Avast WEBforum

Other => Viruses and worms => Topic started by: REDACTED on November 13, 2014, 06:25:05 AM

Title: Somehow infected with trojan(s), please help! [FIXED - thank you!]
Post by: REDACTED on November 13, 2014, 06:25:05 AM
Hiya,
Basically, a few hours ago - it was brought to my attention that I had a potential trojan lurking on my PC. I was talking to my friend in a Skype call when my UAC informed me that Adobe Flash Player needed an update. I was skeptical about this because the publisher listed was not Adobe Systems Incorporated, it was unknown/unverified. When I selected 'No', the UAC window refused to disappear. It would keep popping up aggressively, expecting me to run the exe. I got a little panicky and restarted my PC before scanning everything with Malwarebytes.

It found and quarantined a trojan, and this is what it was from the logs:
http://puu.sh/cOIFc/29076dacbf.png

I was scared so I relayed this info to my friend and he advised me to get Avast because I've mostly been relying on MSE/Malwarebytes and haven't had too many problems. I did this and scanned again, and was greeted with another Trojan called BV:Agent-ANZ. I scanned and quarantined that, and allowed Avast to do the boot scan thing as well. Nothing untoward was picked up, as far as I'm aware.

Now, I was jittery for a couple of hours after this but managed to calm down after I scanned my system several times and nothing dodgy appeared. I was just about to head to bed but I decided to check one last time before hopping off and was greeted with another threat?
http://puu.sh/cOILf/692e652499.png

I'm not sure what's going on. My friend said that I may have to reformat my PC/reinstall Windows, and I'm a little stressed about that because I do not have the Windows disc on me. I don't know how I managed to pick up these trojans, or if they've been latent for a while and have only decided to start being a pain now. I'm worried that this may've been a keylogger because I was having issues with my keyboard being slow/unresponsive when inputting text. Silly me thought that it may've just been the fact that his keyboard is wireless and I'd actually damaged the dongle so I just assumed it was faulty hardware. However, since I've scanned my system and quarantined the buggers, I haven't had any issues so I'm guessing it was related to this trojan.

One thing that I'm thinking may be the root of the issue is that I did visit a website that I trusted earlier yesterday. I have AdBlock installed and NoScript but I was still seeing porny/dodgy ads on the site. Upon checking the URL of the site using AdBlock, I found that the actual site was hosting the ads from its own servers to probably circumvent the filters AdBlock has in place. I'm finding this really suspicious so I'm wondering if this is related.

Please help, I'm not sure what to do. I've never had a trojan before (as far as I'm aware) so I'm really anxious and probably won't get any sleep until I can hopefully get this resolved/know what course of action needs to take place. If you need more info, I will be glad to provide it.
Title: Re: Somehow infected with trojan(s), please help!
Post by: Asyn on November 13, 2014, 06:31:48 AM
Attach your basic logs. (MBAM, FRST and aswMBR..!!)
Instructions: https://forum.avast.com/index.php?topic=53253.0
Title: Re: Somehow infected with trojan(s), please help!
Post by: REDACTED on November 13, 2014, 06:44:47 AM
Quote
Attach your basic logs. (MBAM, FRST and aswMBR..!!)
Instructions: https://forum.avast.com/index.php?topic=53253.0

Done, thank you so much for the quick reply. The addition.txt is the FRST thing.
Title: Re: Somehow infected with trojan(s), please help!
Post by: Asyn on November 13, 2014, 06:46:19 AM
You're welcome, now you've to wait a bit...
Title: Re: Somehow infected with trojan(s), please help!
Post by: REDACTED on November 13, 2014, 07:16:02 AM
Quote
You're welcome, now you've to wait a bit...
I just scanned again with MWB and it's found something. It seems like something is downloading these trojans onto my computer. Ah, I'm honestly going to have a panic attack - I didn't expect to deal with all this stuff at quarter past 6 in the morning.
Title: Re: Somehow infected with trojan(s), please help!
Post by: Asyn on November 13, 2014, 07:18:42 AM
Quote
Ah, I'm honestly going to have a panic attack - I didn't expect to deal with all this stuff at quarter past 6 in the morning.
Don't worry, the experts have some powerful tools at hand. :)
Title: Re: Somehow infected with trojan(s), please help!
Post by: REDACTED on November 13, 2014, 08:18:22 AM
Thank you. I can see that the experts here are really awesome and helpful, I just hope my issue won't be too much of a pain for them to look at.

Last couple of scans (10+ maybe? lol) with MWB and Avast have been clean. I think my USB stick may be infected because at the time of discovering the last infection, it was plugged into my system. Since I've removed it, I haven't received any alerts/nothing has been quarantined. I did transfer a folder full of txt files to the USB stick and it was plugged in the system for maybe an hour or so whilst I was removing other threats.

I've pretty much been scanning constantly back and forth on both. Still nervous though. It's my own fault really, I should've had some form of browser protection, but I thought NoScript and AdBlock would be sufficient. I know better now. Fingers crossed this will be something simple to fix.
Title: Re: Somehow infected with trojan(s), please help! [Unsolved]
Post by: Pondus on November 13, 2014, 08:41:31 AM
Quote
I think my USB stick may be infected because at the time of discovering the last infection, it was plugged into my system.
see the guide Asyn gave the link to... scroll down to SPECIFIC INFECTIONS LOGS / MCShield instructions... run as instructed and attach the log

removal experts will be online later today, usually after work hours European time   ;)
Title: Re: Somehow infected with trojan(s), please help! [Unsolved]
Post by: REDACTED on November 13, 2014, 08:50:17 AM
Quote
I think my USB stick may be infected because at the time of discovering the last infection, it was plugged into my system.
see the guide Asyn gave the link to... scroll down to SPECIFIC INFECTIONS LOGS / MCShield instructions... run as instructed and attach the log

removal experts will be online later today, usually after work hours European time   ;)
Thank you!

Is it okay if I wait until my main system is clean before I install and use MCShield? I'm just worried about my rig because I game on this and I don't want these infections to break anything. So far there have been no further infections so I don't want to risk anything.

Haha, I'm in Europe myself so I guess I'll be waiting a long time for a response. Oh well, I'll just keep scanning.
Title: Re: Somehow infected with trojan(s), please help! [Unsolved]
Post by: Pondus on November 13, 2014, 08:54:40 AM
Quote
Is it okay if I wait until my main system is clean before I install and use MCShield?
yepp   ;)

Title: Re: Somehow infected with trojan(s), please help! [Unsolved]
Post by: REDACTED on November 13, 2014, 01:43:01 PM
Last 14 avast! scans (mix of full and quick) have come up clean.
Last 20 MWB scans have also come up clean as well.

No new infections found since the last one that MWB picked up at 6am. It's now over 6 hours later.

I am really, really tired and I haven't slept, haha.
Title: Re: Somehow infected with trojan(s), please help! [Unsolved]
Post by: Pondus on November 13, 2014, 04:06:15 PM
Quote
Last 14 avast! scans (mix of full and quick) have come up clean.
Last 20 MWB scans have also come up clean as well.

No new infections found since the last one that MWB picked up at 6am. It's now over 6 hours later.

I am really, really tired and I haven't slept, haha.
D'oh! .... why do 34 scans when the removal experts have been notified? .... and why do both quick and full, as a full scan does the same as a quick one and then some?
Title: Re: Somehow infected with trojan(s), please help! [Unsolved]
Post by: REDACTED on November 13, 2014, 04:13:02 PM
Quote
Last 14 avast! scans (mix of full and quick) have come up clean.
Last 20 MWB scans have also come up clean as well.

No new infections found since the last one that MWB picked up at 6am. It's now over 6 hours later.

I am really, really tired and I haven't slept, haha.
D'oh! .... why do 34 scans when the removal experts have been notified? .... and why do both quick and full, as a full scan does the same as a quick one and then some?
I scanned so much because I was worried that whatever is infecting my system would continue to corrupt files while I wait for a response from the removal experts.

The last time I scanned and things were clean (before I posted here), I was going to go to sleep. Before I did, I scanned once more and MalwareBytes found another trojan. So I am a little paranoid that there may still be something hiding. Did I make a mistake?  :'(
Title: Re: Somehow infected with trojan(s), please help! [Unsolved]
Post by: Pondus on November 13, 2014, 04:19:06 PM
Quote
Did I make a mistake?
no, but the removal experts here will fix it in one go, or two..... the computer is not going anywhere   ;)
Title: Re: Somehow infected with trojan(s), please help! [Unresolved]
Post by: essexboy on November 13, 2014, 04:57:09 PM
Hi, you only have a partial infection so it is not active.
CAUTION: This fix is only valid for this specific machine, using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

Quote
2014-11-12 22:45 - 2014-11-12 23:00 - 00000000 ____D () C:\ProgramData\SosecRigey
2014-11-12 22:45 - 2014-11-12 22:45 - 00000000 ____D () C:\ProgramData\Windows Genuine Advantage
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe.
Run FRST and press Fix.
On completion a log will be generated; please post that.

THEN

Please download AdwCleaner (http://www.bleepingcomputer.com/download/adwcleaner/) by Xplode onto your desktop.
Title: Re: Somehow infected with trojan(s), please help! [Unresolved]
Post by: REDACTED on November 13, 2014, 05:15:57 PM
Thank you, essexboy, for your help!

I hope it's okay that I've added the files as attachments. <3

Weird thing is, when I tried to submit this post, my net went down for a few seconds.  :o
Title: Re: Somehow infected with trojan(s), please help! [Unresolved]
Post by: essexboy on November 13, 2014, 05:20:14 PM
A scan with MBAM should now show no problems. Can you confirm that?
Title: Re: Somehow infected with trojan(s), please help! [Unresolved]
Post by: REDACTED on November 13, 2014, 05:27:42 PM
Quote
A scan with MBAM should now show no problems. Can you confirm that?
Yes. :3

edit:
Is it ok for me to also check with MCShield to see if my USB has any traces of the trojan on it? I was stupid and transferred files that I wanted to salvage over there while I was cleaning out the initial infection. It's only a 2GB USB stick, but some of the files on there are important.

Also noticed that since I did what you asked, my net keeps disconnecting randomly. I don't know why. I think it is Avast's secure DNS that is acting up, actually.
Title: Re: Somehow infected with trojan(s), please help! [Unresolved]
Post by: essexboy on November 13, 2014, 06:45:50 PM
To test the secure DNS problem out, switch it off.

Download MCShield (http://www.mcshield.net/) to your desktop and install it.
It will initially run a scan and show the result as a toaster by the system clock.
Then in the control centre select scanner and tick unhide items on flash drives.
(https://dl.dropbox.com/u/73555776/mcshield%20unhide.JPG)
Plug in the drive and MCShield will start a scan.

Then get the log, which will be located under the logs tab on the main page,

and post that.
Title: Re: Somehow infected with trojan(s), please help! [Unresolved]
Post by: REDACTED on November 14, 2014, 10:18:08 AM
Quote
To test the secure DNS problem out, switch it off.

Download MCShield (http://www.mcshield.net/) to your desktop and install it.
It will initially run a scan and show the result as a toaster by the system clock.
Then in the control centre select scanner and tick unhide items on flash drives.
(https://dl.dropbox.com/u/73555776/mcshield%20unhide.JPG)
Plug in the drive and MCShield will start a scan.

Then get the log, which will be located under the logs tab on the main page,

and post that.

Thank you so much for your help~
Title: Re: Somehow infected with trojan(s), please help! [Unresolved]
Post by: Pondus on November 14, 2014, 10:26:54 AM
MCShield log is not readable (some forum issue) .... you need to copy and paste it
Title: Re: Somehow infected with trojan(s), please help! [Unresolved]
Post by: REDACTED on November 14, 2014, 10:29:28 AM
Ok!

>>> MCShield AllScans.txt <<<
-----------------------------

MCShield ::Anti-Malware Tool:: http://www.mcshield.net/
>>> v 3.0.5.28 / DB: 2014.11.5.1 / Windows 7 <<<

14/11/2014 09:09:26 > Drive C: - scan started (120GB SSD ~112 GB, NTFS HDD )...
=> The drive is clean.

14/11/2014 09:09:26 > Drive D: - scan started (1TB ~932 GB, NTFS HDD )...
=> The drive is clean.

MCShield ::Anti-Malware Tool:: http://www.mcshield.net/
>>> v 3.0.5.28 / DB: 2014.11.5.1 / Windows 7 <<<

14/11/2014 09:10:58 > Drive F: - scan started (no label ~1928 MB, FAT flash drive )...
>>> F:\~WRL0005.tmp > ignored (user request). (MD5: af7145a209777672d8a684a3cfdf7b95)
=> The drive is clean.



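An added example, not from the thread or from MCShield, of how one might review a log in the format pasted above: a Python parser that groups the AllScans.txt lines into per-drive results and flags any drive where an item was only ignored at the user's request, since that file was skipped rather than examined and cleared. The line patterns are assumptions inferred from the pasted log, and the sample input is constructed from it.

```python
import re
from dataclasses import dataclass, field
# Constructed sample built from the three drive scans pasted above (blank lines
# dropped); the regexes below are inferred from it, not from MCShield documentation.
SAMPLE_LOG = """\
MCShield ::Anti-Malware Tool:: http://www.mcshield.net/
>>> v 3.0.5.28 / DB: 2014.11.5.1 / Windows 7 <<<
14/11/2014 09:09:26 > Drive C: - scan started (120GB SSD ~112 GB, NTFS HDD )...
=> The drive is clean.
14/11/2014 09:09:26 > Drive D: - scan started (1TB ~932 GB, NTFS HDD )...
=> The drive is clean.
MCShield ::Anti-Malware Tool:: http://www.mcshield.net/
>>> v 3.0.5.28 / DB: 2014.11.5.1 / Windows 7 <<<
14/11/2014 09:10:58 > Drive F: - scan started (no label ~1928 MB, FAT flash drive )...
>>> F:\\~WRL0005.tmp > ignored (user request). (MD5: af7145a209777672d8a684a3cfdf7b95)
=> The drive is clean.
"""

SCAN_START = re.compile(r"^(\S+ \S+) > Drive (\w:) - scan started \((.*?)\s*\)\.\.\.$")
FILE_EVENT = re.compile(r"^>>> (?P<path>.+?) > (?P<action>.+?)\. \(MD5: (?P<md5>[0-9a-f]{32})\)$")
VERDICT = re.compile(r"^=> (.+)$")

@dataclass
class DriveScan:
    started: str
    drive: str
    description: str
    events: list = field(default_factory=list)  # (path, action, md5) tuples
    verdict: str = ""

    def needs_review(self) -> bool:
        # "Clean" plus an ignored item still deserves a look: that file was skipped
        # at the user's request, not examined and cleared by the scanner.
        return self.verdict != "The drive is clean." or any(
            action.startswith("ignored") for _, action, _ in self.events)

def parse_mcshield_log(text: str) -> list:
    # One DriveScan per "scan started" line; file events and the verdict
    # attach to the most recently started scan.
    scans = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := SCAN_START.match(line):
            scans.append(DriveScan(m.group(1), m.group(2), m.group(3)))
        elif scans and (m := FILE_EVENT.match(line)):
            scans[-1].events.append((m["path"], m["action"], m["md5"]))
        elif scans and (m := VERDICT.match(line)):
            scans[-1].verdict = m.group(1)
    return scans

def drives_needing_review(text: str) -> list:
    return [s.drive for s in parse_mcshield_log(text) if s.needs_review()]
```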
Title: Re: Somehow infected with trojan(s), please help! [Unresolved]
Post by: essexboy on November 14, 2014, 02:46:40 PM
Is there an improvement after you stopped secure DNS? Also, do you have any other problems?
Title: Re: Somehow infected with trojan(s), please help! [Unresolved]
Post by: REDACTED on November 14, 2014, 02:59:21 PM
I think there's been a marginal improvement since I turned the DNS thing off.

The thing is, my ISP's a bit crap when it comes to the net going down due to area faults, etc. If the problem persists, I'll give them a ring.

I don't think I've had any problems since you've saved my computer, thanks so much for your help. Is there a way to give you rep or something or is my account too new for that? c:
Title: Re: Somehow infected with trojan(s), please help! [Unresolved]
Post by: essexboy on November 14, 2014, 03:01:11 PM
We don't use the rep thing here :)

Subject to no further problems   :)

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day ----- Your log now appears clean  :thumbsup:

A good workman always cleans up after himself, so... The following will implement some cleanup procedures as well as reset System Restore points:

Download and run Delfix (http://general-changelog-team.fr/fr/downloads/finish/20-outils-de-xplode/9-delfix)

(https://dl.dropboxusercontent.com/u/73555776/delfix.JPG)


: Keep Java Updated :

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java.
See this article (http://www.forbes.com/sites/eliseackerman/2013/01/11/us-department-of-homeland-security-calls-on-computer-users-to-disable-java/)

I would recommend that you completely uninstall Java unless you need it to run an important piece of software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to disable Java in your web browser (http://www.geekstogo.com/2600/how-to-disable-java-in-your-web-browser/) and How to unplug Java from the browser (http://krebsonsecurity.com/how-to-unplug-java-from-the-browser/))

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent (http://www.foolishit.com/vb6-projects/cryptoprevent/): install this programme to lock down and prevent crypto ransomware

(https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG)

Malwarebytes (http://www.malwarebytes.org/mbam-download.php).

Update and run weekly to keep your system clean


It is critical to have both a firewall and antivirus to protect your system, and to keep them updated.

To learn more about how to protect yourself while on the internet, read this little guide: Best security practices (http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/). Keep safe  :wave: