http://prosharereactor.in/


This topic is locked. 20 replies to this topic.

#1 Marr123 (Members, 11 posts)

Posted 05 March 2015 - 12:34 PM

 

Hello,

 

Every time my computer boots up I get a message from ESET SMART SECURITY telling me "iconscachehelper.dll" is a variant of Win64/Sathurbot.A and it has been quarantined. I usually delete it from quarantine, but even if I don't, the message will show again on the next reboot.

Another problem (perhaps the same), I also get a frequent warning saying a connection to http://prosharereactor.in/ has been blocked.

 

Can you help me? Thanks!

 

I also saw another report on this and you asked to add these.

Attached Files




#2 nasdaq (Malware Response Team, 39,497 posts, Montreal, QC, Canada)

Posted 10 March 2015 - 10:29 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
 
start

CloseProcesses:

HKLM Group Policy restriction on software: C:\Program Files (x86)\Avira\AntiVir Desktop\avnotify.exe <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% <====== ATTENTION
HKLM Group Policy restriction on software: %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir% <====== ATTENTION
SearchScopes: HKLM -> {9BB47C17-9C68-4BB3-B188-DD9AF0FD2503} URL = http://www.default-search.net/search?sid=503&aid=112&itype=n&ver=13986&tm=537&src=ds&p={searchTerms}
SearchScopes: HKLM-x32 -> {9BB47C17-9C68-4BB3-B188-DD9AF0FD2503} URL = http://www.default-search.net/search?sid=503&aid=112&itype=n&ver=13986&tm=537&src=ds&p={searchTerms}
SearchScopes: HKU\S-1-5-21-2413165503-1814366453-1758440313-1000 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = http://www.google.com/search?q={sear
SearchScopes: HKU\S-1-5-21-2413165503-1814366453-1758440313-1000 -> {9BB47C17-9C68-4BB3-B188-DD9AF0FD2503} URL = http://www.default-search.net/search?sid=503&aid=112&itype=n&ver=13986&tm=537&src=ds&p={searchTerms}
FF DefaultSearchEngine: default-search.net
FF SearchEngineOrder.1: default-search.net
FF SelectedSearchEngine: default-search.net
FF Keyword.URL: hxxp://www.default-search.net/search?sid=503&aid=112&itype=n&ver=13986&tm=537&src=ds&p=
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @pandonetworks.com/PandoWebPlugin -> C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll No File
FF SearchPlugin: C:\Users\PK\AppData\Roaming\Mozilla\Firefox\Profiles\egcudghh.default\searchplugins\default-search.xml
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\default-search.xml
S3 BEService; C:\Program Files (x86)\Common Files\BattlEye\BEService.exe [X]
S2 DgivEcp; System32\Drivers\DgivEcp.Sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]

End
Save the file as fixlist.txt into the same folder as FRST.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

How is the computer running now?
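
An added, read-only audit script of my own (not nasdaq's instructions or part of FRST) that re-checks the three kinds of entries the fixlist above removes: the hijacked IE/shell search scopes, the software-restriction path rules, and services whose binaries are missing. It assumes the standard registry locations for IE SearchScopes and for Software Restriction Policy rules (Safer\CodeIdentifiers, which is where I take the "Group Policy restriction on software" lines to come from); the GUID and domain are copied from the fixlist.

```powershell
# Added example, not from the thread: read-only audit of what the FRST fixlist
# removes. Run in an elevated PowerShell console; nothing is changed.
$HijackGuid   = '{9BB47C17-9C68-4BB3-B188-DD9AF0FD2503}'   # from the fixlist
$HijackDomain = 'default-search.net'                         # from the fixlist

function Get-SuspiciousSearchScopes {
    # IE/shell search providers (FRST "SearchScopes:"): HKLM, HKLM-x32, user hive.
    $roots = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes',
             'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes'
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem $root | ForEach-Object {
            $url = (Get-ItemProperty $_.PSPath).URL
            if ($_.PSChildName -eq $HijackGuid -or $url -like "*$HijackDomain*") {
                [pscustomobject]@{ Key = $_.PSPath; URL = $url }
            }
        }
    }
}

function Get-SoftwareRestrictionPaths {
    # Assumed location of the "Group Policy restriction on software" path rules;
    # the fixlist shows rules aimed at the Avira notifier and two macro paths.
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    if (-not (Test-Path $base)) { return }
    Get-ChildItem $base -Recurse | Where-Object { $_.Property -contains 'ItemData' } |
        ForEach-Object {
            [pscustomobject]@{ Key = $_.PSPath; Path = (Get-ItemProperty $_.PSPath).ItemData }
        }
}

function Get-ServicesWithMissingBinary {
    # FRST marks a service whose file is gone with [X]. Normalise ImagePath (strip
    # \??\ and \SystemRoot\, quotes, arguments; resolve System32\... relative to
    # the Windows directory) and test for the file. Heuristic: review hits by hand.
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
      ForEach-Object {
        $img = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).ImagePath
        if (-not $img) { return }
        $exe = [Environment]::ExpandEnvironmentVariables($img) -replace '^(\\\?\?\\|\\SystemRoot\\)', ''
        if ($exe -match '^"?(.+?\.(exe|sys|dll))"?(\s.*)?$') { $exe = $Matches[1] }
        if ($exe -notmatch '^[A-Za-z]:\\') { $exe = Join-Path $env:SystemRoot $exe }
        if (-not (Test-Path -LiteralPath $exe)) {
            [pscustomobject]@{ Service = $_.PSChildName; ImagePath = $img }
        }
    }
}

Get-SuspiciousSearchScopes    | Format-Table -AutoSize
Get-SoftwareRestrictionPaths  | Format-Table -AutoSize
Get-ServicesWithMissingBinary | Format-Table -AutoSize
```

Firefox's default-search.net entries live in the profile's prefs and searchplugins folder rather than the registry, so they are not covered here.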

#3 Marr123 (Topic Starter, Members, 11 posts)

Posted 10 March 2015 - 11:49 AM

Yeah, I'll check for that error, but now I got a www.prosharereactor or something trojan virus error. How do I fix that? :(

Attached Files



#4 nasdaq (Malware Response Team, 39,497 posts, Montreal, QC, Canada)

Posted 10 March 2015 - 12:35 PM

Please run the AdwCleaner tool and when the scan is over select the clean button.

Post the log for my review.

===

If the problem persists reset the browsers that have been compromised.

Reset Chrome...
Open Google Chrome and click on the menu icon, which is located at the top right of Google Chrome.
 
Click "Settings" then "Show advanced settings" at the bottom of the screen.
 
Click "Reset browser settings" button.
 
Restart Chrome.
====

Firefox:
Reset Default Browsing settings:
https://support.mozilla.org/en-US/kb/reset-firefox-easily-fix-problems?utm_expid=65912487-41.djHNRQY0RhaLvvtvcd0BQA.2&utm_referrer=https%3A%2F%2Fwww.google.ca%2F
===

Reset Internet Explorer:
Menu > Tools > Internet Options > Advanced Tab.
Click the Reset button on the bottom of the pane.
Click the Apply button.
Close IE.

===

Download Security Check by screen317 from here
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
p.s.
If the SecurityCheck program fails to run for any reason, run it as an Administrator.

If the site is busy or not available use this mirror site:
http://www.bleepingcomputer.com/download/securitycheck/

How is the computer running now?

======

How is it now?

#5 Marr123 (Topic Starter, Members, 11 posts)

Posted 11 March 2015 - 01:18 AM

I'll see if it works soon because it only pops up sometimes.

Results of screen317's Security Check version 0.99.97
Windows 7 Service Pack 1 x64 (UAC is disabled!)
Internet Explorer 11
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
ESET NOD32 Antivirus 6.0
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Java 7 Update 55
Java version 32-bit out of Date!
Java 64-bit 8 Update 31
Adobe Flash Player 16.0.0.305
Adobe Reader XI
Mozilla Firefox 35.0.1 Firefox out of Date!
Google Chrome (40.0.2214.111)
Google Chrome (40.0.2214.115)
````````Process Check: objlist.exe by Laurent````````
ESET NOD32 Antivirus egui.exe
ESET NOD32 Antivirus ekrn.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 1%
````````````````````End of Log``````````````````````

Attached Files


Edited by nasdaq, 11 March 2015 - 08:35 AM.
log posted.


#6 nasdaq (Malware Response Team, 39,497 posts, Montreal, QC, Canada)

Posted 11 March 2015 - 08:38 AM

Using the Add/Remove Programs applet, delete this old version of Java 7 Update 55.
===

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===

#7 Marr123 (Topic Starter, Members, 11 posts)

Posted 13 March 2015 - 01:27 AM

Yeah, I think it's fixed, thank you! But I'll post again if the virus is back, because it sometimes comes and sometimes disappears.



#8 Marr123 (Topic Starter, Members, 11 posts)

Posted 13 March 2015 - 08:22 AM

Hello again! My problem with the prosharereactor link (trojan) is gone, but now I have another one which is C:\Program Data\Microsoft\Security\Securityhelper.dll I think... Any way to fix this?



#9 Marr123 (Topic Starter, Members, 11 posts)

Posted 13 March 2015 - 12:49 PM

Never mind, both trojans are still alive...



#10 nasdaq (Malware Response Team, 39,497 posts, Montreal, QC, Canada)

Posted 14 March 2015 - 07:20 AM

Hello again! My problem with the prosharereactor link (trojan) is gone, but now I have another one which is C:\Program Data\Microsoft\Security\Securityhelper.dll I think... Any way to fix this?


It must be removed. It's something new not in any of your logs.

--RogueKiller--
  • Download RogueKiller & SAVE it to your Desktop.
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator to start"
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • click on "delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller.
=======

Run the Farbar tool and submit a fresh FRST log for my review.

#11 Marr123 (Topic Starter, Members, 11 posts)

Posted 15 March 2015 - 02:37 AM

OK.

Attached Files



#12 nasdaq (Malware Response Team, 39,497 posts, Montreal, QC, Canada)

Posted 15 March 2015 - 07:58 AM

C:\Program Data\Microsoft\Security\Securityhelper.dll


Are you sure you have the correct PATH and filename?


Please run the Farbar Recovery Scan Tool. Enter Securityhelper.dll in the Search Box and hit the File Search button.
Post the content of the Search.txt in your next reply.

<<<>>>

Do another search in the Registry.

Please run the Farbar Recovery Scan Tool. Enter Securityhelper.dll in the Search Box.
Click the Search Registry button, post the content of the Search.txt file in your next reply.


Post the logs.

#13 Marr123 (Topic Starter, Members, 11 posts)

Posted 16 March 2015 - 08:19 AM

I tried it but the file was not found... It sometimes appears and it sometimes doesn't, but the weirdest thing is that it shows the wrong name ends of the files, because it displays files in an English directory while my computer is in a language other than English.

Attached Files



#14 nasdaq (Malware Response Team, 39,497 posts, Montreal, QC, Canada)

Posted 16 March 2015 - 12:46 PM

It sometimes appears and it sometimes doesn't, but the weirdest thing is that it shows the wrong name ends of the files, because it displays files in an English directory while my computer is in a language other than English.


Next time use the same Farbar tool to search the exact name. We may be able to identify the culprit.

#15 Marr123 (Topic Starter, Members, 11 posts)

Posted 17 March 2015 - 08:10 AM

I can't see it; I ran the Farbar tool 3 times already.