Note: I am indeed researching cryptomining, I am aware of those two files on the desktop.
No idea about the file in Chrome data. Could it be an interrupted download?
Let it be known that it doesn’t detect a miner available on this system.
I want to be clear. Rana never had any issue up to a few days ago, when it started preventing access to google and a few other sites. I had a boot scan with avast and it cleaned Somoto. The problem arose again after some hours. After each cleaning so far I have been granted some hours of functional internet.
Browsers work as expected on Rana right now - Q6600 is isolated and I have taken precautions to ensure it is not accidentally connected.
Results of screen317's Security Check version 0.99.82
Windows 7 Service Pack 1 x64 (UAC is enabled)
Internet Explorer 11
[b][u]``````````````Antivirus/Firewall Check:``````````````[/b][/u]
avast! Antivirus
[b]Antivirus out of date![/b]
[b][u]`````````Anti-malware/Other Utilities Check:`````````[/b][/u]
Adobe Flash Player 13.0.0.206
Adobe Reader XI
Mozilla Firefox (29.0)
Google Chrome 34.0.1847.131
[b][u]````````Process Check: objlist.exe by Laurent````````[/b][/u]
AVAST Software Avast AvastSvc.exe
AVAST Software Avast afwServ.exe
AVAST Software Avast AvastUI.exe
[b][u]`````````````````System Health check`````````````````[/b][/u]
Total Fragmentation on Drive C: 0%
[b][u]````````````````````End of Log``````````````````````[/b][/u]
As your message previously stated to let ESET run with no AV, I left it disabled. I hope that's the reason it is reported as outdated; I'm fairly sure I got an update notice just a few minutes before shutting it down.
I'm inclined to believe I might be safe for now. Let's see how it goes in the next few hours.
I cannot believe what I just got :o
Rana worked perfectly for hours. Then I noticed a hiccup while surfing one of my trusted sites. I pointed the browser to google and facebook and they were blocked. Reloading the button took me to the fake site. I suppose it might be useful to see it.
I have taken a screenshot of my recently visited pages, albeit I don’t trust it as I think I’ve read somewhere it can be manipulated easily. I would try replicating but for the time being I’m back on the issue.
As a side note, I found Avast browser plugin to be shutdown.
I haven’t shut down the browser and went to write this immediately.
Please download FRST (by Farbar) from the link below and save it to your Desktop.
Download Mirror #1
If you are unsure whether you have 32-Bit or 64-Bit Windows, see here
[*]Disable all anti-virus and anti-malware software to prevent them inhibiting FRST in any way. If you are unsure how to do this, see THIS.
[*]Double-click FRST.exe/FRST64.exe (depending on which version you downloaded) to run it. (if you have Windows Vista / Windows 7 / Windows 8: Please do a Right click on the FRST icon and select Run as Administrator)
[*]When the disclaimer appears, click Yes.
[*]Click Scan to start FRST.
[*]When FRST finishes scanning, two logs, FRST.txt and Addition.txt will open.
[*]Copy (Ctrl+C) and Paste (Ctrl+V) the contents of both of these logs into your next post please.
Ok, I ran the tool as admin (but from my download directory).
I just hit scan as instructed.
I won’t paste the contents here as they are too big.
Seeing AMD whitelisted, I think it's worth noting that AMD.com might be somehow involved.
It is in the list of sites I consider trustworthy, but also in the list of sites I visited some hours ago.
So far I’ve tried to replicate in SafeZone with no success.
Download attached fixlist.txt file and save it to the Desktop.
NOTE. It's important that both files, FRST/FRST64 and fixlist.txt, are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
Run FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally.
After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt).
Please post it to your reply.
Then,
[*]Run FRST. (if you have Windows Vista / Windows 7 / Windows 8: Please do a Right click on the FRST icon and select Run as Administrator)
[*]Click Scan to start FRST.
[*]When FRST finishes scanning, a log, FRST.txt, will open.
[*]Copy (Ctrl+C) and Paste (Ctrl+V) the contents of this log into your next post please.
Those two files are a game I have tested for a fellow user in a forum I participate in. It didn't require an install and it didn't require elevated privileges. This user is a long-standing forum contributor but I wouldn't have given it privileges anyway.
Unfortunately, virtual machines and 3D graphics don’t quite mix for the time being.
If he has been building this, then it's sure a hell of a well-designed vector, as the game looks like no joke. Be warned it will make your eyes bleed.
I think I ran it the first time somewhere about 20 days ago. I could try to dig some notes from my daily scratchpads if you want more info. Beta 7 has been run Monday 05, probably in the morning. I am 100% sure google and facebook were not accessible at the time from Rana but maybe Q6600 could still get to them. Rana had this "Flash pro" issue first.
[b]Fixlog.txt[/b]
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 07-05-2014
Ran by settaggi at 2014-05-07 18:59:41 Run:2
Running from C:\Users\massimo\Desktop\frst64
Boot Mode: Normal
==============================================
Content of fixlist:
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File
FF Plugin: @microsoft.com/GENUINE - disabled No File
Folder:C:\Program Files\Microsoft Research
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} => Value deleted successfully.
HKCR\CLSID{CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} => Key not found.
HKLM\Software\MozillaPlugins\FF Plugin: @microsoft.com/GENUINE - disabled No File => Key not found.
“FF Plugin: @microsoft.com/GENUINE - disabled No File” => not found.
========================= Folder:C:\Program Files\Microsoft Research ========================
Directory Not Found
==== End of Fixlog ====
I will post the result of the scan in a few minutes.
EDIT: I forgot to add a note - you might have got from the log anyway.
Since the instruction didn’t specify to run the fix as admin, I didn’t run it elevated. It would fail to delete the key and list all the rest. Failure log attached.
After yesterday's fix, I disconnected Rana from the network. I still had a few things to do however.
This morning, I logged in and launched Chrome.
I had to fiddle a bit with the screenshots to have them fit the attach limit.
[ol]- In the first attachment we see in order: (A) state of google chrome v34 at startup. It can navigate to most of the sites I visit; however (B) results of navigating to google.com or facebook.com, the javascript box is indeed embedded in the fetched HTML. (C) Sites using (adwords? analytics?) are also corrupted. This is a more widespread phenomenon. Sometimes the error is contained in an iframe. (D) Some sites I visited to produce the above screenshots.
Firefox (note a new version had been rolled out in those days, running v29) seems somewhat more resistant. In general the various search providers are either broken or result in the injected page.
In general, both browsers appear quite slower than usual, especially in the initial connection steps. Safezone chromium is way faster.[/ol]
I think I have no problems outside the browsers.
Do you think it could be useful to have a wireshark capture?
For the time being, I did a netstat to see if there's something going on in the network. I don't think I'll find anything since I believe this issue to be local but I'll run a few checks anyway.
I believe each fix worked so far… until reboot, but since I have not tested the internet connection after yesterday's fix I cannot be sure.
I came back to my PC after lunch.
The browsers are functional.
I think the malware or whatever it is might have updated to be less invasive and thus go along with habits.
Hello Machiavelli, thank you very much for your help. You’re providing incredible value to this community and so much help to me.
Unfortunately, this afternoon facebook.com is blocked. Verified it works in safezone. I am not aware whether it worked this morning as I have to finish a thing before tomorrow morning and I've got so little time.
Other sites appear functional, including google.com and the guru3d article I tested yesterday.
At this point I’m very surprised.
I would consider a full wipe at this point but I suppose I could keep this going to better understand what’s going on, in case it comes useful for someone else in the future. For the rest, the system appears functional, with the only notable exception of a debugging tool I use (I suspect it needs elevation but I haven’t checked as I seldom require that specific function).
:o
My VMWare Virtual Machine running Ubuntu 12.10 cannot access google.com nor gmail!
Of course the site proposed download of a .exe. How naive. Clicking on it, avast blocked (from the host OS) the download.
This explains why our efforts in finding the problem have been so unfruitful. I am now considering asking a friend to lend me his modem for a few days or perhaps moving my machine to another network at a friend of mine.
Now the question is: how can safezone be immune? Perhaps it uses encrypted traffic?
What I mean is: no matter what URL I put in safezone chromium address bar, it never reproduces the problem and it seems to work just fine.
I considered this thing might be locked on Rana's IP/MAC so I also tried setting up the vmware supervisor to provide direct network access to the VM (instead of NAT in Rana).
Pinging google.com from NAT’d Ubuntu produces 192.99.14.132 as a result, resolved to ns233431.ip-192-99-14.net, this seemed wrong. Maybe it’s just a result of NATing, but doing the same using the bridged virtual machine produced 151.49.136.50, which I suspect to be correct.
Surprisingly, the bridged VM seems to be unable to access any site albeit I don’t remember setting up filters in my router (it should just give away full features to whatever manages to get in the network).
I'm afraid I'll have to wait till Monday to get another look at this. The fact that I won't be able to fix this by just wiping clean my disks is fairly scary.
No need to apologize. You have difficulty understanding because I don’t have a clear vision as a start!
Today, I was supposed to use a Linux liveCD to see if I can replicate the problem.
It's still in the todo list, but I think it will replicate. I found out that on DHCP the router pulls out a different server as primary DNS, IP is 128.199.225.64, some tools report it to be in Singapore. I cannot quite read the results of the tracert, but the ping time definitely looks like we're going to the other side of the world.
UPDATE
Partially replicated under Ubuntu 12.10 live CD, DHCP server is (as expected) pulled out wrong.
Strangely, it does not prevent access to the blocked sites but given the delay in loading, I’d say the server is still getting the requests. This is indeed a major privacy problem since we have no idea who’s holding the data and for what purpose.
I would like to check out my router settings but all the passwords I have tried failed to log me in. There’s always the chance I changed the router password and forgot it but I suspect it might have been changed.
I’m going to reset my router in the next few hours. I also believe I could flash it to latest firmware.
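The rogue-resolver diagnosis in the last posts (a DHCP-pushed DNS server far from the ISP, answering google.com with 192.99.14.132 instead of 151.49.136.50) can be checked mechanically before touching the router. This is an added example, not code from the thread: it parses `ipconfig /all` style output (the excerpt below is constructed), flags resolvers outside the networks the user expects, and compares a suspect resolver's answers against a trusted one; the lookup tables stand in for live queries and reuse only the addresses the poster reported.

```python
"""Audit DHCP-assigned DNS resolvers against a trusted one. Added example for this
thread; sample data is constructed, reusing the addresses the poster reported."""
import ipaddress
import re

# Constructed excerpt in the style of `ipconfig /all` on Windows 7.
IPCONFIG_SAMPLE = """
Ethernet adapter Local Area Connection:
   DHCP Enabled. . . . . . . . . . . : Yes
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 128.199.225.64
                                       192.168.1.1
"""

def parse_dns_servers(text):
    """Collect the 'DNS Servers' entry and its indented continuation lines."""
    servers, collecting = [], False
    for line in text.splitlines():
        m = re.match(r"\s*DNS Servers[ .]*:\s*(\S+)", line)
        if m:
            servers.append(m.group(1))
            collecting = True
            continue
        m = re.match(r"\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$", line) if collecting else None
        if m:
            servers.append(m.group(1))
        else:
            collecting = False
    return servers

def rogue_resolvers(servers, trusted_networks):
    """Resolvers outside the networks we expect (our LAN, our ISP's ranges)."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    return [s for s in servers if not any(ipaddress.ip_address(s) in n for n in nets)]

def disagreements(names, suspect_lookup, trusted_lookup):
    """Canary names whose answer from the suspect resolver is not among the trusted answers."""
    return {name: (suspect_lookup(name), sorted(trusted_lookup(name)))
            for name in names if suspect_lookup(name) not in trusted_lookup(name)}

# Constructed lookup tables standing in for real queries sent to each resolver.
SUSPECT_ANSWERS = {"google.com": "192.99.14.132", "example.net": "203.0.113.7"}
TRUSTED_ANSWERS = {"google.com": {"151.49.136.50"}, "example.net": {"203.0.113.7"}}

def audit(ipconfig_text=IPCONFIG_SAMPLE, trusted_networks=("192.168.1.0/24",)):
    """Report rogue resolvers and the canary names they answer differently."""
    servers = parse_dns_servers(ipconfig_text)
    rogue = rogue_resolvers(servers, trusted_networks)
    diffs = disagreements(sorted(SUSPECT_ANSWERS), SUSPECT_ANSWERS.__getitem__,
                          TRUSTED_ANSWERS.__getitem__) if rogue else {}
    return {"servers": servers, "rogue": rogue, "disagreements": diffs}
```

On a live box the two lookup tables would be replaced by queries pinned to each resolver; a non-empty `rogue` list with disagreements on well-known names is the signature of the DHCP/DNS hijack described above.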