Jump to content

Malwarebytes detecting an outbound Trojan on Everything Variation 2

AllanM

By AllanM
in Resolved Malware Removal Logs

 Share

Recommended Posts

AllanM

AllanM

Posted
Posted

As kindly asked by nasdaq, (Thank You!!), I am opening my Own topic here. I am having pretty much the same problem as Oreo on the earlier thread
"Malwarebytes detecting an outbound Trojan on Everything". As requested, here are my FRST.txt and Addition.txt files.

Thanks.  PS I am not an expert at any of this, so apologies if I have made mistakes.

I tried to include the FRST and Addition files as inline text, but the MWB forum interface rejected the submission, saying it looked like spam, so I include them as attachments, 

FRST_04-12-2018 14.13.10.txt

Addition_04-12-2018 14.13.10.txt

Link to post
Share on other sites
nasdaq

nasdaq

Posted
Posted

Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please download the attached Fixlist.txt file to  the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Let me know if the problem persists.

p.s.
If Malwarebytes reports some issues please post the log for my review.

fixlist.txt

Link to post
Share on other sites
AllanM

AllanM

Posted
  • Author
Posted

Hi nasdaq,

many thanks for all your attention to this. I ran FRST and pressed Fix once. I attach here the Fixlog.txt file it generated.

To reply here, I had to launch Chrome, and thereby discovered that the problem persists.

Chrome went straight to    go.microsoft.com/?69157  , and on later tabs, Malwarebytes is still giving me  "Website blocked due to Trojan" with outbound to 

cdn.immereeako.info at every new tab or search.

I also note that, since the reboot that FRST asked for,  there exists a subdirectory called C:\ProgramData\itranslator, and within that 

there is a fresh (10 minutes ago) version of a Text Document called 

"update" which is 5.8Mb, and if I open that in Notepad I get pages and pages of Chinese(?) characters.

best wishes, and thanks

 

 

 

Fixlog.txt

Link to post
Share on other sites
AllanM

AllanM

Posted
  • Author
Posted

Hi nasdaq,

I am so grateful for your efforts and I apologise for this, but I have deadlines etc, and I couldn't just sit on my hands. I read a few other blogs and forums online, and tried my own solution. I downloaded and ran Hitmanpro, which found and eliminated (on reboot) the iNetfilterSvc and the trojan called evwschQTcA. I ran Hitmanpro again and ti said all was clean.

I then ran MWB AdwCleaner which found nothing, and then a full Mallwarebytes Premium Trial, which found 17 drivers in places like /SSL, including the SAMPLE CA 2 certificate, and it quarantined them all successfully.

I then ran Chrome and Edge, and hooray - it didn't head off to go.microsoft.com/?69157 on the first tab, and there were no outbound Trojans detected on all later searches!

So hooray, it was all clean!

OR SO I THOUGHT!!!! 

Now, it is only when I go to the Outlook or Hotmail page to check my mail and load my Inbox that up pops the same MWB warning

"Website blocked due to Trojan",  with outbound to cdn.immereeako.info, same as it as ever was.

Darn it. I thought it was clean, but somehow, and I have no idea how, it now seems to be confined to calls to Hotmail and or Outlook.

Maybe its some sort of remnant. I have no idea.

There is no C:/ProgramData/itranslator directory any more, which is good. And no C:\Windows\iNetfilterSvc.

But there must still be something somewhere.

Anyway, I can understand if you are fed up with me for not waiting for you, but I really do appreciate all the efforts you made for me, 

and I am grateful to MWB, which even now is preventing unwanted malicious outbounds.

I'll try rebooting and rerunning MWB and the various AV and see what happens.

 

Link to post
Share on other sites
AllanM

AllanM

Posted
  • Author
Posted

... and now a complete uninstall/reinstall of Chrome, and deleting all passwords, browsing history, etc, everything, seems to have cleaned up the hotmail problem.

So, fingers crossed, I am now all clean. I will be buying the Malwarebytes Premium though, because it has doubtless saved me a lot of grief.

Many thanks indeed to nasdaq.

Link to post
Share on other sites
AllanM

AllanM

Posted
  • Author
Posted

Hi nasdaq,

again, many thanks for all your help. One of the main problems seemed to be the way that the infection protected all its files, so that they could not be deleted or stopped, even when I had found them. I suspect there is a strong chance that your Fixlist.txt, although it did not eradicate everything first time, actually disabled a lot of the protection, such that when I later ran HitmanPro, it could then get to and kill the offending objects. So there is much credit to you, I think.

And also, I forgot to mention, that the final clean I had to do was running certmgr in a Windows Power Shell to delete a couple of SAMPLE CA 2 certificates that were still lying around.

Anyway, I have been using the machine for a day now, and it all seems clean, so hooray, I can get on with my work, with no outbound Trojan traffic!

Thanks again.

 

Link to post
Share on other sites
Jevykur

Jevykur

Posted
Posted

AllanM! Truly glad to read this thread. I'm having the EXACT same issue since a few days and I'm going crazy trying to get rid of it. I've been trying so many things... I get the yahoo redirection, ads by pa, go.microsoft.com/?69157  and the MWB warning everywhere. May I ask the exact step you took so that I may attempt to get rid of it, please? I def need help

Link to post
Share on other sites
AllanM

AllanM

Posted
  • Author
Posted

Hi Jevykur,

It was HitmanPro (free trial download), followed by MalwareBytes AntiMalware Premium (trial download).

Final cleanup, as described in the earlier posts, was to reinstall Chrome and to use certmgr to delete a couple of certificates.

But before that,  I had help from nasdaq, and there is a chance that nasdaq's Fixlist.txt file disabled the bug so that the HitmanPro/MBAM combo worked.

I suggest you contact nasdaq. Good luck!

 

Link to post
Share on other sites
Jevykur

Jevykur

Posted
Posted

Thank you! I just ran HitmanPro and it found the trojan and deleted it, I'm running MalwareBytes atm. I'm not quite sure how to do the certmgr though... Can you run me through it, if that's not too much trouble? 

 

I also did the fixlist.txt things while trying to fix it a few days ago!

Link to post
Share on other sites
  • Root Admin
AdvancedSetup

AdvancedSetup

Posted
  • Root Admin
Posted

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Thanks

 

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.