nickybee123

Infected - malware seems to affect Chrome/IE - nothing removes it fully


Posted (edited)

Apologies for not posting correctly - (admins please delete the duplicate post here)

Addition.txt + FRST.txt + MalwareBytes threat scan attached to this post.

Extra NOTES:

Here are the details - yesterday morning I suddenly noticed odd results popping up at the top of Google search listings (a screen full of ads etc.) and immediately suspected a PUP was at work.

I did the usual basics, check extensions etc - and nothing there.

Ran Malwarebytes (Premium - new license) and ADWcleaner - found nothing

Ran Sophos VRT - found nothing.

Finally I installed Zemana AntiMalware (as a result of something I read about on this forum) and lo and behold it found unusual entries in three places.

Here's the report from Zemana:

MD5           : 
Status        : Scanned
Object        : software\microsoft\windows\currentversion\internet settings\connections
Publisher     : 
Size          : 0
Detection     : MaliciousSetting f
Action        : Delete


MD5           : 
Status        : Scanned
Object        : software\policies\microsoft\internet explorer\control panel
Publisher     : 
Size          : 0
Detection     : MaliciousSetting
Action        : Delete


MD5           : 
Status        : Scanned
Object        : software\wow6432node\policies\microsoft\internet explorer\control panel
Publisher     : 
Size          : 0
Detection     : MaliciousSetting
Action        : Delete


Other facts of note: This happens on every reboot - and it's always the same three things found - and only Zemana can seem to even find them.

But even Zemana cannot find the culprit of the insertions.

Hope someone can help - thanks @pondus for setting me straight on how to start a post.

Addition.txt FRST.txt threat_scan_malwarebytes_premium.txt

Edited by AdvancedSetup
corrected font issue

Hello nickybee123 and welcome to Malwarebytes,

Continue as follows please:

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it to your reply.


Next,

Open Malwarebytes, select > "settings" > "security tab"

Scroll down to "Scan Options" ensure Scan for Rootkits and Scan within Archives are both on....

Go back to "DashBoard" select the Blue "Scan Now" tab......

When the scan completes quarantine any found entries...

To get the log from Malwarebytes do the following:
  • Single click on the target sight above scanner window.
  • In the new window select Report
  • Double click on the Scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have two options:
    Copy to Clipboard - if selected, right click in your reply and select "Paste"; the log will be pasted to your reply
    Export to Txt - if selected you will have to name the file and save to a place of choice, recommend "Desktop", then attach to reply
  • Please use "Export to Txt" then attach the log to your reply...


Next,

Download AdwCleaner by Malwarebytes onto your Desktop.

Or from this Mirror
  • Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the EULA (I accept), then click on Scan
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Quarantine button. This will kill all the active processes
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply


Next,

Download "Microsoft's Safety Scanner" and save direct to the desktop

Ensure to get the correct version for your system....

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download


Right click on the Tool, select "Run as Administrator"; the tool will expand to the options window
In the "Scan Type" window, select Quick Scan
Perform a scan and click Finish when the scan is done.


Retrieve the MSRT log as follows, and post it in your next reply:

1) Select the Windows key and R key together to open the "Run" function
2) Type or Copy/Paste the following command to the "Run Line" and Press Enter:

notepad c:\windows\debug\mrt.log

The log will include details for each time MSRT has run; we only need the most recent log by date and time....

Let me see those logs in your reply, also tell me if there are any remaining issues or concerns...

Thank you,

Kevin

fixlist.txt


Thanks Kevin.

Please find attached 

  • FRST fixlog
  • MalwareBytes output (it found nothing)
  • ADWcleaner output (it found only one pre-installed-package which is likely redundant but I quarantined it anyway)
  • MSRT log

As far as updates go, the problem is still here. Let me clarify four key things:

1. The cause of the problem is the changes to those settings as per the original post I made (internet settings etc.)

2. The only thing that seems to detect the symptoms (i.e. those "changes") is Zemana AntiMalware

3. Nothing (so far) detects the cause of the problem

4. It reappears after every reboot - it (fingers crossed) doesn't appear to be ultra malicious - but at the same time who knows what they're doing with all the data (I can't tell whether this is a fake proxy on ALL internet traffic and therefore whether it's eavesdropping on all my personal data including passwords etc - or whether it's just inserting Ads)

Lastly - I am scared to run the computer WITHOUT cleaning out those settings using Zemana - so I would do the following procedure

Step 1: Reboot computer

Step 2: Run Zemana to "find" those settings and clean them

Step 3: Do all the other scans + log generation as you asked

If this is a new kind of Adware - then perhaps this could be useful for others as it could improve Malwarebytes/ADWCleaner

Nick

mrt.log AdwCleaner.txt Log_from_malwarebytes.txt Fixlog.txt


The only thing I can pull out of the Zemana is what they call a "Scan Report" but it has pretty much the same information as the stuff I posted in the original message to open this thread (with some extra header information on top)

I assume this is a browser hijacker since that's all the "damage" that can be found repeatedly - I just have no idea what is causing it


Scan Information

Product Name    :  Zemana AntiMalware
Scan Status    :  Completed
Scan Date    :  5/19/2020 9:56:39 AM
Scan Type    :  Smart Scan
Scan Duration    :  00:00:13
Scanned Objects    :  1906
Detected Objects    :  3
Excluded Objects    :  0
Auto Upload    :  True
OS    :  Windows 10 x64
Processor    :  12X Intel(R) Core(TM) i7-8750H CPU @ 2.20GHz
BIOS Mode    :  UEFI
Domain Info    :  DAHOUSE,False,NetSetupWorkgroupName
CUID    :  12DD681C032D972FB15B30


Detections

MD5    :
Status    :  Scanned
Object    :  software\microsoft\windows\currentversion\internet settings\connections
Publisher    :
Size    :  0
Detection    :  MaliciousSetting f
Action    :  Delete
-----------------------------------------------------------------------
MD5    :
Status    :  Scanned
Object    :  software\policies\microsoft\internet explorer\control panel
Publisher    :
Size    :  0
Detection    :  MaliciousSetting
Action    :  Delete
-----------------------------------------------------------------------
MD5    :
Status    :  Scanned
Object    :  software\wow6432node\policies\microsoft\internet explorer\control panel
Publisher    :
Size    :  0
Detection    :  MaliciousSetting
Action    :  Delete
-----------------------------------------------------------------------

Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan". Select Scan; when done, post the new logs "FRST.txt" and "Addition.txt".



Very odd, proxy server is back again after removal with FRST fix....

Continue:

Set windows up for "Clean Boot" mode, full instructions here: https://support.microsoft.com/en-gb/kb/929135

Basically all non-MS services are disabled; see how your system runs in that mode. Obviously 3rd party services that affect security or internet connection can be left active.

When that completes run the FRST fix:

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it to your reply.


Next,

Leave system in clean boot..

Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan". Select Scan; when done, post the new logs "FRST.txt" and "Addition.txt".


Thanks...

fixlist.txt


Hello again nickybee123,

I've just been checking through the installed software that you use; one program does or can install and use a proxy server. Let me know if you really need this software, also why do you let it run at boot...

HKLM-x32\...\Run: [Endicia] => C:\Program Files (x86)\Endicia Connect\EndiciaPlugin.exe [4727296 2019-06-19] (Endicia Inc.) [File not signed]

Thank you,

Kevin..


Hey Kevin - two things for you

1. Here's the attached files you asked for in the previous reply

Hope it helps a bit - FWIW I did check and the proxy is still present. As before I can only detect it with Zemana (and the quickest "fix" is Zemana), but even a full clean boot (I double checked that no non-MSFT services were running - the only one was actually Malwarebytes itself)

2. As for your question about Endicia - I use Endicia's Dazzle software to print labels (for eBay sales and such) - but when I checked the Task Manager list of services it was not enabled to run on boot. I don't think Endicia Connect is an ultra necessary part of the software though, so I could try disabling it explicitly to see if it helps.

Why do you think it runs on boot?

Addition.txt FRST.txt Fixlog.txt


Hello nickbee123,

The program does run at boot and its plugin starts. It shows in the FRST logs:

HKLM-x32\...\Run: [Endicia] => C:\Program Files (x86)\Endicia Connect\EndiciaPlugin.exe [4727296 2019-06-19] (Endicia Inc.) [File not signed]


Hello again nickybee123,

Ignore Endicia for now and run the following fix for me, after reboot does the proxy still return..?

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it to your reply.

Thanks,

Kevin

fixlist.txt


No dice.

Fixlog attached. Interestingly, your fixlist forced a reboot without prompting. It was a little freaky. As it happens I wasn't doing anything at the time, but it was certainly unexpected...

Fixlog.txt


Can you try Uninstalling Endicia, reboot. Remove any proxies that may remain with Zemana, reboot. Does the proxy return..?

I've got to go out on a call; be back in approx 90 mins...


Just uninstalled Endicia Connect. I removed Dazzle for good measure also.

Interestingly Endicia Connect wouldn't uninstall through add/remove programs - so I forcibly removed the entire folder in Program Files (x86)

aaand - no difference. Proxy is still there after reboot.

What's our next move ;)

Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan". Select Scan; when done, post the new logs "FRST.txt" and "Addition.txt".


Endicia is still showing in FRST log..

HKLM-x32\...\Run: [Endicia] => C:\Program Files (x86)\Endicia Connect\EndiciaPlugin.exe

Let's try this:

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it to your reply.


fixlist.txt


Did as you suggested - fixlog attached.

EndiciaPlugin.exe is being reported as not found in the fixlog - which is to be expected as....it ain't there ;)

However the proxy...sadly...is still there (post reboot)


Fixlog.txt


Put some stuff in PP - I know it's not much, but you're putting in a lot of time and I wanted to acknowledge that.

Posted (edited)

Hello again nickybee123,

This is frustrating for sure; it would seem you have some kind of AutoConfigURL hijack. Usually both Malwarebytes and Zemana would fix that issue after a scan by removing the hijack and resetting registry entries etc.

In your case Malwarebytes does not see it; Zemana kills the hijack but, unfortunately, it returns after a reboot... Try this:

Type or copy/paste Internet Options into the search function bottom left corner of desktop, then hit enter.

In the window that opens select the "Connections" tab, then the "LAN Settings" button

The LAN settings window opens; "Automatically Detect Settings" should be checkmarked and "Proxy Server" should not be checkmarked

Are yours listed correctly..?

Next,

Run FRST one more time:

Type the following in the edit box after "Search:".

{6BFFB413-E7AB-4EB4-B5DA-94027CEBECF5}

Click Search Registry button and post the log it makes (SearchReg.txt) to your reply.
Thanks for the donation, very much appreciated....

Kevin

IP1.JPG

IP2.JPG

Edited by kevinf80
typo
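The three registry locations Zemana keeps flagging, and the greyed-out LAN Settings button Kevin asks about above, can be checked without any scanner. The following PowerShell is an added example written for this thread; it is not Zemana's, FRST's or Malwarebytes' code and it changes nothing on the machine. It reads the WinINET proxy values (AutoConfigURL, ProxyEnable, ProxyServer), decodes the connection-settings blob under the flagged `Internet Settings\Connections` key, lists any values under the `Policies\...\Internet Explorer\Control Panel` keys (the ones that produce the "managed by your administrator" banner), and prints the WinHTTP proxy. The flag layout of `DefaultConnectionSettings` (flag DWORD at byte offset 8: 0x01 direct, 0x02 manual proxy, 0x04 autoconfig URL, 0x08 auto-detect) is the widely published layout and is an assumption here; the policy value names and paths are the standard IE policy locations.

```powershell
# Added example, not from the thread: read-only audit of proxy / autoconfig
# settings and the policy keys that lock the Internet Options UI.
# Run from an elevated PowerShell prompt. Nothing is modified.

$results = New-Object System.Collections.Generic.List[object]

function Add-Finding {
    param([string]$Path, [string]$Name, $Value, [string]$Note)
    $script:results.Add([pscustomobject]@{ Path = $Path; Name = $Name; Value = $Value; Note = $Note })
}

# 1. WinINET proxy values for the current user and the machine. On a home laptop
#    that should use direct/DHCP, a non-empty AutoConfigURL is the classic
#    AutoConfigURL-hijack indicator; ProxyEnable=1 means a manual proxy is set.
foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings',
                 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings') {
    if (-not (Test-Path $key)) { continue }
    $p = Get-ItemProperty -Path $key
    if ($p.AutoConfigURL)     { Add-Finding $key 'AutoConfigURL' $p.AutoConfigURL 'PAC script configured' }
    if ($p.ProxyEnable -eq 1) { Add-Finding $key 'ProxyEnable'   $p.ProxyEnable   'Manual proxy enabled' }
    if ($p.ProxyServer)       { Add-Finding $key 'ProxyServer'   $p.ProxyServer   'Proxy server string present' }
}

# 2. The binary blob under the Connections key that Zemana flagged. Layout is an
#    assumption (published WinINET format): DWORD version, DWORD counter, then a
#    DWORD flag field at offset 8. 0x02 = manual proxy, 0x04 = PAC URL, 0x08 = auto-detect.
$connKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections'
if (Test-Path $connKey) {
    $conn = Get-ItemProperty -Path $connKey
    foreach ($blobName in 'DefaultConnectionSettings', 'SavedLegacySettings') {
        [byte[]]$blob = $conn.$blobName
        if ($blob -and $blob.Length -ge 12) {
            $flags   = [BitConverter]::ToInt32($blob, 8)
            $decoded = @()
            if ($flags -band 0x02) { $decoded += 'manual proxy' }
            if ($flags -band 0x04) { $decoded += 'autoconfig URL (PAC)' }
            if ($flags -band 0x08) { $decoded += 'auto-detect' }
            # Only 0x02 / 0x04 indicate a proxy or PAC; auto-detect alone is the default.
            if ($flags -band 0x06) {
                Add-Finding $connKey $blobName ('0x{0:X}' -f $flags) ('Flags: ' + ($decoded -join ', '))
            }
        }
    }
}

# 3. Policy keys. These are what grey out "LAN Settings" and show "some settings
#    are managed by your administrator". On a standalone workgroup PC with no
#    Group Policy they normally do not exist at all, so any value here is worth
#    explaining. The key owner helps tell an admin tool from persistence.
foreach ($key in 'HKLM:\Software\Policies\Microsoft\Internet Explorer\Control Panel',
                 'HKLM:\Software\WOW6432Node\Policies\Microsoft\Internet Explorer\Control Panel',
                 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel',
                 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings',
                 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings') {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        Add-Finding $key $name $item.GetValue($name) 'Policy value present on a non-domain machine'
    }
    Add-Finding $key '(owner)' (Get-Acl -Path $key).Owner 'Owner of the policy key'
}

# 4. The machine-wide WinHTTP proxy, used by services rather than browsers.
$winhttp = (netsh winhttp show proxy) -join ' '
if ($winhttp -notmatch 'Direct access') {
    Add-Finding 'netsh winhttp' 'proxy' $winhttp.Trim() 'WinHTTP proxy configured'
}

if ($results.Count -eq 0) {
    Write-Output 'No proxy, autoconfig or IE policy settings found.'
} else {
    $results | Format-Table -Property Path, Name, Value, Note -AutoSize -Wrap
}
```

Run it once right after Zemana has cleaned the settings and again straight after the next reboot, saving each run with `$results | Export-Clixml run1.xml` and `run2.xml`; `Compare-Object (Import-Clixml run1.xml) (Import-Clixml run2.xml) -Property Path, Name, Value` then lists exactly which values come back, which is the question this thread keeps circling. The policy-key owner and the timestamps on the parent keys (`(Get-Item $key).LastWriteTime` is not exposed by PowerShell directly, but FRST's SearchReg output records them) are the next place to look for whatever is rewriting them at boot.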


ok - well at least we're zeroing in on exactly what's happening - we just dunno what's doing it...

In any case here's the result.

attached is the searchreg.txt you asked for and two screenshots of the internet properties connections tab.

LAN settings look like they should (DHCP turned on, no proxies) - but ONLY AFTER ZEMANA cleans it

Prior to Zemana cleaning it - the LAN settings button is greyed out. (checked that by rebooting)

One thing that is worrying is the "some settings are managed by your administrator" - this is my personal laptop and there's only one account on it and that's me (I am indeed an Admin account) - so whatever is changing those policies is likely our culprit...

internet_properties.jpg

internet_properties_afterboot_pre_zemana.jpg

SearchReg.txt


Hello nickbee123,

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it to your reply.


Windows will reboot after that fix completes...

Thanks,

Kevin...

fixlist.txt

This topic is now closed to further replies.