Malware 21

spookisgirl
New Helpee

Posts: 9

Malware 21 Nov 22, 2017 22:25:42 GMT -8

Quote

Post by spookisgirl on Nov 22, 2017 22:25:42 GMT -8

Hi,

I am getting notice of malvertisement attack 21 on my norton every time I open firefox. I followed your instructions from the thread on it and attached are my reports.FRST.txt (82.47 KB)
I can't seem to get my other file to upload. but here is the link: wikisend.com/download/668394/Addition.txt

Thank you and let me know if I need to do anything else.

dbrisen
Malware Removalists

Posts: 3,688

Malware 21 Nov 24, 2017 0:23:14 GMT -8

Quote

Post by dbrisen on Nov 24, 2017 0:23:14 GMT -8

Sorry for the delay in replying; fighting a nasty head-cold at the moment.

Did you know that System Restore is disabled? It would be best to have this function enabled during our repairs should anything unforseen happen. We can always turn it back off when we are done.

If you did not do this intentionally, please check the following:

Go to Start and type System in the search box.

Click on System (under Control Panel or Settings) and then on System Protection.

Click on Configure and then select Turn on system protection.

Click Apply and then OK.

In the System Protection screen, is Protection now On for the drive? If so, please proceed with the following repairs (in order).

FIRST >>>>

Please go to START (Windows Orb) >> Control Panel >> Uninstall a Program or Programs and Features and remove the following (if listed):

App Explorer

To do so, left clicking on the name once and then click Uninstall/Change at the bar above the list window.

Follow the prompts of the uninstaller BUT please read carefully any questions it asks before answering; some uninstallers will try and deceive you into keeping the software.

SECOND >>>>

1- Please double-click on FRST/FRST64
2- Press the Ctrl+y keys (Ctrl and y keys at the same time)
3- A fixlist.txt file opens up in notepad.exe. Please copy the contents of the quote box below. To do this highlight the contents of the box and right click on it and select copy. Paste this into the open notepad.

Start::
CreateRestorePoint:
CloseProcesses:
C:\Users\jennj\AppData\Local\Host App Service
SearchScopes: HKU\S-1-5-21-1656603209-3388659482-3860139864-1001 -> DefaultScope {A00AD066-33D4-48C4-B174-B690C621B6C8} URL =
SearchScopes: HKU\S-1-5-21-1656603209-3388659482-3860139864-1001 -> {A00AD066-33D4-48C4-B174-B690C621B6C8} URL =
FF Extension: (Amazon Assistant for Firefox) - C:\Users\jennj\AppData\Roaming\Mozilla\Firefox\Profiles\r1fnv2x6.default\Extensions\abb-acer@amazon.com [2017-04-06] [Lagacy]
C:\Users\jennj\AppData\Roaming\Mozilla\Firefox\Profiles\r1fnv2x6.default\Extensions\abb-acer@amazon.com
FF Extension: (Amazon Assistant for Firefox) - C:\Program Files (x86)\Mozilla Firefox\distribution\extensions\abb-acer@amazon.com [2017-04-08] [Lagacy]
C:\Program Files (x86)\Mozilla Firefox\distribution\extensions\abb-acer@amazon.com
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => -> No File
Task: {16445301-35CC-45E2-8155-18C079E34F39} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION
Task: {B238B878-F38A-49C7-A524-828DE23FC73F} - System32\Tasks\App Explorer => C:\Users\jennj\AppData\Local\Host App Service\Engine\HostAppServiceUpdater.exe [2017-11-20] (SweetLabs, Inc) <==== ATTENTION
cmd: ipconfig /flushdns
cmd: netsh advfirewall reset
cmd: netsh advfirewall set allprofiles state on
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
CMD: bitsadmin /reset /allusers
RemoveProxy:
EmptyTemp:
Reboot:
End::

4- Press Ctrl+s to save. Close the fixlist.txt file.
5- Press the Fix button on FRSTjust once.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

LAST >>>>

AdwCleaner by Xplode

Download AdwCleaner from here or from here. Save the file to the desktop.

NOTE: If you are using IE 8 or above you may get a warning that stops the program from downloading. Just click on the warning and allow the download to complete.

Close all open windows and browsers.

[/b][/font] Right click the AdwCleaner icon on the desktop, click Run as administrator and accept the UAC prompt to run AdwCleaner.
You will see the following console:

Click the Scan button and wait for the scan to finish.

After the Scan has finished the window may or may not show what it found and above, in the progress bar, you will see: Waiting for action. Please uncheck elements you don't want to remove.

Click the Clean button.

Everything checked will be deleted.

When the program has finished cleaning a report appears.

Once done, the program may ask to reboot the system; please allow this to happen to finish cleaning.

On reboot a log will be produced please copy / paste that in your next reply. This report is also saved to C:\AdwCleaner\AdwCleaner[C#].txt
[/ul]

Optional:
NOTE: If you see AVG Secure Search being targeted for deletion, Here's Why and Here. You can always Reinstall it.

INFO TO REPLY WITH:
How is your system running now?
How did the uninstall(s) go? Any problems?
The Fixlog.txt text file (you should be able to attach this file; no need for wikisend.com usually).
The AdwCleaner[C#].txt log file.
Any questions?

I will not provide malware removal by PM; please post in your thread on the Malware Removal board.
My help is always free but if you would like to help encourage me or show your thanks -----> DONATE

spookisgirl
New Helpee

Posts: 9

Malware 21 Nov 24, 2017 16:22:16 GMT -8

Quote

Post by spookisgirl on Nov 24, 2017 16:22:16 GMT -8

Hi,

Thank you very much for the help. Unfortunately, after following all the steps, I am still seeing the attack from malvertisement 21 from norton when I start firefox. Norton originally allowed frst, but then removed it when I ran the fix, so I had to reinstall it and mark it as trusted and redo the fix. I don't know if this affected things. No problem uninstalling the apexplorer.

Attached is the log, and this is the report from adwcleaner:

# AdwCleaner 7.0.4.0 - Logfile created on Sat Nov 25 00:14:10 2017
# Updated on 2017/27/10 by Malwarebytes
# Database: 11-23-2017.1
# Running on Windows 10 Home (X64)
# Mode: scan
# Support: www.malwarebytes.com/support

***** [ Services ] *****

No malicious services found.

***** [ Folders ] *****

PUP.Optional.Legacy, C:\Users\defaultuser0\AppData\Local\Host App Service
PUP.Optional.Legacy, C:\ProgramData\DriverSetupUtility
PUP.Optional.Legacy, C:\ProgramData\Application Data\DriverSetupUtility
PUP.Optional.Legacy, C:\Program Files\DriverSetupUtility
PUP.Optional.Legacy, C:\Users\All Users\DriverSetupUtility

***** [ Files ] *****

No malicious files found.

***** [ DLL ] *****

No malicious DLLs found.

***** [ WMI ] *****

No malicious WMI found.

***** [ Shortcuts ] *****

No malicious shortcuts found.

***** [ Tasks ] *****

No malicious tasks found.

***** [ Registry ] *****

PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2B51C83A-465D-4EA9-9CDC-1ED95ED09AC6}
PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Classes\Interface\{7BCA6879-A9F8-47DE-AE05-F5CE7EA3A474}
PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Classes\TypeLib\{ADF1FA2A-6EAA-4A97-A55F-3C8B92843EF5}
PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\A38C15B2D5649AE4C9CDE19DE50DA96C
PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Classes\Installer\Features\A38C15B2D5649AE4C9CDE19DE50DA96C
PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Classes\Installer\Products\A38C15B2D5649AE4C9CDE19DE50DA96C
PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Classes\AppID\OverlayIcon.DLL

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries.

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries.

*************************

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt ##########Fixlog.txt (6.27 KB)

spookisgirl New Helpee Posts: 9	Malware 21 Nov 24, 2017 16:22:53 GMT -8 Quote Select Post Deselect Post Link to Post Member Give Gift Back to Top Post by spookisgirl on Nov 24, 2017 16:22:53 GMT -8 I also turned on system restore

dbrisen Malware Removalists Posts: 3,688	Malware 21 Nov 25, 2017 12:45:54 GMT -8 Quote Select Post Deselect Post Link to Post Member Give Gift Back to Top Post by dbrisen on Nov 25, 2017 12:45:54 GMT -8 Can you post any details from the Norton warnings?
	I will not provide malware removal by PM; please post in your thread on the Malware Removal board. My help is always free but if you would like to help encourage me or show your thanks -----> *DONATE*

spookisgirl
New Helpee

Posts: 9

Malware 21 Nov 25, 2017 13:18:51 GMT -8

Quote

Post by spookisgirl on Nov 25, 2017 13:18:51 GMT -8

Here is the text specific to this threat from my Norton recent history file. I can't seem to upload the file (through this forum or wikifile--keep getting an error the file is no longer available). I don't know if the other information would be useful to you, but let me know.

Category: Scan Results
Date & Time,Risk,Activity,Status,Scan Time (d:h:m:s),Total items scanned,Files & Directories,Registry Entries,Processes & Start-Up Items,Network & Browser Items,Other,Trusted Files,Skipped Files,Total Security Risks Detected,Total Security Risks Resolved,Total Security Risks Requiring Attention
25/11/2017 12:38:24 PM,Info,Quick Scan results,Completed,0:00:01:23,"10,316","6,413",491,"2,804",604,4,709,0,0,0,0
,,,,,,,,,,,,,,,,
23/11/2017 6:56:56 PM,Info,Quick Scan results,Completed,0:00:01:30,"10,291","6,380",491,"2,813",603,4,715,0,0,0,0
22/11/2017 9:43:20 PM,Info,Quick Scan results,Completed,0:00:01:13,"10,240","6,356",491,"2,783",606,4,715,0,0,0,0
19/11/2017 12:16:00 PM,Info,Quick Scan results,Completed,0:00:01:17,"10,230","6,319",491,"2,814",602,4,716,0,0,0,0
18/11/2017 3:07:24 PM,Info,Quick Scan results,Completed,0:00:02:09,"10,254","6,321",491,"2,836",602,4,343,0,0,0,0

Category: Resolved Security Risks
Date & Time,Risk,Activity,Status,Recommended Action,Activity - Details
24/11/2017 3:59:08 PM,High,frst64.exe (SONAR.SuspLaunch!g21) detected by SONAR,Quarantined,Resolved - No Action Required,Threat Actions performed: 56

Category: Quarantine
Date & Time,Risk,Activity,Status,Recommended Action,Activity - Details
24/11/2017 3:59:08 PM,High,frst64.exe (SONAR.SuspLaunch!g21) detected by SONAR,Quarantined,Resolved - No Action Required,Threat Actions performed: 56

Category: SONAR Activity
Date & Time,Risk,Activity,Status,Recommended Action,Activity - Details
24/11/2017 3:59:08 PM,High,frst64.exe (SONAR.SuspLaunch!g21) detected by SONAR,Quarantined,Resolved - No Action Required,Threat Actions performed: 56

Category: Firewall - Network and Connections
Date & Time,Risk,Activity,Status,Recommended Action,Gateway IP Address,Gateway Physical Address,Category,Subnet Identifier
25/11/2017 11:54:54 AM,Info,Connected to a public network. (Teredo tunnel adapter(::0)),Protected,No Action Required,Teredo tunnel adapter(::0),,,
25/11/2017 11:54:54 AM,Info,Connected to a private network. (78 96 84 56 12 16),Shared,No Action Required,,78 96 84 56 12 16,,
25/11/2017 11:54:47 AM,Info,"Protecting your connection to a newly detected network on adapter \"Teredo Tunneling Pseudo-Interface\" (IP address: 2001::5ef5:79fb:3c62:2ced:3f57:fff7).",Detected,No Action Required,,,Firewall - Network and Connections,
25/11/2017 11:54:44 AM,Info,"Protecting your connection to a newly detected network on adapter \"Teredo Tunneling Pseudo-Interface\" (IP address: fe80::3c62:2ced:3f57:fff7%8).",Detected,No Action Required,,,Firewall - Network and Connections,
25/11/2017 11:54:44 AM,Info,IP address has disappeared from adapter Teredo Tunneling Pseudo-Interface (IP address: fe80::ffff:ffff:fffe%8).,Detected,No Action Required,,,Firewall - Network and Connections,
25/11/2017 11:54:44 AM,Info,IP address has disappeared from adapter Bluetooth Device (Personal Area Network) (IP address: fe80::6931:3aa3:7988:1a5a%5).,Detected,No Action Required,,,Firewall - Network and Connections,
25/11/2017 11:54:44 AM,Info,IP address has disappeared from adapter Microsoft Wi-Fi Direct Virtual Adapter (IP address: fe80::5ccc:6fa:94f4:304a%15).,Detected,No Action Required,,,Firewall - Network and Connections,
25/11/2017 11:54:44 AM,Info,"Protecting your connection to a newly detected network on adapter \"Qualcomm Atheros QCA61x4A Wireless Network Adapter\" (IP address: 192.168.0.8).",Detected,No Action Required,,,Firewall - Network and Connections,
25/11/2017 11:54:44 AM,Info,IP address has disappeared from adapter Qualcomm Atheros QCA61x4A Wireless Network Adapter (IP address: 169.254.61.98).,Detected,No Action Required,,,Firewall - Network and Connections,
25/11/2017 11:54:44 AM,Info,IP address has disappeared from adapter Bluetooth Device (Personal Area Network) (IP address: 169.254.26.90).,Detected,No Action Required,,,Firewall - Network and Connections,
25/11/2017 11:54:44 AM,Info,IP address has disappeared from adapter Microsoft Wi-Fi Direct Virtual Adapter (IP address: 169.254.48.74).,Detected,No Action Required,,,Firewall - Network and Connections,
25/11/2017 11:54:40 AM,Info,"Protecting your connection to a newly detected network on adapter \"Teredo Tunneling Pseudo-Interface\" (IP address: fe80::ffff:ffff:fffe%8).",Detected,No Action Required,,,Firewall - Network and Connections,
25/11/2017 11:54:40 AM,Info,"Protecting your connection to a newly detected network on adapter \"Qualcomm Atheros QCA61x4A Wireless Network Adapter\" (IP address: fe80::c44f:30da:87e9:3d62%9).",Detected,No Action Required,,,Firewall - Network and Connections,
25/11/2017 11:54:40 AM,Info,"Protecting your connection to a newly detected network on adapter \"Bluetooth Device (Personal Area Network)\" (IP address: fe80::6931:3aa3:7988:1a5a%5).",Detected,No Action Required,,,Firewall - Network and Connections,
25/11/2017 11:54:40 AM,Info,"Protecting your connection to a newly detected network on adapter \"Bluetooth Device (Personal Area Network)\" (IP address: 169.254.26.90).",Detected,No Action Required,,,Firewall - Network and Connections,
25/11/2017 11:54:40 AM,Info,"Protecting your connection to a newly detected network on adapter \"Qualcomm Atheros QCA61x4A Wireless Network Adapter\" (IP address: 169.254.61.98).",Detected,No Action Required,,,Firewall - Network and Connections,
25/11/2017 11:37:42 AM,Info,IP address has disappeared from adapter Qualcomm Atheros QCA61x4A Wireless Network Adapter (IP address: 192.168.0.8).,Detected,No Action Required,,,Firewall - Network and Connections,
25/11/2017 11:37:42 AM,Info,"Protecting your connection to a newly detected network on adapter \"Microsoft Wi-Fi Direct Virtual Adapter\" (IP address: fe80::5ccc:6fa:94f4:304a%15).",Detected,No Action Required,,,Firewall - Network and Connections,
25/11/2017 11:37:42 AM,Info,IP address has disappeared from adapter Qualcomm Atheros QCA61x4A Wireless Network Adapter (IP address: fe80::c44f:30da:87e9:3d62%9).,Detected,No Action Required,,,Firewall - Network and Connections,
25/11/2017 11:37:42 AM,Info,"Protecting your connection to a newly detected network on adapter \"Microsoft Wi-Fi Direct Virtual Adapter\" (IP address: 169.254.48.74).",Detected,No Action Required,,,Firewall - Network and Connections,
24/11/2017 11:37:41 PM,Info,IP address has disappeared from adapter Teredo Tunneling Pseudo-Interface (IP address: 2001::5ef5:79fb:2025:124:3f57:fff7).,Detected,No Action Required,,,Firewall - Network and Connections,
24/11/2017 11:37:41 PM,Info,IP address has disappeared from adapter Teredo Tunneling Pseudo-Interface (IP address: fe80::2025:124:3f57:fff7%8).,Detected,No Action Required,,,Firewall - Network and Connections,
24/11/2017 10:39:45 PM,Info,"Protecting your connection to a newly detected network on adapter \"Teredo Tunneling Pseudo-Interface\" (IP address: 2001::5ef5:79fb:2025:124:3f57:fff7).",Detected,No Action Required,,,Firewall - Network and Connections,
24/11/2017 10:39:42 PM,Info,"Protecting your connection to a newly detected network on adapter \"Teredo Tunneling Pseudo-Interface\" (IP address: fe80::2025:124:3f57:fff7%8).",Detected,No Action Required,,,Firewall - Network and Connections,
24/11/2017 10:39:42 PM,Info,"Protecting your connection to a newly detected network on adapter \"Qualcomm Atheros QCA61x4A Wireless Network Adapter\" (IP address: fe80::c44f:30da:87e9:3d62%9).",Detected,No Action Required,,,Firewall - Network and Connections,
24/11/2017 10:39:42 PM,Info,IP address has disappeared from adapter Microsoft Wi-Fi Direct Virtual Adapter (IP address: fe80::5ccc:6fa:94f4:304a%15).,Detected,No Action Required,,,Firewall - Network and Connections,
24/11/2017 10:39:42 PM,Info,"Protecting your connection to a newly detected network on adapter \"Qualcomm Atheros QCA61x4A Wireless Network Adapter\" (IP address: 192.168.0.8).",Detected,No Action Required,,,Firewall - Network and Connections,
24/11/2017 10:39:42 PM,Info,IP address has disappeared from adapter Microsoft Wi-Fi Direct Virtual Adapter (IP address: 169.254.48.74).,Detected,No Action Required,,,Firewall - Network and Connections,
24/11/2017 10:39:39 PM,Info,IP address has disappeared from adapter Qualcomm Atheros QCA61x4A Wireless Network Adapter (IP address: fe80::c44f:30da:87e9:3d62%9).,Detected,No Action Required,,,Firewall - Network and Connections,
24/11/2017 10:39:39 PM,Info,IP address has disappeared from adapter Bluetooth Device (Personal Area Network) (IP address: fe80::6931:3aa3:7988:1a5a%5).,Detected,No Action Required,,,Firewall - Network and Connections,
24/11/2017 10:39:39 PM,Info,IP address has disappeared from adapter Bluetooth Device (Personal Area Network) (IP address: 169.254.26.90).,Detected,No Action Required,,,Firewall - Network and Connections,
24/11/2017 10:39:39 PM,Info,IP address has disappeared from adapter Qualcomm Atheros QCA61x4A Wireless Network Adapter (IP address: 192.168.0.8).,Detected,No Action Required,,,Firewall - Network and Connections,
24/11/2017 5:24:40 PM,Info,"Protecting your connection to a newly detected network on adapter \"Bluetooth Device (Personal Area Network)\" (IP address: fe80::6931:3aa3:7988:1a5a%5).",Detected,No Action Required,,,Firewall - Network and Connections,
24/11/2017 5:24:40 PM,Info,"Protecting your connection to a newly detected network on adapter \"Microsoft Wi-Fi Direct Virtual Adapter\" (IP address: fe80::5ccc:6fa:94f4:304a%15).",Detected,No Action Required,,,Firewall - Network and Connections,
24/11/2017 5:24:40 PM,Info,"Protecting your connection to a newly detected network on adapter \"Bluetooth Device (Personal Area Network)\" (IP address: 169.254.26.90).",Detected,No Action Required,,,Firewall - Network and Connections,
24/11/2017 5:24:40 PM,Info,"Protecting your connection to a newly detected network on adapter \"Microsoft Wi-Fi Direct Virtual Adapter\" (IP address: 169.254.48.74).",Detected,No Action Required,,,Firewall - Network and Connections,
24/11/2017 5:24:40 PM,Info,IP address has disappeared from adapter Teredo Tunneling Pseudo-Interface (IP address: 2001::5ef5:79fb:1031:2be5:3f57:fff7).,Detected,No Action Required,,,Firewall - Network and Connections,
24/11/2017 5:24:40 PM,Info,IP address has disappeared from adapter Teredo Tunneling Pseudo-Interface (IP address: fe80::1031:2be5:3f57:fff7%8).,Detected,No Action Required,,,Firewall - Network and Connections,
24/11/2017 4:16:03 PM,Info,Connected to a public network. (Teredo tunnel adapter(::0)),Protected,No Action Required,Teredo tunnel adapter(::0),,,
24/11/2017 4:16:03 PM,Info,Connected to a private network. (78 96 84 56 12 16),Shared,No Action Required,,78 96 84 56 12 16,,
24/11/2017 4:15:59 PM,Info,"Protecting your connection to a newly detected network on adapter \"Teredo Tunneling Pseudo-Interface\" (IP address: fe80::1031:2be5:3f57:fff7%8).",Detected,No Action Required,,,Firewall - Network and Connections,
24/11/2017 4:15:59 PM,Info,"Protecting your connection to a newly detected network on adapter \"Teredo Tunneling Pseudo-Interface\" (IP address: 2001::5ef5:79fb:1031:2be5:3f57:fff7).",Detected,No Action Required,,,Firewall - Network and Connections,
24/11/2017 4:15:56 PM,Info,Connected to a public network. (78 96 84 56 12 16),Protected,No Action Required,,78 96 84 56 12 16,,
24/11/2017 4:15:53 PM,Info,Connected to a public network. (127.0.0.0/255.0.0.0),Protected,No Action Required,,,,127.0.0.0/255.0.0.0
24/11/2017 4:15:53 PM,Info,Connected to a private network. (78 96 84 56 12 16),Shared,No Action Required,,78 96 84 56 12 16,,
24/11/2017 4:15:50 PM,Info,"Protecting your connection to a newly detected network on adapter \"Qualcomm Atheros QCA61x4A Wireless Network Adapter\" (IP address: fe80::c44f:30da:87e9:3d62%9).",Detected,No Action Required,,,Firewall - Network and Connections,
24/11/2017 4:15:50 PM,Info,"Protecting your connection to a newly detected network on adapter \"Qualcomm Atheros QCA61x4A Wireless Network Adapter\" (IP address: 192.168.0.8).",Detected,No Action Required,,,Firewall - Network and Connections,
24/11/2017 4:15:39 PM,Info,"Protecting your connection to a newly detected network on adapter \"Software Loopback Interface 1\" (IP address: ::1).",Detected,No Action Required,,,Firewall - Network and Connections,
24/11/2017 4:15:39 PM,Info,"Protecting your connection to a newly detected network on adapter \"Software Loopback Interface 1\" (IP address: 127.0.0.1).",Detected,No Action Required,,,Firewall - Network and Connections,
24/11/2017 4:11:06 PM,Info,"Protecting your connection to a newly detected network on adapter \"Teredo Tunneling Pseudo-Interface\" (IP address: fe80::3800:2452:3f57:fff7%8).",Detected,No Action Required,,,Firewall - Network and Connections,
24/11/2017 4:11:06 PM,Info,"Protecting your connection to a newly detected network on adapter \"Teredo Tunneling Pseudo-Interface\" (IP address: 2001::5ef5:79fb:3800:2452:3f57:fff7).",Detected,No Action Required,,,Firewall - Network and Connections,
24/11/2017 4:11:06 PM,Info,Connected to a private network. (78 96 84 56 12 16),Shared,No Action Required,,78 96 84 56 12 16,,
24/11/2017 4:11:02 PM,Info,Connected to a public network. (78 96 84 56 12 16),Protected,No Action Required,,78 96 84 56 12 16,,
24/11/2017 4:10:59 PM,Info,Connected to a public network. (127.0.0.0/255.0.0.0),Protected,No Action Required,,,,127.0.0.0/255.0.0.0
24/11/2017 4:10:59 PM,Info,Connected to a private network. (78 96 84 56 12 16),Shared,No Action Required,,78 96 84 56 12 16,,

Category: Firewall - Activities
Date & Time,Risk,Activity,Status,Recommended Action,Category,Program Path,Default Action,Action Taken,Local Computer,Traffic Description,Program Name
25/11/2017 12:01:28 PM,Info,Firewall rules updated ,Detected,No Action Required,Firewall - Activities,,,,,,
25/11/2017 12:01:28 PM,Info,You allowed an application to access your network resources.,Allowed,No Action Required,,C:\Program Files\Mozilla Firefox\pingsender.exe,No Action Required,Allow,"192.168.0.8, 53479","Outbound TCP, https",
25/11/2017 12:01:28 PM,Info,You allowed an application to access your network resources.,Allowed,No Action Required,,C:\Program Files\Mozilla Firefox\pingsender.exe,No Action Required,Allow,"192.168.0.8, 53478","Outbound TCP, https",
25/11/2017 12:00:56 PM,Info,Firewall rules updated ,Detected,No Action Required,Firewall - Activities,,,,,,
25/11/2017 12:00:43 PM,Info,You allowed Firefox to access your network resources.,Allowed,No Action Required,,C:\Program Files\Mozilla Firefox\firefox.exe,No Action Required,Allow,"192.168.0.8, 53324","Outbound TCP, https",Firefox
25/11/2017 12:00:43 PM,Info,You allowed Firefox to access your network resources.,Allowed,No Action Required,,C:\Program Files\Mozilla Firefox\firefox.exe,No Action Required,Allow,"192.168.0.8, 53323","Outbound TCP, https",Firefox
25/11/2017 11:59:58 AM,Info,Firewall rules updated ,Detected,No Action Required,Firewall - Activities,,,,,,
25/11/2017 11:59:58 AM,Info,You allowed setup-stub to access your network resources.,Allowed,No Action Required,,C:\Users\jennj\AppData\Local\Temp\7zS450F.tmp\setup-stub.exe,No Action Required,Allow,"192.168.0.8, 53307","Outbound TCP, https",setup-stub
25/11/2017 11:59:41 AM,Info,Firewall rules updated ,Detected,No Action Required,Firewall - Activities,,,,,,
25/11/2017 11:59:41 AM,Info,You allowed Browser_Broker to access your network resources.,Allowed,No Action Required,,C:\Windows\System32\browser_broker.exe,No Action Required,Allow,"192.168.0.8, 53289","Outbound TCP, https",Browser_Broker
25/11/2017 11:59:15 AM,Info,Firewall rules updated ,Detected,No Action Required,Firewall - Activities,,,,,,
25/11/2017 11:59:14 AM,Info,You allowed Microsoft Edge to access your network resources.,Allowed,No Action Required,,C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe,No Action Required,Allow,"192.168.0.8, 53197","Outbound TCP, https",Microsoft Edge
25/11/2017 11:59:14 AM,Info,You allowed Microsoft Edge to access your network resources.,Allowed,No Action Required,,C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe,No Action Required,Allow,"192.168.0.8, 53196","Outbound TCP, https",Microsoft Edge
25/11/2017 11:59:12 AM,Info,Firewall rules updated ,Detected,No Action Required,Firewall - Activities,,,,,,
25/11/2017 11:59:12 AM,Info,You allowed Microsoft Edge Content Process to access your network resources.,Allowed,No Action Required,,C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe,No Action Required,Allow,"192.168.0.8, 53146","Outbound TCP, https",Microsoft Edge Content Process
25/11/2017 11:59:12 AM,Info,You allowed Microsoft Edge Content Process to access your network resources.,Allowed,No Action Required,,C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe,No Action Required,Allow,"192.168.0.8, 53145","Outbound TCP, https",Microsoft Edge Content Process
25/11/2017 11:59:12 AM,Info,You allowed Microsoft Edge Content Process to access your network resources.,Allowed,No Action Required,,C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe,No Action Required,Allow,"192.168.0.8, 53144","Outbound TCP, https",Microsoft Edge Content Process
25/11/2017 11:59:12 AM,Info,You allowed Microsoft Edge Content Process to access your network resources.,Allowed,No Action Required,,C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe,No Action Required,Allow,"192.168.0.8, 53143","Outbound TCP, https",Microsoft Edge Content Process
24/11/2017 11:26:16 PM,Info,Firewall rules updated ,Detected,No Action Required,Firewall - Activities,,,,,,
24/11/2017 11:26:16 PM,Info,You allowed an application to access your network resources.,Allowed,No Action Required,,C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.17092.13511.0_x64__8wekyb3d8bbwe\Video.UI.exe,No Action Required,Allow,"192.168.0.8, 52549","Outbound TCP, https",
24/11/2017 11:26:16 PM,Info,You allowed an application to access your network resources.,Allowed,No Action Required,,C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.17092.13511.0_x64__8wekyb3d8bbwe\Video.UI.exe,No Action Required,Allow,"192.168.0.8, 52545","Outbound TCP, https",
24/11/2017 11:26:16 PM,Info,You allowed an application to access your network resources.,Allowed,No Action Required,,C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.17092.13511.0_x64__8wekyb3d8bbwe\Video.UI.exe,No Action Required,Allow,"192.168.0.8, 52546","Outbound TCP, https",
24/11/2017 4:45:04 PM,Info,Firewall rules updated ,Detected,No Action Required,Firewall - Activities,,,,,,
24/11/2017 4:45:04 PM,Info,You allowed Apple Software Update to access your network resources.,Allowed,No Action Required,,C:\Program Files (x86)\Apple Software Update\SoftwareUpdate.exe,No Action Required,Allow,"192.168.0.8, 50851","Outbound TCP, https",Apple Software Update
24/11/2017 4:15:54 PM,Info,User logged in. ,Detected,No Action Required,Firewall - Activities,,,,,,
24/11/2017 4:15:39 PM,Info,Firewall rules updated ,Detected,No Action Required,Firewall - Activities,,,,,,
24/11/2017 4:15:26 PM,Info,No user is logged in. ,Detected,No Action Required,Firewall - Activities,,,,,,
24/11/2017 4:13:00 PM,Info,Firewall rules updated ,Detected,No Action Required,Firewall - Activities,,,,,,
24/11/2017 4:13:00 PM,Info,You allowed AdwCleaner to access your network resources.,Allowed,No Action Required,,C:\Users\jennj\Desktop\AdwCleaner.exe,No Action Required,Allow,"192.168.0.8, 50190","Outbound TCP, https",AdwCleaner
24/11/2017 4:11:03 PM,Info,User logged in. ,Detected,No Action Required,Firewall - Activities,,,,,,

Category: Intrusion Prevention
Date & Time,Risk,Activity,Status,Recommended Action,IPS Alert Name,Default Action,Action Taken,Attacker URL,Category
25/11/2017 1:03:48 PM,High,An intrusion attempt was blocked.,Blocked,No Action Required,Web Attack : Malvertisement Website Redirect 21,No Action Required,No Action Required,https://deloton.com/afu.php?zoneid=1407888&var=1436082,
25/11/2017 12:03:00 PM,High,An intrusion attempt was blocked.,Blocked,No Action Required,Web Attack : Malvertisement Website Redirect 21,No Action Required,No Action Required,https://deloton.com/afu.php?zoneid=1407888&var=1436082,
25/11/2017 11:54:59 AM,High,An intrusion attempt was blocked.,Blocked,No Action Required,Web Attack : Malvertisement Website Redirect 21,No Action Required,No Action Required,https://deloton.com/afu.php?zoneid=1407888&var=1436082,
24/11/2017 11:14:53 PM,High,An intrusion attempt was blocked.,Blocked,No Action Required,Web Attack : Malvertisement Website Redirect 21,No Action Required,No Action Required,https://deloton.com/afu.php?zoneid=1407888&var=1436082,
24/11/2017 11:00:06 PM,Info,Intrusion Prevention has been enabled,Detected,No Action Required,,No Action Required,No Action Required,,Intrusion Prevention
24/11/2017 11:00:06 PM,Info,Intrusion Prevention Engine version: 8.0.2.12 Definitions Set version: 20171124.001,Detected,No Action Required,,No Action Required,No Action Required,,Intrusion Prevention
24/11/2017 11:00:06 PM,Info,Intrusion Prevention is monitoring network traffic. Driver version: 16.1.4.31,Detected,No Action Required,,No Action Required,No Action Required,,Intrusion Prevention
24/11/2017 10:40:01 PM,High,An intrusion attempt was blocked.,Blocked,No Action Required,Web Attack : Malvertisement Website Redirect 21,No Action Required,No Action Required,https://deloton.com/afu.php?zoneid=1407888&var=1436082,
24/11/2017 4:40:05 PM,High,An intrusion attempt was blocked.,Blocked,No Action Required,Web Attack : Malvertisement Website Redirect 21,No Action Required,No Action Required,https://deloton.com/afu.php?zoneid=1407888&var=1436082,
24/11/2017 4:23:26 PM,High,An intrusion attempt was blocked.,Blocked,No Action Required,Web Attack : Malvertisement Website Redirect 21,No Action Required,No Action Required,https://deloton.com/afu.php?zoneid=1407888&var=1436082,
24/11/2017 4:16:04 PM,High,An intrusion attempt was blocked.,Blocked,No Action Required,Web Attack : Malvertisement Website Redirect 21,No Action Required,No Action Required,https://deloton.com/afu.php?zoneid=1407888&var=1436082,
24/11/2017 4:15:48 PM,Info,Intrusion Prevention has been enabled,Detected,No Action Required,,No Action Required,No Action Required,,Intrusion Prevention
24/11/2017 4:15:48 PM,Info,Intrusion Prevention Engine version: 8.0.2.12 Definitions Set version: 20171123.001,Detected,No Action Required,,No Action Required,No Action Required,,Intrusion Prevention
24/11/2017 4:15:48 PM,Info,Intrusion Prevention is monitoring network traffic. Driver version: 16.1.4.31,Detected,No Action Required,,No Action Required,No Action Required,,Intrusion Prevention
24/11/2017 4:12:07 PM,High,An intrusion attempt was blocked.,Blocked,No Action Required,Web Attack : Malvertisement Website Redirect 21,No Action Required,No Action Required,https://deloton.com/afu.php?zoneid=1407888&var=1436082,

dbrisen
Malware Removalists

Posts: 3,688

Malware 21 Nov 25, 2017 13:28:13 GMT -8

Quote

Post by dbrisen on Nov 25, 2017 13:28:13 GMT -8

Please check out the Ad Blocker add-ins listed on this Mozilla page and see if adding one of these to Firefox stops the Norton warnings.

blog.mozilla.org/firefox/ad-blocker-roundup-5-adblockers-that-improve-your-internet-experience/

Also, on AdwCleaner - did you click on Clean or just Scan?

Last Edit: Nov 25, 2017 13:33:57 GMT -8 by dbrisen

I will not provide malware removal by PM; please post in your thread on the Malware Removal board.
My help is always free but if you would like to help encourage me or show your thanks -----> DONATE

spookisgirl
New Helpee

Posts: 9

Malware 21 Nov 25, 2017 16:40:19 GMT -8

Quote

Post by spookisgirl on Nov 25, 2017 16:40:19 GMT -8

I added all the add-ins and am still getting the warning.

I did both clean and scan. The only thing that comes up (and has come up) is a pup thing.

Here is the text from the most recent scan (I just did it again):

# AdwCleaner 7.0.4.0 - Logfile created on Sun Nov 26 00:32:32 2017
# Updated on 2017/27/10 by Malwarebytes
# Running on Windows 10 Home (X64)
# Mode: clean
# Support: www.malwarebytes.com/support

***** [ Services ] *****

No malicious services deleted.

***** [ Folders ] *****

No malicious folders deleted.

***** [ Files ] *****

No malicious files deleted.

***** [ DLL ] *****

No malicious DLLs cleaned.

***** [ WMI ] *****

No malicious WMI cleaned.

***** [ Shortcuts ] *****

No malicious shortcuts cleaned.

***** [ Tasks ] *****

No malicious tasks deleted.

***** [ Registry ] *****

Deleted: [Key] - HKLM\SOFTWARE\Classes\Interface\{7BCA6879-A9F8-47DE-AE05-F5CE7EA3A474}

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries deleted.

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries deleted.

*************************

::Tracing keys deleted
::Winsock settings cleared
::Additional Actions: 0

spookisgirl
New Helpee

Posts: 9

Malware 21 Nov 25, 2017 16:44:55 GMT -8

Quote

Post by spookisgirl on Nov 25, 2017 16:44:55 GMT -8

I also redid the first steps, as my norton deleted frst64 when it tried to do the repairs the first time (I redownloaded it and marked it as trusted in norton and did the clean steps again). I don't know if the txt files are the same, but here they are. FRST.txt (81.44 KB)

wikisend.com/download/466600/Addition.txt

spookisgirl New Helpee Posts: 9	Malware 21 Nov 30, 2017 9:05:13 GMT -8 Quote Select Post Deselect Post Link to Post Member Give Gift Back to Top Post by spookisgirl on Nov 30, 2017 9:05:13 GMT -8 HI, Am I out of options?

Post by spookisgirl on Nov 22, 2017 22:25:42 GMT -8

Post by dbrisen on Nov 24, 2017 0:23:14 GMT -8

Post by spookisgirl on Nov 24, 2017 16:22:16 GMT -8

Post by spookisgirl on Nov 24, 2017 16:22:53 GMT -8

Post by dbrisen on Nov 25, 2017 12:45:54 GMT -8

Post by spookisgirl on Nov 25, 2017 13:18:51 GMT -8

Post by dbrisen on Nov 25, 2017 13:28:13 GMT -8

Post by spookisgirl on Nov 25, 2017 16:40:19 GMT -8

Post by spookisgirl on Nov 25, 2017 16:44:55 GMT -8

Post by spookisgirl on Nov 30, 2017 9:05:13 GMT -8