
Thread: Redirecting and stuff

  1. #11
    Senior Member (Join Date: Jun 2014, Posts: 155)

    An important point

    The site/software Duckware I mentioned in the previous post is without a doubt legitimate; my concern is that it has been modified, as I don't recognize it at all. If anyone has info on the entry in the log I highlighted, I would be interested to hear it.
    Cheers

  2. #12
    Juliet, Security Expert-emeritus (Join Date: Feb 2007, Location: Deep South, Posts: 4,084)

    The multiple addresses that showed for Adlice (RogueKiller) are genuine and correct. Over time/years there have been several.

    "and I see network connections from time to time that I can't make sense of"

    "I also see in mDNS devices at random times a program called, I believe, tcp-scan-local (close approximation only); it says it's attached to my Kodak software... the one with all the unsigned files, and is connecting to a lot more than I believe it really needs access to"
    Anything on your computer that has an auto-updater written into the program will connect randomly for an update; some are necessary and some I think are just a bunch of hooey.
    All I can do is take out the task associated with the tool to stop traffic for the update.

    At one time did you download something related to PhotoFinder?
    From what I can find, the file (Duckware) C:\Users\oldman\x.exe could possibly be from there.

    ~~~~~~~~~~~~~~~~~~

    Start Farbar Recovery Scan Tool with Administrator privileges
    (Right click on the FRST icon and select Run as administrator)

    Highlight the text below, beginning with Start:: and finishing with End::, and select Copy.
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Highlight the entire content of the quote box below and select Copy.


    Start::
    CloseProcesses:
    CreateRestorePoint:
    U4 npcap_wifi; no ImagePath
    C:\Users\oldman\x.exe
    2019-05-15 22:42 - 2019-05-15 22:42 - 000111688 _____ (Duckware) C:\Users\oldman\x.exe
    C:\Windows\Temp\*.*
    End::
    Press the Fix button.
    If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
    When finished, FRST will generate a log on the Desktop (Fixlog.txt). Please post it in your reply.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    If you could, please uninstall/remove any version of RogueKiller you have on your machine, and we can attempt to download an updated version.
    Before running the tool, if you could, temporarily disable Norton so it can run without conflict.

    RogueKiller
    • Download the right version of RogueKiller for your Windows version (32 or 64-bit)
    • Once done, move the executable file to your Desktop, right-click on it and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
    • Click on the Start Scan button in the right panel, which will bring you to another tab, and click on it again (this time it'll be in the bottom right corner)
    • Wait for the scan to complete
    • On completion, the results will be displayed
    • Check every single entry (threat found), and click on the Remove Selected button
    • On completion, the results will be displayed. Click on the Open Report button in the bottom left corner, followed by the Open TXT button (also in the bottom left corner)
    • This will open the report in Notepad. Copy/paste its content in your next reply


    ~~~

    Please open Malwarebytes Anti-Malware.



    On the Settings tab > Detection and Protection sub tab, Detection Options, tick the box "Scan for rootkits".
    Under the Non-Malware Protection sub tab, change the PUP and PUM entries to "Treat detections as Malware".
    Click on the Scan tab, then click on Scan Now >> . If an update is available, click the Update Now button.
    A Threat Scan will begin.
    When the scan is complete Apply Actions to any found entries.
    Wait for the prompt to restart the computer to appear (if applicable), then click on Yes.
    After the restart once you are back at your desktop, open MBAM once more.



    To get the log from Malwarebytes do the following:



    Click on the History tab > Application Logs.
    Double click on the scan log which shows the Date and time of the scan just performed.
    Click Export. From Export you have three options:

    Copy to Clipboard - if selected, right-click in your reply and select "Paste"; the log will be pasted into your reply
    Text file (*.txt) - if selected, you will have to name the file and save it to a place of your choice (I recommend "Desktop"), then attach it to your reply
    XML file (*.xml) - if selected, you will have to name the file and save it to a place of your choice (I recommend "Desktop"), then attach it to your reply



    Please use "Copy to Clipboard", then right-click in your reply > select "Paste"; that will copy the log to your reply.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Please post these logs when finished.
    Last edited by Juliet; 2019-05-21 at 12:15.
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.
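    The fix script above removes a service entry that FRST reported as "U4 npcap_wifi; no ImagePath". As an added example (not code from the thread, from FRST or from Adlice), the following PowerShell function enumerates every service or driver key under CurrentControlSet that has a Type value but no ImagePath, so the same condition can be checked on any machine and compared against a known-good one. It assumes an elevated PowerShell session; the function name and output columns are my own.

```powershell
# Added example, not code from the thread, FRST or Adlice. Finds service and
# driver registry keys that carry a Type value but no ImagePath, the condition
# FRST reports as "U4 <name>; no ImagePath". Assumes an elevated PowerShell
# session on the machine being checked; function name and columns are my own.

function Get-ServiceWithoutImagePath {
    [CmdletBinding()]
    param(
        # Live services database; point at ControlSet001 etc. to inspect another control set.
        [string]$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    )

    # Service Control Manager Type and Start values (commonly seen subset).
    $typeNames  = @{ 1 = 'KernelDriver'; 2 = 'FileSystemDriver'; 16 = 'Win32OwnProcess'; 32 = 'Win32ShareProcess' }
    $startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Auto'; 3 = 'Manual'; 4 = 'Disabled' }

    foreach ($key in Get-ChildItem -Path $ServicesKey -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        # Subkeys without a Type value are configuration containers, not services.
        if ($null -eq $props -or $null -eq $props.Type) { continue }
        if ($null -ne $props.ImagePath) { continue }

        $name = $key.PSChildName
        $type = [int]$props.Type
        $typeLabel  = if ($typeNames.ContainsKey($type)) { $typeNames[$type] } else { $type }
        $startLabel = $props.Start
        if ($null -ne $props.Start -and $startNames.ContainsKey([int]$props.Start)) {
            $startLabel = $startNames[[int]$props.Start]
        }

        # A driver entry without ImagePath may still load from the default
        # drivers directory, so record whether such a file is present.
        $defaultSys = Join-Path $env:SystemRoot "System32\drivers\$name.sys"

        [pscustomobject]@{
            Name             = $name
            Type             = $typeLabel
            Start            = $startLabel
            DefaultSysExists = Test-Path -LiteralPath $defaultSys
            Key              = $key.Name
        }
    }
}

# Usage: show the hits; pipe to Export-Csv to keep a copy for comparison with a clean machine.
Get-ServiceWithoutImagePath | Sort-Object Name | Format-Table -AutoSize
```

    A missing ImagePath is a prompt to investigate, not a verdict: a kernel driver entry without one may still load from the default drivers directory, which is why the output records whether such a file exists. Compare hits against a clean reference system before removing anything.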

  3. #13
    Juliet, Security Expert-emeritus (Join Date: Feb 2007, Location: Deep South, Posts: 4,084)

    Script edited, sorry.

  4. #14
    Senior Member (Join Date: Jun 2014, Posts: 155)

    Logs, script and strange things.

    About the logs: after running the latest FRST fix (the script did its thing flawlessly, thanks again), I was able to download RK and MBAM through your links, run them without any problem and get the logs posted.
    As for the "strange things" part of the title... At this point, the best I've been able to get out of the browser is by sticking with the bookmarks and internal links on legit sites, although I'm still a Yahoo cookie magnet. I managed to get the browser to switch to Google search;
    this left me with a search bar that gave me the results you will see in the attached screenshots (irrelevant, useless results). Note that in both examples I searched "jexepackers" in one and "jexepacker threat" in the other. This was done from the search bar; then the resulting URL I copy/pasted into the notepads you see. Funny how a browser can misread an entry and then return something like "jetpack", but I guess nobody is perfect, eh? Now, about why I'm searching jexepackers (as well as code.jquery): I see these things in my "shark logs". This leads to learning what I can about WPAD as well as a lot of other security settings and "stuff".

    Fix result of Farbar Recovery Scan Tool (x64) Version: 19-05.2019
    Ran by oldman (21-05-2019 11:28:26) Run:4
    Running from C:\Users\oldman\Desktop
    Loaded Profiles: oldman (Available Profiles: oldman)
    Boot Mode: Normal
    ==============================================

    fixlist content:
    *****************
    CloseProcesses:
    CreateRestorePoint:
    U4 npcap_wifi; no ImagePath
    C:\Users\oldman\x.exe
    2019-05-15 22:42 - 2019-05-15 22:42 - 000111688 _____ (Duckware) C:\Users\oldman\x.exe
    C:\Windows\Temp\*.*

    *****************

    Processes closed successfully.
    Restore point was successfully created.
    HKLM\System\CurrentControlSet\Services\npcap_wifi => removed successfully
    npcap_wifi => service removed successfully
    C:\Users\oldman\x.exe => moved successfully
    "C:\Users\oldman\x.exe" => not found

    =========== "C:\Windows\Temp\*.*" ==========

    not found

    ========= End -> "C:\Windows\Temp\*.*" ========



    The system needed a reboot.

    ==== End of Fixlog 11:30:00 ====
    RogueKiller Anti-Malware V13.2.0.0 (x64) [May 14 2019] (Free) by Adlice Software
    mail : https://adlice.com/contact/
    Website : https://adlice.com/download/roguekiller/
    Operating System : Windows 10 (10.0.17763) 64 bits
    Started in : Normal mode
    User : oldman [Administrator]
    Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
    Signatures : 20190521_110536, Driver : Loaded
    Mode : Standard Scan, Scan -- Date : 2019/05/21 11:53:08 (Duration : 01:32:26)

    ¤¤¤¤¤¤¤¤¤¤¤¤ Processes ¤¤¤¤¤¤¤¤¤¤¤¤

    ¤¤¤¤¤¤¤¤¤¤¤¤ Process Modules ¤¤¤¤¤¤¤¤¤¤¤¤

    ¤¤¤¤¤¤¤¤¤¤¤¤ Services ¤¤¤¤¤¤¤¤¤¤¤¤

    ¤¤¤¤¤¤¤¤¤¤¤¤ Tasks ¤¤¤¤¤¤¤¤¤¤¤¤

    ¤¤¤¤¤¤¤¤¤¤¤¤ Registry ¤¤¤¤¤¤¤¤¤¤¤¤

    ¤¤¤¤¤¤¤¤¤¤¤¤ WMI ¤¤¤¤¤¤¤¤¤¤¤¤

    ¤¤¤¤¤¤¤¤¤¤¤¤ Hosts File ¤¤¤¤¤¤¤¤¤¤¤¤
    Hosts file is too big

    ¤¤¤¤¤¤¤¤¤¤¤¤ Files ¤¤¤¤¤¤¤¤¤¤¤¤

    ¤¤¤¤¤¤¤¤¤¤¤¤ Web browsers ¤¤¤¤¤¤¤¤¤¤¤¤

    Malwarebytes
    www.malwarebytes.com

    -Log Details-
    Scan Date: 4/1/19
    Scan Time: 6:20 PM
    Log File: 1de4401f-54dd-11e9-80c0-38eaa7eb314f.json

    -Software Information-
    Version: 3.7.1.2839
    Components Version: 1.0.563
    Update Package Version: 1.0.9962
    License: Trial

    -System Information-
    OS: Windows 10 (Build 17763.379)
    CPU: x64
    File System: NTFS
    User: System

    -Scan Summary-
    Scan Type: Threat Scan
    Scan Initiated By: Scheduler
    Result: Completed
    Objects Scanned: 347886
    Threats Detected: 0
    Threats Quarantined: 0
    Time Elapsed: 56 min, 46 sec

    -Scan Options-
    Memory: Enabled
    Startup: Enabled
    Filesystem: Enabled
    Archives: Enabled
    Rootkits: Disabled
    Heuristics: Enabled
    PUP: Detect
    PUM: Detect

    -Scan Details-
    Process: 0
    (No malicious items detected)

    Module: 0
    (No malicious items detected)

    Registry Key: 0
    (No malicious items detected)

    Registry Value: 0
    (No malicious items detected)

    Registry Data: 0
    (No malicious items detected)

    Data Stream: 0
    (No malicious items detected)

    Folder: 0
    (No malicious items detected)

    File: 0
    (No malicious items detected)

    Physical Sector: 0
    (No malicious items detected)

    WMI: 0
    (No malicious items detected)


    (end)





    These are the full URLs (disabled by the usual space) that I mentioned were displayed by the browser while searching jexepacks:
    https://www.google. com/search?client=firefox-b-1-d&q=jexepackers
    https://www.google. com/search?client=firefox-b-1-d&q=jexepack+threat
    See attached screenshots of the pages that loaded.

    I nearly forgot to answer this from a previous post, sorry.
    "From what I can find the file (Duckware) C:\Users\oldman\x.exe could possibly be from there."

    No, not intentionally, but a drive-by is always a possibility. I have a few thoughts on this duck "stuff"; it could be related to "Donald Duck" (more on that in updates).

    After yesterday's post, I was clearing super cookies with my STM program. As I scrolled over the process monitor, I came across a FF browser running after I had closed the window. This is something I've never seen before, but the most concerning part to me is that in the program description area of the line was text from a post (update) that I had made to you. This has never happened before and I have no idea why it displayed that way. I'll keep you updated.

    Cheers
    Attached Images

  5. #15
    Senior Member (Join Date: Jun 2014, Posts: 155)

    Prolific posting

    I believe I posted the wrong MBAM log previously; this should be the correct one.
    Malwarebytes
    www.malwarebytes.com

    -Log Details-
    Scan Date: 5/21/19
    Scan Time: 1:00 AM
    Log File: 1a4b8360-7b96-11e9-9fac-38eaa7eb314f.json

    -Software Information-
    Version: 3.7.1.2839
    Components Version: 1.0.586
    Update Package Version: 1.0.10690
    License: Expired

    -System Information-
    OS: Windows 10 (Build 17763.503)
    CPU: x64
    File System: NTFS
    User: eustace\oldman

    -Scan Summary-
    Scan Type: Custom Scan
    Scan Initiated By: Manual
    Result: Completed
    Objects Scanned: 1
    Threats Detected: 0
    Threats Quarantined: 0
    Time Elapsed: 1 min, 9 sec

    -Scan Options-
    Memory: Disabled
    Startup: Disabled
    Filesystem: Enabled
    Archives: Enabled
    Rootkits: Disabled
    Heuristics: Enabled
    PUP: Detect
    PUM: Detect

    -Scan Details-
    Process: 0
    (No malicious items detected)

    Module: 0
    (No malicious items detected)

    Registry Key: 0
    (No malicious items detected)

    Registry Value: 0
    (No malicious items detected)

    Registry Data: 0
    (No malicious items detected)

    Data Stream: 0
    (No malicious items detected)

    Folder: 0
    (No malicious items detected)

    File: 0
    (No malicious items detected)

    Physical Sector: 0
    (No malicious items detected)

    WMI: 0
    (No malicious items detected)


    (end)


    I disabled the Phone in my Win10 system some time ago, and was surprised to see it running yesterday with a couple of accounts I don't recognize. I'm attaching some screenshots to demonstrate; also, my Norton settings are still being an issue. A couple of shots are from the IE settings page; there are a total of 15 of these "firewall" items, which are new to me also. Any thoughts?
    Attached Images

  6. #16
    Juliet, Security Expert-emeritus (Join Date: Feb 2007, Location: Deep South, Posts: 4,084)

    "I disabled the Phone in my Win10 system some time ago, and was surprised to see it running yesterday with a couple of accounts I don't recognize. I'm attaching some screenshots to demonstrate; also, my Norton settings are still being an issue. A couple of shots are from the IE settings page; there are a total of 15 of these "firewall" items, which are new to me also. Any thoughts?"
    The Windows phone will be there till it's completely removed. That would include anything related to it throughout the computer.
    From what I was reading (not understanding much of it; Remove-AppxPackage?), it's not uncommon to have leftover firewall rules for many items: some are games, some are for tools, messengers, a very long list.

    At this time please uninstall Java 8 Update 211;
    if later you should run into something that requires it, you can download the most current version.

    Your Norton settings: it's possible it should be removed and then downloaded again. Not saying this is a cure, but it might possibly re-enable something that's giving you fits now; or I can give you a list of free or paid antivirus and security suites.

    ~~~~

    Firefox had an update this morning, it says it has upped your protection against ad trackers.
    https://www.mozilla.org/en-US/firefo...version=66.0.5


    Turning off Autofill in Firefox

    Click on the Firefox menu icon. (Three lines at top right of screen.)
    Click on Preferences.
    Choose Privacy.
    In the History section choose Firefox will: 'Use custom settings for history.'
    Uncheck 'Remember search and form history.'
    Click OK.



    Clear Your Cache on Any Browser
    https://support.mozilla.org/en-US/kb...e-data-firefox
    https://www.pcmag.com/article/333441...on-any-browser
    ~~~

    I really don't think the issue here is malware related; it's some type of setting in a program somewhere that's not giving the results we're looking for, but
    just for peace of mind I'd like for you to run a rootkit scan.

    You will probably have to temporarily disable Norton for this tool to run.
    If you should get some type of alert that this is a malicious tool, let me assure you it is not; it is often used for deeper scanning.

    Follow the instructions in the thread below. Make sure to download the MBAR version linked in it. Let me know if you're not able to launch it and run a scan.

    https://forums.malwarebytes.com/topi...-malwarebytes/

    Run a scan, delete everything it finds, and then copy/paste here the content of the mbar-log-DATE-(TIME).txt log that is located in the MBAR folder.
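    Juliet notes above that leftover firewall rules for uninstalled games, tools and messengers are common. As an added example (not code from the thread or from Malwarebytes), the PowerShell function below lists Windows Firewall rules whose program path no longer exists on disk, which is the usual shape of such leftovers. It assumes an elevated session and the built-in NetSecurity cmdlets Get-NetFirewallRule and Get-NetFirewallApplicationFilter; the function name and output columns are my own.

```powershell
# Added example, not code from the thread or from Malwarebytes. Lists Windows
# Firewall rules whose program path no longer exists on disk, the usual shape
# of rules left behind by uninstalled games, tools and messengers. Assumes an
# elevated PowerShell session; function name and output columns are my own.

function Get-OrphanFirewallRule {
    [CmdletBinding()]
    param()

    # One CIM query per rule to fetch its application filter; a typical
    # machine has several hundred rules, so this takes a little while.
    foreach ($rule in Get-NetFirewallRule -ErrorAction SilentlyContinue) {
        $filter  = $rule | Get-NetFirewallApplicationFilter
        $program = $filter.Program

        # "Any" and "System" are keywords, not file paths.
        if ([string]::IsNullOrWhiteSpace($program) -or $program -in @('Any', 'System')) { continue }

        # Store-app rules carry a package SID and live under WindowsApps, which
        # Test-Path cannot read from an ordinary session; check those separately.
        if (-not [string]::IsNullOrWhiteSpace($filter.Package)) { continue }

        # Rules are stored with environment variables such as %SystemRoot%.
        $expanded = [Environment]::ExpandEnvironmentVariables($program)
        if (Test-Path -LiteralPath $expanded -PathType Leaf) { continue }

        [pscustomobject]@{
            DisplayName = $rule.DisplayName
            Enabled     = $rule.Enabled
            Direction   = $rule.Direction
            Action      = $rule.Action
            Program     = $expanded
            Name        = $rule.Name   # pass this to Remove-NetFirewallRule -Name
        }
    }
}

# Usage: review the list before removing anything; a rule whose program is
# merely on a disconnected drive would also show up here.
Get-OrphanFirewallRule | Sort-Object DisplayName | Format-Table DisplayName, Enabled, Direction, Action, Program -AutoSize
```

    Store-app rules are skipped rather than reported, because their program lives under WindowsApps, which Test-Path cannot read from an ordinary session; for those, compare the rule's package SID against the installed packages from Get-AppxPackage. A rule in this list is safe to delete only once you have confirmed the program really is gone; Remove-NetFirewallRule -Name takes the Name column.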

  7. #17
    Senior Member (Join Date: Jun 2014, Posts: 155)

    Clean roots

    "The windows phone will be there till its completely removed."
    Done; those two unknown accounts were creeping me out. I let the STM program do it for me. Not sure exactly how the phone program was removed, but it involved about one and a half command lines in PowerShell. It's worth noting that I haven't had any conflicts or issues (that I know of) so far since completely removing it from the system.

    The firewall entry stuff in the IE cache? I'm finding that to be a very dynamic list; the entries I showed last post have disappeared. I'll just watch and learn for a while to understand what I'm seeing; that never hurts.

    "At this time please uninstall Java 8 Update 211"
    Thanks so much for that! I wasn't sure if it was needed at the moment. The JScript stuff, until I learn a lot more about it, is kinda spooky to me from what I'm reading lately.

    "Firefox had an update this morning, it says it has upped your protection against ad trackers."
    I grabbed that as soon as it was available; a couple of notable additions were in cookie blocking, where you have an option for cryptominers and fingerprinting. I'm running them both enabled and haven't seen any conflicts yet.

    "Turning off Autofill in Firefox"
    "Clear Your Cache on Any Browser"
    Great info! thanks, I really need to do that.

    I'm still trying to figure out how to export the fix log from MBAR; it came up clean, but I'm not seeing any way to export a clean scan result. I'm OK with clean scans, especially the MBAR one. It agrees with Norton's root scanner that things are clean. You can't do much better than that.

    I did do an R&R on the Norton (I noticed it saving user settings so I'll repeat with advanced options) but the malware issues are, I'm very certain, cleaned up. Thank you so much for the links and advice.

    At this point, I'll go back to learning what I can about avoiding the problems in the first place. I have a lot to learn about security and settings in general; what do I use for proxy settings, for example? Right now I'm on system settings (which should be covered by Norton).

    Again, thanks and have an awesome weekend!

  8. #18
    Juliet, Security Expert-emeritus (Join Date: Feb 2007, Location: Deep South, Posts: 4,084)

    Read the below for quick info related to using a proxy, proxy settings.
    https://support.mozilla.org/en-US/kb...ttings-firefox


    A tool I use and feel secure with is the add-on NoScript.
    People do get tired of it quickly, it seems, but I just enable/disable it when needed and it hasn't stopped me from doing anything I need to do. (I keep the add-ons window open at all times to make this a quick procedure.)
    When web sites or something won't run, just simply disable it and refresh the page. I find it amazing how web pages add JavaScript for so many details on their sites. One major venue for getting infected is clicking on links and being redirected or injected with (fill in the blank here, since there are so many different malicious items using this technique).

    Firefox
    https://noscript.net/

    Google Chrome
    https://chrome.google.com/webstore/d...feoakpjm?hl=en

    ~~~~~~~~~~~~~~~

    I think we can remove the tools and quarantine folders now; there's a good chance that in future virus scans they'll be found and then some might freak out a bit.

    • Please download DelFix or from Here and save the file to your Desktop.
    • Double-click DelFix.exe to run the programme.
    • Place a checkmark next to the following items:
      • Activate UAC
      • Remove disinfection tools
    • Click the Run button.
    • This will remove the specialized tools we used to disinfect your system.
      Any leftover logs, files, folders or tools remaining on your Desktop which were not removed can be deleted manually (right-click the file + delete).

    ************************************

  9. #19
    Senior Member (Join Date: Jun 2014, Posts: 155)

    Epilogue

    Thanks for those links, I'll be making good use of that stuff. In particular, NoScript looks exactly like what I need.
    Norton of course flagged DelFix as a threat and quarantined it as a SAPE. I'm familiar enough with the tools here by now to "replace" the tool and run it; I just thought other users should be aware of this when they come across it in the future. It seems they flag it because it has to have SAPE characteristics to do what it's supposed to do (and it did).
    I attached a shot of the warning page from Symantec; any ideas about letting them know this file is good? They know community members have used the file thousands of times without problems.



    # DelFix v1.010 - Logfile created 24/05/2019 at 15:07:04
    # Updated 26/04/2015 by Xplode
    # Username : oldman - EUSTACE
    # Operating System : Windows 10 Home (64 bits)

    ~ Activating UAC ... OK

    ~ Removing disinfection tools ...

    Deleted : C:\FRST
    Deleted : C:\AdwCleaner
    Deleted : C:\RegBackup
    Deleted : C:\Users\oldman\Desktop\FRST-OlderVersion
    Deleted : C:\Users\oldman\Desktop\mbar
    Deleted : C:\Users\oldman\Desktop\Addition.txt
    Deleted : C:\Users\oldman\Desktop\AdwCleaner.exe
    Deleted : C:\Users\oldman\Desktop\Fixlog.txt
    Deleted : C:\Users\oldman\Desktop\FRST.txt
    Deleted : C:\Users\oldman\Desktop\FRST64.exe
    Deleted : C:\Users\oldman\Desktop\HijackThis.exe
    Deleted : C:\Users\oldman\Desktop\hijackthis.log
    Deleted : C:\Users\Public\Desktop\RogueKiller.lnk
    Deleted : HKLM\SOFTWARE\TrendMicro\Hijackthis

    ########## - EOF - ##########
    Attached Images

  10. #20
    Juliet, Security Expert-emeritus (Join Date: Feb 2007, Location: Deep South, Posts: 4,084)

    "I attached a shot of the warning page from Symantec; any ideas about letting them know this file is good? They know community members have used the file thousands of times without problems."
    The best way I can think of is for people who have accounts with Norton to keep reporting it.
    In their eyes, I can't, because I'm just a small tech they don't know and probably really don't care.

    Safe Surfing.
