Author Topic: Malicious software or Trojan  (Read 22026 times)


okym

  • Guest
Malicious software or Trojan
« on: March 05, 2013, 01:24:52 PM »
I attached my sister-in-law's portable drive to my PC to transfer some files to my portable drive and all the files on her drive were shown as shortcuts.
When I attempted to open a shortcut, auto run flashed on the screen.
I cancelled it as fast as I could, however Malwarebytes Pro is now disabled including protection mode and my control panel has been disabled.
Running Malwarebytes in safe mode detects a possible trojan horse (Trojan.Agent.Ck) as well as a number of malicious registry entries.
Avast now continually notifies me of two malicious URLs:
//nnh42.name/a/
//jsh37.net/a/
One of the malicious registry entries contains the phrase "don't steal our software".
All attempts to rectify the problem have failed.
My system is running Windows XP with Service Pack 3.
I have attached the RogueKiller logs.
Any help you can give me would be greatly appreciated.
« Last Edit: April 28, 2013, 06:08:04 AM by okym »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37613
  • Not a avast user
Re: Malicious software or Trojan
« Reply #1 on: March 05, 2013, 01:33:16 PM »
Quote
One of the malicious registry entries contains the phrase "don't steal our software"
So, you have a key generator for cracking the Malwarebytes license..... naughty boy

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37613
  • Not a avast user
Re: Malicious software or Trojan
« Reply #2 on: March 05, 2013, 01:37:19 PM »
Attach the following logs. http://forum.avast.com/index.php?topic=53253.0

AdwCleaner
Malwarebytes. And Malwarebytes should be run from normal mode unless it has a problem
OTL
aswMBR


« Last Edit: March 05, 2013, 01:38:54 PM by Pondus »

okym

  • Guest
Re: Malicious software or Trojan
« Reply #3 on: March 05, 2013, 02:04:56 PM »
To be honest the PC was part of an inheritance from a deceased estate with the software preloaded and I never bothered to check if it was genuine.
Looks like an uninstall is warranted.
I have attempted to run the programs you have listed but whatever has infected me is blocking them from running.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37613
  • Not a avast user
Re: Malicious software or Trojan
« Reply #4 on: March 05, 2013, 02:39:18 PM »
OK....malware removers are notified, it may take hours before they arrive so be patient

You may try to run from safe mode

« Last Edit: March 05, 2013, 02:40:49 PM by Pondus »

okym

  • Guest
Re: Malicious software or Trojan
« Reply #5 on: March 05, 2013, 02:50:59 PM »
I managed to run AdwCleaner from safe mode, the log, if it is any use, is attached, together with the MBAM log.
Thanks for assistance and patience, this is a whole new experience to me.
Kym

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Malicious software or Trojan
« Reply #6 on: March 05, 2013, 04:16:18 PM »
Hi, I will need the OTL log please

Download OTL to your Desktop
Secondary link
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.


  • Select All Users
  • Under the Custom Scan box paste this in
netsvcs
BASESERVICES
%SYSTEMDRIVE%\*.exe
/md5start
services.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
winsock.*
/md5stop
CREATERESTOREPOINT


  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Attach both logs

okym

  • Guest
Re: Malicious software or Trojan
« Reply #7 on: March 06, 2013, 10:10:05 AM »
Sorry for the late reply, the "bug" is now interfering with my internet access.
Logs attached as requested.
Kym

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Malicious software or Trojan
« Reply #8 on: March 06, 2013, 03:57:18 PM »
OK I think I can see the problem

Warning: This fix is only relevant for this system and no other, using it on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following


Code:
:OTL
O4 - HKU\S-1-5-21-682003330-764733703-1177238915-1004..\Run: [7d7e7] C:\Documents and Settings\Bronwyn and Kym\Application Data\6b6\7d7e7.js ()
O4 - Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\2a2a.js ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\2a2a.js ()
O4 - Startup: C:\Documents and Settings\Bronwyn and Kym\Start Menu\Programs\Startup\2a2a.js ()
O4 - Startup: C:\Documents and Settings\Default User\Start Menu\Programs\Startup\2a2a.js ()
[2013/03/05 14:35:47 | 000,000,000 | -HSD | C] -- C:\Program Files\74607
[2013/03/05 14:35:47 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Bronwyn and Kym\Application Data\6b6
[2013/03/05 14:35:46 | 000,000,000 | -HSD | C] -- C:\6a4
[2013/03/06 07:00:03 | 000,047,405 | ---- | C] () -- C:\Documents and Settings\Bronwyn and Kym\Start Menu\Programs\Startup\2a2a.js
[2013/03/06 07:00:03 | 000,047,405 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\2a2a.js

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN

Please download MiniToolBox, save it to your desktop and run it.

Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices
  • List Users, Partitions and Memory size.
  • List Minidump Files

Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.
 
Note: When using "Reset FF Proxy Settings" option Firefox should be closed.
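
An added example, not part of the original post and not OTL's own code: a small Python triage pass over OTL-format log lines like those in the fix script above, flagging autostart entries that launch script files and directories that carry both hidden and system attributes. The regular expressions, the reading of the attribute column (`-HSD` as hidden, system, directory) and of `C` as "created" are assumptions inferred from the lines shown in this thread; the sample lines are copied from the post.

```python
import re

# Sample lines copied from the fix script in this thread (OTL log format).
SAMPLE = r"""
O4 - HKU\S-1-5-21-682003330-764733703-1177238915-1004..\Run: [7d7e7] C:\Documents and Settings\Bronwyn and Kym\Application Data\6b6\7d7e7.js ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\2a2a.js ()
[2013/03/05 14:35:47 | 000,000,000 | -HSD | C] -- C:\Program Files\74607
[2013/03/05 14:35:46 | 000,000,000 | -HSD | C] -- C:\6a4
[2013/03/06 07:00:03 | 000,047,405 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\2a2a.js
"""

# Windows Script Host extensions that rarely belong in an autostart location.
SCRIPT_EXT = (".js", ".jse", ".vbs", ".vbe", ".wsf")

# Assumed layout: "O4 - <location>: [<value name>] <path> (<company>)"
O4_RE = re.compile(
    r"^O4 - (?P<where>.+?): (?:\[(?P<name>[^\]]*)\] )?(?P<path>[A-Za-z]:\\.+?) \(.*\)$")
# Assumed layout: "[<timestamp> | <size> | <attrs> | C or M] (<company>) -- <path>"
FILE_RE = re.compile(
    r"^\[(?P<ts>[\d/]+ [\d:]+) \| (?P<size>[\d,]+) \| (?P<attr>[-RHSD]{4}) \| "
    r"(?P<kind>[CM])\](?: \(.*?\))? -- (?P<path>.+)$")


def triage(log_text):
    """Return (finding, context, path) tuples for lines worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            if m["path"].lower().endswith(SCRIPT_EXT):
                findings.append(("script-autostart", m["where"], m["path"]))
            continue
        m = FILE_RE.match(line)
        if not m:
            continue
        attr, path = m["attr"], m["path"]
        if all(flag in attr for flag in "HSD"):
            findings.append(("hidden-system-dir", m["ts"], path))
        elif "\\startup\\" in path.lower() and path.lower().endswith(SCRIPT_EXT):
            findings.append(("script-in-startup", m["ts"], path))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(*finding, sep=" | ")
```
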

Shobana

  • Guest
Re: Malicious software or Trojan
« Reply #9 on: March 06, 2013, 07:50:07 PM »
Hi, I am facing the same issue.
In addition there are multiple Windows update icons in the system tray, and they disappear with mouse roll on

Offline CraigB

  • Avast Überevangelist
  • Serious Graphoman
  • *****
  • Posts: 11249
  • No support PM's thanks
Re: Malicious software or Trojan
« Reply #10 on: March 06, 2013, 08:33:21 PM »
Quote
Hi, I am facing the same issue.
In addition there are multiple Windows update icons in the system tray, and they disappear with mouse roll on
Please start your own topic and supply/attach the following logs

http://forum.avast.com/index.php?topic=53253.0

AdwCleaner
Malwarebytes
OTL
aswMBR

okym

  • Guest
Re: Malicious software or Trojan
« Reply #11 on: March 06, 2013, 10:15:47 PM »
Hi essexboy,
Thanks for that, I may have to run the fix in safe mode, will that still work?
Will try it in normal mode first.
Kym

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Malicious software or Trojan
« Reply #12 on: March 06, 2013, 10:17:43 PM »
If you need to run it in safe mode then so be it, but allow the reboot to normal mode so that we can determine the effectiveness, or whether I need to look deeper

okym

  • Guest
Re: Malicious software or Trojan
« Reply #13 on: March 06, 2013, 10:19:22 PM »
Will do
Kym

okym

  • Guest
Re: Malicious software or Trojan
« Reply #14 on: March 07, 2013, 05:22:14 AM »
Quick fix log and MiniToolBox log attached as requested.
As a side note, the only way I could get OTL to run in normal mode was to rename the desktop icon as "safe file".
The system now runs better but the malicious URL pop-ups are still appearing and control panel is disabled.
Regards,
Kym
« Last Edit: March 07, 2013, 05:23:51 AM by okym »