
There and back again. Infection and trying to fix.


11 replies to this topic

#1 saekalive (Members, 20 posts)

Posted 02 February 2017 - 10:23 AM

Back again with more stuff, but ESET didn't catch this, because of idiocy. Brother was trying to install some antivirus on my computer (ESET specifically), but he didn't use the proper link and ended up putting a trojan on my laptop. Everything has been cleaned and removed that I know of, but I have some odd happenings from the scraps that I think the programs left behind.

Issues:

Reinstalled Chrome after it was infected by said program. The current version works fine for loading links, but anything involving a search engine yields no results; it only says "x results found in x seconds" but gives no links. And Windows will not let me set Chrome as the default browser.

When Chrome was infected, it would redirect to a broken file in the Chrome directories and just display a grey browser with nothing on it.

Tests and Fixes Run:
(Since I had issues before, I've run and tried a lot of the methods from before.)
Malwarebytes
ESET scan and clean
FRST (logs below)
AdwCleaner from Malwarebytes

I also have HitmanPro available to run, but I wanted to wait off.

Here are the logs today.

Attached File: FRST.txt (61.94KB)
Attached File: Addition.txt (69.08KB)

Edit: Merged two posts and the reply to one into a single thread. This was for the sake of continuity and possible confusion of different helpers picking up related posts. ~ Animal


#2 saekalive (Topic Starter, Members, 20 posts)

Posted 02 February 2017 - 10:30 AM

Attached File: FRST.txt (61.94KB)
Attached File: Addition.txt (69.08KB)

Long story, but the short thing is brother decided to install "free" security and it was a trojan without my knowing, and now I'm back. Mostly clean computer, but I think I have some remnants left behind that the tools I have didn't clean.

Problems:

Chrome searching yields no results, only says it found them.

Setting Chrome as default browser crashes Settings.

Misc:

Any time I try to run a program as administrator, the file manager window freezes and I have to close it and open it back up to get it to display the Allow box.

I would also like to request that Bezukov handles this case since he was awesome last time and knows my computer from my last case.

Programs available to run:

ESET
Malwarebytes
AdwCleaner by ^^^^
SuperAntiSpyware
HitmanPro



#3 saekalive (Topic Starter, Members, 20 posts)

Posted 02 February 2017 - 12:00 PM

Update. I fixed the Chrome issues by disabling the proxy server for LAN. Still having issues with setting the default browser.



#4 nasdaq (Malware Response Team, 40,749 posts, Montreal, QC, Canada)

Posted 03 February 2017 - 09:26 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click the OK button.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:
RemoveProxy:

HKLM-x32\...\Run: [] => [X]
ProxyEnable: [.DEFAULT] => Proxy is enabled.
ProxyServer: [.DEFAULT] => 127.0.0.1:8003
ProxyEnable: [S-1-5-19] => Proxy is enabled.
ProxyServer: [S-1-5-19] => 127.0.0.1:8003
ProxyEnable: [S-1-5-20] => Proxy is enabled.
ProxyServer: [S-1-5-20] => 127.0.0.1:8003
ProxyEnable: [S-1-5-21-3671988040-2425771200-329971809-1001] => Proxy is enabled.
ProxyServer: [S-1-5-21-3671988040-2425771200-329971809-1001] => 127.0.0.1:8003
HKU\S-1-5-21-3671988040-2425771200-329971809-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.palikan.com/?f=1&a=plk_coinisre_16_39_ssg01&cd=2XzuyEtN2Y1L1Qzu0FtDyByCtC0C0CtDyB0C0EyBtDtCyDtBtN0D0Tzu0StCyBtAyCtN1L2XzutAtFtByEtFtCtAtFtDtN1L1Czu1TtN1L1G1B1V1N2Y1L1Qzu2SyD0DtA0F0CtCtAyDtGyD0E0D0BtG0A0DzztDtGyB0B0CtAtG0D0ByBzztD0B0CyD0A0DyD0D2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0DyBtDtAyCyDzzyEtG0DzzyCtCtGyEzz0C0AtGzyyDtD0CtGyCzytCtD0AzytCzz0ByB0E0C2QtN0A0LzuyE&cr=2052177093&ir=
CHR Extension: (BetterTTV) - C:\Users\Weston\AppData\Local\Google\Chrome\User Data\Default\Extensions\ajopnjidmegmdimjlfnijceegpefgped [2017-02-02]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Weston\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-02-02]
CHR Extension: (Chrome Media Router) - C:\Users\Weston\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-02-02]
CHR HKLM-x32\...\Chrome\Extension: [bhfhojbhbnajajgihpicejdalbjlpcep] - hxxps://clients2.google.com/service/update2/crx
S2 serverss; C:\WINDOWS\Temp\CCBA.tmp [X]
Shortcut: C:\Users\Weston\Desktop\Mimi Music\G??gl? ?hr?m?.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.bat (No File)
Shortcut: C:\Users\Weston\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\St?rt ??r ?r?ws?r.lnk -> C:\Users\Weston\Desktop\Misc\Tor Browser\Browser\firefox.bat (No File)
Shortcut: C:\Users\Weston\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Internet Explorer.lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.bat ()
Shortcut: C:\Users\Weston\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Int?rn?t ??pl?r?r.lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.bat ()
Shortcut: C:\Users\Weston\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\G??gl? ?hr?m?.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.bat (No File)
Shortcut: C:\Users\Weston\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\G??gl? ?hr?m?.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.bat (No File)
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\G??gl? ?hr?m?.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.bat (No File)
2017-02-02 08:21 - 2017-01-29 03:36 - 00015360 _____ () C:\WINDOWS\src_srv\winsrcsrv.exe
FirewallRules: [TCP Query User{30982534-5521-48FC-AD4F-FB8F7F89D5F8}C:\program files (x86)\minecraft\runtime\jre-x64\1.8.0_25\bin\javaw.exe] => C:\program files (x86)\minecraft\runtime\jre-x64\1.8.0_25\bin\javaw.exe
FirewallRules: [UDP Query User{87B7BA9A-F20E-4FD3-8C1D-D39B4633BB14}C:\program files (x86)\minecraft\runtime\jre-x64\1.8.0_25\bin\javaw.exe] => C:\program files (x86)\minecraft\runtime\jre-x64\1.8.0_25\bin\javaw.exe
FirewallRules: [TCP Query User{3197DE31-1597-429D-AAD7-C91C083524BC}C:\users\weston\documents\curse\minecraft\install\runtime\jre-x64\1.8.0_25\bin\javaw.exe] => C:\users\weston\documents\curse\minecraft\install\runtime\jre-x64\1.8.0_25\bin\javaw.exe
FirewallRules: [UDP Query User{12683DA1-1F5D-4D1F-AAE5-AAF842C85608}C:\users\weston\documents\curse\minecraft\install\runtime\jre-x64\1.8.0_25\bin\javaw.exe] => C:\users\weston\documents\curse\minecraft\install\runtime\jre-x64\1.8.0_25\bin\javaw.exe
FirewallRules: [TCP Query User{DC373BE7-759F-4FBE-A87B-CCAADE8B8B4D}C:\program files\java\jre1.8.0_101\bin\javaw.exe] => C:\program files\java\jre1.8.0_101\bin\javaw.exe
FirewallRules: [UDP Query User{2951D03E-44CC-41E6-95FA-CFD278FA8FDF}C:\program files\java\jre1.8.0_101\bin\javaw.exe] => C:\program files\java\jre1.8.0_101\bin\javaw.exe
FirewallRules: [{3E513198-7355-4171-8220-413882502A87}] => C:\Users\Weston\AppData\Local\ddnow.exe
C:\Users\Weston\AppData\Local\ddnow.exe
C:\users\weston\documents\curse\minecraft\install\runtime\jre-x64\1.8.0_25
C:\program files\java\jre1.8.0_101

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.

Please let me know what problem persists with this computer.
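As an added defender's example, not part of nasdaq's fixlist or of the FRST/Zoek tools: a read-only PowerShell audit for the three patterns the fixlist above targets, namely a proxy forced to 127.0.0.1:8003 in every user hive, browser shortcuts retargeted to .bat files that no longer exist, and firewall allow rules for executables under AppData\Local or Temp. It assumes Windows 8/10 with the NetSecurity module and an elevated prompt; the function names are my own.

```powershell
# Read-only audit script (added example, not from the thread). It reports and changes nothing.
# Assumes an elevated Windows PowerShell 5.1 session with the NetSecurity module present.

# 1. Per-profile proxy settings. The FRST fixlist showed ProxyEnable=1 and 127.0.0.1:8003 in
#    .DEFAULT, S-1-5-19, S-1-5-20 and the user's SID, so every loaded hive is inspected.
function Get-HiveProxySettings {
    $hives = Get-ChildItem Registry::HKEY_USERS -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -notlike '*_Classes' }
    foreach ($h in $hives) {
        $key = "Registry::HKEY_USERS\$($h.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($p -and $p.ProxyEnable -eq 1) {
            [pscustomobject]@{ Hive = $h.PSChildName; ProxyServer = $p.ProxyServer }
        }
    }
}

# 2. Shortcuts whose target is a browser-named .bat (chrome.bat, iexplore.bat, firefox.bat).
#    Matching on the target, not the shortcut name, matters: the infected shortcuts in the log
#    used look-alike characters in their names (G??gl? ?hr?m?.lnk), so a name filter would miss them.
function Get-SuspiciousBrowserShortcuts {
    param([string[]]$Roots = @("$env:USERPROFILE", "$env:ProgramData\Microsoft\Windows\Start Menu"))
    $shell = New-Object -ComObject WScript.Shell
    Get-ChildItem -Path $Roots -Filter *.lnk -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $target = $shell.CreateShortcut($_.FullName).TargetPath
        if ($target -match '\\(chrome|iexplore|firefox)\.bat$') {
            [pscustomobject]@{ Shortcut = $_.FullName; Target = $target; TargetExists = (Test-Path $target) }
        }
    }
}

# 3. Enabled allow rules whose program lives in AppData\Local or a Temp directory, the pattern
#    behind the ddnow.exe and installer.exe rules in the logs. Legitimate per-user installs
#    (the Minecraft runtime rules) will also show up, so review rather than delete blindly.
function Get-UserDirFirewallRules {
    Get-NetFirewallRule -Action Allow -Enabled True -ErrorAction SilentlyContinue | ForEach-Object {
        $app = ($_ | Get-NetFirewallApplicationFilter).Program
        if ($app -match '\\AppData\\Local\\|\\Temp\\') {
            [pscustomobject]@{ Rule = $_.DisplayName; Direction = $_.Direction; Program = $app }
        }
    }
}

Get-HiveProxySettings          | Format-Table -AutoSize
Get-SuspiciousBrowserShortcuts | Format-Table -AutoSize
Get-UserDirFirewallRules       | Format-Table -AutoSize
```

A shortcut whose target is a .bat that no longer exists (TargetExists false) matches the "(No File)" entries FRST reported and is the clearest sign of leftover redirection.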

#5 saekalive (Topic Starter, Members, 20 posts)

Posted 06 February 2017 - 08:26 AM

Here you go. Sorry for the long wait.

2 things that are issues that have popped up:

When booting up my computer after the restart, I was redirected to this website (DO NOT CLICK):

http://ic-dc.deliverydlcenter.com/pr/72e8e276-8bc5-11e6-a5ec-0695da005429/typ_1.html

It was blocked by ESET, which I am thankful for.

Another thing that is very odd is after putting my computer in sleep mode, I booted it up once I got to my destination and it loaded up fine, but the taskbar was frozen, and Cortana was stuck open. When I pressed Escape, she closed and left a blank space where the search bar was supposed to be. I then hard rebooted the computer, having no way to turn it off otherwise; it booted back up with tan bars and raw HTML where the Razer loading screen should be. I have not turned the computer off yet, nor am I going to try to. Here is the fixlog from last time.

Attached File: Fixlog.txt (12.01KB)

#6 nasdaq (Malware Response Team, 40,749 posts, Montreal, QC, Canada)

Posted 06 February 2017 - 08:49 AM



Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
createsrpoint;
autoclean;
emptyclsid;
emptyffcache;
FFdefaults;
emptyiecache;
iedefaults;
emptychrcache;
CHRdefaults;
emptyalltemp;
emptyfolderscheck;delete
ipconfig /flushdns;b
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run all the script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.
===

--RogueKiller--
  • Download & SAVE to your Desktop Download RogueKiller
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator"
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a window opens to explain what [PUM's] are, read about it.
  • Click the RogueKiller icon on your taskbar to return to the report.
  • Click open the Report
  • Click Export TXT button
  • Save the file as ReportRogue.txt
  • Click the Remove button to delete the items in RED
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next reply.
=======

Also, please post the logs and provide an update on how the computer is behaving after running the above script.

#7 saekalive (Topic Starter, Members, 20 posts)

Posted 06 February 2017 - 04:05 PM

Attached File: ReportRogue.txt (8.59KB)
Attached File: zoek-results.txt (6.39KB)



#8 nasdaq (Malware Response Team, 40,749 posts, Montreal, QC, Canada)

Posted 07 February 2017 - 08:27 AM


Please run the RogueKiller tool and remove these entries.

¤¤¤ Registry : 15 ¤¤¤
[PUP.PennyBee] (X64) HKEY_LOCAL_MACHINE\Software\Jidd -> Found
[PUP.PennyBee] (X86) HKEY_LOCAL_MACHINE\Software\Jidd -> Found
[PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\mybeesearch -> Found
[PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-3671988040-2425771200-329971809-1001\Software\IM -> Found
[PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-3671988040-2425771200-329971809-1001\Software\IM -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {A7F3256E-25A6-4825-921C-09C72E37CB09} : v2.26|Action=Allow|Active=TRUE|Dir=Out|App=C:\Users\Weston\AppData\Local\Temp\A6605C10-586D-416B-A668-6FEA548A9F32\installer.exe|Name=C27862909|Desc=Allow|EmbedCtxt=@C:\Users\Weston\AppData\Local\Temp\A6605C10-586D-416B-A668-6FEA548A9F32\installer.exe,-10000| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {CD5FFF1E-2892-46B4-AEB7-C76BB1AEB812} : v2.26|Action=Allow|Active=TRUE|Dir=Out|App=C:\Users\Weston\AppData\Local\27862909.exe|Name=A27862909|Desc=Allow|EmbedCtxt=@C:\Users\Weston\AppData\Local\27862909.exe,-10000| [x] -> Found
[PUP.Gen1] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {3E518560-47D3-4882-B891-26E44E85FA1A} : v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Program Files (x86)\Itibiti Soft Phone\Itibiti.exe|Name=Itibiti.exe| [x] -> Found
[PUP.Gen1] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {E7273DAA-A4FB-40E4-B803-90FCE87B64C2} : v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Program Files (x86)\Itibiti Soft Phone\Itibiti.exe|Name=Itibiti.exe| [x] -> Found



===


How is the computer running now?

#9 saekalive (Topic Starter, Members, 20 posts)

Posted 07 February 2017 - 09:40 AM

Okay. I am having a hell of a morning. Shut my computer down for my morning commute and then booted it up to this. Thanks for the help in advance.

Attached File: 0207170936a.jpg (56.4KB)

#10 saekalive (Topic Starter, Members, 20 posts)

Posted 07 February 2017 - 09:41 AM

After this it loaded up fine. Switching back to my laptop to run your script.

#11 saekalive (Topic Starter, Members, 20 posts)

Posted 09 February 2017 - 10:46 AM

Don't know if you are waiting on a keyword or me to say that I deleted those entries, which I did, but anyways. Loaded up today to a frozen taskbar and system processes not working well. Currently running sfc /scannow in CMD to find corrupt system files. Any help would be appreciated.



#12 nasdaq (Malware Response Team, 40,749 posts, Montreal, QC, Canada)

Posted 10 February 2017 - 08:45 AM


Try to boot to Safe Mode with Networking and run this if you can.
I suspect a bad video driver, or your video card is going bad.

How to detect vulnerable and out-dated programs using Secunia Personal Software Inspector (PSI)
Follow the instructions on this page.

http://www.bleepingcomputer.com/tutorials/detect-vulnerable-programs-with-secunia-psi/

Run the application and update all the programs/drivers that need to be updated.

P.S.

Secunia will start looking for new updates every time you boot the system.
This is overkill. When all is well you can remove it using the Add/Remove Programs applet.
===



