
Url:mal originating from taskhost.exe


  • This topic is locked
21 replies to this topic

#16 aharonov (Malware Response Team, 2,441 posts)

Posted 26 February 2014 - 03:03 PM

I can still see malware entries in your log as well. Let's fix these.
And the ESET log file should be located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.


Step 1

Please download the attached fixlist.txt and save it in the same directory as FRST.
  • Start FRST with Administrator privileges.
  • Press the Fix button.
  • When finished, a log file (Fixlog.txt) pops up and is saved to same location the tool was run from.
    Please copy and paste its contents in your next reply.
Restart your computer.



Step 2

Start FRST with administrator privileges.
  • Press the Scan button.
  • When finished, FRST will produce a log (FRST.txt) in the same directory the tool was run from.
    Please copy and paste this log in your next reply.




#17 Juanmik (Topic Starter, Members, 27 posts)

Posted 26 February 2014 - 03:46 PM

This is what Eset found:

 

C:\Users\Doris\AppData\Local\Emftion\HandlerEventImage.dll a variant of Win32/Sefnit.CX trojan cleaned by deleting (after the next restart) - quarantined



#18 Juanmik (Topic Starter, Members, 27 posts)

Posted 26 February 2014 - 03:48 PM

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 26-02-2014 01
Ran by Doris at 2014-02-26 14:47:38 Run:1
Running from D:\Users\Doris\Downloads\FRST
Boot Mode: Normal
 
==============================================
 
Content of fixlist:
*****************
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKU\S-1-5-21-1167016168-3567840934-799961921-1000\...\Run: [Emftion] - regsvr32.exe C:\Users\Doris\AppData\Local\Emftion\HandlerEventImage.dll <===== ATTENTION
C:\Users\Doris\AppData\Local\Emftion
CHR HKLM\...\Chrome\Extension: [ceikklieffoecpdlmfcdebiimbfjiofp] - C:\Program Files\WebexpEnhancedV1\WebexpEnhancedV1alpha934\ch\WebexpEnhancedV1alpha934.crx [2013-10-09]
CHR HKLM\...\Chrome\Extension: [mhbkpgkjpamabmkcbegecpomahldalif] - C:\Program Files\VideoPlayerV3\VideoPlayerV3beta358\ch\VideoPlayerV3beta358.crx [2013-10-09]
CHR HKLM\...\Chrome\Extension: [npiecjlhkngdinoeekmccdbjdgclmnbk] - C:\Users\Doris\AppData\Local\CRE\npiecjlhkngdinoeekmccdbjdgclmnbk.crx [2013-10-09]
CHR HKCU\...\Chrome\Extension: [npiecjlhkngdinoeekmccdbjdgclmnbk] - C:\Users\Doris\AppData\Local\CRE\npiecjlhkngdinoeekmccdbjdgclmnbk.crx [2013-10-09]
*****************
 
HKLM\SOFTWARE\Policies\Google => Key deleted successfully.
HKU\S-1-5-21-1167016168-3567840934-799961921-1000\Software\Microsoft\Windows\CurrentVersion\Run\\Emftion => Value deleted successfully.
C:\Users\Doris\AppData\Local\Emftion => Moved successfully.
HKLM\SOFTWARE\Google\Chrome\Extensions\ceikklieffoecpdlmfcdebiimbfjiofp => Key deleted successfully.
"C:\Program Files\WebexpEnhancedV1\WebexpEnhancedV1alpha934\ch\WebexpEnhancedV1alpha934.crx" => File/Directory not found.
HKLM\SOFTWARE\Google\Chrome\Extensions\mhbkpgkjpamabmkcbegecpomahldalif => Key deleted successfully.
"C:\Program Files\VideoPlayerV3\VideoPlayerV3beta358\ch\VideoPlayerV3beta358.crx" => File/Directory not found.
HKLM\SOFTWARE\Google\Chrome\Extensions\npiecjlhkngdinoeekmccdbjdgclmnbk => Key deleted successfully.
"C:\Users\Doris\AppData\Local\CRE\npiecjlhkngdinoeekmccdbjdgclmnbk.crx" => File/Directory not found.
HKCU\SOFTWARE\Google\Chrome\Extensions\npiecjlhkngdinoeekmccdbjdgclmnbk => Key deleted successfully.
"C:\Users\Doris\AppData\Local\CRE\npiecjlhkngdinoeekmccdbjdgclmnbk.crx" => File/Directory not found.
 
==== End of Fixlog ====
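The Fixlog above shows three kinds of persistence FRST removed: a per-user Run value that loads a DLL through regsvr32.exe from AppData\Local, the HKLM\SOFTWARE\Policies\Google key, and Chrome extension registry keys whose .crx files were already gone ("File/Directory not found"). The PowerShell script below is an added example, not part of this thread and not FRST's own code; it audits those same locations read-only so the same pattern can be checked on another machine before writing a fixlist. It assumes the legacy Chrome external-extension registry format (a string value named "path" under ...\Google\Chrome\Extensions\<id>); the sample Run and extension entries are constructed from the Fixlog lines rather than read from a live registry.

```powershell
# Added example (not from the thread, not FRST): read-only audit of the persistence
# locations the Fixlog touched. Assumption: the legacy Chrome external-extension
# registry format keeps the .crx location in a string value named "path".

function Test-SuspiciousRunCommand {
    param([Parameter(Mandatory)][string]$Command)
    # regsvr32 loading a DLL out of a user-writable profile path, like the Emftion entry
    $regsvr  = '(?i)(^|\\|\s|")regsvr32(\.exe)?\b'
    $userDll = '(?i)\\(AppData|Temp|Downloads)\\[^"]*\.dll'
    return [bool](($Command -match $regsvr) -and ($Command -match $userDll))
}

function Get-SuspiciousRunEntries {
    # $Entries: hashtables with Hive, Name, Command (from Get-LiveRunEntries or the sample below)
    param([hashtable[]]$Entries)
    foreach ($e in $Entries) {
        if (Test-SuspiciousRunCommand -Command $e.Command) {
            [pscustomobject]@{ Kind = 'RunValue'; Hive = $e.Hive; Name = $e.Name; Detail = $e.Command }
        }
    }
}

function Get-StaleChromeExtensionKeys {
    # Reports extension keys whose .crx path no longer exists (the "File/Directory not found"
    # lines in the Fixlog). $PathExists is injectable so the function can run on sample data.
    param([hashtable[]]$Keys, [scriptblock]$PathExists = { param($p) Test-Path -LiteralPath $p })
    foreach ($k in $Keys) {
        if ([string]::IsNullOrEmpty($k.Path)) { continue }   # update_url-style keys carry no path
        if (-not (& $PathExists $k.Path)) {
            [pscustomobject]@{ Kind = 'ChromeExtension'; Hive = $k.Hive; Name = $k.Id; Detail = $k.Path }
        }
    }
}

# Live collectors: they enumerate the registry and never modify it.
function Get-LiveRunEntries {
    foreach ($hive in 'HKCU', 'HKLM') {
        $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            @{ Hive = $hive; Name = $name; Command = [string]$item.GetValue($name) }
        }
    }
}

function Get-LiveChromeExtensionKeys {
    foreach ($hive in 'HKLM', 'HKCU') {
        $base = "${hive}:\SOFTWARE\Google\Chrome\Extensions"
        if (-not (Test-Path $base)) { continue }
        foreach ($sub in Get-ChildItem $base) {
            @{ Hive = $hive; Id = $sub.PSChildName; Path = [string]$sub.GetValue('path') }
        }
    }
}

function Test-ChromePolicyKeyPresent {
    # FRST flagged HKLM\SOFTWARE\Policies\Google as a "Policy restriction". On a home PC the key
    # is usually planted by adware; on a domain-joined machine it is normal, so treat it as a lead.
    return Test-Path 'HKLM:\SOFTWARE\Policies\Google'
}

# Constructed sample mirroring the Fixlog entries (not live registry data)
$sampleRun = @(
    @{ Hive = 'HKCU'; Name = 'Emftion'
       Command = 'regsvr32.exe C:\Users\Doris\AppData\Local\Emftion\HandlerEventImage.dll' },
    @{ Hive = 'HKLM'; Name = 'Adobe ARM'
       Command = '"C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"' }   # benign control
)
$sampleExt = @(
    @{ Hive = 'HKLM'; Id = 'ceikklieffoecpdlmfcdebiimbfjiofp'
       Path = 'C:\Program Files\WebexpEnhancedV1\WebexpEnhancedV1alpha934\ch\WebexpEnhancedV1alpha934.crx' },
    @{ Hive = 'HKCU'; Id = 'npiecjlhkngdinoeekmccdbjdgclmnbk'
       Path = 'C:\Users\Doris\AppData\Local\CRE\npiecjlhkngdinoeekmccdbjdgclmnbk.crx' }
)
# Simulate the Fixlog's "File/Directory not found" by treating every .crx path as missing
$findings = @(Get-SuspiciousRunEntries -Entries $sampleRun) +
            @(Get-StaleChromeExtensionKeys -Keys $sampleExt -PathExists { param($p) $false })
$findings | Format-Table -AutoSize

# Against the machine this runs on (still read-only):
# @(Get-SuspiciousRunEntries -Entries @(Get-LiveRunEntries)) +
# @(Get-StaleChromeExtensionKeys -Keys @(Get-LiveChromeExtensionKeys)) | Format-Table -AutoSize
# if (Test-ChromePolicyKeyPresent) { 'HKLM\SOFTWARE\Policies\Google is present; review its values' }
```

On the constructed sample the script reports the Emftion Run value and both extension keys and stays silent on the benign Adobe entry; the live variant only lists candidates, it does not delete anything, so the output is a starting point for a fixlist rather than a fix in itself.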


#19 aharonov (Malware Response Team, 2,441 posts)

Posted 26 February 2014 - 04:17 PM

This is what Eset found:

Yes this is the malware entry that I've also seen.
So it's looking good now.


That's it! Your logs look clean to me at the moment.
We're gonna clean up everything now, close security holes on your computer and in the end I'll provide you with a list of security tips so you hopefully will not need our help anymore in the future.


My help is free for everybody.
If you want to support me fighting against malware or buy me a beer for the assistance you received, then you can consider a donation.
Thank you!



Clean Up

Now we remove all the tools we used (including their logs and quarantine folders), restore your settings and delete old and infected system restore points:

  • You can uninstall programs that you had to install (e.g. MBAM or ESET Onlinescanner) in the control panel if you so wish.
  • Rename Combofix.exe to Uninstall.exe and execute it with a double click. (Beware that file extensions might be hidden, so don't add a double extension like Uninstall.exe.exe.)
  • Download DelFix (by Xplode) and save it to your Desktop.
    • Close all running programs and start delfix.exe.
    • Make sure that all available options are checked.
    • Click on Run
    • DelFix should remove all our tools and delete itself afterwards. I don't need the log file.
  • If there is still something left you can delete it manually.

Closing security holes

Many infections happen via drive-by downloads that run unnoticed in the background while the user visits an infected website. To achieve this, malware exploits security holes in installed software (e.g. the browser or its plugins). Older versions of such software often have lots of known exploitable holes. Therefore it's very important to always keep your software up-to-date.
The following software is outdated. Make sure you remove all old versions and install the current one instead if you need the program:


Internet Explorer Version 10




Tips

I recommend to read and follow the "16 simple and easy ways to keep your computer safe and secure on the Internet" (Link) by Lawrence Abrams.



#20 Juanmik (Topic Starter, Members, 27 posts)

Posted 26 February 2014 - 05:41 PM

Thank you!



#21 aharonov (Malware Response Team, 2,441 posts)

Posted 27 February 2014 - 03:38 AM

You're welcome.



#22 aharonov (Malware Response Team, 2,441 posts)

Posted 27 February 2014 - 03:38 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
