Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Dont know if I'm infected


  • Please log in to reply
20 replies to this topic

#1 devin2

devin2

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:06:28 AM

Posted 06 January 2015 - 03:11 PM

Hey guys and gals. I recently came across this website: 



WARNING: Go to this site at your own risk
hxxp://great-britain.ru/checker/key/?file0.6083815372548997=Linear%20Algebra%20with%20Applications%205th%20Edition%2​0|%20Otto%20Bretscher%20|%20digital%20library%20Bookfi

and it just showed an empty screen on my browser and now I don't know whether my laptop is infected or not. I scanned the URL on virustotal and the downloaded file analysis showed that there was a malicious file. I was using Google Chrome at the time and my OS is Windows 8. I would like to know if I have malware or not on my system. Thanks in advance.

Edited by Queen-Evie, 06 January 2015 - 06:19 PM.
disabled malicious link. Please do not post malicious links/possible malicious links.


BC AdBot (Login to Remove)

 


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,900 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:08:28 AM

Posted 06 January 2015 - 06:43 PM


Usually when a computer is infected with malware there most likely will be other obvious indications (signs of infection) that something is wrong. Is your computer exhibiting such signs?

Please download and use the following tools (in the order listed) which will search for and remove many potentially unwanted programs (PUPs), adware, toolbars, browser hijackers, extensions, add-ons and other junkware as well as related registry entries (values, keys) and remnants.

RKill created by Grinler (aka Lawrence Abrams), the site owner of BleepingComputer.
Malwarebytes Anti-Malware 2.0
AdwCleaner created by Xplode.
Junkware Removal Tool created by thisisu.

1. Double-click on RKill to launch the tool. A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully. A log file will be created and saved to the root directory, C:\RKill.log. Copy and paste the contents of RKill.log in your next reply.

Important: Do not reboot your computer until you complete the next step.

2. Install and perform a THREAT SCAN with Malwarebytes Anti-Malware 2.0.
Be sure to print out and follow these instructions. When done, please post the complete results of your Malwarebytes scan for review.

To retrieve the Malwarebytes Anti-Malware 2.0 scan log information (Method 1)
  • Open Malwarebytes Anti-Malware.
  • Click the History Tab at the top and select Application Logs.
  • Select (check) the box next to Scan Log. Choose the most current scan.
  • Click the View button.
  • Click Copy to Clipboard at the bottom...come back to this thread, click Add Reply, then right-click and choose Paste.
  • Alternatively, you can click Export and save the log as a .txt file on your Desktop or another location.
To retrieve the Malwarebytes Anti-Malware 2.0 scan log information (Method 2)
  • Open Malwarebytes Anti-Malware.
  • Click the Scan Tab at the top.
  • Click the View detailed log link on the right.
  • Click Copy to Clipboard at the bottom...come back to this thread, click Add Reply, then right-click and choose Paste.
  • Alternatively, you can click Export and save the log as a .txt file on your Desktop or another location.
-- Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.

2. Double-click on AdwCleaner.exe to run the tool.
Vista/Windows 7/8 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • After reviewing the log, click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.
-- Note: The contents of the AdwCleaner log file may be confusing. Unless you see a program name that you recognize and know should not be removed, don't worry about it. If you see an entry you want to keep, return to AdwCleaner before cleaning...all detected items will be listed (and checked) in each tab. Click on and uncheck any items you want to keep.


Close all open programs and shut down any protection/security software to avoid potential conflicts.

3. Double-click on JRT.exe to run the tool.
Vista/Windows 7/8 users right-click and select Run As Administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log file named JRT.txt will automatically open and be saved to your Desktop.
  • Copy and paste the contents of JRT.txt in your next reply.

.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 devin2

devin2
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:06:28 AM

Posted 06 January 2015 - 06:55 PM

Rkill log file

Rkill 2.6.8 by Lawrence Abrams (Grinler)
Copyright 2008-2015 BleepingComputer.com
More Information about Rkill can be found at this link:
 
Program started at: 01/06/2015 03:50:49 PM in x64 mode.
Windows Version: Windows 8 
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 * C:\Windows\SysWOW64\ACEngSvr.exe (PID: 5588) [WD-HEUR]
 
1 proccess terminated!
 
Checking Registry for malware related settings:
 
 * No issues found in the Registry.
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
 
Performing miscellaneous checks:
 
 * Windows Defender Disabled
 
   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001
 
Checking Windows Service Integrity: 
 
 * No issues found.
 
Searching for Missing Digital Signatures: 
 
 * No issues found.
 
Checking HOSTS File: 
 
 * No issues found.
 
Program finished at: 01/06/2015 03:52:00 PM

 

Execution time: 0 hours(s), 1 minute(s), and 10 seconds(s)
 
I think ACEngSvr.exe is a legit file because it's related to ASUS. I will run Malwarebytes right now.

Oh also I disabled windows defender because I have avast already.



#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,900 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:08:28 AM

Posted 06 January 2015 - 07:10 PM

Ok.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#5 devin2

devin2
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:06:28 AM

Posted 06 January 2015 - 07:16 PM

Malwarebytes Log

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 1/6/2015
Scan Time: 3:57:16 PM
Logfile: 
Administrator: Yes
 
Version: 2.00.4.1028
Malware Database: v2015.01.06.14
Rootkit Database: v2015.01.06.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled
 
OS: Windows 8
CPU: x64
File System: NTFS
User: devin
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 383069
Time Elapsed: 9 min, 9 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Warn
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 0
(No malicious items detected)
 
Physical Sectors: 0
(No malicious items detected)
 
 

 

(end)
 
Doing Adwcleaner next


#6 devin2

devin2
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:06:28 AM

Posted 06 January 2015 - 07:45 PM

adwcleaner log

# AdwCleaner v4.106 - Report created 06/01/2015 at 16:30:49
# Updated 21/12/2014 by Xplode
# Database : 2015-01-03.1 [Live]
# Operating System : Windows 8  (64 bits)
# Username : devin - DEVINLIU
# Running from : C:\Users\devin\Downloads\AdwCleaner.exe
# Option : Clean
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
File Deleted : C:\Users\devin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_static.olark.com_0.localstorage-journal
 
***** [ Scheduled Tasks ] *****
 
Task Deleted : Driver Booster Scan
Task Deleted : Driver Booster Update
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl
Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@qq.com/TXSSO
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{6517DD27-EA6F-4947-9DEA-F9C487BB1020}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{8FC1EE75-72B3-4A23-B987-2B1C4C8A611B}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{6517DD27-EA6F-4947-9DEA-F9C487BB1020}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{6CB9D494-2482-4277-9E45-22F36C471461}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BA0C978D-D909-49B6-AFE2-8BDE245DC7E6}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
Key Deleted : [x64] HKLM\SOFTWARE\Description
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v10.0.9200.17183
 
 
-\\ Google Chrome v39.0.2171.95
 
 
*************************
 
AdwCleaner[R0].txt - [2200 octets] - [06/01/2015 16:18:36]
AdwCleaner[S0].txt - [2143 octets] - [06/01/2015 16:30:49]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [2203 octets] ##########

 



#7 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,900 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:08:28 AM

Posted 06 January 2015 - 07:59 PM

Looking good.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#8 devin2

devin2
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:06:28 AM

Posted 06 January 2015 - 08:04 PM

JRT Log

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.4.1 (12.28.2014:1)
OS: Windows 8 x64
Ran by devin on Tue 01/06/2015 at 16:48:48.77
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
~~~ Services
 
 
 
~~~ Registry Values
 
 
 
~~~ Registry Keys
 
 
 
~~~ Files
 
 
 
~~~ Folders
 
Successfully deleted: [Folder] "C:\Users\devin\AppData\Roaming\tencent"
Successfully deleted: [Folder] "C:\Program Files (x86)\tencent"
 
 
 
~~~ Event Viewer Logs were cleared
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Tue 01/06/2015 at 16:54:24.43
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

 
This is the last scan. I ran all of these in normal mode and not in safe mode if that's ok.


#9 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,900 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:08:28 AM

Posted 06 January 2015 - 08:07 PM

Now try doing an online scan to see if it finds anything else that the other scans may have missed.

Please perform a scan with Eset Online Anti-virus Scanner.
If using Mozilla Firefox, you will be prompted to download and use the ESET Smart Installer. Just double-click on esetsmartinstaller_enu.exe to install.
Vista/Windows 7/8 users need to run Internet Explorer/Firefox as Administrator.
To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run As Administrator from the context menu.
 

  • Click the green esetOnline.png button.
  • Read the End User License Agreement and check the box:
  • Check esetAcceptTerms.png.
  • Click the esetStart.png button.
  • Accept any security warnings from your browser and allow the download/installation of any require files.
  • Under scan settings, check esetScanArchives.png and check Remove found threats
  • Click Advanced settings and select the following:
    • Enable detection of potentially unwanted applications
    • Enable detection of potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click the Start button.
  • ESET will install itself, download virus signature database updates, and begin scanning your computer.
  • The scan can take some time to complete...close all programs and do NOT use the computer while the scan is running.
    If given the option (when threats are found), choose "Quarantine" instead of delete.
  • When the scan completes, push esetListThreats.png
  • Push esetExport.png, and save the file to your desktop as ESETScan.txt.
  • Push the esetBack.png button, then Finish.
  • Copy and paste the contents of ESETScan.txt in your next reply. If no threats are found, there is no option to create a log.

If you have other antivirus, antispyware or anti-malware programs running on your computer, they may intercept the scan being performed by the ESET Online Scanner and hinder performance. You may wish to disable the real-time protection components of your other security software before running the ESET Online Scanner. Remember to turn them back on after you are finished.

ESET Online Scanner FAQs

-- Note: If you recognize any of the detections as legitimate programs, it's possible they are "false positives" and you can ignore them or get a second opinion if you're not sure. ESET's detection rate is high and can include legitimate files which it considers suspicious, a Risk Tool, Hacking Tool, Potentially Unwanted Program, a possible threat or even Malware (virus/trojan) when that is not always the case. Be careful what you choose to remove. If in doubt, ask before taking action.
 

 


.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#10 devin2

devin2
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:06:28 AM

Posted 06 January 2015 - 11:23 PM

there were no threats found by eset scanner.



#11 devin2

devin2
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:06:28 AM

Posted 06 January 2015 - 11:42 PM

I just found this file called setstretch.exe and setstretch.cmd. They look very suspicious. Are they legit?



#12 devin2

devin2
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:06:28 AM

Posted 06 January 2015 - 11:59 PM

I just found another suspicious file called postbuild.exe in my temp folder. I got a feeling these scans arent catching anything and theres something on my machine.



#13 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,900 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:08:28 AM

Posted 07 January 2015 - 05:43 AM

Anytime you come across a suspicious file for which you cannot find any information about, a file with a legitimate name but is not located where it is supposed to be or you want a second opinion, submit it to one of the online services that analyzes suspicious files:--In the "File to Scan" (Upload or Submit) box, browse to the location of the suspicious file(s) and submit (upload) it for scanning/analysis. If you get a message saying "File has already been analyzed", click Reanalyze or Scan again.

virustotal analysis of SetStretch.exe
virustotal analysis of SetStretch.cmd
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#14 devin2

devin2
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:06:28 AM

Posted 07 January 2015 - 01:03 PM

There seems to be a lot of people downvoting these files on virustotal. Is that a cause for concern?



#15 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,900 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:08:28 AM

Posted 07 January 2015 - 01:15 PM

Not necessarily...they could be new files many folks have not seen before.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users