Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Another sd-steam / zodiac-game pop up


  • This topic is locked This topic is locked
15 replies to this topic

#1 sgtbeano

sgtbeano

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:09:38 AM

Posted 21 August 2016 - 03:57 AM

Hey There,

 

Like a number of other users I'm getting Chrome open at login and directing to the URL zodiac-game.info (pretty nasty :( ).  I've got Kaspersky up to date and running, no threats detected and I've also manually scanned with MWB, again nothing found.

 

Here's the log output from FRST64.exe;

 

Attached File  FRST.txt   899.2KB   4 downloads

 

And here's the addition one;

 

Attached File  Addition.txt   52.62KB   1 downloads

 

All my software is legit, paid for and licensed.  How could this happen?

 

Thanks in advance for your help :)



BC AdBot (Login to Remove)

 


#2 sgtbeano

sgtbeano
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:09:38 AM

Posted 21 August 2016 - 05:22 AM

Update on this, I may have fixed this;

 

Removed Java 7u21 entirely and then removed RUN registry entry using CCleaner.

 

Have rebooted multiple times now and no sign of recurrence - posted here in case it's useful.



#3 sgtbeano

sgtbeano
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:09:38 AM

Posted 21 August 2016 - 05:36 AM

Adding outputs from some of the tools you guys use on here for confirmation.

 

Attached File  AdwCleanerS3.txt   1.1KB   2 downloads

Attached File  ckfiles.txt   127bytes   1 downloads

Attached File  ckfiles.txt   127bytes   2 downloads

Attached File  RogueKiller.txt   3.69KB   2 downloads



#4 sgtbeano

sgtbeano
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:09:38 AM

Posted 21 August 2016 - 11:47 AM

Had a PM from someone with the same issue asking for more details.  Here's what I did;

 

1.  Removed Java 7 from Programs and Features, along with the Java 7 SDK and a Java 7 update.  (Open Programs and Features on Windows 10 by right clicking on the start / windows symbol and selecting 'Programs and Features')

 

2.  Installed CCleaner (free version) from here; https://www.piriform.com/ccleaner/download

 

3.  Once installed, run CCleaner and from the menu buttons on the left hand side, click the Tools icon, then the Startup panel.  Find the entry with the Key HKCU:Run and the File value "explorer.exe http://zodiac-game.info" or something similar and select it.  Then from the right hand buttons, click Delete

 

Please not this is not a professional answer from this forum, this is simply what I've done and after 20+ reboots I haven't seen the problem reoccur.  Obviously one of the dedicated awesome Malware experts on here could provide a far more full proof resolution so use at your own risk!



#5 sgtbeano

sgtbeano
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:09:38 AM

Posted 22 August 2016 - 02:06 AM

Right, this hasn't worked.  Started my computer for work this morning and I had browser open with zodiac-game.info again, ffs!  Please can someone help?

 

Attached File  FRST.txt   122.5KB   5 downloads

Attached File  Addition.txt   53.88KB   2 downloads



#6 sgtbeano

sgtbeano
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:09:38 AM

Posted 22 August 2016 - 02:33 AM

Ran MBAM

 

Attached File  MBAM.txt   1.18KB   4 downloads



#7 Jo*

Jo*

  • Malware Response Team
  • 3,445 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Germany
  • Local time:09:38 AM

Posted 23 August 2016 - 06:36 AM

:welcome: to BleepingComputer.

Hi there,

my name is Jo and I will help you with your computer problems.


Please follow these guidelines:
  • Read and follow the instructions in the sequence they are posted.
  • print or copy & save instructions.
  • back up all your private data / music / important files on another (external) drive before using our tools.
  • Do not install / uninstall any applications, unless otherwise instructed.
  • Use only that tools you have been instructed to use.
  • Copy and Paste the log files inside your post, unless otherwise instructed.
  • Ask for clarification, if you have any questions.
  • Stay with this topic til you get the all clean post.
  • My first language is not english. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

***


:step1: Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    Vista / Windows 7/8 users right-click and select Run As Administrator.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

***


:step2: Please download Malwarebytes Anti-Rootkit and save it to your desktop.
  • Be sure to print out and follow the instructions provided on that same page.
  • Caution: This is a beta version so please be sure to read the disclaimer and back up all your data before using.
  • Double click on downloaded file. OK self extracting prompt.
  • MBAR will start. Click in the introduction screen "next" to continue.
  • Click in the following screen "Update" to obtain the latest malware definitions.
  • Once the update is complete select "Next" and click "Scan".
With some infections, you may see two messages boxes.
  • 'Could not load protection driver'. Click 'OK'.
  • 'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.
  • If malware is found - do not press the Clean up button, please go to the MBAR folder and then copy/paste the contents of the MBAR-log-***.txt file to your next reply.
  • If there is no malware found, please let me know as well.

***


:step3: Please download AdwCleaner by Xplode and save to your Desktop.
Double-click AdwCleaner.exe
Vista / Windows 7/8 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
    The actual line should say "Pending. Please uncheck elements you do not want to remove" => scan is complete.
  • After the scan has finished, click on the Logfile button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it.
    If you see an entry you want to keep, let me know about it.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.

***


Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#8 sgtbeano

sgtbeano
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:09:38 AM

Posted 23 August 2016 - 07:23 AM

Hey Jo,

 

I think the virus / malware has gone now - MBAM did detect something and removed it, haven't had the problem again since. 

 

Here's the requested logs - thanks so much for your help with this;

 

Attached File  checkup.txt   984bytes   1 downloads

Attached File  system-log.txt   51.55KB   1 downloads

Attached File  AdwCleanerS5.txt   1.59KB   1 downloads



#9 Jo*

Jo*

  • Malware Response Team
  • 3,445 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Germany
  • Local time:09:38 AM

Posted 23 August 2016 - 07:27 AM

:step1: Run Malwarebytes Anti-Rootkit again: Double click mbar.exe to run the tool.
Vista / Windows 7/8 users right-click and select Run As Administrator.
  • Scan your system for malware
  • If malware is found, click on the Cleanup
  • button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • then please go to the MBAR folder and then copy/paste the contents of the MBAR-log-***.txt file to your next reply.
  • If there is no malware found, please let me know as well.

***


:step2: Please download Junkware Removal Tool from HERE and save it to your desktop.
Shutdown your antivirus to avoid any potential conflicts.
Double click JRT.exe to run the tool.
Vista / Windows 7/8 users right-click and select Run As Administrator.
  • JRT will begin to backup your registry and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, the log JRT.txt is saved on your desktop and will automatically open.
Enable your antivirus!
Post the contents of JRT.txt into your next reply.


***


Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#10 sgtbeano

sgtbeano
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:09:38 AM

Posted 23 August 2016 - 07:31 AM

MB anti-rootkit reports nothing found;

 

Attached File  system-log.txt   51.55KB   0 downloads

 

JRT found nothing;

 

Attached File  JRT.txt   546bytes   0 downloads



#11 sgtbeano

sgtbeano
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:09:38 AM

Posted 23 August 2016 - 07:38 AM

Sorry, posted the wrong log;

 

Attached File  mbar-log-2016-08-23 (13-14-42).txt   2.04KB   1 downloads



#12 Jo*

Jo*

  • Malware Response Team
  • 3,445 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Germany
  • Local time:09:38 AM

Posted 23 August 2016 - 07:39 AM

Log on to all your user accounts now - without restarting !

Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
Save it in the same location as / FSRT / FSRT64 (usually your desktop) as fixlist.txt




start
CreateRestorePoint:
CloseProcesses:
EmptyTemp:
HKU\S-1-5-21-4260653350-3820879013-3187957919-1001\...\Run: [bbull] => explorer.exe hxxp://sd-steam.info <===== ATTENTION
S3 cpuz137; \??\C:\Users\bbull\AppData\Local\Temp\cpuz137\cpuz137_x64.sys [X]
U4 klkbdflt2; \SystemRoot\system32\DRIVERS\klkbdflt2.sys [X]
Task: {A7717450-5A1B-4158-B86B-45848244476D} - System32\Tasks\bbull => REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v bbull /t REG_SZ /d "explorer.exe hxxp://sd-steam.info" <==== ATTENTION
Task: {A7717450-5A1B-4158-B86B-45848244476D} - System32\Tasks\bbull => REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v bbull /t REG_SZ /d "explorer.exe hxxp://sd-steam.info" <==== ATTENTION
End

NOTICE: This script was written specifically for this user, for use on that particular machine.
Running this on another machine may cause damage to your operating system


Run FRST / FSRT64 again as Administrator like we did before but this time press the Fix button just once and wait.
The tool will make a log (Fixlog.txt) please post it to your reply.

Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#13 sgtbeano

sgtbeano
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:09:38 AM

Posted 23 August 2016 - 08:10 AM

Thanks Jo, here's the fix log;

 

Attached File  Fixlog.txt   2.61KB   1 downloads



#14 Jo*

Jo*

  • Malware Response Team
  • 3,445 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Germany
  • Local time:09:38 AM

Posted 23 August 2016 - 08:41 AM

***


:step1: ESET Online Scanner
  • Click here to download the installer for ESET Online Scanner and save it to your Desktop.
  • Disable all your antivirus and antimalware software - see how to do that here.
  • Right click on esetsmartinstaller_enu.exe and select Run as Administrator.
  • Place a checkmark in YES, I accept the Terms of Use, then click Start. Wait for ESET Online Scanner to load its components.
  • Select Enable detection of potentially unwanted applications.
  • Click Advanced Settings, then place a checkmark in the following:
    • Remove found threats
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click Start to begin scanning.
  • ESET Online Scanner will start downloading signatures and scan. Please be patient, as this scan can take quite some time.
  • When the scan is done, click List threats (only available if ESET Online Scanner found something).
  • Click Export, then save the file to your desktop.
  • Click Back, then Finish to exit ESET Online Scanner.
Open the scan log and copy and paste the content to your next reply.
 

***


:step2: How the computer is running now?


***


Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#15 Jo*

Jo*

  • Malware Response Team
  • 3,445 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Germany
  • Local time:09:38 AM

Posted 28 August 2016 - 05:46 AM


Hi,

it has been several days since I sent my last set of instructions to help with your computer problem.

Please let me know if you are having problems and still need help.

Note: Thread will be closed if no response after 3 days.

Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users