
Malvertising


ReuMen


Hi, everyone
A window opens in Malwarebytes and pops up a message every few minutes when the browser is open; when the browser is closed, no messages pop up:

"-Website Data-
Category: Malvertising
Domain:
IP Address: 163.172.20.152
Port: 80
Type: Outbound
File: C:\Program Files\Waterfox\waterfox.exe "

This has been happening for several days.
What I've done so far:
The Waterfox browser is up to date and yet I did a cookie and cache cleanup, and later a new, clean install.
I checked and updated the Windows 10 Pro.
And after that I did sfc /scannow
I checked and made an update to Windows Defender Antivirus and after that a regular scan and scan in Offline
I did a scan by Malicious Software Removal Tool x64.
I did a scan by Esetonlinescanner_enu


Everything is clean and yet the message continues to pop up :
"-Website Data-
Category: Malvertising
Domain:
IP Address: 163.172.20.152
Port: 80
Type: Outbound
File: 😄 \ Program Files \ Waterfox \ waterfox.exe "

I did a test by FRST64 and the test results are attached:

Thanks in advance for your help .
Regards,
Reuven

FRST.txt Report Blocked website.txt Addition.txt


  • Root Admin

Hello @ReuMen

You have old compromised versions of Java on the system. Please uninstall all versions of Java. If you really have to have Java then make sure you keep it up to date at all times.

The logs show that your Waterfox has not been properly cleaned and is using an extensive list of extensions; any one of those extensions could be causing the block alert.

 

Please download the attached fixlist.txt file and save it to the Desktop.
NOTE. It's important that both files, FRST or FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

fixlist.txt

Thanks

 


 

First of all, good morning and thank you very much 🙂

This morning I received an automatic update to Java and the update was done.

I started FRST64 after downloading your file, the software worked, repaired and asked to restart,
After restarting, I saw that he had scanned the disk and after which the computer came up normal.

Attached Fixlog and after scan file and you can see that the window continues to pop up as before scanning.

Appreciate your help and hope for a solution.
Many thanks and good day to you.

Fixlog.txt After scanning.txt


8 hours ago, ReuMen said:

 

First of all, good morning and thank you very much 🙂

This morning I received an automatic update to Java and the update was done.

I started FRST64 after downloading your file, the software worked, repaired and asked to restart,
After restarting, I saw that he had scanned the disk and after which the computer came up normal.

Attached Fixlog and after scan file and you can see that the window continues to pop up as before scanning.

Appreciate your help and hope for a solution.
Many thanks and good day to you.

Fixlog.txt 31.81 kB · 1 download After scanning.txt 679 B · 0 downloads

  Hey ,

While waiting for your answer, I decided to review your offer:

@Waterfox has not been properly cleaned and is using an extensive list of extensions any one of those extensions could be causing the block alert. @

I canceled all the extensions and actually just like you wrote
The window no longer pops ........ Amazing, well done.
I'm now returning extensions one after the other, waiting and checking to make sure the window doesn't pop up again.

According to Murphy's Laws "You will always find something in the last place you look."

So I'm waiting for an answer and I hope before I get to the last one 🙂

Of course I will also update at the end,
  Thanks.


Good morning and thank you AdvancedSetup,

The script you created and the suggestion of the extensions.
Indeed, the first part really cleaned up what was needed and the second part about the plugins, I found the rogue plugin, it was a Google Translight plugin (S3), I stopped it and for almost 24 hours no window pops up and no message about Malvertising.
Thank you very much, you are the best.

Regards,
Reuven
.

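The thread resolved the alert by disabling every extension and re-enabling them one at a time. The sketch below is an added example, not part of the original posts or of any Malwarebytes or FRST tooling: it reads a Firefox-family profile's extensions.json and orders the active extensions by how much page and network access they hold, so the broadest ones can be checked first. The file layout (a top-level "addons" list with "userPermissions") and the scoring are assumptions, and all names and IDs in the sample are constructed.

```python
import json

# Constructed sample in the shape of a Firefox-family profile's extensions.json
# (assumed layout: top-level "addons" list; names and IDs below are made up).
SAMPLE_EXTENSIONS_JSON = """
{"schemaVersion": 31, "addons": [
  {"id": "translator@example.invalid", "type": "extension", "active": true,
   "userDisabled": false, "defaultLocale": {"name": "Example Translator"},
   "userPermissions": {"permissions": ["tabs", "webRequest"], "origins": ["<all_urls>"]}},
  {"id": "notes@example.invalid", "type": "extension", "active": true,
   "userDisabled": false, "defaultLocale": {"name": "Example Notes"},
   "userPermissions": {"permissions": ["storage"], "origins": []}},
  {"id": "legacy@example.invalid", "type": "extension", "active": true,
   "userDisabled": false, "defaultLocale": {"name": "Example Legacy Add-on"},
   "userPermissions": null},
  {"id": "old-theme@example.invalid", "type": "theme", "active": false,
   "userDisabled": true, "defaultLocale": {"name": "Example Theme"},
   "userPermissions": null}
]}
"""

BROAD_ORIGINS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
NETWORK_PERMS = {"webRequest", "webRequestBlocking", "tabs", "webNavigation"}

def triage_extensions(raw_json):
    """Return active extensions ordered by how much page/network access they hold."""
    rows = []
    for addon in json.loads(raw_json).get("addons", []):
        if addon.get("type") != "extension" or not addon.get("active"):
            continue  # themes and disabled add-ons are not running in the browser
        perms = addon.get("userPermissions")
        if perms is None:
            # Assumption: no permission record means nothing limits the add-on, so review it first
            score, reason = 3, "no permission record"
        else:
            broad = BROAD_ORIGINS & set(perms.get("origins") or [])
            net = NETWORK_PERMS & set(perms.get("permissions") or [])
            score = (2 if broad else 0) + (1 if net else 0)
            reason = ", ".join(sorted(broad | net)) or "limited access"
        name = (addon.get("defaultLocale") or {}).get("name", addon.get("id"))
        rows.append((score, name, addon.get("id"), reason))
    # Highest score first; the name breaks ties so the order is stable
    return sorted(rows, key=lambda r: (-r[0], r[1]))

if __name__ == "__main__":
    for score, name, addon_id, reason in triage_extensions(SAMPLE_EXTENSIONS_JSON):
        print(f"{score}  {name} ({addon_id}): {reason}")
```

The ordering only suggests which extensions to test first; the one-at-a-time re-enable check described in the thread is still what confirms the source of the outbound connection.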

  • Root Admin

Great, glad to hear that you were able to find the extension causing it and all is doing well once again.  A lot of work but in the end it pays off. I'll go ahead then and close your topic and leave you with some information to help you protect your data and privacy

 

If you're not backing up your data and you're still using Google Chrome then you're just not serious about Privacy, Safety, and protecting your data. Malwarebytes is a fantastic program but you still need to back up your data and you still need to block scripts and Ads in your browser. 
If you're still using Google Chrome I would highly suggest you consider using Firefox instead. For more advanced users you might consider installing NoScript as well (it does have a higher learning curve though)

PrivacyTools - Encryption, and tools to protect against global mass surveillance - https://www.privacytools.io

Help Secure your browsers
 
You may be interested in using our new Malwarebytes Browser Guard to help protect your browser from items that uBlock or others don't target.

Please install uBlock Origin for your browsers to better protect your system.

Firefox, Chrome, Opera, Safari, Microsoft Edge
AdBlock Plus for Internet Explorer

How to use uBlock Origin to protect your online privacy and security | uBlock Origin tutorial 2018
This video tutorial above explains how to use uBlock Origin in advanced user mode and all the advanced settings to protect your online privacy and help prevent unwanted sites from changing your browser settings

Delete Cookies Automatically

Cookie AutoDelete plugin
Chrome  | Firefox 

Browser push notifications: a feature asking to be abused
HTTPS Everywhere
NOTHING TO HIDE documentary

Review your email and Office choices

Quit Gmail for free encrypted email - Tutanota
Why ProtonMail Is More Secure Than Gmail
LibreOffice - Free and open source office suite

Use Password Management software

Bitwarden
KeePass Password Safe

Make sure you use a strong master password
Then set the key transformation settings (the link below helps provide information on how to choose good settings)
https://pthree.org/2016/06/29/further-investigation-into-scrypt-and-argon2-password-hashing
KeePass Password Manager: Full Detailed Setup (good YouTube video on setup and using Keepass but choose the Argon2 method for Key transformation)

Encrypted Instant Messenger and Voice Calls

Please review the following site for a breakdown of features of different Messenger applications.

SafeSwiss
Riot
Signal
Wire     
NOTE: Recent news of Wire having new investors and moving to the United States.
Wickr Me

Follow-up Reading

Everything you need to know about cybercrime
10 easy ways to prevent malware infection 
Keep your data backed up

Thank you for choosing Malwarebytes as your preferred security protection software and tell your friends and family too. We're here to help.


 

 


  • Root Admin

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Thanks

 


This topic is now closed to further replies.