

Messages - lkbart

1
Malware removal help / Re: Browser Hijacker I can't get rid of
« on: February 02, 2017, 05:43:00 AM »
So, got the new computer hooked up, was using Firefox & the blasted Urgent Firefox Update popped up. I was horrified - I had not plugged any external drives into it and I hadn't been anywhere I would have previously considered to be sketchy. So I did some research on another computer & apparently it is just an ad - a pretty aggressive and malicious-looking ad, but it is supposed to be stopped by an ad blocker extension. Just search for "Fake Firefox Update". I also installed an ad blocker in Chrome for when I use it, since that is where I got the first redirect. I guess that's why the scans never showed anything, because I never clicked on it and let it install anything, I just pulled the plug.

Since I had only been on like 3 sites, I disconnected from the network and checked the history. The only thing it could have come from is r.search.yahoo.com. We have now blocked that site in the router. And I believe I had typed a search in the address bar (I have an email at att.net, and yahoo is in the URL), and somehow that had to be what caused this crap. I attached a photo of the history log & I don't read code, but that address can't be legit. So I have sworn off any Yahoo anything on my computers (am thinking maybe I need to replace that email with a different one too)!

Thanks for all your help.  I did get a new computer out of the deal! I guess that should make up for some of the extreme frustrations of the past week. lol

2
Malware removal help / Re: Browser Hijacker I can't get rid of
« on: February 01, 2017, 11:38:13 PM »
So, I bought a new computer (needed more RAM anyway). I can't load any personal information on the infected one without fear of it being compromised, and I'm really not in the mood to share my data with all the scammers out there. Only issue right now is that I have no confidence that the 2 drives that were attached to it are clean. There are no program files on them (or shouldn't be), there are mainly photo files - CR2, JPG, PSD, PNGs, a few GIFs & some BMPs. Also some text, WPD (WordPerfect) & PDFs.

I have read that because photo files contain a space for the metadata, they could fairly easily be compromised and someone could hide some code in them. What I don't know is, if a photo file is hiding code, will the photo still show up like normal? And is there any way to scan these drives for stuff like that? I do have another old computer that I can hook these drives up to, and see if they infect it - it's old and we don't use it, & I'm thinking there's no personal data on it.

The other thing I may do, since the infected computer has a nice SSD, is format it from DOS or Linux, and then reinstall Windows & see what happens. I'm just wondering how well the drive was formatted from the Windows 7 formatting & installation, since it took hardly any time at all for it to format, and installation was a lot quicker than when I did the Windows installation without formatting.

Thoughts on any of this?

3
Malware removal help / Re: Browser Hijacker I can't get rid of
« on: February 01, 2017, 04:47:33 PM »
Honestly can't remember right now - it produced 2 logs & I've attached those.

4
Malware removal help / Re: Browser Hijacker I can't get rid of
« on: February 01, 2017, 05:37:18 AM »
So I've run some additional scans - a couple from the email from Cox, although I can't get the Cox Security Suite to open for me; not sure if this is because of the virus or if Cox's website is just screwed up (won't go there on another computer either, so I think it's their website). I ran the Microsoft Safety Scanner, TDSSKiller, Norton Power Eraser, Rkill, Malwarebytes, Zemana & ComboFix; am attaching the first ComboFix report, mainly because I have no idea how to read it. I ran the ComboFix again, mainly because I opened it to see if there were any options & it just simply runs, so after the second run, it put the reports from the first run in its "Qoobox" folder; those two files are the ones I've attached.

5
Malware removal help / Re: Browser Hijacker I can't get rid of
« on: February 01, 2017, 01:28:45 AM »
An interesting thing - back in September I got an email from Cox saying that one of our computers may be infected with a virus; we scanned everything and nothing ever showed up, no symptoms, nothing caught in any scans. I called Cox & basically they said that if they thought we had the virus they could and would shut off our internet; they couldn't tell me how they got the report that we had an infected computer, just said I should go to their website to access their security software (which is McAfee). Never found anything, and never heard back from Cox. And we still have internet. I don't think what I've got is that virus, as it apparently gives redirects in Google searches to ads, and I've never had that happen (it just takes over one browser tab that's already open), and I haven't had any programs fail to run. The only part of it that seems to be the same (from the blip I read) is that the services it uses don't show it being infected.

Not sure that this helps, but thought I'd throw it out there if it might.  Here's the email from Cox, copied & pasted:

Dear Subscriber,

Cox has identified that one or more of the computers in your home may be infected with the Alureon / TDSS Virus.

Viruses can take control of your PC and gather your personal information such as passwords and credit card numbers, putting your data at risk.

The following FREE security tools could help you detect and remove infections from your systems:
The Microsoft Safety Scanner
http://www.microsoft.com/security/scanner/

Norton Power Eraser
http://security.symantec.com/nbrt/npe.aspx

Cox Security Suite Plus powered by McAfee is included FREE with your Cox High Speed Internet service. This software can be used to help protect up to 5 devices in your home, including Windows and Mac OS computers, and Android and Apple tablets and smartphones.
To get started, simply browse to www.cox.com/securitysuite and log in with your Cox primary User ID and Password.
If you already have an Anti-virus solution installed, you should refer to your software manual before installing the Cox Security Suite.

If you need additional support, Cox offers premium technical support at reasonable rates.
Visit Cox Tech Solutions at https://secure.coxtechsolutions.com/ or call 877.TEC.SOLV (832.7658) to get started.

If you would like additional information on the Alureon / TDSS Virus:
http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Virus%3aWin32%2fAlureon.H

If you have any questions regarding this matter, you may call Cox Customer Safety at 800-753-6085.

Regards,

Cox Customer Safety

6
Malware removal help / Re: Browser Hijacker I can't get rid of
« on: January 31, 2017, 11:44:16 PM »
Yes, it is Cox.

7
Malware removal help / Re: Browser Hijacker I can't get rid of
« on: January 31, 2017, 12:47:47 AM »
Firefox, Chrome
No, there are 4 other computers unaffected.
No, it's not default.  Not a weak password, probably not terribly strong, but nothing common or a word or anything like that.  I am updating it now to a stronger one.

8
Malware removal help / Re: Browser Hijacker I can't get rid of
« on: January 30, 2017, 10:09:34 PM »
Downloaded, ran, didn't find anything.  Attached the log file.  This is crazy.

9
Malware removal help / Re: Browser Hijacker I can't get rid of
« on: January 30, 2017, 07:51:56 PM »
It started on Chrome, but I uninstalled it along with all the personal data, and then reinstalled Chrome and the virus came back, so I uninstalled it again and have not reinstalled after I formatted and reinstalled Windows 7 prof. Been using Firefox since then.

10
Malware removal help / Re: Browser Hijacker I can't get rid of
« on: January 30, 2017, 07:00:00 AM »
Happened again. Attached the RogueKiller scan, & the FRST & Addition scans. And a screenshot of the hijack.

11
Malware removal help / Re: Browser Hijacker I can't get rid of
« on: January 30, 2017, 12:33:40 AM »
Thanks for checking for me.  I will let you know if it hits me again. 

12
Malware removal help / Re: Browser Hijacker I can't get rid of
« on: January 29, 2017, 09:18:30 PM »
At this point in time, no, I'm not. I have not reinstalled Chrome - that's where the attacks began, but continued in Firefox. We have put a site block in the router on mellowsurvey and engine.spotcenered.info, and got a blocked site pop-up (wanting the password to the router - ha!). Then a while later the browser tab I was reading got hijacked to the below screenshot - and I unplugged the machine. I ran RogueKiller right after that & it didn't find anything. So I'm not comfortable that it's completely gone.

13
Malware removal help / Re: Browser Hijacker I can't get rid of
« on: January 29, 2017, 08:03:02 PM »
Apparently only the Addition file attached - here is the FRST

14
Malware removal help / Re: Browser Hijacker I can't get rid of
« on: January 29, 2017, 08:02:25 PM »
I've attached the FRST and the Addition files.

15
Malware removal help / Re: Browser Hijacker I can't get rid of
« on: January 29, 2017, 07:02:40 PM »
This is the last scan that found anything (well, except the one that found & killed Zemana).

RogueKiller V12.9.5.0 (x64) [Jan 23 2017] (Premium) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Calypso [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 01/26/2017 00:51:48 (Duration : 00:15:17)

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 4 ¤¤¤
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 68.105.28.11 68.105.29.11 68.105.28.12 ([X][X][X])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 68.105.28.11 68.105.29.11 68.105.28.12 ([X][X][X])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0BE4C1DE-B26F-4EEE-928C-3D7760162FE1} | DhcpNameServer : 68.105.28.11 68.105.29.11 68.105.28.12 ([X][X][X])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{0BE4C1DE-B26F-4EEE-928C-3D7760162FE1} | DhcpNameServer : 68.105.28.11 68.105.29.11 68.105.28.12 ([X][X][X])  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST3500418AS ATA Device +++++
--- User ---
[MBR] 445a0fa862053eabad731431ee9710de
[BSP] 279c2ca4427da3d2b1ef6b539245d5f4 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 476937 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: Samsung SSD 840 EVO 500GB ATA Device +++++
--- User ---
[MBR] 73b4e66ae4fc15e17f09ace7cd96c9e9
[BSP] 75fd2afd17331e5cf04f48804a9e0dbf : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 476838 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive2: TEAC USB   HS-CF Card USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive3: TEAC USB   HS-xD/SM USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive4: TEAC USB   HS-MS Card USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive5: TEAC USB   HS-SD Card USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive6: LaCie P9230 USB Device +++++
Error reading User MBR! ([57] The parameter is incorrect. )
Error reading LL1 MBR! ([79] The semaphore timeout period has expired. )
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive7: Seagate Backup+ Desk USB Device +++++
--- User ---
[MBR] ec3c24db9a445467986b831406c66357
[BSP] 0abffb185016e72bdad2b091f91bef0b : Empty MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 1907726 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )



This scan was the first one I ran that found anything:
RogueKiller V12.9.5.0 (x64) [Jan 23 2017] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Calypso [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 01/24/2017 21:05:01 (Duration : 00:18:24)

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 12 ¤¤¤
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 68.105.28.11 68.105.29.11 68.105.28.12 ([X][X][X])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 68.105.28.11 68.105.29.11 68.105.28.12 ([X][X][X])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0BE4C1DE-B26F-4EEE-928C-3D7760162FE1} | DhcpNameServer : 68.105.28.11 68.105.29.11 68.105.28.12 ([X][X][X])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{0BE4C1DE-B26F-4EEE-928C-3D7760162FE1} | DhcpNameServer : 68.105.28.11 68.105.29.11 68.105.28.12 ([X][X][X])  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-2734581294-2491555814-1348959036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-2734581294-2491555814-1348959036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyDocs : 0  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-2734581294-2491555814-1348959036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowUser : 0  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-2734581294-2491555814-1348959036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyPics : 0  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-2734581294-2491555814-1348959036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-2734581294-2491555814-1348959036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyDocs : 0  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-2734581294-2491555814-1348959036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowUser : 0  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-2734581294-2491555814-1348959036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyPics : 0  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 1 ¤¤¤
[PUP.Gen1][Folder] C:\Users\Calypso\AppData\Local\PackageAware -> Found

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST3500418AS ATA Device +++++
--- User ---
[MBR] 445a0fa862053eabad731431ee9710de
[BSP] 279c2ca4427da3d2b1ef6b539245d5f4 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 476937 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: Samsung SSD 840 EVO 500GB ATA Device +++++
--- User ---
[MBR] 73b4e66ae4fc15e17f09ace7cd96c9e9
[BSP] 75fd2afd17331e5cf04f48804a9e0dbf : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 476838 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive2: TEAC USB   HS-CF Card USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive3: TEAC USB   HS-xD/SM USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive4: TEAC USB   HS-MS Card USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive5: TEAC USB   HS-SD Card USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive6: LaCie P9230 USB Device +++++
Error reading User MBR! ([57] The parameter is incorrect. )
Error reading LL1 MBR! ([79] The semaphore timeout period has expired. )
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive7: Seagate Backup+ Desk USB Device +++++
--- User ---
[MBR] ec3c24db9a445467986b831406c66357
[BSP] 0abffb185016e72bdad2b091f91bef0b : Empty MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 1907726 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )
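
As an added example (not code from the thread, from lkbart, or from Adlice's RogueKiller), here is a small Python triage script for the report format posted above. It parses each `¤¤¤ Section ¤¤¤` block into structured findings and separates PUM.Dns entries whose DhcpNameServer values match the resolvers you expect your ISP or router to hand out (an allow-list you supply; assumed here to be the three addresses in the posted log) from everything else that deserves a human look. The sample report is a constructed excerpt modeled on the posted log, with one fabricated resolver added to exercise the review path.

```python
"""Triage helper for RogueKiller text reports (added example; not the thread's or Adlice's code).
PUM = Potentially Unwanted Modification: a non-default setting, not confirmed malware. DHCP-assigned
ISP resolvers routinely appear as PUM.Dns, so they are checked against an allow-list you supply."""
import re
from dataclasses import dataclass

SECTION_RE = re.compile(r"^¤¤¤ (?P<name>.+?) :")
FINDING_RE = re.compile(r"^\[(?P<type>[^\]]+)\](?: \((?P<arch>X64|X86)\))?\s*(?P<body>.+?)\s+->\s+(?P<status>\w+)$")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

@dataclass
class Finding:
    section: str  # "Registry", "Files", ...
    type: str     # "PUM.Dns", "PUP.Gen1", ...
    arch: str     # "X64" / "X86", or "" when the line carries no arch tag
    body: str     # key | value, or a path, exactly as RogueKiller printed it
    status: str   # "Found", "Deleted", ...

def parse_report(text):
    """Track the current ¤¤¤ section and collect each '[Type] ... -> Status' line under it."""
    section, findings = None, []
    for line in text.splitlines():
        if m := SECTION_RE.match(line):
            section = m["name"].strip()
        elif section and (m := FINDING_RE.match(line)):
            findings.append(Finding(section, m["type"], m["arch"] or "", m["body"], m["status"]))
    return findings

def triage(findings, expected_resolvers):
    """Split findings: PUM.Dns DhcpNameServer hits whose resolvers are all on the allow-list
    are 'expected'; everything else goes to 'review' for a human to look at."""
    expected, review = [], []
    for f in findings:
        is_dns = f.type == "PUM.Dns" and "DhcpNameServer" in f.body
        ips = set(IPV4_RE.findall(f.body)) if is_dns else set()
        (expected if ips and ips <= set(expected_resolvers) else review).append(f)
    return expected, review

# Constructed excerpt modeled on the log posted above; the 192.0.2.53 resolver (RFC 5737
# documentation range) is fabricated so that the review path is exercised.
SAMPLE_REPORT = r"""RogueKiller V12.9.5.0 (x64) [Jan 23 2017] (Free) by Adlice Software
¤¤¤ Registry : 3 ¤¤¤
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 68.105.28.11 68.105.29.11 68.105.28.12 ([X][X][X])  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-2734581294-2491555814-1348959036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyDocs : 0  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 192.0.2.53 ([X])  -> Found
¤¤¤ Files : 1 ¤¤¤
[PUP.Gen1][Folder] C:\Users\Calypso\AppData\Local\PackageAware -> Found
"""
# Assumption: the resolvers the ISP/router hands out are the three seen in the posted log.
EXPECTED_RESOLVERS = {"68.105.28.11", "68.105.29.11", "68.105.28.12"}
if __name__ == "__main__":
    expected, review = triage(parse_report(SAMPLE_REPORT), EXPECTED_RESOLVERS)
    for tag, group in (("expected", expected), ("REVIEW", review)):
        for f in group:
            print(f"{tag:8} [{f.section}] {f.type}: {f.body}")
```

Anything landing in the review list (the StartMenu tweaks, the PUP folder, a resolver you did not expect) is what to paste into a thread like this one; the DHCP resolver lines that match your ISP are the noise RogueKiller reports on every scan.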



