Trojan? Malware? Help!

#1 KIKI66 (Members, 1 post)

Posted 29 January 2013 - 12:55 PM

Hi there, I'm having a crisis - I hope someone can help me. I recently uploaded my new website and found that I was being redirected to an unknown page (http://coverskin.ir/oewi.html?h=1358570). I phoned my website hosts, and they said there were no redirects on the site and that it sounded like malware. I have since completely deleted my website. I have scanned with Malwarebytes and found 2 PUP.crossfire files and deleted them. I have now downloaded everything you have suggested in other posts and here are the logs. I am also getting small pop-up adverts while using Firefox. I have also found a programme 'coupon companion' in my control panel - which I cannot uninstall. I am now running ESET Scanner. Many thanks in advance.

Bootkit Remover
© 2009 Esage Lab
www.esagelab.com

Program version: 1.2.0.1
OS Version: Microsoft Windows 7 Home Premium Edition Service Pack 1 (build 7601), 64-bit

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`06500000
Boot sector MD5 is: bb4f1627d8b9beda49ac0d010229f3ff

Size Device Name MBR Status
--------------------------------------------
465 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


...................................

aswMBR version 0.9.9.1707 Copyright© 2011 AVAST Software
Run date: 2013-01-30 04:24:32
-----------------------------
04:24:32.994 OS Version: Windows x64 6.1.7601 Service Pack 1
04:24:32.994 Number of processors: 4 586 0x1E05
04:24:32.994 ComputerName: KATJAKRIEGLER UserName:
04:24:39.094 Initialize success
04:24:54.644 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP5T0L0-5
04:24:54.654 Disk 0 Vendor: ST3500418AS CC38 Size: 476940MB BusType: 3
04:24:54.664 Disk 0 MBR read successfully
04:24:54.674 Disk 0 MBR scan
04:24:54.674 Disk 0 Windows 7 default MBR code
04:24:54.684 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
04:24:54.694 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 476838 MB offset 206848
04:24:54.714 Disk 0 scanning C:\Windows\system32\drivers
04:25:02.464 Service scanning
04:25:18.244 Modules scanning
04:25:18.254 Disk 0 trace - called modules:
04:25:18.284 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
04:25:18.294 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004a38060]
04:25:18.294 3 CLASSPNP.SYS[fffff8800199143f] -> nt!IofCallDriver -> [0xfffffa80047e7520]
04:25:18.624 5 ACPI.sys[fffff88000f277a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP5T0L0-5[0xfffffa80047e3680]
04:25:18.634 Scan finished successfully
04:28:13.180 Disk 0 MBR has been saved successfully to "C:\Users\Katja.Kriegler\Desktop\VIRUS LOGS\MBR.dat"
04:28:13.190 The log file has been saved successfully to "C:\Users\Katja.Kriegler\Desktop\VIRUS LOGS\aswMBR.txt"


.......................

Malwarebytes Anti-Malware (Trial) 1.70.0.1100
www.malwarebytes.org

Database version: v2013.01.29.06

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
Katja.Kriegler :: KATJAKRIEGLER [administrator]

Protection: Enabled

30/01/2013 2:17:56 AM
mbam-log-2013-01-30 (02-17-56).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 271580
Time elapsed: 12 minute(s), 35 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKCU\SOFTWARE\INSTALLEDBROWSEREXTENSIONS\215 APPS (PUP.CrossFire.SA) -> Quarantined and deleted successfully.

Registry Values Detected: 1
HKCU\Software\InstalledBrowserExtensions\215 Apps|4493 (PUP.CrossFire.SA) -> Data: Coupon Companion -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
...............................

Malwarebytes Anti-Malware (Trial) 1.70.0.1100
www.malwarebytes.org

Database version: v2013.01.29.06

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 8.0.7601.17514
Katja.Kriegler :: KATJAKRIEGLER [administrator]

Protection: Enabled

30/01/2013 2:37:57 AM
mbam-log-2013-01-30 (02-37-57).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 473268
Time elapsed: 1 hour(s), 7 minute(s), 23 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Edited by KIKI66, 29 January 2013 - 01:35 PM.
Mod Edit: Moved topic from Windows 7 to the more appropriate forum. ~bloopie


#2 boopme (Global Moderator, 72,934 posts)

Posted 29 January 2013 - 03:12 PM

Welcome, please run these next.

TDSSKiller
  • Please download TDSSKiller.
  • Launch it.
  • Click on Change parameters - select TDLFS file system.
  • Click on "Scan".
  • Please post the LOG report (the log file should be in your C drive).

Do not change the default options on scan results.



MiniToolBox
Please download MiniToolBox, save it to your desktop and run it. Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Users, Partitions and Memory size.

Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run from. Note: when using the "Reset FF Proxy Settings" option, Firefox should be closed.
>>>

ADW Cleaner

Please download AdwCleaner by Xplode onto your desktop.

  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • You will be prompted to restart your computer. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

>>>>

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the ESET OnlineScan button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the esetsmartinstaller_enu.exe icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats".
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

NOTE: Sometimes if ESET finds no infections it will not create a log.
