Can't figure out how to clean out malware infection

Discussion in 'Networking & Security' started by DaRuSsIaMaN, Dec 19, 2018.

  1. DaRuSsIaMaN

    DaRuSsIaMaN [H]ard|Gawd

    Messages:
    1,192
    Joined:
    Apr 22, 2007
    I have Heimdal Security & Avast AV installed on both my desktop as well as my laptop. (These are not two anti-virus programs; Heimdal is supposed to complement any proper anti-virus.) On both I keep getting the following symptom intermittently. Heimdal pops up a notification telling me that it blocked something, and there's always two of them: one for popcash.net and one for onclickads.net. You can see the log below:

    Heimdal log.png

    By the way, Heimdal does nothing to actually clean out any problems; its purpose is only to help block things. Anyway, when I do a Wi-Fi Inspector scan via Avast, it identifies my PC as having a problem and tells me that I have a DNS hijack.

    Avast network scan.png

    Clicking on the Vulnerability ID brings up a page where Avast claims that my router is infected. However, I'm doubtful that this is accurate, because I checked my router settings, and none of my DNS stuff is out of order. Also, the network scan actually identified this problem on my computer, NOT on my router. So Avast seems to be contradicting itself here.

    Also, before I installed Heimdal, which was not that long ago actually (several months?), I never experienced any issues. No random redirects of my browser, nothing else suspicious.

What's going on here, and how do I fix it?
     
  2. DrLobotomy

    DrLobotomy [H]ardness Supreme

    Messages:
    5,485
    Joined:
    May 19, 2016
  3. DaRuSsIaMaN

    DaRuSsIaMaN [H]ard|Gawd

    Messages:
    1,192
    Joined:
    Apr 22, 2007
    Oh right, forgot to mention that. It didn't help.
     
  4. FNtastic

    FNtastic [H]ard|Gawd

    Messages:
    1,340
    Joined:
    Jul 6, 2013
    Give ClamAV a shot

If it's a no-go there, maybe a reinstall of the OS is in order? Depending on how worried you are about the infection: a new hard drive and/or new hardware.
     
  5. rtangwai

    rtangwai [H]ard|Gawd

    Messages:
    1,365
    Joined:
    Jul 26, 2007
    Did you check the HOSTS file?
     
  6. IdiotInCharge

    IdiotInCharge [H]ardForum Junkie

    Messages:
    9,669
    Joined:
    Jun 13, 2003
    To expound: get a Linux 'live' distro with ClamAV and boot off of it to do the scan. Maybe something like this?
     
    FNtastic likes this.
  7. FNtastic

    FNtastic [H]ard|Gawd

    Messages:
    1,340
    Joined:
    Jul 6, 2013
They also have a Windows installer available.
     
  8. DaRuSsIaMaN

    DaRuSsIaMaN [H]ard|Gawd

    Messages:
    1,192
    Joined:
    Apr 22, 2007
    Thanks for the suggestions, everyone. I tried ClamAV but it doesn't work. The image doesn't boot off the flash drive even though the website claims that:
    Nope. No directions for which distro to use. I used the directions given here at UNetbootin, and nothing happens when I try to boot off it. My UEFI just bypasses it and goes to Windows. I go into UEFI and under the "Boot override" section click the flash drive -- which normally would make it boot off the drive directly without a reset -- and nothing happens.

    ***

    Hmm, the hosts file. How can I check it and what do I look for?
     
  9. DaRuSsIaMaN

    DaRuSsIaMaN [H]ard|Gawd

    Messages:
    1,192
    Joined:
    Apr 22, 2007
  10. drklu

    drklu 2[H]4U

    Messages:
    2,134
    Joined:
    Jul 15, 2013
I would just wipe the system and start over. I have wasted way too much time in the past trying to get viruses off of machines, so now I just wipe and reinstall.
     
    dvsman likes this.
  11. DaRuSsIaMaN

    DaRuSsIaMaN [H]ard|Gawd

    Messages:
    1,192
    Joined:
    Apr 22, 2007
    Eh, no way I'm doing that anytime soon... That would take... days. Huge, huge loss of time to redo all my customizations and get all my software reinstalled.
     
  12. rtangwai

    rtangwai [H]ard|Gawd

    Messages:
    1,365
    Joined:
    Jul 26, 2007
    C:\Windows\System32\Drivers\Etc\hosts

    It is a text file, open it with Notepad and see if it has any extraneous entries. If you aren't sure copy/paste into this forum and we'll let you know.
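As an added example (not code from anyone in this thread), here is a small Python script that parses a hosts file in the format described above and separates entries that sink a name to a loopback/null address (what ad-blocking tools write for domains like the two named in the OP) from entries that redirect a name to some other address, which is the pattern a hosts-file hijack leaves behind. The sample hosts content, the `www.example-bank.com` name and the `198.51.100.23` address are constructed for the example; the default path in `audit_hosts_file` is the one given in the post above.

```python
"""Audit a Windows hosts file for entries that redirect names elsewhere.

Each non-comment line of a hosts file is: <IP> <whitespace> <hostname>...
with an optional trailing '# comment'. Entries are classified as
  - sinkholed: point to 127.0.0.1 / 0.0.0.0 / ::1 (typical ad/tracker blocking)
  - redirect:  point anywhere else (what a hosts-file hijack looks like)
"""
import ipaddress
from pathlib import Path

# Constructed sample content: Microsoft's default comments, two blocking
# entries and one made-up redirect of a legitimate-looking name.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#   127.0.0.1       localhost
0.0.0.0   popcash.net   www.popcash.net
127.0.0.1 onclickads.net
198.51.100.23 www.example-bank.com  # constructed example of a hijack entry
"""

# Addresses that make a name resolve to "nowhere" rather than to a third party.
SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Return a list of (ip, [hostnames]) tuples, skipping blank/comment lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = str(ipaddress.ip_address(parts[0]))  # normalises the address text
        except ValueError:
            continue  # malformed line; Windows ignores these as well
        hosts = [h.lower() for h in parts[1:]]
        if hosts:
            entries.append((ip, hosts))
    return entries


def classify(entries):
    """Split parsed entries into sinkholed names and (name, ip) redirects."""
    sinkholed, redirects = [], []
    for ip, hosts in entries:
        if ip in SINK_ADDRESSES:
            sinkholed.extend(hosts)
        else:
            redirects.extend((h, ip) for h in hosts)
    return sinkholed, redirects


def audit_hosts_text(text):
    """Parse and classify hosts-file content given as a string."""
    return classify(parse_hosts(text))


def audit_hosts_file(path=r"C:\Windows\System32\Drivers\Etc\hosts"):
    """Parse and classify the hosts file on disk (default: the Windows path)."""
    return audit_hosts_text(Path(path).read_text(encoding="utf-8", errors="replace"))


if __name__ == "__main__":
    sinkholed, redirects = audit_hosts_text(SAMPLE_HOSTS)
    print("Sinkholed names (usually benign blocking):")
    for name in sinkholed:
        print("  ", name)
    print("Redirects to other addresses (review each one):")
    for name, ip in redirects:
        print("  ", name, "->", ip)
```

Run it as-is to see the classification on the constructed sample, or call `audit_hosts_file()` on a machine to audit the real file. Any name in the redirect list is worth looking up: a legitimate domain pointed at an unfamiliar address is the thing to remove, while entries that sink ad domains to `0.0.0.0` or `127.0.0.1` are what blocking tools add on purpose.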
     
  13. DaRuSsIaMaN

    DaRuSsIaMaN [H]ard|Gawd

    Messages:
    1,192
    Joined:
    Apr 22, 2007
    I figured it out! It's some kind of false positive!

    Here's what I did. I have another, secondary laptop/convertible/tablet (Yoga Book), in addition to my main laptop and desktop. I use the Yoga Book only rarely, mostly just for digital handwritten notes, so I did NOT even have Heimdal installed on it. I experimented as follows.
    1.) Used the Avast WiFi scanner tool as in my OP on the Yoga Book. Result: no problems.
    2.) Installed Heimdal Home (still had one unused license).
    3.) Immediately after 2.) I repeated step 1.) Result: same problem as in my OP!
    Also, immediately after I launched the WiFi scanner (while it was still scanning), Heimdal popped up a notification window saying it blocked some locations. This is exactly the behavior I get on my two main computers.

    So, anyone have any further insight on this? In a way, I guess it makes sense that Avast identifies this as a DNS hijack. Because Heimdal does change the DNS settings in the computer, as explained here:
    https://support.heimdalsecurity.com/hc/en-us/articles/208744905-How-Does-DarkLayer-Guard-Work-

    However, the unresolved issues are:
    #1. Where does the association with onclickads.net and popcash.net come from?
    #2. Ok, if Avast thinks there's a DNS hijack, then okay fine... But why does Heimdal also think that it's blocking some kind of exploit?
    #3. I used to get these Heimdal notifications somewhat regularly while just doing my regular work. Even if I now know that it's not actually a real threat, it is a slight annoyance. How can it be resolved fully?
     
    IdiotInCharge and Farva like this.
  14. stormy1

    stormy1 [H]ard|Gawd

    Messages:
    1,048
    Joined:
    Apr 3, 2008
  15. Dead Parrot

    Dead Parrot 2[H]4U

    Messages:
    2,401
    Joined:
    Mar 4, 2013
    Might be worth it at some point to get a real firewall appliance and add onclickads.net and popcash.net to the block list.

One malware program detecting a second malware program as malware is a common issue. Some allow skipping the folders where the other malware detector stores its signature files.

And backups. An external HD of some type that is not normally connected. Makes the wipe-or-fight-with-malware decision a lot easier.