csalmon

Website blocked due to Trojan


My roommate ran a shortcut he downloaded, and it appears to have installed some kind of malware. Malwarebytes is giving me this error now. Please help. Log files are attached.

FRST.txt

Addition.txt


Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Your logs are clean.

===

If the problem persists in Firefox and you are Syncing with other Devices reset it.
https://support.mozilla.org/en-US/kb/how-do-i-set-sync-my-computer

When all is well you can re-sync your devices.

===

If the problem persists and this happens only when the shortcut is executed, it could be compromised.

Scan the computer with the Farbar program and check the box to create the shortcut file.

Post the log for my review.

p.s.

You did not attach the MBAM log.


Hi,

Please download Malwarebytes Anti-Malware from here
Just update if necessary. 


  • Right-click on the MBAM icon and select Run as administrator to run the tool.
  • Click Yes to accept any security warnings that may appear.
  • Once the MBAM dashboard opens, on the right detail pane click on the word "Current" under the Scan Status to update the tool database.
  • On the left menu pane click the Settings tab, and then select the Protection tab on the top.
  • Under the Scan Options, turn on the button Scan for rootkits and Scan within archives.
  • Click the Scan tab on the right detail pane, select Threat Scan and click the Start Scan button.
  • Note: The scan may take some time to finish, so please be patient.
  • If potential threats are detected, be sure to check-mark all the listed items, and click the Quarantine Selected button.
  • While still on the Scan tab, click the View Report button, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log can also be viewed by clicking the log to select it, then clicking the View Report button.


Please post the log for my review.

Note: If asked to restart the computer, please do so immediately.
===

Post the log for my review.


MBAM logfile attached. The file in question was a shortcut file that was disguised as a .avi movie file. The target in the file was executing an elevated PowerShell command. I know these logs don't seem to show any infections, but I am very suspicious of this file. I am nervous that malware scanners are not identifying this file correctly. Unfortunately the file is 1.5 GB, so it is too big to upload anywhere to check.

Malwarebytes Summary File.txt

Hi,

For your peace of mind run this scan.

Please download Sophos Virus Removal Tool and save it to your computer's Desktop.

  • Right-click the icon and select Run as administrator.
  • Click Yes to accept any security warnings that may appear.
  • Click the Next button.
  • Select 'I accept the terms in the license agreement', then click Next twice.
  • Click the Install button and wait until the installation is complete.
  • Click the Finish button. The tool created a shortcut icon on the Desktop of your computer.
  • Now, double-click the Sophos Virus Removal Tool shortcut icon to run the tool.
  • Click Yes to accept any security warnings that may appear.
  • After it updates and a "Start Scanning" button appears in the lower right:
    • Disconnect from the Internet or physically unplug your Internet cable connection.
    • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
    • Temporarily disable your anti-virus and real-time anti-spyware protection.



Windows Vista and above:
C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs\SophosVirusRemovalTool.log
Please post the contents of the log in your next reply and note any errors encountered.
===


Thank you Nasdaq, I will run the Sophos check tonight and post the results. Is there some way to upload this file to you for analysis? The file is large (1.5 GB) and is definitely meant to contain malware of some sort.


The file has been reported clean.

Any remaining issues with this computer?


I don't think so.  Thanks so much for giving me peace of mind with this issue and that suspicious file!


Nasdaq, my friend just let me know that since the file I uploaded to VirusTotal was in the form of filename.avi.lnk with the target being PowerShell, it only scanned the PowerShell command on my PC. He opened the file in a hex editor and stripped out the extra padding and rechecked it on VirusTotal. This is a very different result on the actual file. What are your thoughts on this?

https://www.virustotal.com/#/file/bb745ee7b0bd0dd70ab075a068e18e5ad38b30f0a3758c7e9efffd00b7c5658c/detection

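The two posts above describe the same artifact: a shortcut named like an .avi whose target is PowerShell, inflated to 1.5 GB so it cannot be uploaded to a scanner, and only detected once the padding was stripped. The script below is an added example, not something posted in this thread or shipped by Malwarebytes; it is the local triage a defender can run on such a file without uploading it. It walks the Shell Link structures as laid out in Microsoft's MS-SHLLINK specification (header, optional IDList and LinkInfo, StringData, ExtraData), pulls out the target path and arguments, and measures how many bytes follow the last parsed structure, which is where padding of this kind lives. The sample shortcut it builds is constructed here for the demonstration, the filename `holiday_video.avi.lnk` and the argument markers it looks for are illustrative choices, and the 1 KB padding threshold is an assumption.

```python
import struct

# Constants from MS-SHLLINK (Shell Link binary file format)
HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-0000-0000-C000-000000000046
SW_SHOWMINNOACTIVE = 0x7  # run the target minimized without activating its window

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData fields appear in this fixed order, each present only if its flag is set
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))

# Illustrative indicators for triage (assumption: tune these to your environment)
SCRIPT_HOSTS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript", "rundll32")
ARG_MARKERS = ("hidden", "-enc", "-nop", "bypass")


def parse_lnk(data):
    """Walk the .lnk structures; return the string fields and where the structure ends."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short to hold a ShellLinkHeader")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    (show_command,) = struct.unpack_from("<I", data, 60)  # ShowCommand field offset

    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (uint16) followed by the IDList
        (idlist_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + idlist_size
    if flags & HAS_LINK_INFO:                    # LinkInfoSize includes itself
        (info_size,) = struct.unpack_from("<I", data, pos)
        pos += info_size

    fields = {}
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        (count,) = struct.unpack_from("<H", data, pos)   # CountCharacters, no terminator
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("cp1252", errors="replace")
            pos += count

    # ExtraData: blocks prefixed by uint32 BlockSize; a size below 4 is the TerminalBlock
    while pos + 4 <= len(data):
        (block_size,) = struct.unpack_from("<I", data, pos)
        if block_size < 4:
            pos += 4
            break
        pos += block_size

    return {"show_command": show_command, "fields": fields, "structure_end": pos,
            "trailing_bytes": max(0, len(data) - pos)}


def assess_lnk(filename, data, padding_threshold=1024):
    """Return plain-language findings a triager would want to see for this shortcut."""
    info = parse_lnk(data)
    f = info["fields"]
    findings = []
    lower_name = filename.lower()
    if lower_name.endswith(".lnk") and lower_name.count(".") >= 2:
        findings.append("double extension: shortcut named to look like another file type")
    target = " ".join(f.get(k, "") for k in ("relative_path", "working_dir", "arguments")).lower()
    if any(host in target for host in SCRIPT_HOSTS):
        findings.append("target is a script host or interpreter, not a media player or document")
    hits = [m for m in ARG_MARKERS if m in f.get("arguments", "").lower()]
    if hits:
        findings.append("arguments contain " + ", ".join(hits))
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("ShowCommand requests a minimized, non-activated window")
    if info["trailing_bytes"] > padding_threshold:
        findings.append(f"{info['trailing_bytes']} bytes after the last parsed structure (padding)")
    return findings


def build_sample_lnk(relative_path, arguments, padding_bytes, show_command=1):
    """Constructed sample (not a file from the thread): header, two StringData fields, zero padding."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)

    def ustr(s):
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + ustr(relative_path) + ustr(arguments) + b"\x00" * padding_bytes


if __name__ == "__main__":
    suspicious = build_sample_lnk(
        r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        '-WindowStyle Hidden -NoProfile -Command "Write-Host constructed-sample"',
        padding_bytes=4096, show_command=SW_SHOWMINNOACTIVE)
    for line in assess_lnk("holiday_video.avi.lnk", suspicious):
        print("-", line)
    print(assess_lnk("notes.lnk", build_sample_lnk(r"..\Documents\notes.txt", "", 0)))
```

On a real file, pass `open(path, "rb").read()` to `assess_lnk`; the parser only touches the structured prefix, so a 1.5 GB file costs no more to inspect than a small one, and the `trailing_bytes` figure tells you directly how much of the size is filler rather than shortcut data. The parser deliberately raises on anything that is not a Shell Link, so a file that merely carries the `.lnk` name but starts with other content is reported rather than misread.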

Hi,

I would not trust it.

Delete the file and the .lnk.


Thanks, unfortunately he had already run it. Since there is definitely something fishy with the file and no virus scanners seem able to identify it as a threat, I think at this point it is probably best to just reinstall Windows to a new drive and start over.

Thanks again nasdaq!
