
FFDE shows warning about random - I think - named program while FF does not. Virus, malware?

  • 9 replies
  • 1 has this problem
  • 14 views
  • Last reply by Lookcipher


Hey ppl,

Continuing the topic: My wife got a call from her bank (after trying to log in to her account from my PC) about the PC having a virus. So they banned my PC address on the list.

Today I have installed Ff DE and it showed me a warning while FF - nothing. And then it sparked - read above again, starting from "My wife" :)

Check out the string name of the program: Ecuvduy - hmm, can't see anything on Google and in my Win10 processes... Well, just at the moment, didn't dig deeper, or how to even check it - yet, and I hope I won't have to. Or was this process printed as some random string (or maybe not random)?

This happens on every site I want to open on Ff DE. Check out the snaps to grasp the idea of the whole question. Standard Ff just runs.

But some time ago we've had - and still have - massive drops in loading site speeds, but then when I was checking the bandwidth on speedtest.net - everything went fine, 300Mbit < Income and 150Mbit > Outcome. It helps when I set a static IP address. So maybe this is just a coincidence and has only to do with IP collisions of the rest of the hardware that is supported via WiFi in my home? Wanted to mention it, maybe it matters. Slowing down site loads happens on every one of them - I mean hardware. Whether it's a PC, mobile or any other device.

So what about this Ecuvduy?

I will be very grateful if someone can help me with that, I can provide more data if you think you feel something in your very bones about this case.

With best regards, Me of_course

Attached screenshots

All Replies (9)


For those of us who regrettably only read English, could you run the text through a translator or paste the error text into a reply?

This support article suggests tools for cleaning infections. If there's potentially malware active, let's not dally in checking for that: Troubleshoot Firefox issues caused by malware.


I am sorry for that,

Now without further ado:

"Warning: potential security risk

"Www.neuber.com" is probably a secure site, but a secure connection could not be established. This is caused by the "Ecuvduy" program running on this computer or on this network.

What to do in this case?

  • If your anti-virus software includes an encrypted connection scan feature (often called "network traffic scan" or "HTTPS scan"), you can try disabling it. If this does not help, you can remove and reinstall the antivirus software.
  • In corporate networks, it's best to contact IT departments.
  • If you do not recognize the name "Ecuvduy" then it could be an attack and you should not open this page."

Just ran Security Task Manager and I've spotted a C:\Windows\system32\ibtsiva file, can't be entered or found. So there's something in here. It fires from service and app controller process so I think that's where it hooks into. Will check internet packages now. This windows process is kinda shady I've read. Hmmm...


Found it - can't remove it with standard shift+delete, it shows me Intel Bluetooth iBtSiva Service which is responsible for classic bluetooth. Hmmm... Or is someone listening via this? Or maybe I am paranoid? But then again - this can be done.


Thank you for the translation. I've never seen Firefox be that specific before. Is it possibly set up as a proxy? In that case, you could try to bypass it here:

  • Windows: "3-bar" menu button (or Tools menu) > Options
  • Mac: "3-bar" menu button (or Firefox menu) > Preferences
  • Linux: "3-bar" menu button (or Edit menu) > Preferences
  • Any system: type or paste about:preferences into the address bar and press Enter/Return to load it

In the search box at the top of the page, type proxy and Firefox should filter to the "Settings" button, which you can click.

The default of "Use system proxy settings" piggybacks on your Windows/IE "LAN" setting. "Auto-detect" can lead to a flaky connection. You may want to try "No proxy".

Any difference?


Also, sorry our posts are crossing, on the error page, if you expand the "Advanced" section, does Firefox show a code like SEC_ERROR_SOMETHING? I'd love to know the code. Also, there may be a "View Certificate" button if the problem is a fake certificate.


Ok,

So to the first task: set to no proxy in FF DE and no difference, even cleaned cache and cookies.

Now - the next one, here's the dump:

"Websites prove their identity by using certificates issued by certification organizations.

Firefox Developer Edition is software created by the Mozilla organization, which manages the completely open Certification Authority (CA) store. This magazine helps ensure that certification authorities comply with best practices for user safety.

Instead of system certificates, Firefox Developer Edition uses the CA organization of the Mozilla organization to verify connection security. A connection is not considered secure if anti-virus or network software intercepts the connection to a security certificate issued by a certification organization not present in the Mozilla CA CA.

Error code: MOZILLA_PKIX_ERROR_MITM_DETECTED

View certificate".

I am adding google.com and youtube.com certs. We can see that we have: "Wuipt" Organization with common name: "Ecuvduy".


Oh, and one more, below:

"https://www.google.com/

The connection is intercepted by a TLS proxy. Uninstall them if possible, or configure the device to trust the root proxy certificate.

HTTP Strict Transport Security: false
HTTP Public Key Pinning: true

Certificate Chain:

-----BEGIN CERTIFICATE-----
MIIC1jCCAb6gAwIBAgIE1sLfkzANBgkqhkiG9w0BAQsFADAiMQ4wDAYDVQQKDAVX
dWlwdDEQMA4GA1UEAwwHRWN1dmR1eTAeFw0yMDA0MzAxMTE4MDNaFw0yMTA0MzAx
MTE4MDNaMBkxFzAVBgNVBAMMDnd3dy5nb29nbGUuY29tMIIBIjANBgkqhkiG9w0B
AQEFAAOCAQ8AMIIBCgKCAQEA0F5bt1QgmT0fjJA8mPJ1OhJHZunTpYD5666miMPL
NBmom2mrOqGkXZFQZuJhbf/msiqH2uBCBzjSxjKx8efRFd4lMKIevwk4BDbC/QC1
if1HCwj3BOsESir4nMoGErEA91UktfmRqEx/HkC8PvMnfiP6pR3cvJxYp25cDwS9
XYIrTEbeZ8WXVc9DtEAttp8AiBy70vGryKlefSvkUCdhp3b30o9gboUMuJlLYHsX
3vWgo0lTY/n6Rz4ymLypKV27pai5ulLm1zh4ZHigFCIFEpc5u5v5QOR7nu0Z8Uyy
iV6b0btkGqMOg0LWAtXIXJh9ocu1ykfeeDN09yIx++/kYwIDAQABox0wGzAZBgNV
HREEEjAQgg53d3cuZ29vZ2xlLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEAP+ZQ2xpQ
K0U7rqvYIiM6F0bSGBivOJvANzngxuKuYVCf7ZGkQDwq3NYjYILq0e3rjyklDaqG
TKXePYaNRdFeseNZgrAYNLIIakC4eOOW7RsnbepN9yHStb1ja++p2HBQClyqeawt
JVNogENG/zfBEy3N0DyWOOWoQZhpSL0E7Xqjca9xy/18FzHPCkGmQXbtGogqthmW
T3jvjDQ8QhgvQr6bD4RmtZnFPfbMPJlNRgW4jtzijeGC2EGiukP32YdjqcN7+/t2
g/PWkkGp3L4iw3bWgcPTrLM2VFsGngecnKOTUDiyFHrXv0/HOO6oWoaS9j/oHmiS
u/0hm6gjSQJw9w==
-----END CERTIFICATE-----"
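The pasted certificate is enough to see what Firefox saw. The script below is an added example, not code from the thread, from Mozilla or from any tool mentioned here: it decodes that leaf certificate with a small DER walker (no third-party library), prints issuer, subject, validity and the DNS names it covers, and flags the leaf when its issuer organisation is not one you expect for the site. The allowlist passed in at the bottom is a constructed value you would fill in yourself; the check is a plain issuer-name comparison, not Firefox's own MITM detection, which (as the error text above says) consults Mozilla's CA store rather than the system one.

```python
import base64
import ssl
from datetime import datetime

# Leaf certificate the original poster pasted from the Firefox error page,
# with the PEM line breaks restored (the content is the thread's own).
INTERCEPTED_PEM = """-----BEGIN CERTIFICATE-----
MIIC1jCCAb6gAwIBAgIE1sLfkzANBgkqhkiG9w0BAQsFADAiMQ4wDAYDVQQKDAVX
dWlwdDEQMA4GA1UEAwwHRWN1dmR1eTAeFw0yMDA0MzAxMTE4MDNaFw0yMTA0MzAx
MTE4MDNaMBkxFzAVBgNVBAMMDnd3dy5nb29nbGUuY29tMIIBIjANBgkqhkiG9w0B
AQEFAAOCAQ8AMIIBCgKCAQEA0F5bt1QgmT0fjJA8mPJ1OhJHZunTpYD5666miMPL
NBmom2mrOqGkXZFQZuJhbf/msiqH2uBCBzjSxjKx8efRFd4lMKIevwk4BDbC/QC1
if1HCwj3BOsESir4nMoGErEA91UktfmRqEx/HkC8PvMnfiP6pR3cvJxYp25cDwS9
XYIrTEbeZ8WXVc9DtEAttp8AiBy70vGryKlefSvkUCdhp3b30o9gboUMuJlLYHsX
3vWgo0lTY/n6Rz4ymLypKV27pai5ulLm1zh4ZHigFCIFEpc5u5v5QOR7nu0Z8Uyy
iV6b0btkGqMOg0LWAtXIXJh9ocu1ykfeeDN09yIx++/kYwIDAQABox0wGzAZBgNV
HREEEjAQgg53d3cuZ29vZ2xlLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEAP+ZQ2xpQ
K0U7rqvYIiM6F0bSGBivOJvANzngxuKuYVCf7ZGkQDwq3NYjYILq0e3rjyklDaqG
TKXePYaNRdFeseNZgrAYNLIIakC4eOOW7RsnbepN9yHStb1ja++p2HBQClyqeawt
JVNogENG/zfBEy3N0DyWOOWoQZhpSL0E7Xqjca9xy/18FzHPCkGmQXbtGogqthmW
T3jvjDQ8QhgvQr6bD4RmtZnFPfbMPJlNRgW4jtzijeGC2EGiukP32YdjqcN7+/t2
g/PWkkGp3L4iw3bWgcPTrLM2VFsGngecnKOTUDiyFHrXv0/HOO6oWoaS9j/oHmiS
u/0hm6gjSQJw9w==
-----END CERTIFICATE-----
"""

# Attribute OIDs printed under their familiar short names
OID_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST",
             "2.5.4.10": "O", "2.5.4.11": "OU"}
OID_SUBJECT_ALT_NAME = "2.5.29.17"


def pem_to_der(pem):
    body = "".join(l for l in pem.strip().splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)


def read_tlv(buf, pos=0):
    """Decode one DER tag-length-value; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """Yield (tag, value) for every TLV inside a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val


def decode_oid(raw):
    parts, acc = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)


def decode_name(value):
    """X.501 Name (SEQUENCE OF SET OF {oid, string}) -> 'O=Wuipt, CN=Ecuvduy'."""
    out = []
    for _set_tag, rdn in children(value):
        for _seq_tag, atv in children(rdn):
            (_, oid), (_, text) = list(children(atv))[:2]
            dotted = decode_oid(oid)
            out.append(f"{OID_NAMES.get(dotted, dotted)}={text.decode('utf-8', 'replace')}")
    return ", ".join(out)


def decode_time(tag, value):
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime / GeneralizedTime
    return datetime.strptime(value.decode("ascii"), fmt)


def parse_certificate(pem):
    """Pull serial, issuer, subject, validity and DNS SANs out of an X.509 leaf."""
    _, cert, _ = read_tlv(pem_to_der(pem))       # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(cert)                   # tbsCertificate
    fields = list(children(tbs))
    if fields[0][0] == 0xA0:                     # optional [0] EXPLICIT version
        fields = fields[1:]
    serial, _alg, issuer, validity, subject = fields[:5]
    times = [decode_time(t, v) for t, v in children(validity[1])]
    sans = []
    for tag, val in fields[5:]:
        if tag != 0xA3:                          # [3] extensions
            continue
        _, ext_seq, _ = read_tlv(val)
        for _, ext in children(ext_seq):
            parts = list(children(ext))          # {extnID, [critical], extnValue}
            if decode_oid(parts[0][1]) == OID_SUBJECT_ALT_NAME:
                _, names, _ = read_tlv(parts[-1][1])   # GeneralNames inside the OCTET STRING
                sans = [v.decode("ascii") for t, v in children(names) if t == 0x82]  # dNSName
    return {"serial": serial[1].hex(), "issuer": decode_name(issuer[1]),
            "subject": decode_name(subject[1]), "not_before": times[0].isoformat(),
            "not_after": times[1].isoformat(), "san": sans}


def looks_intercepted(pem, expected_issuer_orgs):
    """True when the leaf's issuer organisation is not one we expect for this site."""
    info = parse_certificate(pem)
    attrs = dict(p.split("=", 1) for p in info["issuer"].split(", ") if "=" in p)
    return attrs.get("O") not in expected_issuer_orgs, info


def fetch_leaf_pem(host, port=443):
    """Grab the leaf the network hands us for host (needs network; not used offline)."""
    return ssl.get_server_certificate((host, port))


if __name__ == "__main__":
    # Constructed allowlist: whoever you expect to issue certificates for the site
    flagged, info = looks_intercepted(INTERCEPTED_PEM, {"Google Trust Services LLC"})
    for key, value in info.items():
        print(f"{key:>10}: {value}")
    print("   verdict:", "probable TLS interception" if flagged else "issuer as expected")
```

For the thread's certificate the output shows issuer O=Wuipt, CN=Ecuvduy, subject and SAN www.google.com, and a one-year validity starting 2020-04-30, so the verdict is "probable TLS interception". To repeat the check on a live machine, replace INTERCEPTED_PEM with fetch_leaf_pem("www.google.com") and compare the issuer with whoever you know issues that site's certificates; an issuer name you have never heard of, like the one here, is the same signal the Firefox dialog asks the user to look for.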

I'm thinking "Wuipt" and "Ecuvduy" may be randomly generated as a smokescreen, but that doesn't help us track down the culprit.

If regular malware cleaners don't find the proxy, you could check the specialized forums mentioned in the article where they can walk you through using much more advanced diagnostics.


Freefixer removed the .exe file, also "additional Application extension (dll) file named ibtproppage.dll was found to accompany it as well. Recommend deleting both." - (https://www.file.net/process/ibtsiva.exe.html)

FF DE sees the connections as secure so - thumbs up for freefixer (https://www.freefixer.com/), managed to remove the troublesome files where antivirus and malwarebytes could not even detect the problem.

After removing files I switched back to auto settings for IP and the lagging problem was gone, but what's more - even on my wife's laptop. Checked her PC and found nothing so I advised her to change passwords to the bank accounts. I have PC with all admin network rights so I don't know if the malware soft wasn't listening via ports on other PCs (remember - site load speed problem).

Anyway that's it for now, will post more info if sth's going on.

Stay safe in the web guys, thanks for support @jscher2000 !

Regards