Jump to content

Visited hacked website and concerned about drive-by downloads


Recommended Posts

Guys,

 

I was sent a link to a Croatian Bar by somebody known to me.

 

Website is http://www.redcarpet-medena.com/hojvj/uhjmy/wlzf/ufcfjgswznk/yreb  and was clicked which took me to the website.

 

The website has been hacked and calling card left ie hackers id and their website. You can google this and see the hackers from Google's description.

 

So were there any drive-by downloads? Don't know but the hackers were kind enough to leave their details.

 

Malwarebytes came up with lots (160 odd) of PUPs which were deleted. Log file attached.

 

So what to do?

 

I enclose DDS.txt and attach.txt

 

I appreciate any and all help that you can give me.

 

Thanks,

 

John

 

 

 

 

Attach.txt

DDS.txt

mbam-log-2013-09-26 (12-56-48).txt

Link to post
Share on other sites

  • Root Admin

Hello and :welcome:

Please uninstall ALL versions of Java on the computer and follow the directions below.

P2P/Piracy Warning:
 

 
If you're using
Peer 2 Peer
software such as
uTorrent, BitTorrent
or similar you must either fully uninstall them or completely disable them from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

If you have
illegal/cracked software, cracks, keygens etc
. on the system, please remove or uninstall them now and read the policy on
Piracy
.




Before we proceed further, please read all of the following instructions carefully.
If there is anything that you do not understand kindly ask before proceeding.
If needed please print out these instructions.
  • Please do not post logs using CODE, QUOTE, or FONT tags. Just paste them as direct text.
  • If the log is too large then you can use attachments by clicking on the More Reply Options button.
  • Please enable your system to show hidden files: How to see hidden files in Windows
  • Make sure you're subscribed to this topic:
    • Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly

    [*]Removing malware can be unpredictable...It is unlikely but things can go very wrong! Please make sure you Backup all files that cannot be replaced if something were to happen. You can copy them to a CD/DVD, external drive or a pen drive [*]Please don't run any other scans, download, install or uninstall any programs unless requested by me while I'm working with you. [*]The removal of malware is not instantaneous, please be patient. Often we are also on a different Time Zone. [*]Perform everything in the correct order. Sometimes one step requires the previous one. [*]If you have any problems while following my instructions, Stop there and tell me the exact nature of the issue. [*]You can check here if you're not sure if your computer is 32-bit or 64-bit [*]Please disable your antivirus while running any requested scanners so that they do not interfere with the scanners. [*]When we are done, I'll give you instructions on how to cleanup all the tools and logs [*]Please stick with me until I give you the "all clear" and Please don't waste my time by leaving before that. [*]Your topic will be closed if you haven't replied within 3 days [*](If I have not responded within 24 hours, please send me a Private Message as a reminder)




STEP 0
RKill is a program that was developed at BleepingComputer.com that attempts to terminate known malware processes
so that your normal security software can then run and clean your computer of infections.
When RKill runs it will kill malware processes and then removes incorrect executable associations and fixes policies
that stop us from using certain tools. When finished it will display a log file that shows the processes that were
terminated while the program was running.

As RKill only terminates a program's running process, and does not delete any files, after running it you should not reboot
your computer as any malware processes that are configured to start automatically will just be started again.
Instead, after running RKill you should immediately scan your computer using the requested scans I've included.

Please download Rkill by Grinler from one of the links below and save it to your desktop.


Link 2

  • On Windows XP double-click on the Rkill desktop icon to run the tool.
  • On Windows Vista/Windows 7 or 8, right-click on the Rkill desktop icon and select Run As Administrator
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.
  • Do not reboot the computer, you will need to run the application again.



STEP 01
Backup the Registry:
Modifying the Registry can create unforeseen problems, so it always wise to create a backup before doing so.

  • Please download ERUNT from one of the following links: Link1 | Link2 | Link3
  • ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.
  • Double click on erunt-setup.exe to Install ERUNT by following the prompts.
  • NOTE: Do not choose to allow ERUNT to add an Entry to the Startup folder. Click NO.
  • Start ERUNT either by double clicking on the desktop icon or choosing to start the program at the end of the setup process.
  • Choose a location for the backup.
    • Note: the default location is C:\Windows\ERDNT which is acceptable.

    [*]Make sure that at least the first two check boxes are selected. [*]Click on OK [*]Then click on YES to create the folder. [*]Note: if it is necessary to restore the registry, open the backup folder and start ERDNT.exe


STEP 02
Please download RogueKiller and save it to your desktop.

You can check here if you're not sure if your computer is 32-bit or 64-bit

  • RogueKiller 32-bit | RogueKiller 64-bit
  • Quit all running programs.
  • For Windows XP, double-click to start.
  • For Vista,Windows 7/8, Right-click on the program and select Run as Administrator to start and when prompted allow it to run.
  • Read and accept the EULA (End User Licene Agreement)
  • Click Scan to scan the system.
  • When the scan completes Close the program > Don't Fix anything!
  • Don't run any other options, they're not all bad!!
  • Post back the report which should be located on your desktop.


 

Link to post
Share on other sites

Thanks again Ron for your reply and kind words. I still have not had a chance to sit and work though your instructions. However, in your original email you mentioned P2P (Peer to Peer). Am I running any? I have looked at both attach.txt and DDS.txt. I did not recognise any P2P but I do know that there is a lot of crap installed. Please can you tell me if there is any P2P there.

 

Thanks,

 

John

Link to post
Share on other sites

  • Root Admin

I didn't notice any P2P software but that's just a generic warning for users as often user are running that type of software or have cracked software and we want to give them a chance up front to remove any before we find it otherwise we'll close the topic if we find it.

 

Thanks

Link to post
Share on other sites

Thanks again for your reply, Ron. Backing up of 1.2 TB of data (yes Terabytes!!!) is under way using Windows 7 backup program to a separate very large drive. This is taking a very long time. Tuesday I have to be away from my computer all day, so it is Wednesday when I will be following the rest of your instructions. 

 

In the meantime, can you please explain about driveby malware downloads. It seems that just visiting a website (without clicking on anything) can download these malwares which use java on a pc to run. Is this correct?

 

Can Malwarebytes detect these downloads?

 

Thanks again for your help and patience.

 

John

Link to post
Share on other sites

  • Root Admin

In a nutshell yes.  Basically older outdated software like Java, Flash, Acrobat (not the only ones but more commonly used and thus often targeted) are targeted and the code compromised by finding weaknesses in the code and then exploiting it.  We don't detect the actual exploitation of the code but we do try to locate and stop the dropper files that they often try to put down on your computer but it's difficult to be 100% detection and why it's a multi tiered process of keeping your computer software up to date and running antivirus and anti-malware.

 

Please make sure the backup is actually performed correctly as the the newer 4K format drives which pretty much all new drives for the past couple years use will not save correctly except on Windows 8 (Microsoft could easily make a driver to support it but they won't as they want you to update your OS to the newer version).

Link to post
Share on other sites

This is very frightening. Makes me want to not click on anything and go back to the abacus and quill pen!!!!

 

Backing up and removal of Java was successful.

 

I followed your comprehensive instructions and now have the RoqueKiller report which I now attach to this mail.

 

Thanks again for your help.

 

John

RKreport0_S_10022013_165246.txt

Link to post
Share on other sites

  • Root Admin

No obvious rootkit found but it does appear to have some adware stuff on the box.

 

Please go ahead and run through the following steps and post back the logs when ready.

STEP 03
Please download Malwarebytes Anti-Rootkit from here

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced they will be in the MBAR folder... mbar-log.txt and system-log.txt

STEP 04
Please download Junkware Removal Tool to your desktop.
  • Shutdown your antivirus to avoid any conflicts.
  • Right click over JRT.exe and select Run as administrator on Windows Vista or Windows 7, double-click on XP.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next reply message
  • When completed make sure to re-enable your antivirus



STEP 05
Please download AdwCleaner by Xplode and save to your Desktop.

  • Double click on AdwCleaner.exe to run the tool.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.



STEP 06
button_eos.gif

Please go here to run the online antivirus scannner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology

    [*]Click Scan [*]Wait for the scan to finish [*]If any threats were found, click the 'List of found threats' , then click Export to text file.... [*]Save it to your desktop, then please copy and paste that log as a reply to this topic.



STEP 07
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatibale with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.


 

Link to post
Share on other sites

I have now run Steps 04 - 07 and the logs are attached.

 

Step 04 JRT.txt

 

Step 05  AdwCleaner(RO).txt

 

Step 06  There was a problem turning off McAfee.  I turned off Real Time Scanning and also Firewall.  However, when I ran ESET it detected McAfee.  So in "Services(Local)" the only McAfee item I could not turn                  off was McAfee Mcshield, and ESET still detected Mcafee.

 

              So I had to run ESET anyway, ignoring the fact that it detected McAfee - I hope this was OK.

 

              I saved the "List of found Threats" as "eset.txt"

 

Step 07 FRST,txt

             Addition.txt

 

 

I hope I've run these programs correctly.  Many thanks again for your help and advice.

 

John

JRT.txt

AdwCleanerR0.txt

eset.txt

FRST.txt

Addition.txt

Link to post
Share on other sites

  • Root Admin

Sorry for the delay John.  Lost track of your post.

 

Please run AdwCleaner again and get the updated version. Then do another scan but this time click on the CLEAN button.

Then post back the new log.

 

Then run MBAM and check for updates and do a Quick Scan and post back the new log.

 

Thanks

Link to post
Share on other sites

Hi Ron,

 

Thank you for your further instructions.

 

AdwCleaner

 

I ran Adwcleaner and the resulting log (S0) is attached.  However I then discovered that "Show hidden files, folders and drives" was not enabled even though this had been done at the start of these procedures.  I therefore enabled it again and ran the scan again, the system having been cleaned on the first scan.  The resulting log (S1) is attached.

 

MBAM

 

I ran the full scan, checked for updates and ran the Quick Scan.  the resulting MBAM log is attached.

 

I feel a bit of a novice at these procedures but hope that I have done everything correctly.

 

Many thanks again for your help.

 

John 

AdwCleanerS0.txt

AdwCleanerS1.txt

MBAM-log-2013-10-12 (20-45-14).txt

Link to post
Share on other sites

  • Root Admin

Please Run TFC by OldTimer to clear temporary files:

  • Download TFC from here and save it to your desktop.
  • http://oldtimer.geekstogo.com/TFC.exe
  • Close any open programs and Internet browsers.
  • Double click TFC.exe to run it on XP (for Vista and Windows 7 right click and choose "Run as administrator") and once it opens click on the Start button on the lower left of the program to allow it to begin cleaning.
  • Please be patient as clearing out temp files may take a while.
  • Once it completes you may be prompted to restart your computer, please do so.
  • Once it's finished you may delete TFC.exe from your desktop or save it for later use for the cleaning of temporary files.

 

Then reboot the computer and run a new scan with MBAM and post back the new log please.

Link to post
Share on other sites

Hi Ron,

 

Thank you for your further instructions.

 

AdwCleaner

 

I ran AdwCleaner and the resulting log (S0) is attached.  However, I then discovered that "Show hidden files, folders and drives" was not enabled even though this had been done at the start of these procedures.  I therefore enabled it again and ran the scan again, the system having been cleaned on the first scan.  The resulting log ( S1) is attached.

 

MBAM

 

 I ran the full scan, checked for updates, then ran a Quick Scan.  The resulting MBAM  log is attached.

 

I feel a bit of a novice at these procedures though I have had some help from a computer professional friend.  Anyway I hope I have run everything correctly.

 

Many thanks again for your help.

 

John

 

AdwCleanerS0.txt

AdwCleanerS1.txt

MBAM-log-2013-10-12 (20-45-14).txt

Link to post
Share on other sites

Hi Ron,

 

thank you for your further instructions.

 

AdwCleaner.

 

I ran AdwCleaner and the resulting log ( S0) is attached.  However I then discovered the "Show hidden files, folders and drives" was not enabled even though this had been done at the start of these procedures. I therefore enabled it again and ran the scan again, the system having been cleaned on the first scan.  The resulting log ( S1) is attached.

 

MBAM

 

 I ran the full scan, checked for updates and then ran Quick Scan.  The resulting MBAM  scan is attached.

 

 

I feel a bit of a novice at these procedures, though I have had advice from a computer professional friend.  Anyway I hope I have run everything correctly.

 

Many thanks again for your help.

 

John

AdwCleanerS0.txt

AdwCleanerS1.txt

MBAM-log-2013-10-12 (20-45-14).txt

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.