Got hit with ?trackID (AKA ?trackID=006)


  • This topic is locked
25 replies to this topic

#1 CodingCat

CodingCat

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:05:12 PM

Posted 28 April 2015 - 02:59 PM

I've never encountered such a stubborn piece of malware and I'm not confident that I've successfully nuked it fully. I'd greatly appreciate any help as this is my only computer and where I do my programming most of the time.

 

In short, while browsing the internet (on Chrome), Avast lost its marbles and now I'm dealing with the aftermath. I've already done scans with Avast, Malwarebytes, AdwCleaner, and I've tried to find any rogue extensions or programs. None of these programs have found this malware and there were no unusual extensions or programs. I instead took it to my professor who majors in this sort of stuff and he could only find the registries for the malware; he told me to nuke them and said that theoretically I should be in the clear. Well, after setting up shop back home, the darn thing is still there and messing up my Google searches. So I'm hoping you guys can help. Thanks in advance. (PS: My stuff is backed up already.)

 

ETA: I can't attach FRST.txt as it's too big.


Edited by CodingCat, 28 April 2015 - 03:05 PM.




#2 deeprybka

deeprybka

  • Malware Response Team
  • 5,198 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Germany
  • Local time:12:12 AM

Posted 29 April 2015 - 05:48 AM

Hi & :welcome: to Bleeping Computer Forums!
My name is Jürgen and I will be assisting you with your Malware related problems. :warrior:

Before we move on, please read the following points carefully: :exclame:

  • My native language isn't English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.
  • Please read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or Add/ Remove Software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • If you have illegal/cracked software, cracks, keygens, etc. on the system, please remove or uninstall them now!
  • Post all Logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 5 days from this initial or any subsequent post, then this thread will be closed.
  • If I don't reply within 24 hours please PM me!
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.

Please paste the content of the FRST.txt here and post the link.


regards,
deeprybka
:busy:
Neminem laede, immo omnes, quantum potes, iuva. Arthur Schopenhauer
 

#3 CodingCat


Posted 29 April 2015 - 11:59 AM

I do apologize if I'm a little slow, Jurgen, but Pastebin has a limit on file size and even the website won't let me paste it in. (Same problem, the file is too big.) Would you like me to just copy and paste it in a separate comment?


Edited by CodingCat, 29 April 2015 - 12:00 PM.


#4 deeprybka


Posted 29 April 2015 - 12:42 PM

Hi there,

then....please use this site and upload the file. 5GB should be enough... :lol:


regards,
deeprybka

#5 CodingCat


Posted 29 April 2015 - 01:04 PM

That should be more than enough! I will also bookmark that site for future reference.

 

Here's the direct link: http://www.filedropper.com/frst_1

 

Do you want the embed code too? Or will the direct link be fine?



#6 deeprybka


Posted 29 April 2015 - 01:25 PM

Hi there,
it's fine thanks.
 
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.

Step 1

Please download ZOEK by Smeenk and save it to your desktop (preferred version is the *.exe one)

  • Right-click on the ZOEK icon and select Run as Administrator to start the tool.
  • Wait patiently until the main console appears; it may take a minute or two.
  • In the main box please paste in the following script:
    systemspecs;
    filesrcm;
    iedefaults;
    CHRdefaults;
    emptyclsid;
    autoclean;
    
  • Make sure that Scan All Users option is checked.
  • Push Run Script and wait patiently. The scan may take a couple of minutes.
  • When the scan completes, a zoek-results logfile should open in notepad.
  • If a reboot is needed, the logfile will be opened after it. You may also find it on your main drive (usually the C:\ drive)

Post its content into your next reply.


regards,
deeprybka

#7 CodingCat


Posted 29 April 2015 - 03:02 PM

It seems that I again have a sizing issue with my files. This might be due to the fact that my computer was recently in the repair shop after an update completely destroyed my device (more or less). I lost a lot of data from that and my computer has had to remake old files while I've added on to the burden by re-installing programs. In short, there is a lot of stuff going on as my computer gets back to normal. Since I can't seem to get it to post, would you like me to just post a direct link to it like I did with the FRST.txt file?


Edited by CodingCat, 29 April 2015 - 03:05 PM.


#8 deeprybka


Posted 29 April 2015 - 04:14 PM

 would you like me to just post a direct link to it like I did with the FRST.txt file?

 

Please try to attach the file here first, then pastebin, then filedropper. :)


regards,
deeprybka

#9 CodingCat


Posted 29 April 2015 - 04:33 PM

Too big for the uploader on this site but I *think* I got it to work on pastebin.

 

Link here: http://pastebin.com/raw.php?i=nrVkij7E

 

Line 4716 is around where I saw the familiar ?trackID stuff but you're more adept at this than me so I'm sure you'll be able to find more information.


Edited by CodingCat, 29 April 2015 - 04:39 PM.


#10 deeprybka


Posted 30 April 2015 - 10:35 AM

Hi there,

Step 1


Scan with Malwarebytes Anti-Malware.
  • Please open Malwarebytes Anti-Malware and update the database.
  • Click "Settings" [1] and go to "Detection and Protection" [2]
  • Make sure "Scan for Rootkits" is checked.
  • Click on Dashboard [3], then click on Scan Now [4] to start the scan.
    :exclame: If Malware or Potentially Unwanted Programs [PUPs] are found, you will receive a prompt: [image: m21p.png]
  • Click on "Remove Selected" [5].
  • Then click "Save Results" [6] and select [image: m21p4.png]
  • Return to our forum. Paste your log into your next reply and then click Finish [7].

Step 2

Please download ESET Online Scanner and save it to your Desktop.
  • Disable the realtime-protection of your antivirus and anti-malware programs because they might interfere with the scan.
  • Start the installer with administrator privileges.
  • Select the option Yes, I accept the Terms of Use and click on Start.
  • Choose the following settings: [image: settings.png]
  • Click on Start. The virus signature database will begin to download. This may take some time.
  • When completed the Online Scan will begin automatically.
    Note: This scan might take a long time! Please be patient.
  • When completed, click on Finish.
  • A log file is created at [image: logpath.png]
    Copy and paste the content of this log file in your next reply.

Note: Do not forget to re-enable your antivirus application after running the above scan!

regards,
deeprybka

#11 CodingCat


Posted 30 April 2015 - 05:25 PM

Neither program has detected anything. ESET didn't even give me a log in my file.



#12 deeprybka


Posted 01 May 2015 - 06:19 AM

Step 1

  • Start FRST with Administrator privileges.
  • Write the following text into the Search textbox:
log.txt
  • Click on the Search Files button.
  • When finished, a log file (Search.txt) pops up and is saved to the same location the tool was run from.
  • Please copy and paste its contents in your next reply.
Please post the MBAM log.

regards,
deeprybka

#13 CodingCat


Posted 01 May 2015 - 07:50 PM

This is MBAM from that day, I believe:

 
Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 4/30/2015
Scan Time: 11:22:53 AM
Logfile: MBAM.txt
Administrator: Yes
 
Version: 2.01.6.1022
Malware Database: v2015.04.30.05
Rootkit Database: v2015.04.21.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled
 
OS: Windows 8.1
CPU: x64
File System: NTFS
User: Rachel
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 404834
Time Elapsed: 33 min, 45 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 0
(No malicious items detected)
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)

Edited by CodingCat, 01 May 2015 - 07:50 PM.
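
An added example, not part of the original thread and not code from Malwarebytes: a small check a helper could run over a pasted log like the one above, to see whether a "nothing detected" result actually covers the scan options that were requested (here the rootkit scan). The function names and the `required` parameter are assumptions made for this illustration; the sample lines are copied from the posted log.

```python
import re

# Excerpt of the Malwarebytes log from the post above (lines copied, not invented).
SAMPLE_LOG = """\
Scan Type: Threat Scan
Result: Completed
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
Processes: 0
(No malicious items detected)
Registry Keys: 0
(No malicious items detected)
Files: 0
(No malicious items detected)
"""

SCAN_OPTIONS = ("Memory", "Startup", "Filesystem", "Archives",
                "Rootkits", "Heuristics", "PUP", "PUM")
DETECTION_SECTIONS = ("Processes", "Modules", "Registry Keys", "Registry Values",
                      "Registry Data", "Folders", "Files", "Physical Sectors")
KEY_VALUE = re.compile(r"^([A-Za-z][A-Za-z -]*?):\s*(.*)$")

def parse_mbam_log(text):
    """Return the 'Key: Value' lines of an MBAM 2.x text log as a dict."""
    fields = {}
    for raw in text.splitlines():
        match = KEY_VALUE.match(raw.replace("\xa0", " ").strip())
        if match:
            fields[match.group(1)] = match.group(2).strip()
    return fields

def review_scan(text, required=("Rootkits",)):
    """Count detections, list options not enabled, and say if the scan covers `required`."""
    fields = parse_mbam_log(text)
    off = [o for o in SCAN_OPTIONS if fields.get(o, "missing") != "Enabled"]
    # Sections absent from the pasted text are counted as zero detections.
    detections = sum(int(fields.get(s, "0")) for s in DETECTION_SECTIONS)
    completed = fields.get("Result") == "Completed"
    covered = completed and not any(o in off for o in required)
    return {"detections": detections, "options_off": off, "covers_request": covered}

if __name__ == "__main__":
    print(review_scan(SAMPLE_LOG))
```

For the posted log this reports zero detections with the rootkit scan not enabled, so the clean result does not cover the rootkit check requested in Step 1 of post #10.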


#14 CodingCat


Posted 01 May 2015 - 07:56 PM

When you say search results do you mean this:

 

Farbar Recovery Scan Tool (x64) Version: 29-04-2015 01
Ran by Rachel at 2015-05-01 19:48:52
Running from C:\Users\Rachel\Downloads
Boot Mode: Normal
 
================== Search Files: "log.txt" =============
 
C:\Windows.old\Users\Rachel\AppData\Local\TOSHIBA\DemoDbgLog\log.txt
[2015-02-04 22:13][2015-04-23 17:42] 0000120 ____A () BBEBE3C5237E0CB2CA66C071D8AAAB84
 
C:\Users\Rachel\AppData\Local\TOSHIBA\DemoDbgLog\log.txt
[2015-04-26 13:03][2015-04-29 14:30] 0000120 ____A () E765980E2E4B50F83A78A9575E3E6746
 
C:\Users\Administrator\AppData\Local\TOSHIBA\RealMuiConfig\log.txt
[2014-04-11 01:27][2014-04-11 01:27] 0000529 ____A () 62EA7DF798CE28CA7BAB778F3F4D405E
 
C:\Users\Administrator\AppData\Local\TOSHIBA\DemoDbgLog\log.txt
[2014-11-15 04:27][2014-11-15 04:55] 0000120 ____A () 37CE233033E8C2C608DEACD194B41C0E
 
====== End Of Search ======


#15 deeprybka


Posted 01 May 2015 - 08:00 PM

Yes, you did it right. :)

 

Please run FRST again.

 

Step 1

Start FRST with administrator privileges.

  • Make sure the following option is checked: [image: addition.png]
  • Press the Scan button.
  • When finished, FRST will produce two logs (FRST.txt and Addition.txt) in the same directory the tool was run from.
    Please copy and paste these logs in your next reply.


regards,
deeprybka