Log File Assistance Please


  • This topic is locked
11 replies to this topic

#1 JackS88

JackS88

  • Members
  • 6 posts

Posted 24 August 2016 - 03:36 PM

I had an instance of "UrgentChromeUpdate" yesterday which is probably unrelated, but today, one of my CC's was hacked. I was notified by the card company via fraud alert. I'm concerned I have a keylogger or some form of malware.

Attached are logs from Malwarebytes Pro, HijackThis, ADWCleaner and FRST.

Thank you in advance to anyone who can provide assistance.

(Attachments: MalwareBytes Scan Log 8-24-16.txt, hijackthis.log, FRST.txt, Addition.txt, AdwCleanerC0.txt)




#2 Jo*

Jo*

  • Malware Response Team
  • 3,294 posts
  • Gender:Male
  • Location:Germany

Posted 28 August 2016 - 06:42 AM

Welcome to BleepingComputer.

Hi there,

my name is Jo and I will help you with your computer problems.

Please follow these guidelines:
  • Read and follow the instructions in the sequence they are posted.
  • Print or copy & save instructions.
  • Back up all your private data / music / important files on another (external) drive before using our tools.
  • Do not install / uninstall any applications, unless otherwise instructed.
  • Use only the tools you have been instructed to use.
  • Copy and paste the log files inside your post, unless otherwise instructed.
  • Ask for clarification if you have any questions.
  • Stay with this topic until you get the all-clean post.
  • My first language is not English, so please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

***


Step 1: Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double-click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    Vista / Windows 7/8 users: right-click and select Run As Administrator.
  • A Notepad document called checkup.txt should open automatically; please post the contents of that document.

***


Step 2: Please download Malwarebytes Anti-Rootkit and save it to your desktop.
  • Be sure to print out and follow the instructions provided on that same page.
  • Caution: This is a beta version, so please be sure to read the disclaimer and back up all your data before using it.
  • Double-click on the downloaded file. OK the self-extracting prompt.
  • MBAR will start. In the introduction screen, click "Next" to continue.
  • In the following screen, click "Update" to obtain the latest malware definitions.
  • Once the update is complete, select "Next" and click "Scan".
With some infections, you may see two message boxes.
  • 'Could not load protection driver'. Click 'OK'.
  • 'Could not load DDA driver'. Click 'Yes' to this message to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.
  • If malware is found, do not press the Clean up button; please go to the MBAR folder and then copy/paste the contents of the MBAR-log-***.txt file into your next reply.
  • If no malware is found, please let me know as well.

***


Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#3 JackS88

JackS88
  • Topic Starter

  • Members
  • 6 posts

Posted 28 August 2016 - 01:59 PM

Hi Jo,

Thank you very much for your help!

The checkup file is attached. Malwarebytes Anti-Rootkit found no malware.

Thanks again,

Jack



#4 Jo*

Jo*

  • Malware Response Team
  • 3,294 posts
  • Gender:Male
  • Location:Germany

Posted 28 August 2016 - 02:36 PM

Hello,

***

Copy FRST / FRST64.exe to your desktop!

Log on to all your user accounts now, without restarting!

Open Notepad. Please copy the contents of the code box below. To do this, highlight the contents of the box and right-click on it. Paste this into the open Notepad.
Save it in the same location as FRST / FRST64 (usually your desktop) as fixlist.txt

Start
CloseProcesses:

SearchScopes: HKLM-x32 -> {4FB4D1F2-C7F3-4040-BD6D-7960BAD3C14E} URL = hxxp://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us2-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
CustomCLSID: HKU\S-1-5-21-2669594336-3576701628-29038340-1001_Classes\CLSID\{590C4387-5EBD-4D46-8A84-CD0BA2EF2856}\InprocServer32 -> C:\Users\XXXX\AppData\Local\Google\Update\1.3.30.3\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-2669594336-3576701628-29038340-1001_Classes\CLSID\{793EE463-1304-471C-ADF1-68C2FFB01247}\InprocServer32 -> C:\Users\XXXX\AppData\Local\Google\Update\1.3.29.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-2669594336-3576701628-29038340-1001_Classes\CLSID\{CC182BE1-84CE-4A57-B85C-FD4BBDF78CB2}\InprocServer32 -> C:\Users\XXXX\AppData\Local\Google\Update\1.3.29.1\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-2669594336-3576701628-29038340-1001_Classes\CLSID\{D1EDC4F5-7F4D-4B12-906A-614ECF66DDAF}\InprocServer32 -> C:\Users\XXXX\AppData\Local\Google\Update\1.3.28.15\psuser_64.dll => No File
Task: {118DECEC-158D-45D7-8037-28C2DBCF3FF1} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {2C55C76A-6E7B-40EC-91DF-5C8A71E7C3BC} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {5E991AEF-75C2-4E16-84F4-AD80FB981DD4} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {61234A62-A550-4B83-BB13-DEA5DD488E66} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {656569FB-7D37-4677-8682-74BA39FB6F7E} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {65843DB5-8743-486F-9388-556E72DCA75E} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {7ECEAD1D-C72C-4CEE-AE47-6A4F3E4EE63B} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {93141BF1-6E0C-4294-BBA3-BA24B15922C1} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {AF7434BB-3BDC-4528-B2A0-E4CF03760C2D} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {BF1F5A52-5278-4ADC-AA8C-662CD7691BEC} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {C86AFADA-A397-4340-9B5D-18845795131F} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION

EmptyTemp:
End
NOTICE: This script was written specifically for this user, for use on that particular machine.
Running this on another machine may cause damage to your operating system.

Run FRST / FRST64 again as Administrator like we did before, but this time press the Fix button just once and wait.
The tool will make a log (Fixlog.txt); please post it in your reply.

---

Download and run Chrome Software Cleaner.

---

How is the computer running now?

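To make the fixlist above easier to read, here is an added example (not part of this thread and not FRST's own code) that parses fixlist entries of the kinds shown, pulls out the GUID and registered target, and counts how many lines FRST reported as pointing at a file that no longer exists; the sample input is constructed from three line types quoted above, with the XXXX placeholder kept as the thread shows it.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample covering the three entry kinds in the fixlist above.
SAMPLE_FIXLIST = r"""Start
CloseProcesses:
CustomCLSID: HKU\S-1-5-21-2669594336-3576701628-29038340-1001_Classes\CLSID\{590C4387-5EBD-4D46-8A84-CD0BA2EF2856}\InprocServer32 -> C:\Users\XXXX\AppData\Local\Google\Update\1.3.30.3\psuser_64.dll => No File
Task: {118DECEC-158D-45D7-8037-28C2DBCF3FF1} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
SearchScopes: HKLM-x32 -> {4FB4D1F2-C7F3-4040-BD6D-7960BAD3C14E} URL = hxxp://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8
EmptyTemp:
End"""

@dataclass
class FixEntry:
    kind: str             # entry type before the colon: CustomCLSID, Task, SearchScopes, ...
    guid: Optional[str]   # first {GUID} on the line, if any
    target: str           # registry key or task path the entry refers to
    orphaned: bool        # FRST reported "No File": the registration points at nothing on disk
    flagged: bool         # FRST marked the line with "<==== ATTENTION"

ENTRY_RE = re.compile(r"^(?P<kind>[A-Za-z0-9]+): (?P<body>\S.*)$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

def parse_fixlist(text: str) -> List[FixEntry]:
    """Turn fixlist lines into FixEntry objects; Start/End and bare directives are skipped."""
    entries: List[FixEntry] = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:  # 'Start', 'End', 'CloseProcesses:', 'EmptyTemp:' carry no entry body
            continue
        kind, body = m.group("kind"), m.group("body")
        guid = GUID_RE.search(body)
        # Left of the first ' -> ' is what was registered; for tasks drop the leading '{GUID} - '.
        target = body.split(" -> ", 1)[0].split(" - ", 1)[-1]
        entries.append(FixEntry(kind, guid.group(0) if guid else None, target,
                                "No File" in body, "<==== ATTENTION" in body))
    return entries

def summarize(entries: List[FixEntry]) -> dict:
    """Counts a responder checks before applying a fix: how many lines are dead references."""
    return {"total": len(entries),
            "orphaned": sum(e.orphaned for e in entries),
            "flagged": sum(e.flagged for e in entries)}

if __name__ == "__main__":
    for e in parse_fixlist(SAMPLE_FIXLIST):
        print(f"{e.kind:<12} orphaned={e.orphaned!s:<5} flagged={e.flagged!s:<5} {e.target}")
    print(summarize(parse_fixlist(SAMPLE_FIXLIST)))
```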


#5 JackS88

JackS88
  • Topic Starter

  • Members
  • 6 posts

Posted 28 August 2016 - 03:11 PM

Thanks Jo.

Attached is the Fixlog.txt.

I ran Chrome Software Cleaner. The computer is running well.

Jack

#6 Jo*

Jo*

  • Malware Response Team
  • 3,294 posts
  • Gender:Male
  • Location:Germany

Posted 28 August 2016 - 04:54 PM

ESET Online Scanner
  • Click here to download the installer for ESET Online Scanner and save it to your Desktop.
  • Disable all your antivirus and antimalware software - see how to do that here.
  • Right click on esetsmartinstaller_enu.exe and select Run as Administrator.
  • Place a checkmark in YES, I accept the Terms of Use, then click Start. Wait for ESET Online Scanner to load its components.
  • Select Enable detection of potentially unwanted applications.
  • Click Advanced Settings, then place a checkmark in the following:
    • Remove found threats
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click Start to begin scanning.
  • ESET Online Scanner will start downloading signatures and scan. Please be patient, as this scan can take quite some time.
  • When the scan is done, click List threats (only available if ESET Online Scanner found something).
  • Click Export, then save the file to your desktop.
  • Click Back, then Finish to exit ESET Online Scanner.
Open the scan log and copy and paste the content to your next reply.



#7 JackS88

JackS88
  • Topic Starter

  • Members
  • 6 posts

Posted 29 August 2016 - 01:48 AM

Jo,

ESET did not find any threats.



#8 Jo*

Jo*

  • Malware Response Team
  • 3,294 posts
  • Gender:Male
  • Location:Germany

Posted 29 August 2016 - 03:37 AM

FRST / FRST64: run it again.
  • Right-click FRST / FRST64, then click "Run as administrator" (XP users: click Run after receipt of the Windows Security Warning - Open File).
  • When the tool opens, click Yes to the disclaimer.
  • Put a check in the box next to Addition.txt and press the Scan button.
  • When finished, it will produce logs called FRST.txt and Addition.txt in the same directory the tool was run from.
  • Please copy and paste both logs in your next reply.



#9 JackS88

JackS88
  • Topic Starter

  • Members
  • 6 posts

Posted 29 August 2016 - 03:53 AM

Attached are the FRST and Addition files.  I had re-enabled Malwarebytes after the ESET scanner.  Please let me know if I need to disable and run Farbar again.

#10 Jo*

Jo*

  • Malware Response Team
  • 3,294 posts
  • Gender:Male
  • Location:Germany

Posted 29 August 2016 - 04:26 AM

Your PC was not infected.

***

It appears that your PC is clean!


***


Clean up:

***

Right-click AdwCleaner.exe and select Run As Administrator.
  • Click on the Uninstall button.
  • A window will open; press the Confirm button.
  • AdwCleaner will uninstall now.

***

Clean up with delfix:
  • Please download delfix to your desktop.
  • Close all other programs and start delfix.
  • Please check all the boxes and run the tool.
  • delfix will now delete all found traces of our removal process.

***

Delete the log files our tools created; they are located on your desktop or in the
"c:\users\{.......}\Downloads" folder.
Highlight them and press the Del or Delete key on the keyboard.
You can browse to the location of the file or folder using either My Computer or Windows Explorer.


***


Here are some preventive tips to reduce the potential for spyware infection in the future.

Step 1: Browse more securely.
Step 2: Make sure you keep your Windows OS current.
  • Windows XP users can visit Windows Update regularly to download and install any critical updates and service packs.
  • Windows Vista / 7 / 8 users can update via
    Start menu > All Programs > Windows Update > Check for Updates (in the left-hand task pane).
Step 3: Avoid P2P.
  • If you think you're using a "safe" P2P program, only the program is safe, not the data.
  • You will share files from unsafe sources, and these may be infected.
  • Some bad guys use P2P file sharing as an important channel to spread their wares.
Step 4: Use only one anti-virus software and keep it up to date.

Step 5: Firewall
Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a firewall in its default configuration can lower your risk greatly.

Step 6: Back up regularly
You never know when your PC will become unstable or become so infected that you can't recover it.

Step 7: Use strong passwords!

Step 8: Email attachments
Do not open any unknown email attachments that you received without asking for them!

Extra note:
Keep your browser, Java, PDF reader and Adobe Flash up to date.
And you could install Malwarebytes Anti-Exploit to run alongside your traditional anti-virus or anti-malware products.

Make sure your programs are up to date, because older versions may contain security leaks.


***




#11 JackS88

JackS88
  • Topic Starter

  • Members
  • 6 posts

Posted 29 August 2016 - 04:38 AM

Jo,

 

Thanks so much for all your help. It is much appreciated.

Jack



#12 Jo*

Jo*

  • Malware Response Team
  • 3,294 posts
  • Gender:Male
  • Location:Germany

Posted 29 August 2016 - 05:25 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.





