sarah_sakura Posted April 20, 2021 ID:1452413 Share Posted April 20, 2021 Hi all, would really appreciate your help with this! I have been getting notifications by Avast of 6 variations of "lunrac" related malware everytime I start up Firefox for the past week now. The only thing I remember out of the norm was installing an adblock extension through the Mozilla add-on. I've tried to uninstall, re-scan, reboot my pc and reinstall Firefox but they still PERSIST!! I've also used Avast, Malwarebytes and AdwCleaner but nothing seems to be working. I've disabled and uninstalled the ad-ons as well. I'm not sure how else to remove the malwares because it seems to be running from "C:\Program Files\Mozilla Firefox\firefox.exe". Looking forward to your kind advice. Link to post Share on other sites More sharing options...
kevinf80 Posted April 20, 2021 ID:1452419 Share Posted April 20, 2021 Hello sarah_sakura and welcome to Malwarebytes, Continue with the following: If you do not have Malwarebytes installed do the following: Download Malwarebytes version 4 from the following link:https://www.malwarebytes.com/mwb-download/thankyou/ Double click on the installer and follow the prompts. When the install completes or Malwarebytes is already installed do the following: Open Malwarebytes, select > small cog wheel top right hand corner, that will open "settings" from there select "Security" tab. Scroll down to "Scan Options" ensure Scan for Rootkits and Scan within Archives are both on.... Close out the settings window, this will take you back to "DashBoard" select the Blue "Scan Now" tab...... When the scan completes quarantine any found entries... To get the log from Malwarebytes do the following: Click on the Detection History tab > from main interface. Then click on "History" that will open to a historical list Double click on the Scan log which shows the Date and time of the scan just performed. Click Export > From export you have two options:Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your replyText file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply Please use "Copy to Clipboard, then Right click to your reply > select "Paste" that will copy the log to your reply… Next, Download AdwCleaner by Malwarebytes onto your Desktop. Or from this Mirror Right-click on AdwCleaner.exe and select http://i.imgur.com/Spcusrh.pngRun as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users) Accept the EULA (I accept), then click on Scan Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Quarantine button. This will kill all the active processes Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply Next, Download Farbar Recovery Scan Tool and save it to your desktop. Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.htmlNote: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version. If your security alerts to FRST either, accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way... Be aware FRST must be run from an account with Administrator status... If English is not your primary language Right click on FRST/FRST64 and rename FRSTEnglish/FRST64English Double-click to run it. When the tool opens click Yes to disclaimer.(Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.) Make sure Addition.txt is checkmarked under "Optional scans" Press Scan button to run the tool.... It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply. The tool will also make a log named (Addition.txt) Please attach that log to your reply. Let me see those logs in your reply... Thank you, Kevin.... Link to post Share on other sites More sharing options...
sarah_sakura Posted April 21, 2021 Author ID:1452424 Share Posted April 21, 2021 Hi Kevin, Please find the requested logs, as attached. Many thanks FRST.txt Addition.txt AdwCleaner[S00].txt MALWARE SCAN Result 20.04.2021.txt Link to post Share on other sites More sharing options...
kevinf80 Posted April 21, 2021 ID:1452467 Share Posted April 21, 2021 Hiya sarah_sakura, Thanks for those logs, did you also run the clean option with AdwCleaner...? Also do you know of and trust the following Proxyserver setting...? Quote ProxyServer: [S-1-5-21-2550221519-1311832130-477289342-1001] => 127.0.0.1:8080 Thank you, Kevin.. Link to post Share on other sites More sharing options...
sarah_sakura Posted April 21, 2021 Author ID:1452533 Share Posted April 21, 2021 Hi Kevin! Yes I ran the clean option with AdwCleaner and found a trojan (I believe this has been removed now) - so far look's like issue has been solved, no more malware pop-ups. I am not too sure how to determine what this proxyserver relates to.. 9 hours ago, kevinf80 said: ProxyServer: [S-1-5-21-2550221519-1311832130-477289342-1001] => 127.0.0.1:8080 BW, Sarah Link to post Share on other sites More sharing options...
Solution kevinf80 Posted April 21, 2021 Solution ID:1452555 Share Posted April 21, 2021 Hello Sarah, If you do not know why that setting is on your system then I suspect it to be malicious. [S-1-5-21-2550221519-1311832130-477289342-1001] is a user SID (security identifier) In this case web traffic from that user is being "looped back" through port 8080, that port is by default used for http transfers, such requests are initiated by the recipient, meaning without your knowledge... Continue: Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.NOTE. It's important that both files, FRST or FRSTEnglish, and fixlist.txt are in the same location or the fix will not work.NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone. Run FRST or FRST64 and press the Fix button just once and wait. If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.Note: If the tool warned you about an outdated version please download and run the updated version.NOTE-1: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files.NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The following directories are emptied: Windows Temp Users Temp folders Edge, IE, FF, Chrome and Opera caches, HTML5 storages, Cookies and History Recently opened files cache Flash Player cache Java cache Steam HTML cache Explorer thumbnail and icon cache BITS transfer queue (qmgr*.dat files) Recycle Bin Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix. The system will be rebooted after the fix has run. Next, Download "Microsoft's Safety Scanner" and save direct to the desktop Ensure to get the correct version for your system....https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download Right click on the Tool, select Run as Administrator the tool will expand to the options Window In the "Scan Type" window, select Quick Scan Perform a scan and Click Finish when the scan is done. Retrieve the MSRT log as follows, and post it in your next reply: 1) Select the Windows key and R key together to open the "Run" function 2) Type or Copy/Paste the following command to the "Run Line" and Press Enter: notepad c:\windows\debug\msert.log The log will include log details for each time MSRT has run, we only need the most recent log by date and time.... Let me see those logs in your reply.... Thank you, Kevin.. fixlist.txt Link to post Share on other sites More sharing options...
sarah_sakura Posted April 21, 2021 Author ID:1452584 Share Posted April 21, 2021 Hi Kevin, I've followed the steps outlined and attached the logs per request. p.s I was wondering how I could restrict the files shared for privacy? Fixlog.txt msert log.txt Link to post Share on other sites More sharing options...
kevinf80 Posted April 22, 2021 ID:1452644 Share Posted April 22, 2021 Hiya Sarah, The privacy issue has been raised many times here at Malwarebytes, also many other similar malware removal forums. The answer is always the same, the information in your logs cannot be used to track down who you actually are. My name and details are readily available from my profile information, I have no concerns whatsoever regarding that information. User names etc contained in your logs are of even less importance with regard to tracking down who you are, or where you are from... Please do not worry about log information, it really is meaningless.... How do you feel your PC is responding now, do you have any remaining issues or concerns... Thank you, Kevin Finan.... Link to post Share on other sites More sharing options...
sarah_sakura Posted April 24, 2021 Author ID:1453139 Share Posted April 24, 2021 Hi Kevin, Many thanks for clearing that up, really appreciate it! PC responding perfectly, it's running faster and no sign of the "lunac" related issues at all. Thanks so much for your help. Best wishes, Sarah Link to post Share on other sites More sharing options...
kevinf80 Posted April 24, 2021 ID:1453145 Share Posted April 24, 2021 Hiya Sarah, Thanks for the update, I guess we can close out now.... Right click on FRST here: C:\Users\press\Downloads\FRST.exe and rename uninstall.exe when complete right click on uninstall.exe and select "Run as Administrator" If you do not see the .exe appended that is because file extensions are hidden, in that case just rename FRST to uninstall That action will remove FRST and all created files and folders... Next, Remove all System Restore Points: https://www.tenforums.com/tutorials/33593-delete-system-restore-points-windows-10-a.html#option2 Create clean fresh Restore Point: http://www.thewindowsclub.com/create-system-restore-point Run Windows Disk Clean Up Utility - https://neosmart.net/wiki/disk-cleanup/ Condsider the following: Malwarebytes Browser Guard (Free) for Firefox: https://addons.mozilla.org/en-GB/firefox/addon/malwarebytes/ Malwarebytes Browser Guard (Free) for Chrome: https://chrome.google.com/webstore/detail/malwarebytes-browser-guar/ihcjicgdanjaechkgeegckofjjedodee Will also work for Opera and Edge.. PatchMyPC, keep all your software upto date - https://patchmypc.com/home-updater#download From there you should be good to go... Next, Read the following links to fully understand PC Security and Best Practices, you may find them useful....Answers to Common Security Questions and best PracticesDo I need a Registry Cleaner? Take care and surf safe Kevin... Link to post Share on other sites More sharing options...
kevinf80 Posted April 25, 2021 ID:1453310 Share Posted April 25, 2021 Glad we could help. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Please review the following for Tips to help protect from infection Thank you Link to post Share on other sites More sharing options...
Recommended Posts