DCOM and certificate issues?


74 replies to this topic

#1 originaljgf

Posted 03 August 2021 - 10:01 AM

Suspecting malware activity I started this in that forum section.  Apparently, thankfully, it doesn't seem to be malware and was advised to continue in this forum.  Rather than repeat everything, here are issues and what we've done so far (first post for problems, last couple for DCOM and certificate issues)

 

 

https://www.bleepingcomputer.com/forums/t/755730/possible-malware-interfering-with-internet/





#2 lmacri

Posted 04 August 2021 - 09:26 AM

Hi originaljgf:

 

I'm not trained to interpret Farbar Recovery Scan Tools (FRST) diagnostic logs, but I'll throw out a few comments that might point you in the right direction.

Since this computer hasn't been used for ~ 4 years, just be aware that Microsoft deactivated the Windows Update servers for Win XP and Vista on 03-Aug-2020, so expect to see an error if you run Windows Update on your computer now.  See the Microsoft support article Windows Update SHA-1 Based Endpoints Discontinued for Older Windows Devices for more information.

I'm not sure if this will help with certificate issues, but try the following.  Download the MicrosoftRootCertificateAuthority2011.cer file from http://go.microsoft.com/fwlink/?linkid=747875&clcid=0x409 and save it to the root C:\ directory of your computer (i.e., so the location is C:\MicrosoftRootCertificateAuthority2011.cer). Then open an elevated command prompt with Administrator rights (search for "Command Prompt" from the search box next to the Start button and choose Run as Administrator), and enter the command certutil -addstore "Root" "C:\MicrosoftRootCertificateAuthority2011.cer" (include the quotes) to apply the required trust certificate. Kudos to greenhillmaniac for posting about this fix in his 06-Apr-2020 post in the MSFN thread Certificate Trust Provider Error Installing Updates.

I doubt updating your trust certificates will solve all your problems (including your DCOM error).  If you haven't already done so, run a scan with the built-in System File Checker (SFC) utility to see if it can find any issues with your Windows system files. Open an elevated command prompt with Administrator rights and then enter the command sfc /scannow (note the space after "sfc"). Allow the scan to run to completion, and if it does not report "Windows Resource Protection did not find any integrity violations" as shown below then let us know the exact message displayed.

 

Attached File  SFC Scannow Administrator Vista 21 May 2017.png   11.6KB   0 downloads

You said you can't download Malwarebytes.  Did you download the installer for Malwarebytes v3.5.1 (the legacy version for Win XP and Vista) from https://www.bleepingcomputer.com/download/malwarebytes-anti-malware/dl/383/_legacy per the Malwarebytes FAQ <here>?

Are you using Firefox ESR v52.9.0 (the legacy version for Win XP and Vista, rel. 26-Jun-2018)?  Your FRST logs indicate that Firefox v28.0 is your default browser, which dates back to 18-Mar-2014. If required, full offline installers for FF ESR v52.9.0 (all languages and regions) are available at https://archive.mozilla.org/pub/firefox/releases/52.9.0esr/win32/ (note that 32-bit Firefox ESR is recommended for both 32-bit and 64-bit Vista SP2). If you want the English-US installer (Firefox Setup 52.9.0esr.exe), for example, choose the /EN-US subfolder at https://archive.mozilla.org/pub/firefox/releases/52.9.0esr/win32/en-US/.  I would recommend that you add the latest TLS 1.3 support to your Firefox ESR v52.9.0 browser [i.e., by changing security.tls.version.max to a value of 4 (TLS 1.3) in the advanced browser settings] as instructed in Martin Brinkmann's June 2017 ghacks.net article How to Enable TLS 1.3 Support in Firefox and Chrome and add a reputable ad blocker like Adblock Plus (https://addons.mozilla.org/en-US/firefox/addon/adblock-plus/) that still supports Firefox ESR v52.

If an upgrade to FF ESR v52.9.0 doesn't help I would suggest you create a new Firefox user profile using the Firefox Profile Manager (this will create a clean profile with no browser extensions but will keep your old profile intact if you want to switch back) and just run Firefox for a few days with nothing but the Adblock Plus extension installed to see how your browser behaves. If that helps you can recover your bookmarks from your old profile, if desired, and then start installing additional browser extensions in your new profile one-by-one to see how they affect the behaviour of your browser.

I've never used Kaspersky Free on my Vista machine, but I believe it was replaced by Kaspersky Security Cloud Free a few years ago (see my 21-Oct-2019 post <here> in the Norton Tech Outpost).  Unfortunately, the specs <here> indicate that Kaspersky Security Cloud requires Win 7 and higher.  You can still download an installer for Kaspersky Free 2018 v18.0.0.405 [the version recommended for Win XP and Vista machines with older CPUs that do not support SSE2 (e.g., Pentium III and older)] from the Kaspersky support article Compatibility of Kaspersky Applications with Windows XP (last updated 15-Jul-2021) and the support article Recommendations on How to Configure Kaspersky Products Under Windows XP / Vista / 7 was last updated 11-Jan-2021 so I assume that Kaspersky Free v18.0.0.405 should still receive regular virus definition updates on a Vista SP2 machine, but that's something you might want to confirm in the Kaspersky Free for Windows forum. I had a paid subscription for the legacy Norton Security v22.15.x when my Vista SP2 machine was my main computer and I was still using this machine online, but if you need a free replacement for Kaspersky I know that the legacy Avast Antivirus v18.8 is also a popular choice with current Vista SP2 users.

-----------
32-bit Vista Home Premium SP2 * Firefox ESR v52.9.0 * Malwarebytes Premium v3.5.1.2522-1.0.365
HP Pavilion dv6835ca, Intel Core2Duo T5550 @ 1.83 GHz, 3 GB RAM, NVIDIA GeForce 8400M GS

-----------
64-bit Win 10 Pro v20H2 build 19042.1110 * Firefox v90.0.2 * Microsoft Defender v4.18.2107.2 * Malwarebytes Premium v4.4.3.125-1.0.1387
Dell Inspiron 15 5584, Intel i5-8265U CPU, 8 GB RAM, Toshiba KBG40ZNS256G 256 GB NVMe SSD, Intel UHD Graphics 620


Edited by lmacri, 04 August 2021 - 09:45 AM.


#3 originaljgf

Posted 04 August 2021 - 03:27 PM

Thanks for the input.

 

First, everything on this system worked fine before I retired it (thought it had a bad mobo, was a coincidental two bad PS in a row).

 

Ran SFC a few weeks ago, no problems.

 

I've no idea what certificates are, or why suddenly they are an issue, but will try that file.

 

Auto-update has been disabled for ages.  No issues there.

 

Could not d/l Malwarebytes or ADWCleaner on the Vista system, d/l'd both on Win7 system, transferred to Vista on flashdrive, installed and ran fine.  When system first fired up, Kaspersky (v18.0.0.405 (m)) updated and did full scan, continues to check updates and scan daily.  Used Malwarebytes for 3-4 weeks, until trial expired;  it scanned daily.  Also could not d/l Java on Vista system, so d/l'd on Win7 and transferred.

 

Yes, using Firefox 28.0, it was the recommended legacy version when system last used.

 

To recap, the only "symptoms" of something amiss are:

- cannot connect to any microsoft site, even just microsoft.com merely gets a continuous loading circle on tab and a "waiting for microsoft.com" message in status bar

- can connect to Oracle but get a blank page with Oracle logo in upper left

- can connect to Malwarebytes and Java but cannot download from either

- every time I open Firefox, regardless of what other tabs were left pinned or open, a new tab opens to a site of Russian porn (I assume, NoScript blocks this so all I see is a blank white window with Cyrillic text, but the url has "porn.ru");  I can close this tab and no other signs of interference - no tool bars, no search redirects, no homepage hijack

- an online game I play is java based, with its own client so browser not involved, it partially loads then aborts with an error about resources not found

 

All this works fine on my Win7 system, and previously worked on Vista system,  both are hard-wired to same router.



#4 Abzyx

Posted 04 August 2021 - 03:38 PM

Hi lmacri:

FYI originaljgf had a thread in the Web Browsing/Email subforum last month, and has been advised that Firefox 52.9.0 was the last version to support Vista, among other things:

https://www.bleepingcomputer.com/forums/t/754304/trouble-installing-java-and-brave-browser/

There was an sfc /scannow in the malware removal thread. Windows Resource Protection found corrupt files but was unable to fix some of them.

If support for TLS 1.3 is important enough to mention, it follows that having a browser updated within the last 3 years must also be important. ESR 52 only had optional support for experimental draft 18, since the TLS 1.3 protocol was not finalized until after Mozilla ended support for Windows XP and Vista.
Patches? We don't need no stinkin Patches!

#5 originaljgf

Posted 04 August 2021 - 04:10 PM

The .cer file did its thing, got a message about "tokens match", no error notices.

 

SFC created a huge log file, will attach if possible

 

Attached File  CBS.log   1.74MB   6 downloads



#6 originaljgf

Posted 04 August 2021 - 04:12 PM

"Hi lmacri:

FYI originaljgf had a thread in the Web Browsing/Email subforum last month..."

 

 

Lol, yes, started there, was told should take issue to malware section, they said should take issue to Vista forum.  So here I am.



#7 Chris Cosgrove

Posted 04 August 2021 - 04:19 PM

One other - simple - thing to check. Are your date and time correct?  With the computer out of service for 4 years it is likely the CMOS battery has died and a dead CMOS battery can cause certificate errors. The fix is also fairly simple, fit a new battery. It's almost always a CR2032 and they are readily available and cheap, if you are charged much more than $US1 somebody's pricing is on the ambitious side!

 

Chris Cosgrove



#8 Abzyx

Posted 04 August 2021 - 06:09 PM

"Lol, yes, started there, was told should take issue to malware section, they said should take issue to Vista forum.  So here I am."


Actually you started with a post about a Java error in a game launcher back in June:

https://www.bleepingcomputer.com/forums/t/753037/java-error-in-game-launcher/

Are these certificate issues perhaps limited to Chrome and/or IE9 (neither of which included cipher suites for TLS 1.2 in those days), or do they also affect Firefox 28 (which should have some cipher suites, although they might be rather outmoded)?
Patches? We don't need no stinkin Patches!

#9 lmacri

Posted 04 August 2021 - 09:00 PM

... Ran SFC a few weeks ago, no problems....

 

... When system first fired up, Kaspersky (v18.0.0.405 (m)) updated and did full scan, continues to check updates and scan daily.  Used Malwarebytes for 3-4 weeks, until trial expired...

 

...Yes, using Firefox 28.0, it was the recommended legacy version when system last used...

 

....every time I open Firefox, regardless of what other tabs were left pinned or open, a new tab opens to a site of Russian porn...

Hi originaljgf:

 

Is there any reason why you don't want to update to Firefox ESR v52.9.0?  If you're having problems downloading files with your old Firefox v28 browser perhaps an update to Firefox ESR v52.9.0 will fix some of those problems.  Creating a new Firefox user profile as I suggested might also fix the issue with what sounds like a browser hijacker that is re-directing your browser to a porn site.

You said that you "Ran SFC a few weeks ago, no problems" but it looks like you have entries in your CBS.log file from a System File Checker (SFC) scan that was run today that detects all sorts of problems, including entries like this:

2021-08-04 17:01:30, Info                  CSI    0000024b [SR] Repairing corrupted file [ml:58{29},l:56{28}]"\??\C:\Windows\system32\wbem"\[l:24{12}]"Wdf01000.mof" from store
2021-08-04 17:01:30, Info                  CSI    0000024c WARNING: File [l:42{21}]"Wdf01000Uninstall.mof" in [l:56{28}]"\??\C:\Windows\system32\wbem" switching ownership


Entries in your CBS log date back to 2013, but entries related to System File Checker (SFC) will be tagged with the string "[SR]".  If you run the command findstr /c:"[SR]" %windir%\logs\cbs\cbs.log >%userprofile%\Desktop\SFCdetails.txt in an elevated command prompt this will extract the details of your SFC scan from CBS.log and save it to a file called SFCdetails.txt on your desktop that should be easier to read. Instead of re-typing this long command you can copy and paste it into your command prompt.

Again, I'm not trained to diagnose CBS.log files but the MS support article Analyze the Log File Entries That SFC.exe Generates in Windows has some basic information on interpreting the output. Your thread possible malware interfering with internet hasn't been closed yet so I'd suggest you post your SFCdetails.txt file there and see what nasdaq has to say.

Once the Malwarebytes Premium 14-day trial expires it just reverts to Malwarebytes Free, so you're still allowed to run manual on-demand scans.  Please run a new Threat Scan to see if it detects any issues on your computer (check the scan log just in case there's a recurring problem that reappears on your system after it's removed by Malwarebytes), and let us know if a FRST scan still reports that your Kaspersky Free is disabled now that the trial version of Malwarebytes Premium has expired. Note that I always have PUP and PUM (potentially unwanted programs and registry modification) detections set to "Warn User" so I can review any lower-risk malware that Malwarebytes detects before it's quarantined.

 

Attached File  Malwarebytes MB v3_5_1 Potential Threats PUPs PUMs Warn User.png   20.71KB   0 downloads
-----------
32-bit Vista Home Premium SP2 * Firefox ESR v52.9.0 * Malwarebytes Premium v3.5.1.2522-1.0.365
HP Pavilion dv6835ca, Intel Core2Duo T5550 @ 1.83 GHz, 3 GB RAM, NVIDIA GeForce 8400M GS

-----------
64-bit Win 10 Pro v20H2 build 19042.1110 * Firefox v90.0.2 * Microsoft Defender v4.18.2107.2 * Malwarebytes Premium v4.4.3.125-1.0.1387
Dell Inspiron 15 5584, Intel i5-8265U CPU, 8 GB RAM, Toshiba KBG40ZNS256G 256 GB NVMe SSD, Intel UHD Graphics 620



#10 originaljgf

Posted 05 August 2021 - 09:59 AM

C:\>findstr /c:"[SR]" %windir%\logs\cbs\cbs.log >%userprofile%\Desktop\SFCdetails.txt
FINDSTR: Cannot open Kat\Desktop\SFCdetails.txt

C:\



...more later

Edited by originaljgf, 05 August 2021 - 10:00 AM.


#11 lmacri

Posted 05 August 2021 - 12:23 PM

Hi originaljgf:

 

Throwing out a few more ideas ...

 

Are you still trying to fix your DistributedCOM (DCOM) errors?

 

I took a closer look at your DCOM errors in the FRST logs that you posted <here> and they all appear to be related to mobsync.exe (i.e., Happened while starting this command: C:\Windows\System32\mobsync.exe -Embedding).  See the 2010 How-To Geek article What is Mobsync.exe and Why Is It Running?. If you aren't using the Microsoft Sync Center there are instructions in that article for disabling this feature, which might resolve those particular DCOM errors.
 

... Cannot open Kat\Desktop\SFCdetails.txt ...

 

The SFC portion of your CBS.log file has several references to folder ownership problems, like the excerpt I referenced in post # 9:

2021-08-04 17:01:30, Info                  CSI    0000024b [SR] Repairing corrupted file [ml:58{29},l:56{28}]"\??\C:\Windows\system32\wbem"\[l:24{12}]"Wdf01000.mof" from store
2021-08-04 17:01:30, Info                  CSI    0000024c WARNING: File [l:42{21}]"Wdf01000Uninstall.mof" in [l:56{28}]"\??\C:\Windows\system32\wbem" switching ownership


A problem with C:\Windows\system32\wbem might indicate a corruption of your WMI (Windows Management Instrumentation) repository but before you go down that rabbit hole I'd suggest you create a new Windows user account with Administrator rights, log in with that new account, and then create a new SFCdetails.txt file as instructed in post # 9 to see if SFCDetails.txt can be opened from this new desktop.  See the BleepingComputer tutorial How to Create a New User Account in Windows 7 and Windows Vista.

 

I'm beginning to wonder now if you have a wider issue related to file and folder ownership.  I had a failed Windows Update mess up all the permissions in the Windows registry on my Vista machine years ago.  It took ages to find a fix so hope the same thing hasn't happened to you.

When you post back please let us know if you've noticed that your system clock is losing time, per Chris Cosgrove's excellent suggestion in post # 7 to check for a dying CMOS battery.

 

...  every time I open Firefox, regardless of what other tabs were left pinned or open, a new tab opens to a site of Russian porn (I assume, NoScript blocks this so all I see is a blank white window with Cyrillic text, but the url has "porn.ru");  I can close this tab and no other signs of interference - no tool bars, no search redirects, no homepage hijack...

Have you tried to clear your entire browsing history (History | Clear Recent History | Time Range to Clear | Everything)? See the Mozilla support article Delete Browsing, Search and Download History on Firefox.

 

Attached File  FF ESR v52_9_0 Clear All History 02 Aug 2019.png   15.33KB   0 downloads

 

It's always possible that an earlier scan by Kaspersky or Malwarebytes found and removed an active browser hijacker, but you might still have remnants that have to be manually removed. You confirmed that your home page hasn't changed in Firefox 28 but if you don't want to install Firefox ESR v52.9.0 and test with a new Firefox user profile (or even try a Firefox Refresh from Help | Troubleshooting Information | Refresh, which will remove your browser extensions and reset your custom settings to defaults without removing bookmarks, cookies, download and browsing histories, etc., which isn't going to help if any of these items still include remnants of a browser hijacker) then I'm not sure what else I can suggest that might stop this browser re-direct and/or get your downloads working correctly, short of a full system (Custom) scan with Malwarebytes Free v3.5.1.
----------
32-bit Vista Home Premium SP2 * Firefox ESR v52.9.0 * Malwarebytes Premium v3.5.1.2522-1.0.365
HP Pavilion dv6835ca, Intel Core2Duo T5550 @ 1.83 GHz, 3 GB RAM, NVIDIA GeForce 8400M GS

-----------
64-bit Win 10 Pro v20H2 build 19042.1110 * Firefox v90.0.2 * Microsoft Defender v4.18.2107.4 * Malwarebytes Premium v4.4.4.126-1.0.1413
Dell Inspiron 15 5584, Intel i5-8265U CPU, 8 GB RAM, Toshiba KBG40ZNS256G 256 GB NVMe SSD, Intel UHD Graphics 620


Edited by lmacri, 05 August 2021 - 12:27 PM.
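
An added example, not part of any post in the thread: a small Python triage of the SFC-related entries in CBS.log, built on the two entries quoted in posts #9 and #11. It goes slightly beyond the findstr /c:"[SR]" filter by also collecting the "WARNING: ... switching ownership" entries, which carry no "[SR]" tag; the "Cannot repair member file" wording, the third and fourth sample lines and all function names are assumptions made for the example.

```python
import re
from collections import Counter, namedtuple

# Constructed sample. Lines 1-2 are the two entries quoted in the thread.
# Line 3 uses an assumed "Cannot repair member file" wording with a made-up
# file and component name. Line 4 is a made-up non-SFC entry standing in for
# the years of unrelated servicing entries that fill the rest of CBS.log.
SAMPLE_LOG = r'''2021-08-04 17:01:30, Info                  CSI    0000024b [SR] Repairing corrupted file [ml:58{29},l:56{28}]"\??\C:\Windows\system32\wbem"\[l:24{12}]"Wdf01000.mof" from store
2021-08-04 17:01:30, Info                  CSI    0000024c WARNING: File [l:42{21}]"Wdf01000Uninstall.mof" in [l:56{28}]"\??\C:\Windows\system32\wbem" switching ownership
2021-08-04 17:01:31, Info                  CSI    0000024d [SR] Cannot repair member file [l:22{11}]"example.dll" of ExampleComponent
2013-05-02 09:14:07, Info                  CBS    Constructed unrelated servicing entry
'''

Finding = namedtuple("Finding", "timestamp category file directory has_sr_tag")

# "<date> <time>, <level>   <source>   [<8 hex digit sequence> ]<message>"
ENTRY_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}), \w+\s+\w+\s+'
    r'(?:[0-9a-f]{8} )?(?P<msg>.*)$')

# A counted string such as [l:24{12}]"Wdf01000.mof", optionally with an ml: part.
NAME_RE = re.compile(r'\[(?:ml:\d+\{\d+\},)?l:\d+\{\d+\}\]"([^"]*)"')


def strip_nt_prefix(path):
    r"""Turn \??\C:\Windows into C:\Windows."""
    return path[4:] if path.startswith("\\??\\") else path


def classify(msg):
    """Return (category, file, directory) for entries worth reviewing, else None."""
    names = NAME_RE.findall(msg)
    if "[SR] Repairing corrupted file" in msg and len(names) >= 2:
        # Directory comes first, then the file name.
        return "repaired", names[1], strip_nt_prefix(names[0])
    if "[SR] Cannot repair member file" in msg and names:
        return "unrepaired", names[0], None
    if (msg.startswith("WARNING:") and "switching ownership" in msg
            and len(names) >= 2):
        # File name comes first, then the directory.
        return "ownership", names[0], strip_nt_prefix(names[1])
    return None


def triage(log_text):
    """Collect repair, cannot-repair and ownership entries from CBS.log text."""
    findings = []
    for line in log_text.splitlines():
        entry = ENTRY_RE.match(line)
        if not entry:
            continue
        hit = classify(entry.group("msg"))
        if hit:
            findings.append(Finding(entry.group("ts"), *hit, "[SR]" in line))
    return {
        "counts": Counter(f.category for f in findings),
        "findings": findings,
        # Entries a plain "[SR]" text filter would never show.
        "missed_by_sr_filter": [f for f in findings if not f.has_sr_tag],
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for f in result["findings"]:
        tag = "" if f.has_sr_tag else "  (no [SR] tag)"
        print(f.timestamp, f.category, f.file, f.directory or "-", tag)
    print(dict(result["counts"]))
```

Run against a copy of %windir%\logs\cbs\cbs.log, triage() reads the text directly, so no output redirection is involved; an unquoted >%userprofile%\... target is split by cmd.exe at the first space in the profile path, which is consistent with the "Cannot open Kat\Desktop\SFCdetails.txt" message in post #10.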


#12 Abzyx

Posted 05 August 2021 - 02:06 PM

The topic is rather unclear now. Supposing all corruption can be identified, what then? If a backup image was created prior to corruption, then by all means restore from it! My days of suggesting clean installs of Vista are long gone. A clean install of Windows 7 was suggested and rejected in your browser thread.

Regarding porn.ru: You stated in your browser thread that this issue began when your Flagfox addon updated, so you might want to try disabling or removing this addon. (As I have mentioned before, Flagfox has required Firefox 60 and newer for at least two years, so you probably did not actually get an update.)

As for Kaspersky being reported as Disabled, that might be a problem with Security Center. Have you tried opening Control Panel > Security Center to see for yourself? Did you perhaps deliberately disable Security Center to avoid annoying system tray notifications?
Patches? We don't need no stinkin Patches!

#13 lmacri

Posted 06 August 2021 - 09:41 AM

...Regarding porn.ru: You stated in your browser thread that this issue began when your Flagfox addon updated, so you might want to try disabling or removing this addon. (As I have mentioned before, Flagfox has required Firefox 60 and newer for at least two years, so you probably did not actually get an update.)...

Hi originaljgf:
 

Further to Abzyx's comments, I counted 33 browser extensions in your Firefox 28 browser, most of which are no longer compatible with either Firefox 28 or Firefox ESR v52.9.0, including Ghostery (requires FF68+), NoScript (requires FF59+) and GreaseMonkey (requires FF57+).   The fact that you still have an outdated Adobe Flash Player plugin in your current Firefox profile is also concerning given that Adobe officially ended all support for Flash on 31-Dec-2020 (see the official announcement Adobe Flash Player EOL General Information Page which recommends that all users remove the Flash Player plugin from their browsers).  Your re-directs are happening in an old Firefox 28 browser (i.e., missing 4 years of security patches included in FF ESR v52.9.0) and blocked by an outdated NoScript browser extension, which is why I suggested you update to FF ESR v52.9.0 and test with a new Firefox user profile (which won't delete your old profile) with nothing but Adblock Plus (requires FF52+) installed.  If you know the full URL of the porn site that your old NoScript extension is blocking (e.g., www.porn.ru) also note that there is a browser extension called Block Site (requires FF48+) that might be able to block this site if you upgrade to FF ESR v52.9.0 - see the How-To Geek article How to Block a Website in Mozilla Firefox.
___________________________________________

Two things you might be able to clarify for me. Is your Firefox browser configured to save downloads to M:\ drive by default (your FRST log says "FF DownloadDir: M:\downloads" but I don't see an M: drive in your list of drives), and can you successfully download files with your Firefox browser if you save them to your desktop?

Also, what software were you using that created 1300+ entries in your Hosts file (perhaps the ToolBiz KSafeDisk PUP that nasdaq removed from your system)?  I used to use SpyBot Search & Destroy on my Vista SP2 machine years ago that could "immunize" your computer by adding restricted sites to the Hosts file but that's an old method for site blocking that has gone out of favour (these static lists quickly go out-of-date since malicious sites frequently change their URL) now that reputable ad blocker extensions like Adblock Plus and uBlock Origin can also be configured to block malicious sites.  Whatever software you were using also seems to have "immunized" your IE9 browser as well, which has 7000+ URLs that have been blocked (or allowed as a trusted site, which is somewhat concerning) in your browser site permissions.

If NoScript can show you the full URL of the porn site it's blocking (e.g., www.porn.ru) open your Hosts file in Notepad and search to see if the URL is blocked there.  If not, go ahead and add that URL to your Hosts file to see if that stops the re-directs.  See the Help Desk Geek article How To Block Websites On Windows Using The Hosts File for instructions. Since NoScript is blocking this re-direct I would normally suggest that you uninstall Java just in case you have Java-based malware on your system, but you've said you need Java to run older games on your Vista SP2 machine.

 

Site blocking might solve your immediate re-direct problem, but I wouldn't stop there.  It's much better if you can find the root cause of this browser re-direct and find the malware (or its remnants) that has infected your system.
----------
32-bit Vista Home Premium SP2 * Firefox ESR v52.9.0 * Malwarebytes Premium v3.5.1.2522-1.0.365
HP Pavilion dv6835ca, Intel Core2Duo T5550 @ 1.83 GHz, 3 GB RAM, NVIDIA GeForce 8400M GS

-----------
64-bit Win 10 Pro v20H2 build 19042.1110 * Firefox v90.0.2 * Microsoft Defender v4.18.2107.4 * Malwarebytes Premium v4.4.4.126-1.0.1413
Dell Inspiron 15 5584, Intel i5-8265U CPU, 8 GB RAM, Toshiba KBG40ZNS256G 256 GB NVMe SSD, Intel UHD Graphics 620


Edited by lmacri, 06 August 2021 - 09:49 AM.


#14 originaljgf

Posted 06 August 2021 - 12:36 PM

Thanks to everyone for the input.
 
"Is there any reason why you don't want to update to Firefox ESR v52.9.0? "
 
I proceed a step at a time.  When SFC reports problems I prefer to address that before moving to other issues.
 
"Are you still trying to fix your DistributedCOM (DCOM) errors?"
 
I wasn't aware of DCOM issues until they were mentioned in the malware forum.  I've no idea what DCOM is, and obviously have never tweaked it.  I read the instructions at the link provided, but what was, or wasn't, in my DCOM was different enough from that described in the article that I paused there awaiting further instruction.  (For example, the last step was to edit a certain item in DCOM config, that item does not exist in my DCOMconfig.)
 
"Further to Abzyx's comments, I counted 33 browser extensions in your Firefox 28 browser, most of which are no longer compatible with either Firefox 28 or Firefox ESR v52.9.0..."
 
All installed ages ago without problem, so I assume it is new versions not compatible with Firefox28;  and Firefox will not install "incompatible" plugins (without hacking, which I've not done on this system).
 
"what software were you using that created 1300+ entries in your Hosts file"
 
There is a long string under the heading of "block youtube ads";  another long string under a heading of "Anti-WebMiner", yet another under "BlockPUPs".  This seems to be actively edited, the timestamp frequently changes;  size is around 34k (have a 5k backup dated 1/2017, and apparently an original, 1k in size, dated 9/2006 but backed up 5/2011).
 
"If NoScript can show you the full URL of the porn site it's blocking (e.g., www.porn.ru) open your Hosts file in Notepad and search to see if the URL is blocked there.  If not, go ahead and add that URL to your Hosts file to see if that stops the re-directs. "
 
I can easily see the address in the url bar hxxxx hd.lenkino.porn/russian....delete or edit if not acceptable to post), but some new info - I also use Accuweather, checking it today it displayed New York weather; I checked options, they still showed Ohio;  back to the map, select "change location" and a new tab opens ... to that porn site, but with "#location" appended to "russian".  Adding that url to the hosts file 127.0.0.1 had no apparent effect.

Mod Edit:  Neutralized potentially malicious link - Hamluis.
 
"Whatever software you were using also seems to have "immunized" your IE9 browser as well..."
 
FWIW, I've not used IE in over twenty years, installed IE9 because told it was necessary for newer Java, never even ran it.
 
If this is of any help, I also have K-meleon browser (looks to be V75.0);  I can access Microsoft and Malwarebytes on it (at least I could this morning) but not Oracle or Java.
 
"Is your Firefox browser configured to save downloads to M:\ drive by default (your FRST log says "FF DownloadDir: M:\downloads" but I don't see an M: drive in your list of drives)"
 
M: is a partition of a secondary HD not currently installed, it is essentially a "warehouse" of graphic, sound, video, and archive files (there's also an L: partition with some games and around 100gig of scenery files for MS FlightSim);  I mentioned this in the malware forum in case anything pointed to either partition and was told they were only concerned with the C: drive.   Anything I download now just goes to the default user download folder.
 
"A clean install of Windows 7 was suggested and rejected in your browser thread."
 
If that were a viable option I'd have done that from the start (except for validation - Microsoft would have an apoplectic seizure from losing so much income to me installing two copies of an obsolete OS from one disc).  And my preference would be to just let a local shop build a new system for me (though no doubt they would balk at Win7 x64), but this would cost as much as my pending MRI, which I've been postponing.  So this ancient Vista system must serve while I gather components for its replacement.
 
"...but you've said you need Java to run older games on your Vista SP2 machine"
 
Actually just one online game that has been around over ten years but is updated every Sunday afternoon.  I currently play on this old laptop whose vid card is dying, stuck in PCIe 1 it is excruciatingly slow in any 3D applications, especially with OGL which java demands, so driver crashes and java crashes are frequent.  Hence the Vista system as interim since I've no idea how much life is left in this laptop (I'm certainly not going to buy another eight year old used vid card to replace my eight year old vid card).
 
So, should we pursue the SFC issues,  the DCOM issues,  or the browser issues first?


Edited by hamluis, 06 August 2021 - 04:34 PM.
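
An added example, not from any poster: a Python audit of a hosts file for the checks raised in posts #13 and #14, namely whether a given host name is actually sinkholed and whether any entry points a name at a remote address. It assumes the standard "address name [name ...] # comment" layout; the sample file, its host names and addresses, and the function names are constructed placeholders.

```python
import ipaddress

# Constructed sample hosts file; every name and address below is a placeholder.
SAMPLE_HOSTS = """\
# Constructed sample, not the file from the thread.
127.0.0.1       localhost
::1             localhost
# BlockPUPs
0.0.0.0         ads.blocked.example tracker.blocked.example
127.0.0.1       Miner.Blocked.Example   # trailing comment
# entry pasted as a URL instead of a host name
127.0.0.1       http://video.blocked.example/page
# name pointed at a remote machine
203.0.113.10    update.vendor.example
not-an-ip       broken.example
"""


def parse_hosts(text):
    """Yield (line number, address, [names]) for each non-comment entry."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            yield lineno, fields[0], fields[1:]


def audit_hosts(text):
    """Sort entries into sinkholed names, remote redirects and malformed lines."""
    report = {"sinkholed": set(), "redirected": {}, "malformed": []}
    for lineno, addr, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            report["malformed"].append((lineno, "bad address: " + addr))
            continue
        for name in names:
            lowered = name.lower()
            if lowered == "localhost":
                continue  # the normal loopback entries, not a block
            if "/" in name or ":" in name:
                # A scheme or path means this is a URL; the resolver only
                # compares host names, so the entry blocks nothing.
                report["malformed"].append((lineno, "not a host name: " + name))
            elif ip.is_loopback or ip.is_unspecified:
                report["sinkholed"].add(lowered)
            else:
                # The name resolves to another machine: review these first.
                report["redirected"][lowered] = addr
    return report


def is_blocked(report, hostname):
    """True only for an exact, case-insensitive host name match."""
    return hostname.lower().rstrip(".") in report["sinkholed"]


if __name__ == "__main__":
    rep = audit_hosts(SAMPLE_HOSTS)
    print("sinkholed :", sorted(rep["sinkholed"]))
    print("redirected:", rep["redirected"])
    for lineno, problem in rep["malformed"]:
        print("line", lineno, "-", problem)
    for host in ("ads.blocked.example", "cdn.ads.blocked.example",
                 "video.blocked.example"):
        print(host, "blocked" if is_blocked(rep, host) else "NOT blocked")
```

Hosts entries match whole host names only, so a line that contains a URL with a scheme or path, or that names only the parent domain, does not cover the address shown in the browser.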


#15 Abzyx

Posted 06 August 2021 - 05:52 PM

The trouble with pursuing the sfc issues is that there is probably no solution short of a clean install. lmacri will probably continue to write about Firefox 52.9.0 until you install it, although her security argument seems rather ridiculous to me, since ESR 52 has not been patched in more than 3 years now. Most forum members would tell you that running Windows 7 is a big security risk now, even though it is still supported by every browser and antivirus in the world (except Microsoft's latest security software that is only available for Windows 10). But as I mentioned in your browser thread last month, Firefox 52 has a somewhat newer JavaScript engine. I learned from discussions of a browser called New Moon 27 (forked from Firefox 38) that its JavaScript engine is inadequate for many modern websites, and the same must also be true of Firefox 28. You may worry that you would never be able to find compatible versions of all the addons you used in the past, and that is probably correct! As I mentioned last month, it is still possible to get a version of NoScript Classic (5.1.9) that should work on Firefox 52. However, I did not fail to notice last month that you were more interested in getting a Java game to work than in upgrading your Firefox. Sorry I could not solve that problem. It now seems quite possible that OS corruption is preventing you from playing that game, although we may never really know.
Patches? We don't need no stinkin Patches!



