
Can't establish secure internet connection after executing .vbs file


  • This topic is locked
8 replies to this topic

#1 KiriKaeshi

  • Members
  • 6 posts

Posted 13 September 2016 - 12:01 PM

Hi!

 

I've carelessly executed a .vbs file and today I noticed that secure internet connection doesn't work in Firefox and Dropbox. Also, Steam exhibited some difficulties in logging in (but that could be just Steam). Chrome is working normally.

 

Other symptoms are that Windows Firewall and Windows Defender are turned off when I start the computer. I can turn the firewall on, but Defender is blocked by group rule (I managed to override this by deleting the registry key). I ran Windows Defender but it didn't find anything. There was also an error while trying to install an optional Windows update.

 

Here is some info that seems related to my case: http://www.malware-traffic-analysis.net/2016/07/25/index4.html

 

Just like in this example, the malware was in a .vbs file and I have SYS<mycomputername>.exe showing in Task Manager. If I shut down this process I'm unable to access the internet anymore (something about proxy not being set up properly).

 

This exe runs from this folder: c:\Users\username\AppData\Local\Temp\Java

 

Contents of it are:

<mycomputername>.aes

<mycomputername>.zip

<mycomputername>X.xml

Ionic.Zip.Reduced.dll

makecert.exe

SYS<mycomputername>.exe

warePlguin.txt

 

Edit:

I've deleted the FRST.txt content as it seems I've resolved my problem and I don't want anyone to waste time reading through it.

 

Here's what I did.

I've deleted the content of the Java folder and removed entries from the registry. After reboot SYS<mycomputername>.exe didn't show up again and my firewall wasn't blocked. Windows Defender was blocked again, but I imagine that could be due to something else (could some antivirus software block it?). Then I manually changed proxy settings in Internet Options, Firefox and Dropbox. And now it seems everything is back to normal. I hope I didn't do more harm than good, but I was really uncomfortable with this situation and was very close to formatting my computer.

 

Let me know if I should do another FRST scan to check whether some malware is still present in my system. I'd appreciate it if someone qualified would take a look at it.


Edited by KiriKaeshi, 13 September 2016 - 03:35 PM.
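
A read-only check for the indicators described in the post above, as an added example that is not part of the original thread: it looks for the listed files in the Temp\Java folder, a running SYS<computername> process, and proxy values set behind Internet Options. It assumes PowerShell 3.0 or later, that the folder sits under the current user's %LOCALAPPDATA%, and that <mycomputername> is the value of %COMPUTERNAME%.

```powershell
#requires -Version 3
# Added example: read-only triage for the indicators described in the post.
# Assumptions: the folder is under the current user's %LOCALAPPDATA% and
# <mycomputername> in the file names is the value of %COMPUTERNAME%.
$name = $env:COMPUTERNAME
$dir  = Join-Path $env:LOCALAPPDATA 'Temp\Java'

# File names exactly as listed in the post, with the computer name filled in.
$expected = @(
    "$name.aes", "$name.zip", "${name}X.xml", 'Ionic.Zip.Reduced.dll',
    'makecert.exe', "SYS$name.exe", 'warePlguin.txt'
)
$findings = @()

# 1. Listed files that are present in the folder.
foreach ($file in $expected) {
    $path = Join-Path $dir $file
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path -Force
        $findings += [pscustomobject]@{
            Check = 'File'; Name = $path; Detail = "modified $($item.LastWriteTime)"
        }
    }
}

# 2. A running process with that name (Get-Process takes the name without .exe).
foreach ($proc in @(Get-Process -Name "SYS$name" -ErrorAction SilentlyContinue)) {
    $findings += [pscustomobject]@{
        Check = 'Process'; Name = $proc.ProcessName
        Detail = "PID $($proc.Id), $($proc.Path)"
    }
}

# 3. Proxy values behind Internet Options for the current user (for review).
$key  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$inet = Get-ItemProperty -Path $key
foreach ($value in 'ProxyEnable', 'ProxyServer', 'AutoConfigURL') {
    $data = $inet.$value
    if ($null -ne $data -and "$data" -ne '' -and "$data" -ne '0') {
        $findings += [pscustomobject]@{ Check = 'Proxy'; Name = $value; Detail = "$data" }
    }
}

if ($findings.Count -eq 0) { 'No indicators from the post were found.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

Firefox and Dropbox keep their own proxy settings, which the post changed separately and which this script does not read.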



 


#2 nasdaq

  • Malware Response Team
  • 39,936 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 14 September 2016 - 09:39 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

You have attached the Addition.txt twice.

I need to see the FRST log from the Farbar run.

===

p.s.
The Addition.txt shows that your Firewall is disabled.
Turn your System Restore ON - Windows Help
http://windows.microsoft.com/en-ca/windows/turn-system-restore-on-off#1TC=windows-7

Avast is disabling the Windows Defender. It's normal.

Post the FRST log and wait for my instructions.

#3 KiriKaeshi

  • Topic Starter
  • Members
  • 6 posts

Posted 14 September 2016 - 07:37 PM

Hi,

 

Unfortunately I can't perform an FRST scan anymore. The program just hangs after I run it. Sometimes during checking for updates, sometimes after stating that "The tool is ready to use".



#4 nasdaq

  • Malware Response Team
  • 39,936 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 15 September 2016 - 08:47 AM

Run this tool. Post the logs if you get one.

Disable your AV program so it does not interfere.
Info on how to disable your security applications: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download the Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
createsrpoint;
autoclean;
emptyalltemp;
ipconfig /flushdns;b
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run all the script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.

Also, please provide an update on how the computer is behaving after running the above script.

#5 KiriKaeshi

  • Topic Starter
  • Members
  • 6 posts

Posted 16 September 2016 - 06:27 AM

Attached File: zoek-results.txt   16.52KB

Hi,

 

I ran the tool and attached the log. As far as I can see, everything is working normally, but I'll update the post if I notice something.

 

Thanks



#6 nasdaq

  • Malware Response Team
  • 39,936 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 16 September 2016 - 09:14 AM

Delete the current copy of the Farbar tool.

Download it again and run it.

Post both logs for my review.

#7 KiriKaeshi

  • Topic Starter
  • Members
  • 6 posts

Posted 16 September 2016 - 12:18 PM

I'm afraid it still hangs. To be honest, I tried running it today after Zoek had finished and it downloaded a new version automatically, opened a notification window informing me of the update and then froze...



#8 nasdaq

  • Malware Response Team
  • 39,936 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 17 September 2016 - 08:25 AM

Run it with only these two options.

autoclean;
emptyalltemp;

#9 nasdaq

  • Malware Response Team
  • 39,936 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 23 September 2016 - 10:18 AM

Are you still with me?



