picked up malware from amazon

Old 04-06-2020, 01:55 PM   #1
tierra (TSF Enthusiast) | Join Date: Nov 2007 | Location: Seattle, Washington, USA | Posts: 1,087 | OS: Windows 10 home premium 64-bit

Although I hate ordering from Amazon for multiple reasons, I had to yesterday. I was checking out and it asked me to add an add-on about delivery to my browser (Firefox) (since they never deliver as instructed and I rarely get my packages, I downloaded the add-on, but went to Firefox to get it). I scanned with Malwarebytes shortly after and it found a PUP and quarantined it.

I immediately tried to post, but every time I attached the FRST Addition.txt I would get this error message:


Sorry, you have been blocked
You are unable to access techsupportforum.com
Why have I been blocked?

This website is using a security service to protect itself from online attacks. The action you just performed triggered the security solution. There are several actions that could trigger this block including submitting a certain word or phrase, a SQL command or malformed data.
What can I do to resolve this?

You can email the site owner to let them know you were blocked. Please include what you were doing when this page came up and the Cloudflare Ray ID found at the bottom of this page.

Cloudflare Ray ID: 57f9755bbd99fdb1 Your IP: 174.21.149.170 Performance & security by Cloudflare

A different number later:

Cloudflare Ray ID: 57fe01a01a10fda5 Your IP: 174.21.149.170 Performance & security by Cloudflare

Then I tried to post without Addition.txt and pasted the FRST.txt, and got a similar error message without a number.

So, I can't seem to post any of the FRST results, without being barred from posting.

I do think I have a thumb drive with windows 10 on it.
Attached image: malwarebytes finds pup april 2020.png (19.5 KB)

Old 04-06-2020, 09:31 PM   #2
Gary R (Moderator, Security Team) | Join Date: Jul 2008 | Location: Yorkshire | Posts: 669 | OS: W8.1 x64, Mint Cinnamon 19.2 x64, MX Linux x64

Try zipping your FRST and Addition logs before attaching them to your next reply to this topic.

If you're still being blocked when you try to do this, please let me know.

On the matter of PUPs .... PUP stands for Potentially Unwanted Programs .... please note the word Potentially.

Not all PUPs are unwanted; some may actually be useful to some people, and it's up to the individual concerned to determine whether they are or not.

So just because Malwarebytes has detected one, does not necessarily mean that it needs removing.

You can set Malwarebytes just to warn you when it detects a PUP, that way you get to decide whether they get removed or not.

To do that ...
  • With Malwarebytes open, click on the Gearwheel to open Settings
  • Now click on Security
  • Scroll down to Potentially Unwanted Items
  • Change Detect Potentially Unwanted Programs (PUPs) from Always to Warn
Old 04-07-2020, 06:15 AM   #3
tierra (TSF Enthusiast) | Join Date: Nov 2007 | Location: Seattle, Washington, USA | Posts: 1,087 | OS: Windows 10 home premium 64-bit

Thank you Gary R!
Attached files: FRST.zip (17.0 KB), Addition.zip (7.7 KB)

Old 04-07-2020, 07:22 AM   #4
Gary R (Moderator, Security Team) | Join Date: Jul 2008 | Location: Yorkshire | Posts: 669 | OS: W8.1 x64, Mint Cinnamon 19.2 x64, MX Linux x64

Looking over your FRST logs now, I'll get back to you as soon as I've finished.
Old 04-07-2020, 07:40 AM   #5
Gary R (Moderator, Security Team) | Join Date: Jul 2008 | Location: Yorkshire | Posts: 669 | OS: W8.1 x64, Mint Cinnamon 19.2 x64, MX Linux x64

No signs of any Malware in your logs. There's a couple of files I'd like to run a scan on at VirusTotal just to make sure, but it is just a precaution, and I don't really expect either of them to test positive. There's also an ADS file running from a temp location that can be deleted. Files of this type are normally deleted by the program that created them, but in this case that doesn't appear to have happened, so we'll remove it with FRST.

So .....
  • Start FRST in a similar manner to when you ran a scan earlier, but this time when it opens ....
  • Press Ctrl+y (Ctrl and y keys at the same time)
  • A blank randomly named .txt Notepad file will open.
  • Copy and paste the following into it ....
Code:
VirusTotal: C:\WINDOWS\System32\drivers\BthA2dp.sys;C:\WINDOWS\system32\rdpnano.dll

AlternateDataStreams: C:\ProgramData\TEMP:5C321E34 [143]
  • Press Ctrl+s to save fixlist.txt
NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system
  • Now press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt in the same folder/directory as FRST64.exe
  • Please post me the log
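Gary R's fixlist does two things that FRST handles internally: it asks VirusTotal about two Windows system files, and it deletes a named alternate data stream (ADS) hanging off C:\ProgramData\TEMP. The PowerShell below is an added example for readers who want to see or repeat those checks by hand; it is not code from the thread or from FRST. It assumes Windows PowerShell 5.1 or later on Windows 10, run from an elevated prompt, and uses only the paths named in the fixlist. The VirusTotal lookup URL form is an assumption about VirusTotal's web UI; nothing in the script contacts VirusTotal.

```powershell
# Added example for this thread (not part of the original post and not FRST
# code). Assumes Windows PowerShell 5.1 or later on Windows 10, run from an
# elevated prompt so C:\ProgramData and the System32 files are readable.
# Nothing here talks to VirusTotal; the lookup URL form is an assumption
# about VirusTotal's web UI and is only emitted as text.

function Get-NonDefaultStream {
    # Enumerates alternate data streams on a file or a directory.
    # Every file has an unnamed ::$DATA stream, which is filtered out. A
    # directory normally has no data stream at all, so any stream on one
    # (like TEMP:5C321E34 in the fixlist) is worth inspecting.
    param([Parameter(Mandatory)][string]$Path)

    $item = Get-Item -LiteralPath $Path -ErrorAction Stop
    if (-not $item.PSIsContainer) {
        Get-Item -LiteralPath $Path -Stream * |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                [pscustomobject]@{ Path = $Path; Stream = $_.Stream; Length = $_.Length }
            }
        return
    }

    # Get-Item -Stream only supports directories from PowerShell 7.2 on, so
    # for a directory fall back to 'dir /r' on its parent, whose ADS lines
    # look like "        143 TEMP:5C321E34:$DATA".
    $parent = Split-Path -LiteralPath $Path -Parent
    $leaf   = Split-Path -LiteralPath $Path -Leaf
    cmd /c "dir /r /a `"$parent`"" | ForEach-Object {
        if ($_ -match '^\s+([\d,]+)\s+(.+?):([^:\\]+):\$DATA\s*$' -and $Matches[2] -ieq $leaf) {
            [pscustomobject]@{
                Path   = $Path
                Stream = $Matches[3]
                Length = [int64]($Matches[1] -replace ',', '')
            }
        }
    }
}

function Get-StreamBytes {
    # Reads an ADS as raw bytes so it can be inspected before it is deleted.
    # On Windows PowerShell 5.1 this works for streams on files; directory
    # streams need PowerShell 7.2+ here, or 'cmd /c more < "dir:stream"'.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Stream
    )
    if ($PSVersionTable.PSVersion.Major -ge 6) {
        Get-Content -LiteralPath $Path -Stream $Stream -AsByteStream -ReadCount 0
    } else {
        Get-Content -LiteralPath $Path -Stream $Stream -Encoding Byte -ReadCount 0
    }
}

function Remove-NamedStream {
    # Manual equivalent of one FRST 'AlternateDataStreams:' entry. Removes only
    # the named stream; the host file or directory is left in place. As with
    # Get-Content, directory streams need PowerShell 7.2 or later.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Stream
    )
    Remove-Item -LiteralPath $Path -Stream $Stream -ErrorAction Stop
}

function Test-SystemFileTrust {
    # Local check for the two files FRST sent to VirusTotal: an Authenticode
    # (or catalog) signature from Microsoft, plus the SHA-256 so the existing
    # VirusTotal report can be looked up by hash without uploading the file.
    param([Parameter(Mandatory)][string]$Path)
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLower()
    [pscustomobject]@{
        Path      = $Path
        SigStatus = $sig.Status                      # expect 'Valid'
        Signer    = $sig.SignerCertificate.Subject   # expect a Microsoft subject
        SHA256    = $hash
        VTLookup  = "https://www.virustotal.com/gui/file/$hash"   # assumed URL form
    }
}

# Walk-through mirroring the fixlist above.
$adsHost = 'C:\ProgramData\TEMP'
Get-NonDefaultStream -Path $adsHost | Format-Table -AutoSize

# Inspect, then remove, the stream named in the fixlist (only if it exists).
$ads = Get-NonDefaultStream -Path $adsHost | Where-Object { $_.Stream -eq '5C321E34' }
if ($ads) {
    $bytes = Get-StreamBytes -Path $adsHost -Stream $ads.Stream
    'Stream {0} holds {1} byte(s)' -f $ads.Stream, $bytes.Count
    Remove-NamedStream -Path $adsHost -Stream $ads.Stream
}

'C:\WINDOWS\System32\drivers\BthA2dp.sys',
'C:\WINDOWS\system32\rdpnano.dll' |
    ForEach-Object { Test-SystemFileTrust -Path $_ } | Format-List
```

Run this before the FRST fix if you want to know what the stream actually held: the enumeration step shows the 143-byte stream the fixlist names, the read step lets you look at it, and the removal step does what FRST's directive does. For the two system files, a signature status of Valid with a Microsoft signer is the local counterpart of the clean VirusTotal verdict Gary R reports later in the thread; the emitted hash lets you open the existing VirusTotal report without uploading anything from the machine.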
Old 04-07-2020, 10:20 AM   #6
tierra (TSF Enthusiast) | Join Date: Nov 2007 | Location: Seattle, Washington, USA | Posts: 1,087 | OS: Windows 10 home premium 64-bit

Thank you -- Gary R.

When I hit ctrl + s nothing happened. I tried several times.
Old 04-07-2020, 12:34 PM   #7
tierra (TSF Enthusiast) | Join Date: Nov 2007 | Location: Seattle, Washington, USA | Posts: 1,087 | OS: Windows 10 home premium 64-bit

Fix result of Farbar Recovery Scan Tool (x64) Version: 05-04-2020
Ran by 93 (07-04-2020 12:33:27) Run:1
Running from C:\Users\93\Desktop
Loaded Profiles: 93 (Available Profiles: 93 & 4 & Administrator)
Boot Mode: Normal
==============================================

fixlist content:
*****************
VirusTotal: C:\WINDOWS\System32\drivers\BthA2dp.sys;C:\WINDOWS\system32\rdpnano.dll

AlternateDataStreams: C:\ProgramData\TEMP:5C321E34 [143]
*****************

VirusTotal: C:\WINDOWS\System32\drivers\BthA2dp.sys => https://www.virustotal.com/file/8b0f...is/1586284653/
VirusTotal: C:\WINDOWS\system32\rdpnano.dll => https://www.virustotal.com/file/b281...is/1585955228/
C:\ProgramData\TEMP => ":5C321E34" ADS removed successfully

==== End of Fixlog 12:33:28 ====
Old 04-07-2020, 02:22 PM   #8
Gary R (Moderator, Security Team) | Join Date: Jul 2008 | Location: Yorkshire | Posts: 669 | OS: W8.1 x64, Mint Cinnamon 19.2 x64, MX Linux x64

Well, as I expected, the two files were clean, so unless you're experiencing any abnormal behaviour from your computer, I think it's reasonable to assume that you do not have an active infection on your machine.

We could run an online scan to double check if you wish, but I would be surprised if it found anything amiss. Please let me know if you want to do that.

If not ....

To uninstall FRST and remove all its files, please do the following ...
  • Rename FRST64.exe to Uninstall.exe
  • Double click on Uninstall.exe to launch it.
    • Your computer will reboot, and on reboot will remove FRST and all its files.
Old 04-07-2020, 02:40 PM   #9
tierra (TSF Enthusiast) | Join Date: Nov 2007 | Location: Seattle, Washington, USA | Posts: 1,087 | OS: Windows 10 home premium 64-bit

Thank you -- Gary R.

Since Malwarebytes quarantined the PUP the computer is a bit buggy. Should I un-quarantine it? Then uninstall it from add-ons?

Yes, I think I'd like to run an online (maybe after unquarantining the PUP and uninstalling just to be sure) -- I usually do ESET online monthly -- so would you recommend another or just ESET?
Old 04-07-2020, 02:53 PM   #10
Gary R (Moderator, Security Team) | Join Date: Jul 2008 | Location: Yorkshire | Posts: 669 | OS: W8.1 x64, Mint Cinnamon 19.2 x64, MX Linux x64

Yes, I'd unquarantine it first, and see if that improves your computer's stability. Once you've established that it does, then you can uninstall it from add-ons.

If your computer still acts buggy when you've unquarantined it, don't do anything else, just let me know.

ESET is the online scanner I would have recommended, so if you want to run a scan, and you're comfortable doing it without instruction from me, then by all means go ahead, and when finished post me the scan results.
Old 04-07-2020, 05:50 PM   #11
tierra (TSF Enthusiast) | Join Date: Nov 2007 | Location: Seattle, Washington, USA | Posts: 1,087 | OS: Windows 10 home premium 64-bit

Thank you -- Gary R.

I unquarantined the file; however, it disappeared, never showed back up as an add-on. I can't remember the correct Amazon add-on name, but only have a translation and security add-ons now, as usual.

I ran ESET online, and as you said the computer is clean.

I'll let you know if it still acts buggy; hoping it's OK.

Thank you very much.
Old 04-07-2020, 10:17 PM   #12
Gary R (Moderator, Security Team) | Join Date: Jul 2008 | Location: Yorkshire | Posts: 669 | OS: W8.1 x64, Mint Cinnamon 19.2 x64, MX Linux x64

OK. I'll leave this topic open for a couple of days, if you have any problems then come back to me and we'll explore the matter further.

If I haven't heard back from you by Friday then I'll close this topic.
Old 04-09-2020, 07:08 AM   #13
tierra (TSF Enthusiast) | Join Date: Nov 2007 | Location: Seattle, Washington, USA | Posts: 1,087 | OS: Windows 10 home premium 64-bit

Thank you very much -- Gary R.
Old 04-09-2020, 07:37 AM   #14
Gary R (Moderator, Security Team) | Join Date: Jul 2008 | Location: Yorkshire | Posts: 669 | OS: W8.1 x64, Mint Cinnamon 19.2 x64, MX Linux x64

You're welcome.
All times are GMT -7. The time now is 05:29 PM.

