
js kryptick js chromex. i am infected but not sure if i followed protocol


This topic is locked. 21 replies to this topic

#1 julz6769

Posted 09 March 2015 - 03:16 PM

Hi all, same time last year I had a PC problem, so this time when I could only start in safe mode I thought I'd follow the advice that I received back then. Well, in my desperation I've thrown a lot at it since the other day. Today I had the bright idea of trying ESET. So far it has found 6 threats, including: JS/Kryptik.ATB trojan, JS/Chromex.Agent.L trojan, Win32/Adware.MultiPlug.EK app. It's almost done scanning and from what I've googled those trojans can be bad. Did I totally screw up?




#2 noknojon

Posted 09 March 2015 - 04:45 PM

Hello julz6769
You seem to have taken reasonable steps, but we would prefer to see the basic logs from your programs .......

 

First -

Please download Rkill (courtesy of BleepingComputer.com) to your desktop.
There are 2 different versions. If one of them won't run then download and try to run the other one.
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.
rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/
 

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Windows Vista, 7 or 8 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

If normal mode still doesn't work, run the tool from safe mode.
When the scan is done Notepad will open with rKill log.
Post it in your next reply.
NOTE. rKill.txt log will also be present on your desktop.

- NOTES: Do NOT wrap your logs in "quote" or "code" brackets.
Do NOT use spoilers.
Do NOT edit your reply to post additional logs. Create new reply. We will not get any email notifications about edits so we won't know you posted something new.

 

 

Please complete the ESET Online Scan,

When the scan completes, click List Threats
Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
Now - Click the Back button.
Click the Finish button.

NOTE: Sometimes if ESET finds no infections it will not create a log.

 

Next, for our required information ......

Download Screen317 Security Check from Here or Here and save it to your Desktop.

  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt
  • Please Copy/Paste the contents of that document.

Note 1: If any security program requests permission to access the Internet, allow it to.
Note 2: If you receive an UNSUPPORTED OPERATING SYSTEM! ABORTED! message (or similar), restart the computer and Security Check should run.

 

 

NOTE: If you already have a current version installed, Please update it
Please download Malwarebytes Anti-Malware

  • Follow the simple directions to install the program to desktop
  • Right click and choose "Run as administrator" to open Malwarebytes Anti-Malware and from the Dashboard please Check for Updates by clicking the Update Now... link
  • Open up Malwarebytes > Settings > Detection and Protection > Enable Scan for rootkit and Under Non Malware Protection set both PUP and PUM to Treat detections as malware.
  • Click on the SCAN button and run a Threat Scan with Malwarebytes Anti-Malware by clicking the Scan Now>> button.
  • If you find malware and tick it to remove it, you may be asked to re-boot the computer to finish cleaning.
  • Once completed please click on the History > Application Logs and find your scan log and open it and then click on the "copy to clipboard" button and post back the results on your next reply.

 

Please include the 3 requested logs first, and a report on how your computer is running ..

 

Thank You -


Edited by noknojon, 09 March 2015 - 11:34 PM.


#3 julz6769 (Topic Starter)

Posted 09 March 2015 - 09:19 PM

Hi, and thank you. I thought I could fix it myself by retracing my path from the last problem. Big no-no, I see. Okay, here are the ESET results, and I will set to work on following your directions.

 

C:\AdwCleaner\Quarantine\C\Program Files (x86)\AskPartnerNetwork\Toolbar\APNSetup.exe.vir    a variant of Win32/Bundled.Toolbar.Ask.E potentially unsafe application    deleted - quarantined
C:\AdwCleaner\Quarantine\C\windows\System32\drivers\netfilter64.sys.vir    a variant of Win64/NetFilter.A potentially unsafe application    deleted - quarantined
C:\Qoobox\Quarantine\C\Users\julie\AppData\Local\Google\Chrome\User Data\Default\Extensions\anllaofeeadeggfpiaicgkioibfbjepe\230\content.js.vir    JS/Chromex.Agent.L trojan    cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Users\julie\AppData\Local\Google\Chrome\User Data\Default\Extensions\anllaofeeadeggfpiaicgkioibfbjepe\230\gLf.js.vir    JS/Kryptik.ATB trojan    cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Users\julie\AppData\Roaming\Mozilla\Firefox\Profiles\fe27d901.default\Extensions\staged\ebhyv@oey-.edu\content\bg.js.vir    Win32/Adware.MultiPlug.EK application    cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Users\julie\AppData\Roaming\Mozilla\Firefox\Profiles\fe27d901.default\Extensions\staged\z18zl22t@yisvfysts.edu\content\bg.js.vir    JS/Kryptik.ATB trojan    cleaned by deleting - quarantined
C:\Users\julie\AppData\Roaming\ContentExplorer\uninstall.exe    a variant of MSIL/Adware.iBryte.T application    cleaned by deleting - quarantined
C:\Users\julie\AppData\Roaming\IDM2\Setup.exe    Win32/Idmsq.A potentially unwanted application    deleted - quarantined
C:\Users\julie\Downloads\Adobe_Flash_Setup.exe    a variant of Win32/InstallCore.QB potentially unwanted application    deleted - quarantined
C:\Users\julie\Downloads\cbsidlm-cbsi188-Any_Video_Converter_Freeware-SEO-10661456.exe    a variant of Win32/CNETInstaller.B potentially unwanted application    deleted - quarantined
C:\Users\julie\Downloads\cbsidlm-cbsi188-SWF__FLV_Player-SEO-170532.exe    a variant of Win32/CNETInstaller.B potentially unwanted application    deleted - quarantined
C:\Users\julie\Downloads\ccsetup413.exe    Win32/Bundled.Toolbar.Google.D potentially unsafe application    deleted - quarantined
C:\Users\julie\Downloads\IDM2.exe    Win32/Idmsq.A potentially unwanted application    deleted - quarantined
C:\Users\julie\Downloads\LostPhotosSetup-IM-1.1.exe    Win32/InstallMonetizer.AF potentially unwanted application    deleted - quarantined
C:\Users\julie\Downloads\null.exe    a variant of Win32/Adware.iBryte.BQ application    cleaned by deleting - quarantined
C:\Users\julie\Downloads\streamtransport_setup.exe    Win32/Somoto.Q potentially unwanted application    deleted - quarantined
C:\Users\julie\Downloads\winzip18-lan_en.exe    a variant of Win32/InstallCore.PO potentially unwanted application    deleted - quarantined
 



#4 noknojon

Posted 09 March 2015 - 11:31 PM

Hello -

I see that you have used AdwCleaner and I think ComboFix in your attempts to remove your problems.

Files noted as "C:\Qoobox" are generally remains of the ComboFix program.

Please tell us if this is the situation, or am I reading files from the last time you had help here?

This is very important, and we need to know prior to starting other programs.

 

Thank You -
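As an added example (not code from the thread, from ESET or from BleepingComputer), here is a small Python triage script for export lines in the layout posted in #3. It acts on the point made in #4: hits inside ComboFix's C:\Qoobox\Quarantine and AdwCleaner's quarantine folder are copies that an earlier tool already disarmed, so they are separated from files on the live system, and each detection is bucketed by ESET's own wording (trojan, potentially unwanted/unsafe application, adware). The sample lines are a constructed subset of the posted log; the severity buckets and the two quarantine roots are my assumptions, not ESET's categories.

```python
import re
from collections import Counter

# Constructed sample input: four of the ESET export lines posted in the thread,
# in ESET's layout "<path>    <detection>    <action>" (fields separated by runs of spaces).
SAMPLE_ESET_LOG = r"""
C:\AdwCleaner\Quarantine\C\windows\System32\drivers\netfilter64.sys.vir    a variant of Win64/NetFilter.A potentially unsafe application    deleted - quarantined
C:\Qoobox\Quarantine\C\Users\julie\AppData\Local\Google\Chrome\User Data\Default\Extensions\anllaofeeadeggfpiaicgkioibfbjepe\230\gLf.js.vir    JS/Kryptik.ATB trojan    cleaned by deleting - quarantined
C:\Users\julie\AppData\Roaming\ContentExplorer\uninstall.exe    a variant of MSIL/Adware.iBryte.T application    cleaned by deleting - quarantined
C:\Users\julie\Downloads\ccsetup413.exe    Win32/Bundled.Toolbar.Google.D potentially unsafe application    deleted - quarantined
"""

# Quarantine folders of other cleanup tools (assumption: only the two roots named in the
# thread). A hit under one of these is a file the earlier tool already disarmed; the .vir
# suffix on those copies is the renaming that tool applied, so it is not an active infection.
QUARANTINE_ROOTS = {
    r"C:\Qoobox\Quarantine": "ComboFix",
    r"C:\AdwCleaner\Quarantine": "AdwCleaner",
}


def parse_eset_line(line):
    """Split one export line into path, detection name and action; None for non-matching lines."""
    parts = re.split(r"\s{2,}", line.strip())
    if len(parts) != 3:
        return None
    path, detection, action = parts
    return {"path": path, "detection": detection, "action": action}


def classify_severity(detection):
    """Bucket ESET's detection wording: trojans are malware, the rest are PUA/adware grades (my buckets)."""
    d = detection.lower()
    if "trojan" in d:
        return "malware"
    if "potentially unwanted" in d or "potentially unsafe" in d:
        return "pua"
    if "adware" in d:
        return "adware"
    return "other"


def classify_location(path):
    """'live' for a file on the running system, else the name of the tool whose quarantine holds it."""
    for root, tool in QUARANTINE_ROOTS.items():
        if path.lower().startswith(root.lower()):
            return f"quarantined by {tool}"
    return "live"


def triage(text):
    """Parse every export line and annotate it with severity and location."""
    records = []
    for line in text.splitlines():
        rec = parse_eset_line(line)
        if rec is None:
            continue
        rec["severity"] = classify_severity(rec["detection"])
        rec["location"] = classify_location(rec["path"])
        records.append(rec)
    return records


def live_malware(records):
    """The detections that matter for 'am I still infected': live files classed as malware."""
    return [r for r in records if r["location"] == "live" and r["severity"] == "malware"]


def summarize(records):
    """Count detections per (location, severity) pair."""
    return Counter((r["location"], r["severity"]) for r in records)


if __name__ == "__main__":
    recs = triage(SAMPLE_ESET_LOG)
    for (loc, sev), n in sorted(summarize(recs).items()):
        print(f"{n:2d}  {sev:8s} {loc}")
    print("live malware:", [r["path"] for r in live_malware(recs)])
```

On the posted log this yields no live file classed as malware: both trojan hits sit inside the ComboFix quarantine, and everything live is a bundled installer or adware component in Downloads or AppData, which matches the "small amount of the infection remaining" reading in #6 rather than an active trojan.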



#5 julz6769 (Topic Starter)

Posted 10 March 2015 - 08:04 AM

Hi, I may have. Honestly I cannot remember all the help programs I may have tried. Here is the Rkill log that you requested. Should I still download and try the Security Check and Malwarebytes downloads that you mentioned?

 

Rkill 2.7.0 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2015 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 03/09/2015 07:25:46 PM in x64 mode. (Safe Mode)
Windows Version: Windows 7 Home Premium Service Pack 1

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * No issues found.

Checking Windows Service Integrity:

 * COM+ Event System (EventSystem) is not Running.
   Startup Type set to: Automatic

 * Security Center (wscsvc) is not Running.
   Startup Type set to: Automatic (Delayed Start)

 * Windows Update (wuauserv) is not Running.
   Startup Type set to: Automatic (Delayed Start)

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * HOSTS file entries found:

  127.0.0.1       localhost

Program finished at: 03/09/2015 07:28:54 PM
Execution time: 0 hours(s), 3 minute(s), and 7 seconds(s)
 



#6 noknojon

Posted 10 March 2015 - 04:24 PM

OK -

Please continue, as there may be a small amount of the infection remaining.

 

Please report on any problems you currently have with your computer.

 

Thank You -



#7 julz6769 (Topic Starter)

Posted 10 March 2015 - 04:42 PM

Results of screen317's Security Check version 0.99.97  
 Windows 7 Service Pack 1 x64 (UAC is disabled!)  
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:``````````````
 Windows Security Center service is not running! This report may not be accurate!
 Windows Firewall Enabled!  
 WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
 Java™ 6 Update 20  
 Java 8 Update 31  
 Java version 32-bit out of Date!
  Java 64-bit 8 Update 31  
 Adobe Flash Player 16.0.0.305  
 Adobe Reader XI  
 Mozilla Firefox (36.0.1)
````````Process Check: objlist.exe by Laurent````````  
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:  
````````````````````End of Log``````````````````````
 



#8 noknojon

Posted 10 March 2015 - 08:33 PM

Go to Control Panel > Programs and features and delete Java™ 6 Update 20. It is very old and a good way for infections to enter.

You have no Antivirus listed there, is this correct ??

Please post a snapshot with Speccy for more system details -
How to Publish a snapshot with Speccy <<-- Full Directions Here (only Copy / Paste the link)

 

Thank You ...



#9 julz6769 (Topic Starter)

Posted 10 March 2015 - 10:47 PM

Okay, the Malwarebytes scan finished and I quarantined files. I tried to reboot into normal mode and it froze after a few minutes. I can locate the scan log but cannot get to any "export" option as I have to run in safe mode. I am working on that right now. I will delete the Java update that you mentioned.


Edited by julz6769, 10 March 2015 - 10:49 PM.


#10 noknojon

Posted 11 March 2015 - 12:44 AM

OK -

Re-run Malwarebytes Anti-Malware once you can get normal mode, and post a fresh log from that scan.

 

Please post a snapshot with Speccy for more system details, as above once you have Normal Mode (it will not fully run in Safe Mode)..

 

Keep us updated with your Safe Mode / Normal Mode situation as you proceed.

 

Thanks -



#11 julz6769 (Topic Starter)

Posted 11 March 2015 - 08:34 AM

Hi, got it to run in safe mode and was able to export the scan. Still barely responsive and it takes a long time for anything to load. Will follow your last directions. Thank you!

 

 

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 3/10/2015
Scan Time: 3:08:18 PM
Logfile: malware b scan.txt
Administrator: Yes

Version: 2.00.4.1028
Malware Database: v2015.03.10.06
Rootkit Database: v2015.02.25.01
License: Trial
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: julie

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 408716
Time Elapsed: 1 hr, 3 min, 12 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)
 



#12 julz6769 (Topic Starter)

Posted 11 March 2015 - 08:43 AM

http://speccy.piriform.com/results/DUfUqmEC4qGcwyOyZMYO8el



#13 julz6769 (Topic Starter)

Posted 11 March 2015 - 12:11 PM

Finally got Malwarebytes to run in normal mode, but after 2 hours it says it was unresponsive. All it did was furnish a protection log, but it did not produce any sort of scan log. It just froze. I am back in safe mode now to send this message. I do not know what to do now.



#14 julz6769 (Topic Starter)

Posted 11 March 2015 - 12:14 PM

This is the protection log from the Malwarebytes run that only partially ran this morning before freezing. I do not know if there is any useful information there for you.

 

Malwarebytes Anti-Malware
www.malwarebytes.org


Protection, 3/11/2015 6:24:04 AM, SYSTEM, JULIE-PC, Protection, Malware Protection, Starting,
Protection, 3/11/2015 6:24:05 AM, SYSTEM, JULIE-PC, Protection, Malware Protection, Started,
Protection, 3/11/2015 6:24:05 AM, SYSTEM, JULIE-PC, Protection, Malicious Website Protection, Starting,
Protection, 3/11/2015 6:25:24 AM, SYSTEM, JULIE-PC, Protection, Malicious Website Protection, Started,
Protection, 3/11/2015 6:50:37 AM, SYSTEM, JULIE-PC, Protection, Malware Protection, Starting,
Protection, 3/11/2015 6:50:37 AM, SYSTEM, JULIE-PC, Protection, Malware Protection, Started,
Protection, 3/11/2015 6:50:37 AM, SYSTEM, JULIE-PC, Protection, Malicious Website Protection, Starting,
Protection, 3/11/2015 6:54:14 AM, SYSTEM, JULIE-PC, Protection, Malicious Website Protection, Started,
Update, 3/11/2015 6:58:48 AM, SYSTEM, JULIE-PC, Manual, Malware Database, 2015.3.10.6, 2015.3.11.4,
Protection, 3/11/2015 6:58:48 AM, SYSTEM, JULIE-PC, Protection, Refresh, Starting,
Protection, 3/11/2015 6:58:48 AM, SYSTEM, JULIE-PC, Protection, Malicious Website Protection, Stopping,
Protection, 3/11/2015 6:58:48 AM, SYSTEM, JULIE-PC, Protection, Malicious Website Protection, Stopped,
Protection, 3/11/2015 6:58:55 AM, SYSTEM, JULIE-PC, Protection, Refresh, Success,
Protection, 3/11/2015 6:58:55 AM, SYSTEM, JULIE-PC, Protection, Malicious Website Protection, Starting,
Protection, 3/11/2015 6:58:56 AM, SYSTEM, JULIE-PC, Protection, Malicious Website Protection, Started,
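As an added example (not code from the thread or from Malwarebytes), a Python reader for the protection log posted above. It pairs each module's "Starting" with its "Started" to measure how long the module took to come up, and flags a "Starting" that follows an earlier "Started" with no "Stopping"/"Stopped" in between, which means the module went away without logging a shutdown. The event lines are the ones posted in #14, embedded as constructed sample input; the field positions and the timestamp format are assumptions read off those lines, not Malwarebytes documentation.

```python
from collections import Counter
from datetime import datetime

# Constructed sample: the protection-log lines posted in the thread. Malwarebytes Anti-Malware
# 2.x writes one comma-separated event per line with a trailing comma (observed, not documented).
SAMPLE_PROTECTION_LOG = """
Protection, 3/11/2015 6:24:04 AM, SYSTEM, JULIE-PC, Protection, Malware Protection, Starting,
Protection, 3/11/2015 6:24:05 AM, SYSTEM, JULIE-PC, Protection, Malware Protection, Started,
Protection, 3/11/2015 6:24:05 AM, SYSTEM, JULIE-PC, Protection, Malicious Website Protection, Starting,
Protection, 3/11/2015 6:25:24 AM, SYSTEM, JULIE-PC, Protection, Malicious Website Protection, Started,
Protection, 3/11/2015 6:50:37 AM, SYSTEM, JULIE-PC, Protection, Malware Protection, Starting,
Protection, 3/11/2015 6:50:37 AM, SYSTEM, JULIE-PC, Protection, Malware Protection, Started,
Protection, 3/11/2015 6:50:37 AM, SYSTEM, JULIE-PC, Protection, Malicious Website Protection, Starting,
Protection, 3/11/2015 6:54:14 AM, SYSTEM, JULIE-PC, Protection, Malicious Website Protection, Started,
Update, 3/11/2015 6:58:48 AM, SYSTEM, JULIE-PC, Manual, Malware Database, 2015.3.10.6, 2015.3.11.4,
Protection, 3/11/2015 6:58:48 AM, SYSTEM, JULIE-PC, Protection, Refresh, Starting,
Protection, 3/11/2015 6:58:48 AM, SYSTEM, JULIE-PC, Protection, Malicious Website Protection, Stopping,
Protection, 3/11/2015 6:58:48 AM, SYSTEM, JULIE-PC, Protection, Malicious Website Protection, Stopped,
Protection, 3/11/2015 6:58:55 AM, SYSTEM, JULIE-PC, Protection, Refresh, Success,
Protection, 3/11/2015 6:58:55 AM, SYSTEM, JULIE-PC, Protection, Malicious Website Protection, Starting,
Protection, 3/11/2015 6:58:56 AM, SYSTEM, JULIE-PC, Protection, Malicious Website Protection, Started,
"""

# Assumed layout: kind, timestamp, user, host, source, then kind-specific fields.
TIMESTAMP_FORMAT = "%m/%d/%Y %I:%M:%S %p"


def parse_event(line):
    """Split one event line into its fields; None for blank or malformed lines."""
    line = line.strip().rstrip(",")
    if not line:
        return None
    fields = [f.strip() for f in line.split(",")]
    if len(fields) < 5:
        return None
    try:
        when = datetime.strptime(fields[1], TIMESTAMP_FORMAT)
    except ValueError:
        return None
    return {"kind": fields[0], "time": when, "source": fields[4], "fields": fields[5:]}


def parse_log(text):
    return [e for e in (parse_event(l) for l in text.splitlines()) if e is not None]


def _module_events(events):
    """Yield (component, state, time) for Protection events of the form '<component>, <state>'."""
    for e in events:
        if e["kind"] == "Protection" and len(e["fields"]) == 2:
            yield e["fields"][0], e["fields"][1], e["time"]


def startup_latencies(events):
    """(component, time Started, seconds since its Starting) for every completed start."""
    pending, out = {}, []
    for component, state, when in _module_events(events):
        if state == "Starting":
            pending[component] = when
        elif state == "Started" and component in pending:
            delta = (when - pending.pop(component)).total_seconds()
            out.append((component, when.strftime("%H:%M:%S"), int(delta)))
    return out


def unexplained_restarts(events):
    """Count 'Starting' events per component that follow a 'Started' with no 'Stopped' in between."""
    seen_started, stopped_since, restarts = set(), set(), Counter()
    for component, state, _ in _module_events(events):
        if state == "Stopped":
            stopped_since.add(component)
        elif state == "Starting":
            if component in seen_started and component not in stopped_since:
                restarts[component] += 1
            stopped_since.discard(component)
        elif state == "Started":
            seen_started.add(component)
    return restarts


def database_updates(events):
    """(old version, new version) pairs from Update events."""
    return [(e["fields"][1], e["fields"][2])
            for e in events if e["kind"] == "Update" and len(e["fields"]) == 3]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_PROTECTION_LOG)
    for component, at, secs in startup_latencies(evs):
        print(f"{at}  {component:30s} took {secs:4d}s to start")
    print("restarts without a logged stop:", dict(unexplained_restarts(evs)))
    print("database updates:", database_updates(evs))
```

Run on the posted lines, both modules show one restart at 6:50 with no shutdown logged before it, and Malicious Website Protection took 79 s and then 217 s to come up, versus 1 s after the clean stop/start around the database refresh. That pattern is consistent with the program being killed or the machine hanging between 6:25 and 6:50, and with the "unresponsive" report in #13, though the log alone cannot say which.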
 



#15 noknojon

Posted 11 March 2015 - 04:45 PM

Antivirus: Disabled << This concerns me (from your Speccy) and also Security Check.
Is there any reason why you do not have any active Antivirus, especially since you have had earlier problems ??
 
Post #11 gave a reasonable reading from Malwarebytes, so leave it there if it causes problems at the moment.
 
 
Please download Temp File Cleaner by Old Timer
Usage Instructions:
1. Download TFC from the download link above and save the file on your desktop.
2. Close ALL running applications, as TFC will terminate them before attempting to clean up the temporary files.
3. Double-click on the TFC icon.
4. When the program opens, click on the Start button. TFC will terminate the Explorer process and all running applications and then begin the process of cleaning out all of your temp folders.
5. When done, press OK > Exit, and reboot your computer to finish the cleanup.
Note: After removing temp files, the computer may seem slower than usual, but it will improve once the cache is rebuilt.
 
 
 
Download TDSSKiller in ZIP form and save it to your desktop.
  • Extract (unzip) its contents to your desktop.
  • Open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here (it will seem to be long).
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of TDSSKiller_xxxx_log.txt (date). Please copy and paste the contents of that file here.
 
Thank You ..

 





