Mr. C- More help needed


reba_kay
You assisted me last weekend with a Trojan removal, and now McAfee, Microsoft Security Scanner, and Microsoft Malicious Software Removal have found a new Trojan, Medfos. Both of the Microsoft products say they partially removed it. I tried to find the file to delete, but I can't find it.

I ran Malwarebytes Anti-Rootkit twice and it didn't find it, nor did regular Malwarebytes.

I also ran RogueKiller in between running MBAM.

I would appreciate your assistance again.

mbar-log-2012-11-18 (08-12-25).txt

msert1.txt

RKreport1_S_11182012_02d0753.txt

I'm sorry, I was reading the log wrong.

Threat detected: Trojan:JS/Medfos.B containerfile://C:\Users\BNB\AppData\Local\Google\Chrome\Application\21.0.1180.89\Extensions\chromeupdate.crx file://C:\Users\BNB\AppData\Local\Google\Chrome\Application\21.0.1180.89\Extensions\chromeupdate.crx->manager.js

SigSeq: 0x00003B96658C1A14

SHA1: 7C3903095E1AFD7853289A23DC764439F56ECD9A

Delete this extension:

C:\Users\BNB\AppData\Local\Google\Chrome\Application\21.0.1180.89\Extensions\chromeupdate.crx

Then...............

Please download AdwCleaner from here and save it on your Desktop.

  • Close all open programs and internet browsers.
  • Right-click on adwcleaner.exe and select Run As Administrator to launch the application. (XP just double click to run)
  • Click on Delete.
  • Confirm each time with Ok if asked.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[s1].txt as well.

~~~~~~~~~~~~~~~~~~~~~~

Next..............

Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

MrC

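The post above identifies the infection as a Chrome extension container (chromeupdate.crx, with manager.js inside it) and gives its SHA1. The following is an added example, not code from the thread or from any of the tools MrC recommends: it shows how to triage such a .crx offline, without installing it into a browser, and compare it with the indicators quoted in the thread. It assumes the CRX2 container format that Chrome 21 used, and it constructs its own placeholder sample (a fake manifest.json and manager.js with a dummy public key), so the sample will not match the real indicators.

```python
"""Offline triage of a suspicious Chrome .crx, matched against the thread's
indicators.  Added example; not code from the thread.  Assumes the CRX2
container format that Chrome 21 used."""
import hashlib
import io
import struct
import zipfile

# Indicators from the scan log and registry keys quoted in the thread.
IOC_CONTAINER_SHA1 = "7C3903095E1AFD7853289A23DC764439F56ECD9A".lower()
IOC_EXTENSION_ID = "cdjbnddbclciabnckgeahmneohjlahdm"

CRX_MAGIC = b"Cr24"


def parse_crx2(data: bytes) -> dict:
    """Split a CRX2 container: 'Cr24', uint32 version (2), uint32 key length,
    uint32 signature length, public key, signature, then a plain zip archive."""
    if len(data) < 16 or data[:4] != CRX_MAGIC:
        raise ValueError("not a CRX container (bad magic)")
    version, key_len, sig_len = struct.unpack_from("<III", data, 4)
    if version != 2:
        raise ValueError(f"unsupported CRX version {version}")
    key_start, sig_start = 16, 16 + key_len
    zip_start = sig_start + sig_len
    if zip_start > len(data):
        raise ValueError("header lengths exceed file size")
    return {"version": version,
            "public_key": data[key_start:sig_start],
            "signature": data[sig_start:zip_start],
            "zip": data[zip_start:]}


def extension_id(public_key: bytes) -> str:
    """Chrome extension ID: first 128 bits of SHA-256 over the DER public key,
    written with the hex digits 0-f remapped to the letters a-p.  This is how
    the ID in the Chrome\\Extensions registry key is derived from the key."""
    digest = hashlib.sha256(public_key).hexdigest()[:32]
    return "".join(chr(ord("a") + int(h, 16)) for h in digest)


def list_members(crx_bytes: bytes) -> dict:
    """Return {member name: SHA-1 of its content} without installing anything."""
    parsed = parse_crx2(crx_bytes)
    with zipfile.ZipFile(io.BytesIO(parsed["zip"])) as zf:
        return {i.filename: hashlib.sha1(zf.read(i)).hexdigest() for i in zf.infolist()}


def triage(crx_bytes: bytes) -> dict:
    """Compare the container hash and its derived extension ID with the IOCs."""
    parsed = parse_crx2(crx_bytes)
    ext_id = extension_id(parsed["public_key"])
    return {"extension_id": ext_id,
            "id_matches_ioc": ext_id == IOC_EXTENSION_ID,
            "sha1_matches_ioc": hashlib.sha1(crx_bytes).hexdigest() == IOC_CONTAINER_SHA1,
            "members": list_members(crx_bytes)}


def build_crx2(members: dict, public_key: bytes = b"", signature: bytes = b"") -> bytes:
    """Assemble a CRX2 container; used here only to construct the sample below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    header = CRX_MAGIC + struct.pack("<III", 2, len(public_key), len(signature))
    return header + public_key + signature + buf.getvalue()


# Constructed sample shaped like the flagged file (manifest plus manager.js).
# Its content is a placeholder, not the real payload, so it will not match.
SAMPLE_CRX = build_crx2(
    {"manifest.json": b'{"name":"Chrome Update","version":"1.0",'
                      b'"background":{"scripts":["manager.js"]}}',
     "manager.js": b"// placeholder body, not the flagged manager.js\n"},
    public_key=b"\x30\x00",   # placeholder bytes where the DER RSA key would sit
)

if __name__ == "__main__":
    for key, value in triage(SAMPLE_CRX).items():
        print(f"{key}: {value}")
```

To use it on a real file, read the .crx as bytes and pass it to triage(); a true value for sha1_matches_ioc confirms the exact container from the scan log, while id_matches_ioc ties the file to the cdjbnddbclciabnckgeahmneohjlahdm registry key even if the file bytes were rebuilt and the hash changed. Listing members first lets you look at manager.js in a text editor rather than trusting the extension name "Chrome Update".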
Download Security Check by screen317 from HERE or HERE.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt.
  • Please Post the contents of that document.
  • Do Not Attach It!!!

MrC

Results of screen317's Security Check version 0.99.54

Windows 7 x64 (UAC is enabled)

Out of date service pack!!

Internet Explorer 8 Out of date!

``````````````Antivirus/Firewall Check:``````````````

Windows Security Center service is not running! This report may not be accurate!

Windows Firewall Enabled!

McAfee Anti-Virus and Anti-Spyware

WMI entry may not exist for antivirus; attempting automatic update.

`````````Anti-malware/Other Utilities Check:`````````

Malwarebytes Anti-Malware version 1.65.1.1000

Adobe Flash Player 11.4.402.278

Mozilla Firefox (16.0.2)

Google Chrome 21.0.1180.89

Google Chrome Plugins...

````````Process Check: objlist.exe by Laurent````````

`````````````````System Health check`````````````````

Total Fragmentation on Drive C:

````````````````````End of Log``````````````````````

OK, run Junkware Removal Tool again, please download a fresh copy though!!

Then.......

Please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

http://www.eset.eu/online-scanner

Tick the box next to YES, I accept the Terms of Use.

Click Start

When asked, allow the ActiveX control to install

Click Start

Make sure that the options Remove found threats and the option Scan unwanted applications is checked

Click Advanced settings and select the following:

  • Scan potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth technology

Click Start

Wait for the scan to finish

Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt

Copy and paste that log as a reply to this topic

MrC

Please download SystemLook from the link below and save it to your Desktop.

http://jpshortstuff....temLook_x64.exe

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    :Filefind
    chromeupdate.crx->manager.js
    *chromeupdate*
    chromeupdate.crx
    3CF27234-0DDB-11E2-8271-B8AC6F996F26
    browser.xul
    :regfind
    chromeupdate.crx->manager.js
    chromeupdate.crx
    *chromeupdate*
    3CF27234-0DDB-11E2-8271-B8AC6F996F26
    browser.xul


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

MrC

Please download OTL from one of the links below:

http://oldtimer.geekstogo.com/OTL.exe

http://www.itxassoci...T-Tools/OTL.exe

http://oldtimer.geekstogo.com/OTL.com (<---renamed version)

Save it to your desktop.

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following in bold:

:Files

C:\Users\BNB\AppData\Local\Google\Chrome\Application\21.0.1180.89\Extensions\chromeupdate.crx

C:\Users\BNB\AppData\Local\chromeupdate.crx

C:\Users\BNB\AppData\Local\{3CF27234-0DDB-11E2-8271-B8AC6F996F26}

:Reg

[-HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\cdjbnddbclciabnckgeahmneohjlahdm]

[-HKEY_USERS\S-1-5-21-448086352-994739028-191266335-1000\Software\Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\cdjbnddbclciabnckgeahmneohjlahdm]

[-HKEY_USERS\S-1-5-21-448086352-994739028-191266335-1000_Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\cdjbnddbclciabnckgeahmneohjlahdm]

[HKEY_CURRENT_USER\Software\Mozilla\Firefox\Extensions]

"{3CF27234-0DDB-11E2-8271-B8AC6F996F26}"=-

[HKEY_USERS\S-1-5-21-448086352-994739028-191266335-1000\Software\Mozilla\Firefox\Extensions]

"{3CF27234-0DDB-11E2-8271-B8AC6F996F26}"=-

  • Then click the Run Fix button at the top.
  • Let the program run unhindered; when done it will say "Fix Complete press ok to open the log".
  • Please post that log in your next reply. Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, open the newest .log file present, and copy/paste the contents of that document back here in your next post.

MrC

========== FILES ==========

C:\Users\BNB\AppData\Local\Google\Chrome\Application\21.0.1180.89\Extensions\chromeupdate.crx moved successfully.

File\Folder C:\Users\BNB\AppData\Local\chromeupdate.crx not found.

File\Folder C:\Users\BNB\AppData\Local\{3CF27234-0DDB-11E2-8271-B8AC6F996F26} not found.

========== REGISTRY ==========

Registry key HKEY_CURRENT_USER\Software\Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\cdjbnddbclciabnckgeahmneohjlahdm\ deleted successfully.

Registry key HKEY_USERS\S-1-5-21-448086352-994739028-191266335-1000\Software\Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\cdjbnddbclciabnckgeahmneohjlahdm\ not found.

Registry key HKEY_USERS\S-1-5-21-448086352-994739028-191266335-1000_Classes\VirtualStore\MACHINE\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\cdjbnddbclciabnckgeahmneohjlahdm\ not found.

Registry value HKEY_CURRENT_USER\Software\Mozilla\Firefox\Extensions\\{3CF27234-0DDB-11E2-8271-B8AC6F996F26} deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3CF27234-0DDB-11E2-8271-B8AC6F996F26}\ not found.

Registry value HKEY_USERS\S-1-5-21-448086352-994739028-191266335-1000\Software\Mozilla\Firefox\Extensions\\{3CF27234-0DDB-11E2-8271-B8AC6F996F26} not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3CF27234-0DDB-11E2-8271-B8AC6F996F26}\ not found.

OTL by OldTimer - Version 3.2.69.0 log created on 11212012_083801
