
Adware missed by ADWc and Malwarebytes

Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Remove this program in bold via the Control Panel > Programs > Programs and Features.
Wise Registry Cleaner 9.45 (HKLM-x32\...\Wise Registry Cleaner_is1) (Version: 9.45 - WiseCleaner.com, Inc.)
===

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The Computer will restart when the fix is completed.

It will create a log (Fixlog.txt); please post it in your reply.
===

Please post the Fixlog.txt and let me know what problem persists.

fixlist.txt

Link to post
Share on other sites

Thanks nasdaq for your time and work :) 
The instructions were very clear.

Find attached the  Fixlog.txt

I presume that you well understand this AdWare, and the fix will be successful.

Am I right in thinking that the original user will have installed wise registry cleaner using the auto process, rather than custom (to opt out of additional programs)?
I.e. Wise Registry Cleaner did not contain the adware, but that it was the cause of it being installed.

Or...
Was Wise Registry Cleaner integrated with the AdWare?

Link to post
Share on other sites

Hi,

The Wise registry cleaner is a Potentially Unwanted Program.

We always recommend its removal.

There is no need to clean the Registry.

If, however, a helper from a forum suggests it because you have issues, then follow his directives.

Stay clean.


Link to post
Share on other sites

At this moment in time, I have left the adware window running.

It is the top layer of the windows, situated in the bottom right hand corner of the screen.

I'm presuming that ADWc or Malwarebytes might have a better chance of finding it, as it is obviously now a running process in memory.

I'm wondering if it is worth running Malwarebytes to see what happens...

FRST.txt Addition.txt

Link to post
Share on other sites

Hi,

Your logs are clean.

Quote

It is the top layer of the windows, situated in the bottom right hand corner of the screen.

This looks like Browser push notifications: 

Follow the directives on this page.

https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused/

Let me know if the problem is solved.

Link to post
Share on other sites

I've had a thorough look at both chrome and firefox.

Notifications were set to 'Ask' and there are no exceptions listed, other than the usual google sites in chrome.
Pop Ups were set to off.
I ran the chrome malware search ... it found nothing.
Checked all exceptions ... nothing.
Turned off permissions for ads (chrome).

Overall ... other than the 'ads' not being turned off in chrome; nothing indicated bad settings.

From the above, my gut instinct is that this adware is not 'notification based' (I could be wrong).

My consideration is that I should:

1. Interact with the adware, and let it run its course.
   This, to see how it behaves, and potentially to cause it to leave processing tracks.
   From this, we will learn more.

2. Thereafter, run the MBST tool, to perhaps gain a hard copy of that knowledge.

In the meantime, I tried to screen capture the adware window, using snagit.
However, although the image showed in the capture preview ... no image was captured.
Only the typical background squares were captured.

A full screen capture worked, and this is attached.

I have also attached processes and services (in case they list something).

Services_01_2019-09-25_16-03-38.png

Processes_03_2019-09-25_15-57-05.png

Processes_02_2019-09-25_15-56-31.png

Processes_01_2019-09-25_15-55-49.png

Adware_2019-09-25_15-39-58.png

Services_03_2019-09-25_16-05-25.png

Services_02_2019-09-25_16-04-32.png

Link to post
Share on other sites

I interacted with the adware by clicking on it.

I'd set firefox to default, so it opened, and a tab and a variety of dialogue boxes opened rapidly.
Perhaps I should have used a screen video record?

However, I got 2 screenshots that clearly show target addresses (attached).

MBST was then run (attached).

I then tried to close firefox, but it won't close.
I can close it by stopping it from running, or rebooting.

Before that, I'll run ADWcleaner to see what it finds, and then Malwarebytes.

I've noted that another thread suggests a kaspersky tool.
I'll download it.

Browser_01_2019-09-25_16-16-59.png

Browser_02_2019-09-25_16-20-28.png

mbst-grab-results.zip

Link to post
Share on other sites

Ran:

ADWcleaner 
Malwarebytes
Kaspersky TDSSKiller

All returned NO threats...
Yet the adware window is still running, and Firefox is locked.

One minor thing to note, is that when chrome was the default, it loaded chrome.
With Firefox, it loaded firefox.

It seems to be independent of the browser.

Any suggestions as to what I should do now?


Link to post
Share on other sites

After the re-boot, I decided to just leave the pc running, and not load a browser, nor anything other than the pre-loads.
I figured that this would eliminate the connection with the browsers.

Damn!
I have just noticed that the adware is back.

The thing is ... it waits for a few hours before appearing.
This is a very good survival mechanism, because each test takes a few hours to run.

You don't know if the problem is solved, until it doesn't appear
... but how long do you wait?

It's not the end of the world.
It can be closed, and with quick use of the mouse, the tabs can be closed ... until the next time.

... but defeat is bitter.

Does anyone have any ideas?

Link to post
Share on other sites

Hi,

This IP number in bold is from France.
Tcpip\Parameters: [DhcpNameServer] 212.27.40.240 212.27.40.241

This one is from the United States.
Tcpip\..\Interfaces\{B799B414-7E95-48A1-B766-7C1E6B467EF7}: [DhcpNameServer] 163.244.76.254 163.244.77.254

Check with your Internet Provider and find out which is good.
Let me know,

===

The URLs (images) you posted from multimilltracks.com and gambigambiwinwin.com are phishing attacks.

Read about it.
https://www.malwarebytes.com/phishing/

Do not answer any of their requests.

Let me know if it has stopped.

Link to post
Share on other sites

Two site addresses - One very 'how can I put this' - the other is Dell Inc.
Let's clear Dell first, and then look at the other 'situation'.

163.244.76.254

Quote

NetRange:       163.244.0.0 - 163.244.255.255
CIDR:           163.244.0.0/16
NetName:        NET-DELL-INT
NetHandle:      NET-163-244-0-0-1
Parent:         APNIC-ERX-163 (NET-163-0-0-0-0)
NetType:        Direct Assignment
Organization:   Dell, Inc. (DCC-25)
RegDate:        1992-09-23
Updated:        2018-03-06
Ref:           https://rdap.arin.net/registry/ip/163.244.0.0

This is a Dell site.
I don't think that there is any reason for the PC to be talking to Dell.
If this is happening via a boot-load, it is better that it is stopped, if only to save resources.

212.27.40.240

Quote

inetnum:        212.27.40.0 - 212.27.40.255
netname:        FR-PROXAD
descr:          Proxad / Free SAS
descr:          Server internal infrastructure
descr:          Paris, France
status:         ASSIGNED PA
mnt-by:         PROXAD-MNT
created:        2003-11-25T18:37:00Z
last-modified:  2003-11-25T18:37:00Z
source:         RIPE
remarks:        INFRA-AW

This is FREE/Iliad (the company) ... or a sub-division ProXad ... or the same (but who knows)

Capitalisation 2017 - €13 billion 
Subscribers 2017 - 20 million

(I.e. This is a BIG company)

However, proxad was originally a UK adtech company (the site doesn't load now):

Quote

"Proxad are an Adtech startup which provides an ‘offline retargeting & attribution platform’ - we are able to show online dynamic ads based on a customer’s behaviour in-store i.e. if an individual is looking at a particular pair of Nike shoes (but does not purchase the item) then they may receive an online advert when they return home in the evening & browse a website or check their Facebook account. We are also able to attribute ‘in store’ activity to online ads i.e. If a person receives an advert online, we can then tell if the individual subsequently walks in store."

Archived 2015:
https://web.archive.org/web/20151101025231/http://proxad.com/

IPinfo Lists:

There are 2 domain names hosted on this IP address.

The links lead to non-public (I presume) consumer info pages.
Worryingly, cretin in French has the same meaning as in English.


Recently a lot of FREE subscribers have had their emails bouncing back, due to blacklisting that leads back to proxad.net (which is now FREE/Iliad).
Many reports indicate zero response from them (re their abuse line).

I know that they got involved with 'in game purchases' without asking permission from the bill payer.
[Can they have stooped so low as to implement what is clearly malware?]

The question, also, is whether this type of thing is par for the course amongst IP providers.

Either way ... what are you seeing?

By this I mean ... what is the function of this line of programming code?

Is this functional to a server login?

Can this be deleted?

Is this adware window being loaded from the cloud ?
... hence no hard disk tracks

But wouldn't it have been caught in the memory search?
... or would that only happen, if the activity was recognised?

One thing is clear ... none of the malware progs identified its activities as a threat
... yet it can lock the browser (not an inconsequential problem).

Because of this lack of identification...
Should this issue be shared with the Malwarebytes dev team?

Other than that, I have done nothing more on this, since my last update
... so the pc will still be infected :(

Perhaps I should run the PC, with wifi disconnected; in order to see if the window still appears.

Link to post
Share on other sites


Hi,

I did the research, and all I wanted to know was which one to remove.
Your internet provider would have informed you which one to keep if any.

This will remove 163.244.76.254; let me know if you wish to remove the other one.

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The Computer will restart when the fix is completed.

It will create a log (Fixlog.txt); please post it in your reply.
===

fixlist.txt

Edited by nasdaq
Link to post
Share on other sites

Thanks nasdaq,

Currently the laptop has been running for 4 hours, with WiFi disconnected.
I will continue this test overnight, and into tomorrow.

If the malware doesn't return, it will be likely that it is coming from the web.
This should tell us something.

I will then run the fixlist.
Or, if it returns, I will run the fixlist.



Link to post
Share on other sites

Good news - The malware doesn't run, when the laptop is not connected to the web.
Clearly, it is being allowed through my firewall.

I have run the fixlist, and the Dell address 163.244.76.254 has been deleted.
Fixlog attached.

nasdaq ... you ask if I wish to remove the other address 212.27.40.240.

I don't know.
I don't know why it is there, nor what it does.

If it is not needed, then why not remove it?

I will now leave the computer running, with it connected to the internet.
Let us see if the malware shows up.

This may take a few hours.

Fixlog.txt

Link to post
Share on other sites

Also, what about the 'Bogon' address 172.31.0.50?
It is listed in the same section as the other addresses that you mentioned.

This article advises that it is dangerous:

Quote

Bogons can be used to launch TCP SYN attacks and are used in about 10% of DDoS attacks on the net. Stopping bogons can not only help your enterprise but those you connect to. Bogons can also be used to covertly move information.

It is worth reading the full article!

Can I ask...

Is there any default reason to have any Tcpip address codes listed in the FRST.txt [Internet (white list)] section?


Link to post
Share on other sites

Hi,

172.31.0.50 is your router.

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The Computer will restart when the fix is completed.

It will create a log (Fixlog.txt); please post it in your reply.
===

If the program persists, reset your router. It may be infected.

How to Reset a Router Back to the Factory Default Settings
http://www.ehow.com/how_2110924_reset-back-factory-default-settings.html

Then, please reconfigure it back to your preferred settings. Below is a list of default usernames and passwords, should you not know them ;)

http://www.routerpasswords.com/
http://www.phenoelit-us.org/dpl/dpl.html
===

Reset for Linksys, Netgear, D-Link and Belkin Routers
http://www.techsupportforum.com/2763-reset-for-linksys-netgear-d-link-and-belkin-routers/

===
How to tell if my Wireless is secure.
http://www.ehow.com/how_6775466_tell-wireless-secure_.html

Please post the Fixlog.txt and let me know what problem persists.


p.s.

Quote

Is there any default reason to have any Tcpip address codes listed in the FRST.txt

This was set by the owner of the tool.

Link to post
Share on other sites
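A small added example, not from the thread, FRST or Malwarebytes, that sorts the kind of `Tcpip\...: [DhcpNameServer]` entries quoted earlier in this thread into private (RFC 1918, which is where the router at 172.31.0.50 falls), loopback, link-local, unroutable and public addresses, so that only the public ones are left to confirm against the ISP's published DNS servers. The regular expression and the category names are this example's own; the third sample line and its all-zero GUID are constructed.

```python
"""Classify the DNS resolvers listed in FRST 'Tcpip' lines.

Added example: the regex and the category names are this example's own,
not FRST's or Malwarebytes'. The first two sample lines are the ones quoted
in the thread; the third (all-zero GUID) is constructed.
"""
import ipaddress
import re

SAMPLE_FRST_LINES = [
    r"Tcpip\Parameters: [DhcpNameServer] 212.27.40.240 212.27.40.241",
    r"Tcpip\..\Interfaces\{B799B414-7E95-48A1-B766-7C1E6B467EF7}: [DhcpNameServer] 163.244.76.254 163.244.77.254",
    r"Tcpip\..\Interfaces\{00000000-0000-0000-0000-000000000000}: [DhcpNameServer] 172.31.0.50",  # constructed
]

# The three RFC 1918 private ranges; a home router handing out its own
# address as the DNS server lands in one of these.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Matches "<source>: [DhcpNameServer] <one or more addresses>"
NAMESERVER_RE = re.compile(r"^(?P<source>.*?): \[DhcpNameServer\]\s+(?P<addrs>.+)$")


def classify(addr: str) -> str:
    """Return a coarse category for one resolver address."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.version == 4 and any(ip in net for net in RFC1918):
        return "private"      # LAN-only: typically the router acting as DNS forwarder
    if ip.is_private or ip.is_reserved or ip.is_multicast or ip.is_unspecified:
        return "unroutable"   # should never appear as a usable resolver
    return "public"           # an Internet host: confirm it is your ISP's resolver


def parse_name_servers(lines):
    """Yield (source, address) pairs from FRST-style DhcpNameServer lines."""
    for line in lines:
        m = NAMESERVER_RE.match(line.strip())
        if not m:
            continue
        for addr in m.group("addrs").split():
            yield m.group("source"), addr


def audit(lines):
    """Return (source, address, category) triples for every resolver found."""
    return [(src, addr, classify(addr)) for src, addr in parse_name_servers(lines)]


def public_resolvers(lines):
    """Public resolver addresses to check against the ISP's published DNS servers."""
    return sorted({addr for _, addr, cat in audit(lines) if cat == "public"},
                  key=ipaddress.ip_address)


if __name__ == "__main__":
    for src, addr, cat in audit(SAMPLE_FRST_LINES):
        print(f"{cat:11} {addr:16} {src}")
    print("verify with ISP:", ", ".join(public_resolvers(SAMPLE_FRST_LINES)))
```

Run against a real FRST.txt by reading the lines of the Tcpip section into the list; a private address is the expected case on a home network, while each public one should match a resolver the ISP actually publishes.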

Hahaha ... Victory!  :D   (phew)

It was the decision to test the PC 'disconnected from the web', that led to the solution.
... when the malware failed to appear, it was clear that they were 'getting through' the firewall.

You could hear the penny drop...

Checking the firewall authorisations, I discovered that they were numerous.
... the suspect ones were 'remote assistance' and 'steam' games.
Removing authorisation (un-ticking the box) on all these suspects ... did the trick   ✌️
(Spotify was also un-ticked). 

I rebooted, and left the laptop running, connected by WiFi to the web (for 20 hours).
No malware.

------------------------

Which authorisation caused the malware?
This may take some time, as I must enable them individually.

But the take-away lesson from this experience is:

"If the anti-malware tools do not stop the malware...
First check the firewall authorisations"

------------------------

Thanks to: The Malwarebytes team, forum members, and particularly 'nasdaq'.

Being able to share such problems, has a very positive effect.
... creating a calm environment, that is advantageous to 'clear thinking'.

Sure ... this can be considered a stupid error on my part (for not checking the firewall first).
However, my guess is that this is typical.

The majority of users (and I'm a long-time user) simply aren't on top of all the security risks.
... but we live and learn  :)

"Victory is sweet"

Link to post
Share on other sites

To conclude this affair ... you will be wanting to know which authorisation allowed the malware in.

Ha!
It was 'remote assistance'

I re-authorised it, by clicking the box against its firewall entry.
Within an hour or so, the malware had returned.

I then unauthorised it, rebooted, and re-authorised all the 'Steam' games, and Spotify.
The malware never returned.

Great news for users of 'Steam' and Spotify.

I have no idea whether there is some code residing on the hard drive, associated with this malware,
... just waiting for the firewall authorisation.

However, definitively, the remote assistance has it, the remote assistance has it!

ORDER....

:D

Link to post
Share on other sites
This topic is now closed to further replies.