dpipswich

friteem.com trojan not removed



I am having the same problem with the trojan advertising redirect friteem.com that other users have reported.

When I do a Google search in Chrome, it is detected and blocked by Malwarebytes, all good. But how the heck do I get rid of it?
Ideally I'd like to see Malwarebytes quarantine and then exterminate it, but I don't see any way to do that.
I'm still on the free trial version. I'd be much more willing to pay for a product that would squash this nasty thing rather than simply block it.
Any ideas?

 


 

Edited by AdvancedSetup
corrected font issue


Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

This may be the solution to your issue.

If the problem persists and Chrome is synced with other devices, reset it.

https://forums.malwarebytes.com/topic/214325-chrome-secure-preferences-detection-always-comes-back/
https://support.google.com/chrome/answer/185277

Execute the suggested fix.

Restart the computer normally.
===========

Please let me know if the problem is solved.


Nasdaq, thank you for your quick reply. I'm sorry, but when I click on your first link, #214325, it says, "Sorry, we could not find that." Did it move somewhere else, or is it possibly the malware blocking an attempt to remove it?


Hello dpipswich.

The block event is all about "friteem.com" when Chrome is in use.

The block notice is a way that the program's web protection is letting you know that it STOPPED any potential harm. Period.

The block is about stuff that is EXTERNAL.

It is not about anything on-board.

 

For Your Information:

The Block notices from Malwarebytes web protection do mean that Malwarebytes is keeping your pc safe from potential harm.

The website  Block message indicates that a potential risk was blocked by the malicious website protection. 


I would suggest these steps if Chrome is still having the same block notices.

[   1   ]

Use Chrome browser to go to https://www.google.com/settings/chrome/sync and sign into your account.
Scroll down until you see the "reset sync" button and click on the button.
At the prompt click on "Ok".

 

[   2   ]

For Chrome, while Chrome is running:
Press & hold SHIFT+CTRL+Del keys on keyboard to get the menu for clearing browsing data:

Check mark the line "Browsing history"

Check mark the line "Download history"

Check mark the line "Cached images and files"
and press the Clear Data button (in blue)

 

[   3   ]

After that, make real sure that Chrome is "NOT" set to reload the pages from the last session.

Go into the settings menu of Chrome by first clicking the control icon of Chrome on the upper right of the address bar.

Then look deeper in SETTINGS.

Make real sure it is "NOT" set to "continue where you left off".

 

[   4   ]

See this article on our Malwarebytes Blog
https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused/

You want to disable the ability of each web browser on this machine from being able to allow "push ads". That means Chrome, Firefox, or Edge browser (on Windows 10), or on Opera.

Scroll down to the tips section "How do I disable them".

 

[   5   ]

I suggest you install the Malwarebytes Browser Guard for Chrome.

To get & install the Malwarebytes Browser Guard extension for Chrome,

Open this link in your Chrome browser:

https://chrome.google.com/webstore/detail/malwarebytes/ihcjicgdanjaechkgeegckofjjedodee

Then proceed with the setup.

[   6    ]

I would suggest to download, Save, and then run Malwarebytes ADWCLEANER.

Please close Chrome and all other open web browsers after you have saved the Adwcleaner and before you start Adwcleaner scan.

Adwcleaner detects factory Preinstalled applications too!

Please download Malwarebytes AdwCleaner: https://downloads.malwarebytes.com/file/adwcleaner
 

Be sure to Save the file first, to your system.  Saving to the Downloads folder should be the default on your system.

Go to the folder where you saved Adwcleaner. Double click Adwcleaner  to start it.

 

At the prompt for license agreement, review and then click on I agree.

You will then see a main screen for Adwcleaner. (If you do not see it right away, minimize the other open windows, so you can see Adwcleaner.)

 

Then click on Dashboard button.

Click the blue button "Scan Now".

Allow it a few minutes to finish the Scan. Let it remove what it finds.

NOTE: When it comes to the section "Pre-installed application", you can skip that.

 

Please find and send the Adwcleaner "C" clean report.

In Adwcleaner, click the "Reports" button.  Look at the list of reports for the latest date & type "Clean".

 

Double Click that line & it will open in Notepad.   Save the file to your system and then Attach that with your reply.

 

That C clean report will be the one with the most recent Date and time at folder  C:\AdwCleaner\Logs

Thanks. 


I understand that the notification box is Malwarebytes working correctly and shielding me from the actions of this bad whatever-it-is. I am glad to be shielded from it. But what I'd like to know is what this bad thing is that is making this spurious request, how it got here, and most important, how do I get rid of the damn thing?

I tried all the steps above, several times, and I still have the problem. Does anyone know how to get rid of this blasted thing without completely repaving my computer? 


"Repaving" the system is not needed at all.

And since you are running the "trial mode", turning off the notification will reduce annoyance.

Did you run the Adwcleaner? Yes or no? If yes, please attach the log-report from Adwcleaner.

Adjust Malwarebytes: Start Malwarebytes. Click the Settings icon (gear icon).

Click the Notifications tab.

Look for "Show all notifications in the Windows notification area" and click that to the Left. That is to set that to Off position.

NEXT

[   2   ]

Do have patience while the report tool runs. It may take several minutes. Just let it run & take its time. You may want to close your other open windows so that there is a clear field of view.

Download Malwarebytes Support Tool

    Once the file is downloaded, open your Downloads folder/location of the downloaded file
    Double-click mb-support-1.6.0.774.exe to run the report
        You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
    Place a checkmark next to Accept License Agreement and click Next
    Now click the left-hand side pane "I do not have an open support ticket"
    You will be presented with a page stating, "Get Started!"
    Do NOT use the button "Start repair"! But look instead at the far-left options list in black.
    Click the Advanced tab on the left column
    Click the Gather Logs button
    A progress bar will appear and the program will proceed with getting logs from your computer. Please do have patience. It takes several minutes to gather.
    Upon completion, a file named mbst-grab-results.zip will be saved to your Desktop. Click OK
    Please attach the ZIP file in your next reply.
 

 


I ran the adware cleaner, log attached. It didn't find anything except pre-installed software, which it said was benign. I ran the reporting tool, .zip file attached.

It's not the annoyance of the notification box that is leading me towards repaving. It is the fact that somehow I've gotten something nasty on my system. It is being blocked for now by Malwarebytes, but who knows what other kind of bad stuff it might be doing, or might start doing? To allow it to remain would be "normalization of deviance", the form of denial that killed both Space Shuttles. "Well, we know the O-rings are eroding (or ice from the fuel tank is hitting the tiles), and that's not supposed to happen, but it hasn't hurt anything yet, so it seems to be OK." And it was, until it wasn't. I'm not going to do that with my computer. 

FWIW, Norton can't find or get rid of this one either. I'm surprised that neither commercial tool seems to recognize this thing. They're usually pretty good about keeping up to date with new threats. Got any other ideas? 

AdwCleaner[S02].txt mbst-grab-results.zip


Thanks for the reports.   We here rely on those as a first source to look for "malware", and we rely on known security tools to determine if there is actually "malware" or "adware" on-board.

The Chrome browser on this machine has a "no name" extension just very recently added on the 26th & is suspect.  Thus the custom script here for its removal.

 

Please Close and Save any open work you may have open.
Please close as many un-needed app-windows that you yourself may have open at this point.   So you can have a clear field of view.

This custom script is for  dpipswich    only / for this machine only.
Close and save any open work files before starting this procedure. 

Please Close and save any open work files before you start this next step.  It will involve a Windows Restart at the end of it.
I am sending a custom Fix script which is going to be used by the FRSTENGLISH tool. They will both work together as a pair.

Please RIGHT-click the (attached file named) FIXLIST and select SAVE link AS and save it directly (as is) to the Downloads folder.

The tool named FRSTENGLISH.exe is already in the Downloads folder.
Start Windows Explorer and then go to the Downloads folder.


RIGHT click on FRSTENGLISH and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow it to run.
If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

IF you get a block message from Windows about this tool......
click the line More info on that screen
and click the button Run anyway on the next screen.

on the FRSTENGLISH window:
Click the Fix button just once, and wait.

 
PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity   

 

NEXT    [    2   ]

I would suggest a free scan with the ESET Online Scanner
Go to https://www.eset.com/us/home/online-scanner/

Look on the right side of the page.  Click Scan Now

It will start a download of "esetonlinescanner_enu.exe"

Save the file to your system, such as the Downloads folder, or else to the Desktop.
Go to the saved file, and double click it to get it started.

When presented with the initial ESET options, click on "Computer Scan".
Next, when prompted by Windows, allow it to start by clicking Yes
When prompted for scan type, Click on Full scan

Look at & tick  ( select )   the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"   and click on Start scan button.

Have patience.  The entire process may take an hour or more. There is an initial update download.

There is a progress window display.
You should ignore all prompts to get the ESET antivirus software program.   ( e.g.  their standard program).   You do not need to buy or get or install anything else.
When the scan is completed, if something was found, it will show a screen with the number of detected items.  If so, click the button marked “View detected results”.
Click The blue “Save scan log” to save the log.

If something was removed and you know it is a false finding, you may click on the blue ”Restore cleaned files”  ( in blue, at bottom).
Press Continue when all done.  You should click to off the offer for “periodic scanning”.
 

Fixlist.txt

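The checks this thread walks through (Chrome's startup setting, sites allowed to send push notifications, and an unnamed extension with its install date) can also be read from a copy of the profile's Preferences JSON. This is an added example, not part of the original posts or any Malwarebytes tool; the key names and setting values are assumptions about Chrome's profile format, and the sample data is constructed.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample in the assumed layout of a Chrome profile's Preferences
# / Secure Preferences JSON. Extension IDs and hosts are made up.
SAMPLE_PREFS = json.loads("""
{
  "session": {"restore_on_startup": 1},
  "profile": {"content_settings": {"exceptions": {"notifications": {
    "https://ads.example:443,*": {"setting": 1},
    "https://news.example:443,*": {"setting": 2}
  }}}},
  "extensions": {"settings": {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
      "install_time": "13200710400000000",
      "from_webstore": false,
      "manifest": {"name": ""}
    },
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
      "install_time": "13232332800000000",
      "from_webstore": true,
      "manifest": {"name": "Example Blocker"}
    }
  }}
}
""")

CHROME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def chrome_time(value):
    """Chrome stores timestamps as microseconds since 1601-01-01 UTC."""
    return CHROME_EPOCH + timedelta(microseconds=int(value))

def audit(prefs):
    """Return findings: startup mode, push grants, nameless/sideloaded extensions."""
    findings = []
    if prefs.get("session", {}).get("restore_on_startup") == 1:  # assumed: 1 = restore
        findings.append("startup: continue where you left off")
    notif = (prefs.get("profile", {}).get("content_settings", {})
             .get("exceptions", {}).get("notifications", {}))
    for pattern, entry in sorted(notif.items()):
        if entry.get("setting") == 1:  # assumed: 1 = allow, 2 = block
            findings.append("push allowed: " + pattern.split(",")[0])
    exts = prefs.get("extensions", {}).get("settings", {})
    for ext_id, info in sorted(exts.items()):
        name = info.get("manifest", {}).get("name", "")
        stamp = info.get("install_time") or info.get("first_install_time")
        when = chrome_time(stamp).date().isoformat() if stamp else "unknown"
        if not name.strip() or not info.get("from_webstore", False):
            findings.append(f"extension {ext_id}: name={name!r} installed={when}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_PREFS)))
```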

I do need to point out (one more) some things about a Block notice like this.

The green check mark is a way to visually indicate that the blocking STOPPED  anything from completing any connection to the address displayed.

It has & is keeping your pc safe from harm.

The threat is EXTERNAL from your system.  Any potential booger is at the IP 104.27.168.26   &  not on this computer.

Chrome was stopped from making any connection to the link cited in the message.

You should just let the message time out.   OR just click the X button  ( or the CLOSE button)   and keep working on what it is you need to do.

One is curious as to what website (if any) Chrome was on when that notice came up. But the likelihood here is that this Chrome had a suspect Chrome extension.

For Your Information:

The Block notices from Malwarebytes web protection do mean that Malwarebytes Premium is keeping your pc safe from potential harm.

The Malwarebytes web protection, by default, will always show each block occurrence.
The Malwarebytes Web protection feature will advise customers when a known or suspected malicious IP is attempted to be reached (outgoing) or is trying to access your PC.
 
See our info page https://www.malwarebytes.com/lp/ip-blocking/?ipblock=true
 
Incoming block notice can be ignored, our software is blocking the threat and there is nothing more that can be done.
On Outbound blocks, any attempted connection was stopped.
 
No action is required unless you’re also experiencing malware symptoms or there are multiple (different) IPs (ex;123.23.34 and 4.44.56).
 A browser is not required to be running, just an active Internet connection with processes running,
such as Instant messenger clients, SKYPE or Peer-to-peer software, to trigger these alerts.

These may  also be triggered by banner ads running on websites which is the most common form of alert.  These may perhaps happen when reading emails that happen to have embedded links to ads, or malvertising.


Sorry, tried that scheme, and I still get the same problem. Fixlog attached. 

It happens any time I do a Google search in Chrome. For example, searching for Walmart Market Share. Before Malwarebytes blocked it, it would replace the top of the results screen with a bunch of non-Google ads. Clearly, something got planted on my machine that shouldn't be there. I agree with your thought that it is probably a Chrome extension of some kind. On checking the previous scan log, the unnamed Chrome extension, which I agree looked suspicious, was dated 4-26, but in 2019, not 2020. So I'm doubtful on that one.

I don't want this thing on my computer that is messing with my Google searches. I'm glad Malwarebytes is blocking it, but I don't want it on my computer.

Ran eset. It deleted a couple of files that had nothing wrong with them, but which I didn't need. Log attached. 

Any other ideas? 

scanlog.txt Fixlog.txt


It is possible that the Chrome browser will need to be uninstalled & rebuilt.   We could do that at a later point. Or else, switch to the BRAVE browser  ( which is much better than Chrome).

 

The following are a pair of checkup tools to scan your system by other means.
The Microsoft Safety Scanner  is a free Microsoft stand-alone virus scanner that  can be used to scan for & remove malware or potentially unwanted software from a system. 
The download links & the how-to-run-the tool are at this link at Microsoft 
https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download
  
Let me know the result of this.
The log is named MSERT.log  
the log will be at  %SYSTEMROOT%\debug\msert.log   which in most cases is
C:\Windows\debug\msert.log
Please attach that log with your reply.
 
[    2    ]

TrendMicro HouseCall scan
https://www.trendmicro.com/en_us/forHome/products/housecall.html

First, Download & Save to your Downloads folder the appropriate HouseCallLauncher

Once the download is complete, go to where the Housecalllauncher is saved & double-click it to start it.
The program will check with TrendMicro & do an update run.

Next it will show the Disclosure window.
Click Next to proceed.

The end user license agreement is presented.   Click the Accept radio button & click Next to proceed.

IF you wish a Full scan or a Custom scan, first click on the Settings
then you can select which drives you want to include in the scan.
The default is a Quick scan.
Click Scan now when ready.

The scan progress will then be displayed.   Monitor the progress or just leave it alone until it finishes this phase.

When the scan phase has completed, if any items are tagged, you will see a list, showing  the file & its location, the classification of the threat, the type, risk, and Action option.
If you see an item that you know is safe, you can click the Action  , and select Ignore.
When all done & ready, click the Fix now button.


Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks

 
