Infected with eu.consumertjava.xyz



Thank you for the FRST reports.

[     1    ]

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system.
The download links & how to run the tool are at this link at Microsoft
https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download
  
Let me know the result of this.
The log is named MSERT.log  
The log will be at %SYSTEMROOT%\debug\msert.log, which in most cases is
C:\Windows\debug\msert.log
Please attach that log with your reply.
 

[    2    ]

NEXT

I would suggest a free scan with the ESET Online Scanner
Go to https://www.eset.com/us/home/online-scanner/

Look on the right side of the page.  Click Scan Now

It will start a download of "esetonlinescanner_enu.exe"

Save the file to your system, such as the Downloads folder, or else to the Desktop.

Go to the saved file, and double click it to get it started.

When presented with the initial ESET options, click on "Computer Scan".
Next, when prompted by Windows, allow it to start by clicking Yes
When prompted for scan type, Click on Full scan

Look at & tick  ( select )   the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"   and click on Start scan button.

Have patience.  The entire process may take an hour or more. There is an initial update download.
There is a progress window display.
You should ignore all prompts to get the ESET antivirus software program.   ( e.g.  their standard program).   You do not need to buy or get or install anything else.
When the scan is completed, if something was found, it will show a screen with the number of detected items.  If so, click the button marked “View detected results”.
Click The blue “Save scan log” to save the log.

If something was removed and you know it is a false finding, you may click on the blue “Restore cleaned files” (in blue, at bottom).
Press Continue when all done.  

You should click to turn off the offer for “periodic scanning”.


I'm currently running the MRT, I also ran a program called "HitmanPro" that detected tracking cookies in my Firefox profile (I'm not sure what those are), I deleted them, and in the last 2 hours the tabs didn't change to the adware tabs, could that have been the malware? (the cookies) or am I just lucky and still infected?

I will attach the logs once the scan is done.


The adware is still there sadly. I have deleted my entire Firefox profile only backing up my bookmarks, I also wonder if it could have taken control over my router or something like that, since the site that shows up in the opened tabs shows an ad related to my internet provider (and my router belongs to it).


Another update, even after contacting my internet provider and deleting my entire Firefox profile, my computer is still infected with this adware. It shows up with different addresses all starting with eu. and ending with .xyz

I have no idea what to do.


As far as the hardware router,  I have never in all my years  heard of a confirmed actual  hardware router "infection".   That said, check with your internet service provider if you must about how to Reset the router,  and check for router-manufacturer hardware updates,  and change the password to the router.   Get help from your ISP.

Find out the make / model of the router. Go to the manufacturer's site and find out how to do a RESET on the router.

Routers have a button on their housing for that purpose.

.

You can find the model information of a router from the sticker on its bottom or back of the router. In most cases it will be labeled as “Model”. You can also find the product model number on the router’s online administration page.

.

Please try the following. Shut down the computer and unplug the power cord for at least 2 minutes.

Unplug the power cord on your router and / or modem as well for at least 2 minutes

Then after a couple minutes Power Up your router / modem  

Find the RESET button on the housing of the router and press that per the directions from the maker of the router.

 

Then plug your PC power back in and start the computer back up into Normal Mode.

.

Thank you for the scan logs.   Below are some other scans to do.

[     1      ]

At this point, a different tool to scan the pc for viruses & other malware  ( if any ).

Do not click on the small popup mini-window that shows up.   Look for the green color button that says "Download Dr.Web CureIt"  with the down-arrow icon


 

Download Dr.Web CureIt to the desktop. 
The download is nearly 208  MB in size

 

After the download is completed, then close the browser and all other web browsers too.

Use the Windows File Explorer to go to the Downloads folder.

 

Double-click on the downloaded file to start the tool. (Dr.Web will randomize the name of the file when you download it)

 


⦁    You will see a screen similar to this:



 
Click the checkbox to participate, and then click on Continue button.

 


⦁    Next



 
Click on Select objects for scanning
⦁    Next

 
Put a checkmark by clicking on all the boxes    EXCEPT for

"Temporary files"

"System restore points"


Do not select Temporary files or System Restore points.


Then click on Start scanning button

⦁    The scan in progress will be shown like this

 



⦁    IF something is detected, you will see a screen similar to this

 



 
For each item "detected", click on the Action column down arrow, like this
 


Your options will be Cure or Ignore

IF you see an item that you are very sure is ok, then un-check the checkbox for that item.
Typically, you will keep the Cure default.

Then click on the Neutralize button.

 

⦁    When the actions are completed, you will see this



 
⦁    Click on the green Open Report line. It will pop-up the report in NOTEPAD.
Save the report to your desktop. The report will be called Cureit.log
⦁    Close Dr.Web Cureit. 
⦁    Reboot your computer to allow files that were in use to be moved/deleted during reboot. 
⦁    After reboot, attach the log Cureit.log you saved previously in your next reply. 

 

Have patience in all this. 

NEXT

[      2     ]

SecurityCheck by glax24    

I would like you to run a tool named SecurityCheck to inquire on the current-security-update  status  of some applications.
Download SecurityCheck by glax24 from here  https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe
and save the tool on the desktop.

If Windows SmartScreen blocks that with a message window, then

Click on the MORE INFO spot and over-ride that and allow it to proceed.

This tool is safe.   Smartscreen is overly sensitive.

Right-click with your mouse on the SecurityCheck.exe and select "Run as administrator" and reply Yes to allow it to run & go forward

Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file.  Attach it with your next reply.
You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt
 

NEXT

[    3   ]

I would appreciate getting some key details from this machine in order to help you going forward.
 NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

Do have patience while the report tool runs.  It may take several minutes.  Just let it run & take its time.  You may want to close your other open windows so that there is a clear field of view.
Download Malwarebytes Support Tool 

    Once the file is downloaded, open your Downloads folder/location of the downloaded file
    Double-click mb-support-1.6.0.774.exe  to run the report
        You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
        
    Place a checkmark next to Accept License Agreement and click Next
Now click the left-hand side pane "I do not have an open support ticket"

    You will be presented with a page stating, "Get Started!"
    Do NOT use the button “Start repair” !   But look instead at the far-left options list in black.

    Click the Advanced tab on the left column
    
    Click the Gather Logs button
    
    A progress bar will appear and the program will proceed with getting logs from your computer.  Please do have patience.  It takes several minutes to gather.
   
    Upon completion, a file named mbst-grab-results.zip will be saved to your Desktop. Click OK
    Please attach the ZIP file in your next reply.


Additional note:   I noticed that there have been recent hangs of the Firefox browser, like this:

Quote

Error: (05/02/2020 10:29:35 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program firefox.exe version 75.0.0.7398 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Security and Maintenance control panel.

Process ID: 2dd0

Start Time: 01d620b52e111a50

Termination Time: 4294967295

Application Path: C:\Program Files (x86)\Mozilla Firefox\firefox.exe

Report Id: 29e462fd-e0a1-4c28-aac4-a3f986c4bc85

Faulting package full name: 

Faulting package-relative application ID: 

Hang type: Top level window is idle

 

If those are still happening, Close Firefox   ( you may use Task Manager to End the Task for firefox.exe )

and then if you must use FF,  do so using its Safe mode.

https://support.mozilla.org/en-US/kb/troubleshoot-firefox-issues-using-safe-mode

Edited by Maurice Naggar

Sorry for the late reply, I was busy with work. I'm attaching the files you requested. I also want to let you know that I had to uninstall Firefox from my computer as other ad sites started to open up (that don't end with .xyz) after I tried a clean installation of it (deleted the folder from Program Files and from %APPDATA%).

I think that it only affects Firefox (I'm using chrome atm and no hijacks/redirects occur atm), but I can't be sure. I'm also not sure what I can do on my computer and how exposed it is. Can this thing also be a trojan/keylogger and steal information and passwords from me or do other bad things?

SecurityCheck.txt mbst-grab-results.zip cureit.log


There is no basis for assuming a "trojan"  or "keylogger".   Malwarebytes for Windows will detect if there are malicious types around.

I always advise everyone to not jump to conclusions.   I always want security-check tools to determine the status of things.

By the way, this PC has ESET Security antivirus.   At some point, make the time, to first Close all web browsers & then do a thorough scan with your own ESET Security !

.

Thanks for providing the reports, especially the Support-tool report.   That showed that Chrome & Firefox had been each having Block event notices.

Some of the blocks were about  "crwmqldwc.com"  with Chrome

& "lux.superlinks.org"   &   "dprtb.com"       with Firefox 

In each of those block events, the Malwarebytes Trial mode web protection  ( the same as in premium) is protecting the pc from any harm.

Any attempt to connect to those potential harmful sites was STOPPED.

The fact of having a block notice window does NOT mean that there is a malware on-board.

.

Let's go ahead and do some strengthening on Chrome & Firefox & Edge.

[    1     ]

See this article on our Malwarebytes Blog   to  help prevent "push ads"
https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused/
  
You want to disable the ability of each web browser on this machine from being able to allow "push ads". That means Chrome, Firefox, or Edge browser (on Windows 10), or on Opera. 
Scroll down to the tips section "How do I disable them". 
 

[   2   ]

Turn off Google SYNC

Please use Chrome  to go to https://www.google.com/settings/chrome/sync    and sign into your account.
Scroll down until you see the "reset sync" button and click on the button
At the prompt click on "Ok".

 

[    3    ]

for Chrome, while Chrome is running:
Press & hold SHIFT+CTRL+Del keys  on keyboard to get menu for clearing browsing data:

Check mark the line  "Browsing history" 
Check mark the line "Download history" 
Check mark the line "Cached images and files"
and press Clear Data button  ( in blue ) 

 

[   4   ] 
After that, make real sure that Chrome is "NOT" set to reload the pages from the last session 
Go into the settings menu of Chrome by first clicking the control icon of Chrome on upper right of the address bar
Then look deeper in SETTINGS 
 
Make real sure it is "NOT" set to "continue where you left off" 

 

[    5    ]
I suggest you install the Malwarebytes Browser guard for Chrome. 
To get & install the Malwarebytes Browser Guard extension for Chrome, 
  
Open this link in your Chrome   browser:  
https://chrome.google.com/webstore/detail/malwarebytes/ihcjicgdanjaechkgeegckofjjedodee
  
Then proceed with the setup. 
  
[   6    ] 
Get & install the Malwarebytes Browser Guard Firefox extension.
Open this link in your Firefox browser:    
https://addons.mozilla.org/en-US/firefox/addon/malwarebytes/


Then proceed with the setup. 
That link is for English US. There are other language versions. Just go to the very bottom right of the page and look at the “Change language” drop-down list.
 

[  7   ]

Delete Cache, cookies & browser history on Firefox browser

See   https://support.mozilla.org/en-US/kb/how-clear-firefox-cache

 

All the steps above ought to get your web browsers in a better & more secure state.

 

[  8   ]

These are some utilities that you need to check with the publisher  and get the latest updates.

7-Zip     16.04 (x64) v.16.04 Warning! Download Update
Uninstall old version and install new one.

WinRAR     5.01 (64-bit) v.5.01.0 Warning! Download Update
 
Skype  7.37 v.7.37.103 Warning! Download Update

 


I just want to ask, all these methods of installing ad blockers and guards are good, but if my tabs are being hijacked that means that there is something on my computer that's doing that, right? They aren't removing it, just preventing it from redirecting my tabs to websites. Where could that malware be hiding? and how can I remove it?

I don't want to be in constant fear that there is something hidden on my machine.

 


There is not an actual infection on your machine. This is sometimes hard to convey to folks because they get a Block notice & then jump to an assumption that there could be something on their box.

This is where I remind folks that a Block notice has STOPPED  any attempt  /  the Block is protecting your machine.

I have had you run several check tools.

The Microsoft Safety Scanner

The ESET online scanner.

Dr.Web CureIt  antivirus

.

Now then, this pc has installed the excellent ESET Security antivirus.   Use that and do a Full scan of this system.   Let me know the result.

.

.

For Your Information:

The Block notices from Malwarebytes web protection do mean that Malwarebytes is keeping your pc safe from potential harm.
A block notice is an advisory of the "block".
A "malicious website blocked" is entirely different from a "malware detected" event.

The website  Block message indicates that a potential risk was blocked by the malicious website protection. 
The Malwarebytes web protection, by default, will always show each IP block occurrence.
The Malwarebytes web protection feature will advise customers when a known or suspected malicious IP is attempted to be reached (outgoing) or is trying to access your PC.
 
See our info page https://www.malwarebytes.com/lp/ip-blocking/?ipblock=true 
Incoming block notices can be ignored, our software is blocking the threat and there is nothing more that can be done.
On Outbound blocks, any attempted connection was stopped.
 
No action is required unless you’re also experiencing malware symptoms or there are multiple (different) IPs (ex;123.23.34 and 4.44.56).
 A browser is not required to be running, just an active Internet connection with processes running,
such as Instant messenger clients, SKYPE or Peer-to-peer software, to trigger these alerts.

These are also triggered by banner ads running on websites which is the most common form of alert.
.
 


It can be due to attempts to do advertising.   If you want to consider uninstalling  & then re-installing the web browser,   let me know.  That procedure has helped others.

FIRST,  I need for you to scan your system with the installed ESET Security.

That is an excellent program  & would provide a "second" opinion.


What "full clean install"  do you mean ?

 

I have to convey these bits of information.   For Your Information:

The Block notices from Malwarebytes web protection do mean that Malwarebytes is keeping your pc safe from potential harm.
A block notice is an advisory of the "block".
A "malicious website blocked" is entirely different from a "malware detected" event.

The website  Block message indicates that a potential risk was blocked by the malicious website protection. 
The Malwarebytes web protection, by default, will always show each IP block occurrence.
The Malwarebytes web protection feature will advise customers when a known or suspected malicious IP is attempted to be reached (outgoing) or is trying to access your PC.
 
See our info page https://www.malwarebytes.com/lp/ip-blocking/?ipblock=true
 
Incoming block notices can be ignored, our software is blocking the threat and there is nothing more that can be done.
On Outbound blocks, any attempted connection was stopped.
 
No action is required unless you’re also experiencing malware symptoms or there are multiple (different) IPs (ex;123.23.34 and 4.44.56).
 A browser is not required to be running, just an active Internet connection with processes running,
such as Instant messenger clients, SKYPE or Peer-to-peer software, to trigger these alerts.

These are also triggered by banner ads running on websites which is the most common form of alert.
.
[    2     ]

Please download RogueKiller (x64) using the link below.
→ http://download.adlice.com/api?action=download&app=roguekiller&type=x64
⦁    Save the file first,
⦁    Close any running programs that you started on your own ( if any).
⦁    Please disconnect any USB or external drives from the computer before you run this scan!

Double-click  RogueKillerx64.exe to run the program.
Follow the prompts. If a browser window opens, close the window.

In the HOME tab, click Scan button
Next, on the Quick scan pane, click on the Start button to proceed.
.
Upon completion, a browser window may open. Close this window.
 Important: Please do not have RogueKiller remove any detected items.

Click the HISTORY tab followed by Scan Reports.
Double-click the scan log. Click Export TXT, enter a filename and save the file to your Desktop.
Please attach the file in your next reply.
 


Thanks for the RogueKiller report.   That reports no suspicious entries or files.

To date, we have run many tools:

Malwarebytes for Windows scans

Adwcleaner

The ESET Online scanner

I suggested you scan with your own ESET NOD32 antivirus

Dr.Web Cure-It

Microsoft Safety Scanner

I also suggested you add the Malwarebytes Browser Guard for Chrome +  also for Firefox

.

There is no on-board malware on this machine, and the Malwarebytes web protection is STOPPING any connection to the domain consumertjava.xyz

The "booger" is out there, external to your machine, at consumertjava.xyz

There is nothing on this machine itself.

Further to that,  the Malwarebytes for Windows should be blocking the entire top-level domain .XYZ

.

For Your Information:

The Block notices from Malwarebytes web protection do mean that Malwarebytes is keeping your pc safe from potential harm.
A block notice is an advisory of the "block".
A "malicious website blocked" is entirely different from a "malware detected" event.

The website  Block message indicates that a potential risk was blocked by the malicious website protection. 
The Malwarebytes web protection, by default, will always show each IP block occurrence.
The Malwarebytes web protection feature will advise customers when a known or suspected malicious IP is attempted to be reached (outgoing) or is trying to access your PC.
 
See our info page https://www.malwarebytes.com/lp/ip-blocking/?ipblock=true
 
Incoming block notices can be ignored, our software is blocking the threat and there is nothing more that can be done.
On Outbound blocks, any attempted connection was stopped.
 
No action is required unless you’re also experiencing malware symptoms or there are multiple (different) IPs (ex;123.23.34 and 4.44.56).
 A browser is not required to be running, just an active Internet connection with processes running,
such as Instant messenger clients, SKYPE or Peer-to-peer software, to trigger these alerts.

These are also triggered by banner ads running on websites which is the most common form of alert.
.

We may do the following procedure to get the site totally blocked.

Start NOTEPAD (you can press Windows-key+R keys to get the RUN option
and then type in

NOTEPAD.exe

and press Enter key to start NOTEPAD.

Check and make sure "word wrap" is off. 
From the Notepad main menu bar, select Format and make sure Word Wrap is NOT checked.
IF it -is- checkmarked, click that one time so that it is un-checked.

Please copy/paste the lines below to Notepad:


@Echo on
REM Go to the folder that holds the hosts file (uses the Windows folder of this PC)
pushd %SystemRoot%\System32\drivers\etc
REM Clear the hidden / system / read-only attributes so the file can be written
attrib -h -s -r hosts
REM NOTE: the single > on the next line REPLACES the current hosts file
echo 127.0.0.1 localhost>HOSTS
echo ::1 localhost>>HOSTS
REM Map the ad site to 0.0.0.0 so the browser can never reach it
echo 0.0.0.0 consumertjava.xyz>>HOSTS
attrib +r +h +s hosts
popd
REM Refresh the network stack and the DNS cache, then reboot
ipconfig /release
ipconfig /renew
ipconfig /flushdns
netsh winsock reset all
netsh int ip reset resetlog.log
shutdown -r -t 1
REM Remove this batch file once it has run
del %0

now Save as flush.bat to your desktop.
Double-click flush.bat file to run it.

Your computer will reboot.
.
 

 

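An added example, not the script from the post above: the same hosts-file block done without replacing the existing hosts file. It keeps a backup, appends only the entries that are not already present, restores the file attributes, and then checks that each name now resolves to 0.0.0.0. The domain list is constructed for the example (consumertjava.xyz is the domain named in the thread) and it assumes an elevated PowerShell prompt.

```powershell
#Requires -RunAsAdministrator
# Added example, not the batch file from the forum post: append block entries
# to the hosts file instead of rewriting it, keep a backup, verify the result.

$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
# Constructed list for this example; consumertjava.xyz is the name from the thread.
$BlockList = @('consumertjava.xyz', 'www.consumertjava.xyz')

function Add-HostsBlock {
    param(
        [Parameter(Mandatory)] [string[]] $Domain,
        [string] $Path = $HostsPath
    )
    # Timestamped backup so the change can be reverted by copying it back.
    $backup = '{0}.{1}.bak' -f $Path, (Get-Date -Format 'yyyyMMdd-HHmmss')
    Copy-Item -LiteralPath $Path -Destination $backup -Force

    # The batch file marks hosts hidden/system/read-only; clear that to write,
    # and put the original attributes back afterwards even if something fails.
    $file  = Get-Item -LiteralPath $Path -Force
    $attrs = $file.Attributes
    $file.Attributes = [System.IO.FileAttributes]::Normal
    $added = @()
    try {
        $existing = @(Get-Content -LiteralPath $Path)
        foreach ($d in $Domain) {
            # Idempotent: skip names already sink-holed on an uncommented line.
            $pattern = '^\s*(0\.0\.0\.0|127\.0\.0\.1)\s+' + [regex]::Escape($d) + '(\s|$)'
            if (($existing -match $pattern).Count -gt 0) { continue }
            $added += "0.0.0.0 $d"
        }
        if ($added.Count -gt 0) {
            # A marker comment makes the entries easy to find and remove later.
            $lines = @("# added $(Get-Date -Format s) - ad-site block") + $added
            # If the file does not end with a newline, start on a fresh line.
            $raw = [System.IO.File]::ReadAllText($Path)
            if ($raw.Length -gt 0 -and -not $raw.EndsWith("`n")) { $lines = @('') + $lines }
            Add-Content -LiteralPath $Path -Value $lines -Encoding ASCII
        }
    }
    finally {
        $file.Attributes = $attrs
    }
    # Drop cached answers so the new entries take effect immediately.
    Clear-DnsClientCache
    return ,$added
}

function Test-HostsBlock {
    param([Parameter(Mandatory)] [string] $Domain)
    # getaddrinfo consults the hosts file first, so a blocked name yields 0.0.0.0.
    try {
        $ips = [System.Net.Dns]::GetHostAddresses($Domain) |
               ForEach-Object { $_.IPAddressToString }
        return [bool]($ips -contains '0.0.0.0')
    }
    catch { return $false }
}

# Usage: add the entries, then confirm each name is now sink-holed.
$new = Add-HostsBlock -Domain $BlockList
'Added {0} entries: {1}' -f $new.Count, ($new -join '; ')
foreach ($d in $BlockList) {
    '{0,-28} blocked: {1}' -f $d, (Test-HostsBlock -Domain $d)
}
```

Running it a second time adds nothing, and restoring the .bak copy over the hosts file undoes the change.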

I'm still not using Firefox, I'm still afraid I have something on my pc. I have not run the script you gave me because back when I was getting the hijacks (when I used FF), there were other addresses for ad sites in addition to consumertjava.xyz, like others that end with .xyz and also some with different names altogether (not related to .xyz).

So I still don't know what to do.

Link to post
Share on other sites

Hi.

A )  I encourage you to do what I last outlined. Let's do that to get the pc in better overall shape.

It is very important to do my prior suggestion because that is going to help a lot.   The rest we can deal with, one at a time.

Then

after that,

B )

Do a new report-run using the Malwarebytes Support tool which you already have.

Open your Downloads folder/location of the downloaded file
    Double-click mb-support-1.6.0.774.exe  to run the report
        You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
        
    Place a checkmark next to Accept License Agreement and click Next
Now click the left-hand side pane "I do not have an open support ticket"

    You will be presented with a page stating, "Get Started!"
    Do NOT use the button “Start repair” !   But look instead at the far-left options list in black.

    Click the Advanced tab on the left column
    
    Click the Gather Logs button
    
    A progress bar will appear and the program will proceed with getting logs from your computer.  Please do have patience.  It takes several minutes to gather.
   
    Upon completion, a file named mbst-grab-results.zip will be saved to your Desktop. Click OK
    Please attach the ZIP file in your next reply.

Edited by Maurice Naggar

This topic is now closed to further replies.