What is "http://s.ss2.us/r.crl"?

  • 06-04-2016 11:10pm
    #1
    Registered Users, Registered Users 2 Posts: 37,315 ✭✭✭✭


    Got a few of the following;
    The web resource http://s.ss2.us/r.crl has been detected as infected.
    My AV then closed down some svchost.exe processes. Three times in a row, 5 minutes apart. Can't seem to find any info, apart from the CRL Distribution Point: http://s.ss2.us/r.crl not expiring until Wednesday Jun 28, 2034. Not really sure if that's normal, but slightly concerned that was on my system, yet can't find any info on how bad it is?

    Any ideas?


Comments

  • Registered Users, Registered Users 2 Posts: 134 ✭✭ishotjr2


    Have you tried validating it like below?

    https://raymii.org/s/articles/OpenSSL_manually_verify_a_certificate_against_a_CRL.html

    I got some of the way through the process and it seemed fine but...

    Do you know which site redirected you to the CRL?


  • Registered Users, Registered Users 2 Posts: 572 ✭✭✭Joe Exotic


    the_syco wrote: »
    Got a few of the following;

    My AV then closed down some svchost.exe processes. Three times in a row, 5 minutes apart. Can't seem to find any info, apart from the CRL Distribution Point: http://s.ss2.us/r.crl not expiring until Wednesday Jun 28, 2034. Not really sure if that's normal, but slightly concerned that was on my system, yet can't find any info on how bad it is?

    Any ideas?

    EDIT: Did you browse to this URL or did the warning come out of the blue? What were you doing at the time?

    It came up with a bad result on the VirusTotal URL analysis (scanned at 02.43 this morning).

    When I reanalysed with VirusTotal it got no bad and one suspicious.

    https://www.virustotal.com/en/url/c7f3c3c8b0c713c1bac5503dc9bde7ea9670bb628436686f70e722985cc47636/analysis/1460019583/
    Possible false positive but you never know.

    Modern malware tends to inject itself into existing processes such as svchost to try and avoid detection.

    What's your AV?

    Run a full scan.

    Get Malwarebytes and scan with that also.


  • Registered Users, Registered Users 2 Posts: 37,315 ✭✭✭✭the_syco


    I wasn't redirected to the site. I was actually watching something with BS Player when my AV brought up the alerts. My AV is Bitdefender.


  • Registered Users, Registered Users 2 Posts: 37,315 ✭✭✭✭the_syco


    Bah. Getting a "movefile failed code 5" error when I try to install Malwarebytes. Shall run a virusscan.


  • Registered Users, Registered Users 2 Posts: 37,315 ✭✭✭✭the_syco


    14 hours later, and it's only on 47%

    Roll on Saturday :D


  • Registered Users, Registered Users 2 Posts: 37,315 ✭✭✭✭the_syco


    AV scan found a few items, deleted what it could, and the rest were achieved, but all seemed to be keygens marked as a "generic virus".

    As well as not being able to install Malwarebytes, it seems multiple "portable" programs (such as the portable version of "Spybot - Search & Destroy") attempt to save some file on the C drive, and these are blocked from doing so, and therefore won't proceed with the quarantine of files. Thus it seems the C drive is locked down.

    Cannot boot into Safe Mode. It gets to the login window of the Safe Mode, but when I try to login, the PC reboots.

    Don't have a CD drive, so can anyone recommend a program that will run off a USB stick that will scan the C drive?


  • Registered Users, Registered Users 2 Posts: 572 ✭✭✭Joe Exotic


    the_syco wrote: »
    AV scan found a few items, deleted what it could, and the rest were achieved, but all seemed to be keygens marked as a "generic virus".

    As well as not being able to install Malwarebytes, it seems multiple "portable" programs (such as the portable version of "Spybot - Search & Destroy") attempt to save some file on the C drive, and these are blocked from doing so, and therefore won't proceed with the quarantine of files. Thus it seems the C drive is locked down.

    Cannot boot into Safe Mode. It gets to the login window of the Safe Mode, but when I try to login, the PC reboots.

    Don't have a CD drive, so can anyone recommend a program that will run off a USB stick that will scan the C drive?

    Sounds like you have a malware infection that's preventing you from installing Malwarebytes and booting into safe mode.

    Try getting Kaspersky rescue disk here and install on a bootable USB (instructions here), then boot into it and update its definitions (can take a while). It can then scan your file system while it's "offline".

    I haven't used this in a few years but it has solved a couple of similar situations in the past.


  • Closed Accounts Posts: 3,006 ✭✭✭_Tombstone_


    Format your machine. You'll never be sure to get rid of whatever you have.


  • Registered Users, Registered Users 2 Posts: 37,315 ✭✭✭✭the_syco


    _Tombstone_ wrote: »
    Format your machine. You'll never be sure to get rid of whatever you have.

    I learn nothing from formatting, so really try to avoid formatting.

    =-=

    The two infected bits were the following;
    C:/Windows/SysWOW64/Microsoft.com
    C:/Program Files (x86)/Windows Manager/winmgr.exe

    After a reboot, it BSOD'd after I logged in, and then after another reboot it booted okay, and I was able to install Malwarebytes.

    Looking at the logs, it seems the Kaspersky rescue disk also disinfected the following;

    An interesting one.
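
The registry entries the rescue disk cleaned in the post above are `Debugger` values under Image File Execution Options; when one is set for an image name, Windows launches the named debugger command instead of that program, which fits security tools refusing to install or run. As an added example (not part of the thread), this Python script parses `reg query "<IFEO key>" /s /v Debugger` output and flags any debugger target shared by several images. The sample output, image names, paths and the threshold of 3 are constructed assumptions.

```python
import re
from collections import defaultdict

IFEO = r"\microsoft\windows nt\currentversion\image file execution options" + "\\"
VALUE = re.compile(r"^\s+Debugger\s+REG_(?:SZ|EXPAND_SZ)\s+(.*\S)\s*$", re.IGNORECASE)

# Constructed sample of `reg query ... /s /v Debugger` output (placeholder names and paths).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\example-av.exe
    Debugger    REG_SZ    C:\constructed\stub.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\example-scanner.exe
    Debugger    REG_SZ    C:\constructed\stub.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\example-restore.exe
    Debugger    REG_SZ    c:\constructed\STUB.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe
    Debugger    REG_SZ    "C:\Tools\procexp64.exe"
"""

def parse_ifeo_debuggers(text):
    """Return {image name: debugger command} from `reg query ... /s` output."""
    found, image = {}, None
    for line in text.splitlines():
        key = line.strip()
        if key.upper().startswith("HKEY_"):
            pos = key.lower().find(IFEO)
            image = key[pos + len(IFEO):] if pos != -1 else None
            # Only a direct child of the IFEO key names an executable image.
            if not image or "\\" in image:
                image = None
            continue
        match = VALUE.match(line)
        if match and image:
            found[image] = match.group(1)
    return found

def triage(entries, threshold=3):
    """Group images by debugger target; a target shared by many images is flagged."""
    by_target = defaultdict(list)
    for image, command in entries.items():
        by_target[command.strip('"').lower()].append(image)
    return {target: ("bulk-redirect" if len(images) >= threshold else "review", sorted(images))
            for target, images in by_target.items()}

if __name__ == "__main__":
    for target, (status, images) in triage(parse_ifeo_debuggers(SAMPLE)).items():
        print(f"{status:14} {target} <- {', '.join(images)}")
```

A single entry is reported as "review" rather than cleared, because a lone `Debugger` value can be legitimate (a task manager replacement, a real debugger) or not.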


  • Registered Users, Registered Users 2 Posts: 37,315 ✭✭✭✭the_syco


    Booting into Safe Mode now causes the PC to reboot when the login screen appears, but before I'm able to type login details.

    After the PC had rebooted into "normal" mode, the keyboard didn't work until I rebooted again. Odd.

    Malwarebytes only found two Potentially Unwanted Programs, which I deleted.

    Think I'll leave it for the time being. Shall be getting a new mobo shortly, and think I'll do a fresh install of W10 when I get it.

