G Paw, posted June 5, 2017:
For about a week, I have been getting nod32 warnings of blocked objects (e.g. hxxp://www.server1800/r6.php?cmd=e, hxxp://www.elitefund/r6.php?cmd=e, etc.). These occur daily, with 2 to 4 sites involved. Can anyone tell me what is happening and why? Thanks.
Marcos (Administrator), posted June 5, 2017:
Please provide a screenshot of the alert that you're getting with the IP address visible.
G Paw (author), posted June 5, 2017 (edited):
Although this is not the alert, I think the alert makes reference to wscript.exe. I will try to be ready to capture the next alert. Here is the result in the log.
Edited June 5, 2017 by G Paw
cyberhash (Most Valued Member), posted June 5, 2017:
1 hour ago, G Paw said: "Although this is not the alert, I think the alert makes reference to wscript.exe. I will try to be ready to capture the next alert. Here is the result in the log."
The original web URL you posted is fine; it looks like you have become infected with some type of redirecting script. Were you running NOD32 prior to this happening, or did you install it after getting the messages? You appear to be infected with some type of redirect script.
G Paw (author), posted June 5, 2017 (edited):
I have run nod32 for many years, so I am not sure how this would have happened. I also run Malwarebytes (real time), so this is really making me wonder why it got past both of these. My hope is that there is a simple fix. I am now wondering if I should submit a ticket to Support for this?
Edited June 5, 2017 by G Paw
itman, posted June 5, 2017:
Look in your "Filtered Web Sites" log for the source of the malware detection. The IP address should also be shown there.
G Paw (author), posted June 5, 2017:
Here are the details of the last pop-up warning:
itman, posted June 5, 2017:
If none of the blocked URLs look familiar to you, my best guess at this point is that your browser has been hijacked and you are being redirected to malicious web sites.
G Paw (author), posted June 5, 2017:
Thank you all for the replies. Any suggestions on how to get rid of it?
cyberhash (Most Valued Member), posted June 5, 2017:
17 minutes ago, G Paw said: "Thank you all for the replies. Any suggestions on how to get rid of it?"
AdwCleaner seems to be able to do the trick: https://www.bleepingcomputer.com/download/adwcleaner/
itman, posted June 5, 2017 (edited):
If AdwCleaner doesn't remove the hijack, try SysInternals Autoruns: https://technet.microsoft.com/en-us/sysinternals/bb963902.aspx . After unzipping the download, open the created folder and run Autoruns.exe. Then click on the Image Hijacks tab to display any browser hijacks. If any exist, uncheck them only and exit the program. By unchecking them they are only disabled and can be re-enabled if something ends up borked. Be careful with this utility, since it is powerful and can bork your OS installation if you disable and/or delete entries without fully assessing the impact of those actions.
Edited June 5, 2017 by itman
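As an added, read-only illustration of what the Autoruns procedure above inspects (this is not code from the thread or from Sysinternals): the script below lists Image File Execution Options "Debugger" values, which is where the Image Hijacks tab draws from, plus Run/RunOnce values and scheduled-task actions that invoke the Windows Script Host, the component the poster's wscript.exe error points to. It assumes an elevated PowerShell prompt on Windows 8 or later and only reports; it changes nothing, so the entries can be assessed before anything is disabled in Autoruns.

```powershell
# Added example, not from the thread. Read-only: reports, never modifies.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Command lines that launch the Windows Script Host or a script file directly.
$scriptHost = 'wscript\.exe|cscript\.exe|\.(js|jse|vbs|vbe|wsf)\b'

# 1. IFEO "Debugger" values: Windows starts the listed program in place of
#    the named executable. Legitimate entries are rare; treat each as suspect.
Get-ChildItem $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).Debugger
    if ($dbg) {
        [pscustomobject]@{ Location = 'IFEO'; Name = $_.PSChildName; Command = $dbg }
    }
}

# 2. Run/RunOnce values whose command line matches the script-host pattern.
foreach ($key in $runKeys) {
    $props = Get-ItemProperty $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip registry-provider metadata
        if ("$($p.Value)" -match $scriptHost) {
            [pscustomobject]@{ Location = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

# 3. Scheduled tasks whose action runs a script host (a common way a
#    redirect script keeps coming back after a reboot).
Get-ScheduledTask | ForEach-Object {
    foreach ($a in $_.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($cmd -match $scriptHost) {
            [pscustomobject]@{ Location = "Task:$($_.TaskPath)"; Name = $_.TaskName; Command = $cmd }
        }
    }
}
```

Pipe the output to Format-Table or Export-Csv to keep a record before and after cleanup, so a re-appearing entry (as in the poster's later update) can be spotted by comparing the two lists.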
G Paw (author), posted June 5, 2017:
@cyberhash: thanks for this suggestion. I ran AdwCleaner, which found 110 threats. A second pass gave an all clear. @itman: I will try Autoruns if necessary... thanks for the caution as well. I will report back in a couple of days.
cyberhash (Most Valued Member), posted June 6, 2017:
2 hours ago, G Paw said: "@cyberhash: thanks for this suggestion. I ran AdwCleaner, which found 110 threats. A second pass gave an all clear. @itman: I will try Autoruns if necessary... thanks for the caution as well. I will report back in a couple of days."
Just for reference, this type of redirect using wscript appears to bypass every A/V product, which is why it managed to bypass your NOD32 and Malwarebytes combo. But as you saw with the alerts on NOD32, it did actually block the redirect attempts made by it. There are lots of apps out there that are infected with this kind of thing, so where possible try to download software directly from the vendor. Some other sites bundle those nasties inside the installers to try to make money from the ads that they redirect you to. SuperAntiSpyware and Malwarebytes are two big targets for people trying to make money; people repackage their software constantly. Hope you are all sorted anyway.
G Paw (author), posted June 6, 2017:
Having used nod32 for 12 years without issue, I was very surprised that this happened, but as you said, this type of redirect bypasses all A/V, and the attempts were blocked by nod32. I am careful where I download from, but obviously not careful enough. Thanks again.
G Paw (author), posted June 6, 2017 (edited):
Update. I ran both of the above suggested products: AdwCleaner cleaned 100+ entries, and Autoruns showed 1 Image Hijack entry, which I unchecked. Rebooted, and nothing happened for a few hours. However, I just received 3 simultaneous Malwarebytes notifications (blocked outbound connection) and none from nod32. I also received a Windows Script Host error (jpg included below); I renamed the entry noted in the error and rebooted. I checked the nod32 log to confirm there were no entries. However, I checked the Malwarebytes log and they are recorded. In addition, Malwarebytes was also logging blocked-outbound actions much further back than nod32. A few hours later, I received a nod32 outbound connection notification and an entry in its log; none was detected by Malwarebytes. The entry timestamps occur at different times between the two logs, so it appears nod32 grabs some and Malwarebytes grabs some. The fact that both nod32 and Malwarebytes still detected attempts means I am still infected. And not only that, it would seem there could be outbound attempts succeeding that neither product is catching. Any other suggestions before I open a ticket with support?
Edited June 6, 2017 by G Paw
itman, posted June 6, 2017:
1 hour ago, G Paw said: "I ran both of the above suggested products: AdwCleaner cleaned 100+ entries."
This in itself "speaks volumes" about the fact that your browser is heavily infested with adware, etc. Try running an Eset custom scan, selecting operating memory, boot sector, and the HDD your OS is installed on. Run the scan as administrator and see if Eset detects anything.
G Paw (author), posted June 8, 2017:
On 2017-6-6 at 6:58 PM, itman said: "This in itself 'speaks volumes' about the fact that your browser is heavily infested with adware, etc."
The rhetorical question is "how in the world would this happen with nod32 and Malwarebytes protecting my system?"
cyberhash (Most Valued Member), posted June 8, 2017:
10 minutes ago, G Paw said: "The rhetorical question is 'how in the world would this happen with nod32 and Malwarebytes protecting my system?'"
A valid question, but sadly nothing can ever block 100% of the threats out there. You can take extra steps (over and above running a security app) to try to reduce the chances of infection. If you have Java installed, you can go into its settings (Configure Java) and disable it in your browsers. I have done this personally for years and have never had any problems with any websites so far. I presume you are still infected by this nuisance redirecting?
peteyt (Most Valued Member), posted June 8, 2017:
16 hours ago, G Paw said: "The rhetorical question is 'how in the world would this happen with nod32 and Malwarebytes protecting my system?'"
There's a saying that goes a little like "if you keep looking under rocks you will eventually find a snake." I'm not sure what kind of computer user you are, so I am not trying to jump to conclusions and hope you don't get offended. However, from my past experience fixing friends' and family's computers, they tend to think their security products make their PC invisible. If you keep going on possibly dangerous sites there's always a risk of getting infected. Security products are never 100 percent perfect: they can miss things and also mark safe things as bad. The risk of getting infected increases if you start to visit risky sites, and the more sites you visit, the higher the risk. Hope I haven't offended you.
G Paw (author), posted June 10, 2017:
On 2017-6-7 at 10:08 PM, cyberhash said: "I presume you are still infected by this nuisance redirecting?"
Well, the good news is I was able to remove the nuisance after many hours of applying tips from the Microsoft site, which finally triggered a nod32 notice indicating a "JS/Kryptik.BFX trojan", which I was then finally able to remove using the NOD32 menu selection "Help and support / ESET Specialized Cleaner". That was 2 days ago, and no more warnings or blocked objects/websites. I decided to submit the trojan to Eset, although I don't expect to hear back from them. @peteyt: I have been in IT support for 20+ years.
itman, posted June 10, 2017:
Also make sure all your application software is fully patched with the latest updates applied, since this malware is usually delivered via exploit: https://blog.malwarebytes.com/threat-analysis/2014/08/shining-some-light-on-the-unknown-exploit-kit/