Computer Hope

Software => Computer viruses and spyware => Virus and spyware removal => Topic started by: Clrrr on July 20, 2016, 06:10:22 PM

Title: Posting Logs For Malware Problem like they told; Thanks for the Help!
Post by: Clrrr on July 20, 2016, 06:10:22 PM
So my computer at startup has 2 programs that I have to close down in Windows manager that are "system functions" but take up 500,000k to 1,000,000k in my RAM space randomly, since this malware (from Trotux, I think) has been on my computer from a program I accidentally installed.
It also installed its own search bar and was opening to its own homepage in all my browsers. As soon as I installed Malwarebytes it stopped that, but I still get ads that Malwarebytes Pro is blocking.

Sometimes I am also getting DNS errors on this computer only, while the other ones in the network are working fine. I got all the logs and am going to post them below like it says to in the main post they directed me to. Thanks for your help, I really appreciate it. If there is anything I can do to help back, please let me know. Thanks again.

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 20/07/2016
Scan Time: 16:52
Logfile: 20-07-16.txt
Administrator: Yes

Version: 0.0.0.0000
Malware Database: v2016.07.20.03
Rootkit Database: v2016.05.27.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Michael

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 333939
Time Elapsed: 13 min, 21 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)



 Results of screen317's Security Check version 1.014 --- 12/23/15 
   x64 (UAC is disabled!) 
``````````````Antivirus/Firewall Check:``````````````
 WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
 AVG Web TuneUp   
 Java 8 Update 45 
 Java version 32-bit out of Date!
 Adobe Flash Player    22.0.0.209 
 Mozilla Firefox (47.0.1)
 Google Chrome (51.0.2704.106)
 Google Chrome (SetupMetrics.pma..)
````````Process Check: objlist.exe by Laurent```````` 
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:  %
````````````````````End of Log``````````````````````



# AdwCleaner v5.201 - Report created 20/07/2016 at 17:59:44
# Updated 30/06/2016 by ToolsLib
# Database : 2016-07-19.2 [Server]
# Operating system : Windows 7 Professional Service Pack 1 (X64)
# User : Michael - MICHAEL-PC
# Running from : C:\Users\Michael\Downloads\adwcleaner_5.201 (2).exe
# Option : Clean   [Portuguese original: Opção : Limpar]
# Support : https://toolslib.net/forum

***** [ Services ] *****

[-] Service Deleted : WtuSystemSupport
[-] Service Deleted : vToolbarUpdater40.3.1

***** [ Folders ] *****

[-] Folder Deleted : C:\ProgramData\apn
[-] Folder Deleted : C:\ProgramData\avg web tuneup
[x64] HKLM\SOFTWARE\{8C4CE252-7DB2-4F8E-8E76-BAD0E5826A83}
[-] Key Deleted : HKU\.DEFAULT\Software\{8C4CE252-7DB2-4F8E-8E76-BAD0E5826A83}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Installer\UpgradeCodes\7AB5857A57A0687786597A857BFFFFFF
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\8036C72171EF4ba46856BF57969F6A36
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\89BB7852687BDC34B9A81E01C7FF9173
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\8CBC85D72B148084ABE8C2F072F781F4
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\8CC5A38A64D6098468BC8395BA0EFF03
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\8DF9A1AC557F56c49B56F6B83E293C15
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A97C590397DCC454AA8923563BAB10E4
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\B08932C78B697C244BE7BA3E6FF09B62
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\CFA51B44D54927c4E9B7BC1D3FD1E49F
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\D14A7F65792054F418578C78367D13F7
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\DFE9F0BD163D827438CB6AD6B100EC48
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\F739A19A8327dc64C9A8B641A9E89646
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\158D6D9E3FE81fa428925F22ACB3A965
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\15E6C514FEFC09f45BAFAAE1D7546ED4
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1DB42320A8525634AA089F0BEC86473B
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\22468B0D6050b2e46B9C4B67A8F59577
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\2251BF05A2F606d43BB064BD63CBD87E
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\3255D95681398614190EDF0A4F3F77DB
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\3CDF313E9B28c944FBC7579CF4949414
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\71E54748EDD3dc1468548785DC856EDA
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\754590DD06DE8d249B526503432F99D4
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\7AB5857A57A0687786597A857BFFFFFF
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Shared Tools\MsConfig\StartupReg\pcspeedup
[-] Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [vProt]
[-] Key Deleted : HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\winzipersvc
[-] Key Deleted : HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\qkseeService

***** [ Browsers ] *****

[-] [C:\Users\Michael\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : br.ask.com
[-] [C:\Users\Michael\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : aol.com
[-] [C:\Users\Michael\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Deleted : bopakagnckmlgajfccecajhnimjiiedh

*************************

:: "Tracing" keys deleted
:: Winsock settings restored

*************************

C:\AdwCleaner\AdwCleaner[C1].txt - [13081 bytes] - [20/07/2016 17:59:44]
C:\AdwCleaner\AdwCleaner[S1].txt - [13816 bytes] - [20/07/2016 17:24:13]

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [13229 bytes] ##########

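The AdwCleaner log above shows where this hijacker had dug in: two services, a Run value (vProt), an msconfig StartupReg leftover, an Internet Explorer search scope, Chrome search providers and an extension, plus Winsock settings that had to be restored; the poster also reports DNS errors. The script below is an added example, not part of the thread or of any of the tools mentioned: it is a read-only audit of those same autostart and hijack locations so the same persistence can be checked for on another Windows machine. The registry paths, the "trusted tree" rule for services, and the Chrome Secure Preferences layout are this example's assumptions; the service binary location check is deliberately the primary filter because catalog-signed Windows files can report NotSigned to Get-AuthenticodeSignature on Windows 7.

```powershell
# Added example (not from the original thread): audit the autostart and
# browser-hijack locations the AdwCleaner log cleaned. Read-only; run from
# an elevated Windows PowerShell 3.0+ prompt (Get-Content -Raw, ConvertFrom-Json).

$findings = @()

# 1. Classic Run keys (the log removed the 'vProt' value from HKLM\...\Run).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        # skip PowerShell's own PSPath/PSProvider metadata on the returned object
        if ($p.Name -notmatch '^PS') {
            $findings += [pscustomobject]@{ Source = "Run ($key)"; Name = $p.Name; Value = $p.Value }
        }
    }
}

# 2. Entries msconfig disabled but left in place (the log deleted StartupReg\pcspeedup).
$msconfig = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\MsConfig\startupreg'
if (Test-Path $msconfig) {
    Get-ChildItem $msconfig | ForEach-Object {
        $cmd = (Get-ItemProperty $_.PSPath).command
        $findings += [pscustomobject]@{ Source = 'MsConfig StartupReg'; Name = $_.PSChildName; Value = $cmd }
    }
}

# 3. Services whose image lives outside the Windows / Program Files trees
#    (WtuSystemSupport and vToolbarUpdater40.3.1 were such helpers).
#    Signature status is reported as extra context only: on Windows 7 many
#    catalog-signed system files show NotSigned here, so location is the filter.
Get-WmiObject Win32_Service | ForEach-Object {
    $exe = $_.PathName
    if (-not $exe) { return }
    $img = if ($exe -match '^"([^"]+)"') { $Matches[1] } else { ($exe -split ' ')[0] }
    $trusted = ($img -like "$env:SystemRoot\*") -or ($img -like "$env:ProgramFiles\*") -or
               ($img -like "${env:ProgramFiles(x86)}\*")
    if (-not $trusted) {
        $sig = if (Test-Path -LiteralPath $img) { (Get-AuthenticodeSignature -FilePath $img).Status } else { 'Missing' }
        $findings += [pscustomobject]@{ Source = 'Service (outside trusted trees)'; Name = $_.Name; Value = "$img [$sig]" }
    }
}

# 4. IE search scopes (the log removed one GUID scope) and configured DNS servers
#    (static NameServer beats DHCP; a hijacked resolver shows up here).
$scopes = 'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes'
if (Test-Path $scopes) {
    Get-ChildItem $scopes | ForEach-Object {
        $url = (Get-ItemProperty $_.PSPath).URL
        $findings += [pscustomobject]@{ Source = 'IE SearchScope'; Name = $_.PSChildName; Value = $url }
    }
}
$ifaces = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
Get-ChildItem $ifaces | ForEach-Object {
    $props = Get-ItemProperty $_.PSPath
    if ($props.NameServer)     { $findings += [pscustomobject]@{ Source = 'DNS (static)'; Name = $_.PSChildName; Value = $props.NameServer } }
    if ($props.DhcpNameServer) { $findings += [pscustomobject]@{ Source = 'DNS (DHCP)';   Name = $_.PSChildName; Value = $props.DhcpNameServer } }
}

# 5. Chrome extensions recorded in Secure Preferences (the log removed extension
#    ID bopakagnckmlgajfccecajhnimjiiedh from this file). Assumed layout:
#    extensions.settings.<id>.path
$prefs = "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Secure Preferences"
if (Test-Path -LiteralPath $prefs) {
    $json = Get-Content -LiteralPath $prefs -Raw | ConvertFrom-Json
    foreach ($ext in $json.extensions.settings.PSObject.Properties) {
        $findings += [pscustomobject]@{ Source = 'Chrome extension'; Name = $ext.Name; Value = $ext.Value.path }
    }
}

$findings | Sort-Object Source, Name | Format-Table -AutoSize -Wrap

# 6. Winsock catalog: a layered provider outside %SystemRoot%\system32 is the
#    kind of entry AdwCleaner's "Winsock settings restored" step removes.
netsh winsock show catalog | Select-String 'Provider Path'
```

Nothing here changes the machine; it only lists what each location holds, so it is safe to run while a helper is still working the thread. Anything in the Run keys, StartupReg or service list that points into ProgramData, a user profile or a randomly named folder, and any search scope URL or DNS server you did not set yourself, is what to quote back to the helper.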

Title: Re: Posting Logs For Malware Problem like they told; Thanks for the Help!
Post by: SuperDave on July 21, 2016, 01:17:32 PM
Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
*************************************************************************

What does this mean?  # Opção : Limpar

Please download Junkware Removal Tool (http://thisisudax.org/downloads/JRT.exe) to your desktop.

•Warning! Once the scan is complete JRT will shut down your browser with NO warning.

•Shut down your protection software now to avoid potential conflicts.

•Temporarily disable your Antivirus and any Antispyware real time protection before performing a scan. Click this  (http://www.bleepingcomputer.com/forums/topic114351.html) link to see a list of security programs that should be disabled and how to disable them.

•Run the tool by double-clicking it. If you are using Windows Vista or Windows 7, right-click JRT and select Run as Administrator

(http://i424.photobucket.com/albums/pp322/digistar/Junkware-icon.jpg)

•The tool will open and start scanning your system. At the Command Prompt, you’ll need to press any key to perform a scan.

(http://i424.photobucket.com/albums/pp322/digistar/junkware-removal-tool.jpg)

•Please be patient as this can take a while to complete depending on your system's specifications.

•On completion, a log (JRT.txt) is saved to your desktop and will automatically open.

•Copy and Paste the JRT.txt log into your next message.

Title: Re: Posting Logs For Malware Problem like they told; Thanks for the Help!
Post by: Clrrr on July 23, 2016, 10:30:22 AM
Thank you, sir. Here is the log.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.7 (07.03.2016)
Operating System: Windows 7 Professional x64
Ran by Michael (Administrator) on 22/07/2016 at 21:13:19,95
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




File System: 0




Registry: 0





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 23/07/2016 at  0:19:41,56
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Title: Re: Posting Logs For Malware Problem like they told; Thanks for the Help!
Post by: SuperDave on July 23, 2016, 01:12:54 PM
What does this mean?  # Opção : Limpar


Title: Re: Posting Logs For Malware Problem like they told; Thanks for the Help!
Post by: Clrrr on July 25, 2016, 01:52:09 PM
Sorry, my system is in Portuguese. It means Opção = Option, Limpar = Clean, so "Option: Clean".

Title: Re: Posting Logs For Malware Problem like they told; Thanks for the Help!
Post by: SuperDave on July 26, 2016, 12:25:22 PM
I'd like to scan your machine with ESET OnlineScan

•Hold down Control and click on the following link to open ESET OnlineScan in a new window.
 ESET OnlineScan (http://eset.com/onlinescan)

•Click the (http://i424.photobucket.com/albums/pp322/digistar/esetOnline.png) button.
•For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
•Check (http://i424.photobucket.com/albums/pp322/digistar/esetAcceptTerms.png)
•Click the (http://i424.photobucket.com/albums/pp322/digistar/esetStart.png) button.
•Accept any security warnings from your browser.
•Check (http://i424.photobucket.com/albums/pp322/digistar/esetScanArchives.png)
•Push the Start button.
•ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
•When the scan completes, push (http://i424.photobucket.com/albums/pp322/digistar/esetListThreats.png)
•Push (http://i424.photobucket.com/albums/pp322/digistar/esetExport.png), and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
•Push the (http://i424.photobucket.com/albums/pp322/digistar/esetBack.png) button.
•Push (http://i424.photobucket.com/albums/pp322/digistar/esetFinish.png)
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

Title: Re: Posting Logs For Malware Problem like they told; Thanks for the Help!
Post by: Clrrr on July 28, 2016, 11:37:03 AM
Thanks Dave.

C:\AdwCleaner\FileQuarantine\C\Program Files (x86)\TXQQBrowser\Update\C24225EF4EA29EBA8683BB51917E3893\Update\chrome_elf.dll.vir   a variant of Win32/Obfuscated.NGM trojan   
C:\Program Files (x86)\4qzovq2p\{5ECE9ED2-53AD-41E8-A9BF-2EC3A6F8C0E9}\4qzovq2p.a8e   a variant of Win32/Obfuscated.NGR trojan   
C:\Program Files (x86)\d9n9q0vz\{3AD8934E-44DB-4078-92B0-2FBA228E57E0}\gsvo9cbn.q05   a variant of Win32/Obfuscated.NGS trojan   

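The three ESET hits above share a layout: a Program Files (x86) folder with an eight-character random name, a GUID-named subfolder, and a payload with a made-up extension (.a8e, .q05), plus an already-quarantined chrome_elf.dll. The snippet below is an added example, not something from the thread or from ESET: it triages those exact paths (existence, SHA-256, Authenticode status, creation time, and whether the file starts with the MZ header of a Windows executable despite its extension) and then hunts for sibling folders with the same random-name/GUID layout. The folder-name and GUID regexes are this example's own heuristic, not an ESET signature; the paths in `$flagged` are the ones ESET reported.

```powershell
# Added example (not from the original thread): read-only triage of the files
# ESET flagged, and a hunt for siblings with the same directory layout.
# Needs Windows PowerShell 4.0+ for Get-FileHash.

# Paths exactly as ESET reported them in the post above.
$flagged = @(
    'C:\AdwCleaner\FileQuarantine\C\Program Files (x86)\TXQQBrowser\Update\C24225EF4EA29EBA8683BB51917E3893\Update\chrome_elf.dll.vir',
    'C:\Program Files (x86)\4qzovq2p\{5ECE9ED2-53AD-41E8-A9BF-2EC3A6F8C0E9}\4qzovq2p.a8e',
    'C:\Program Files (x86)\d9n9q0vz\{3AD8934E-44DB-4078-92B0-2FBA228E57E0}\gsvo9cbn.q05'
)

function Get-FileTriage {
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) {
            [pscustomobject]@{ Path = $p; Exists = $false; SHA256 = $null; Signature = $null; Created = $null; IsPE = $null }
            continue
        }
        $item = Get-Item -LiteralPath $p
        # Read only the first two bytes: 'MZ' (0x4D 0x5A) means a PE executable
        # regardless of the .a8e / .q05 / .vir extension it was given.
        $fs = [System.IO.File]::OpenRead($p)
        try {
            $hdr = New-Object byte[] 2
            $n = $fs.Read($hdr, 0, 2)
        } finally { $fs.Close() }
        $isPE = ($n -eq 2) -and ($hdr[0] -eq 0x4D) -and ($hdr[1] -eq 0x5A)
        [pscustomobject]@{
            Path      = $p
            Exists    = $true
            SHA256    = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            Signature = (Get-AuthenticodeSignature -FilePath $p).Status
            Created   = $item.CreationTime
            IsPE      = $isPE
        }
    }
}

# Heuristic (this example's own): top-level dirs named with exactly eight
# lowercase letters/digits that contain a {GUID}-named subdirectory, the
# layout both 4qzovq2p and d9n9q0vz share.
function Find-RandomGuidDirs {
    param([string]$Root = ${env:ProgramFiles(x86)})
    $guidRe = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'
    Get-ChildItem -LiteralPath $Root -Directory -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^[a-z0-9]{8}$' } |
        ForEach-Object {
            $kids = Get-ChildItem -LiteralPath $_.FullName -Directory -ErrorAction SilentlyContinue |
                    Where-Object { $_.Name -match $guidRe }
            if ($kids) { $_.FullName }
        }
}

Get-FileTriage -Paths $flagged | Format-List
Write-Host 'Directories matching the random-name/GUID layout:'
Find-RandomGuidDirs
```

The hashes are what you would look up in a reputation service or hand to whoever is helping; the MZ check matters because a file ESET could not name beyond "Obfuscated" is still a Windows executable if it starts with MZ, whatever extension it carries. Run the hunt before ESET's clean-up removes the folders, or the sibling check has nothing left to find.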

Title: Re: Posting Logs For Malware Problem like they told; Thanks for the Help!
Post by: SuperDave on July 28, 2016, 12:48:54 PM
Based on the information in your last log I feel I should give you this warning.

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

Read this article: Danger: Remote Access Trojans. (http://www.microsoft.com/technet/security/alerts/info/virusrat.mspx)

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay and forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one! If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach.

I would counsel you to disconnect this PC from the Internet immediately.

Though the Trojan has been identified and can be killed, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? (http://www.dslreports.com/faq/10451)

When Should I Format, How Should I Reinstall? (http://www.dslreports.com/faq/10063)

We can attempt to clean this machine, but I can't guarantee that it will be 100% secure afterwards.

Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post