Can't figure out how to clean out malware infection

DaRuSsIaMaN ([H]ard|Gawd, joined Apr 22, 2007, 1,216 messages)
I have Heimdal Security & Avast AV installed on both my desktop as well as my laptop. (These are not two anti-virus programs; Heimdal is supposed to complement any proper anti-virus.) On both I keep getting the following symptom intermittently. Heimdal pops up a notification telling me that it blocked something, and there's always two of them: one for popcash.net and one for onclickads.net. You can see the log below:

[Image: Heimdal log.png]

By the way, Heimdal does nothing to actually clean out any problems; its purpose is only to help block things. Anyway, when I do a Wi-Fi Inspector scan via Avast, it identifies my PC as having a problem and tells me that I have a DNS hijack.

[Image: Avast network scan.png]

Clicking on the Vulnerability ID brings up a page where Avast claims that my router is infected. However, I'm doubtful that this is accurate, because I checked my router settings, and none of my DNS stuff is out of order. Also, the network scan actually identified this problem on my computer, NOT on my router. So Avast seems to be contradicting itself here.

Also, before I installed Heimdal, which was not that long ago actually (several months?), I never experienced any issues. No random redirects of my browser, nothing else suspicious.

What's going on here and how to fix?
 
Give ClamAV a shot

If a no go there, maybe a reinstall of the OS is in order? Depending how worried you are about the infection: a new hard drive and/or new hardware
 
Thanks for the suggestions, everyone. I tried ClamAV but it doesn't work. The image doesn't boot off the flash drive even though the website claims that:
"The Antivirus Live CD ISO images are fully compatible with UNetbootin, which can be used to create an easy-to-use Antivirus Live USB."

Nope. No directions for which distro to use. I used the directions given here at UNetbootin, and nothing happens when I try to boot off it. My UEFI just bypasses it and goes to Windows. I go into UEFI and under the "Boot override" section click the flash drive -- which normally would make it boot off the drive directly without a reset -- and nothing happens.

***

Hmm, the hosts file. How can I check it and what do I look for?
 
I would just wipe the system and start over. I have wasted way too much time in the past trying to get viruses off of machines, so now I just wipe and reinstall.
 
Eh, no way I'm doing that anytime soon... That would take... days. Huge, huge loss of time to redo all my customizations and get all my software reinstalled.
 
Hmm, the hosts file. How can I check it and what do I look for?

C:\Windows\System32\Drivers\Etc\hosts

It is a text file, open it with Notepad and see if it has any extraneous entries. If you aren't sure copy/paste into this forum and we'll let you know.
 
I figured it out! It's some kind of false positive!

Here's what I did. I have another, secondary laptop/convertible/tablet (Yoga Book), in addition to my main laptop and desktop. I use the Yoga Book only rarely, mostly just for digital handwritten notes, so I did NOT even have Heimdal installed on it. I experimented as follows.
1.) Used the Avast WiFi scanner tool as in my OP on the Yoga Book. Result: no problems.
2.) Installed Heimdal Home (still had one unused license).
3.) Immediately after 2.) I repeated step 1.) Result: same problem as in my OP!
Also, immediately after I launched the WiFi scanner (while it was still scanning), Heimdal popped up a notification window saying it blocked some locations. This is exactly the behavior I get on my two main computers.

So, anyone have any further insight on this? In a way, I guess it makes sense that Avast identifies this as a DNS hijack. Because Heimdal does change the DNS settings in the computer, as explained here:
https://support.heimdalsecurity.com/hc/en-us/articles/208744905-How-Does-DarkLayer-Guard-Work-

However, the unresolved issues are:
#1. Where does the association with onclickads.net and popcash.net come from?
#2. Ok, if Avast thinks there's a DNS hijack, then okay fine... But why does Heimdal also think that it's blocking some kind of exploit?
#3. I used to get these Heimdal notifications somewhat regularly while just doing my regular work. Even if I now know that it's not actually a real threat, it is a slight annoyance. How can it be resolved fully?
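The two checks discussed in this thread, the hosts-file inspection suggested in the reply above and the "which resolver is my adapter actually using" question raised by the DarkLayer Guard link, can be done with a small script instead of eyeballing Notepad. The following is an added example, not code from the thread or from either vendor. The hosts-file content, the adapter list and the resolver addresses are constructed sample data (TEST-NET and `.invalid` names), and the vendor keyword list is an assumption you would extend with the products you actually run. The DNS part only compares a resolver list you supply against the resolvers you expect (typically your router); it does not query Windows itself, so feed it the output of `ipconfig /all` by hand.

```python
"""Audit a Windows hosts file and per-adapter DNS servers for the entries
that typically explain a 'DNS hijack' verdict from a network scanner.
Added example with constructed sample data; not the thread's or vendors' code."""
import ipaddress

# Substrings of names whose sinkholing would be suspicious: security and
# update domains. Constructed watch-list (assumption); extend as needed.
VENDOR_KEYWORDS = ("avast", "heimdal", "windowsupdate")

# Constructed hosts file. Line numbers matter for the findings below.
SAMPLE_HOSTS = """\
# localhost name resolution is handled within DNS itself.
#   127.0.0.1       localhost
127.0.0.1   mydevbox.local        # developer box, benign
0.0.0.0     popcash.net           # ad domains sinkholed by a blocker, benign
0.0.0.0     onclickads.net
203.0.113.7 www.example.com       # a real name pointed at a remote host (TEST-NET address)
0.0.0.0     update.avast.invalid  # a vendor update domain sinkholed
"""

# Constructed adapter -> resolver list, as you would copy from `ipconfig /all`.
# 198.51.100.53 stands in for a resolver injected by a filtering product.
SAMPLE_ADAPTERS = {
    "Wi-Fi": ["192.168.1.1"],
    "Ethernet": ["192.168.1.1", "198.51.100.53"],
}
EXPECTED_RESOLVERS = {"192.168.1.1"}  # the router, per the OP's own check


def parse_hosts(text):
    """Yield (line_no, address, [names]) for each active entry; comments and blank lines skipped."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        body = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not body:
            continue
        fields = body.split()
        if len(fields) < 2:
            continue  # malformed line; Windows ignores it as well
        yield line_no, fields[0], fields[1:]


def audit_hosts(text, vendor_keywords=VENDOR_KEYWORDS):
    """Return the entries worth a second look.

    'redirect'        - a name mapped to a non-local address (a hosts-file hijack)
    'vendor-sinkhole' - a security/update domain mapped to loopback or 0.0.0.0,
                        which silently stops that product from updating
    Loopback/0.0.0.0 mappings of other names (ad blocking, dev boxes) are benign
    and are not reported.
    """
    findings = []
    for line_no, address, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            findings.append({"line": line_no, "address": address, "names": names,
                             "reason": "unparseable-address"})
            continue
        local = ip.is_loopback or ip.is_unspecified
        if not local:
            findings.append({"line": line_no, "address": address, "names": names,
                             "reason": "redirect"})
        elif any(k in n.lower() for n in names for k in vendor_keywords):
            findings.append({"line": line_no, "address": address, "names": names,
                             "reason": "vendor-sinkhole"})
    return findings


def audit_dns_servers(adapters, expected):
    """Map adapter name -> resolvers that are not in the expected set.

    A resolver added by a DNS-filtering product shows up here; if you installed
    that product on purpose, add its resolver to `expected` and the scanner's
    'hijack' verdict is explained rather than alarming.
    """
    unexpected = {}
    for adapter, servers in adapters.items():
        extra = [s for s in servers if s not in expected]
        if extra:
            unexpected[adapter] = extra
    return unexpected


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"hosts line {f['line']}: {f['reason']} {f['address']} -> {', '.join(f['names'])}")
    for adapter, extra in audit_dns_servers(SAMPLE_ADAPTERS, EXPECTED_RESOLVERS).items():
        print(f"{adapter}: unexpected resolver(s) {', '.join(extra)}")
```

On a real machine, read `C:\Windows\System32\Drivers\Etc\hosts` into `audit_hosts` and paste the "DNS Servers" lines from `ipconfig /all` into the adapter dict. An entry reported as `redirect` is the thing to remove; a `vendor-sinkhole` entry is a sign something wanted your security software to stop updating; an unexpected resolver that matches a product you knowingly installed is the false positive the OP ended up diagnosing.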
 
Might be worth it at some point to get a real firewall appliance and add onclickads.net and popcash.net to the block list.

One malware program detecting a 2nd malware program as malware is a common issue. Some allow skipping of folders where the other malware detector stores the signature files.

And backups. External not normally connected HD of some type. Makes the wipe/fight with malware decision a lot easier.
 