Avast WEBforum

Other => Viruses and worms => Topic started by: MattiieG on October 14, 2013, 02:42:44 AM

Title: keylogger on vine4you.com
Post by: MattiieG on October 14, 2013, 02:42:44 AM
http://www.scamvoid.com/check/vine4you.com
I believe that I have received the keylogger from vine4you.com, but am not completely sure; can anyone help me check whether or not I have?
Maybe I didn't receive it because I use the ultrasurf proxy?
Malwarebytes found nothing
Avast found nothing
Title: Re: keylogger on vine4you.com
Post by: Secondmineboy on October 14, 2013, 05:29:59 AM
Follow the logs in assist to clean malware thread at the top of the viruses and worms section. And attach logs. When done malware removers will be notified.
Title: Re: keylogger on vine4you.com
Post by: MattiieG on October 14, 2013, 11:19:07 AM
here they are
Title: Re: keylogger on vine4you.com
Post by: MattiieG on October 14, 2013, 11:19:34 AM
and Extras.txt if you need it
Title: Re: keylogger on vine4you.com
Post by: argus on October 14, 2013, 11:51:50 AM
Hello


Please download Farbar Recovery Scan Tool (http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/) and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system; that will be the right version.


Title: Re: keylogger on vine4you.com
Post by: MattiieG on October 14, 2013, 12:50:17 PM
hey, sorry for the late reply
Title: Re: keylogger on vine4you.com
Post by: polonus on October 14, 2013, 12:58:50 PM
Well WOT does not like that site either: http://www.mywot.com/en/scorecard/vine4you.com?utm_source=addon&utm_content=popup-donuts
Well 1000 websites on one IP, what security do you want there?

polonus
Title: Re: keylogger on vine4you.com
Post by: argus on October 14, 2013, 01:25:03 PM

1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.

Code:
Start
SearchScopes: HKLM-x32 - DefaultScope {F17BB688-52F9-4011-AE6D-F98B212548ED} URL = http://u-search.net/?a=1&e=1&q={searchTerms}
SearchScopes: HKLM-x32 - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 - {F17BB688-52F9-4011-AE6D-F98B212548ED} URL = http://u-search.net/?a=1&e=1&q={searchTerms}
SearchScopes: HKCU - DefaultScope {F17BB688-52F9-4011-AE6D-F98B212548ED} URL = http://u-search.net/?a=1&e=1&q={searchTerms}
SearchScopes: HKCU - {C10BC952-33B9-402F-B496-60D485BF64AB} URL = http://websearch.ask.com/redirect?client=ie&tb=ORJ&o=&src=kw&q={searchTerms}&locale=&apn_ptnrs=U4&apn_dtid=OSJ000YYUK&apn_uid=AEB2CAEF-770A-4A5C-890E-9AD38995E6FD&apn_sauid=97CAFC54-2AA0-43D0-8C39-937F8F6D53AE
SearchScopes: HKCU - {EAFA2A8B-D06F-4FBD-8A99-1349BBA5DA95} URL = http://searchou.com/?q={searchTerms}&id=a44c152500000000000016de2b77868e&affilt=5&r=251
SearchScopes: HKCU - {F17BB688-52F9-4011-AE6D-F98B212548ED} URL = http://u-search.net/?a=1&e=1&q={searchTerms}
BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - C:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll (McAfee, Inc.)
BHO-x32: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - C:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
Toolbar: HKLM - McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - C:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll (McAfee, Inc.)
Toolbar: HKLM-x32 - McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - C:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
Toolbar: HKCU -  No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - C:\Program Files (x86)\McAfee\SiteAdvisor\x64\McIEPlg.dll (McAfee, Inc.)
Handler-x32: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - C:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
Handler-x32: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - C:\Program Files (x86)\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
FF Extension: McAfee SiteAdvisor - C:\Program Files (x86)\McAfee\SiteAdvisor
CHR RestoreOnStartup: "hxxp://google.com/", "hxxp://searchou.com/?id=a44c152500000000000016de2b77868e&affilt=5"
CHR Plugin: (McAfee SiteAdvisor) - C:\Users\Matt\AppData\Local\Google\Chrome\User Data\Default\Extensions\fheoggkfdfchfphceeifdbepaooicaho\3.60.126.1_0\McChPlg.dll No File
CHR Plugin: (McAfee SiteAdvisor) - C:\Program Files (x86)\McAfee\SiteAdvisor\npmcffplg32.dll (McAfee, Inc.)
CHR Plugin: (Pando Web Plugin) - C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
CHR Plugin: (McAfee SecurityCenter) - c:\PROGRA~2\mcafee\msc\NPMCSN~1.DLL No File
CHR HKLM-x32\...\Chrome\Extension: [fheoggkfdfchfphceeifdbepaooicaho] - C:\Program Files (x86)\McAfee\SiteAdvisor\McChPlg.crx
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
C:\Users\Matt\jagex_cl_runescape_LIVE.dat
C:\Users\Matt\random.dat
C:\Users\Matt\AppData\Local\Temp\procexp64.exe
File: C:\Windows\Test.bat
End
2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.


3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you about an outdated version, please download and run the updated version.
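The fixlist above removes hijacked Internet Explorer SearchScopes entries (the u-search.net, ask.com and searchou.com providers), stale BHO/toolbar registrations and a Chrome policy restriction. As an added example that is not part of the thread or of FRST, the PowerShell script below enumerates the same registry locations on a Windows host so a defender can review them before or after a fix: it lists every SearchScopes entry under HKLM (native and Wow6432Node views) and HKCU and flags those whose URL host is not on a small allow-list, and it dumps any values under HKLM/HKCU SOFTWARE\Policies\Google, which on a home PC should normally be empty. The allow-list of search hosts and the function names are assumptions for this example.

```powershell
# Added example, not from the thread or from FRST. Assumes Windows PowerShell 3.0+
# and read access to HKLM and HKCU. Run as the affected user to see HKCU entries.

# Registry paths FRST reports as "SearchScopes: HKLM", "HKLM-x32" and "HKCU".
$scopePaths = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes',
    'HKCU:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes'
)

# Hosts treated as expected search providers; anything else is reported for review.
# This list is an assumption for the example, not an authoritative allow-list.
$knownSearchHosts = @('www.bing.com', 'www.google.com', 'search.yahoo.com')

function Get-SearchScopeFindings {
    param(
        [string[]]$Paths = $scopePaths,
        [string[]]$AllowedHosts = $knownSearchHosts
    )
    $findings = @()
    foreach ($path in $Paths) {
        if (-not (Test-Path $path)) { continue }
        # DefaultScope names the GUID subkey IE actually uses for searches.
        $defaultScope = (Get-ItemProperty -Path $path -ErrorAction SilentlyContinue).DefaultScope
        foreach ($key in Get-ChildItem -Path $path -ErrorAction SilentlyContinue) {
            $url = (Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue).URL
            if ([string]::IsNullOrEmpty($url)) {
                # Empty URL entries (like the {0633EE93-...} line in the fixlist) are leftovers.
                $findings += [pscustomobject]@{
                    Path = $key.PSPath; Reason = 'empty URL'; URL = ''
                }
                continue
            }
            # URLs contain the literal {searchTerms} placeholder; [uri] copes with it,
            # but guard anyway so one malformed value does not abort the scan.
            try { $urlHost = ([uri]$url).Host } catch { $urlHost = '' }
            if ($AllowedHosts -notcontains $urlHost) {
                $reason = if ($key.PSChildName -eq $defaultScope) {
                    'default scope points at unknown host'
                } else {
                    'unknown host'
                }
                $findings += [pscustomobject]@{
                    Path = $key.PSPath; Reason = $reason; URL = $url
                }
            }
        }
    }
    return $findings
}

function Get-ChromePolicyFindings {
    # FRST flags "CHR HKLM\SOFTWARE\Policies\Google: Policy restriction" when this
    # key exists. On a domain-managed PC the values are legitimate; on a home PC
    # they are usually planted by adware to lock the browser's settings.
    $policyRoots = @('HKLM:\SOFTWARE\Policies\Google', 'HKCU:\SOFTWARE\Policies\Google')
    $findings = @()
    foreach ($root in $policyRoots) {
        if (-not (Test-Path $root)) { continue }
        $keys = @(Get-Item -Path $root) + @(Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            foreach ($valueName in $key.GetValueNames()) {
                $findings += [pscustomobject]@{
                    Path  = $key.PSPath
                    Name  = $valueName
                    Value = ($key.GetValue($valueName) -join ', ')
                }
            }
        }
    }
    return $findings
}

Write-Host '== Internet Explorer SearchScopes needing review =='
Get-SearchScopeFindings | Format-Table -AutoSize
Write-Host '== Chrome policy values present =='
Get-ChromePolicyFindings | Format-Table -AutoSize
```

The script only reads the registry; it reports, it does not remove anything, so it is safe to run before asking a helper for a fixlist and again afterwards to confirm the entries are gone. A default scope that resolves to a host you did not choose is the same symptom the fixlist addresses: searches typed into the address bar are silently redirected to a third-party search page.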
Title: Re: keylogger on vine4you.com
Post by: MattiieG on October 14, 2013, 01:35:33 PM
here's the fixlog
Title: Re: keylogger on vine4you.com
Post by: MattiieG on October 14, 2013, 01:42:57 PM
I just got 2 random desktop.ini files on my desktop, can I delete these?
Title: Re: keylogger on vine4you.com
Post by: argus on October 14, 2013, 01:51:47 PM

System is clean; you have no keylogger.

Please download  DelFix (http://general-changelog-team.fr/fr/downloads/finish/20-outils-de-xplode/9-delfix) by "Xplode" to your Desktop.

Run the tool and check the following boxes below:

Now click on the "Run" button. Wait for the programme to complete its work.
All the tools we used should be gone.
The tool will create and open a log report (DelFix.txt).
Note: The report will also be stored at C:\DelFix.txt


> I don't need the DelFix log report.
Title: Re: keylogger on vine4you.com
Post by: Michael (alan1998) on October 14, 2013, 02:02:49 PM
I just got 2 random desktop.ini files on my desktop, can I delete these?

Do not. Most likely FRST or some other program Argus used to check your computer over unhid those files. Open up your File Explorer (where you go to get your documents from) --> Top Left Organize --> Folder and Search Options --> View --> Restore to Default.

If that doesn't work, follow all the steps again except the last, and make sure the tick is on "Don't show hidden folders, files and drives".
Ensure the check is ON for "Hide extensions of known file types".