
Mom's persistent scareware, what do I take?


22 replies to this topic

#1 StarKiller

Posted 10 November 2014 - 07:06 PM

I have a little knowledge but with large gaps.
 
64 bit Win7 Home Premium sp 1, automatic updates enabled. My mom has a scareware malware of some kind.  It is throwing up a big popup in the middle of her screen saying the program is infected.  It happened when she was checking her Windstream webmail using IE on her limited account.  
 
She ran SAS and mbam from her admin account but it still happened so she called me.  I talked her through booting to safe mode with networking and had her update and run both MSE and then ESET online scanner.   She said MSE quarantined something, a whole list of the same thing, as soon as she'd delete them more would show up so she gave up.  When she ran ESET, it removed a couple of things, something like Win32xxxx.  I wasn't able to get the exact names of them or the exact wording of the popup.  She also re-updated and reran SAS and mbam, then rebooted to normal mode.  (All of those are the free versions)
 
The popup happened again as soon as she went back to her limited account to check her email.  She shut the computer down and hasn't started it again.  She didn't mention it until today, when she was in town, even though I told her to call me back if it came back.  
 
I'm going up there Thursday to see what I can do.  I don't have a laptop so I'll have to take everything I need with me.  I've downloaded a renamed version of Rkill and tdsskiller to put on a thumb drive; should I run those from safe mode?  What else should I try?  If I will need to post a combofix log, I'll need to run it while I'm there.
 
I was thinking I might burn a Win7 Home .iso on a CD to take, so I can reinstall jic, but if it's in the MBR will that help?  
 
I'm not really very experienced with Linux.
I have a 32 bit Mint live CD I had tried out on an older computer that I can take. Is there anything I can do from that, that might help?  Should I download the Linux versions of anything to take with me?
I can also burn a 64 bit Ubuntu 14.04 LTS .iso; I already have it downloaded to install on Virtualbox, but I didn't need to burn it for that.
 
Any advice, instruction links, etc. appreciated
 



#2 Condobloke


Posted 10 November 2014 - 07:14 PM

What is the name of the scareware/malware?

 

Ask mum to turn the PC back on again and write down exactly what is said on the screen.


Condobloke ...Outback Australian  

 

fed up with Windows antics...??....LINUX IS THE ANSWER....I USE LINUX MINT 18.3  EXCLUSIVELY.

 

Microsoft gives you Windows, Linux gives you the whole house...

It has been said that time heals all wounds. I don't agree. The wounds remain. Time - the mind, protecting its sanity - covers them with some scar tissue and the pain lessens, but it is never gone. Rose Kennedy

#3 StarKiller


Posted 10 November 2014 - 09:26 PM

How do I find the NAME of the scareware?

Are we looking for the wording on the popup?
The name of what ESET said it removed?



#4 Condobloke


Posted 10 November 2014 - 09:36 PM

Wording on the popup would be good.

 

Whatever ESET removed may be helpful, but is not crucial at all.



#5 StarKiller


Posted 10 November 2014 - 09:56 PM

MSE says:

 

TrojanClicker:JS/Chroject.A

 

apparently lines and lines of it.

 

She said the popup didn't come this time

She's running ESET again and will call me back



#6 Condobloke


Posted 10 November 2014 - 10:08 PM

run these....IN THE ORDER LISTED.

 

 

Please download and run RKill by Grinler.
 A black DOS box will appear for a short time and then disappear.
 This is normal and indicates the tool ran successfully.
 At most the tool will usually run for about 2 minutes.
 Please Copy / Paste the small log back here.

    RKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
    iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/


Important: Do not reboot your computer until you complete the next step.

 

Download MalwareBytes Anti-Malware to your desktop.

NOTE: If you already have MBAM 2.0 installed, scroll down to the paragraph written in red.


Otherwise....follow these instructions Please...

    Double-click mbam-setup-2.0.0.1000.exe and follow the prompts to install the program.
    At the end, be sure a checkmark is placed next to the following:
        Launch Malwarebytes Anti-Malware
        A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
    Click Finish.
    On the Dashboard, click the 'Update Now >>' link....IMPORTANT !!
    After the update completes, click the 'Scan Now >>' button.
    (Or, alternatively, on the Dashboard, click the Scan Now >> button. If an update is available, click the Update Now button.)
    A Threat Scan will begin.
    When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
    (In most cases, a restart will be required.)
    Wait for the prompt to restart the computer to appear, then click on Yes.




If you already have MBAM 2.0 installed:

    On the Dashboard, click the 'Update Now >>' link.
    After the update completes, click the 'Scan Now >>' button.
    (Or, alternatively, on the Dashboard, click the Scan Now >> button. If an update is available, click the Update Now button.)
    A Threat Scan will begin.
    When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
    (In most cases, a restart will be required.)
    Wait for the prompt to restart the computer to appear, then click Yes.




How To Find Your Logs ...
(Export log to save as txt)

    After the restart, and you are back on your desktop, open MBAM once more.
    Click on the History tab > Application Logs.
    Double click on the Scan Log which shows the Date and time of the scan just performed.
    Click 'Export'.
    Click 'Text file (*.txt)'.
    In the Save File dialog box which appears, click on Desktop.
    In the File name box type a name for your scan log.
    A message box named 'File Saved' should appear stating "Your file has been successfully exported".
    Click Ok.
    Copy and Paste that saved log to your next reply, for me to review.




(Copy to clipboard for pasting into forum replies)

    After the restart and you are back on your desktop, open MBAM once more.
    Click on the History tab > Application Logs.
    Double click on the scan log which shows the Date and time of the scan just performed.
    Click 'Copy to Clipboard'.
    Paste the contents of the clipboard into your reply, for my review.


Remove TrojanClicker:JS/Chroject.A infection with HitmanPro

HitmanPro is a second opinion scanner, designed to rescue your computer from malware (viruses, trojans, rootkits, etc.) that have infected your computer despite all the security measures you have taken (such as anti-virus software, firewalls, etc.). HitmanPro is designed to work alongside existing security programs without any conflicts. It scans the computer quickly (less than 5 minutes) and does not slow down the computer.

  1. You can download HitmanPro from the below link:
     HITMANPRO DOWNLOAD LINK (This link will open a new web page from where you can download HitmanPro)
  2. Double-click on the file named “HitmanPro.exe” (for 32-bit versions of Windows) or “HitmanPro_x64.exe” (for 64-bit versions of Windows). When the program starts you will be presented with the start screen. Click on the “Next” button, to install HitmanPro on your computer.
  3. HitmanPro will now begin to scan your computer for TrojanClicker:JS/Chroject.A malicious files.
  4. When it has finished it will display a list of all the malware that the program found. Click on the “Next” button, to remove TrojanClicker:JS/Chroject.A virus.
  5. Click on the “Activate free license” button to begin the free 30 days trial, and remove all the malicious files from your computer.


#7 Condobloke


Posted 10 November 2014 - 10:13 PM

You can run rkill in safe mode if you have trouble running in ordinary mode.

 

Hopefully that will clean it up....if it Still persists........then a visit to the Malware Removal Area HERE  will be in order.



#8 StarKiller


Posted 11 November 2014 - 01:26 AM

Thank you for your helpful responses and your time.

 

MSE quarantined a lot of TrojanClicker:JS/Chroject.A but it was the only thing that found them.  She couldn't get it to remove them. Should I try to remove them, first?  It's supposed to remove them automatically in 30 days.  I may change the default on that to just remove the really bad stuff instead of quarantine it.  It's freaking her out.

 

OK, I have on a thumb drive: rkill (the one that's named iExplore.exe) & HitmanPro_x64.exe

(she already has mbam)

1. install and run rkill and save the log
2. update and run mbam and, if it detects something this time, let it clean it, reboot and save the log
3. install and run HitmanPro; if it finds something, activate the free trial to remove it
4. post the rkill & mbam logs here

 

anything else?


Edited by StarKiller, 11 November 2014 - 01:26 AM.


#9 Condobloke


Posted 11 November 2014 - 02:09 PM

Yes...that will be fine.

 

I am reasonably certain the trojan is only a PUP..

 

TrojanClicker:JS/Chroject.A got on your computer after you installed freeware (video recording/streaming, download managers or PDF creators) that had this browser hijacker bundled into its installation. This Potentially Unwanted Program is also bundled within the custom installer on many download sites (examples: CNET, Brothersoft or Softonic), so if you have downloaded software from these websites, chances are that TrojanClicker:JS/Chroject.A was installed during the software setup process.

 

If it becomes necessary to take this further, the people in MRL will advise you regarding Combofix.

 

Please do not run it without supervision from the Experts in that area...I am not trained in its use, and would hate to see your mum's PC turned into a doorstop.

 

 



#10 StarKiller


Posted 11 November 2014 - 05:59 PM

Thank you

 

I am 100% sure, she did not download something on purpose.  She uses her admin account to run the malware scans.  If she wants something updated that isn't automatic or she wants a program installed, she has me do it.  

 

She usually has a couple of questions written down about how to do something with one of her programs, like one time she accidentally lost the menu bar for IE.  The last time I was there, I checked everything for updates and ran malware scanners from safe mode in her admin account. She asked me to save all her available bank statements as .pdfs, as a backup to the ones she'd been printing out, as the bank was switching over to a new system and they would no longer be available.  I did that from her limited account.  That was at least a month ago.

 

She pretty much does email, word processing and a little shopping and light surfing.  She's also been using the Lumosity thing; it's on the web.  It's supposed to keep her from losing her faculties; she's 80.   She had me delete her Facebook almost 2 years ago; she never played the games on it, either.

 

She has opened spoofed email that looked like it was from people she knew but realized right away that it didn't smell right and either called the person to check or just deleted it, never clicking on the links or attachments.  She recognizes and deletes spam that gets through, unopened.  

 

I'm thinking it might have been some ad on a website with a malicious script in it, something that autoplayed, or she accidentally clicked on.  After she read me the exact thing that MSE was repeatedly quarantining, 'TrojanClicker:JS/Chroject.A', I googled it and found:

 

http://answers.microsoft.com/en-us/protect/forum/protect_other-protect_scanning/trojanclickerjschrojecta-constantly-detected-and/431dac13-b950-44b1-8061-6a41c8688fcb?page=1&tab=question&status=AllReplies

 

I didn't see any named program that seemed to work to get rid of it for good, for everyone.

 

Sounds like it's the same thing and started about the same time.  
 
This morning on her own, she ran MSE in safe mode, again.  It gave her more results in addition to the previous ones  
Trojan:Win32/powessere.alreg - removed
Exploit:HTML/Axpergle.J - quarantined
Exploit:HTML/Axpergle.G - quarantined twice
 
She had checked her email and the popup came again.  She wrote it down and described it the best she could (the screenshot instructions I gave her didn't take).  I will paste it in.
/quote
This is what I jotted down
 
Screen completely red.
 
A little white shield looking thing with a big red X in it.
To the right of this are the words:
 
Microsoft Security Essentials blocked content on this website
fen.chebroom.com
Hosted by webmail-classic. Windstream.net
Then a line across the red page and then
 
A little white shield looking thing with a big green check mark in it.
To the right of this are the words:
 
Go to my home page instead 
Microsoft Security Essentials Blocked this site because it might contain threats to my PC or your privacy.
/end quote
 
Her email website isn't the only place she has seen it.  I don't know if this is a legitimate MSE popup or a masquerade,  like I originally thought, as I have never been warned about a website in that manner by MSE.  It sounds like something is re-installing itself plus more things.   She checked her email from here, yesterday, and I don't have it. 
I told her to keep the computer off the internet as soon as she had sent me the email about the popup. 
 
I'll be up there Thursday afternoon to run those programs you listed and collect the logs.  In light of this additional information, is there anything you want to add?  It will be at least Saturday or Sunday, possibly Monday, before I can make another trip.


#11 Condobloke


Posted 11 November 2014 - 06:50 PM

Thank you for gathering that info.

 

My instincts tell me it is a masquerade.

 

If this topic goes to the MRL area , it will bring about a delay.....up to 5 days wait....they are horrendously busy at the moment.

 

Would it make life easier if you were to bring your mum's tower back to your home with you......and tackle the problem from there ?....just a suggestion.

 

 

I don't think this is the actual problem on mum's PC, but worth a look anyway.

 

http://www.bleepingcomputer.com/virus-removal/remove-fake-microsoft-security-essentials-alert

 

....and.....which browser does your mum use ?



#12 StarKiller


Posted 12 November 2014 - 01:25 AM

She uses IE, she has the automatic updates on so it's probably 11, I'll check that when I go.  I had put Firefox and Chrome on there to get her to try them, she didn't seem to like either very much.  The newer versions of IE are supposed to be more secure, I've read.  



#13 Condobloke


Posted 12 November 2014 - 01:43 AM

On the page linked to below....there is a "click on" Fixit from Microsoft.

 

This will reset proxy settings in IE. It is worth a try before running rkill etc etc

 

if it does make a difference...still proceed to run rkill etc etc etc

 

 

http://support.microsoft.com/kb/2289942

 



#14 StarKiller


Posted 12 November 2014 - 08:14 PM

I had extra time, so I went by and ran things today.

 

rkill

 

Rkill 2.6.8 by Lawrence Abrams (Grinler)
Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
 
Program started at: 11/12/2014 05:43:51 PM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 * No malware processes found to kill.
 
Checking Registry for malware related settings:
 
 * No issues found in the Registry.
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
 
Performing miscellaneous checks:
 
 * No issues found.
 
Checking Windows Service Integrity: 
 
 * No issues found.
 
Searching for Missing Digital Signatures: 
 
 * No issues found.
 
Checking HOSTS File: 
 
 * Cannot edit the HOSTS file.
 * Permissions Fixed. Administrators can now edit the HOSTS file.
 
 * HOSTS file entries found: 
 
 
  20 out of 15492 HOSTS entries shown.
  Please review HOSTS file for further entries.
 
Program finished at: 11/12/2014 05:45:43 PM
Execution time: 0 hours(s), 1 minute(s), and 52 seconds(s)
 
 
mbam
 
Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 11/12/2014
Scan Time: 5:51:16 PM
Logfile: mbam111214.txt
Administrator: Yes
 
Version: 2.00.3.1025
Malware Database: v2014.11.12.10
Rootkit Database: v2014.11.12.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
 
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Joyce
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 433144
Time Elapsed: 8 min, 0 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Warn
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 0
(No malicious items detected)
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)
 
HitmanPro found tracking cookies and an ask toolbar, which I left, for now.
 
 
So, I ran something else from  
 
 
that came up clean

 

So I updated MSE from the direct link http://go.microsoft.com/fwlink/?LinkID=121721&arch=x64

and left it running in safe mode. She called and said there were no new detected items.

 

What do you think?  Is it over or are there other things I should do to make sure?


Edited by StarKiller, 12 November 2014 - 09:08 PM.
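The RKill log above reports a HOSTS file it could not edit at first and 15492 entries, almost all pointing at 127.0.0.1. Below is an added triage helper (not code from this thread, from RKill, or from any tool named here) that separates blocking entries (names mapped to a loopback or unspecified address, which is what a blocklist-style HOSTS file looks like) from redirect entries (names mapped anywhere else), and flags redirects of security-vendor or update domains. The sample HOSTS text and the WATCHLIST of domains are constructed assumptions for the example.

```python
"""Triage a Windows HOSTS file after an RKill-style report (added example, not
code from this thread, RKill or any tool named here). Entries are classified as
'block' (mapped to a loopback/unspecified address, the blocklist idiom that
explains thousands of 127.0.0.1 lines) or 'redirect' (mapped anywhere else, so
traffic for that name is rerouted; for vendor/update domains this is a hijack)."""
import ipaddress
import sys
from collections import Counter

# Assumption for this example: domains whose redirection would be most suspicious.
WATCHLIST = ("microsoft.com", "windowsupdate.com", "malwarebytes.org",
             "bleepingcomputer.com", "eset.com")

# Constructed sample in the layout RKill printed; not the real file from the thread.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
0.0.0.0   ads.tracker.invalid
# hypothetical hijack lines (constructed; 203.0.113.0/24 is a documentation range)
203.0.113.7   update.microsoft.com
203.0.113.7   www.malwarebytes.org
"""

def parse_hosts(text):
    """Yield (address, hostname) pairs; comments and blank lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            yield addr, name.lower()

def is_block_address(addr):
    """True for loopback or unspecified addresses (127.0.0.1, ::1, 0.0.0.0)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified

def is_watched(name):
    """Exact or subdomain match against WATCHLIST (no 'notmicrosoft.com' hits)."""
    return any(name == d or name.endswith("." + d) for d in WATCHLIST)

def classify(text):
    """Return {'counts': {...}, 'redirects': [(addr, name, watched), ...]}."""
    counts, redirects = Counter(), []
    for addr, name in parse_hosts(text):
        if name == "localhost":
            counts["localhost"] += 1
        elif is_block_address(addr):
            counts["block"] += 1
        else:
            counts["redirect"] += 1
            redirects.append((addr, name, is_watched(name)))
    return {"counts": dict(counts), "redirects": redirects}

if __name__ == "__main__":
    # Pass a HOSTS file path to triage it; with no argument the sample is used.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8", errors="replace").read() if path else SAMPLE_HOSTS
    result = classify(text)
    print("entry counts:", result["counts"])
    for addr, name, watched in result["redirects"]:
        flag = "  [watchlist domain]" if watched else ""
        print(f"REDIRECT {name} -> {addr}{flag}")
```

A file that is mostly 'block' entries is consistent with a blocklist immunization; any 'redirect' line, and especially a watchlisted one, is the part worth reading by hand.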


#15 Condobloke


Posted 12 November 2014 - 08:21 PM

ok.....run the proxy resetter in post 13


and then:

 

TDSS
Download TDSSKiller and save it to your desktop.
* Extract (unzip) its contents to your desktop.
* Open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
* If an infected file is detected, the default action will be Cure; click on Continue.
* If a suspicious file is detected, the default action will be Skip; click on Continue.
* It may ask you to reboot the computer to complete the process. Click on Reboot Now.
* If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
* If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.





