Possible Virus Infection on PC. Need Assistance


  • This topic is locked
4 replies to this topic

#1 1Jake

  • Members
  • 2 posts
Posted 02 August 2017 - 07:02 PM

Hello Bleeping Computer Mods,

 

Two nights ago I was searching for the best Russian University to study in within Russia and clicked on www(dot)mgu-russian(dot)com thinking it was legitimate. My Norton Security stopped the intrusion attempt from an ertovnya(dot)info with a long hash and IP. I've stopped all normal use until I can get a specialist to verify if this PC is clean. With the advancements of Russian malware I worry I may be compromised.

 

I have attempted to run FRST on Windows 10 64-bit Pro but cannot install or run it, since it returns "A referral was returned from the server". It is on the desktop, and yes, I have searched for a solution, but it appears there is none that I can find.


Edited by 1Jake, 02 August 2017 - 07:03 PM.



#2 nasdaq

  • Malware Response Team
  • 38,934 posts
  • Location: Montreal, QC, Canada

Posted 04 August 2017 - 06:38 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Malwarebytes Anti-Rootkit

Please download Malwarebytes Anti-Rootkit BETA (https://www.malwarebytes.com/antirootkit) and save it to your Desktop.
  • Right-click on the icon and select Run as administrator to start the extraction of the program;
  • Click Yes to accept the security warning that may appear;
  • Click OK to extract it to your Desktop (MBAR will be launched shortly after the extraction);
  • Click on Next, and then on the Update button to let it update its database. Once the database has been successfully updated, click on Next;
  • Make sure all the checkboxes are checked, then click on the Scan button, and let it complete its scan (this can take a while);
  • Once the scan is done, if threats are found, make sure that every item is checked, and click on the Cleanup button (a reboot might be required);
  • After that (and the reboot, if one was required), go back in the mbar folder and look for a text file called mbar-log-TODAY'S-DATE.txt;
  • Please copy and paste the entire content of that log in your next reply;
If you have any problems running either one, come back and let me know.
===

After a restart, run the Farbar program as an Administrator.

Post the FRST and the Addition.txt logs if you have them.

#3 1Jake (Topic Starter)

  • Members
  • 2 posts

Posted 04 August 2017 - 02:43 PM

Hello Nasdaq,

 

I've done the scan and it showed nothing. I attempted to run the Farbar program and it still shows the same issue. 

 

One question - is there a better way to post the logs of farbar (when it finally works of course). It seems to me, when checking other threads, that it is way too personal to post things like that to the public.

 

Attached below is the log.

 

Malwarebytes Anti-Rootkit BETA 1.9.3.1001
www.malwarebytes.org
 
Database version:
  main:    v2017.08.04.11
  rootkit: v2017.08.02.01
 
Windows 10 x64 NTFS
Internet Explorer 11.483.15063.0
RMoskvaCWA :: DESKTOP-T91R955 [administrator]
 
8/4/2017 2:57:51 PM
mbar-log-2017-08-04 (14-57-51).txt
 
Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled: 
Objects scanned: 284920
Time elapsed: 28 minute(s), 3 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 0
(No malicious items detected)
 
Physical Sectors Detected: 0
(No malicious items detected)
 
(end)


#4 nasdaq

  • Malware Response Team
  • 38,934 posts
  • Location: Montreal, QC, Canada

Posted 05 August 2017 - 08:15 AM

Hi,
 

One question - is there a better way to post the logs of farbar (when it finally works of course). It seems to me, when checking other threads, that it is way too personal to post things like that to the public.


You can replace your personal name with XXXX.
The only drawback is that you will have to change the XXXX back in any fixes we provide, so that the computer will be able to delete the paths/folders/names that have been changed.

===

Try to run this cleaning tool.

Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
createsrpoint;
autoclean;
emptyclsid;
emptyffcache;
FFdefaults;
emptyiecache;
iedefaults;
emptychrcache;
CHRdefaults;
emptyalltemp;
emptyfolderscheck;delete
ipconfig /flushdns;b
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run all the script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.
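The redaction nasdaq describes above (swap the account name for XXXX before posting, then swap it back in any fix you are given) is easy to get wrong by hand, because the name appears in many forms (profile lines, `C:\Users\<name>\...` paths in several letter cases) and any leftover occurrence defeats the purpose. The script below is an added example, not a BleepingComputer, Farbar or Malwarebytes tool. It follows the XXXX convention from the post; the sample log and fix lines are constructed to resemble the shape of FRST/MBAR output, and covering the computer name and checking for leftover occurrences goes beyond what the post describes.

```python
"""Redact an account name (and computer name) from a scan log before posting it,
and reverse the substitution in a fix script written against the redacted log.

Added example for this thread, not part of FRST, MBAR or any BleepingComputer
tool.  SAMPLE_MAPPING, SAMPLE_LOG and SAMPLE_FIX are constructed test data.
"""
import re

# real value -> placeholder.  Keep this mapping on your own machine only.
SAMPLE_MAPPING = {
    "JohnDoe": "XXXX",             # Windows account name (hypothetical)
    "DESKTOP-AB12CD3": "XXXX-PC",  # computer name (hypothetical)
}

# Constructed lines in the general shape of FRST/MBAR output.
SAMPLE_LOG = """\
Ran by JohnDoe (administrator) on DESKTOP-AB12CD3 (04-08-2017 14:57:51)
Loaded Profiles: JohnDoe (Available Profiles: JohnDoe)
C:\\Users\\johndoe\\AppData\\Local\\Temp\\setup.exe
HKU\\S-1-5-21-111-222-333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run: [Updater] => C:\\Users\\JohnDoe\\updater.exe
JohnDoe2 is a different account and must not be touched
"""

# Constructed fix text, as a helper would write it against the redacted log.
SAMPLE_FIX = """\
C:\\Users\\XXXX\\AppData\\Local\\Temp\\setup.exe
C:\\Users\\XXXX\\updater.exe
"""


def _pattern(name: str) -> "re.Pattern[str]":
    # Match the name only as a whole token: "JohnDoe" is redacted, but
    # "JohnDoe2" (a different account) is left alone.  Windows compares
    # account names and paths case-insensitively, so "johndoe" in a path
    # must match as well.
    return re.compile(
        r"(?<![A-Za-z0-9_-])" + re.escape(name) + r"(?![A-Za-z0-9_-])",
        re.IGNORECASE,
    )


def redact(text: str, mapping: dict) -> str:
    """Replace every real value in `mapping` with its placeholder."""
    for real, placeholder in mapping.items():
        text = _pattern(real).sub(placeholder, text)
    return text


def restore(text: str, mapping: dict) -> str:
    """Undo redact() on a fix script so paths like C:\\Users\\XXXX\\... resolve.

    This is the 'drawback' step from the post: run it on the fix you receive
    before feeding the fix to the tool."""
    for real, placeholder in mapping.items():
        text = _pattern(placeholder).sub(real, text)
    return text


def leaks(text: str, mapping: dict) -> list:
    """Return the real values that still appear in `text`.

    Run this on the redacted log before posting; an empty list is the pass
    condition.  It only checks the values you listed, so still read the log
    for other identifiers (SIDs, e-mail addresses, IP addresses)."""
    return [real for real in mapping if _pattern(real).search(text)]


if __name__ == "__main__":
    redacted = redact(SAMPLE_LOG, SAMPLE_MAPPING)
    print(redacted)
    print("leaked:", leaks(redacted, SAMPLE_MAPPING))
    print(restore(SAMPLE_FIX, SAMPLE_MAPPING))
```

Fill in the mapping with your own account and computer name, run `redact` on the FRST, Addition and MBAR logs, and confirm `leaks` returns an empty list before posting. When a fix comes back, run `restore` on it and paste the result into the tool; otherwise it will try to delete `C:\Users\XXXX\...`, which does not exist. The token-boundary matching means an account name that is a prefix of another (JohnDoe versus JohnDoe2) is handled, but a name that also appears as an ordinary word in the log will be redacted wherever it occurs, so read the redacted output once before posting.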

#5 nasdaq

  • Malware Response Team
  • 38,934 posts
  • Location: Montreal, QC, Canada

Posted 11 August 2017 - 06:42 AM

Are you still with me?
