
ComSurrogate and Malware Whack-a-Mole


  • This topic is locked
57 replies to this topic

#16 GrayAnderson

GrayAnderson
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Local time:08:00 PM

Posted 15 October 2014 - 04:56 AM

# AdwCleaner v4.000 - Report created 15/10/2014 at 05:55:23
# Updated 12/10/2014 by Xplode
# Database : 2014-10-15.7
# Operating System : Windows 8  (64 bits)
# Username : Gray - VAL
# Running from : C:\Users\William\Downloads\AdwCleaner.exe
# Option : Scan

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Found : C:\Program Files (x86)\Viewpoint
Folder Found : C:\ProgramData\Viewpoint

***** [ Scheduled Tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Found : HKCU\Software\Softonic
Key Found : [x64] HKCU\Software\Softonic
Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl
Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl.1
Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary
Key Found : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary.1
Key Found : HKLM\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{058F0E48-61CA-4964-9FBA-1978A1BB060D}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{058F0E48-61CA-4964-9FBA-1978A1BB060D}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{18F33C35-8EF2-40D7-8BA4-932B0121B472}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{18F33C35-8EF2-40D7-8BA4-932B0121B472}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Found : HKLM\SOFTWARE\MetaStream
Key Found : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Found : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ViewpointMediaPlayer
Key Found : HKLM\SOFTWARE\Viewpoint
Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]

***** [ Browsers ] *****

-\\ Internet Explorer v10.0.9200.16453


-\\ Mozilla Firefox v25.0.1 (en-US)


*************************

AdwCleaner[R0].txt - [2915 octets] - [15/10/2014 05:22:43]
AdwCleaner[R1].txt - [2872 octets] - [15/10/2014 05:55:23]

########## EOF - C:\AdwCleaner\AdwCleaner[R1].txt - [2932 octets] ##########
 





#17 Naathim

Naathim

    Bleepin' Minion


  • Members
  • 435 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Poland
  • Local time:01:00 AM

Posted 15 October 2014 - 04:56 AM

Please don't miss my previous post:

http://www.bleepingcomputer.com/forums/t/551874/comsurrogate-and-malware-whack-a-mole/#entry3506813

 

:)


Radek Naathim Pawelczyk

Malware Removal Specialist

 



#18 GrayAnderson

GrayAnderson
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Local time:08:00 PM

Posted 15 October 2014 - 04:59 AM

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.3.3 (10.14.2014:1)
OS: Windows 8 x64
Ran by Gray on Wed 10/15/2014 at  5:57:24.66
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys



~~~ Files



~~~ Folders

Successfully deleted: [Folder] "C:\ProgramData\viewpoint"
Failed to delete: [Folder] "C:\Program Files (x86)\viewpoint"



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Wed 10/15/2014 at  5:59:12.78
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 



#19 GrayAnderson

GrayAnderson
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Local time:08:00 PM

Posted 15 October 2014 - 05:05 AM

Ok, sorry for jumping around.  I didn't see my previous post on a refresh so I re-ran everything and flooded the thread with mostly redundant scans.  I did run a clean with AdwCleaner and the log is below.  I only held off because you didn't say to, and I'm holding to your directions as closely as humanly possible.  I'm going to hit Malwarebytes next.

 

# AdwCleaner v4.000 - Report created 15/10/2014 at 06:00:33
# DB v2014-10-15.7
# Updated 12/10/2014 by Xplode
# Operating System : Windows 8  (64 bits)
# Username : Gray - VAL
# Running from : C:\Users\William\Downloads\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\Program Files (x86)\Viewpoint

***** [ Scheduled Tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl.1
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary.1
Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{058F0E48-61CA-4964-9FBA-1978A1BB060D}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{18F33C35-8EF2-40D7-8BA4-932B0121B472}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{EF99BD32-C1FB-11D2-892F-0090271D4F88}]
Key Deleted : HKCU\Software\Softonic
Key Deleted : HKLM\SOFTWARE\MetaStream
Key Deleted : HKLM\SOFTWARE\Viewpoint
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ViewpointMediaPlayer

***** [ Browsers ] *****

-\\ Internet Explorer v10.0.9200.16453


-\\ Mozilla Firefox v25.0.1 (en-US)


*************************

AdwCleaner[R0].txt - [2915 octets] - [15/10/2014 05:22:43]
AdwCleaner[R1].txt - [3016 octets] - [15/10/2014 05:55:23]
AdwCleaner[S0].txt - [2735 octets] - [15/10/2014 06:00:33]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [2795 octets] ##########
 



#20 GrayAnderson

GrayAnderson
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Local time:08:00 PM

Posted 15 October 2014 - 05:09 AM

Ok, I'm running Malwarebytes; I was unable to update the Malwarebytes files (the current ones are four days old); I'm going to blame the fact that I'm doing all of this while on a train with occasionally "quirky" wifi.  This will probably take a while based on previous experience.  After that I'll hit the two scans below it.  Hopefully all should be done by 0700 my time.



#21 Naathim

Naathim

    Bleepin' Minion


  • Members
  • 435 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Poland
  • Local time:01:00 AM

Posted 15 October 2014 - 05:13 AM

No worries, I will stay around at least for the next 2-3 hours or so, so you may still catch me here :)


Radek Naathim Pawelczyk

Malware Removal Specialist

 



#22 GrayAnderson

GrayAnderson
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Local time:08:00 PM

Posted 15 October 2014 - 05:26 AM

Ok, Malwarebytes ran quickly.  Got one small side issue, namely that when I just restarted I pulled up my Task Manager (I've been keeping it around a lot to deal with the ComSurrogate floods) and saw two instances of ComSurrogate running.  These aren't memory hogs, so...who knows, they might actually be legitimate?

 

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 10/15/2014
Scan Time: 06:06:32
Logfile:
Administrator: Yes

Version: 2.00.2.1012
Malware Database: v2014.10.11.01
Rootkit Database: v2014.10.08.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 8
CPU: x64
File System: NTFS
User: Gray

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 345237
Time Elapsed: 9 min, 17 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 2
PUP.Optional.Softonic, C:\Users\William\Downloads\SoftonicDownloader_for_spybot-search-destroy.exe, Quarantined, [660746cd7507ee4823b3d6e4dd24916f],
Exploit.Drop.GS, C:\Users\William\AppData\Local\Temp\Low\obupdat.exe, Quarantined, [630a749f5527171fa370ea7e15ee7090],

Physical Sectors: 0
(No malicious items detected)


(end)



#23 GrayAnderson

GrayAnderson
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Local time:08:00 PM

Posted 15 October 2014 - 05:33 AM

I skipped over ESET for now.  I can't download the file due to Amtrak's downloading limits on this particular train (I think...there's a certain amount of voodoo in what gets blocked) while in IE the popup just goes blank after I accept the EULA.  Security Check's file is below.

 

 Results of screen317's Security Check version 0.99.88  
   x64 (UAC is enabled)  
 Internet Explorer 10 Out of date!
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!  
Windows Defender   
 WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
 Java 7 Update 55  
 Java version out of Date!
  Adobe Flash Player     11.8.800.94 Flash Player out of Date!  
 Adobe Reader XI  
 Mozilla Firefox 25.0.1 Firefox out of Date!  
 Mozilla Thunderbird (24.6.0)
````````Process Check: objlist.exe by Laurent````````  
 Windows Defender MSMpEng.exe
 Malwarebytes Anti-Malware mbam.exe  
 Windows Defender MsMpEng.exe   
 Windows Defender MpCmdRun.exe   
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:  %
````````````````````End of Log``````````````````````
 



#24 Naathim

Naathim

    Bleepin' Minion


  • Members
  • 435 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Poland
  • Local time:01:00 AM

Posted 15 October 2014 - 05:35 AM

OK, no worries. I will wait patiently for the ESET report. Do it when you are able to.
 
Answering your previous question:
 

These aren't memory hogs, so...who knows, they might actually be legitimate?

 
Yes, they are. dllhost itself is a legitimate process, which is mandatory to run (it's used by the Windows OS itself to handle internal system tasks). The infection you had fires more instances of this process to use it for its own, illegitimate purposes.


Radek Naathim Pawelczyk

Malware Removal Specialist

 

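The point above is that dllhost.exe (COM Surrogate) is legitimate but can be started by malware many times over, so the useful check is not "is dllhost running" but "what is each instance hosting and who started it". The following PowerShell triage script is an added example, not something posted in this thread; it assumes Windows 8 or later with PowerShell 3.0+ (Get-CimInstance) and is run from an elevated prompt so that command lines of all processes are readable.

```powershell
# Added triage helper (not from the thread): list every dllhost.exe (COM Surrogate)
# instance, its parent process, and the COM class it was launched to host.
# A normal instance is started as:  dllhost.exe /Processid:{CLSID}
# with the CLSID registered under HKCR\CLSID and the binary in System32/SysWOW64.
$procs = Get-CimInstance Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

$systemDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")

$rows = foreach ($p in ($procs | Where-Object { $_.Name -ieq 'dllhost.exe' })) {
    $parent = $byPid[[int]$p.ParentProcessId]
    $flags  = @()

    # Extract the CLSID the surrogate was asked to host.
    $clsid = $null
    if ($p.CommandLine -match '/Processid:(\{[0-9A-Fa-f-]{36}\})') {
        $clsid = $Matches[1]
    } else {
        $flags += 'no /Processid on command line'
    }

    # Resolve the CLSID to its registered (default) class name.
    $className = $null
    if ($clsid) {
        $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
        if (Test-Path $key) {
            $className = (Get-ItemProperty -Path $key).'(default)'
            if (-not $className) { $className = '<registered, unnamed>' }
        } else {
            $flags += 'CLSID not registered'
        }
    }

    # dllhost.exe itself should live in a Windows system directory.
    $dir = if ($p.ExecutablePath) { Split-Path $p.ExecutablePath -Parent } else { $null }
    if ($dir -and ($systemDirs -notcontains $dir)) { $flags += "unexpected path: $dir" }

    [PSCustomObject]@{
        PID       = $p.ProcessId
        Parent    = if ($parent) { "$($parent.Name) ($($parent.ProcessId))" } else { '<exited>' }
        CLSID     = $clsid
        ClassName = $className
        Flags     = ($flags -join '; ')
    }
}

$rows | Format-Table PID, Parent, CLSID, ClassName, Flags -AutoSize
"{0} dllhost.exe instance(s) running, {1} flagged" -f @($rows).Count,
    @($rows | Where-Object { $_.Flags }).Count
```

Flagged rows (unregistered CLSID, missing /Processid, or a binary outside System32/SysWOW64) are the ones worth handing to the helper along with the FRST/ESET logs; unflagged rows with a recognisable class name are the ordinary short-lived surrogates Windows starts on its own.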


#25 GrayAnderson

GrayAnderson
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Local time:08:00 PM

Posted 15 October 2014 - 08:07 AM

Ok, I'm running ESET now.  I was able to get a more cooperative wifi connection off of one of the train stations we stopped at for long enough to download the relevant files.

 

It's about two hours in, and ESET has already found 57 infected files.  There's a chance I'll be stuck pausing the scan for a while...but ESET's sure finding a lot on here.



#26 Naathim

Naathim

    Bleepin' Minion


  • Members
  • 435 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Poland
  • Local time:01:00 AM

Posted 15 October 2014 - 08:09 AM

Post the log when ready. After the inspection I will remove what should be removed.

Radek Naathim Pawelczyk

Malware Removal Specialist

 



#27 GrayAnderson

GrayAnderson
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Local time:08:00 PM

Posted 15 October 2014 - 09:02 AM

C:\FRST\Quarantine\C\Users\William\AppData\Roaming\ftbmt.dll.xBAD    a variant of MSIL/Injector.FTG trojan
C:\ProgramData\Windows Genuine Advantage\{01F5C7D9-FEB9-4A73-BE42-CD3EB36565CD}\msiexec.exe    Win32/TrojanDownloader.Cerabit.A trojan
C:\ProgramData\Windows Genuine Advantage\{685955DB-0ECF-458E-813C-5720B4E1FA1E}\msiexec.exe    Win32/TrojanDownloader.Cerabit.A trojan
C:\Users\All Users\Windows Genuine Advantage\{01F5C7D9-FEB9-4A73-BE42-CD3EB36565CD}\msiexec.exe    Win32/TrojanDownloader.Cerabit.A trojan
C:\Users\All Users\Windows Genuine Advantage\{685955DB-0ECF-458E-813C-5720B4E1FA1E}\msiexec.exe    Win32/TrojanDownloader.Cerabit.A trojan
C:\Users\William\AppData\Local\Microsoft\{772f3d14-647d-7f5f-3fa4-9a6c28df52f6}\{772f3d14-647d-7f5f-3fa4-9a6c28df52f6}.exe    Win32/Kovter.A trojan
C:\Users\William\AppData\LocalLow\DECRYPT_INSTRUCTION.HTML    Win32/Filecoder.CR trojan
C:\Users\William\AppData\LocalLow\DECRYPT_INSTRUCTION.TXT    Win32/Filecoder.CR trojan
C:\Users\William\AppData\LocalLow\qolwtrt.dll    Win32/TrojanDownloader.Tracur.AM trojan
C:\Users\William\AppData\LocalLow\Adobe\DECRYPT_INSTRUCTION.HTML    Win32/Filecoder.CR trojan
C:\Users\William\AppData\LocalLow\Adobe\DECRYPT_INSTRUCTION.TXT    Win32/Filecoder.CR trojan
C:\Users\William\AppData\LocalLow\Adobe\Acrobat\DECRYPT_INSTRUCTION.HTML    Win32/Filecoder.CR trojan
C:\Users\William\AppData\LocalLow\Adobe\Acrobat\DECRYPT_INSTRUCTION.TXT    Win32/Filecoder.CR trojan
C:\Users\William\AppData\LocalLow\Adobe\Acrobat\11.0\DECRYPT_INSTRUCTION.HTML    Win32/Filecoder.CR trojan
C:\Users\William\AppData\LocalLow\Adobe\Acrobat\11.0\DECRYPT_INSTRUCTION.TXT    Win32/Filecoder.CR trojan
C:\Users\William\AppData\LocalLow\Adobe\Acrobat\11.0\Search\DECRYPT_INSTRUCTION.HTML    Win32/Filecoder.CR trojan
C:\Users\William\AppData\LocalLow\Adobe\Acrobat\11.0\Search\DECRYPT_INSTRUCTION.TXT    Win32/Filecoder.CR trojan
C:\Users\William\AppData\LocalLow\Microsoft\DECRYPT_INSTRUCTION.HTML    Win32/Filecoder.CR trojan
C:\Users\William\AppData\LocalLow\Microsoft\DECRYPT_INSTRUCTION.TXT    Win32/Filecoder.CR trojan
C:\Users\William\AppData\LocalLow\Microsoft\Silverlight\DECRYPT_INSTRUCTION.HTML    Win32/Filecoder.CR trojan
C:\Users\William\AppData\LocalLow\Microsoft\Silverlight\DECRYPT_INSTRUCTION.TXT    Win32/Filecoder.CR trojan
C:\Users\William\AppData\LocalLow\Microsoft\Silverlight\is\DECRYPT_INSTRUCTION.HTML    Win32/Filecoder.CR trojan
C:\Users\William\AppData\LocalLow\Microsoft\Silverlight\is\DECRYPT_INSTRUCTION.TXT    Win32/Filecoder.CR trojan
C:\Users\William\AppData\LocalLow\Microsoft\Silverlight\is\jcft1z4a.mg1\DECRYPT_INSTRUCTION.HTML    Win32/Filecoder.CR trojan
C:\Users\William\AppData\LocalLow\Microsoft\Silverlight\is\jcft1z4a.mg1\DECRYPT_INSTRUCTION.TXT    Win32/Filecoder.CR trojan
C:\Users\William\AppData\LocalLow\Microsoft\Silverlight\is\jcft1z4a.mg1\y2xcdidv.dkv\DECRYPT_INSTRUCTION.HTML    Win32/Filecoder.CR trojan
C:\Users\William\AppData\LocalLow\Microsoft\Silverlight\is\jcft1z4a.mg1\y2xcdidv.dkv\DECRYPT_INSTRUCTION.TXT    Win32/Filecoder.CR trojan
C:\Users\William\AppData\LocalLow\Microsoft\Silverlight\is\jcft1z4a.mg1\y2xcdidv.dkv\1\DECRYPT_INSTRUCTION.HTML    Win32/Filecoder.CR trojan
C:\Users\William\AppData\LocalLow\Microsoft\Silverlight\is\jcft1z4a.mg1\y2xcdidv.dkv\1\DECRYPT_INSTRUCTION.TXT    Win32/Filecoder.CR trojan
C:\Users\William\AppData\LocalLow\Microsoft\Silverlight\is\jcft1z4a.mg1\y2xcdidv.dkv\1\s\DECRYPT_INSTRUCTION.HTML    Win32/Filecoder.CR trojan
C:\Users\William\AppData\LocalLow\Microsoft\Silverlight\is\jcft1z4a.mg1\y2xcdidv.dkv\1\s\DECRYPT_INSTRUCTION.TXT    Win32/Filecoder.CR trojan
C:\Users\William\AppData\LocalLow\Microsoft\Silverlight\is\jcft1z4a.mg1\y2xcdidv.dkv\1\s\by2gtp4dbmfqlwslrjukvw04opnfpojwz45isskqs1i2sv3b35aaacfa\DECRYPT_INSTRUCTION.HTML    Win32/Filecoder.CR trojan
C:\Users\William\AppData\LocalLow\Microsoft\Silverlight\is\jcft1z4a.mg1\y2xcdidv.dkv\1\s\by2gtp4dbmfqlwslrjukvw04opnfpojwz45isskqs1i2sv3b35aaacfa\DECRYPT_INSTRUCTION.TXT    Win32/Filecoder.CR trojan
C:\Users\William\AppData\LocalLow\Microsoft\Silverlight\is\jcft1z4a.mg1\y2xcdidv.dkv\1\s\by2gtp4dbmfqlwslrjukvw04opnfpojwz45isskqs1i2sv3b35aaacfa\f\DECRYPT_INSTRUCTION.HTML    Win32/Filecoder.CR trojan
C:\Users\William\AppData\LocalLow\Microsoft\Silverlight\is\jcft1z4a.mg1\y2xcdidv.dkv\1\s\by2gtp4dbmfqlwslrjukvw04opnfpojwz45isskqs1i2sv3b35aaacfa\f\DECRYPT_INSTRUCTION.TXT    Win32/Filecoder.CR trojan
C:\Users\William\AppData\LocalLow\Microsoft\Silverlight\is\jcft1z4a.mg1\y2xcdidv.dkv\1\s\jdjxtasls1w0uzn0kklqwdgrxrchceye2tvbgumndotxdqvgojaaadfa\DECRYPT_INSTRUCTION.HTML    Win32/Filecoder.CR trojan
C:\Users\William\AppData\LocalLow\Microsoft\Silverlight\is\jcft1z4a.mg1\y2xcdidv.dkv\1\s\jdjxtasls1w0uzn0kklqwdgrxrchceye2tvbgumndotxdqvgojaaadfa\DECRYPT_INSTRUCTION.TXT    Win32/Filecoder.CR trojan
C:\Users\William\AppData\LocalLow\Microsoft\Silverlight\is\jcft1z4a.mg1\y2xcdidv.dkv\1\s\jdjxtasls1w0uzn0kklqwdgrxrchceye2tvbgumndotxdqvgojaaadfa\f\DECRYPT_INSTRUCTION.HTML    Win32/Filecoder.CR trojan
C:\Users\William\AppData\LocalLow\Microsoft\Silverlight\is\jcft1z4a.mg1\y2xcdidv.dkv\1\s\jdjxtasls1w0uzn0kklqwdgrxrchceye2tvbgumndotxdqvgojaaadfa\f\DECRYPT_INSTRUCTION.TXT    Win32/Filecoder.CR trojan
C:\Users\William\AppData\LocalLow\Microsoft\Silverlight\is\jcft1z4a.mg1\y2xcdidv.dkv\1\s\psld1rq2evnjg2ki2ziatkouhebg2l4klzm3vvurqxwtu41pinaaahda\DECRYPT_INSTRUCTION.HTML    Win32/Filecoder.CR trojan
C:\Users\William\AppData\LocalLow\Microsoft\Silverlight\is\jcft1z4a.mg1\y2xcdidv.dkv\1\s\psld1rq2evnjg2ki2ziatkouhebg2l4klzm3vvurqxwtu41pinaaahda\DECRYPT_INSTRUCTION.TXT    Win32/Filecoder.CR trojan
C:\Users\William\AppData\LocalLow\Microsoft\Silverlight\is\jcft1z4a.mg1\y2xcdidv.dkv\1\s\psld1rq2evnjg2ki2ziatkouhebg2l4klzm3vvurqxwtu41pinaaahda\f\DECRYPT_INSTRUCTION.HTML    Win32/Filecoder.CR trojan
C:\Users\William\AppData\LocalLow\Microsoft\Silverlight\is\jcft1z4a.mg1\y2xcdidv.dkv\1\s\psld1rq2evnjg2ki2ziatkouhebg2l4klzm3vvurqxwtu41pinaaahda\f\DECRYPT_INSTRUCTION.TXT    Win32/Filecoder.CR trojan
C:\Users\William\AppData\LocalLow\Sun\DECRYPT_INSTRUCTION.HTML    Win32/Filecoder.CR trojan
C:\Users\William\AppData\LocalLow\Sun\DECRYPT_INSTRUCTION.TXT    Win32/Filecoder.CR trojan
C:\Users\William\AppData\LocalLow\Sun\Java\DECRYPT_INSTRUCTION.HTML    Win32/Filecoder.CR trojan
C:\Users\William\AppData\LocalLow\Sun\Java\DECRYPT_INSTRUCTION.TXT    Win32/Filecoder.CR trojan
C:\Users\William\AppData\LocalLow\Sun\Java\Deployment\DECRYPT_INSTRUCTION.HTML    Win32/Filecoder.CR trojan
C:\Users\William\AppData\LocalLow\Sun\Java\Deployment\DECRYPT_INSTRUCTION.TXT    Win32/Filecoder.CR trojan
C:\Users\William\AppData\LocalLow\Sun\Java\Deployment\SystemCache\DECRYPT_INSTRUCTION.HTML    Win32/Filecoder.CR trojan
C:\Users\William\AppData\LocalLow\Sun\Java\Deployment\SystemCache\DECRYPT_INSTRUCTION.TXT    Win32/Filecoder.CR trojan
C:\Users\William\AppData\LocalLow\Sun\Java\Deployment\SystemCache\6.0\DECRYPT_INSTRUCTION.HTML    Win32/Filecoder.CR trojan
C:\Users\William\AppData\LocalLow\Sun\Java\Deployment\SystemCache\6.0\DECRYPT_INSTRUCTION.TXT    Win32/Filecoder.CR trojan
C:\Users\William\AppData\LocalLow\Sun\Java\Deployment\SystemCache\6.0\32\DECRYPT_INSTRUCTION.HTML    Win32/Filecoder.CR trojan
C:\Users\William\AppData\LocalLow\Sun\Java\Deployment\SystemCache\6.0\32\DECRYPT_INSTRUCTION.TXT    Win32/Filecoder.CR trojan
C:\Users\William\Documents\bitcoin-0.8.5-win32-setup.exe    a variant of Win32/BitCoinMiner.BJ potentially unsafe application
C:\Users\William\Documents\SC2K.rar    a variant of Win32/MiniUPnP.C potentially unsafe application
 



#28 Naathim

Naathim

    Bleepin' Minion


  • Members
  • 435 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Poland
  • Local time:01:00 AM

Posted 15 October 2014 - 03:01 PM

Some detections here are most interesting.

 

Please download and run this tool. 

http://www.bleepstatic.com/fhost/uploads/3/idtool.zip

 

It's a fresh one; I'm sorry that I don't have fresh instructions prepared.


Radek Naathim Pawelczyk

Malware Removal Specialist

 



#29 GrayAnderson

GrayAnderson
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Local time:08:00 PM

Posted 15 October 2014 - 04:27 PM

Downloaded the new program.  It's giving me nothing and...well, doing nothing.  When I hit "Rescan Computer and Generate New Report" it just spits back "Rescan Complete", and there's no indication of anything else of use on there.

 

Edit: Also, should I delete anything that the last program found?


Edited by GrayAnderson, 15 October 2014 - 04:28 PM.


#30 Naathim

Naathim

    Bleepin' Minion


  • Members
  • 435 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Poland
  • Local time:01:00 AM

Posted 15 October 2014 - 05:22 PM

I will remove its findings manually. But please navigate to one of the DECRYPT_INSTRUCTION.TXT files listed in the ESET report and open it (paste here). I'd like to see what's there.


Radek Naathim Pawelczyk

Malware Removal Specialist

 





