Avast WEBforum
Other => Viruses and worms => Topic started by: Jimmyjam85 on October 15, 2012, 09:28:28 PM
-
I am trying to clean a friend's computer and am repeatedly being redirected to other websites, which from what I've read is due to the BCMiner trojan. I tried running multiple scanners to get rid of it but it just keeps reappearing. The scanner that is actually catching it is MBAM, and it also caught Adware.Agent, PUP.PlayBryte, PUP.MyWebSearc, and Adware.IBryte.
From what I've read here on the forums regarding this trojan, I downloaded and ran ComboFix, so here's the log from that scan. If there's anything else you need, I will be more than happy to provide any information needed.
-
Follow the guide and attach the logs, don't copy and paste: http://forum.avast.com/index.php?topic=53253.0
AdwCleaner
Malwarebytes
OTL
aswMBR
When done, a removal specialist will help you.
-
Question: my friend purchased their computer with Windows 7 Home edition in Spanish. So will the logs be okay if they are in Spanish? I mean, it basically looks the same, just a couple of things here and there are in Spanish. I've tried seeing if there was a way to change the language on the AdwCleaner program but I can't seem to find it.
-
Hi,
Just done a bit of research. This may help you :)
www.froggie.sk/
Anthony
-
AdwCleaner will clear some browser toolbar crap if you have any... the log is not that important.
Also, any file paths and malware names are still in English... I think... and Essexboy has seen so many logs that he can read these logs blindfolded.
-
Haha, sounds good then, but now for some reason Malwarebytes won't update anymore, so now I have to figure this out.
-
Hi, it appears to be a Firefox/IE browser hijack and not bitcoiner.
To remove this I will need the OTL logs.
-
Here's the log you requested. :)
-
OK, let me know what problems remain after this.
Warning: this fix is only relevant for this system and no other; using it on another computer may cause problems.
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
(https://dl.dropbox.com/u/73555776/OTL_Fix.GIF)
:OTL
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://searchfunmoods.com/?f=1&a=aed&chnl=aed&cd=2XzuyEtN2Y1L1Qzu0EtDtB0AzztByEyD0FzyyEtCyCyE0B0EtN0D0Tzu0CtByBzztN1L2XzutBtFtBtFtDtFtAyEyE&cr=2092008366
IE - HKLM\..\SearchScopes\{17B15372-2A23-8F17-D120-661A6ED7B4DE}: "URL" = http://dts.search-results.com/sr?src=ieb&appid=168&systemid=406&sr=0&q={searchTerms}
IE - HKLM\..\SearchScopes\{23088cf8-eaf8-4bb3-a251-9ba61557ac75}: "URL" = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=Z1xdm003YYus&ptnrS=Z1xdm003YYus&si=CJm8h_f9m6oCFakaQgodvWIu2A&ptb=F5FB6AC8-2559-457F-B1E6-7AA2B5287957&psa=&ind=2011072503&st=sb&n=77de87f7&searchfor={searchTerms}
IE - HKU\S-1-5-21-4123514263-4221296367-3105316158-1000\..\SearchScopes\{8D0206EA-D72B-4D74-9FB7-267972EA5D77}: "URL" = http://searchfunmoods.com/results.php?f=4&q={searchTerms}&a=aed&chnl=aed&cd=2XzuyEtN2Y1L1Qzu0EtDtB0AzztByEyD0FzyyEtCyCyE0B0EtN0D0Tzu0CtByBzztN1L2XzutBtFtBtFtDtFtAyEyE&cr=2092008366
IE - HKU\S-1-5-21-4123514263-4221296367-3105316158-1000\..\SearchScopes\{91607fa7-3c2f-4f90-93e3-d5337a6b0ac2}: "URL" = Playbryte-fa-ptn/search/redirect/?type=default&user_id=75b85d46-7125-4563-9f75-ba03c68d3d4b&query={searchTerms}
O2 - BHO: (My Personal Homepage) - {0538CF1C-8419-4800-ADBB-0C00C799FDA2} - C:\Users\Ana\AppData\Roaming\Genieo\Application\IEPlugins\bin\IEWrapper.dll ()
O2 - BHO: (no name) - {1036AD63-AEAC-460B-9060-C96005D4DC86} - No CLSID value found.
O2 - BHO: (Privacy Safeguard BHO) - {A42D2EB4-DD31-4BB5-8AA5-8D4E04806DBE} - C:\Program Files\PrivacySafeGuard\PrivacySafeGuard.dll File not found
O3 - HKLM\..\Toolbar: (no name) - {06C7AD57-B655-418D-9AB8-9526A6D2E052} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O4 - HKLM..\Run: [Sendori Tray] C:\Program Files (x86)\Sendori\SendoriTray.exe (Sendori, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O20:64bit: - AppInit_DLLs: (C:\PROGRA~2\IMESHA~1\MediaBar\Datamngr\x64\IEBHO.dll) - C:\Program Files (x86)\iMesh Applications\MediaBar\Datamngr\x64\IEBHO.dll (Bandoo Media, inc)
[2012/10/04 14:47:17 | 000,000,000 | ---D | C] -- C:\Program Files\PrivacySafeGuard
[2012/10/04 14:47:17 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Privacy SafeGuard
[2012/10/04 14:39:36 | 000,321,384 | ---- | C] (Sendori) -- C:\Windows\SysWow64\Sendori.dll
[2012/10/04 14:39:33 | 000,000,000 | ---D | C] -- C:\ProgramData\Sendori
[2012/10/04 14:39:31 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Sendori
[2012/10/04 14:39:27 | 000,000,000 | ---D | C] -- C:\ProgramData\FreePriceAlerts
[2012/10/02 15:47:33 | 000,000,000 | ---D | C] -- C:\Users\Ana\AppData\Roaming\7551CC04
[2012/09/22 02:23:26 | 000,000,000 | ---D | C] -- C:\Users\Ana\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\File Recovery
[2012/09/22 11:36:30 | 000,000,136 | ---- | M] () -- C:\ProgramData\-rZkt00NwntvqGMr
[2012/10/04 14:18:51 | 000,290,500 | ---- | C] () -- C:\Users\Ana\AppData\Local\funmoods-speeddial_sf.crx
[2012/09/22 02:50:31 | 000,000,136 | ---- | C] () -- C:\ProgramData\-rZkt00NwntvqGMr
[2012/09/22 02:50:31 | 000,000,136 | ---- | C] () -- C:\ProgramData\-rZkt00NwntvqGM
:Files
C:\Users\Ana\AppData\Local\Google\Chrome\User Data\Default\Extensions\geggofhlfbcmanadhknllmlajiafopoh
C:\Users\Ana\AppData\Local\Google\Chrome\User Data\Default\Extensions\gmekldhjpnedilgjphomliffhhnknpeb
C:\Users\Ana\AppData\Local\Google\Chrome\User Data\Default\Extensions\gejobfgabjknekpkpnpnieipmfapcdpe
C:\Program Files (x86)\iMesh Applications
:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
-
Will do as soon as I get home from work, which is 10 more hours. Thanks for the help, and I'll update you on the status in a while.
-
Tsk reading while at work ;D ;D ;D ;D
-
Sorry for the delay, been working 10-hour shifts and busy with family etc. Just did as told, and here's the report after inserting the script, running the fix, and running the quick scan after the reboot.
-
How is the computer behaving now?
-
Not sure, I didn't do much after running OTL. The computer battery died when restarting; would that harm the fix in any way? And what improvements in particular should I be looking for exactly? I stopped getting the Internet redirections a couple of days ago.
Should this fix the virus scanner update, Google Chrome and Safari issue I just started having?
-
I removed the remaining funweb and other redirecting/bad extensions.
What is the virus scanner update error?
"Should this fix the virus scanner update, Google Chrome and Safari issue I just started having?"
-
Well, on Avast it basically times out and says it can't reach the server; same thing on Spybot S&D. MBAM is the only one that shows an error: "PROGRAM_ERROR_UPDATING (0,0 Host not found)". Also, there is no Internet access when using Safari or Google Chrome (web pages just say not connected to a network), but IE works fine.
-
IE - HKU\S-1-5-21-4123514263-4221296367-3105316158-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = actsvr.comcastonline.com;*.local
IE - HKU\S-1-5-21-4123514263-4221296367-3105316158-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = actsvr.comcastonline.com:8100
Is Comcast your ISP?
-
It might be my friend's ISP, but it's definitely not mine.
-
OK, could you create a system restore point? I will remove those, then let me know if that makes a difference.
Warning: this fix is only relevant for this system and no other; using it on another computer may cause problems.
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
(https://dl.dropbox.com/u/73555776/OTL_Fix.GIF)
:OTL
IE - HKU\S-1-5-21-4123514263-4221296367-3105316158-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = actsvr.comcastonline.com;*.local
IE - HKU\S-1-5-21-4123514263-4221296367-3105316158-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = actsvr.comcastonline.com:8100
:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN
Please download MiniToolBox (http://download.bleepingcomputer.com/farbar/MiniToolBox.exe), save it to your desktop and run it.
(https://dl.dropbox.com/u/73555776/minitoolbox.JPG)
Checkmark the following checkboxes:
- Flush DNS
- Report IE Proxy Settings
- Reset IE Proxy Settings
- Report FF Proxy Settings
- Reset FF Proxy Settings
- List content of Hosts
- List IP configuration
- List Winsock Entries
- List last 10 Event Viewer log
- List Installed Programs
- List Devices
- List Users, Partitions and Memory size.
- List Minidump Files
Click Go and attach the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.
Note: When using "Reset FF Proxy Settings" option Firefox should be closed.
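Added example, not part of this post or of OTL itself: a small Python triage pass over OTL-style log lines, covering both the indicator classes in the first fix above (hijacked SearchScopes, orphaned O2 BHOs, the O20 AppInit_DLLs entry, O4 autoruns) and the Internet Settings proxy lines in this one. The sample input is constructed from the lines quoted in the thread plus one benign search scope with a made-up GUID for contrast; TRUSTED_SEARCH_HOSTS is an assumed allowlist, not something OTL provides.

```python
"""Group OTL log lines into hijack/proxy indicator classes.

Added example; the sample below is constructed from the lines quoted in the
thread (plus one benign Bing search scope with a made-up GUID).
"""
import re
from urllib.parse import urlsplit

SAMPLE_OTL_LINES = r"""
IE - HKLM\..\SearchScopes\{23088cf8-eaf8-4bb3-a251-9ba61557ac75}: "URL" = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=Z1xdm003YYus&searchfor={searchTerms}
IE - HKLM\..\SearchScopes\{00000000-0000-0000-0000-000000000001}: "URL" = http://www.bing.com/search?q={searchTerms}
IE - HKU\S-1-5-21-4123514263-4221296367-3105316158-1000\..\SearchScopes\{91607fa7-3c2f-4f90-93e3-d5337a6b0ac2}: "URL" = Playbryte-fa-ptn/search/redirect/?type=default&query={searchTerms}
O2 - BHO: (My Personal Homepage) - {0538CF1C-8419-4800-ADBB-0C00C799FDA2} - C:\Users\Ana\AppData\Roaming\Genieo\Application\IEPlugins\bin\IEWrapper.dll ()
O2 - BHO: (no name) - {1036AD63-AEAC-460B-9060-C96005D4DC86} - No CLSID value found.
O2 - BHO: (Privacy Safeguard BHO) - {A42D2EB4-DD31-4BB5-8AA5-8D4E04806DBE} - C:\Program Files\PrivacySafeGuard\PrivacySafeGuard.dll File not found
O4 - HKLM..\Run: [Sendori Tray] C:\Program Files (x86)\Sendori\SendoriTray.exe (Sendori, Inc.)
O20:64bit: - AppInit_DLLs: (C:\PROGRA~2\IMESHA~1\MediaBar\Datamngr\x64\IEBHO.dll) - C:\Program Files (x86)\iMesh Applications\MediaBar\Datamngr\x64\IEBHO.dll (Bandoo Media, inc)
IE - HKU\S-1-5-21-4123514263-4221296367-3105316158-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = actsvr.comcastonline.com:8100
IE - HKU\S-1-5-21-4123514263-4221296367-3105316158-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = actsvr.comcastonline.com;*.local
"""

# Assumption: search providers a user could plausibly have set on purpose.
TRUSTED_SEARCH_HOSTS = {"www.bing.com", "www.google.com", "duckduckgo.com"}

SEARCHSCOPE_RE = re.compile(r'SearchScopes\\(\{[0-9A-Fa-f-]+\}): "URL" = (\S+)')
BHO_RE = re.compile(r'^O2 - BHO: \((.*?)\) - (\{[0-9A-Fa-f-]+\}) - (.*)$')
APPINIT_RE = re.compile(r'^O20.*AppInit_DLLs: \((.*?)\)')
PROXY_RE = re.compile(r'Internet Settings: "(ProxyServer|ProxyOverride|AutoConfigURL|ProxyEnable)" = (.*)$')
RUN_RE = re.compile(r'^O4 - (HK\w+).*?\\Run: \[(.*?)\] (.*)$')


def classify(line):
    """Return (category, detail) for a line worth acting on, else None."""
    line = line.rstrip()
    m = SEARCHSCOPE_RE.search(line)
    if m:
        guid, url = m.groups()
        # A scope with no scheme (the Playbryte one) has no hostname; keep the raw value.
        host = urlsplit(url).hostname or url
        if host not in TRUSTED_SEARCH_HOSTS:
            return ("search_hijack", f"{guid} -> {host}")
        return None
    m = BHO_RE.match(line)
    if m:
        name, clsid, target = m.groups()
        # OTL marks dangling registrations explicitly; those are safe to remove.
        if "File not found" in target or "No CLSID value found" in target:
            return ("orphaned_bho", f"{clsid} ({name}): {target}")
        return ("bho", f"{clsid} ({name}): {target}")
    m = APPINIT_RE.match(line)
    if m:
        # AppInit_DLLs loads into every process that links user32; always review.
        return ("appinit_dll", m.group(1))
    m = PROXY_RE.search(line)
    if m:
        return ("proxy_setting", f"{m.group(1)} = {m.group(2)}")
    m = RUN_RE.match(line)
    if m:
        return ("autorun", f"{m.group(2)}: {m.group(3)}")
    return None


def triage(text):
    """Map category -> list of details, in the order the lines appear."""
    findings = {}
    for line in text.splitlines():
        hit = classify(line)
        if hit:
            findings.setdefault(hit[0], []).append(hit[1])
    return findings


if __name__ == "__main__":
    for category, items in triage(SAMPLE_OTL_LINES).items():
        print(f"[{category}]")
        for item in items:
            print("   ", item)
```

The categories map directly onto what the fix scripts in this thread do: search_hijack and orphaned_bho entries go under :OTL, the AppInit DLL's directory under :Files, and a proxy_setting pointing at a host the user does not recognise is the "no Internet except IE" symptom described below.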
-
Here are the reports for the OTL fix and the MiniToolBox. The MiniToolBox report is in Spanish; if needed I can try and run it through some kind of translator.
-
Spanish is not a problem, as the file names are English.
First:
Start an elevated command prompt:
Go Start > All Programs > Accessories
Right-click Command Prompt and select Run as Administrator
In the black box that opens, enter the following commands, pressing Enter after each one:
netsh winsock reset
netsh int ip reset resetlog.txt
Let me know of any errors generated.
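Added example, not part of this post: before resetting the Winsock catalog it is useful to see what is actually registered in it, since `netsh winsock reset` discards every third-party provider without telling you what it removed. The Python below parses the text that `netsh winsock show catalog` prints (capture it on the affected machine with `netsh winsock show catalog > catalog.txt`) and flags entries that are layered or chained, or whose DLL lives outside %SystemRoot%\system32. The catalog text here is constructed to mirror netsh's layout, and the ExampleBar LSP entry is an assumed stand-in for a third-party provider, not something the thread reports; the system32 rule is a heuristic, and the definitive check on the host is the DLL's Authenticode signature.

```python
"""Flag third-party / layered providers in `netsh winsock show catalog` output.

Added example. SAMPLE_CATALOG is constructed: two Microsoft base providers
as netsh prints them, plus an assumed third-party layered provider.
"""
import re

SAMPLE_CATALOG = r"""
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider ID:                        {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001
Version:                            2
Protocol Chain Length:              1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [UDP/IP]
Provider ID:                        {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1002
Version:                            2
Protocol Chain Length:              1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        ExampleBar LSP over [TCP/IP]
Provider ID:                        {00000000-0000-0000-0000-0000000000AA}
Provider Path:                      C:\Program Files (x86)\ExampleBar\examplelsp.dll
Catalog Entry ID:                   1012
Version:                            2
Protocol Chain Length:              2
"""

ENTRY_HEADER = "Winsock Catalog Provider Entry"
FIELD_RE = re.compile(r"^([A-Za-z ]+):\s+(.*?)\s*$")


def parse_catalog(text):
    """Split netsh output into one dict of 'Field: value' pairs per provider entry."""
    entries = []
    current = None
    for line in text.splitlines():
        if line.strip() == ENTRY_HEADER:
            current = {}
            entries.append(current)
            continue
        if current is None:
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1).strip()] = m.group(2)
    return entries


def is_system32_path(path):
    """Heuristic: Microsoft's stock providers live under %SystemRoot%\\system32.
    Assumption: %SystemRoot% expands to C:\\Windows on the host being checked."""
    p = path.lower().replace("%systemroot%", "c:\\windows")
    return p.startswith("c:\\windows\\system32\\")


def suspicious_providers(entries):
    """Entries that are layered (LSPs), chained over another provider, or load
    a DLL from outside system32. These are what `netsh winsock reset` will drop."""
    flagged = []
    for e in entries:
        layered = e.get("Entry Type", "") == "Layered Service Provider"
        chained = int(e.get("Protocol Chain Length", "1")) > 1
        if layered or chained or not is_system32_path(e.get("Provider Path", "")):
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    for e in suspicious_providers(parse_catalog(SAMPLE_CATALOG)):
        print(e.get("Catalog Entry ID"), e.get("Entry Type"), e.get("Provider Path"))
```

If the flagged DLL belongs to something already deleted by an earlier fix, that is the "corrupted LSP stack" case: the catalog still references a provider that cannot load, and every Winsock client (browsers, updaters) fails while IE, which respects the proxy setting, may still appear to work. The reset rebuilds the catalog from Microsoft's defaults; the IP reset command that follows it in the post clears the TCP/IP stack configuration the same way.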
-
Don't know how you did that, but you sure fixed that issue. As for that rootkit, where shall we go from here? Should I update and run MBAM, Avast and Spybot S&D? Or perhaps some others as well?
-
It will be some hours before Essexboy is back in the forum, so be patient ;)
-
The LSP stack was corrupted. Now fixed.
How is the computer behaving?
As I have said, I saw no indication of a rootkit, but run MBAM again please and post the resultant log.