Avast WEBforum

Other => Viruses and worms => Topic started by: REDACTED on January 11, 2018, 01:43:51 PM

Title: Help in cleaning malware needed
Post by: REDACTED on January 11, 2018, 01:43:51 PM
I followed all the steps in "logs to assist in cleaning malware". I attached these logs with this post. What should I do next?
Edit: I kept getting the popup for JS:Agent-EDB [Trj] before I did all the steps.
Title: Re: Help in cleaning malware needed
Post by: Asyn on January 11, 2018, 01:50:29 PM
What should I do next?
Now you have to wait for one of the malware experts...
Title: Re: Help in cleaning malware needed
Post by: Sass Drake on January 11, 2018, 08:14:51 PM
Code:
HKU\S-1-5-21-1089142947-2339947531-804550469-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://search.domaincentar.com
FF Homepage: Mozilla\Firefox\Profiles\08b4usov.default -> hxxp://search.domaincentar.com
FF NewTab: Mozilla\Firefox\Profiles\08b4usov.default -> hxxp://search.domaincentar.com
Title: Re: Help in cleaning malware needed
Post by: REDACTED on January 11, 2018, 09:18:32 PM
FRST is telling me that the fixlist.txt should be in the same folder/directory the tool is created in. So should I move the fixlist.txt file to the Logs folder?
Title: Re: Help in cleaning malware needed
Post by: Pondus on January 11, 2018, 10:03:54 PM
FRST.exe and fixlist must be in the same place when run; if not, FRST will not find it.

If you have FRST.exe on your desktop (recommended), then you place fixlist on the desktop.
If FRST.exe is in your download folder, then fixlist must be in your download folder.

Title: Re: Help in cleaning malware needed
Post by: REDACTED on January 11, 2018, 10:09:55 PM
Thanks for clearing that up Pondus. The fixlog.txt is attached now.
Title: Re: Help in cleaning malware needed
Post by: Pondus on January 11, 2018, 10:11:47 PM
Sass Drake will check it when he is back online ...

Title: Re: Help in cleaning malware needed
Post by: Sass Drake on January 12, 2018, 12:49:10 AM
What is the system status now?
Title: Re: Help in cleaning malware needed
Post by: REDACTED on January 12, 2018, 06:41:55 AM
By that you mean is it working fine? It still keeps going to domaincentar.com or usa.bravo, but it got blocked.
Title: Re: Help in cleaning malware needed
Post by: Sass Drake on January 12, 2018, 09:52:39 AM
Can you make a screenshot of that? Does redirection to those sites happen everywhere or only on certain websites?
Title: Re: Help in cleaning malware needed
Post by: REDACTED on January 12, 2018, 01:06:31 PM
The redirections happen with Firefox only, first when I open it and when I push the home button. The first screenshot is when Firefox is first started. The home button redirects to the one shown in screenshot 2. Chrome and Edge open normally and their home buttons don't redirect anywhere.
Title: Re: Help in cleaning malware needed
Post by: REDACTED on January 12, 2018, 01:08:38 PM
And now the popup started appearing again. Screenshot attached.
Title: Re: Help in cleaning malware needed
Post by: Sass Drake on January 12, 2018, 05:27:12 PM
Please post new FRST.txt and Addition.txt logs.
Title: Re: Help in cleaning malware needed
Post by: REDACTED on January 12, 2018, 09:04:36 PM
Here they are.
Title: Re: Help in cleaning malware needed
Post by: Sass Drake on January 13, 2018, 02:04:30 AM
Here we go again.

Code:
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Windows Startup.lnk [2017-07-07]
ShortcutTarget: Windows Startup.lnk -> C:\Windows\Windows_startup.bat ()
Tcpip\..\Interfaces\{d10abc88-f10c-49ed-a057-175822b0e656}: [DhcpNameServer] 85.253.0.130 85.253.0.2
HKU\S-1-5-21-1089142947-2339947531-804550469-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://search.domaincentar.com
FF Homepage: Mozilla\Firefox\Profiles\08b4usov.default -> hxxp://search.domaincentar.com
FF NewTab: Mozilla\Firefox\Profiles\08b4usov.default -> hxxp://search.domaincentar.com
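The entries Sass Drake quotes above are the typical indicators of a browser hijack: a start page / new-tab page rewritten to the same unfamiliar domain across several browsers, a script launched from the Startup folder, and DNS servers that should be checked against what the router or ISP actually hands out. As an added example that is not part of this thread and not code from FRST or Avast, here is a small Python scanner that reads FRST-style log lines and reports those three categories. The sample input is constructed from the lines quoted in the thread (URLs defanged as hxxp) plus one benign Chrome home-page line; the TRUSTED_HOMEPAGES allowlist, the line markers it keys on and all function names are assumptions made for the example.

```python
import re

# Assumption: home pages on these hosts are treated as benign and not reported.
TRUSTED_HOMEPAGES = {"www.google.com", "www.bing.com", "duckduckgo.com"}

# Matches both live (http) and defanged (hxxp) URLs and captures the host part.
URL_RE = re.compile(r"h(?:xx|tt)ps?://([^\s/\"']+)", re.IGNORECASE)
# FRST prints DHCP-assigned resolvers as "[DhcpNameServer] ip1 ip2 ...".
DNS_RE = re.compile(r"\[DhcpNameServer\]\s+(.+)$")
# "ShortcutTarget: <name>.lnk -> <target path> (<publisher>)"
TARGET_RE = re.compile(r"^ShortcutTarget:\s+.+?\s->\s+(.+?)\s*(?:\(.*\))?\s*$")

# Line markers for home page / new tab settings (assumed FRST wording).
HOMEPAGE_MARKERS = ("Start Page =", "FF Homepage:", "FF NewTab:",
                    "CHR HomePage:", "CHR StartupUrls:")
# Script types that should not normally sit behind a Startup-folder shortcut.
SCRIPT_EXTS = (".bat", ".cmd", ".vbs", ".js", ".ps1")

# Constructed sample: the FRST lines quoted in the thread plus one benign line.
SAMPLE_FRST = r"""
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Windows Startup.lnk [2017-07-07]
ShortcutTarget: Windows Startup.lnk -> C:\Windows\Windows_startup.bat ()
Tcpip\..\Interfaces\{d10abc88-f10c-49ed-a057-175822b0e656}: [DhcpNameServer] 85.253.0.130 85.253.0.2
HKU\S-1-5-21-1089142947-2339947531-804550469-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://search.domaincentar.com
FF Homepage: Mozilla\Firefox\Profiles\08b4usov.default -> hxxp://search.domaincentar.com
FF NewTab: Mozilla\Firefox\Profiles\08b4usov.default -> hxxp://search.domaincentar.com
CHR HomePage: Default -> hxxp://www.google.com
"""


def scan_frst(text, trusted=TRUSTED_HOMEPAGES):
    """Return a list of findings (dicts with a 'kind' key) for FRST-style log text."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue

        # 1. Browser home page / new tab pointing at a non-trusted host.
        if any(marker in line for marker in HOMEPAGE_MARKERS):
            m = URL_RE.search(line)
            if m and m.group(1).lower() not in trusted:
                findings.append({"kind": "homepage_hijack",
                                 "domain": m.group(1).lower(), "line": line})
            continue

        # 2. Startup-folder shortcut whose target is a script file.
        m = TARGET_RE.match(line)
        if m and m.group(1).lower().endswith(SCRIPT_EXTS):
            findings.append({"kind": "startup_script",
                             "target": m.group(1), "line": line})
            continue

        # 3. DHCP-assigned DNS servers: reported for manual review, not judged.
        m = DNS_RE.search(line)
        if m:
            findings.append({"kind": "dns_review",
                             "servers": m.group(1).split(), "line": line})
    return findings


def hijack_domains(findings):
    """Count how many browser settings point at each non-trusted host."""
    counts = {}
    for f in findings:
        if f["kind"] == "homepage_hijack":
            counts[f["domain"]] = counts.get(f["domain"], 0) + 1
    return counts


if __name__ == "__main__":
    results = scan_frst(SAMPLE_FRST)
    for f in results:
        print(f"[{f['kind']}] {f['line']}")
    print("hosts set as home page:", hijack_domains(results))
```

The same host appearing in three separate browser settings is the strongest signal here; a single odd home page can be a user choice, but IE, Firefox home page and Firefox new tab all rewritten to one search host is what the fix in the thread targets. The DNS entry is reported rather than flagged because the scanner cannot know which resolvers are legitimate for that network.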
Title: Re: Help in cleaning malware needed
Post by: REDACTED on January 13, 2018, 02:47:47 AM
Done
Title: Re: Help in cleaning malware needed
Post by: Sass Drake on January 13, 2018, 12:16:12 PM
What is the status now?
Title: Re: Help in cleaning malware needed
Post by: REDACTED on January 13, 2018, 02:30:39 PM
No redirections anymore. The popup stopped too for now.
Title: Re: Help in cleaning malware needed
Post by: Sass Drake on January 13, 2018, 06:05:54 PM
Good to hear.


The following will implement some post-cleanup procedures:

=> Please download DelFix (https://toolslib.net/downloads/finish/2-delfix/) by Xplode to your Desktop.
Run the tool and check the following boxes:
[x] Remove disinfection tools
[x] Create registry backup
[x] Purge System Restore

Click the Run button and wait a few seconds for the programme to complete its work.
At this point all the tools we used here should be gone. The tool will create a report for you (C:\DelFix.txt).

The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix.
The tool deletes old system restore points and creates a fresh system restore point after cleaning.
Title: Re: Help in cleaning malware needed
Post by: REDACTED on January 13, 2018, 07:21:02 PM
Thanks for the help! :)