
malware/ trojan attacking browsers


41 replies to this topic

#1 phant0m2017

  • Members
  • 26 posts
  • OFFLINE
  • Local time:10:51 AM

Posted 22 October 2016 - 07:01 AM

Hi there. My laptop is a Toshiba Qosmio G50 series running Windows 10 Anniversary Edition, 64-bit.

All my browsers have been attacked by malware/trojan and my Windows Defender is not working. I cannot get online.
Tried running a whole host of tools but nothing seems to work. I'm not too experienced in the technical side of computers, but everything on the computer I want, e.g. photos, music etc., is backed up. I downloaded Farbar Recovery Scan Tool on a desktop and transferred it over with a USB pen drive and scanned. Any help would be gratefully appreciated. Cheers.

Attached Files




#2 nasdaq

  • Malware Response Team
  • 38,569 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:51 AM

Posted 23 October 2016 - 10:25 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKU\S-1-5-21-3830988767-168896783-2422545067-1000\...\Winlogon: [Shell] C:\WINDOWS\explorer.exe [4673296 2016-09-15] (Microsoft Corporation) <==== ATTENTION
HKU\S-1-5-18\...\Run: [] => 0
ShellIconOverlayIdentifiers: ["DropboxExt1"] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: ["DropboxExt2"] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: ["DropboxExt3"] -> {FB314EDD-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: ["DropboxExt4"] -> {FB314EDE-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: ["DropboxExt5"] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: ["DropboxExt6"] -> {FB314EDF-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: ["DropboxExt7"] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: ["DropboxExt8"] -> {FB314EE0-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: [0PerformanceMonitor] -> {3B5B973C-92A4-4855-9D3F-0F3D23332208} =>  No File
ShellIconOverlayIdentifiers-x32: ["DropboxExt1"] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers-x32: ["DropboxExt2"] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers-x32: ["DropboxExt3"] -> {FB314EDD-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers-x32: ["DropboxExt4"] -> {FB314EDE-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers-x32: ["DropboxExt5"] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers-x32: ["DropboxExt6"] -> {FB314EDF-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers-x32: ["DropboxExt7"] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers-x32: ["DropboxExt8"] -> {FB314EE0-A251-47B7-93E1-CDD82E34AF8B} =>  No File
S2 AGSService; "C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe" [X]
S2 MbaeSvc; "C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe" [X]
R1 NetUtils2016; C:\WINDOWS\system32\drivers\NetUtils2016.sys [909944 2016-10-14] () <==== ATTENTION
U3 idsvc; no ImagePath
Task: {07905E26-0D59-4C97-8262-587A959F15B2} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {29849092-346A-4220-886F-C46E110B9955} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {34EE686A-1945-44C8-AAC9-6D78418C3E24} - \SMW_P -> No File <==== ATTENTION
Task: {3B2C0D5B-4D4C-4F58-9AAB-4A22EDD90C5D} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION
Task: {4DE7FBE9-027D-458F-B741-7C65C162F91F} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {5158F85E-975F-4F54-8F8B-94C8B87E17A2} - System32\Tasks\AutoPico Daily Restart => C:\Users\NEIL\AppData\Local\Temp\RarSFX0\AutoPico.exe <==== ATTENTION
Task: {6A1000AE-3ABC-43A8-9C43-4D75B04B7FD3} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {6F621F1F-D982-4767-97DD-73404F5DD025} - \Evceuholnixlu -> No File <==== ATTENTION
Task: {70DF99FD-874E-4379-BB26-1A2CEAB3DB6C} - \Google Chrome -> No File <==== ATTENTION
Task: {786B2FBB-00C4-4509-9909-6C7730413110} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {90005213-8263-44B0-8BB4-7E954F70C352} - \IBUpd2 -> No File <==== ATTENTION
Task: {98EFAB80-AD11-489D-B78E-95ED336FE614} - \ConfigFree Startup Programs -> No File <==== ATTENTION
Task: {9CF2585C-2BEE-43A6-B713-3F9812420F21} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {C8333E23-7744-4D64-8410-2547FF6B3405} - \RunAsStdUser Task -> No File <==== ATTENTION
Task: {D13A45B8-600A-4C4F-8347-EC1FF75B8AEC} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {D1452451-2B7A-4694-B914-BB765B5689BA} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {D6928493-D384-46B9-9069-DEFEA3D0B0A7} - System32\Tasks\updengine => C:\Program Files (x86)\OtherSearch\updengine.exe <==== ATTENTION
Task: {DAC8C4A8-FD9B-4489-BD24-E332E7999079} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {EAFDE908-8BF0-44FA-B328-0166A3B69AB1} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {F4BC5723-20C4-4565-802D-B2E2A83844DA} - System32\Tasks\KMSAuto => C:\WINDOWS\KMSAuto.exe
AlternateDataStreams: C:\ProgramData\TEMP:E0BAFCE6 [124]
C:\Users\NEIL\AppData\Local\Temp\RarSFX0\AutoPico.exe
C:\Program Files (x86)\OtherSearch
C:\WINDOWS\system32\drivers\NetUtils2016.sys

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.

===

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as a Java update!
Important read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882

If still present after the update, you can remove the old version(s) of Java via the Control Panel > Programs and Features.
Java 8 Update 101 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F32180101F0}) (Version: 8.0.1010.13 - Oracle Corporation)
Java SE Development Kit 7 Update 79 (64-bit) (HKLM\...\{64A3A4F4-B792-11D6-A78A-00B0D0170790}) (Version: 1.7.0.790 - Oracle)

===

Please let me know what problem persists with this computer.
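The fixlist above removes four kinds of persistence at once: a per-user Winlogon Shell override, a set of orphaned scheduled-task registrations (the "-> No File" entries), two tasks that launch executables from a Temp directory and from C:\Program Files (x86)\OtherSearch, and a kernel driver with no vendor information (NetUtils2016.sys). The PowerShell below is an added, read-only triage script; it is not part of this thread and not part of FRST. It enumerates those same four locations on a live Windows 10 machine so you can see what a fixlist is about to delete before running it. It assumes an elevated Windows PowerShell 5.1 prompt (needed for the catalog-signature check); no file or service name beyond those in the FRST log is assumed.

```powershell
# Added example (not from the thread or from FRST): read-only triage of the
# persistence points targeted by the fixlist. Run elevated; nothing is changed.
# Assumes Windows 10 / Windows PowerShell 5.1 (IsOSBinary needs PS 5+).

# --- 1. Scheduled tasks whose action is missing or runs from a user/temp path
$taskFindings = foreach ($t in Get-ScheduledTask) {
    foreach ($a in $t.Actions) {
        if (-not $a.Execute) { continue }                      # COM-handler actions have no Execute
        $exe = [Environment]::ExpandEnvironmentVariables($a.Execute.Trim('"'))
        if (-not (Split-Path -Path $exe -Parent)) {            # bare name such as "cmd.exe": resolve via PATH
            $cmd = Get-Command -Name $exe -ErrorAction SilentlyContinue
            if ($cmd) { $exe = $cmd.Source }
        }
        $missing = -not (Test-Path -LiteralPath $exe)
        $userDir = ($exe -match '\\Users\\[^\\]+\\AppData\\') -or ($exe -match '\\Temp\\')
        if ($missing -or $userDir) {
            [pscustomobject]@{
                Task    = "$($t.TaskPath)$($t.TaskName)"
                Execute = $exe
                Reason  = if ($missing) { 'target missing' } else { 'runs from user/temp dir' }
            }
        }
    }
}

# --- 2. Orphaned TaskCache registrations (what FRST prints as "-> No File"):
#        the registry still holds the task GUID but its XML under
#        System32\Tasks is gone. Get-ScheduledTask does not list these.
$cache = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks'
$orphans = Get-ChildItem -Path $cache | ForEach-Object {
    $p = (Get-ItemProperty -Path $_.PSPath).Path
    if ($p -and -not (Test-Path -LiteralPath "$env:SystemRoot\System32\Tasks$p")) {
        [pscustomobject]@{ Guid = $_.PSChildName; TaskPath = $p }
    }
}

# --- 3. Winlogon Shell: machine default plus every loaded user hive.
#        A per-user Shell value is abnormal even when it names explorer.exe,
#        which is why FRST flagged the HKU entry in the log.
$wl = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$hives = @("HKLM:\$wl") + @(Get-ChildItem -Path Registry::HKEY_USERS |
            ForEach-Object { "Registry::HKEY_USERS\$($_.PSChildName)\$wl" })
$shells = foreach ($h in $hives) {
    $v = Get-ItemProperty -Path $h -Name Shell -ErrorAction SilentlyContinue
    if ($v) { [pscustomobject]@{ Key = $h; Shell = $v.Shell } }
}

# --- 4. Kernel drivers whose image is not a signed OS binary.
#        Third-party drivers (GPU, VPN, AV) appear here legitimately; an empty
#        company name plus a recent timestamp, as with NetUtils2016.sys in the
#        log, is what makes one worth pulling for analysis.
$drivers = Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
    $path = ($_.PathName -replace '^\\\?\?\\', '') -replace '^\\SystemRoot', $env:SystemRoot
    if ($path -and (Test-Path -LiteralPath $path)) {
        $sig  = Get-AuthenticodeSignature -FilePath $path
        $item = Get-Item -LiteralPath $path
        if (-not $sig.IsOSBinary) {
            [pscustomobject]@{
                Service   = $_.Name
                Path      = $path
                Company   = $item.VersionInfo.CompanyName
                SigStatus = $sig.Status
                Modified  = $item.LastWriteTime
            }
        }
    }
}

"== Suspicious task actions";   $taskFindings | Format-Table -AutoSize | Out-String
"== Orphaned TaskCache entries"; $orphans      | Format-Table -AutoSize | Out-String
"== Winlogon Shell values";      $shells       | Format-Table -AutoSize | Out-String
"== Non-OS kernel drivers";      $drivers      | Format-Table -AutoSize | Out-String
```

Everything this prints is also what the fixlist lines correspond to, so it doubles as a before/after check: run it once before the Fix, once after the reboot, and anything still listed in sections 1, 2 or 4 was not removed.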

#3 phant0m2017
  • Topic Starter
  • Members
  • 26 posts
  • OFFLINE
  • Local time:10:51 AM

Posted 23 October 2016 - 02:39 PM

Hi there Nasdaq, thanks for the help.

I copied the contents of the code box into Notepad and transferred it with a USB pen drive from the desktop I have here, which has internet access, onto the desktop of my problem laptop, which is not getting internet access.

You asked me to save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

My Farbar tool is running from my desktop. The FRST file and Addition file are alongside the tool on my desktop. The new fixlist.txt file is alongside those files.

What do you want me to do with this new file?

My Java is v8 update 101.
I have disabled it and restarted.

Edited by phant0m2017, 23 October 2016 - 02:54 PM.


#4 nasdaq

  • Malware Response Team
  • 38,569 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:51 AM

Posted 24 October 2016 - 08:53 AM

With the fixlist.txt on the Control panel where the Farbar tool is located, just run FRST and click Fix only once and wait.

A fixlog will be created, post it for my review.

Let me know what problem persists.

#5 phant0m2017
  • Topic Starter
  • Members
  • 26 posts
  • OFFLINE
  • Local time:10:51 AM

Posted 24 October 2016 - 09:15 AM

Hi there, here is the file you need.

Attached Files



#6 phant0m2017
  • Topic Starter
  • Members
  • 26 posts
  • OFFLINE
  • Local time:10:51 AM

Posted 24 October 2016 - 09:21 AM

The problem is that I can't get online. The Wi-Fi icon down on the bottom right of the screen next to airplane mode has disappeared? Last week, when I did have a connection, none of my browsers worked. I have IE, Edge, Firefox and Chrome.

#7 nasdaq

  • Malware Response Team
  • 38,569 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:51 AM

Posted 25 October 2016 - 08:29 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.
 
If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===
 
Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.
Please copy the entire contents of the code box below to a new file.
 
start
 
CloseProcesses:
 
cmd: ipconfig /flushdns
cmd: IPCONFIG /release
cmd: IPCONFIG /renew
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
cmd: netsh winsock reset catalog
CMD: bitsadmin /reset /allusers
 
End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.
 
Run FRST and click Fix only once and wait.
 
Restart the computer normally to reset the registry.
 
The tool will create a log (Fixlog.txt) please post it to your reply.
===
 
If you are still not able to use the internet, download and run this tool.

Check mark the following boxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List last 10 Event Viewer log
  • List content of Hosts
  • List IP Configuration
  • List Winsock Entries
  • Click Go and copy/paste the log (MTB.txt) into your next post.
  • Note: When using the "Reset FF Proxy Settings" option, Firefox should be closed.
 
 
Post the logs and let me know if the internet is back.
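The fixlist above resets the DNS cache, the DHCP lease, the firewall policy, the Winsock catalog and the TCP/IP stack, and the second tool reports proxy settings and the hosts file. It is worth recording those settings before resetting them, because a browser-hijacking infection usually breaks browsing through exactly one of them: a WinINET or WinHTTP proxy pointed at a dead address, a PAC URL, a rewritten hosts file, rogue DNS servers, or a Winsock layered provider whose DLL has since been deleted (removing a provider's DLL without unregistering it is one way to lose connectivity entirely, which is what "netsh winsock reset" repairs). The script below is an added example; it is not part of the thread or of Farbar's tools, and it only reads. The registry keys and profile paths are the standard Windows 10 locations; nothing specific to this laptop is assumed.

```powershell
# Added example (not from the thread): report, without changing, the network
# settings that browser hijackers tamper with and that the fixlist resets.
# Run from an elevated Windows PowerShell 5.1 prompt on the affected machine.

# 1. WinINET proxy (used by IE/Edge/Chrome, and by Firefox when set to
#    "use system proxy") for the current user, and the WinHTTP proxy used
#    by services such as Windows Update.
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
"== WinINET proxy (HKCU)"
Get-ItemProperty -Path $inet |
    Select-Object ProxyEnable, ProxyServer, AutoConfigURL, ProxyOverride | Format-List
"== WinHTTP proxy"
netsh winhttp show proxy

# 2. Chrome policy-pinned proxy and force-installed extensions (HKLM and HKCU).
"== Chrome policies"
foreach ($k in 'HKLM:\SOFTWARE\Policies\Google\Chrome', 'HKCU:\SOFTWARE\Policies\Google\Chrome') {
    if (Test-Path -Path $k) {
        Get-ItemProperty -Path $k | Select-Object ProxyMode, ProxyServer, ProxyPacUrl | Format-List
        Get-ItemProperty -Path "$k\ExtensionInstallForcelist" -ErrorAction SilentlyContinue |
            Select-Object * -ExcludeProperty PS* | Format-List
    }
}

# 3. Firefox proxy prefs in every profile's prefs.js / user.js.
"== Firefox network.proxy.* prefs"
Get-ChildItem -Path "$env:APPDATA\Mozilla\Firefox\Profiles\*\prefs.js",
                    "$env:APPDATA\Mozilla\Firefox\Profiles\*\user.js" -ErrorAction SilentlyContinue |
    Select-String -Pattern 'network\.proxy\.' | Select-Object Filename, Line

# 4. Hosts file: active entries that point somewhere other than loopback.
"== Non-loopback hosts entries"
Get-Content -Path "$env:SystemRoot\System32\drivers\etc\hosts" |
    Where-Object { $_ -match '^\s*[0-9a-fA-F:.]+\s+\S' -and $_ -notmatch '^\s*(127\.\d+\.\d+\.\d+|::1)\s' }

# 5. DNS servers actually configured per adapter (hijackers set rogue ones).
"== DNS servers"
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias, ServerAddresses

# 6. Winsock catalog: every provider DLL. On a clean Windows 10 these all
#    live under System32 (mswsock.dll, NLAapi.dll, napinsp.dll, pnrpnsp.dll,
#    winrnr.dll, wshbth.dll); anything else is a layered provider to check.
"== Winsock provider DLLs"
netsh winsock show catalog |
    Where-Object { $_ -match 'Provider Path' } |
    ForEach-Object { ($_ -split ':\s+', 2)[1] } |
    Sort-Object -Unique
```

Save the output to a file on the USB stick before running the fixlist; if connectivity does not return after the reset, the "before" values (in particular a proxy address or a provider DLL path that no longer exists) are the first thing to compare against.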
 


#8 phant0m2017
  • Topic Starter
  • Members
  • 26 posts
  • OFFLINE
  • Local time:10:51 AM

Posted 25 October 2016 - 10:36 AM

Hi there. I'm still using Notepad on my parents' computer and pasting the contents of the code box into it, then transferring onto a USB stick, then onto the problem laptop. The new fixlist.txt file is on my desktop now alongside the other files as well as the Farbar tool.
I clicked Fix once, when the tool opened. As it was running, a box appeared saying: ipconfig.exe - System Error. The program can't start because DNSAPI.dll is missing from your computer. Try reinstalling the program to fix this problem?
When Farbar had created the Fixlog.txt and restarted, I copied this Notepad log over onto the USB stick and posted it here using my parents' computer.
I'm also getting a box popping up in the bottom right corner saying: you need to fix your Microsoft account for apps on your other devices to be able to launch.
I did not understand all after "check mark the following boxes"?
I still have no internet on the laptop.

Attached Files


Edited by phant0m2017, 25 October 2016 - 10:39 AM.


#9 nasdaq

  • Malware Response Team
  • 38,569 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:51 AM

Posted 26 October 2016 - 08:35 AM

The following helper DLL cannot be loaded: NETIOHLP.DLL.
The following helper DLL cannot be loaded: NSHIPSEC.DLL.
The following helper DLL cannot be loaded: WLANCFG.DLL.

An error occurred while attempting to contact the Windows Firewall service. Make sure that the service is running and try your request again.


If the firewall is running, I suggest you re-install the router.

If the internet is still not available, please check with the Internet Provider. It may just be that your modem or router is NOT defective.

===

While you check with your provider please run this search and post the log for my review.

Please run the Farbar Recovery Scan Tool. Enter dnsapi.dll;NETIOHLP.DLL;NSHIPSEC.DLL;WLANCFG.DLL in the Search Box and hit the File Search button.
Post the content of the Search.txt in your next reply.

<<<>>>

P.S.
If you can, bypass the router by connecting with a wire from your computer to the modem.
If that works, then possibly your router must be reset or is damaged.

#10 phant0m2017
  • Topic Starter
  • Members
  • 26 posts
  • OFFLINE
  • Local time:10:51 AM

Posted 26 October 2016 - 09:01 AM

Hi there, here is the search file.

Attached Files



#11 phant0m2017
  • Topic Starter
  • Members
  • 26 posts
  • OFFLINE
  • Local time:10:51 AM

Posted 26 October 2016 - 09:06 AM

I don't think it's a router problem, as everything in the household that is Wi-Fi is using it without a problem.
The firewall is not running though, and I can't seem to turn it on? I get this message: error opening the Firewall with Advanced Security snap-in.
Error code 0x6D9: Windows Firewall with Advanced Security snap-in failed to load. Restart the Windows Firewall service on the computer you are managing.

#12 nasdaq

  • Malware Response Team
  • 38,569 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:51 AM

Posted 26 October 2016 - 09:41 AM

I understand, run this tool.

Download Farbar's Service Scanner utility
http://www.bleepingcomputer.com/download/farbar-service-scanner/dl/62/
and Save to your Desktop.
If using Windows 7 or Vista, Right-Click on fss.exe and select Run As Administrator.
If using XP, double-click to start.
Answer Yes to ok when prompted.
If your firewall then puts out a prompt, again, allow it to run.
Once FSS is on-screen, be sure the following items are checkmarked:
  • Internet Services
  • Windows Firewall
  • System Restore
  • Security Center/Action Center
  • Windows Update
  • Windows Defender

Click on "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Copy & Paste contents of FSS.txt into your reply.
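The 0x6D9 snap-in error in post #11 and the "unable to contact the Windows Firewall service" line in the Fixlog both say the same thing: MpsSvc, and usually its dependency the Base Filtering Engine (BFE), is not running. Farbar Service Scanner checks the state, start type and binary of those services together with the networking, Security Center, Windows Update and Defender services. The PowerShell below, added here and not part of the thread or of FSS, performs the same check without the tool: for each service it shows the state, start type, ImagePath and ServiceDll, and whether the DLL is actually on disk, which is what stops an svchost-hosted service once a system file such as dnsapi.dll has gone missing. It also lists the policy values that keep Windows Defender switched off. Service names are the standard Windows 10 ones; nothing else is assumed.

```powershell
# Added example (not from the thread or from FSS): service health check for the
# firewall/networking/security services. Run elevated on Windows 10 / PS 5.1.

$services = 'BFE', 'MpsSvc', 'Dnscache', 'Dhcp', 'nsi', 'NlaSvc', 'WlanSvc',
            'wscsvc', 'WinDefend', 'wuauserv', 'BITS', 'EventLog'
$startNames = @{ 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

$report = foreach ($n in $services) {
    $svc = Get-Service -Name $n -ErrorAction SilentlyContinue
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$n"
    $reg = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $dll = (Get-ItemProperty -Path "$key\Parameters" -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll) }
    $img = $reg.ImagePath
    if ($img) {
        # strip quotes and the "-k group" arguments so only the executable path remains
        $img = ($img -replace '^"([^"]+)".*$', '$1') -replace '\s+-k\s+.*$', ''
        $img = [Environment]::ExpandEnvironmentVariables($img)
    }
    [pscustomobject]@{
        Service    = $n
        Status     = if ($svc) { [string]$svc.Status } else { 'MISSING' }
        StartType  = if ($reg -and $reg.Start -ne $null) { $startNames[[int]$reg.Start] } else { 'MISSING' }
        Image      = $img
        ImageOK    = if ($img) { Test-Path -LiteralPath $img } else { $null }
        ServiceDll = $dll
        DllOK      = if ($dll) { Test-Path -LiteralPath $dll } else { $null }
    }
}
$report | Format-Table -AutoSize

# The firewall cannot start unless BFE is running, and every svchost-hosted
# service above needs its ServiceDll present; list the ones that should be up.
"== Services set to Automatic that are not running"
$report | Where-Object { $_.StartType -eq 'Automatic' -and $_.Status -ne 'Running' } |
    Select-Object Service, Status, Image, ImageOK, ServiceDll, DllOK

# Policy values that keep Windows Defender disabled even when WinDefend is
# otherwise healthy.
"== Windows Defender policy overrides"
foreach ($k in 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender',
               'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection') {
    $p = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if ($p) { $p | Select-Object @{ n = 'Key'; e = { $k } }, DisableAntiSpyware, DisableRealtimeMonitoring }
}
```

A service whose ServiceDll exists but which still will not start is normally failing on one of that DLL's own imports; the System event log (source Service Control Manager) names the dependency, and that is the place to look before copying anything into System32.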

#13 phant0m2017
  • Topic Starter
  • Members
  • 26 posts
  • OFFLINE
  • Local time:10:51 AM

Posted 26 October 2016 - 09:54 AM

OK... here is the FSS file.

Attached Files

  • Attached File  FSS.txt   3.82KB   1 downloads


#14 nasdaq

  • Malware Response Team
  • 38,569 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:51 AM

Posted 26 October 2016 - 12:40 PM

ATTENTION!=====> C:\Windows\System32\dnsapi.dll FILE IS MISSING.

Let's see if you have a good copy on the hard disk that we can use.

Please run the Farbar Recovery Scan Tool. Enter dnsapi.dll in the Search Box and hit the File Search button.
Post the content of the Search.txt in your next reply.
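Posts #9 and #14 narrow the network failure down to a missing C:\Windows\System32\dnsapi.dll, and the FRST file search looks for other copies of it on the disk. The script below is an added example, not part of the thread or of FRST, that does the same search by hand and adds the two checks you want before copying anything back: whether each candidate is the 64-bit build (the copies under SysWOW64 and in wow64_/x86_ component-store folders are 32-bit and cannot be loaded by the 64-bit processes that use System32), and whether it is a signed OS binary from the same 10.0.xxxxx build as the running system. It assumes Windows 10 / Windows PowerShell 5.1; the only file name it relies on is the one the thread identified.

```powershell
# Added example (not from the thread or from FRST): locate candidate copies of
# a missing System32 DLL and check architecture, version and signature before
# any of them is copied back. Run elevated; this script itself copies nothing.

$name    = 'dnsapi.dll'                                  # file identified in the thread
$target  = Join-Path -Path $env:SystemRoot -ChildPath "System32\$name"
$osBuild = [Environment]::OSVersion.Version              # e.g. 10.0.14393.0 on this release

"Present in System32: $(Test-Path -LiteralPath $target)"

# Candidate copies live in the component store (one per servicing level) and
# in SysWOW64 (32-bit build only).
$roots = "$env:SystemRoot\WinSxS", "$env:SystemRoot\SysWOW64"
$candidates = Get-ChildItem -Path $roots -Filter $name -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $vi  = $_.VersionInfo
        $ver = [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
        $arch = switch -Regex ($_.FullName) {
            '\\amd64_'                     { 'amd64'; break }
            '\\(x86_|wow64_)|\\SysWOW64\\' { 'x86';   break }
            default                        { 'unknown' }
        }
        [pscustomobject]@{
            Path       = $_.FullName
            Arch       = $arch
            Version    = $ver                            # System.Version, sorts numerically
            IsOSBinary = $sig.IsOSBinary
            SigStatus  = $sig.Status
        }
    }

"== All copies found"
$candidates | Sort-Object Arch, Version -Descending | Format-Table -AutoSize

# The only copies worth considering for an x64 System32 are 64-bit, signed
# OS binaries whose major.minor.build matches the running OS.
"== Usable replacements for $target"
$candidates | Where-Object {
    $_.Arch -eq 'amd64' -and $_.IsOSBinary -and $_.SigStatus -eq 'Valid' -and
    $_.Version.Major -eq $osBuild.Major -and $_.Version.Minor -eq $osBuild.Minor -and
    $_.Version.Build -eq $osBuild.Build
} | Sort-Object Version -Descending | Select-Object Path, Version
```

The supported way to put the file back is "sfc /scannow", which restores it from the same component store this script searches; "DISM /Online /Cleanup-Image /RestoreHealth" without a /Source argument needs Windows Update, which a machine with no connectivity cannot reach. Copying the newest matching amd64 candidate by hand is the fallback when SFC cannot run, and even then the file should be copied, never moved, so the component store stays intact.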

#15 phant0m2017
  • Topic Starter
  • Members
  • 26 posts
  • OFFLINE
  • Local time:10:51 AM

Posted 26 October 2016 - 01:04 PM

Hi there, here is the file you asked for.

Attached Files





