Avast WEBforum
Other => Viruses and worms => Topic started by: okym on March 05, 2013, 01:24:52 PM
-
I attached my sister-in-law's portable drive to my PC to transfer some files to my portable drive, and all the files on her drive were shown as shortcuts.
When I attempted to open a shortcut, AutoRun flashed on the screen.
I cancelled it as fast as I could; however, Malwarebytes Pro is now disabled, including protection mode, and my Control Panel has been disabled.
Running Malwarebytes in Safe Mode detects a possible trojan horse (Trojan.Agent.Ck) as well as a number of malicious registry entries.
Avast now continually notifies me of two malicious URLs:
//nnh42.name/a/
//jsh37.net/a/
One of the malicious registry entries contains the phrase "don't steal our software"
All attempts to rectify the problem have failed.
My system is running Windows XP with Service Pack 3.
I have attached the RogueKiller logs.
Any help you can give me would be greatly appreciated.
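The "every file on the drive shows as a shortcut" symptom in the post above is the classic removable-drive worm pattern: the real files and folders are set hidden, and a .lnk of the same name is dropped beside each one that launches a script host against a hidden script (the shortcut then usually opens the real item so the victim notices nothing). The following is an added example, not code from the original post, from Avast or from any of the tools used in this thread: a minimal parser for the StringData fields of a Shell Link file as laid out in Microsoft's MS-SHLLINK specification, plus a heuristic that flags a shortcut whose target or arguments invoke a script host on a script file. The two sample shortcuts are built inside the block so it runs offline; the folder name "Photos", the command line and the benign document are assumptions (only the 2a2a.js filename is taken from the thread).

```python
import re
import struct

# Shell Link header (MS-SHLLINK): HeaderSize 0x4C, LinkCLSID at offset 4, LinkFlags at 0x14.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits that decide where StringData starts and how it is encoded.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData fields appear in this fixed order, each present only if its flag is set.
STRING_FIELDS = (
    ("name", HAS_NAME),
    ("relative_path", HAS_RELATIVE_PATH),
    ("working_dir", HAS_WORKING_DIR),
    ("arguments", HAS_ARGUMENTS),
    ("icon_location", HAS_ICON_LOCATION),
)

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "mshta.exe"}
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".bat")


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a .lnk blob, skipping IDList and LinkInfo if present."""
    if len(data) < LNK_HEADER_SIZE or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]   # IDListSize + IDList body
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]       # LinkInfoSize includes itself
    fields = {}
    for field, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]      # CountCharacters, not bytes
        pos += 2
        if flags & IS_UNICODE:
            fields[field] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[field] = data[pos:pos + count].decode("cp1252")
            pos += count
    return fields


def is_shortcut_worm(fields: dict) -> bool:
    """Flag a shortcut that runs a script host against a script file (the USB worm pattern)."""
    text = " ".join(fields.get(k, "") for k in ("relative_path", "arguments")).lower()
    tokens = re.findall(r"[\w.\\/:%-]+", text)
    uses_host = any(t.rsplit("\\", 1)[-1] in SCRIPT_HOSTS for t in tokens)
    runs_script = any(t.endswith(SCRIPT_EXTS) for t in tokens)
    return uses_host and runs_script


def build_lnk(relative_path: str, arguments: str, working_dir: str = ".") -> bytes:
    """Build a minimal Unicode .lnk (no IDList/LinkInfo) so the example can run offline."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH | HAS_WORKING_DIR | HAS_ARGUMENTS
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))   # attributes, times, etc. zeroed

    def string_data(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(working_dir) + string_data(arguments)


# Constructed samples (assumptions, not captured from the poster's drive): a worm-style
# shortcut that runs the hidden script and then opens the real folder, and a benign shortcut.
WORM_SAMPLE = build_lnk(
    r"..\..\WINDOWS\system32\cmd.exe",
    r'/c start wscript.exe //B "Photos\2a2a.js" & start explorer "Photos"',
)
BENIGN_SAMPLE = build_lnk(r"..\Documents\report.docx", "")


if __name__ == "__main__":
    for label, blob in (("worm", WORM_SAMPLE), ("benign", BENIGN_SAMPLE)):
        fields = parse_lnk(blob)
        print(label, is_shortcut_worm(fields), fields.get("arguments", ""))
```

Run against every *.lnk on a suspect drive, the heuristic separates the dropped launchers from ordinary shortcuts without executing anything; a real infection will also leave the hidden originals (and the script itself) on the drive, which is why the helper later turns on McShield's "unhide items on flash drives".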
-
One of the malicious registry entries contains the phrase "don't steal our software"
so, you have a key generator for cracking the Malwarebytes license..... naughty boy
-
Attach the following logs: http://forum.avast.com/index.php?topic=53253.0
AdwCleaner
Malwarebytes (Malwarebytes should be run from normal mode unless it has a problem)
OTL
aswMBR
-
To be honest, the PC was part of an inheritance from a deceased estate, with the software preloaded, and I never bothered to check if it was genuine.
Looks like an uninstall is warranted.
I have attempted to run the programs you have listed, but whatever has infected me is blocking them from running.
-
OK... malware removers are notified; it may take hours before they arrive, so be patient.
You may try running from Safe Mode.
-
I managed to run AdwCleaner from Safe Mode; the log, if it is any use, is attached, together with the MBAM log.
Thanks for the assistance and patience; this is a whole new experience to me.
Kym
-
Hi, I will need the OTL log please.
Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your Desktop
Secondary link (http://www.itxassociates.com/OT-Tools/OTL.exe)
- Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
(https://dl.dropbox.com/u/73555776/OTL_Main_Tutorial.gif)
- Select All Users
- Under the Custom Scan box paste this in
netsvcs
BASESERVICES
%SYSTEMDRIVE%\*.exe
/md5start
services.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
winsock.*
/md5stop
CREATERESTOREPOINT
- Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
- When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Attach both logs
-
Sorry for the late reply; the "bug" is now interfering with my internet access.
Logs attached as requested.
Kym
-
OK, I think I can see the problem.
Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
(https://dl.dropbox.com/u/73555776/OTL_Fix.GIF)
:OTL
O4 - HKU\S-1-5-21-682003330-764733703-1177238915-1004..\Run: [7d7e7] C:\Documents and Settings\Bronwyn and Kym\Application Data\6b6\7d7e7.js ()
O4 - Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\2a2a.js ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\2a2a.js ()
O4 - Startup: C:\Documents and Settings\Bronwyn and Kym\Start Menu\Programs\Startup\2a2a.js ()
O4 - Startup: C:\Documents and Settings\Default User\Start Menu\Programs\Startup\2a2a.js ()
[2013/03/05 14:35:47 | 000,000,000 | -HSD | C] -- C:\Program Files\74607
[2013/03/05 14:35:47 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Bronwyn and Kym\Application Data\6b6
[2013/03/05 14:35:46 | 000,000,000 | -HSD | C] -- C:\6a4
[2013/03/06 07:00:03 | 000,047,405 | ---- | C] () -- C:\Documents and Settings\Bronwyn and Kym\Start Menu\Programs\Startup\2a2a.js
[2013/03/06 07:00:03 | 000,047,405 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\2a2a.js
:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN
Please download MiniToolBox (http://download.bleepingcomputer.com/farbar/MiniToolBox.exe), save it to your desktop and run it.
(https://dl.dropbox.com/u/73555776/minitoolbox.JPG)
Checkmark the following checkboxes:
- Flush DNS
- Report IE Proxy Settings
- Reset IE Proxy Settings
- Report FF Proxy Settings
- Reset FF Proxy Settings
- List content of Hosts
- List IP configuration
- List Winsock Entries
- List last 10 Event Viewer log
- List Installed Programs
- List Devices
- List Users, Partitions and Memory size.
- List Minidump Files
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.
Note: When using "Reset FF Proxy Settings" option Firefox should be closed.
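The fix above is built from the OTL log by pattern rather than by signature: a .js file run at logon from an HKU Run value and from every profile's Startup folder, with no publisher in the parentheses, a random-looking hex name, and hidden+system (-HSD) folders created at the same minute with the same style of name. The script below is an added example, not the helper's tooling or anything from the original logs: it applies that reasoning to OTL-style output and lists the entries a triage would remove. The sample lines are constructed for the example, modelled on the entries quoted above plus two ordinary Run entries for contrast; the cut-offs (hex stems of up to six characters, the extension list, the Startup-folder check) are the example author's assumptions, not rules from OTL.

```python
import ntpath
import re

# Constructed sample in OTL's own line formats (modelled on the thread, not a real log).
SAMPLE_OTL = r"""
O4 - HKU\S-1-5-21-682003330-764733703-1177238915-1004..\Run: [7d7e7] C:\Documents and Settings\Bronwyn and Kym\Application Data\6b6\7d7e7.js ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\2a2a.js ()
O4 - HKLM..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (Microsoft Corporation)
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
[2013/03/05 14:35:47 | 000,000,000 | -HSD | C] -- C:\Program Files\74607
[2013/03/05 14:35:47 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Bronwyn and Kym\Application Data\6b6
[2013/03/06 07:00:03 | 000,047,405 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\2a2a.js
"""

# O4 autostart line: "O4 - <location>: [<value name>] <path> (<publisher>)"; Startup-folder
# entries have no [value name], and an unsigned/unknown file shows an empty "()".
O4_RE = re.compile(
    r"^O4 - (?P<loc>.+?): (?:\[(?P<name>[^\]]*)\] )?(?P<path>.+?) \((?P<company>[^)]*)\)\s*$"
)
# Created-object line: "[date time | size | attrs | C] () -- <path>" ("()" absent for folders).
FILE_RE = re.compile(
    r"^\[(?P<when>[^|]+)\| (?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| [CM]\] (?:\(\) )?-- (?P<path>.+)$"
)
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}
HEX_NAME = re.compile(r"^[0-9a-f]{1,6}$")   # assumption: short hex stems like 7d7e7, 2a2a, 6b6


def _name_parts(path):
    # ntpath handles backslash paths on any host OS.
    stem, ext = ntpath.splitext(ntpath.basename(path))
    return stem.lower(), ext.lower()


def triage_otl(text):
    """Return [(path, [reasons])] for lines matching the script-worm persistence pattern."""
    findings = []
    for line in text.splitlines():
        reasons = []
        m = O4_RE.match(line)
        if m:
            company = m["company"].strip()
            stem, ext = _name_parts(m["path"])
            if ext in SCRIPT_EXTS:
                reasons.append("autostart runs a script through Windows Script Host")
            if not company and HEX_NAME.match(stem):
                reasons.append("no publisher and a random-looking hex filename")
        else:
            m = FILE_RE.match(line)
            if m:
                attrs = m["attrs"]
                stem, ext = _name_parts(m["path"])
                if "H" in attrs and "S" in attrs and HEX_NAME.match(stem):
                    reasons.append("hidden+system object with a hex name")
                if ext in SCRIPT_EXTS and "\\startup\\" in m["path"].lower():
                    reasons.append("script written into a Startup folder")
        if reasons:
            findings.append((m["path"], reasons))
    return findings


if __name__ == "__main__":
    for path, reasons in triage_otl(SAMPLE_OTL):
        print(path)
        for reason in reasons:
            print("   -", reason)
```

On the constructed sample the two Microsoft/Avast entries pass and the five worm artefacts are listed, which is exactly the set the OTL fix above removes. The hex-name test is deliberately narrow; it is a tell for this family, not a general rule, and a real triage still reads the whole log.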
-
Hi, I am facing the same issue.
In addition, there are multiple Windows Update icons in the system tray, which disappear on mouse roll-over.
-
Hi, I am facing the same issue.
In addition, there are multiple Windows Update icons in the system tray, which disappear on mouse roll-over.
Please start your own topic and supply/attach the following logs:
http://forum.avast.com/index.php?topic=53253.0
AdwCleaner
Malwarebytes
OTL
aswMBR
-
Hi essexboy,
Thanks for that. I may have to run the fix in Safe Mode; will that still work?
Will try it in normal mode first.
Kym
-
If you need to run it in Safe Mode then so be it, but allow the reboot to normal mode so that we can determine the effectiveness, or whether I need to look deeper.
-
Will do
Kym
-
Quick fix log and MiniToolBox log attached as requested.
As a side note, the only way I could get OTL to run in normal mode was to rename the desktop icon as "safe file".
The system now runs better, but the malicious URL pop-ups are still appearing and Control Panel is disabled.
Regards,
Kym
-
OK, the JS files returned, so we will need to go deeper.
Download and Install Combofix
Download ComboFix from one of the following locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html&pid=494216#entry494216)
- Double click on ComboFix.exe & follow the prompts.
- Accept the disclaimer and allow it to update if it asks
(http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png)
(http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png)
- When finished, it shall produce a log for you.
- Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If, after the reboot, you get errors about programmes being marked for deletion, then reboot; that will cure it.
Please make sure you include the ComboFix log in your next reply, as well as a description of how your computer is running now.
-
Between work and other things, I finally managed to run ComboFix; log attached as requested.
The Control Panel now appears to be accessible via the Start menu (have not tried to open it as yet), the "malicious URL blocked" pop-ups appear to have ceased, still unable to open Malwarebytes, got a pop-up stating "files waiting to be written to CD". Overall it seems to be running better.
Kym
-
One more run to finish it off, then try MBAM again.
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:
File::
c:\documents and settings\Administrator\Start Menu\Programs\Startup\21.js
c:\documents and settings\Bronwyn and Kym\Start Menu\Programs\Startup\21.js
c:\documents and settings\All Users\Start Menu\Programs\Startup\21.js
c:\documents and settings\Default User\Start Menu\Programs\Startup\21.js
Folder::
c:\documents and settings\Bronwyn and Kym\Application Data\6b6
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"7d7e7"=-
Save this as CFScript.txt, in the same location as ComboFix.exe
(http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif)
Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it will produce a log for you at C:\ComboFix.txt, which I will require in your next reply.
-
Thanks essexboy, will do this as soon as I get home after work tonight.
Many thanks and kindest regards,
Kym
-
OK,
Turned on the PC to run the file as requested.
Control Panel had again been disabled; opened an internet connection and immediately got the "malicious URL blocked" pop-up again, as well as the "files waiting to be written to CD" notification.
The ComboFix icon had gone from the desktop, as well as the log file from the C drive.
Ran the CFScript.txt as advised; log file attached.
After running the txt file, Control Panel has returned and Malwarebytes is now accessible.
I thank you for your time so far.
Regards,
Kym
-
Yep, it created a new folder and startup set in that short period.
Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
(https://dl.dropbox.com/u/73555776/OTL_Fix.GIF)
:Files
C:\6a4
c:\documents and settings\Administrator\Start Menu\Programs\Startup\283.js
c:\documents and settings\Bronwyn and Kym\Start Menu\Programs\Startup\283.js
c:\documents and settings\All Users\Start Menu\Programs\Startup\283.js
c:\documents and settings\Default User\Start Menu\Programs\Startup\283.js
:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
-
Logged back on to check your reply, only to find Control Panel again disabled and malicious URL pop-ups appearing again. Should I still run the OTL fix as requested in your last post? This post is done from my mobile phone.
-
Yes, but we will do some additional work, as the drive you are plugging in is infected and we need to stop that first.
Plug in the drive.
Download McShield (http://amf.mycity.rs/mcshield/downloads.html) to your desktop and install it.
It will initially run a scan and show the result as a toaster by the system clock.
Then in the control centre select Scanner and tick "unhide items on flash drives".
(https://dl.dropbox.com/u/73555776/mcshield%20unhide.JPG)
Then get the log, which will be here:
Start > All Programs > MCShield > Logs > All scans
and post that.
Then run the OTL fix and follow with a fresh scan.
-
Will do when I get home tonight.
The drive I plugged in originally has not been connected to the PC since the problem started; that is why I posed my last question.
I hope I have not confused the issue by not stating this earlier.
Regards,
Kym
-
Nope, but it will catch any autoruns that are hidden on the main drive, and will protect against further infections.
-
Thanks
-
Hi essexboy,
Sorry to take so long to get back to you; got called away on business at short notice and only just got back.
The MCShield log is attached as requested.
Will now run the fresh OTL fix and post that log when complete.
Regards,
Kym
-
Not sure if I have done the fix correctly.
Tried running it in normal mode and nothing happened for over an hour, so I rebooted in Safe Mode and ran the fix; it took a few minutes.
Rebooted and ran the quick scan in normal mode; log attached.
If I have messed things up, I am sorry.
Kym
-
Safe mode, normal mode... OTL does not care ;D
How is the computer behaving now? McShield did some nice work and removed some bad boys.
Could you attach the new OTL scan please?
-
Sorry, I thought that was the log I attached in my last post; obviously not.
Malwarebytes is still unable to be run, Control Panel is still deactivated and malicious pop-up warnings are still appearing, but not as often.
PC is running faster than it was.
My connection manager indicates I am downloading a bucketload of data as well; not sure what or why.
Kym
-
Have to start work in 4 hours, so off to bed.
Will check for your reply later.
Regards,
Kym
-
Could you re-run ComboFix now please, allowing it to update if requested?
-
Sorry this is taking so long; work is extremely busy and I am doing 14-16 hour days, so not getting a lot of time to myself.
I re-ran ComboFix as requested; log attached.
Control Panel has reappeared in the Start box; malicious URL pop-ups have stopped again.
Malwarebytes has updated and is accessible.
Will see what happens when I close the PC and log on again.
Regards,
Kym
-
Rebooted PC; Control Panel again disabled, as is Malwarebytes, and malicious URL pop-ups back again.
-
OK, the file is changing every reboot.
So could you run a fresh OTL scan and attach it here. In the meantime, do not reboot until I have created, and you have run, the new fix.
-
OK, so run a new OTL scan, retrieve the log and leave the PC running until I run the new fix.
Will run when I get home tonight.
This post is from the work PC.
Kym
-
Aye, and if that fix fails I will remove the Windows Scripting Host for the duration, as it needs that to run.
-
Ended up having to work all through Easter, so have only just had time to run OTL.
Log is attached.
PC will remain on until I hear back from you.
Regards,
Kym
-
OK, let's do it.
Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
(https://dl.dropbox.com/u/73555776/OTL_Fix.GIF)
:OTL
O4 - HKCU..\Run: [7d7e7] C:\Documents and Settings\Bronwyn and Kym\Application Data\6b6\7d7e7.js ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\203c2.js ()
O4 - Startup: C:\Documents and Settings\Bronwyn and Kym\Start Menu\Programs\Startup\203c2.js ()
[2013/03/23 22:50:39 | 000,000,000 | -HSD | C] -- C:\6a4
[2013/03/28 23:04:58 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Bronwyn and Kym\Application Data\6b6
[2013/03/05 14:35:47 | 000,000,000 | -HSD | C] -- C:\Program Files\74607
:Reg
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"7d7e7"=-
:Files
C:\Documents and Settings\Bronwyn and Kym\Start Menu\Programs\Startup\*.js
c:\Documents and Settings\All Users\Start Menu\Programs\Startup\*.js
[override]
C:\Windows\System32\wscript.exe
[stopoverride]
:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
-
Not having much luck with the fix.
Pasted the fix into OTL, clicked "Run Fix" and left it to run.
Six hours later, nothing has happened. The PC appears to be locked up and I cannot close OTL to try and run the fix again.
PC is still on; will not reboot until I hear back.
Kym
-
OK, I now have a quick way of killing this blighter; as you are the fourth or fifth, you get the benefits ;D
Reboot the computer
Open Windows Explorer and go to C:\Windows\System32
Locate wscript.exe
Right click wscript.exe
Select Properties
Select Security Tab
Select Advanced
Select Owner
Select Edit
Select your account
Click Apply
OK the warning
Click OK
(https://dl.dropbox.com/u/73555776/wscript%20ownership.JPG)
Now delete wscript.exe to the recycle bin
Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
(https://dl.dropbox.com/u/73555776/OTL_Fix.GIF)
:OTL
O4 - HKCU..\Run: [7d7e7] C:\Documents and Settings\Bronwyn and Kym\Application Data\6b6\7d7e7.js ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\203c2.js ()
O4 - Startup: C:\Documents and Settings\Bronwyn and Kym\Start Menu\Programs\Startup\203c2.js ()
[2013/03/23 22:50:39 | 000,000,000 | -HSD | C] -- C:\6a4
[2013/03/28 23:04:58 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Bronwyn and Kym\Application Data\6b6
[2013/03/05 14:35:47 | 000,000,000 | -HSD | C] -- C:\Program Files\74607
:Reg
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"7d7e7"=-
:Files
C:\Documents and Settings\Bronwyn and Kym\Start Menu\Programs\Startup\*.js
c:\Documents and Settings\All Users\Start Menu\Programs\Startup\*.js
:Commands
[resethosts]
[CREATERESTOREPOINT]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
-
Took most of the day to get in to delete wscript, but got there in the end.
Ran the fix.
Ran the quick scan; log attached.
Still no access to Control Panel, but the malicious pop-ups appear to have stopped. Malwarebytes is accessible at the moment.
Will log off and check for your reply in the morning.
Kym
-
You can now restore wscript from the recycle bin.
Run MBAM and see if that restores the Control Panel.
If not, could you let me know what error you get?
-
Hi essexboy, I am back again; got to love short-notice business trips.
I have restored wscript and run Malwarebytes, only a quick scan though.
Still no Control Panel and no error from the Malwarebytes log.
Should I run a full scan instead?
Regards,
Kym
-
No, run ComboFix again, but allow it to update if it asks.
-
Will do and will report back, with logs, when done.
Kym
-
Control Panel is now back, Malwarebytes appears to be functioning normally, and everything else seems OK.
ComboFix log attached.
-
OK, that now looks good; ComboFix did all the repairs again ;D
Any outstanding problems before I tidy up?
-
No apparent problems at this stage.
Kym
-
OK, let it run as normal and if all is well tomorrow let me know and I will tidy up.
-
I have been playing around with the PC over the last week or so and all seems fine.
The only thing I noticed was that Avast blocked MCShield from updating, specifically the file MCShieldDS.exe, which then caused MCShield to notify me that its installation was corrupt and to re-install it; then Avast blocked it again, and so on. Eventually I ran an Avast update and MCShield re-installed and ran as normal. Malwarebytes is running fine, Control Panel works OK and no malicious software or website pop-ups have appeared.
I am hoping everything is back to normal.
-
In the aftermath of this thread, read here about this active threat: http://www.avgthreatlabs.com/sitereports/domain/nnh42.name/
It is a backdoored trojan horse with 53 known variants, also known as Agent_r.
polonus
-
Grand, glad to hear that.
Subject to no further problems :)
I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.
Now the best part of the day ----- your log now appears clean :thumbsup:
A good workman always cleans up after himself, so... the following will implement some cleanup procedures as well as reset System Restore points:
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
:Commands
[resethosts]
[emptytemp]
[CLEARALLRESTOREPOINTS]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
Remove ComboFix
- Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
- In the Run box, type in ComboFix /Uninstall
(Notice the space between the "x" and the "/")
then click OK
(http://i1224.photobucket.com/albums/ee362/Essexboy3/Misc%20screen%20shots/CF_Uninstall-1.jpg)
- Follow the prompts on the screen
- A message should appear confirming that ComboFix was uninstalled
Run OTL and hit the CleanUp button. It will remove all the programmes we have used, plus itself.
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
(http://img233.imageshack.us/img233/7729/mbamicontw5.gif) Malwarebytes (http://www.malwarebytes.org/mbam-download.php).
Update and run it weekly to keep your system clean.
Download and install the FileHippo Update Checker (http://www.filehippo.com/updatechecker/) and run it monthly; it will show you which programmes on your system need updating and give a download link.
If you use online banking, then as an added layer of protection install Trusteer Rapport (http://www.trusteer.com/Products/Trusteer-Rapport-for-Online-Banking).
It is critical to have both a firewall and anti-virus to protect your system, and to keep them updated. To keep your operating system up to date, visit Microsoft Windows Update (http://windowsupdate.microsoft.com).
To learn more about how to protect yourself while on the internet, read our little guide How did I get infected in the first place? (http://www.geekstogo.com/forum/topic/225044-preventing-malware-and-safe-computing/)
Keep safe :wave:
-
Will do.
Have Malwarebytes installed as well as avast! Free. Will add FileHippo and double-check the Windows Update settings.
Should I leave MCShield on to help prevent further problems from portable drives?
I have also purchased a Windows 8 laptop, on which I have installed Malwarebytes.
It came with Norton Anti-Virus pre-installed and valid for 12 months (a freebie from the retailer to try and sweeten the deal); should I install MCShield on this as well, just to be on the safer side?
Much and many thanks to you and polonus and all the team at this forum for your assistance and advice :)
-
Should I leave MCShield on to help prevent further problems from portable drives?
If you use portable drives a lot, I sure would do that.