
Hi! First time poster here. First of all, please excuse my English as it is not my usual language.

I'm running Windows 7 SP1 with the free Kaspersky Security Cloud and I've been experiencing some issues since about a month ago, when I started working from home:

- The first symptoms I noticed were that some banners with strange content started to be shown on some pages that I visit. After installing uBlock Origin for Firefox they obviously stopped showing, but I could check from the info provided by uBlock that they came from a script from addthis.com (https://s7.addthis.com/js/300/addthis_widget.js#pubid=...)

- Nothing appeared in scans with Malwarebytes, Kaspersky, and other malware detection software.

- Sometimes that kind of banner also appears in the YouTube app on my mobile (not in the browser), which is connected to my wifi most of the time. Usually those banners were mostly from Facebook or TikTok, but sometimes they all change to show the odd ones (I have turned off all the privacy preferences I can, the ones about suggested advertising too). It seems to recover after deleting the cache and resetting the Google advertising ID several times. The weirdest ones were shown in different languages (Hindi, Arabic, nothing related to my language and location), and that is important for something I'm going to explain below.

- Around a week ago I received a login notification from India for a Spotify account linked to my email. It may sound strange, but I don't remember having created an account. There is a chance that someday (long ago) I registered to try something and never used it again, but I don't remember that. I contacted Spotify support and they closed the account. That email was listed in a security breach from verifications.io and I have changed the password several times.


With all these things in mind, and needing it anyway for some time, last weekend I reinstalled Windows on my PC. And now I am starting to notice some symptoms again:


- The strange banners are shown again on the page where I first noticed the issue (a cycling forum). Also in the YouTube app for a couple of days; it seems OK now, don't know for how long...

- By chance I checked the Windows Event Viewer and found several errors that I have no idea what they mean, some of them related to security.


I am pretty worried about all these things and I'm afraid my PC may be exposed or have a major security threat. Any kind of help would be greatly appreciated.

Thank you very much in advance!


Hello Eme and welcome to Malwarebytes....

Continue with the following:

If you do not have Malwarebytes installed do the following:

Download Malwarebytes from the following link:

https://www.malwarebytes.com/mwb-download/thankyou/

or,

https://downloads.malwarebytes.com/file/mb4_offline

Double click on the installer and follow the prompts. If necessary select the Blue Help tab for video instructions....

When the install completes or Malwarebytes is already installed do the following:

Open Malwarebytes, select > "settings" > "security tab"

Scroll down to "Scan Options", ensure Scan for Rootkits and Scan within Archives are both on....

Go back to "DashBoard" select the Blue "Scan Now" tab......

When the scan completes quarantine any found entries...

To get the log from Malwarebytes do the following:
 
  • Single click on the target sight above scanner window.
  • In the new window select Report
  • Double click on the Scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have two options:
    Copy to Clipboard - if selected, right click in your reply and select "Paste"; the log will be pasted into your reply
    Export to Txt - if selected, you will have to name the file and save it to a place of your choice, recommended "Desktop", then attach it to your reply

     
  • Please use "Export to Txt" then attach the log to your reply...


Next,

Download AdwCleaner by Malwarebytes onto your Desktop.

Or from this Mirror
 
  • Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the EULA (I accept), then click on Scan
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Quarantine button. This will kill all the active processes
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply


Next,

Download Farbar Recovery Scan Tool and save it to your desktop.

Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security alerts to FRST either, accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...

Be aware FRST must be run from an account with Administrator status...
 
  • Double-click to run it. When the tool opens click Yes to disclaimer.(Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
  • Press Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also make a log named (Addition.txt) Please attach that log to your reply.


Let me see those logs in your reply...

Thank you,

Kevin....

Hello again @kevinf80

In addition to the logs, I have found more disturbing info...

Reading about Smart TV security, I was redirected to a Samsung website, where the language options to choose from were: INDIA/ENGLISH or SPAIN/SPANISH

What is happening with India??


Checking more info about my IP, I found this website where the data is totally different from any other site:
https://www.elhacker.net/geolocalizacion.html

IP:     <not the one shown usual>
AS Number (ASN):     AS39272 Complex Prime LLC
Organization:     virtual dedicated servers, Moscow
Domain:     
DNS:     78.30.0.110
Country:     Spain
Country code:     es
Flag:     
Region name:     Madrid, Comunidad De
Original country:     Spain
City:     Madrid
ZIP:     28013
Time:     +02:00
Linked Ips:     <not the one shown everywhere>
Whois IP - Dominio:     Ver Whois de <not the one shown everywhere>
Registros DNS:     Not a domain

I removed the IP shown, just in case... But checking the DNS (78.30.0.110) I get different locations depending on the site, even shown as a different ISP. What does Moscow mean here??

Any idea of what is happening? Really worried...


Hiya Eme,

Thanks for those logs, also the extra IP information. DNS: 78.30.0.110 seems to be related to a VPN; Spain is listed as the address, yet in reality the servers are actually located in Moscow (Russia). You did correctly identify and remove that malicious IP address....

Continue:

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply.

Next,

Download "Microsoft's Safety Scanner" and save direct to the desktop

Ensure to get the correct version for your system....

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download


Right click on the Tool, select “Run as Administrator” the tool will expand to the options Window
In the "Scan Type" window, select Quick Scan
Perform a scan and Click Finish when the scan is done.


Retrieve the MSRT log as follows, and post it in your next reply:

1) Select the Windows key and R key together to open the "Run" function
2) Type or Copy/Paste the following command to the "Run Line" and Press Enter:

notepad c:\windows\debug\mrt.log

The log will include log details for each time MSRT has run, we only need the most recent log by date and time....

Next,

Scan with Autoruns

Please download Sysinternals Autoruns from the following link: https://live.sysinternals.com/autoruns.exe save it to your desktop.

Note: If using Windows Vista, Windows 7, Windows 8/8.1 or Windows 10 then you also need to do the following:
 
  • Right-click on Autoruns.exe and select Properties
  • Click on the Compatibility tab
  • Under Privilege Level check the box next to Run this program as an administrator
  • Click on Apply then click OK
     
  • Double-click Autoruns.exe to run it.
  • Once it starts, please press the Esc key on your keyboard.
  • Now that scanning is stopped, click on the Options button at the top of the program and verify that the following are checked, if they are unchecked, check them:

    Hide empty locations
    Hide Windows entries

     
  • Click on the Options button at the top of the program and select Scan Options... then in the Autoruns Scan Options dialog enable/check the following two options:

    Verify code signatures
    Check VirusTotal.com

     
  • Once that's done click the Rescan button at the bottom of the Autoruns Scan Options dialog and this will start the scan again, this time let it finish.
  • When it's finished and says Ready. on the lower left of the program window, please click on the File button at the top of the program and select Save and save the file to your desktop and close Autoruns.
  • Right click on the file on your desktop that you just saved and hover your mouse over Send To and select Compressed (zipped) Folder
  • Attach the ZIP folder you just created to your next reply

Let me see those logs in your reply...

Thank you,

Kevin...

 

fixlist.txt


More strange things, not sure if it is help or mess:

If I access https://www.elhacker.net with my mobile via wifi and click on the left side on Servicios > Localizador IP's (that is the same link as in my post: https://www.elhacker.net/geolocalizacion.html ), I get my "real" IP. But if I paste or click the full link, it again shows the IP 78.30.0.110.

With my computer both operations give the same result: IP 78.30.0.110.

 

And one more thing, I don't know if I'm already paranoid... Every time I open Firefox for the first time, when it gets maximized it shows a quick flicker that doesn't happen when opening new tabs or opening Chrome, for example. Should I take special caution with any process while we are testing the PC?

 

Thanks again.


UPDATE

Kevin, sorry for so many posts; I think it's important that you have all the information before answering.

I tried to access the IP location page with Chrome and got the same results as with the mobile. Step by step: real IP, but if I paste or click, then: 78.30.0.110

I also tried cleaning data and history from Firefox and this time got the same result as with the mobile or Chrome: the real one and 78.30.0.110

Does that make any sense??


Hiya Eme,

Post as many replies as you want, information is always useful.... Continue:

Reset your router, instructions available at the following link:

http://setuprouter.com/networking/how-to-reset-your-router/

Follow those instructions very carefully.

Next,

Download and unzip DNSJumper to your Desktop, the tool is portable no installation necessary.

Tool can be downloaded here: http://www.sordum.org/downloads/?dns-jumper
 
  • Right click on Dnsjumper.exe and select "Run as Administrator" to start the tool, For XP just double click to run.
  • From the left hand pane select "Flush DNS"
  • From the main interface select the dropdown under "Choose a DNS Server"
  • From the list select either "Google Public DNS" or "Open DNS"
  • From the left hand pane select "Apply DNS"

When done re-boot your system....

Next,

Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan" Select scan, when done post the new logs. "FRST.txt" and "Addition.txt"

 
Thank you,
 
Kevin...
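The reply above sets the resolvers by hand in DNS Jumper and then flushes the cache. The following PowerShell script is an added example, not part of the thread and not from Malwarebytes or the DNS Jumper project: it reads the resolvers configured on every active adapter, classifies each one against an allow-list, and then runs the same flush step. It assumes Windows 7 or later with PowerShell 2.0 or newer (the WMI class used exists on Windows 7, where the newer DNS client cmdlets do not), an elevated prompt, and an allow-list constructed here from the two public resolvers the reply suggests (Google Public DNS and OpenDNS); replace it with whatever resolvers you actually chose.

```powershell
# Added example (not from the thread or from any tool it names).
# Audits the DNS resolvers on every IP-enabled adapter, flags any outside an
# allow-list, and flushes the local resolver cache.
# Assumptions: Windows 7+ with PowerShell 2.0+, run from an elevated prompt.
# The allow-list is constructed for illustration: Google Public DNS and OpenDNS.

$ExpectedResolvers = @('8.8.8.8', '8.8.4.4', '208.67.222.222', '208.67.220.220')

function Get-DnsResolverReport {
    param([string[]]$Expected = $ExpectedResolvers)

    # Win32_NetworkAdapterConfiguration is available on Windows 7;
    # Get-DnsClientServerAddress is not, so WMI is used instead.
    $adapters = Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter "IPEnabled = True"

    foreach ($a in $adapters) {
        $gateways = @($a.DefaultIPGateway | Where-Object { $_ })
        foreach ($r in @($a.DNSServerSearchOrder | Where-Object { $_ })) {
            # A resolver equal to the default gateway means the router answers DNS
            # itself; the upstream resolvers then live in the router's own settings,
            # which is what the router reset step in the thread is about.
            if ($Expected -contains $r)      { $status = 'Allow-listed' }
            elseif ($gateways -contains $r)  { $status = 'Gateway (verify router DNS settings)' }
            else                             { $status = 'UNEXPECTED' }

            New-Object PSObject -Property @{
                Adapter  = $a.Description
                ViaDhcp  = $a.DHCPEnabled
                Resolver = $r
                Status   = $status
            }
        }
    }
}

# Run the audit and print one row per adapter/resolver pair.
$report = @(Get-DnsResolverReport)
$report | Format-Table Adapter, ViaDhcp, Resolver, Status -AutoSize

# Anything not in the allow-list and not the router deserves a closer look.
$unexpected = @($report | Where-Object { $_.Status -eq 'UNEXPECTED' })
if ($unexpected.Count -gt 0) {
    $list = ($unexpected | ForEach-Object { $_.Resolver }) -join ', '
    Write-Warning "Resolvers outside the allow-list are in use: $list"
}

# Same effect as DNS Jumper's "Flush DNS": discard cached answers so the
# newly chosen resolvers are consulted for every lookup.
ipconfig /flushdns | Out-Null
```

Save it as a .ps1 file and run it from an elevated PowerShell prompt. A row whose resolver is the router's LAN address is normal on a DHCP-configured adapter; in that case the resolvers that matter are the ones the router forwards to, which is why the reply also has you reset the router. If a resolver you never configured shows up again after you have set them manually and rebooted, keep that fact in the next reply, since the FRST logs requested above are what the helper uses to trace the setting back to whatever wrote it.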

Well, I didn't notice any significant change...

- After flushing DNS, the YouTube app started to change the ads again, not as strange as before. I got back to the Facebook and TikTok ads by clearing the cache and resetting the Google Ads ID as I used to do before. Let's see how long it lasts.

- The S7.addthis script is still trying to load (it would load if it weren't for uBlock) and I found a new one (moatads.com). I see a lot of references to both being considered malware, any clue?

But what I am more worried about, by far, is the issue with that IP. I have no idea what it could mean but it's quite disturbing... In fact, it is the only website where I can see that; I checked a lot of "my IP" sites and all of them show the "real" IP.

I don't know if it is the smartest site or if there is some mistake... With my mobile and without wifi it didn't happen.

Maybe something related to Kaspersky? After starting, it loads some kind of "secure connection" but I think it is not activated. Just wondering... But it is also strange that my IP is from one ISP and that other one is from a "low cost" one.

Do you have any idea about this? Could there be an intrusion in my network? Could any other device have changed anything or be exposed as well?

And what about the results of the logs? Do you think it is safe to use the computer? I'm very worried and quite afraid of using the computer now...


Hello Eme

Thanks for the update, let's dig a bit deeper...

 
Please download Zemana AntiMalware and save it to your Desktop.
 
  • Install the program and once the installation is complete it will start automatically.
  • Without changing any options, press Scan to begin.
  • After the short scan is finished, if threats are detected press Next to remove them.
    Note: If restart is required to finish the cleaning process, you should click Reboot. If reboot isn't required, please re-boot your computer manually.

    Open Zemana again then do the following to get the latest report

    Open Reports > select the report in question to highlight > select "Ctrl - A" keys together to highlight full report message > then "Ctrl - C" keys to copy to clipboard > then open notepad and select paste to copy the report there, then attach to reply....

    Next,

    Download Sophos Free Virus Removal Tool and save it to your desktop.

    If your security alerts to this scan either accept the alert or turn off your security to allow Sophos to run and complete.....

    Please Do Not use your PC whilst the scan is in progress.... This scan is very thorough so may take several hours...
     
    • Double click the icon and select Run
    • Click Next
    • Select I accept the terms in this license agreement, then click Next twice
    • Click Install
    • Click Finish to launch the program
    • Once the virus database has been updated click Start Scanning
    • If any threats are found click Details, then View log file... (bottom left hand corner)
    • Copy and paste the results in your reply
    • Close the Notepad document, close the Threat Details screen, then click Start cleanup
    • Click Exit to close the program
    • If no threats were found please confirm that result....



    The Virus Removal Tool scans the following areas of your computer:
     
  • Memory, including system memory on 32-bit (x86) versions of Windows
  • The Windows registry
  • All local hard drives, fixed and removable
  • Mapped network drives are not scanned.


Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan.

Let me see those logs in your reply...

Thank you,

Kevin

 


Hi Kevin,

Sophos didn't find any threat and this is the report from Zemana:

Scan Information
Product Name    :  Zemana AntiMalware 
Scan Status    :  Completed 
Scan Date    :  7/11/2020 12:25:16 AM 
Scan Type    :  Smart Scan 
Scan Duration    :  00:00:11 
Scanned Objects    :  1632 
Detected Objects    :  1 
Excluded Objects    :  0 
Auto Upload    :  True 
OS    :  Windows 7 x64 
Processor    :  8X Intel(R) Core(TM) i7-6700 CPU @ 3.40GHz 
BIOS Mode    :  Legacy 
Domain Info    :  WORKGROUP,False,NetSetupWorkgroupName 
CUID    :  12CD68F43FFC9B269DDE0E 


Detections
MD5    :   
Status    :  Scanned 
Object    :  c:\users\miguel\appdata\roaming\mozilla\firefox\profiles\aofbcs52.default-release-1594365356134\extensions\light_plugin_b29d4ad94f82454bbc9215bcbd7e80ae@kaspersky.com.xpi 
Publisher    :   
Size    :  0 
Detection    :  HijackExt:FirefoxPlugin/light_plugin_B29D4AD94F82454BBC9215BCBD7E80AE@kaspersky.com 
Action    :  Delete 
----------------------------------------------------------------------- 

I keep on thinking about that IP... What could be the reason for such a result in case it wasn't a mistake? I suppose you can check my IP from these posts and probably it doesn't match that one, no?


Are you still having issues with DNS settings? The FRST log (addition.txt) indicates connections as "DNS Servers: 8.8.8.8 - 8.8.4.4"

Regarding S7.addthis do you need that plugin, can you safely remove it..?

Firefox is indicated as your Default Browser, try Malwarebytes browser guard it is free and will give better protection.

https://addons.mozilla.org/en-US/firefox/addon/malwarebytes/

if you also use Chrome - https://chrome.google.com/webstore/detail/malwarebytes-browser-guar/ihcjicgdanjaechkgeegckofjjedodee

You can also get information here - https://blog.malwarebytes.com/threat-analysis/2018/01/new-chrome-and-firefox-extensions-block-their-removal-to-hijack-browsers/


Hi Kevin,

- About S7.addthis: I am a user warned by uBlock when reading a forum; I don't manage the forum nor any plugin.

-Browser Guard: Last night I installed the addons for Firefox and Chrome before reading your suggestion, looks good.

 

And after those questions, the strange issue of geolocation:

FACTS

- Today I tried the same page with an iPad through my wifi and got again the same IP: 78.30.0.110.

- That happens when I enter that geolocation subpage or when I paste the link. If I check the "My IP" section on the same site it seems to be fine, the real IP.

- Below all the information shown for the IP, there is more info about the device, which shows Windows 8 / Chrome. Mine is W7 and Firefox (??).

- I have tried dozens of geolocation sites and didn't find any information similar to that page.

- Not sure about the meaning, but it seems to be identifying my IP as the one shown, isn't it? Did you try the links to be sure whether the results are right for you?

DOUBTS

- If that IP information were correct, what would it mean for my computer? No idea about these things...

- Is there any way to be sure that the IP shown has no relation at all with me?

- In case this were an intrusion or something similar, does malware/antivirus software have anything to do with it or do I need another kind of solution?

 

Please answer these last points so I can get an idea of what is happening.

 

Thanks a lot for your time!!!


Hiya Eme,

I've checked IP Address 78.30.0.110 over the last couple of hours and cannot actually find anything wrong; personally I believe that IP to be legitimate..

I've run it through over 20 different sites, they all come back as legitimate.

https://whois.domaintools.com/78.30.0.110

https://www.virustotal.com/gui/ip-address/78.30.0.110/detection

https://ip-address-lookup-v4.com/lookup.php?host=ip-address-lookup-v4.com&ip=78.30.0.110&x=75&y=31

https://centralops.net/co/DomainDossier.aspx

Thanks,

Kevin...

 


Hi Kevin

I really appreciate the time you spend with this problem, thank you!

I don't understand too much how these things work, so it would be a great help if you could answer the three questions in my last post, to be able to get an overall idea of what is happening and whether I am unsafe in any way. I can't get the relation between that IP and my IP (different ISPs, browser and OS don't match, those Moscow servers...)

Thank you again and sorry for insisting, but I am very worried.

 


Hi again,

I don't understand anything...

After answering the last post I checked the geolocation site again; my IP seems to be OK. Then I clicked on the link in reply #7, and now the IP shown is 90.167.163.48.

No idea what is happening!


Yep, very odd what is happening with IP settings..

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply.

fixlist.txt


You can find attached Fixlog.txt

 

Checking the geolocation site, at first access it works fine: real IP. Then, after some clicks here and there, clicking again on geolocation gives: 78.30.0.110.

 

By the way, I get this message when I log in to the forum:

"Sorry, there is a problem

Something went wrong. Please try again.
Error code: 2S119/1"


This topic is now closed to further replies.