Author Topic: I am probably infected.  (Read 6029 times)


maokai

  • Guest
I am probably infected.
« on: January 20, 2012, 10:13:59 PM »
Oh hey all, got a question. I was on not-so-safe websites and I've got a trojan warning from avast, but the thing is, it crashed AVAST. So I'm pretty sure I am infected. I restarted the computer half a second after Windows told me AVAST crashed. What should I do to remove the threat?

Thanks

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: I am probably infected.
« Reply #1 on: January 20, 2012, 10:31:16 PM »
Could you follow the instructions on this thread and post the relevant logs, please: http://forum.avast.com/index.php?topic=53253.0

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37583
  • Not a avast user
Re: I am probably infected.
« Reply #2 on: January 20, 2012, 10:55:26 PM »
and by post, he means attach the logs   ;)


lower left corner: additional options > attach

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: I am probably infected.
« Reply #3 on: January 20, 2012, 11:07:14 PM »
Ooops  :-[

maokai

  • Guest
Re: I am probably infected.
« Reply #4 on: January 21, 2012, 02:59:12 AM »
Malwarebytes Anti-Malware (Trial) 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.20.04

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Mathieu :: MATHIEU-PC [administrator]

Protection: Enabled

2012-01-20 20:52:09
mbam-log-2012-01-20 (20-52-09).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 201968
Time elapsed: 5 minute(s), 19 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 4
HKCR\batfile\shell\open\command| (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: ("%1" %*) -> Quarantined and repaired successfully.
HKCR\comfile\shell\open\command| (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: ("%1" %*) -> Quarantined and repaired successfully.
HKCR\piffile\shell\open\command| (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: ("%1" %*) -> Quarantined and repaired successfully.
HKCR\scrfile\shell\open\command| (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: ("%1" /S) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

maokai

  • Guest
Re: I am probably infected.
« Reply #5 on: January 21, 2012, 03:14:27 AM »
extras.txt

maokai

  • Guest
Re: I am probably infected.
« Reply #6 on: January 21, 2012, 03:14:54 AM »
otl.txt

maokai

  • Guest
Re: I am probably infected.
« Reply #7 on: January 21, 2012, 03:30:48 AM »
ASWMBR.EXE crashes while scanning or cannot complete its scan.

Also, looking at the antivirus report up there, it seems I had some kind of keylogger. Should I reset ALL my passwords?

Stopping there for tonight, should I try rogue tomorrow?

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: I am probably infected.
« Reply #8 on: January 21, 2012, 01:04:58 PM »
Hi, it is always prudent to reset passwords from a clean computer.

Could you right click aswMBR
Select rename
Call it explorer and retry it

THEN

Do the following:
  1. Click on the Start button and then choose Control Panel.
  2. Click on the System and Security link.

     Note: If you're viewing the Large icons or Small icons view of Control Panel, you won't see this link so just click on the Administrative Tools icon and skip to Step 4.
  3. In the System and Security window, click on the Administrative Tools heading located near the bottom of the window.
  4. In the Administrative Tools window, double-click on the Computer Management icon.
  5. When Computer Management opens, click on Disk Management on the left side of the window, located under Storage.

     After a brief loading period, Disk Management should now appear on the right side of the Computer Management window.

     Note: If you don't see Disk Management listed, you may need to click on the |> icon to the left of the Storage icon.
Take a screenshot of the Disk Management window and attach the screenshot to your reply.

maokai

  • Guest
Re: I am probably infected.
« Reply #9 on: January 21, 2012, 04:19:15 PM »
I hope you have good knowledge of the French language.  :-X

It's basically saying that they are ''healthy'' or ''sain'' if that's what you are looking for...

It crashed again btw.
« Last Edit: January 21, 2012, 04:21:31 PM by maokai »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: I am probably infected.
« Reply #10 on: January 21, 2012, 09:02:11 PM »
OK, it is just that the latest TDL causes aswMBR to crash and it has a small partition all to itself. But you look clean.

I saw no apparent malware markers on the OTL log

The MBAM removals are not really infections; they are just a possible hijack point. I have my reg files set to open in notepad and MBAM kills that every time I run it.

Are you experiencing any problems?
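Reply #10 describes the MBAM entries as possible hijack points rather than infections; the following added example (not part of any post in this thread) parses the `Broken.OpenCommand` lines from Reply #4 and reports which program each file-type handler had been pointed at. The editor allow-list, the verdict labels and the constructed `exefile` line are assumptions made for illustration.

```python
import ntpath
import re

# The four detection lines from the MBAM log in Reply #4, verbatim.
MBAM_LINES = r'''
HKCR\batfile\shell\open\command| (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: ("%1" %*) -> Quarantined and repaired successfully.
HKCR\comfile\shell\open\command| (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: ("%1" %*) -> Quarantined and repaired successfully.
HKCR\piffile\shell\open\command| (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: ("%1" %*) -> Quarantined and repaired successfully.
HKCR\scrfile\shell\open\command| (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: ("%1" /S) -> Quarantined and repaired successfully.
'''
# Constructed line (not from the thread): a handler that is not a text editor.
CONSTRUCTED = r'HKCR\exefile\shell\open\command| (Broken.OpenCommand) -> Bad: ("C:\Temp\example.exe" "%1" %*) Good: ("%1" %*) -> No action taken.'

LINE_RE = re.compile(
    r'^(?P<key>[^|]+)\|\s*(?P<value>[^(]*?)\s*\((?P<detection>[^)]+)\)'
    r' -> Bad: \((?P<bad>.*)\) Good: \((?P<good>.*)\) -> (?P<action>.+)$')

# Assumption: editors a user may deliberately associate with script file types.
KNOWN_EDITORS = {"notepad.exe"}

def handler_program(command):
    """Return the lower-cased executable name that starts an open command."""
    command = command.strip()
    if not command:
        return ""
    if command.startswith('"'):
        program = command[1:].split('"', 1)[0]   # quoted path, may contain spaces
    else:
        program = command.split(None, 1)[0]      # bare first token
    return ntpath.basename(program).lower()

def parse_detections(text):
    """Parse 'Registry Data Items Detected' lines into dicts with a triage verdict."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                              # blank or non-detection line
        f = m.groupdict()
        parts = f["key"].split("\\")
        f["file_type"] = parts[1] if len(parts) > 1 else ""
        f["program"] = handler_program(f["bad"])
        f["verdict"] = "opens-in-editor" if f["program"] in KNOWN_EDITORS else "review"
        findings.append(f)
    return findings

if __name__ == "__main__":
    for f in parse_detections(MBAM_LINES + "\n" + CONSTRUCTED):
        print(f["file_type"], f["program"], f["verdict"], f["action"])
```
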


maokai

  • Guest
Re: I am probably infected.
« Reply #11 on: January 21, 2012, 10:58:42 PM »
Nope, just making sure everything was clean and safe, since AVAST crashed during a trojan attack, and it never happened before.

Thanks for the help! :D

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: I am probably infected.
« Reply #12 on: January 22, 2012, 12:18:44 AM »
Is Avast OK now and everything working as normal?

maokai

  • Guest
Re: I am probably infected.
« Reply #13 on: January 22, 2012, 03:35:43 PM »
Ya, the PUP scan was turned off, turned that on and it caught another spyware, other than that, everything seems normal.

maokai

  • Guest
Re: I am probably infected.
« Reply #14 on: January 23, 2012, 04:54:09 PM »
I think we have a problem!