Author Topic: Chat Shenanigans  (Read 348 times)

0 Members and 1 Guest are viewing this topic.

Offline Richard Coop

  • Newbie
  • *
  • Posts: 4
Chat Shenanigans
« on: September 11, 2017, 01:09:00 PM »
Since I'm very much a novice in this department, I'm just hoping to have a few questions answered by the experts. If you need me to post logs, I will. But I doubt it. It's pretty straight forward.

Long story, short: I stopped by a chat site that I used to frequent. The kind that was popular 10-15 years ago. It still has the same old school layout, and I assume the same old school security, because I've seen it attacked few times. Rapid fire spam, unclosable (obscene) webcams, etc, etc. Well, when I logged in this time, Avast hit me with an alert almost immediately. A threat had been blocked. The object in question ended in "HACK3.php". The infection was listed as "JS:Agent-EAA [Trj]". I logged out a minute later, and ran scans with the programs that I had on hand -- Avast (Nothing), SuperAntiSpyware (Nothing serious), ShieldsUp (100% Passes all around). I even downloaded a couple of the more popular antiviruses, and didn't get anything from those either. As far as I could tell, the attack was blocked. It was still unacceptable though. If a site can't guarantee a safer experience than that, and people can't pretend to be humans, then it's not worth the time.

My questions..

Can anyone tell about that particular infection? What would be the goal behind a trojan like that?

Did I handle the attack correctly? Other than Avast, are there any other free programs that I should be running on a regular basis?

Is it possible that other infections got through and went undetected?

Thanks.

Offline Pondus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33585
Re: Chat Shenanigans
« Reply #1 on: September 11, 2017, 02:45:21 PM »
Quote
JS:Agent-EAA [Trj]
Malicious java script, maybe a blocked fake alert ?

Quote
I even downloaded a couple of the more popular antiviruses
Dont do that  >>  https://www.kaspersky.com/blog/multiple-antivirus-programs-bad-idea/2670/
If you want a second opinion use a online scanner like TrendMicro house call or F-Secure online scanner


Quote
Is it possible that other infections got through and went undetected?
If you want a check, follow instructions in the sticky post at top in this forum section


Chief Wiggum: Uh, no, you got the wrong number. This is 9-1…2.


Offline Richard Coop

  • Newbie
  • *
  • Posts: 4
Re: Chat Shenanigans
« Reply #2 on: September 12, 2017, 03:18:04 PM »
Quote
maybe a blocked fake alert?

I feel like it was meant to be worse. But that's possible.

Quote
use a online scanner like TrendMicro house call or F-Secure online scanner

Okay. Both turned out fine.

Quote
If you want a check, follow instructions in the sticky post at top in this forum section

Done. I've attached my Malwarebytes and Farbar logs. If anything seems off, please let me know.


I have another question. Hopefully this is the place to ask. My PC's been freezing up lately. It's been especially bad the last couple days. So I checked the Task Manager, and the DNS Client service was driving my CPU usage into the 90-100% range. Then I took a look at the Host file. It was modified on the same day that this trojan occurred. In addition to blocked adult sites and everything you'd expect, the Host file also included (what appeared to be) blocked security sites -- ones with "avast" and "avg" in their URLs. I cleared the entire thing out, taking the file size from around 50k down to 1k. And, so far, I haven't had another freeze up.

Could this have been related to the malicious java script from before? Should it be alright now?
« Last Edit: September 14, 2017, 01:23:22 PM by Richard Coop »

Offline Sass Drake

  • MyCity AMF R2
  • Full Member
  • ***
  • Posts: 194
Re: Chat Shenanigans
« Reply #3 on: September 12, 2017, 08:22:57 PM »
  • Open Notepad (click Start button -> type notepad.exe -> press Enter)
  • Copy text from code block below and paste it into Notepad
Code: [Select]
HKU\S-1-5-21-1759136461-2645483420-3116059984-1000\...\Run: [Chromium] => "c:\users\brandon\appdata\local\chromium\application\chrome.exe" --auto-launch-at-startup --profile-directory=Default --restore-last-session
HKU\S-1-5-21-1759136461-2645483420-3116059984-1000\...\ChromeHTML: ->  <==== ATTENTION
CHR NewTab: Profile 1 ->  Not-active:"chrome-extension://geamcidmcmgmnfoomdkkjdgimhjjobkf/newtab.html"
c:\users\brandon\appdata\local\chromium
  • Go to File -> Save As
  • Make sure that  UTF-8 is selected as Encoding (left side of Save button)
  • Save it as fixlist.txt on Desktop
  • Open again FRST and click on button Fix
  • Wait until FRST finishes
  • fixlog.txt should be genereted and opened. Attach it your post and wait further instructions.

Offline Richard Coop

  • Newbie
  • *
  • Posts: 4
Re: Chat Shenanigans
« Reply #4 on: September 13, 2017, 12:34:12 AM »
Okay.. I attached fixlog.txt to the previous post.
« Last Edit: September 13, 2017, 12:36:07 AM by Richard Coop »

Offline Sass Drake

  • MyCity AMF R2
  • Full Member
  • ***
  • Posts: 194
Re: Chat Shenanigans
« Reply #5 on: September 13, 2017, 01:04:36 AM »
Your PC is now clean and fix removed some adware leftovers.


The following will implement some post-cleanup procedures:

=> Please download DelFix by Xplode to your Desktop.]
Run the tool and check the following boxes below;
Remove disinfection tools
Create registry backup
Purge System Restore

Click Run button and wait a few seconds for the programme completes his work.
At this point all the tools we used here should be gone. Tool will create an report for you (C:\DelFix.txt)

The tool will also record healthy state of registry and make a backup using ERUNT program in %windir%\ERUNT\DelFix
Tool deletes old system restore points and create a fresh system restore point after cleaning.





Can you upload screenshot of Avast detection?

Offline Richard Coop

  • Newbie
  • *
  • Posts: 4
Re: Chat Shenanigans
« Reply #6 on: September 14, 2017, 01:22:53 PM »
Not sure I follow on the Avast detection question. I am glad to be completely rid of Chromium though.

As for my previous question: Rather than a malicious program modifying my Hosts file on the day of the (blocked) attack, I'm thinking that it was done by one of the other antiviruses that I carelessly installed at the time.

That should just about cover it. Your kindness has been much appreciated.