Author Topic: Malware/Trojans

JackSession

  • Guest
Malware/Trojans
« on: July 25, 2012, 10:13:12 PM »
Hello,

I seem to be having the same issues other people are having with the blocked Trojans with Avast! and the blocking of malicious sites with MalWareBytes. I have attached the logs requested. While running aswMBR I got a blue screen stop error IRQL_NOT_LESS_OR_EQUAL. I restarted and it seems fine, however I wasn't able to save the log. If you need that log please let me know what to do.

Thank you very much!

Jack :)

JackSession

  • Guest
Re: Malware/Trojans
« Reply #1 on: July 25, 2012, 11:10:04 PM »
Should I try to get the log from aswMBR again?

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37698
  • F-Secure user
Re: Malware/Trojans
« Reply #2 on: July 25, 2012, 11:12:36 PM »
Quote
Should I try to get the log from aswMBR again?
It does not hurt to try  ;)

JackSession

  • Guest
Re: Malware/Trojans
« Reply #3 on: July 26, 2012, 12:09:05 AM »
Got another blue screen stop error trying to run aswMBR... please advise

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37698
  • F-Secure user
Re: Malware/Trojans
« Reply #4 on: July 26, 2012, 12:13:29 AM »
essexboy (the removal expert) is logged out for today but will be back tomorrow

I will PM him so he sees this when he logs in tomorrow

« Last Edit: July 26, 2012, 12:35:21 AM by Pondus »

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Malware/Trojans
« Reply #5 on: July 26, 2012, 02:43:12 AM »
Hi JackSession, welcome to the forum.

To make cleaning this machine easier
  • Please do not uninstall/install any programs unless asked to
    It is more difficult when files/programs are appearing in/disappearing from the logs.
  • Please do not run any scans other than those requested
  • Please follow all instructions in the order posted
  • All logs/reports, etc. must be posted in Notepad. Please ensure that word wrap is unchecked. In Notepad click Format, uncheck Word Wrap if it is checked.
  • Do not attach any logs/reports, etc. unless specifically requested to do so.
  • If you have problems with or do not understand the instructions, please ask before continuing.
  • Please stay with this thread until given the All Clear. An absence of symptoms does not mean a clean machine.
Please read through the instructions to familiarize yourself with what to expect when the tool runs.

It is vitally important that combofix is renamed before it is even started to download


Please download ComboFix from Link 1 or Link 2 to your Desktop.

**Note:  In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

  • If you are using Firefox, make sure that your download settings are as follows:

     -Tools->Options->Main tab
     -Set to "Always ask me where to Save the files".

  • During the download, before you save it to your desktop, rename Combofix to jgh.exe
  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix

-----------------------------------------------------------
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    -----------------------------------------------------------
  • Double click on ComboFix.exe (jgh.exe in your case) & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.  It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. CF disconnects your machine from the internet.  The connection is automatically restored before CF completes its run.  If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Please post back with
  • combofix log
How is the computer?

Thanks

JackSession

  • Guest
Re: Malware/Trojans
« Reply #6 on: July 26, 2012, 11:16:16 PM »
Hi Oldman... thanks for your help.. it's much appreciated :)

Ran combofix... everything seems cool.. I've attached the log. If I should do anything else please let me know. Also I found out where I got this malware.. I can let you know if you like.

Thanks Again!!

If I am back I'll try not to be such a noob next time ;)

Jack :)

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Malware/Trojans
« Reply #7 on: July 27, 2012, 12:57:23 AM »
Hi JackSession,


Quote
Also I found out where I got this malware..I can let you know if you like.
Yes please but do not post any live links.

A bit more to do.

Your java is out of date. Click your start button, open Control panel.
  • Locate the Java icon (it looks like a coffee cup)
  • double click it to open it
  • click the Update tab
  • Click update now
Decline any additional installs that may be offered.

Next, Double click on OTL.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
  • Do Not copy the word CODE
  • please note the fix starts with the :
  • to ensure you get it all click the [select]
Code: [Select]
:Services

:OTL
O15 - HKU\.DEFAULT\..Trusted Domains: clonewarsadventures.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: freerealms.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: soe.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: sony.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: clonewarsadventures.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: freerealms.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: soe.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: sony.com ([]* in Trusted sites)
O15 - HKU\S-1-5-19\..Trusted Domains: clonewarsadventures.com ([]* in Trusted sites)
O15 - HKU\S-1-5-19\..Trusted Domains: freerealms.com ([]* in Trusted sites)
O15 - HKU\S-1-5-19\..Trusted Domains: soe.com ([]* in Trusted sites)
O15 - HKU\S-1-5-19\..Trusted Domains: sony.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-4148830102-3702229732-935236359-500\..Trusted Domains: clonewarsadventures.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-4148830102-3702229732-935236359-500\..Trusted Domains: doginhispen.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-4148830102-3702229732-935236359-500\..Trusted Domains: freerealms.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-4148830102-3702229732-935236359-500\..Trusted Domains: soe.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-4148830102-3702229732-935236359-500\..Trusted Domains: sony.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-4148830102-3702229732-935236359-500\..Trusted Domains: whataboutadog.com ([]* in Trusted sites)
[2012/07/23 14:20:34 | 000,027,520 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\dt.dat
ipconfig /flushdns /c

:Reg

:Files
C:\Documents and Settings\Administrator\Local Settings\Application Data\{ef4d12c4-2c3d-b467-55e4-247babf9b81f}\L\00000004.@
C:\WINDOWS\Installer\{ef4d12c4-2c3d-b467-55e4-247babf9b81f}\@
C:\Documents and Settings\Administrator\Local Settings\Application Data\{ef4d12c4-2c3d-b467-55e4-247babf9b81f}\@
C:\WINDOWS\Installer\{ef4d12c4-2c3d-b467-55e4-247babf9b81f}\L\00000004.@
C:\WINDOWS\Installer\{ef4d12c4-2c3d-b467-55e4-247babf9b81f}\n
C:\Documents and Settings\Administrator\Local Settings\Application Data\{ef4d12c4-2c3d-b467-55e4-247babf9b81f}\L
C:\Documents and Settings\Administrator\Local Settings\Application Data\{ef4d12c4-2c3d-b467-55e4-247babf9b81f}
C:\WINDOWS\Installer\{ef4d12c4-2c3d-b467-55e4-247babf9b81f}\L
c:\windows\installer\{ef4d12c4-2c3d-b467-55e4-247babf9b81f}\u
C:\WINDOWS\Installer\{ef4d12c4-2c3d-b467-55e4-247babf9b81f}

:Commands
[emptytemp]
[createrestorepoint]

Then click the Run Fix button at the top
  • Let the program run unhindered
  • Please save the resulting log to be posted in your next reply.
Please post the  OTL fix log.

Next

If OTL is not still open please open it by
  • Double click on OTL.exe  to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output
  • check the box beside scan All users
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
When the scan completes, it will open a notepad window, OTL.Txt, no Extras.Txt this time.

Please post back with
  • OTL fix log
  • OTL.txt

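As an added example (not code from the thread, from OTL's authors, or from the forum): a small Python parser for the O15 Trusted Domain lines and the file-creation line in the fix script above. It groups Trusted Sites entries by user hive and flags domains that appear in only one hive; in the posted script those are the two that exist only under the administrator's SID, which is exactly the kind of entry worth reviewing first. The sample lines are constructed from the script, not taken from a live log.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the OTL fix script posted above
# (O15 Trusted Domain entries plus one file-creation entry). Not a live log.
SAMPLE_OTL = r"""
:OTL
O15 - HKU\.DEFAULT\..Trusted Domains: soe.com ([]* in Trusted sites)
O15 - HKU\.DEFAULT\..Trusted Domains: sony.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: soe.com ([]* in Trusted sites)
O15 - HKU\S-1-5-18\..Trusted Domains: sony.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-4148830102-3702229732-935236359-500\..Trusted Domains: soe.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-4148830102-3702229732-935236359-500\..Trusted Domains: sony.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-4148830102-3702229732-935236359-500\..Trusted Domains: doginhispen.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-4148830102-3702229732-935236359-500\..Trusted Domains: whataboutadog.com ([]* in Trusted sites)
[2012/07/23 14:20:34 | 000,027,520 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\dt.dat
ipconfig /flushdns /c
"""

# "O15 - HKU\<hive>\..Trusted Domains: <domain> ([]* in <zone>)"
O15_RE = re.compile(r"^O15 - (HKU\\[^\\]+)\\\.\.Trusted Domains: (\S+) \(\[\]\* in (.+)\)$")
# "[<date> <time> | <size> | <attrs> | <C/M>] (<company>) -- <path>"
FILE_RE = re.compile(r"^\[(\S+ \S+) \| ([\d,]+) \| (\S+) \| (\w)\] \((.*)\) -- (.+)$")


def parse_o15(text):
    """Map each HKU hive to the set of domains its Trusted Sites zone lists."""
    hives = defaultdict(set)
    for line in text.splitlines():
        m = O15_RE.match(line.strip())
        if m:
            hives[m.group(1)].add(m.group(2).lower())
    return dict(hives)


def parse_file_entries(text):
    """Return (timestamp, size_in_bytes, path) for each OTL file-creation line."""
    out = []
    for line in text.splitlines():
        m = FILE_RE.match(line.strip())
        if m:
            out.append((m.group(1), int(m.group(2).replace(",", "")), m.group(6)))
    return out


def hive_only_domains(hives):
    """Domains present in exactly one hive. An entry that exists under a real
    user's SID but not in .DEFAULT / system hives was most likely written in
    that user's context rather than propagated from the default profile."""
    counts = defaultdict(int)
    for domains in hives.values():
        for d in domains:
            counts[d] += 1
    unique = {h: {d for d in ds if counts[d] == 1} for h, ds in hives.items()}
    return {h: ds for h, ds in unique.items() if ds}
```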

JackSession

  • Guest
Re: Malware/Trojans
« Reply #8 on: July 27, 2012, 02:06:31 AM »
At the end of the fix OTL wanted a restart so I did... when I got back this is the only log it opened.. I hope it's the right one.

Pretty sure this is where I got this mess..I was reading comments people posted on an article I was reading:

"Kacy Lamb - Suspect will be charged with attempted murder for stabbing him 7 times. http://  HopOnToday.  blogspot.  com"

That link goes to a site that immediately starts downloading "Windows Security Center Update". I've seen this before so tried to immediately shut off the PC, which has worked before, but this time it was too quick. All my problems started after that...

How's it look? Are we done?

Thanks!!

Jack :)

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Malware/Trojans
« Reply #9 on: July 27, 2012, 05:13:00 AM »
Hi JackSession,

The link and the bait are an example of social engineering. It's designed to get the curious to click an unknown link.


Looks a lot better than when we started. This malware can be difficult to remove and can get in very deep.

See if you can now get aswMBR to run. If it's clean there will be one more scan then we'll clean up the tools and send you on your way.

Offline mchain

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 5719
  • Spartan Warrior
Re: Malware/Trojans
« Reply #10 on: July 27, 2012, 10:32:02 AM »
urlquery
http://urlquery.net/report.php?id=105545
Suricata w/emerging threats: level 3 threat detected.

JackSession

  • Guest
Re: Malware/Trojans
« Reply #11 on: July 27, 2012, 08:50:18 PM »
I'm still getting the blue screens trying to run aswMBR...

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Malware/Trojans
« Reply #12 on: July 27, 2012, 10:36:09 PM »
Hi JackSession,


How has the computer been?


Let's see if this will show us the problem.

Download Rogue Killer and save it to your desktop.
  • double click the Rogue Killer icon to run it
  • After it has completed its prescan click scan
  • When the scan is complete click report
Please post the log.


JackSession

  • Guest
Re: Malware/Trojans
« Reply #13 on: July 27, 2012, 11:12:57 PM »
Hi oldman.. the computer has been running fine.. here's the RogueKiller report... thanks

JackSession

  • Guest
Re: Malware/Trojans
« Reply #14 on: July 28, 2012, 01:08:16 AM »
I guess there was an Ad-Aware component still running... uninstalled and re-ran RK and attached the report... looks like there's a reg key RK found.. should I use RK to delete and rerun aswMBR afterwards?