Winsnare Infection


Hello !

For some days my PC has been infected with the Winsnare program, which keeps re-installing itself...
I've removed it several times and it sometimes just re-appears! I followed tutorials this morning but I'm not sure if it's enough (Malwarebytes is still finding some infections!!)

My PC is in French :D Sorry for this!

Thanks in advance for your help. :) I'll stay tuned to finish this fast!

 

Addition.txt

FRST.txt

Malwares_Analyse_First.txt

Malwares_Analyse_Last.txt


Hello Ba19 and welcome to the Forum.

I'm Android 8888 and I'll be helping you with your malware issues. Please ask questions if anything is unclear.

I suggest printing out each set of instructions or copying them to a Notepad file, and reading the entire post before proceeding. It will make following them easier.

Please DO NOT run any tools on your own and follow the directions in the order listed.

Make sure to run all the tools from the Desktop and with Administrator privileges.

With that being said, let's start.


Please uninstall the following program using the Programs and Features applet:
Ace Stream Media 3.1.2

If you have an issue when uninstalling this program, please let me know.


Next,
FRST Fix
Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.

  • Download the attached fixlist.txt file, and save it on your Desktop (or wherever your FRST64.exe executable is located); DO NOT open or modify the file;
  • Right-click on the FRST executable and select Run as Administrator;
  • Click on the Fix button;
  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad;
  • Please attach the fixlog.txt log in your next reply;

AdwCleaner Clean

  • Download AdwCleaner and move it to your Desktop;
  • Right-click on AdwCleaner.exe and select Run as Administrator;
  • Accept the EULA (I accept), let the database update, then click on Scan;
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Clean button. This will kill all the active processes;
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it;
  • After the restart, a log will open when logging in. Please attach the log in your next reply;

Junkware Removal Tool

  • Download Junkware Removal Tool (JRT) and move it to your Desktop;
  • Right-click on JRT.exe and select Run as Administrator;
  • Press any key to launch the scan and let it complete;
  • Once the scan is complete, a log will open. Please attach the log in your next reply;

Malwarebytes

  • Please download Malwarebytes version 3 from here and install it on your computer.
  • Right-click on the Malwarebytes icon and select Run as administrator to run the tool.
  • Click Yes to accept any security warnings that may appear.
  • Once the Malwarebytes dashboard opens, on the right detail pane click on the word "Current" under the Scan Status to update the tool's database.
  • On the left menu pane click on the Settings tab, and then select the Protection tab on the top.
  • Under the "Scan Options", turn on the buttons Scan for rootkits and Scan within archives.
  • Click the Scan tab on the right detail pane, select Threat Scan and click the Start Scan button.
  • Note: The scan may take some time to finish, so please be patient.
  • If potential threats are detected, ensure to checkmark all the listed items, and click the Quarantine Selected button.
  • While still on the Scan tab, click the View Report button, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log can also be viewed by clicking the log to select it, then clicking the View Report button.
  • Please attach the log for my review.


Note: If asked to restart the computer, please do so immediately.


To summarize, please attach in your next reply the following logs:
The fixlog.txt produced by FRST;
The AdwCleaner clean log;
The JRT log;
The Malwarebytes log.

How is the computer running? What issues are you still having on the computer?

Thank you.

Android8888

fixlist.txt

Edited by Android8888

Thanks, here are the files,

I intend to reinstall Ace Stream because I'm using it (installed on purpose, not a malicious program :) )

Otherwise everything looks fine now; the host page on Firefox, Chrome and Opera is fine.

The tools you gave me just destroyed some icons but I'll rebuild them and hope for them to work again :P

Thanks for your help, :) have a great sunny day!

MalwaresByte.txt

Fixlog.txt

AdwCleaner[C0].txt

JRT.txt


Hello Ba19.

You're welcome and thank you for providing me those logs.

It appears that Malwarebytes has not taken any action on the threats it found, so they will remain active on your computer. In addition, I can see that the "Scan for rootkits" and "Scan within archives" options are both disabled.

Please re-run Malwarebytes and remove all the threats it finds. To do that:
  • On the left pane select Settings;
  • Select the Protection tab;
  • Scroll down to Scan Options and ensure Scan for Rootkits and Scan within Archives are both on, and leave all other settings at default.
  • Go back to the Dashboard and select the blue Scan Now tab; Note: The scan may take some time to finish, so please be patient.
  • When the scan completes, if potential threats are detected, ensure to checkmark all the listed items, and click the Quarantine Selected button.
  • While still on the Scan tab, click the View Report button, and in the window that opens click the Export button, select Text file (*.txt), give it a name and save it to your Desktop.
  • The log can also be viewed by clicking the log to select it, then clicking the View Report button.
  • Please attach the log in your next reply.


After performing the scan with Malwarebytes it's time to check for leftovers of infection with Sophos Virus Removal Tool.

Please download Sophos Virus Removal Tool and save it to your computer's Desktop.

  • Right-click the icon and select Run as administrator.
  • Click Yes to accept any security warnings that may appear.
  • Click the Next button.
  • Select 'I accept the terms in the license agreement', then click Next twice.
  • Click the Install button and wait until the installation is complete.
  • Click the Finish button. The tool created a shortcut icon on the Desktop of your computer.
  • Now, double-click the Sophos Virus Removal Tool shortcut icon to run the tool.
  • Click Yes to accept any security warnings that may appear.
  • After it updates and a "Start Scanning" button appears in the lower right:
    • Disconnect from the Internet or physically unplug your Internet cable connection.
    • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
    • Temporarily disable your anti-virus and real-time anti-spyware protection.

  • Click the "Start Scanning" button in the lower right to start the scan.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, if it detected anything there will be a "Start Clean-up" button, click it and allow it to finish.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.
  • If any threats are found click Details, then View Log file (bottom left-hand corner).
  • Copy and paste its contents in your next reply and note any errors encountered.
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup.
  • Click Exit to close the program.
  • If no threats were found, please confirm that result.


Note: Whenever necessary, the log will be in the following location:

C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs\SophosVirusRemovalTool.log


In your next reply, please attach:
The MBAM clean log;
The SVRT log.

Are there any issues or concerns with your computer?

Thank you.


Hello and sorry for the late reply.

 

On 09/04/2017 at 9:45 PM, Ba19 said:

thanks for everything !

You're very welcome!

 

Malwarebytes and Sophos removed the threats they found. Each tool covers different types of threats so you don't need to worry about that.
Your computer appears to be clean at this point.

 

On 09/04/2017 at 9:45 PM, Ba19 said:

I saw that my Antivirus (Avira) is always blocking the access to the host file when i run malwarebytes.

This is probably due to the fact that, for whatever reason, Malwarebytes requires access to read the Hosts file when it runs. But certainly this is not a threat.


Now let's perform some updates:

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
The latest version is Java 8 Update 121.

You can manually check your present version and update as recommended.
https://www.java.com...d/installed.jsp

Be careful not to install malware posing as Java update!
Important read this blog.
http://blog.trendmic...java-0-day-fix/

If you are not developing Java programs, I suggest you remove the old version(s) of Java using the Programs and Features applet, which can be found by right-clicking on Start > Control Panel > Programs and Features.


Run a program like Personal Software Inspector (PSI) or FileHippo Update Checker to see what programs need to be updated.


After performing the updates you can remove the tools we used in the malware removal process by using Delfix.

Follow the instructions below to download and execute DelFix.

  • Download DelFix and move the executable to your Desktop;
  • Right-click on DelFix.exe and select Run as Administrator;
  • Check the following options:
    • Activate UAC (This option will enable the User Account Control feature).
    • Remove disinfection tools (this option will remove the tools used in the cleaning process).
    • Create registry backup (this option will create a backup from the Windows Registry).
    • Purge system restore (this option will remove all previous and possibly infected restore points, and will create a new and clean restore point of your system).
    • Reset system settings (this option will reset any system settings back to default that were changed either by us during cleansing or by malware infection).
  • Once the options mentioned above are checked, click on Run;
  • After DelFix is done running, a log will open. Please copy and paste the entire content of the output log in your next reply;

You can also delete any logs that may have been left on your system.

Are there any issues or concerns with your computer at this point?


Hello Ba19 and sorry for the late reply. I have been out for some days and now I'm back.

Thank you for providing me the DelFix log. It indicates that the tool went well.

 

If your computer is running well please consider using these ideas and recommendations to help secure your computer and prevent future malware infections.

Keep your Windows Operating System up-to-date.

Keep your Anti-virus program up-to-date.

Please note: Many installers offer third-party downloads that are installed automatically when you do not uncheck certain checkboxes. While most of the time they are not malicious, you usually do not want these on your computer. Be careful during the installation process and you will avoid seeing tons of new unwanted toolbars in your favorite web browser.

Keep Malwarebytes Anti-Malware (MBAM) updated and perform a regular scan of your system, as it will make it harder for malware to reside on your computer.
A tutorial on using MBAM can be found here and a complete guide here.

Please Note: Only the paid-for version has real-time capabilities.

A free non-resident utility to prevent the installation of ActiveX-based malware is JavaCool's SpywareBlaster, available here.

Please keep these programs up-to-date and run them whenever you suspect a problem to prevent malware problems. A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall and scanning anti-spyware program at a time. Passive protectors, like SpywareBlaster can be run with any of them.

Note that there are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure.

A similar category of programs is now called "scareware." Scareware programs are active infections that will pop-up on your computer and tell you that you are infected. If you look closely, it will usually have a name that looks like it might be legitimate, but it is NOT one of the programs you installed. It tells you to click and install it right away. If you click on any part of it, including the 'X' to close it, you may actually help it infect your computer further. Keeping protection updated and running resident protection can help prevent these infections. If it happens anyway, get offline as quickly as you can. Pull the internet connection cable or shut down the computer if you have to. Contact someone to help by using another computer if possible. These programs are also sometimes called 'rogues', but they are different than the older version of rogues mentioned above.

Another much-feared threat at the moment is infection by ransomware. A ransomware infection is a program that ransoms the data or functionality of your computer until you perform an action. This action is typically to pay a ransom in the form of Bitcoins or another payment method. I advise you to read more info on this terrible threat here and here.

Please keep your programs up to date. This applies to Adobe Flash Player, Java and all your Internet Browsers in particular. Vulnerabilities in these programs are often exploited in order to install malware on your PC.

Be careful with flash drives, as they can spread infections. See this post on USB/flash drive safety.

Stay away from P2P software; even with a clean P2P program, their networks are often riddled with malware.

Don't click on attachments or links in e-mail, and read your e-mail in text-only mode for the highest safety.

Don't click on links received in instant message programs.

A HOSTS file will prevent Internet Explorer from communicating with sites known to be associated with adware or spyware. A good, regularly updated HOSTS file is the MVPS HOSTS File, available here.

For much more useful and complete information, please read the following links to fully understand PC Security and Best Practices:
So how did I get infected in the first place
Answers to common security questions - Best Practices

Hopefully these steps will help to keep you error and malware free. If you run into more difficulty, we will certainly do what we can to help.

Happy surfing and stay safe.

 

Are there any issues or concerns with this computer?

Android8888

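As an added illustration (not part of this thread or of any of the tools mentioned), the script below reads a HOSTS file the way the resolver does, reports whether a name is sinkholed to a null or loopback address, and flags entries that send a name somewhere else, which is the kind of tampering an antivirus guards the file against. The file content, hostnames and addresses are constructed placeholders.

```python
import ipaddress

# Constructed sample hosts file (placeholder names, not from the thread).
# It mixes a comment, a tab-separated line, one malformed line,
# block-list style entries, and one entry that redirects a name to an
# external address (a documentation-range IP standing in for a hijack).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0   ads.example-adserver.test  tracker.example-adserver.test
127.0.0.1\tpopup.example-spyware.test   # blocked by a block list
badline         junk.example.test
203.0.113.7     update.example-vendor.test
::1             localhost
"""


def parse_hosts(text):
    """Return a list of (ip_address, [hostnames]) for every active line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = line.split()                     # spaces or tabs both work
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                             # resolver ignores bad lines
        entries.append((addr, [h.lower() for h in parts[1:]]))
    return entries


def is_sinkhole(addr):
    """A blocking hosts file only ever points names at null or loopback."""
    return addr.is_unspecified or addr.is_loopback


def is_blocked(text, hostname):
    """True if hostname is mapped to a null/loopback address (case-insensitive)."""
    hostname = hostname.lower()
    return any(is_sinkhole(addr) and hostname in hosts
               for addr, hosts in parse_hosts(text))


def suspicious_redirects(text):
    """Hostnames mapped to a real address: a block list never does this,
    so such lines deserve a look (e.g. a vendor name pointed elsewhere)."""
    return [h for addr, hosts in parse_hosts(text)
            if not is_sinkhole(addr) for h in hosts]
```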

  • Root Admin

Glad we could help. :) If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!
