
"Safe Browsing detected browser Internet Explorer has been compromised" - Intercept X on Windows 7 x64

Hi all,

I have a user who keeps receiving a 'Safe Browsing detected browser Internet Explorer has been compromised' alert when using IE11 in Windows 7 x64.

I've seen some other threads that all seem to point to Trusteer Rapport. This user doesn't have this installed and I'm having trouble trying to track down the culprit.

Below is some log information.


Event Viewer - HitmanPro.Alert - Event ID 911:

Intruder

PID 6728
Application C:\Program Files\Internet Explorer\iexplore.exe
Description Internet Explorer 11

Detour Report
# Address Owner Disassembly
-- ------------------ ------------------------ ------------------------
CreateProcessInternalW
1 0x0000000076C1DD20 kernel32.dll JMP 0x412f0dd4
2 0x00000000412F0DD4 (unknown)

GetMessageA
1 0x0000000076D360D0 USER32.dll JMP 0x412f0d55
2 0x00000000412F0D55 (unknown)

GetMessageW
1 0x0000000076D39E54 USER32.dll JMP 0x412f0d14
2 0x00000000412F0D14 (unknown)

PeekMessageA
1 0x0000000076D339B0 USER32.dll JMP 0x412f0cd8
2 0x00000000412F0CD8 (unknown)

PeekMessageW
1 0x0000000076D38FD4 USER32.dll JMP 0x412f0c98
2 0x00000000412F0C98 (unknown)

KiUserExceptionDispatcher
1 0x0000000076E6BC8A ntdll.dll JMP 0x412f0d96
2 0x00000000412F0D96 (unknown)

LdrLoadDll
1 0x0000000076E46130 ntdll.dll JMP 0x412f0e18
2 0x00000000412F0E18 (unknown)

NtAllocateVirtualMemory
1 0x0000000076E6BEB0 ntdll.dll JMP 0x412f0f16
2 0x00000000412F0F16 (unknown)

NtCreateFile
1 0x0000000076E6C280 ntdll.dll JMP 0x74819a8d
2 0x0000000074819A8D SYSFER.DLL MOV R10, 0x0
JMP 0x748199a0
3 0x00000000748199A0 SYSFER.DLL

NtCreateKey
1 0x0000000076E6BF00 ntdll.dll JMP 0x74819ac9
2 0x0000000074819AC9 SYSFER.DLL MOV R10, 0x1
JMP 0x748199a0
3 0x00000000748199A0 SYSFER.DLL

NtCreateUserProcess
1 0x0000000076E6C800 ntdll.dll JMP 0x74819b05
2 0x0000000074819B05 SYSFER.DLL MOV R10, 0x2
JMP 0x748199a0
3 0x00000000748199A0 SYSFER.DLL

NtDeleteFile
1 0x0000000076E6C880 ntdll.dll JMP 0x74819b41
2 0x0000000074819B41 SYSFER.DLL MOV R10, 0x3
JMP 0x748199a0
3 0x00000000748199A0 SYSFER.DLL

NtDeleteKey
1 0x0000000076E6C890 ntdll.dll JMP 0x74819ca9
2 0x0000000074819CA9 SYSFER.DLL MOV R10, 0x9
JMP 0x748199a0
3 0x00000000748199A0 SYSFER.DLL

NtDeleteValueKey
1 0x0000000076E6C8C0 ntdll.dll JMP 0x74819b7d
2 0x0000000074819B7D SYSFER.DLL MOV R10, 0x4
JMP 0x748199a0
3 0x00000000748199A0 SYSFER.DLL

NtFreeVirtualMemory
1 0x0000000076E6BF10 ntdll.dll JMP 0x412f0ed6
2 0x00000000412F0ED6 (unknown)

NtMapViewOfSection
1 0x0000000076E6BFB0 ntdll.dll JMP 0x74819bb9
2 0x0000000074819BB9 SYSFER.DLL MOV R10, 0x5
JMP 0x748199a0
3 0x00000000748199A0 SYSFER.DLL

NtOpenFile
1 0x0000000076E6C060 ntdll.dll JMP 0x74819bf5
2 0x0000000074819BF5 SYSFER.DLL MOV R10, 0x6
JMP 0x748199a0
3 0x00000000748199A0 SYSFER.DLL

NtOpenKey
1 0x0000000076E6BE50 ntdll.dll JMP 0x74819c31
2 0x0000000074819C31 SYSFER.DLL MOV R10, 0x7
JMP 0x748199a0
3 0x00000000748199A0 SYSFER.DLL

NtOpenKeyEx
1 0x0000000076E6CC80 ntdll.dll JMP 0x74819c6d
2 0x0000000074819C6D SYSFER.DLL MOV R10, 0x8
JMP 0x748199a0
3 0x00000000748199A0 SYSFER.DLL

NtProtectVirtualMemory
1 0x0000000076E6C230 ntdll.dll JMP 0x412f0e96
2 0x00000000412F0E96 (unknown)

NtRenameKey
1 0x0000000076E6D110 ntdll.dll JMP 0x74819ce5
2 0x0000000074819CE5 SYSFER.DLL MOV R10, 0xa
JMP 0x748199a0
3 0x00000000748199A0 SYSFER.DLL

NtSetInformationFile
1 0x0000000076E6BFA0 ntdll.dll JMP 0x74819d21
2 0x0000000074819D21 SYSFER.DLL MOV R10, 0xb
JMP 0x748199a0
3 0x00000000748199A0 SYSFER.DLL

NtSetValueKey
1 0x0000000076E6C330 ntdll.dll JMP 0x74819d5d
2 0x0000000074819D5D SYSFER.DLL MOV R10, 0xc
JMP 0x748199a0
3 0x00000000748199A0 SYSFER.DLL

NtTerminateProcess
1 0x0000000076E6BFF0 ntdll.dll JMP 0x74819d99
2 0x0000000074819D99 SYSFER.DLL MOV R10, 0xd
JMP 0x748199a0
3 0x00000000748199A0 SYSFER.DLL

NtTerminateThread
1 0x0000000076E6C260 ntdll.dll JMP 0x74819dd5
2 0x0000000074819DD5 SYSFER.DLL MOV R10, 0xe
JMP 0x748199a0
3 0x00000000748199A0 SYSFER.DLL

NtUnmapViewOfSection
1 0x0000000076E6BFD0 ntdll.dll JMP 0x412f0e56
2 0x00000000412F0E56 (unknown)

NtWaitForDebugEvent
1 0x0000000076E6D610 ntdll.dll JMP 0x412f0fd6
2 0x00000000412F0FD6 (unknown)

RtlInstallFunctionTableCallback
1 0x0000000076E222B0 ntdll.dll JMP 0x412f0f95
2 0x00000000412F0F95 (unknown)

HttpOpenRequestA *
1 0x000007FEFD50ACE0 WININET.dll JMP 0x7fe800201c1
2 0x000007FE800201C1 (unknown)

HttpSendRequestA
1 0x000007FEFD47E570 WININET.dll JMP 0x7fe80020070
2 0x000007FE80020070 (unknown)

HttpSendRequestExA *
1 0x000007FEFD508210 WININET.dll JMP 0x7fe80020312
2 0x000007FE80020312 (unknown)

HttpSendRequestExW *
1 0x000007FEFD43CF70 WININET.dll JMP 0x7fe80020461
2 0x000007FE80020461 (unknown)

URLDownloadToFileW
1 0x000007FEFEFD54A0 urlmon.dll JMP 0x7fef76f0f8e
2 0x000007FEF76F0F8E (unknown)

ProgramData\HitmanPro.Alert\Logs\Sophos.log information:

2017-08-09T11:14:18.820Z [Protected] PID 6504, Features 000000361FBF0106, C:\Program Files (x86)\Microsoft Office\Office15\EXCEL.EXE
2017-08-09T11:14:20.200Z [Protected] PID 7064, Features 000000300000010E, C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
2017-08-09T11:14:21.320Z [Protected] PID 1472, Features 0000003000000102, C:\Windows\System32\dllhost.exe
2017-08-09T11:14:36.172Z [Protected] PID 4640, Features 000000300000010A, C:\Windows\System32\taskhost.exe
2017-08-09T11:14:36.572Z [Protected] PID 5268, Features 0000003000000102, C:\Windows\System32\SearchFilterHost.exe
2017-08-09T11:16:51.851Z [Protected] PID 7732, Features 0000003000000102, C:\Windows\System32\SearchProtocolHost.exe
2017-08-09T11:16:51.881Z [Protected] PID 6708, Features 0000003000000102, C:\Windows\System32\SearchFilterHost.exe
2017-08-09T11:17:01.311Z [Protected] PID 6312, Features 0000003000000102, C:\Windows\System32\SearchProtocolHost.exe
2017-08-09T11:17:02.291Z [Protected] PID 5704, Features 0000003000000102, C:\Windows\System32\dllhost.exe
2017-08-09T11:17:04.351Z [Protected] PID 7336, Features 0000003000000102, C:\Windows\System32\PrintIsolationHost.exe
2017-08-09T11:17:09.551Z [Protected] PID 4080, Features 0000003000000106, C:\Program Files (x86)\Microsoft Office\Office15\OUTLOOK.EXE
2017-08-09T11:17:30.821Z [Protected] PID 7696, Features 0000003000000102, C:\Windows\SysWOW64\SearchProtocolHost.exe
2017-08-09T11:18:32.990Z [Protected] PID 5744, Features 000000361FBF2106, C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE
2017-08-09T11:18:33.310Z [Protected] PID 5040, Features 0000003000000102, C:\Windows\System32\dllhost.exe
2017-08-09T11:18:44.761Z [Alert] Intruder, familyId=fef6cbf9-cff1-4647-a736-2a8e236b9dbf, PID 6728, C:\Program Files\Internet Explorer\iexplore.exe
2017-08-09T11:18:44.761Z [Sophos] dropped C:\ProgramData\HitmanPro.Alert\MCS\Alert-20170809101844761-1.xml
2017-08-09T11:18:44.771Z [Sophos] dropped C:\ProgramData\Sophos\Health\Event Store\Incoming\29ebc42c-fcfc-4650-a297-7d36ec9ad32a.json
2017-08-09T11:18:54.791Z [Protected] PID 8172, Features 0000003000000106, C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe
2017-08-09T11:18:54.861Z [Protected] PID 7812, Features 0000003000000106, C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe
2017-08-09T11:18:54.921Z [VerifyPolicy] success, C:\ProgramData\HitmanPro.Alert\policy_20170809101854
2017-08-09T11:19:10.921Z [Protected] PID 7536, Features 000000341FBF9106, C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
2017-08-09T11:19:10.981Z [Protected] PID 4724, Features 000000341FBFB106, C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
2017-08-09T11:19:11.151Z [Protected] PID 3784, Features 000000341FBFB106, C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
2017-08-09T11:19:11.201Z [Protected] PID 6980, Features 000000341FBFB106, C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
2017-08-09T11:19:11.282Z [Protected] PID 6556, Features 000000341FBFB106, C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
2017-08-09T11:19:11.318Z [Protected] PID 6384, Features 000000341FBFB106, C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
2017-08-09T11:19:14.879Z [Protected] PID 6760, Features 000000341FBFB106, C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
2017-08-09T11:19:18.778Z [Protected] PID 8036, Features 0000003000000102, C:\Windows\System32\SearchFilterHost.exe
2017-08-09T11:19:24.229Z [Protected] PID 7432, Features 0000003000000102, C:\Windows\System32\LogonUI.exe
2017-08-09T11:20:00.050Z [Protected] PID 7524, Features 0000003000000102, C:\Windows\System32\taskeng.exe
2017-08-09T11:20:00.550Z [Protected] PID 7292, Features 0000003000000106, C:\Users\cbolster\AppData\Local\GoToMeeting\7435\g2mupdate.exe
2017-08-09T11:23:49.793Z [Protected] PID 4000, Features 000000341FBF9106, C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
2017-08-09T11:23:49.843Z [Protected] PID 6516, Features 000000341FBFB106, C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
2017-08-09T11:23:49.913Z [Protected] PID 8028, Features 000000341FBFB106, C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
2017-08-09T11:23:49.963Z [Protected] PID 7344, Features 000000341FBFB106, C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
2017-08-09T11:23:50.050Z [Protected] PID 4672, Features 000000341FBFB106, C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
2017-08-09T11:23:50.097Z [Protected] PID 1748, Features 000000341FBFB106, C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
2017-08-09T11:23:56.646Z [Protected] PID 4724, Features 000000341FBFB106, C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
2017-08-09T11:24:35.064Z [Protected] PID 3880, Features 000000341FBFB106, C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
2017-08-09T11:24:36.135Z [Protected] PID 5836, Features 0000003000002106, C:\Program Files (x86)\Unipass\Securemail Client\bin\ppVirtualCOM.exe
2017-08-09T11:25:03.549Z [Protected] PID 1420, Features 000000341FBFB106, C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
2017-08-09T11:25:04.432Z [Protected] PID 936, Features 000000341FBFB106, C:\Program Files (x86)\Google\Chrome\Application\chrome.exe


Any help appreciated.

Thanks,

Oliver.
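As an added triage aid (my own code, not from the post, from Sophos or from HitmanPro), the following Python script parses the two formats quoted above: the Event ID 911 Detour Report and the Sophos.log lines. It groups the hooked functions by the module that owns the last hop of each detour chain, so the hooks that end in SYSFER.DLL can be attributed to whatever product ships that module while the hooks that end in "(unknown)" memory stand out as the ones still needing an explanation; it clusters those unknown addresses into 64 KiB blocks, which is the granularity you would look up in Process Explorer or VMMap to see what kind of allocation the code lives in; and it pulls the [Alert] record out of Sophos.log so its PID can be matched against the event. The embedded excerpts are copied from the post; the record field names, the 64 KiB block size and the handling of the trailing asterisk (recorded, not interpreted, since the post does not say what it marks) are my own choices.

```python
# Triage helper for a HitmanPro.Alert "Intruder" event (Event ID 911).
# Added example; not code from the post, from Sophos or from HitmanPro.
import re
from collections import defaultdict

# Excerpt of the Detour Report copied from the Event Viewer output quoted in the post.
DETOUR_REPORT = r"""
Detour Report
# Address Owner Disassembly
-- ------------------ ------------------------ ------------------------
CreateProcessInternalW
1 0x0000000076C1DD20 kernel32.dll JMP 0x412f0dd4
2 0x00000000412F0DD4 (unknown)

NtCreateFile
1 0x0000000076E6C280 ntdll.dll JMP 0x74819a8d
2 0x0000000074819A8D SYSFER.DLL MOV R10, 0x0
JMP 0x748199a0
3 0x00000000748199A0 SYSFER.DLL

NtProtectVirtualMemory
1 0x0000000076E6C230 ntdll.dll JMP 0x412f0e96
2 0x00000000412F0E96 (unknown)

HttpOpenRequestA *
1 0x000007FEFD50ACE0 WININET.dll JMP 0x7fe800201c1
2 0x000007FE800201C1 (unknown)
"""

# Excerpt of Sophos.log copied from the post (one [Protected], the [Alert], one [Sophos] line).
SOPHOS_LOG = r"""
2017-08-09T11:18:33.310Z [Protected] PID 5040, Features 0000003000000102, C:\Windows\System32\dllhost.exe
2017-08-09T11:18:44.761Z [Alert] Intruder, familyId=fef6cbf9-cff1-4647-a736-2a8e236b9dbf, PID 6728, C:\Program Files\Internet Explorer\iexplore.exe
2017-08-09T11:18:44.761Z [Sophos] dropped C:\ProgramData\HitmanPro.Alert\MCS\Alert-20170809101844761-1.xml
"""

HOP_RE = re.compile(r"^(\d+)\s+(0x[0-9A-Fa-f]+)\s+(\S+)(?:\s+(.+))?$")  # "<n> <address> <owner> [disassembly]"
NAME_RE = re.compile(r"^(\w+)( \*)?$")                                  # hooked function, optional trailing " *"
LOG_RE = re.compile(r"^(\S+) \[(\w+)\] (.*)$")                           # "<timestamp> [<kind>] <rest>"


def parse_detour_report(text):
    """Return {function: {"starred": bool, "hops": [{index, address, owner, disasm}, ...]}}.

    A row with an index is one hop of the detour chain: the address, the module that
    owns it ("(unknown)" when no loaded module covers it) and the disassembly there.
    A row without an index continues the previous hop's disassembly (the report wraps
    multi-instruction stubs such as "MOV R10, 0x0" / "JMP 0x748199a0").
    """
    hooks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "Detour Report" or line[0] in "#-":
            continue  # blank, title, column header or separator row
        hop, name = HOP_RE.match(line), NAME_RE.match(line)
        if hop and current is not None:
            idx, addr, owner, disasm = hop.groups()
            current["hops"].append({"index": int(idx), "address": int(addr, 16),
                                    "owner": owner, "disasm": (disasm or "").strip()})
        elif name:
            current = {"starred": name.group(2) is not None, "hops": []}
            hooks[name.group(1)] = current
        elif current is not None and current["hops"]:
            last = current["hops"][-1]
            last["disasm"] = (last["disasm"] + "; " + line).strip("; ")
    return hooks


def hooks_by_final_owner(hooks):
    """Group hooked functions by the module that owns the last hop of the chain.

    Chains ending in a named module can be attributed to the product shipping it;
    chains ending in "(unknown)" memory are the ones that need explaining.
    """
    groups = defaultdict(list)
    for name, info in hooks.items():
        groups[info["hops"][-1]["owner"]].append(name)
    return dict(groups)


def unknown_regions(hooks, granularity=0x10000):
    """Cluster "(unknown)" hop addresses into 64 KiB blocks (block base -> functions).

    The block base is what to look up in Process Explorer / VMMap to see what kind of
    allocation (mapped image, private committed memory, ...) the detour lands in.
    """
    regions = defaultdict(set)
    for name, info in hooks.items():
        for hop in info["hops"]:
            if hop["owner"] == "(unknown)":
                regions[hop["address"] & ~(granularity - 1)].add(name)
    return {base: sorted(names) for base, names in regions.items()}


def alert_events(log_text):
    """Extract the [Alert] records from Sophos.log (time, kind, pid, familyId, image)."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m or m.group(2) != "Alert":
            continue
        fields = [f.strip() for f in m.group(3).split(",")]
        pid = next(int(f.split()[1]) for f in fields if f.startswith("PID "))
        family = next((f.split("=", 1)[1] for f in fields if f.startswith("familyId=")), None)
        events.append({"time": m.group(1), "kind": fields[0], "pid": pid,
                       "familyId": family, "image": fields[-1]})
    return events


if __name__ == "__main__":
    hooks = parse_detour_report(DETOUR_REPORT)
    for owner, names in hooks_by_final_owner(hooks).items():
        print(f"{owner:12} {', '.join(sorted(names))}")
    for base, names in sorted(unknown_regions(hooks).items()):
        print(f"unknown region 0x{base:016X}: {', '.join(names)}")
    for ev in alert_events(SOPHOS_LOG):
        print(f"{ev['time']} {ev['kind']} PID {ev['pid']} {ev['image']}")
```

Run against the full report from the post, the output separates the twenty-odd SYSFER.DLL hooks from the two unknown blocks (one around 0x412F0000 covering the kernel32/USER32/ntdll hooks, one around 0x7FE80020000 covering the WININET hooks); those two block bases, together with PID 6728 from the [Alert] line, are what to take to Process Explorer's lower pane to find out which image or allocation backs them.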



Hi,

I see this module referenced: SYSFER.DLL

A quick Google tells me this is related to:

Symantec CMC Firewall or Symantec Endpoint Protection by Symantec

If you run Process Explorer (https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer) and look at the lower pane where the DLLs are listed, you can see the path to it.

Maybe try just renaming it if this is possible. If you then relaunch IE I assume it won't load it; does the problem then happen?

The only reason I suggest renaming is that it might be a quicker test than uninstalling Symantec Endpoint FW.

It may not be possible but it would be good to get that module out of IE as a test.

The other option might be to run Process Explorer as before and see what the startup location is for that DLL.

Regards,

Jak