I ran my security scans earlier and they both found a trojan on my system. As well as finding them, they did take a long time to complete, most likely due to it. Where they say they found it was in a temp file for Malwarebytes though, so this worries me. I restarted after finishing both scans and immediately tried a second scan with both. Neither found anything, however they still took longer than normal. I will attach the two FRST logs from just now running it as well as the Malwarebytes log where it found it. 

 

As a note about the anti-piracy policies. A couple of years ago I used BitTorrent to download a game on this computer; the game was only available by torrenting it. I have no idea if it's still this way or not. I uninstalled it after I used it, so if it still shows up then I would like to know how to get rid of it as it shouldn't be there. 

 

I would appreciate help in making sure my computer is truly clean and fixing the problem if there still is one hidden.

Addition.txt

FRST.txt

trojan.clickbot.txt


Hello gerik, welcome to Malwarebytes' Malware Removal forum!
 
My username is LiquidTension, but you can call me Adam. I will be assisting you with your malware-related problems.
If you would allow me to call you by your first name I would prefer that. :)
 
General P2P/Piracy Notice: 
 

If you are using Peer to Peer (P2P) filesharing software such as uTorrent, BitTorrent or similar you must either fully uninstall or completely disable the programme(s) from running whilst receiving assistance at this forum. 
Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.
If you have illegal/cracked/keygen or similar software on the computer, please remove/uninstall the software now and read the policy on Piracy. Failure to do so will also result in your topic being closed.

 
======================================================
 
Please read through the points below to ensure this process moves as quickly and efficiently as possible.

  • Please ensure you read through my instructions thoroughly, and carry out each step in the order specified.
  • If you are unable to copy/paste your logs directly into your post, please attach the file. 
  • Please do not run any tools or take any steps other than those I provide for you. Independent efforts may make matters worse, and will affect my ability in ascertaining the current situation and providing the best set of instructions for you.
  • Please backup important files before proceeding with my instructions. Malware removal can be unpredictable.
  • If you come across any issues whilst following my instructions, please stop and inform me of the issue in as much detail as possible. Please do not hesitate to ask before proceeding.
  • Topics are locked if no response is made after 4 days. Please inform me if you will require additional time to complete my instructions.
  • Ensure you are following this topic. Click the follow button at the top of the page. 
     

======================================================
 
The file flagged by MBAM looks to be a false-positive. See here: 
https://forums.malwarebytes.org/index.php?/topic/164660-nis-2014-detects-mbam-as-threat/
 
Your FRST logs are also clean. 
 
Let's run a few scans to double-check.

STEP 1
Farbar Recovery Scan Tool (FRST) Script

  • Press the Windows Key + R on your keyboard at the same time. Type Notepad and click OK.
  • Copy the entire contents of the codebox below and paste into the Notepad document.

    start
    CreateRestorePoint:
    ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  No File
    SearchScopes: HKLM-x32 -> DefaultScope value is missing.
    BHO-x32: No Name -> {bb46be07-13eb-4c49-b0f0-fc78b9ea4983} ->  No File
    CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - No Path
    CHR HKLM-x32\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - No Path
    S1 AntiLog32; \??\C:\Windows\system32\drivers\AntiLog64.sys [X]
    S3 keycrypt; system32\DRIVERS\KeyCrypt64.sys [X]
    CMD: ipconfig /flushdns
    EmptyTemp:
    end

  • Click File > Save As and type fixlist.txt as the File Name.
  • Important: The file must be saved in the same location as FRST64.exe. 

NOTICE: This script is intended for use on this particular machine. Do not use this script on any other machine; doing so may cause damage to your Operating System.

  • Right-click FRST64.exe and select Run as administrator to run the programme.
  • Click Fix.
  • A log (Fixlog.txt) will open on your desktop. Copy the contents of the log and paste in your next reply.
     

STEP 2
TDSSKiller Scan

  • Please download TDSSKiller and save the file to your Desktop.
  • Right-click TDSSKiller.exe and select Run as administrator to run the programme.
  • Click Change parameters. Place a checkmark next to:
    • Loaded Modules
    • Detect TDLFS file system
    • Verify file digital signatures
  • Note: If you receive the following message: Extended Monitoring Driver is required, click Reboot now, and continue from here following the reboot.
  • Click Start Scan. Do not use the computer during the scan.
  • If objects are found, change the action to skip.
  • Click Continue and close the window.
  • A log will be created and saved to the root directory (usually C:\). Attach the log in your next reply.
     

STEP 3
AdwCleaner

  • Please download AdwCleaner and save the file to your Desktop.
  • Right-click AdwCleaner.exe and select Run as administrator to run the programme.
  • Follow the prompts. 
  • Click Scan
  • Upon completion, click Report. A log (AdwCleaner[R0].txt) will open. Briefly check the log for anything you know to be legitimate. 
  • Ensure anything you know to be legitimate does not have a checkmark, and click Clean
  • Follow the prompts and allow your computer to reboot
  • After rebooting, a log (AdwCleaner[s0].txt) will open. Copy the contents of the log and paste in your next reply.

-- File and folder backups are made for items removed using this tool. Should a legitimate file or folder be removed (otherwise known as a 'false-positive'), simple steps can be taken to restore the item. Please do not overly concern yourself with the contents of AdwCleaner[R0].txt.
 
 
STEP 4
ESET Online Scan
Note: This scan may take a long time to complete. Please do not browse the Internet whilst your Anti-Virus is disabled.

  • Please download ESET Online Scan and save the file to your Desktop.
  • Temporarily disable your anti-virus software. For instructions, please refer to the following link.
  • Double-click esetsmartinstaller_enu.exe to run the programme. 
  • Agree to the EULA by placing a checkmark next to Yes, I accept the Terms of Use. Then click Start.
  • Agree to the Terms of Use once more and click Start. Allow components to download.
  • Place a checkmark next to Enable detection of potentially unwanted applications.
  • Click Advanced settings. Place a checkmark next to:
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Ensure Remove found threats is unchecked.
  • Click Start.
  • Wait for the scan to finish. Please be patient as this can take some time.
  • Upon completion, click List of found threats. If no threats were found, skip the next two bullet points. 
  • Click Export to text file... and save the file to your Desktop, naming it something such as "MyEsetScan".
  • Push the Back button.
  • Place a checkmark next to Uninstall application on close and click Finish.
  • Re-enable your anti-virus software.
  • Copy the contents of the log and paste in your next reply.
     

======================================================

STEP 5
Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

  • Fixlog.txt
  • TDSSKiller log (attached!)
  • AdwCleaner[s0].txt
  • ESET log

As I went a few hours without hearing anything, I booted the system into safe mode with networking and it's currently running a malwarebytes scan and a norton full system scan. Should I quit out those, or allow them to finish before I follow what you posted?


I'm still letting them scan, but I had a question about this false positive situation. I looked over the topic you linked and I actually encountered that problem last Thursday, where Norton was saying I had what it called Infostealer.gampass. I made a topic on here and got help with it. (The computer in question is different also.) However, this time it isn't just Norton finding it, but Malwarebytes itself. Is it uncommon for two security programs to find a false positive like that? As well, somehow when it found it both scans were slowed down compared to their normal speed.


I'm about to do the Eset scanner so I'm going to go ahead and post the rest of the info you wanted.

 

Fixlog

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 12-02-2015
Ran by Zach at 2015-02-13 01:20:46 Run:1
Running from C:\Users\Zach\Desktop
Loaded Profiles: Zach & UpdatusUser (Available profiles: Zach & others & UpdatusUser)
Boot Mode: Normal
==============================================
 
Content of fixlist:
*****************
CreateRestorePoint:
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  No File
SearchScopes: HKLM-x32 -> DefaultScope value is missing.
BHO-x32: No Name -> {bb46be07-13eb-4c49-b0f0-fc78b9ea4983} ->  No File
CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - No Path
CHR HKLM-x32\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - No Path
S1 AntiLog32; \??\C:\Windows\system32\drivers\AntiLog64.sys [X]
S3 keycrypt; system32\DRIVERS\KeyCrypt64.sys [X]
CMD: ipconfig /flushdns
EmptyTemp:
end
*****************
 
Restore point was successfully created.
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\00avast => Key not found. 
HKCR\CLSID\{472083B0-C522-11CF-8763-00608CC02F24} => Key not found. 
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value was restored successfully.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{bb46be07-13eb-4c49-b0f0-fc78b9ea4983}" => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{bb46be07-13eb-4c49-b0f0-fc78b9ea4983} => Key not found. 
"HKLM\SOFTWARE\Google\Chrome\Extensions\iikflkcanblccfahdhdonehdalibjnif" => Key deleted successfully.
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\iikflkcanblccfahdhdonehdalibjnif" => Key deleted successfully.
AntiLog32 => Service deleted successfully.
keycrypt => Service deleted successfully.
 
=========  ipconfig /flushdns =========
 
 
Windows IP Configuration
 
Successfully flushed the DNS Resolver Cache.
 
========= End of CMD: =========
 
EmptyTemp: => Removed 4.9 GB temporary data.
 
 
The system needed a reboot. 
 
==== End of Fixlog 01:22:07 ====
 
AdwCleaner
 
# AdwCleaner v4.110 - Logfile created 13/02/2015 at 01:50:13
# Updated 05/02/2015 by Xplode
# Database : 2015-02-13.1 [server]
# Operating system : Windows 7 Home Premium Service Pack 1 (x64)
# Username : Zach - ZACH-PC
# Running from : C:\Users\Zach\Desktop\AdwCleaner.exe
# Option : Cleaning
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
Folder Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Coupons
Folder Deleted : C:\Users\Zach\AppData\LocalLow\Simple Adblock
File Deleted : C:\Users\others\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_static.olark.com_0.localstorage-journal
 
***** [ Scheduled tasks ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{A85A5E6A-DE2C-4F4E-99DC-F469DF5A0EEC}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{EE171732-BEB4-4576-887D-CB62727F01CA}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\3152E1F19977892449DC968802CE8964
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\649A52D257CA5DB4EAAE8BA9EB23E467
Data Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] - *.local
 
***** [ Web browsers ] *****
 
-\\ Internet Explorer v11.0.9600.17631
 
 
-\\ Mozilla Firefox v31.0 (x86 en-US)
 
 
-\\ Google Chrome v40.0.2214.111
 
[C:\Users\others\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
[C:\Users\others\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [search Provider] : hxxp://www.ask.com/web?q={searchTerms}
[C:\Users\Zach\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
[C:\Users\Zach\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [search Provider] : hxxp://www.ask.com/web?q={searchTerms}
 
*************************
 
AdwCleaner[R0].txt - [2291 bytes] - [13/02/2015 01:47:33]
AdwCleaner[s0].txt - [2236 bytes] - [13/02/2015 01:50:13]
 
########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [2295  bytes] ##########
 
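The AdwCleaner cleaning log posted above has a regular structure (header lines, starred section headers, one "X Deleted : target" line per item, and browser sub-blocks). The following Python parser is an added example for readers who want to triage such logs programmatically; it is not part of this thread and not AdwCleaner's own code. The regular expressions are inferred from the log above (an assumption about the format), and SAMPLE_LOG is an abridged copy of that log. Defanged "hxxp" targets are kept defanged on purpose.

```python
"""Parse an AdwCleaner v4 cleaning log into its sections and deleted items.

Added example, not AdwCleaner's own code. The regular expressions are inferred
from the log posted in the thread (an assumption about the format); SAMPLE_LOG
is an abridged copy of that log.
"""
import re

SAMPLE_LOG = r"""# AdwCleaner v4.110 - Logfile created 13/02/2015 at 01:50:13
# Option : Cleaning

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Coupons
Folder Deleted : C:\Users\Zach\AppData\LocalLow\Simple Adblock
File Deleted : C:\Users\others\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_static.olark.com_0.localstorage-journal

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\3152E1F19977892449DC968802CE8964
Data Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] - *.local

***** [ Web browsers ] *****

-\\ Internet Explorer v11.0.9600.17631


-\\ Google Chrome v40.0.2214.111

[C:\Users\Zach\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
[C:\Users\Zach\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [search Provider] : hxxp://www.ask.com/web?q={searchTerms}

*************************
"""

META_RE = re.compile(r"^# (.+?) : (.+)$")              # "# Option : Cleaning"
SECTION_RE = re.compile(r"^\*{5} \[ (.+?) \] \*{5}$")  # "***** [ Registry ] *****"
ITEM_RE = re.compile(r"^(File|Folder|Key|Value|Data) (Deleted|Restored) : (.+)$")
BROWSER_RE = re.compile(r"^-\\\\ (.+)$")               # "-\\ Google Chrome v40..."
BROWSER_ITEM_RE = re.compile(r"^\[(.+?)\] - (Deleted|Restored) \[(.+?)\] : (.+)$")


def parse_adwcleaner(text):
    """Return {"meta": {...}, "sections": {name: [item, ...]}}.

    Each item has "kind", "action" and "target"; file/registry items also carry
    "x64" (True when the log prefixed the key with "[x64]"), browser items carry
    "browser" and "profile".
    """
    parsed = {"meta": {}, "sections": {}}
    section = None
    browser = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            parsed["sections"][section] = []
            browser = None
            continue
        if section is None:                  # still in the "# ..." header
            m = META_RE.match(line)
            if m:
                parsed["meta"][m.group(1)] = m.group(2)
            continue
        if line.startswith("*****"):         # trailing separator line
            continue
        m = BROWSER_RE.match(line)
        if m:
            browser = m.group(1)
            continue
        m = BROWSER_ITEM_RE.match(line)
        if m:
            parsed["sections"][section].append({
                "kind": m.group(3), "action": m.group(2), "target": m.group(4),
                "browser": browser, "profile": m.group(1)})
            continue
        m = ITEM_RE.match(line)
        if m:
            target = m.group(3)
            x64 = target.startswith("[x64] ")
            if x64:
                target = target[len("[x64] "):]
            parsed["sections"][section].append({
                "kind": m.group(1), "action": m.group(2), "target": target, "x64": x64})
    return parsed


def summarize(parsed):
    """Number of items per section; a section the tool printed empty counts 0."""
    return {name: len(items) for name, items in parsed["sections"].items()}


def defanged_targets(parsed):
    """Targets AdwCleaner wrote with a defanged scheme (hxxp/hxxps) so the log
    cannot be clicked by accident; they are returned still defanged."""
    return [item["target"] for items in parsed["sections"].values()
            for item in items if "hxxp" in item["target"]]


if __name__ == "__main__":
    result = parse_adwcleaner(SAMPLE_LOG)
    print(result["meta"], summarize(result), defanged_targets(result), sep="\n")
```

Run as a script it prints the header metadata, the per-section item counts and the defanged targets; as a module, parse_adwcleaner() can be pointed at a real AdwCleaner[S0].txt read from disk.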

When I tried to attach the tdsskiller log it said "Upload skipped. No file was selected." I moved the log file to the desktop thinking I needed it there for some reason. Do you think this is the problem and do I need to rerun the tool? (When it ran it found nothing.)


I'm about to do the ESET online scan but I had a question. As I have to disable my anti-virus for it, when I run the program, after it gets its database update and it's running, can I disconnect the computer from the internet whilst it scans? Or does it need to have an internet connection as it's an online scanner?


Hello,

There's nothing concerning so far. The results from AdwCleaner are related to adware/Potentially Unwanted Programmes (PUPs) which are of little concern.

Regarding ESET - you need to be connected to the Internet to run the scan. I appreciate your concern with disabling your Anti-Virus. Leaving the AV enabled may significantly increase scan time, cause conflicts affecting the stability of your computer and trigger false-positives (incorrect flagging of a legitimate file) or false-negatives (failure to flag a malicious file).

As long as you do not browse the Internet whilst the scan is running, you should be OK. The very same instructions are issued to users hundreds/thousands of times every day.


Hello, 

    "Is it uncommon for two security programs to find a false positive like that?"

From the original link provided: 

    "This is a tmp file that is generated by Norton actually in our folder. It's a false positive on their part but has to do with their endpoint security and file caching. I have seen this quite a few times. It's not an active piece of malware or anything."

 
Also see others reporting the same: 
https://forums.malwarebytes.org/index.php?/topic/162117-mbam-with-trojancryect/
http://community.norton.com/en/forums/norton-360-premier-flagged-malwarebytes-tmp-file
 
The file does not appear to be malicious. 
 
--------
 
Do you have any other concerns or outstanding issues with your computer?


Hello, 

    "I was only worried about the detection by the both of them and wanted to make sure my computer was safe."

Yes, your computer appears clean. 
 
Let's update your vulnerable software to reduce the risk of infection. 
 
STEP 1
Update Outdated Software

Outdated software contains security risks that must be patched. Please download and install the latest version of the programmes below.

STEP 2
Remove Outdated Software

  • Press the Windows Key + R on your keyboard at the same time. Type appwiz.cpl and click OK.
  • Search for the following programmes, right-click and click Uninstall one at a time.
  • Note: The programmes below may not be present. If this is the case, please skip to the next step.
    • Adobe Shockwave Player 12.0
    • JavaFX 2.1.1
  • Follow the prompts, and reboot if necessary.
     

STEP 3
Disable Java in Your Browser
Due to frequent exploits we recommend you disable Java in your browser.
For information on Java vulnerabilities, please read the following article (point #7).

  • Click the Windows Start Button and type Java Control Panel (or javacpl) in the search bar. 
  • Click on the Java Control Panel. Once opened, click the Security tab.
  • Deselect the check box for Enable Java content in the browser. This will disable the Java plug-in in the browser. 
  • Click Apply. When the Windows User Account Control (UAC) prompt appears, allow permissions to make the changes. 
  • Click OK in the Java Plug-in confirmation window.
  • Restart your browser(s) for changes to take effect.
  • More information can be found here and here.
     

STEP 4
Security Check

  • Please download SecurityCheck and save the file to your Desktop.
  • Double-click SecurityCheck.exe and follow the onscreen instructions inside the black box.
  • A log (checkup.txt) will automatically open on your Desktop.
  • Copy the contents of the log and paste in your next reply.
     

======================================================
 
STEP 5
Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

  • checkup.txt
  • How is your computer performing? Are there any outstanding issues?

I uninstalled the outdated software, as they are things I don't use, and uninstalled the other stuff you asked. I sadly can't disable Java as I have to have it for school work. 

 

Here is the log.

 

Results of screen317's Security Check version 0.99.96  
 Windows 7 Service Pack 1 x64 (UAC is enabled)  
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:`````````````` 
 Windows Firewall Enabled!  
Norton Security Suite   
 WMI entry may not exist for antivirus; attempting automatic update. 
`````````Anti-malware/Other Utilities Check:````````` 
 Java 8 Update 31  
 Java version 32-bit out of Date! 
  Java 64-bit 8 Update 31  
 Adobe Flash Player 16.0.0.305  
 Adobe Reader XI  
 Google Chrome (40.0.2214.111) 
 Google Chrome (40.0.2214.94) 
````````Process Check: objlist.exe by Laurent````````  
 Malwarebytes Anti-Exploit mbae-svc.exe   
 Malwarebytes Anti-Exploit mbae64.exe   
 Malwarebytes Anti-Exploit mbae.exe   
 Symantec Norton Online Backup NOBuAgent.exe  
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C: 0% 
````````````````````End of Log`````````````````````` 

Hello, 

    "As you said my computer appears to be clean and I uninstalled what you wanted, I should be clear for normal usage and just need to run the DelFix to get rid of the tools, right?"

Yes, that's correct.
 
All Clean!
Congratulations, your computer appears clean!  :)
I no longer see signs of malware on your computer, and feel satisfied that our work here is done. The steps below will remove the tools we have used, and reset any settings changed. I have also provided a list of resources and tools that you may find useful.
 
My help will always be free. But if you are happy with the help provided, and would like to support my fight against malware and/or buy me a beer, please consider a donation.
 
DelFix

  • Please download DelFix and save the file to your Desktop.
  • Double-click DelFix.exe to run the programme.
  • Place a checkmark next to the following items:
    • Activate UAC
    • Remove disinfection tools
    • Create registry backup
    • Purge system restore
    • Reset system settings
  • Click the Run button.

-- This will remove the specialised tools we used to disinfect your system. Any leftover logs, files, folders or tools remaining on your Desktop which were not removed can be deleted manually (right-click the file + delete).
 
======================================================
 
I have compiled below a list of resources you may find useful. The articles document information on computer security, common infection vectors and how you can stay safe on the Internet.

The following programmes come highly recommended in the security community.

  • AdBlock is a browser add-on that blocks annoying banners, pop-ups and video ads.
  • CryptoPrevent places policy restrictions on loading points for ransomware (eg. CryptoWall), helping prevent the execution of malware. 
  • Malwarebytes Anti-Exploit (MBAE) is designed to prevent zero-day malware from exploiting vulnerable software.
  • Malwarebytes Anti-Malware Premium (MBAM) works in real-time alongside your Anti-Virus to prevent malware execution.
  • NoScript is a Firefox add-on that blocks the actions of malicious scripts by using whitelisting and other technology.
  • Sandboxie isolates programmes of your choice, preventing files from being written to your HDD unless approved by you.
  • Secunia PSI will scan your computer for vulnerable software that is outdated and automatically find the latest update for you.
  • SpywareBlaster is a form of passive protection, designed to block the actions of malicious websites and tracking cookies.
  • Web of Trust (WOT) is a browser add-on designed to alert you before interacting with a potentially malicious website.

-- Please feel free to ask if you have any questions or concerns on computer security or the programmes above.
 
======================================================
 
Please confirm you have no outstanding issues, and are happy with the state of your computer. Once I have confirmation things are in order, we can wrap things up and I will close this thread. 
 
Thank you for using Malwarebytes.
 
Safe Surfing. :)    
Adam


I ran the DelFix and it cleaned up the tools and logs. I did take notice that, compared to the last time when I ran it, you asked me to choose the UAC option, which I wasn't asked to the last time. I ran it and tried testing to make sure UAC was working, and when I tried to run Malwarebytes it didn't pop up the UAC window and just went straight to it. I checked the UAC settings and set them to maximum and tried again, and it still didn't bring up UAC. So I restarted and now the UAC is back. I guess it was just a small issue that a restart fixed.
