Author Topic: http://differentia.ru/diff.php Malware  (Read 3030 times)


REDACTED

  • Guest
http://differentia.ru/diff.php Malware
« on: October 06, 2015, 08:39:43 AM »
Hi! I've been alerted by Avast several times about this malware. Here's a screenshot:



I've done the instructions in this thread https://forum.avast.com/index.php?topic=53253.0; attached are my results.

I would just like to know if my system is now free from viruses/malware. Thank you so much!

« Last Edit: October 06, 2015, 08:46:31 AM by Luis Van »

REDACTED

  • Guest
Re: http://differentia.ru/diff.php Malware
« Reply #1 on: October 06, 2015, 08:42:14 AM »
Attached are the MCShield and fixlog results.

Offline Pondus

  • Probably Bot
  • Posts: 37509
  • Not a avast user
Re: http://differentia.ru/diff.php Malware
« Reply #2 on: October 06, 2015, 10:41:46 AM »
Quote
I would just like to know if my system is now free from viruses/malware.
A malware expert has to create a fix for you first (if needed).


From where did you get the fix you have run?
Never use a fix you find online. Fixes are made specifically for the computer that the diagnostic logs came from; a fix you find online was made for another computer and may damage your computer if used.


The MCShield log you must copy and paste here (not attach the MCShield log) or we can't read it (a forum bug).


« Last Edit: October 06, 2015, 10:44:18 AM by Pondus »

REDACTED

  • Guest
Re: http://differentia.ru/diff.php Malware
« Reply #3 on: October 06, 2015, 11:30:42 AM »
Quote
I would just like to know if my system is now free from viruses/malware.
A malware expert has to create a fix for you first (if needed).


From where did you get the fix you have run?
Never use a fix you find online. Fixes are made specifically for the computer that the diagnostic logs came from; a fix you find online was made for another computer and may damage your computer if used.


The MCShield log you must copy and paste here (not attach the MCShield log) or we can't read it (a forum bug).

Oh, I see. I thought the fix was applicable to any computer. Btw, here is my MCShield log:

>>> MCShield AllScans.txt <<<
-----------------------------

MCShield ::Anti-Malware Tool:: http://www.mcshield.net/
>>> v 3.0.5.28 / DB: 2015.10.2.1 / Windows 7 <<<

10/6/2015 10:38:55 AM > Drive C: - scan started (TOBYTES ~396 GB, NTFS HDD )...
=> The drive is clean.

10/6/2015 10:38:55 AM > Drive L: - scan started (TROJAN ~50 GB, NTFS HDD )...
=> The drive is clean.

MCShield ::Anti-Malware Tool:: http://www.mcshield.net/
>>> v 3.0.5.28 / DB: 2015.10.2.1 / Windows 7 <<<

10/6/2015 10:39:11 AM > Drive F: - scan started (LBYTES ~7616 MB, FAT32 flash drive )...
>>> F:\LBYTES (8GB).lnk - Malware > Deleted. (15.10.06. 10.39 LBYTES (8GB).lnk.43545; MD5: 58198cc06884e2bf8d024eee22db956a)
> Resetting attributes: F:\  < Successful.

=> Malicious files   : 1/1 deleted.
=> Hidden folders    : 1/1 unhidden.
____________________________________________
::::: Scan duration: 8sec ::::::::::::::::::
____________________________________________

MCShield ::Anti-Malware Tool:: http://www.mcshield.net/
>>> v 3.0.5.28 / DB: 2015.10.2.1 / Windows 7 <<<

10/6/2015 10:40:39 AM > Drive F: - scan started (LBYTES ~7616 MB, FAT32 flash drive )...
=> The drive is clean.


Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: http://differentia.ru/diff.php Malware
« Reply #4 on: October 06, 2015, 04:08:38 PM »
MBAM took out the run key but left the file behind

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:
 
Quote
CreateRestorePoint:
Toolbar: HKLM - avast! Online Security - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} -  No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} -  No File
Handler: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.dll No File
Handler: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.dll No File
CHR Extension: (Savings-Slider) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\mhkaekfpcppmmioggniknbnbdbcigpkk [2012-11-22]
CHR Extension: (Yontoo) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\niapdbllcanepiiimjjndipklodoedlc [2012-11-22]
CHR Extension: (ssAvensihare ) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\oldgbfadlfkalgllfeidaddlkmhmpenb [2013-09-22]
CHR Extension: (Savings-Slider) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\mhkaekfpcppmmioggniknbnbdbcigpkk [2012-11-22]
CHR Extension: (Yontoo) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\niapdbllcanepiiimjjndipklodoedlc [2012-11-22]
CHR Extension: (ssAvensihare ) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\oldgbfadlfkalgllfeidaddlkmhmpenb [2013-09-22]
CHR Extension: (Savings-Slider) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Profile 3\Extensions\mhkaekfpcppmmioggniknbnbdbcigpkk [2012-11-22]
CHR Extension: (Yontoo) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Profile 3\Extensions\niapdbllcanepiiimjjndipklodoedlc [2012-11-22]
CHR Extension: (ssAvensihare ) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Profile 3\Extensions\oldgbfadlfkalgllfeidaddlkmhmpenb [2013-09-22]
S3 X6va005; \??\C:\Users\Owner\AppData\Local\Temp\0052FAD.tmp [X]
2015-09-23 09:33 - 2015-09-23 09:33 - 00000430 _____ C:\Windows\Tasks\{AA55CCDE-9F2D-4588-8654-C538B2035777}.job
2015-09-21 11:31 - 2015-09-21 11:31 - 00000000 ____D C:\Users\Owner\AppData\Local\{C659BCFB-D90D-4712-9D2B-55D2F9F509AA}
2015-09-21 11:02 - 2015-09-21 11:02 - 00000000 ____D C:\Users\Owner\AppData\Local\{FF3F0168-51AA-439A-8A62-499FEE6CF736}
2015-09-21 10:43 - 2015-09-21 10:43 - 00000000 ____D C:\Users\Owner\AppData\Local\{624E17E3-E36C-4042-AB87-224724CE19B8}
2015-09-21 10:36 - 2015-09-21 10:37 - 00000000 ____D C:\Users\Owner\AppData\Local\{88E62A67-F226-4CC4-B5A0-4C188934CB0A}
2015-09-21 10:11 - 2015-09-21 10:11 - 00000000 ____D C:\Users\Owner\AppData\Local\{38AE5750-F431-4BFC-89CA-97DE945EA5B8}
2015-09-21 09:10 - 2015-09-21 09:10 - 00000000 ____D C:\Users\Owner\AppData\Local\{65594FD3-49A0-4057-8BC9-9D893AD5F4DB}
2015-09-20 09:01 - 2015-09-20 09:01 - 00003164 _____ C:\Windows\System32\Tasks\{ACFF32EC-202C-4978-8803-E5399368A02D}
2015-09-20 08:49 - 2015-09-20 08:49 - 00003170 _____ C:\Windows\System32\Tasks\{7E4D949D-484F-4F9D-96BC-E85C56FD97CA}
2015-09-13 12:49 - 2015-09-13 12:49 - 00000000 ____D C:\Users\Owner\AppData\Local\{F0727120-69EE-48BC-8ACA-E08E0E291924}
2015-09-13 09:57 - 2015-09-13 09:57 - 00000000 ____D C:\Users\Owner\AppData\Local\{66080C2C-49F4-4DE1-B9F0-A4E071705223}
2010-11-21 11:24 - 2010-11-21 11:24 - 88073472 ___SH (THOMSON) C:\ProgramData\msmfbx.exe
CustomCLSID: HKU\S-1-5-21-644284162-2181404400-2350963189-1000_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}\InprocServer32 -> C:\Users\Owner\AppData\Local\Google\Update\1.3.25.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-644284162-2181404400-2350963189-1000_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}\InprocServer32 -> C:\Users\Owner\AppData\Local\Google\Update\1.3.27.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-644284162-2181404400-2350963189-1000_Classes\CLSID\{355EC88A-02E2-4547-9DEE-F87426484BD1}\InprocServer32 -> C:\Users\Owner\AppData\Local\Google\Update\1.3.23.9\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-644284162-2181404400-2350963189-1000_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E}\InprocServer32 -> C:\Users\Owner\AppData\Local\Google\Update\1.3.28.1\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-644284162-2181404400-2350963189-1000_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98}\InprocServer32 -> C:\Users\Owner\AppData\Local\Google\Update\1.3.28.13\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-644284162-2181404400-2350963189-1000_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Users\Owner\AppData\Local\Google\Update\1.3.24.15\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-644284162-2181404400-2350963189-1000_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}\InprocServer32 -> C:\Users\Owner\AppData\Local\Google\Update\1.3.26.9\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-644284162-2181404400-2350963189-1000_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> C:\Users\Owner\AppData\Local\Google\Update\1.3.25.11\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-644284162-2181404400-2350963189-1000_Classes\CLSID\{FE498BAB-CB4C-4F88-AC3F-3641AAAF5E9E}\InprocServer32 -> C:\Users\Owner\AppData\Local\Google\Update\1.3.24.7\psuser_64.dll => No File
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

 
Save this as fixlist.txt, in the same location as FRST.exe

Run FRST and press Fix
On completion a log will be generated; please post that.

THEN

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete click on "Clean".
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S0].txt as well.
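Added example, not part of the thread and not FRST's own code: a small Python triage helper that parses the fixlist syntax used above into categories, so a reader can see what each line of a fix will touch before pressing Fix. The attribute-letter meanings (D directory, S system, H hidden) and the reading of a trailing `[X]` as "file missing" are my assumptions; the sample fixlist is constructed from entries quoted in the thread.

```python
import re
from collections import Counter

# Constructed excerpt in FRST fixlist syntax, using entries quoted in the thread's fix;
# this script only parses text and changes nothing on the machine it runs on.
FIXLIST = r"""CreateRestorePoint:
Handler: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.dll No File
CHR Extension: (Yontoo) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\niapdbllcanepiiimjjndipklodoedlc [2012-11-22]
S3 X6va005; \??\C:\Users\Owner\AppData\Local\Temp\0052FAD.tmp [X]
2015-09-23 09:33 - 2015-09-23 09:33 - 00000430 _____ C:\Windows\Tasks\{AA55CCDE-9F2D-4588-8654-C538B2035777}.job
2015-09-21 11:31 - 2015-09-21 11:31 - 00000000 ____D C:\Users\Owner\AppData\Local\{C659BCFB-D90D-4712-9D2B-55D2F9F509AA}
2010-11-21 11:24 - 2010-11-21 11:24 - 88073472 ___SH (THOMSON) C:\ProgramData\msmfbx.exe
CustomCLSID: HKU\S-1-5-21-644284162-2181404400-2350963189-1000_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}\InprocServer32 -> C:\Users\Owner\AppData\Local\Google\Update\1.3.25.5\psuser_64.dll => No File
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers
"""

# File entries read "created - modified - size attrs [(company)] path". Reading the attrs
# column as D = directory, S = system, H = hidden is my assumption, not stated in the thread.
FILE_RE = re.compile(r"^(\S+ \S+) - (\S+ \S+) - (\d+) ([_RASHD]{5}) (?:\(([^)]*)\) )?(.+)$")

def classify(line):
    """Map one non-blank fixlist line to a category string."""
    line = line.strip()
    if line.startswith("CMD: "):
        return "command"                    # shell command the fix will execute
    if re.fullmatch(r"[A-Za-z]+:", line):
        return "directive"                  # CreateRestorePoint:, RemoveProxy:, EmptyTemp:
    if line.endswith("No File"):
        return "orphaned registry entry"    # registry data pointing at a file that is gone
    if line.startswith("CHR Extension:"):
        return "browser extension"
    if re.match(r"^[SR]\d \S+; ", line):    # service/driver entry; trailing [X] = file missing
        return "service (file missing)" if line.endswith("[X]") else "service"
    m = FILE_RE.match(line)
    if m:
        attrs, path = m.group(4), m.group(6)
        if "D" in attrs:
            return "directory"
        if "S" in attrs and "H" in attrs:
            return "hidden+system file"     # hidden from Explorer's default view
        if "\\Tasks\\" in path:
            return "scheduled task"
        return "file"
    return "unrecognised"

def summarize(text):
    """Return per-category counts and the lines a reviewer should look at by hand."""
    counts, flagged = Counter(), []
    for raw in filter(str.strip, text.splitlines()):
        cat = classify(raw)
        counts[cat] += 1
        if cat in ("service (file missing)", "hidden+system file", "command"):
            flagged.append((cat, raw.strip()))
    return counts, flagged

COUNTS, FLAGGED = summarize(FIXLIST)   # e.g. COUNTS["directive"] == 3, three lines flagged
```

The three flagged lines are the ones a helper would want explained before running a fix: a service whose binary is already gone, an 88 MB hidden+system executable in ProgramData, and a command the fix will execute.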

Offline Pondus

  • Probably Bot
  • Posts: 37509
  • Not a avast user
Re: http://differentia.ru/diff.php Malware
« Reply #5 on: October 06, 2015, 06:23:15 PM »
Quote
Oh, I see. I thought the fix was applicable to any computer.
As you can see from the fix Essexboy has made for you, it has a big red warning at the top; it should be easy to see   ;)


REDACTED

  • Guest
Re: http://differentia.ru/diff.php Malware
« Reply #6 on: October 10, 2015, 10:23:01 AM »
Quote
MBAM took out the run key but left the file behind

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:
 
Quote
CreateRestorePoint:
Toolbar: HKLM - avast! Online Security - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} -  No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} -  No File
Handler: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.dll No File
Handler: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.dll No File
CHR Extension: (Savings-Slider) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\mhkaekfpcppmmioggniknbnbdbcigpkk [2012-11-22]
CHR Extension: (Yontoo) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\niapdbllcanepiiimjjndipklodoedlc [2012-11-22]
CHR Extension: (ssAvensihare ) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\oldgbfadlfkalgllfeidaddlkmhmpenb [2013-09-22]
CHR Extension: (Savings-Slider) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\mhkaekfpcppmmioggniknbnbdbcigpkk [2012-11-22]
CHR Extension: (Yontoo) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\niapdbllcanepiiimjjndipklodoedlc [2012-11-22]
CHR Extension: (ssAvensihare ) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\oldgbfadlfkalgllfeidaddlkmhmpenb [2013-09-22]
CHR Extension: (Savings-Slider) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Profile 3\Extensions\mhkaekfpcppmmioggniknbnbdbcigpkk [2012-11-22]
CHR Extension: (Yontoo) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Profile 3\Extensions\niapdbllcanepiiimjjndipklodoedlc [2012-11-22]
CHR Extension: (ssAvensihare ) - C:\Users\Owner\AppData\Local\Google\Chrome\User Data\Profile 3\Extensions\oldgbfadlfkalgllfeidaddlkmhmpenb [2013-09-22]
S3 X6va005; \??\C:\Users\Owner\AppData\Local\Temp\0052FAD.tmp [X]
2015-09-23 09:33 - 2015-09-23 09:33 - 00000430 _____ C:\Windows\Tasks\{AA55CCDE-9F2D-4588-8654-C538B2035777}.job
2015-09-21 11:31 - 2015-09-21 11:31 - 00000000 ____D C:\Users\Owner\AppData\Local\{C659BCFB-D90D-4712-9D2B-55D2F9F509AA}
2015-09-21 11:02 - 2015-09-21 11:02 - 00000000 ____D C:\Users\Owner\AppData\Local\{FF3F0168-51AA-439A-8A62-499FEE6CF736}
2015-09-21 10:43 - 2015-09-21 10:43 - 00000000 ____D C:\Users\Owner\AppData\Local\{624E17E3-E36C-4042-AB87-224724CE19B8}
2015-09-21 10:36 - 2015-09-21 10:37 - 00000000 ____D C:\Users\Owner\AppData\Local\{88E62A67-F226-4CC4-B5A0-4C188934CB0A}
2015-09-21 10:11 - 2015-09-21 10:11 - 00000000 ____D C:\Users\Owner\AppData\Local\{38AE5750-F431-4BFC-89CA-97DE945EA5B8}
2015-09-21 09:10 - 2015-09-21 09:10 - 00000000 ____D C:\Users\Owner\AppData\Local\{65594FD3-49A0-4057-8BC9-9D893AD5F4DB}
2015-09-20 09:01 - 2015-09-20 09:01 - 00003164 _____ C:\Windows\System32\Tasks\{ACFF32EC-202C-4978-8803-E5399368A02D}
2015-09-20 08:49 - 2015-09-20 08:49 - 00003170 _____ C:\Windows\System32\Tasks\{7E4D949D-484F-4F9D-96BC-E85C56FD97CA}
2015-09-13 12:49 - 2015-09-13 12:49 - 00000000 ____D C:\Users\Owner\AppData\Local\{F0727120-69EE-48BC-8ACA-E08E0E291924}
2015-09-13 09:57 - 2015-09-13 09:57 - 00000000 ____D C:\Users\Owner\AppData\Local\{66080C2C-49F4-4DE1-B9F0-A4E071705223}
2010-11-21 11:24 - 2010-11-21 11:24 - 88073472 ___SH (THOMSON) C:\ProgramData\msmfbx.exe
CustomCLSID: HKU\S-1-5-21-644284162-2181404400-2350963189-1000_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}\InprocServer32 -> C:\Users\Owner\AppData\Local\Google\Update\1.3.25.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-644284162-2181404400-2350963189-1000_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}\InprocServer32 -> C:\Users\Owner\AppData\Local\Google\Update\1.3.27.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-644284162-2181404400-2350963189-1000_Classes\CLSID\{355EC88A-02E2-4547-9DEE-F87426484BD1}\InprocServer32 -> C:\Users\Owner\AppData\Local\Google\Update\1.3.23.9\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-644284162-2181404400-2350963189-1000_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E}\InprocServer32 -> C:\Users\Owner\AppData\Local\Google\Update\1.3.28.1\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-644284162-2181404400-2350963189-1000_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98}\InprocServer32 -> C:\Users\Owner\AppData\Local\Google\Update\1.3.28.13\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-644284162-2181404400-2350963189-1000_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Users\Owner\AppData\Local\Google\Update\1.3.24.15\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-644284162-2181404400-2350963189-1000_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}\InprocServer32 -> C:\Users\Owner\AppData\Local\Google\Update\1.3.26.9\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-644284162-2181404400-2350963189-1000_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> C:\Users\Owner\AppData\Local\Google\Update\1.3.25.11\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-644284162-2181404400-2350963189-1000_Classes\CLSID\{FE498BAB-CB4C-4F88-AC3F-3641AAAF5E9E}\InprocServer32 -> C:\Users\Owner\AppData\Local\Google\Update\1.3.24.7\psuser_64.dll => No File
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

 
Save this as fixlist.txt, in the same location as FRST.exe

Run FRST and press Fix
On completion a log will be generated; please post that.

THEN

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete click on "Clean".
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S0].txt as well.

Here are the results of the FRST fix and AdwCleaner.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: http://differentia.ru/diff.php Malware
« Reply #7 on: October 10, 2015, 12:11:58 PM »
Any further problems ?

REDACTED

  • Guest
Re: http://differentia.ru/diff.php Malware
« Reply #8 on: October 10, 2015, 02:47:38 PM »
Quote
Any further problems ?

The pop-up alert was gone after I tried the fix linked in my first post, but I wanted to make sure the malware was completely removed. Is my system clean now?

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: http://differentia.ru/diff.php Malware
« Reply #9 on: October 10, 2015, 03:42:03 PM »
Subject to no further problems   :)

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems 

Now the best part of the day ----- Your log now appears clean  :thumbsup:

A good workman always cleans up after himself, so the following will implement some cleanup procedures as well as reset System Restore points:

Remove tools

Download and run Delfix
Select the options as shown



: Keep Java Updated :

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java
See this article

I would recommend that you completely uninstall Java unless you need it to run an important software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to disable Java in your web browser and How to unplug Java from the browser)

If you do need to keep Java then download JavaRa
Run the programme and select  Remove Java Runtime.  Uninstall all versions of Java present
Once done then run it again and select Update Java runtime > Download and install Latest version



Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent: install this programme to lock down and prevent crypto-ransomware



Malwarebytes

Update and run weekly to keep your system clean

Unchecky

Click on the link above to be taken to Unchecky.com
click the very large Download button.
click Save
Click Open folder
Right click on the Unchecky_setup and choose to Run as Administrator
Once open click the Install button.
Then click on Finish
Unchecky is now installed and will help you keep unwanted check boxes unchecked; this is a fire-and-forget programme  ;)

It is critical to have both a firewall and antivirus to protect your system, and to keep them updated.

To learn more about how to protect yourself while on the internet read this little guide  Best security practices Keep safe  :wave: