trojanmana

I think I have a browser virus


Hi,

1. Download [url=http://support.kaspersky.com/downloads/utils/tdsskiller.zip]TDSSKiller[/url] and extract its contents into a folder in desired location (i.e. c:\tdsskiller).
2. Execute the file TDSSKiller.exe.
3. Click Start Scan. If threats are found, select [b]skip[/b] and click Continue (tool may prompt for a reboot).
4. Post back contents of log file in c: drive root (name should be in UtilityName.Version_Date_Time_log.txt format)

Hi again,


Open notepad and copy/paste the text in the quotebox below into it:

[code]
RegLockDel::
[HKEY_USERS\S-1-5-21-1159727113-3215902153-4262205293-1000_Classes\Wow6432Node\CLSID\{5e7d6feb-2e5f-4fa9-9136-f76b06546311}]
[HKEY_USERS\S-1-5-21-1159727113-3215902153-4262205293-1000_Classes\Wow6432Node\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
[/code]


Save this as [b]CFScript[/b]

[COLOR=#ff0000][B]A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.[/B][/COLOR]

[img]http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif[/img]

Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe (let the tool update itself if prompted).
Then post the resultant log.


Uninstall vulnerable [b]Flash[/b] versions by following instructions [url=http://kb2.adobe.com/cps/141/tn_14157.html]here[/url]. A fresh version can be obtained [url=http://get.adobe.com/flashplayer/]here[/url].


[b][color=blue]Your Java is out of date.[/color][/b] Older versions have vulnerabilities that malware can use to infect your system. [b]Please follow these steps to remove older version Java components and update to the latest version...[/b]

[b][color=blue]Updating Java:[/color][/b]
[list]
[*]Download the latest version of [b][URL=http://www.oracle.com/technetwork/java/javase/downloads/index.html]Java Runtime Environment (JRE) 7 Update 1[/URL][/b].
[*]Click the [b]Download[/b] button to the right.
[*]Select Windows on platform combobox and check the box that says: [b][i]Accept License Agreement[/i][/b]. Click continue.
[*]The page will refresh.
[*]Click on the link to download [i]Windows Offline Installation[/i] with or without Multi-language and save to your desktop.
[*]Close any programs you may have running - especially your web browser.
[*]Go to [b]Start[/b] > [b]Control Panel[/b] double-click on [b]Add/Remove[/b] programs and remove all older versions of Java.
[*]Check any item with Java Runtime Environment (JRE or J2SE) in the name.
[*]Click the [b]Remove[/b] or [b]Change/Remove[/b] button.
[*]Repeat as many times as necessary to remove each Java version.
[*]Reboot your computer once all Java components are removed.
[*]Then from your desktop double-click on [b]jre-7u1-windows-i586.exe[/b] to install the newest version. Uncheck Carbonite online backup trial if it's offered there.[/list]

* Go [url=http://www.eset.eu/online-scanner][color=red][b][u]here[/u][/b][/color][/url] to run an online scanner from ESET.[list]
[*][color=red][b]Note:[/b][/color] You will need to use [color=blue][b]Internet explorer[/b][/color] for this scan
[*]Tick the box next to [b]YES, I accept the Terms of Use.[/b]
[*]Click [b]Start[/b]
[*]When asked, allow the activex control to install
[*]Click [b]Start[/b]
[*]Make sure that the option [b]Remove found threats[/b] is UNchecked and the option [b]Scan unwanted applications[/b] is checkmarked.
[*]Click [b]Scan[/b]
[*]Wait for the scan to finish.
[/list]


Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log. Any issues left?

Hi,

Was ESET able to finish its scan? Did it show any items in results? That ESET-related log looked a bit odd.

My Advanced System Optimizer is finding infections.

[color="10478a"][b]trojan-backdoor.bifrose[/b][/color][color="c00a0a"] (Backdoor[/color])
[b][color="10478a"]Status [/color][/b]: Quarantined

[b]Infected registry keys/values detected[/b] hkey_current_user\software\wget [color="10478a"][b]trojan-spy.banker[/b][/color][color="c00a0a"] (Trojan Spy[/color])
[b][color="10478a"]Status [/color][/b]: Quarantined

[b]Infected registry keys/values detected[/b] hkey_local_machine\system\currentcontrolset\services\catchme hkey_local_machine\system\currentcontrolset\services\catchme!type hkey_local_machine\system\currentcontrolset\services\catchme!errorcontrol hkey_local_machine\system\currentcontrolset\services\catchme!start hkey_local_machine\system\currentcontrolset\services\catchme!imagepath hkey_local_machine\system\currentcontrolset\services\catchme!group [color="10478a"][b]monitoring.employees-pc-monitor[/b][/color][color="c00a0a"] (Monitoring Tool[/color])
[b][color="10478a"]Status [/color][/b]: Quarantined

[b]Infected registry keys/values detected[/b] hkey_users\s-1-5-18\software\microsoft\windows\currentversion\policies\system [color="10478a"][b]trojan.downloader[/b][/color][color="c00a0a"] (Trojan[/color])
[b][color="10478a"]Status [/color][/b]: Quarantined

[b]Infected files detected[/b]
[b]FileName: [/b]c:\windows\erdnt\cache64\winlogon.exe
[b]MD5: [/b]1151b1baa6f350b1db6598e0fea7c457[b](390656 Bytes)[/b]
[b]Signature[/b]

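An added example, not part of the thread and not code from Advanced System Optimizer: a small Python parser that pulls the detection names, registry keys and file hashes out of a scan report pasted in the BBCode form above, so the helper can see at a glance what was quarantined and which indicators deserve a second look. The report quoted above is embedded as a constructed sample string. Because the forum flattening ran each "Infected registry keys/values detected" line into the next detection header, the parser does not try to guess which keys belong to which detection; it collects them separately. The artefact list (the catchme service and the ERDNT folder) is my assumption about what ComboFix, used earlier in the thread, leaves behind; the thread itself does not say so.

```python
import re
from dataclasses import dataclass, field

# Constructed input: the scanner output quoted in the thread, kept with its
# forum BBCode so the parser has to cope with the markup.
SAMPLE_LOG = r"""
[color="10478a"][b]trojan-backdoor.bifrose[/b][/color][color="c00a0a"] (Backdoor[/color])
[b][color="10478a"]Status [/color][/b]: Quarantined

[b]Infected registry keys/values detected[/b] hkey_current_user\software\wget [color="10478a"][b]trojan-spy.banker[/b][/color][color="c00a0a"] (Trojan Spy[/color])
[b][color="10478a"]Status [/color][/b]: Quarantined

[b]Infected registry keys/values detected[/b] hkey_local_machine\system\currentcontrolset\services\catchme hkey_local_machine\system\currentcontrolset\services\catchme!type hkey_local_machine\system\currentcontrolset\services\catchme!errorcontrol hkey_local_machine\system\currentcontrolset\services\catchme!start hkey_local_machine\system\currentcontrolset\services\catchme!imagepath hkey_local_machine\system\currentcontrolset\services\catchme!group [color="10478a"][b]monitoring.employees-pc-monitor[/b][/color][color="c00a0a"] (Monitoring Tool[/color])
[b][color="10478a"]Status [/color][/b]: Quarantined

[b]Infected registry keys/values detected[/b] hkey_users\s-1-5-18\software\microsoft\windows\currentversion\policies\system [color="10478a"][b]trojan.downloader[/b][/color][color="c00a0a"] (Trojan[/color])
[b][color="10478a"]Status [/color][/b]: Quarantined

[b]Infected files detected[/b]
[b]FileName: [/b]c:\windows\erdnt\cache64\winlogon.exe
[b]MD5: [/b]1151b1baa6f350b1db6598e0fea7c457[b](390656 Bytes)[/b]
"""

BBCODE = re.compile(r'\[/?\w+(?:=[^\]]*)?\]')          # [b], [/color], [color="..."]
DETECTION = re.compile(r'([A-Za-z][\w.\-]*) \(([^)]+)\)\s*$')  # name (category) at line end
REG_KEY = re.compile(r'(hkey_[a-z_]+\\\S+)', re.IGNORECASE)
FILE_NAME = re.compile(r'FileName:\s*(\S+)')
FILE_MD5 = re.compile(r'MD5:\s*([0-9a-fA-F]{32})\((\d+) Bytes\)')

# Assumption (mine, not the thread's): these patterns are left behind by the
# clean-up tools used earlier in the thread (ComboFix's catchme driver and its
# ERDNT backup folder), so a hit on them deserves a second look before deletion.
TOOL_ARTEFACTS = (r'\\services\\catchme', r'\\erdnt\\')


@dataclass
class ScanReport:
    detections: list = field(default_factory=list)    # [name, category, status]
    registry_keys: list = field(default_factory=list)  # key paths as printed
    files: list = field(default_factory=list)          # (path, md5, size)


def strip_bbcode(text):
    """Remove forum markup so the scanner's own text is left."""
    return BBCODE.sub('', text)


def parse_report(text):
    """Turn a pasted scan report into a ScanReport of detections and indicators."""
    report = ScanReport()
    pending_file = None
    for raw in strip_bbcode(text).splitlines():
        line = raw.strip()
        if not line:
            continue
        det = DETECTION.search(line)
        if det:
            report.detections.append([det.group(1), det.group(2), None])
        elif line.startswith('Status') and report.detections:
            # "Status : Quarantined" applies to the most recent detection
            report.detections[-1][2] = line.split(':', 1)[1].strip()
        report.registry_keys.extend(REG_KEY.findall(line))
        name = FILE_NAME.search(line)
        if name:
            pending_file = name.group(1)
        digest = FILE_MD5.search(line)
        if digest and pending_file:
            report.files.append((pending_file, digest.group(1).lower(), int(digest.group(2))))
            pending_file = None
    return report


def triage(report):
    """Return indicators that match the helper-tool artefact patterns."""
    def looks_like_tool(s):
        return any(re.search(p, s, re.IGNORECASE) for p in TOOL_ARTEFACTS)
    suspects = [k for k in report.registry_keys if looks_like_tool(k)]
    suspects += [path for path, _, _ in report.files if looks_like_tool(path)]
    return suspects


if __name__ == '__main__':
    rep = parse_report(SAMPLE_LOG)
    for name, category, status in rep.detections:
        print(f"{name:35} {category:18} {status}")
    print(f"{len(rep.registry_keys)} registry keys, {len(rep.files)} files")
    for hit in triage(rep):
        print("check before deleting:", hit)
```

Running it against the sample lists the four quarantined detections and flags the six catchme service values and the ERDNT copy of winlogon.exe for review; the MD5 and size it extracts are what the later submission step should be compared against.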
Hi,

Open [b]notepad[/b] and copy/paste the text in the codebox below into it:

[code]
@echo off
REM Zip the listed file(s) into Files_for_submission.zip in the current folder.
REM "zip" is a command-line zip tool that must be on the PATH; it is not built into Windows.
for %%g in (
c:\windows\erdnt\cache64\winlogon.exe
) do zip Files_for_submission %%g
REM Delete this batch file once it has run
del %0
[/code]

Save this as [b]grab.bat[/b]
Choose to Save type as - All Files
Save it on your desktop.
It should look like this: [img]http://www.techsupportforum.com/sectools/tetonbob/bat_icon.gif[/img]
Double click on grab.bat & allow it to run

A file, [b]Files_for_submission.zip[/b] will be created on your desktop. Upload it to [url="http://www.bleepingcomputer.com/submit-malware.php?channel=76"]this website[/url].

Kindly include a link to this topic in the message.

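An added example, not from the thread: a Python equivalent of the grab.bat step that packages the files for submission, records each file's MD5 and size alongside the archive so the upload can be matched against what the scanner reported, and lists a file as MISSING rather than silently skipping it. Paths, the sample bytes and the zip name are constructed for the demonstration; nothing here is code from the forum or from the submission site.

```python
import hashlib
import os
import tempfile
import zipfile


def file_fingerprint(path, chunk_size=65536):
    """Return (md5 hex digest, size in bytes) of a file, read in chunks."""
    digest = hashlib.md5()
    size = 0
    with open(path, 'rb') as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b''):
            digest.update(chunk)
            size += len(chunk)
    return digest.hexdigest(), size


def package_for_submission(paths, out_zip):
    """Zip the listed files plus a manifest; return the manifest rows.

    Each row is (original path, md5 or 'MISSING', size). Files that do not
    exist are recorded rather than dropped, so the analyst knows exactly
    what the archive does and does not contain.
    """
    manifest = []
    with zipfile.ZipFile(out_zip, 'w', zipfile.ZIP_DEFLATED) as zf:
        for index, path in enumerate(paths):
            if not os.path.isfile(path):
                manifest.append((path, 'MISSING', 0))
                continue
            md5, size = file_fingerprint(path)
            # Prefix with an index so two files with the same base name
            # (e.g. winlogon.exe from different folders) cannot collide.
            zf.write(path, arcname=f"{index}_{os.path.basename(path)}")
            manifest.append((path, md5, size))
        lines = [f"{p}\t{m}\t{s}" for p, m, s in manifest]
        # The manifest keeps the original full paths, which the arcnames do not.
        zf.writestr('manifest.txt', "\n".join(lines) + "\n")
    return manifest


def self_test():
    """Package a constructed 1024-byte stand-in file and one missing path."""
    sample_bytes = b"MZ" + b"\x00" * 1022   # constructed content, not a real binary
    with tempfile.TemporaryDirectory() as tmp:
        present = os.path.join(tmp, 'winlogon.exe')
        with open(present, 'wb') as fh:
            fh.write(sample_bytes)
        missing = os.path.join(tmp, 'not_there.exe')
        out = os.path.join(tmp, 'Files_for_submission.zip')
        manifest = package_for_submission([present, missing], out)
        with zipfile.ZipFile(out) as zf:
            names = zf.namelist()
    return {
        'manifest': manifest,
        'names': names,
        'md5_ok': manifest[0][1] == hashlib.md5(sample_bytes).hexdigest(),
    }


if __name__ == '__main__':
    result = self_test()
    for path, md5, size in result['manifest']:
        print(f"{md5}  {size:>8}  {path}")
    print("archive members:", result['names'])
```

When used for real, pass the path the scanner named and compare the manifest's MD5 and size with the values in the scan report (1151b1baa6f350b1db6598e0fea7c457, 390656 bytes above); a mismatch means the file on disk is no longer the one that was detected.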
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else please begin a New Topic.

Thank You !
