
Possibly infected with s3.amazonaws.com URL:phishing



I don't know if I am infected or not. I recently got several of these alerts on Avast for roll20.net, a site I use quite frequently, saying that it blocked connections to s3.amazonaws.com because it is infected with URL:phishing. When I scanned my system with Malwarebytes, Avast, and Superantispyware, nothing came up except a few tracking cookies. I tried looking around and can't seem to find anyone else experiencing this issue. I did some research on amazonaws and it seems to be some sort of cloud service, but there is that s3 in front. When I reached out on the Avast forums, all I got was that the administrators of roll20.net may not be diligent in keeping their security measures updated and their site might not be as secure as it should be. They assured me the WebShield should have blocked anything malicious from getting through, but maybe I'm just being paranoid. I want to be sure that nothing snuck past. They also moved my thread to their "Viruses and worms" section.

A bit of background. I use roll20.net quite frequently and when I type the URL into my browser directly or navigate to it via my bookmarks, it doesn't trigger anything. I think the trigger is when I try to go on roll20.net via a Google search link. Sometimes I want to look up specific pieces of information on roll20.net and it's faster for me to enter the keywords into Google and have the search engine pull up the specific page on roll20.net instead of navigating the website myself. I do it this way because the website has a rather clunky UI and it's a pain to navigate unfortunately. I don't know if it's those encyclopedia/compendium pages on roll20.net specifically, because they have images on them that they may or may not be hosting.

These alerts seem to have started a few days ago for me. I had one on March 31st, then on April 2nd. Before that, I would do what I described above all the time: look up something on Google that I know is on roll20.net, and click on the link to get to that specific page directly.

I have attached the requested logs. Can a professional look them over and see if I may or may not be infected? Let me know if you require anything else.

MB log_2023.04.03.txt FRST.txt Addition.txt


  • Root Admin

Hello @guibin

I don't see that in the logs, so if you're seeing that then perhaps you need to contact Avast and work with them as to why you're seeing an issue.

The computer, as you know, is running a version of Windows that is no longer supported by Microsoft and is not considered secure anymore at this point. If possible you really should consider installing Windows 10 or Windows 11.

The logs show the computer could use some generic clean up but I don't see an obvious known infection.

If you like we can run some other scans and check and see if we can find anything. Let me know, please.

 

 


46 minutes ago, AdvancedSetup said:

If you like we can run some other scans and check and see if we can find anything. Let me know, please.

 

 

Yes, I would like that.

All Avast has told me to do is clear my browser cache and cookies, and monitor the situation.


  • Root Admin

Well, not expected to cause an issue, but IF we break something it would make it easier to repair it.

Do you have access to another computer in the home if needed?

I've cleaned hundreds of systems and no issues with Windows 10 and 11, but every once in a while Windows 7, due to its age, can sometimes break things. It's only happened twice out of the many systems I've done, so of course it's always best to cover your bases.

If you were to get a ransomware infection that encrypted your data or you had a hardware failure you could also easily lose all your data. Thus why it's always best to have a backup.

 

If you're okay with the minimal risk we can continue. Please make a new System Restore Point

Let me know if you want me to proceed.

Thanks

 


51 minutes ago, AdvancedSetup said:

If you were to get a ransomware infection that encrypted your data or you had a hardware failure you could also easily lose all your data. Thus why it's always best to have a backup.

 

 

Is this a potential problem in the fixing process?

 

I don't have another PC near me I can use unfortunately. I did make a new System Restore point.


  • Root Admin

Okay, temporarily disable any current security real-time protection.

Then run the following scan.

 

 

Microsoft Safety Scanner

Please make sure you exit out of any other program you might have open so that the sole task is to run the following scan.
That goes especially for web browsers; make sure all are fully exited out of, and messenger programs are exited and closed as well.

STEP 1

Please set File Explorer to SHOW ALL folders, all files, including hidden ones.  Use OPTION ONE or TWO of this article

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

STEP 2

I suggest a new scan for viruses & other malware. This may take several hours, depending on the number of files on the system and the speed of the computer.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & the how-to-run-the-tool instructions are at this link at Microsoft:

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on the Scan Options & select the FULL scan.

Then start the scan. Have lots of patience. It may take several hours.

  • Once you see it has started, take a long, long break; walk away. Do not pay credence if you see some intermediate early flash messages on the screen display. The only things that count are the end result at the end of the run.
  • The scan will take several hours. Leave it alone. It will remove any other remaining threats as it goes along. Take a very long break, do your normal personal errands... just do not use the computer during this scan.

This is likely to run for many hours as previously mentioned (depending on the number of files on your machine & the speed of the hardware).

The log is named MSERT.log and the log will be at C:\Windows\debug\msert.log

Please attach that log with your next reply.

 

It is normal for the Microsoft Safety Scanner to show detections during the scan process.

It is scanning for basically all bread crumbs or traces of files and registry entries that "might" be or have been part of some infection or previous infection.

That DOES NOT mean the computer is infected. Once the scan has been completed it uploads the log to their Cloud service which then uses Artificial Intelligence to determine if in fact any of the traces are an infection or not.

Then it writes into the log on your computer what it found.

 

Thank you

 


Ok, how about these? Close or exit them too? Not sure if some of these can be closed.

Top 4 are Intel HD Graphics, ELAN Pointing Device, Bluetooth Devices, Hotkey. Middle 4 are VIA HD Audio Deck, CCleaner, Intel Driver & Support Assistant.

open apps.png


Here is the MSERT log.

I also attached a screenshot of an odd phenomenon with Malwarebytes when I opened it after finishing the safety scan. I was reactivating all my real-time protections. The UI became completely unreadable. I closed and opened it again and it fixed itself. I don't know if it means anything, but just thought I'd mention it anyways.

MB UI unreable.png

msert.log


My Windows Update shows I'm already up to date.

Am I downloading and installing all those updates starting with "Windows Update Client for Windows 7 and Windows Server 2008 R2: July 2015"? The updates on that list have dates back to 2019. How do I know if those were installed or not already?

How do I know if I'm running SP1 or not?

windows update.png


  • Root Admin

You simply start at the Enable TLS portion. I have not seen a non-SP1 Windows 7 for well over a decade now. Every system seen is running Service Pack 1 already.

 

Then if you go to download and run something and it says it's already installed, move on to the next step.

 


  • Root Admin

It's because they are old and not commonly used anymore (Windows 7 is no longer supported by Microsoft). The links are to Microsoft sites.

A few of the links use HTTP instead of HTTPS, which modern browsers don't like. Unfortunately Microsoft does not appear to provide an updated HTTPS link for it.

The link though is to a Microsoft site and the files downloaded are from Microsoft.

 


  • Root Admin

What do you mean failed to configure Windows?

Also, do you have an external backup of your system to an external USB drive?

The laptop is rather old, with the logs showing from 2014, but the specs show that it can probably run Windows 10 or even Windows 11.

BIOS: American Megatrends Inc. 1.03.05RLS2 03/13/2014
Motherboard: Notebook W65_67SZ
Processor: Intel(R) Core(TM) i7-4710MQ CPU @ 2.50GHz
Percentage of memory in use: 65%
Total physical RAM: 8112.16 MB
Available physical RAM: 2831.91 MB

 

If possible you might want to see if you can upgrade to Windows 10 (Windows 11 requires much stricter hardware requirements, but you could check that too).

I would suggest having a full image style backup of your current system to an external USB drive just in case so that if anything goes wrong you can restore the system to exactly where it's at right now.

 

This topic is now closed to further replies.