burndawgz

Please Help - Trojan.Win32.Generic!BT + Trojan.HTML.Framer.do (v)

14 posts in this topic

Here is additional information for the above problem:

 

For: Trojan.Win32.Generic!BT

Adaware Location: C:\Users\Jay\AppData\Local\DDMSSettings\Microsoft Help\vvprsnlkk.dll

(infected file either starts with a "vv" or a "w" - hard to tell as the kerning is tight)

 

For: Trojan.HTML.Framer.do (v)

Adaware Location: C:\Users\Jay\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XYAL1E0O\search[1].htm

 

Also, I have uninstalled previous instances of JAVA from the system.

 

J.

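Before handing the machine to ComboFix, it is worth pinning down what the two flagged files actually are. The following is an added triage script, not something posted in this thread or part of Ad-Aware; it uses the two paths quoted in the post above and runs from an elevated 64-bit PowerShell on the affected machine. `Get-FileHash` needs PowerShell 4 (Windows Management Framework 4 on Windows 7); the `DDMSSettings` folder listing and the loaded-module check are my additions, not something the post asked for.

```powershell
# Added example, not from the original thread: triage of the two paths Ad-Aware
# flagged.  Paths are the ones quoted in the post; everything else is assumed.
$flagged = @(
    'C:\Users\Jay\AppData\Local\DDMSSettings\Microsoft Help\vvprsnlkk.dll',
    'C:\Users\Jay\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XYAL1E0O\search[1].htm'
)

foreach ($path in $flagged) {
    # -LiteralPath matters here: the second name contains "[1]", which Get-Item
    # would otherwise treat as a wildcard character class and silently not match.
    if (-not (Test-Path -LiteralPath $path)) {
        "MISSING  $path"
        continue
    }
    $item = Get-Item -LiteralPath $path -Force
    $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    $sig  = Get-AuthenticodeSignature -FilePath $path   # 'NotSigned' for an unsigned DLL
    [pscustomobject]@{
        Path       = $path
        SizeBytes  = $item.Length
        Created    = $item.CreationTime
        Modified   = $item.LastWriteTime
        Attributes = $item.Attributes    # hidden/system bits are a common dropper tell
        SHA256     = $hash               # look this up on a multi-engine scanner
        Signature  = $sig.Status
        Signer     = $sig.SignerCertificate.Subject
    }
}

# "DDMSSettings" under %LOCALAPPDATA% is not a folder any Microsoft product
# creates.  List everything in it, hidden files included, so that siblings
# dropped next to the flagged DLL are not missed.
$dropDir = 'C:\Users\Jay\AppData\Local\DDMSSettings'
if (Test-Path -LiteralPath $dropDir) {
    Get-ChildItem -LiteralPath $dropDir -Recurse -Force |
        Select-Object FullName, Length, LastWriteTime, Attributes
}

# Is any running process currently loading a module from that folder?  A hit
# here says which process to look at next, which the detection name does not.
# Processes whose modules cannot be read (protected, or 64-bit seen from a
# 32-bit shell) are skipped silently.
foreach ($p in Get-Process) {
    Get-Process -Id $p.Id -Module -ErrorAction SilentlyContinue |
        Where-Object { $_.FileName -like "$dropDir\*" } |
        ForEach-Object {
            [pscustomobject]@{ Process = $p.ProcessName; Id = $p.Id; Module = $_.FileName }
        }
}
```

Hash and signature status are the two facts a helper can act on without the file itself; a `NotSigned` DLL with a random-looking name in a non-standard folder, loaded into a browser or `explorer.exe`, is a much stronger signal than the generic `Trojan.Win32.Generic!BT` label.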

Hi,

 

Please visit this webpage for download links, and instructions for running ComboFix tool:

 

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

 

Please ensure you read this guide carefully first.

 

Please continue as follows:

 

  1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix (link). Remember to re-enable them afterwards.
  2. Click Yes to allow ComboFix to continue scanning for malware.

 

When the tool is finished, it will produce a report for you.

 

Please include the following reports for further review, and so we may continue cleansing the system:

 

C:\ComboFix.txt

New dds log.

 

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.


Hi,

 

* Go here to run an online scanner from ESET.

  • Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is UNchecked and the option Scan unwanted applications is checkmarked.
  • Click Scan
  • Wait for the scan to finish.
  • Copy and paste findings (if any) as a reply to this topic, along with attach.txt log from DDS.


I am running ESET now and will post results upon completion.

 

I am curious about how many times my attached DDS, ComboFix and ATTACH logs have been downloaded from this thread. Not only mine, but in many recent reports on this forum, download counts of posted personal logs exceed 50 or more. Who, besides the direct moderators/service techs, would have interest in my logs? I realize the answer is "anyone" can download them as I've made them public by posting them here, but why would 50 or more people want to review my logs? Is this in itself a security concern? Is making these logs public providing info to potential bad actors that may create new and targeted vulnerabilities?

 

In a related concern, yesterday someone posted multiple responses here in my thread which contained very malicious links within the body of the postings. Within a few minutes, the posts were deleted from this thread. It was not apparent to me whether your forum system software auto-detected these postings and nuked them, or a forum moderator manually removed them. Either way, it appeared I had become a specific target simply by posting within this forum.

 

I appreciate the expert support I've received from Lavasoft and the tireless efforts of the volunteers here. Thanks, J.

Edited by burndawgz

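Whatever the download counts mean, a DDS or Attach log does carry identifying details that a helper does not need: the logs quoted in this thread include a Windows user name in every path, a NetBIOS computer name and a NetBT adapter GUID, and DDS also dumps `ipconfig /all`. The function below is an added example, not code from this thread or from the DDS/ComboFix authors, that rewrites those tokens before a log is posted. The sample text is constructed in the style of the lines quoted in this thread; the input and output file names in the usage line are assumptions.

```powershell
# Added example, not from the original thread: redact identifying details from
# a DDS / ComboFix / Attach log before posting it publicly.
function ConvertTo-RedactedLog {
    param(
        [Parameter(Mandatory)][string]$Text,
        # Computer names you know belong to your network (e.g. the "DAWG" seen
        # in the bowser event later in this thread).
        [string[]]$HostNames = @()
    )
    $rules = @(
        # C:\Users\Jay\...            ->  C:\Users\<user>\...
        @{ Pattern = '(?i)(C:\\Users\\)[^\\\r\n]+';                              With = '${1}<user>' },
        # NetBT_Tcpip_{B4C01157-...}  ->  NetBT_Tcpip_{<guid>}
        @{ Pattern = '\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}';   With = '{<guid>}' },
        # IPv4 addresses from the ipconfig section
        @{ Pattern = '\b(?:\d{1,3}\.){3}\d{1,3}\b';                               With = '<ip>' },
        # MAC addresses as printed by ipconfig /all
        @{ Pattern = '\b([0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}\b';                    With = '<mac>' }
    )
    $out = $Text
    foreach ($r in $rules) { $out = [regex]::Replace($out, $r.Pattern, $r.With) }
    foreach ($h in $HostNames) {
        # Whole word, case-insensitive: "DAWG" is replaced, "dawgz" inside a URL is not.
        $out = [regex]::Replace($out, "(?i)\b$([regex]::Escape($h))\b", '<host>')
    }
    return $out
}

# Constructed sample in the style of the lines quoted in this thread; not real log data.
$sample = @'
Adaware Location: C:\Users\Jay\AppData\Local\DDMSSettings\Microsoft Help\vvprsnlkk.dll
2/17/2013 10:59:26 AM, Error: bowser [8003] - ... from the computer DAWG ... on transport NetBT_Tcpip_{B4C01157-9343-4A34-B077-6E7F14E37D4A}.
   IPv4 Address. . . . . . . . . . . : 192.168.1.23
   Physical Address. . . . . . . . . : 00-1A-2B-3C-4D-5E
'@
ConvertTo-RedactedLog -Text $sample -HostNames 'DAWG'

# Real use (file names assumed): write a redacted copy and post that one.
# ConvertTo-RedactedLog -Text (Get-Content -Raw -LiteralPath 'C:\Attach.txt') -HostNames 'DAWG' |
#     Set-Content -LiteralPath 'C:\Attach.redacted.txt'
```

Two caveats. Every occurrence of a given item maps to the same placeholder, so a helper can still tell that two entries refer to the same user profile or the same adapter; do not go further and delete whole lines, because the paths are exactly what the helper reads. And the IPv4 rule is deliberately loose: it will also rewrite a four-part version number such as `1.0.0.1`, which is harmless for triage but worth knowing about before you report a "wrong" version.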

Hi,

 

We can ignore those ESET findings.

 

I am curious about how many times my attached DDS, ComboFix and ATTACH logs have been downloaded from this thread. Not only mine, but in many recent reports on this forum, download counts of posted personal logs exceed 50 or more. Who, besides the direct moderators/service techs, would have interest in my logs? I realize the answer is "anyone" can download them as I've made them public by posting them here, but why would 50 or more people want to review my logs? Is this in itself a security concern? Is making these logs public providing info to potential bad actors that may create new and targeted vulnerabilities?

Sometimes people have similar issues and look around for help without posting (that's bad practice, they should create their own topic) and sometimes attachments are viewed multiple times by the same person. I wouldn't be worried about that :)

In a related concern, yesterday someone posted multiple responses here in my thread which contained very malicious links within the body of the postings. Within a few minutes, the posts were deleted from this thread. It was not apparent to me whether your forum system software auto-detected these postings and nuked them, or a forum moderator manually removed them. Either way, it appeared I had become a specific target simply by posting within this forum.

That was some spammer's doings. Unfortunately, occasionally some spam gets posted to active topics. We do take necessary action (delete such posts and ban the user) as soon as we see such a thing happen.

 

 

Make sure you have latest version (10.1.5 at the moment) of Adobe Acrobat X.

 

 

Uninstall old Adobe Reader versions and get Adobe Reader 11.0 here and update 11.0.01 for it or get Foxit Reader here. Make sure you don't (unless you want to) install toolbar if choose Foxit Reader! You may also check free readers introduced here.

 

 

Uninstall vulnerable Flash versions by following instructions here. Fresh version can be obtained here.

 

 

Any issues remaining?


Thanks for the reassurance Blade,

 

It appears the standard ComboFix run-through did the trick. Adaware no longer finds the threat traces, and my Google Search redirects appear to have stopped. I've confirmed Acrobat X is the most current 10.1.5 version; uninstalled Reader v9; uninstalled older Flash versions and loaded the latest. I'm on the Creative Suite platform so will remain with the Adobe software vs Foxit.

 

What's next?

 

J.


I did notice one curious EVENT listed in the ATTACH log:

 

2/17/2013 10:59:26 AM, Error: bowser [8003] - The master browser has received a server announcement from the computer DAWG that believes that it is the master browser for the domain on transport NetBT_Tcpip_{B4C01157-9343-4A34-B077-6E7F14E37D4A}. The master browser is stopping or an election is being forced.

 

DAWG is a local network computer running W2K and the IE5 browser. Anything to suggest possible infections on the DAWG side (it appears to be operating fine) or would you guess it's just old W2K networking protocols conflicting with W7?

Edited by burndawgz


Hi,

 

If no issues left let's see the final steps then :)

 

 

THESE STEPS ARE VERY IMPORTANT

 

Let's reset system restore

Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: you will lose all previous restore points, which are likely to be infected. Please note you need Administrator access to clean the restore points.

 

A. To disable the System Restore feature:

 

1. Click on the Start button.

2. Hover over the Computer option, right click on it and then click Properties.

3. On the left hand side, click Advanced Settings.

4. If asked to permit the action, click on Allow.

5. Click on the System Protection tab.

6. Select c: drive and click Configure...

7. Select Turn off protection

8. Press OK.

Repeat steps 6-8 for each hard drive.

 

B. Reboot.

 

C. Turn ON System Restore.

Follow the steps like you did when disabling system restore but on step 7. select Restore system settings and previous versions of files -option.

 

 

 

Now let's uninstall ComboFix:

  • Click START then RUN
  • Now copy-paste Combofix /uninstall in the runbox and click OK

UPDATING WINDOWS AND INTERNET EXPLORER

 

IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site to get the critical updates.

 

 

 

Download and run Secunia Personal Software Inspector (PSI) and fix its findings. Leave the program installed so you'll stay alarmed about vulnerable components in future too.

 

 

Just a final reminder for you. I am trying to stress these two points.

UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.

Make sure all of your security programs are up to date.

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

 

 

Once again, please post and tell me how things are going with your system... problems etc.

 

Have a great day,

Blade B)

 

 

I did notice one curious EVENT listed in the ATTACH log:

 

2/17/2013 10:59:26 AM, Error: bowser [8003] - The master browser has received a server announcement from the computer DAWG that believes that it is the master browser for the domain on transport NetBT_Tcpip_{B4C01157-9343-4A34-B077-6E7F14E37D4A}. The master browser is stopping or an election is being forced.

 

DAWG is a local network computer running W2K and the IE5 browser. Anything to suggest possible infections on the DAWG side (it appears to be operating fine) or would you guess it's just old W2K networking protocols conflicting with W7?

 

I'm not exactly sure what that error message means but it's not infection related. If there're no issues I'd ignore the message :)

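The "reset System Restore" steps in the post above are a GUI walk-through of something PowerShell on Windows 7 can do directly, and scripting it makes the part that actually matters explicit: restore points are Volume Shadow Copies, and the point of the exercise is to destroy every copy that may contain the infected files and then leave the machine with one known-clean baseline. The following is an added example, not text from the post or from Lavasoft; run it from an elevated PowerShell. The drive selection, the restore-point description and the decision to checkpoint immediately after re-enabling are my assumptions.

```powershell
# Added example, not from the original thread: the forum's "reset System
# Restore" procedure (steps A-C above) scripted for Windows 7, elevated shell.

# Every local fixed disk; System Protection is per-volume, so handle each one
# the same way the post repeats steps 6-8 per drive.  Narrow this to 'C:\' if
# that is the only protected volume.
$drives = Get-WmiObject Win32_LogicalDisk -Filter 'DriveType = 3' |
          ForEach-Object { $_.DeviceID + '\' }           # "C:\", "D:\", ...

# Step A: turn protection off.  This discards every existing restore point on
# the volume, including the ones holding copies of the files just removed.
foreach ($d in $drives) { Disable-ComputerRestore -Drive $d }

# Restore points live in the shadow-copy store.  Confirm it is actually empty
# rather than trusting the switch; if anything is listed, purge it explicitly.
vssadmin list shadows
# vssadmin delete shadows /all

# Step B in the post is a reboot.  The cmdlets do not need it, but if you want
# to follow the post literally, stop here, run:  Restart-Computer
# and continue with the lines below after logging back in.

# Step C: protection back on, then take one restore point right away so that a
# later rollback lands on this post-cleanup state instead of on nothing at all.
foreach ($d in $drives) { Enable-ComputerRestore -Drive $d }
Checkpoint-Computer -Description 'Clean baseline after malware removal' `
                    -RestorePointType MODIFY_SETTINGS

# Verify: the only restore point on the system should be the one just created.
Get-ComputerRestorePoint | Select-Object SequenceNumber, CreationTime, Description
```

The order matters: disabling before re-enabling is what deletes the old points, and the checkpoint after re-enabling is what gives Windows Update (the next step in the post) something sane to roll back to if an update misbehaves.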

Thank you Blade - I will proceed with the updates. Your support has been invaluable. Count me clean!


You're welcome :)


Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

 

If you're the topic starter, and need this topic reopened, please contact the staff member who was helping you with your issue.

 

Everyone else please begin a New Topic.

 

Thank you !
