risk (what do I know ??), but I must presume that it eliminated some dodgy software

Post Quarantine

Before closing the ESET scan window (as advised), I loaded firefox and chrome, to confirm that they still worked.
I then rebooted.

Opening a new firefox tab :

unknown software exception (0xc0000409) occurred in the application at location 0x00406b64

Malwarebytes blocked 198.134.112.243 (outbound)

Ha!

So this hasn't changed.

Maybe I need to force an update for Firefox ... just had a quick look, and didn't see such an option, but I'll look closer.

Mouse

It's still working fine.

Conclusion

It's still a fog, regarding what happened with the mouse.
... why it suddenly began working fine.

Any independent engineer possessing 'concept to production' capabilities, will recognise and appreciate coincidental 'detrimental action/effects on an ongoing basis'.
The difficulty is in seperating genuine coincidence from standard practice.
In many cases, malpractice is evident and repeatably testable ... but it is not always the case.

The firefox software exception and the Malwarebytes blocking of 198.134.112.243 (outbound) does appear to be linked, but this may simply be a coincidence.

Does anybody have any thoughts?
... and what is this site 198.134.112.243 (that firefox is trying to connect to)?

Edit:

Just checked, and Firefox is set to auto update.

Maybe I must reinstall, but that's always a worry ........

 

 

Edited by Malbert
Link to post
Share on other sites

Malwarebytes blocked 198.134.112.243 (outbound)

I got this checked on scanurl.net and the result was that it is not a valid URL.

So Malwarebytes is identifying a malicious website, but I am struggling to know what it is, and why Firefox is trying to connect to it.

Also, the software that is causing the connection, hasn't been picked up as malicious.

Does anybody have any thoughts on this conundrum?

Link to post
Share on other sites

Opening a new firefox tab :

unknown software exception (0xc0000409) occurred in the application at location 0x00406b64

I appear to have fixed this problem, by disabling 'HTML5 video everywhere'.
 

However, Malwarebytes is still blocking 198.134.112.243 (outbound)

What is causing this connection I wonder.

Link to post
Share on other sites

Refreshed firefox 52.9 (rather than re-install, as it was suggested that refresh should fix the problems).

Ran IP Location Find:
Geolocation data from ipinfo.io (Product: API, real-time)

IP Address         Country           Region      City
198.134.112.243    United States     New York    Westbury

ISP                                         Organization                                 Latitude   Longitude
Webair Internet Development Company Inc.    Webair Internet Development Company Inc.     40.7570    -73.5814

AND

New tab in Firefox is still displaying:

unknown software exception (0xc0000409) occurred in the application at location 0x00406b64 

So far, a lot of work, but no success.

Maybe I must try a reinstall of Firefox.
Has anyone gone through this problem?

Link to post
Share on other sites

Progress (perhaps)

Searching ipinfo.io I found this:

https://ipinfo.io/198.134.112.242

Route 198.134.112.0/20

This was the closest to 198.134.112.243

I presume that it is in the block of 98 addresses

198.134.112.242       putrr18.com            98

Upon searching putrr18.com I found lots of links to removing it as a virus.

I reckon that this must be it  ?

------------

Further ... I note that Malwarebytes is blocking addresses:

241
242
243
244

IE. it is not just .243

----------

I ran a search on files containing the words putrr18.com - nothing found.

I'm now trying a search for 198.134.112.243

It showed up ... but only in a question that I put to Mozilla :(

-----------

This site http://greatis.com/blog/howto/remove-putrr18-com-forever.htm

claims that an app UnHackMe will remove the putrr18.com virus, but it may be out of date, as the new virus doesn't mention the site name.

This site https://malwaretips.com/blogs/remove-putrr18-com/

suggests using Malwarebytes, Hitman, and Zemana (as a last resort)

Does anyone have any knowledge of these tools unhackme and zemana?

----------

Clearly this malware is very well hidden.

 

 

 

     
Link to post
Share on other sites

VICTORY!

The remnants of the malware remained in the Firefox tiles!

When cleaning out the system, I made the very useful error, when I failed to clear history.

I didn't imagine that the problem would lie there.

It was a Firefox helper who suggested that it could be the tiles ( jscher2000 ).
... and it was.

Firefox Application Error

unknown software exception (0xc0000409) occurred in the application at location 0x00406b64 

This still exists.

Whether it is a leftover of malware removal ... maybe we'll never know.

I guess that I must bite the bullet and go for a re-install.

However, the malware connection to the bad ip address is gone.

That's the victory :)

Ha!
bloody marvelous ?

 

 

Link to post
Share on other sites

  • 2 weeks later...
  • 3 weeks later...
  • Root Admin

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Thanks

 

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.