Jump to content

Website blocked due to Trojan

csalmon
 Share

Recommended Posts

nasdaq

nasdaq

Posted
Posted

Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Your logs are clean.

===

If the problem persists in Firefox and you are Syncing with other Devices reset it.
https://support.mozilla.org/en-US/kb/how-do-i-set-sync-my-computer

When all is well you can re-sync your devices.

===

If the problem persists  and this happens only when the Shortcut is executed it could be compromised.

Scan the computer with the Farbar program and check the the box to create a the shortcut file.

Post the log for my review.

p.s.

You did not attach the MBAM log.

 

Link to post
Share on other sites
nasdaq

nasdaq

Posted
Posted

Hi,

Please download Malwarebytes Anti-Malware from here
Just update if necessary. 


  • Right-click on the MBAM icon and select Run as administrator to run the tool.
  • Click Yes to accept any security warnings that may appear.
  • Once the MBAM dashboard opens, on the right detail pane click on the word "Current" under the Scan Status to update the tool database.
  • On the left menu pane click the Settings tab, and then select the Protection tab on the top.
  • Under the Scan Options, turn on the button Scan for rootkits and Scan within archives.
  • Click the Scan tab on the right detail pane, select Threat Scan and click the Start Scan button
  • Note: The scan may take some time to finish, so please be patient.
  • If potential threats are detected, ensure to check mark all the listed items, and click the Quarantine Selected button.
  • While still on the Scan tab, click the View Report button, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log can also be viewed by clicking the log to select it, then clicking the View Report button.


Please post the log for my review.

Note: If asked to restart the computer, please do so immediately.
===

Post the log for my review.

Link to post
Share on other sites
csalmon

csalmon

Posted
  • Author
Posted

MBAM logfile attached.  The file in question was shortcut file that was disguised as a .avi movie file.  The target in the file was executing an elevated powershell command.  I know these logs don't seem to show any infections but I am very suspicious of this file.  I am nervous that malware scanners are not identifying this file correctly.  Unfortunately the file is 1.5GB so it too big to upload anywhere to check.

Malwarebytes Summary File.txt

Link to post
Share on other sites
nasdaq

nasdaq

Posted
Posted


Hi,

For your peace of mind run this scan.

Please download Sophos Virus Removal Tool and save it to your computer's Desktop.

  • Right-click the icon and select Run as administrator.
  • Click Yes to accept any security warnings that may appear.
  • Click the Next button.
  • Select 'I accept the terms in the license agreement', then click Next twice.
  • Click the Install button and wait until the installation is complete.
  • Click the Finish button. The tool created a shortcut icon on the Desktop of your computer.
  • Now, double-click the Sophos Virus Removal Tool shortcut icon to run the tool.
  • Click Yes to accept any security warnings that may appear.
  • After it updates and a "Start Scanning" button appears in the lower right:
    • Disconnect from the Internet or physically unplug your Internet cable connection.
    • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
    • Temporarily disable your anti-virus and real-time anti-spyware protection.



Windows Vista and above:
C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs\SophosVirusRemovalTool.log
 
Please post the contents of the log in your next reply and note any errors encountered.
===

Link to post
Share on other sites
csalmon

csalmon

Posted
  • Author
Posted

Nasdaq, my friend just let me know that since the file I uploaded to virustotal was in the form of filename.avi.lnk with the target being powershell, it only scanned the powershell command  on my PC.  He opened the file in a hex editor and stripped out the extra padding and rechecked it on virustotal.  This is a very different result on the actual file.  What are your thoughts on this?

https://www.virustotal.com/#/file/bb745ee7b0bd0dd70ab075a068e18e5ad38b30f0a3758c7e9efffd00b7c5658c/detection

Link to post
Share on other sites
csalmon

csalmon

Posted
  • Author
Posted

Thanks, unfortunately he had already run it.  Since there is definitely something fishy with the file and no virus scanners seem able to identify it as a threat, I think at this point it is probably best to just reinstall windows to a new drive and start over.

Thanks again nasdaq!

Link to post
Share on other sites
  • Root Admin
AdvancedSetup

AdvancedSetup

Posted
  • Root Admin
Posted

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Thanks

 

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.

  I accept