
I don't need help, but just want to submit an interesting find

2 replies to this topic

#1 Croatian


  • Members
  • 2 posts
  • Local time:12:33 AM

Posted 18 August 2016 - 11:03 AM

To BC staff interested in this kind of stuff:


  I was cleaning a computer that got infected in one shot by a multitude of Trojans. The owner claims he was trying to search for a PDF manual of a sort (he Googled it). So when he tried to open one of those "PDF" links the bad apps started installing themselves all over his Windows 7 Pro laptop that has IE, Chrome and Firefox installed. Thankfully he had MS Security Essentials installed and up to date, so a few got quarantined right away.


  To clean it more thoroughly I unleashed a barrage of different tools known to mankind to get rid of the nasty stuff. This included Malwarebytes and popular Bleeping Computer downloads. All was well afterwards except that, unbeknown to me, the links he used to launch those browsers were also modified by this Trojan by incorporating a direct link appended to the original browser executable path from which a renewed attempt is made to re-infect the computer each time you'd click on it. At first I thought it was some kind of a sophisticated redirector or maybe a poisoned DNS cache. Nope, it was just a simple line that did the trick.


  That's not all. While manually searching for files that I may have missed I came across the file containing the following original Trojan installation log, located in the system32 folder, named "tmplog.log". I don't know why the guys who created this stuff didn't clean it up, but here it is (attached) in all its glory, a testament to what they have done (or tried to do). There you have it now and I hope it will come in useful to some when troubleshooting.


Have a nice day! You are :welcome:


Attached Files

Edited by hamluis, 18 August 2016 - 11:42 AM.
Moved from MRL to Gen Security - Hamluis.
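
Added example, not part of the original thread and not the poster's code: a PowerShell check that lists browser shortcuts whose arguments contain a URL, which is the shortcut modification described in the post above. The folder list, the browser executable names and the function name `Test-HijackedShortcut` are assumptions made for this example; the script only reports and changes nothing.

```powershell
# Added example: report browser shortcuts (.lnk) that pass a URL as an argument.
# Assumptions: the browser names and folder list below; extend both as needed.
$browsers = 'iexplore.exe', 'chrome.exe', 'firefox.exe'
$folders = @(
    "$env:USERPROFILE\Desktop",
    "$env:PUBLIC\Desktop",
    "$env:APPDATA\Microsoft\Windows\Start Menu",
    "$env:ProgramData\Microsoft\Windows\Start Menu",
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch"   # includes taskbar pins
)

function Test-HijackedShortcut {
    param([string]$TargetPath, [string]$Arguments)
    # Suspicious when the target is a known browser AND the arguments hold a URL.
    $leaf = if ($TargetPath) { Split-Path -Leaf $TargetPath } else { '' }
    return ($browsers -contains $leaf) -and
           ($Arguments -match '(?i)\b(https?://|www\.)\S+')
}

# WScript.Shell can open an existing .lnk and expose its target and arguments.
$shell = New-Object -ComObject WScript.Shell

$findings = foreach ($folder in $folders) {
    if (-not (Test-Path -LiteralPath $folder)) { continue }
    Get-ChildItem -LiteralPath $folder -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $lnk = $shell.CreateShortcut($_.FullName)
            if (Test-HijackedShortcut -TargetPath $lnk.TargetPath -Arguments $lnk.Arguments) {
                [pscustomobject]@{
                    Shortcut  = $_.FullName
                    Target    = $lnk.TargetPath
                    Arguments = $lnk.Arguments
                }
            }
        }
}

if ($findings) { $findings | Format-List }
else { 'No browser shortcuts with URL arguments found.' }
```

Shortcuts that were deliberately created to open a particular site are listed too, so each hit needs a look before the extra argument is removed from the shortcut's Target field.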



#2 Grinler


    Lawrence Abrams

  • Admin
  • 43,640 posts
  • Gender:Male
  • Location:USA
  • Local time:01:33 AM

Posted 18 August 2016 - 06:00 PM

That's good stuff and what makes malware analysis and computer security such an interesting subject. I have been looking for this hijacker and it's all about finding the right clues, which are presented in that log you uploaded. So thanks for that!

#3 Croatian

  • Topic Starter

  • Members
  • 2 posts
  • Local time:12:33 AM

Posted 19 August 2016 - 09:09 AM

Lawrence, you are quite welcome. Many times over the past untold years I've watched you guys selflessly help people in need, myself included (although only as a reader/researcher). When I saw that log file I knew it was a smoking gun, one that some smarter folks can have a field day with. So your website came first to my mind. If it helps the community in any way - even better!


Thank you for all that you guys and girls do, day in and day out. Please continue the good work!


