Cheshire Police Malware
- Thread starter Vitesse
- Start date
Hi Kuttus
MBAM now run. Did an auto results with no confirmation screen and results are shown.
[attachment=4546]
The program has a page showing items in quarantine (14 of them).
Should I delete them all?
Regards
Graham
MBAM now run. Did an auto results with no confirmation screen and results are shown.
[attachment=4546]
The program has a page showing items in quarantine (14 of them).
Should I delete them all?
Regards
Graham
- Oct 5, 2012
- 2,697
STEP 1: Run a scan with ESET Online Scanner
<ol>
<li>Download ESET Online Scanner utility from the below link
<><a title="External link" href="http://download.eset.com/special/eos/esetsmartinstaller_enu.exe" rel="nofollow">ESET ONLINE SCANNER DOWNLOAD LINK</a></> <em>(This link will automatically download ESET Online Scanner on your computer.)</em></li>
<li>Double click on the Eset installer program (esetsmartinstaller_enu.exe).</li>
<li>Check <>Yes, I accept the Terms of Use</></li>
<li>Click the <>Start</> button.</li>
<li>Check <>Scan archives</></li>
<li>Push the <>Start</> button.</li>
<li>ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.</li>
<li>When the scan completes, push <>List of found threats</></li>
<li>Push <>Export to Text file </> and save the file to your desktop using a unique name, such as <>ESET Scan</>. Include the contents of this report in your next reply.Note - when ESET doesn't find any threats, no report will be created.</li>
<li>Push the <>back</> button.</li>
<li>Push <>Finish</></li>
</ol>
<hr />
STEP 2: Run a HitmanPro scan
<ol>
<li><>Download the latest official version of HitmanPro</>.
<a href="http://www.surfright.nl/en/hitmanpro/" rel="nofollow" target="_blank"> <>HITMANPRO DOWNLOAD LINK</></a> <em>(This link will open a download page in a new window from where you can download HitmanPro)</em></li>
<li>Start HitmanPro by <>double clicking on the previously downloaded file.</> and then following the prompts.
<img src="http://malwaretips.com/images/removalguide/hpro4.png" alt="[Image: hitmanproscan4.png]" border="0" /></li>
<li>Once the scan is complete, a screen displaying all the malicious files that the program found will be shown as seen in the image below.After reviewing each malicious object click <>Next</> .
<img src="http://malwaretips.com/blogs/wp-content/uploads/2012/02/rsz_hpro5.png" alt="[Image: hitmanproscan5.png]" border="0" /></li>
<li>Click <>Activate free license</> to start the free 30 days trial and remove the malicious files.
<img src="http://malwaretips.com/images/removalguide/hpro6.png" alt="[Image: hitmanproscan6.png]" border="0" /></li>
<li>HitmanPro will now start removing the infected objects, and in some instances, may suggest a reboot in order to completely remove the malware from your system. In this scenario, always confirm the reboot action to be on the safe side.
</ol>
Add to your next reply, any log that HitmanPro might generate.
<hr />
STEP 3: Run a scan with Kaspersky Virus Removal Tool
<ol><li>Download Kaspersky Virus Removal Tool from the below link and then double click on it to start this utility.
<><a title="External link" href="http://www.kaspersky.com/antivirus-removal-tool?form=1" rel="nofollow">KASPERSKY VIRUS REMOVAL TOOL</a></> <em>(This link open an new webpage from where you can download Kaspersky Virus Removal Tool on your computer.)</em></li>
<li>Follow the onscreen prompts until it is installed</li>
<li>Click the Options button (the 'Gear' icon), then make sure only the following are ticked:
<ul>
<li><span style="color: #ff0000;">System Memory</span></li>
<li><span style="color: #ff0000;">Hidden startup objects</span></li>
<li><span style="color: #ff0000;">Disk boot sectors</span></li>
<li><span style="color: #ff0000;">Local Disk (C: )</span></li>
<li><span style="color: #ff0000;">Also any other drives (Removable that you may have)</span></li>
</ul>
</li>
<li>Then click on <>Actions</> on the left hand side</li>
<li>Click <>Select Action</>, then make sure both <>Disinfect</> and <>Delete if disinfection fails</> are ticked</li>
<li>Click on <>Automatic Scan</></li>
<li>Now click the <>Start Scanning</> button, to run the scan</li>
<li>After the scan is complete, click the reports button ('Paper icon', next to the 'Gear' icon) on the right hand side</li>
<li>Click <>Detected threats</> on the left</li>
<li>Now click the <>Save</> button, and save it as <>kaslog.txt</> to your <>Desktop</></li>
<li>Please attach kaslog.txt in your next reply.</li>
</ol>
<hr />
<ol>
<li>Download ESET Online Scanner utility from the below link
<><a title="External link" href="http://download.eset.com/special/eos/esetsmartinstaller_enu.exe" rel="nofollow">ESET ONLINE SCANNER DOWNLOAD LINK</a></> <em>(This link will automatically download ESET Online Scanner on your computer.)</em></li>
<li>Double click on the Eset installer program (esetsmartinstaller_enu.exe).</li>
<li>Check <>Yes, I accept the Terms of Use</></li>
<li>Click the <>Start</> button.</li>
<li>Check <>Scan archives</></li>
<li>Push the <>Start</> button.</li>
<li>ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.</li>
<li>When the scan completes, push <>List of found threats</></li>
<li>Push <>Export to Text file </> and save the file to your desktop using a unique name, such as <>ESET Scan</>. Include the contents of this report in your next reply.Note - when ESET doesn't find any threats, no report will be created.</li>
<li>Push the <>back</> button.</li>
<li>Push <>Finish</></li>
</ol>
<hr />
STEP 2: Run a HitmanPro scan
<ol>
<li><>Download the latest official version of HitmanPro</>.
<a href="http://www.surfright.nl/en/hitmanpro/" rel="nofollow" target="_blank"> <>HITMANPRO DOWNLOAD LINK</></a> <em>(This link will open a download page in a new window from where you can download HitmanPro)</em></li>
<li>Start HitmanPro by <>double clicking on the previously downloaded file.</> and then following the prompts.
<img src="http://malwaretips.com/images/removalguide/hpro4.png" alt="[Image: hitmanproscan4.png]" border="0" /></li>
<li>Once the scan is complete, a screen displaying all the malicious files that the program found will be shown as seen in the image below.After reviewing each malicious object click <>Next</> .
<img src="http://malwaretips.com/blogs/wp-content/uploads/2012/02/rsz_hpro5.png" alt="[Image: hitmanproscan5.png]" border="0" /></li>
<li>Click <>Activate free license</> to start the free 30 days trial and remove the malicious files.
<img src="http://malwaretips.com/images/removalguide/hpro6.png" alt="[Image: hitmanproscan6.png]" border="0" /></li>
<li>HitmanPro will now start removing the infected objects, and in some instances, may suggest a reboot in order to completely remove the malware from your system. In this scenario, always confirm the reboot action to be on the safe side.
</ol>
Add to your next reply, any log that HitmanPro might generate.
<hr />
STEP 3: Run a scan with Kaspersky Virus Removal Tool
<ol><li>Download Kaspersky Virus Removal Tool from the below link and then double click on it to start this utility.
<><a title="External link" href="http://www.kaspersky.com/antivirus-removal-tool?form=1" rel="nofollow">KASPERSKY VIRUS REMOVAL TOOL</a></> <em>(This link open an new webpage from where you can download Kaspersky Virus Removal Tool on your computer.)</em></li>
<li>Follow the onscreen prompts until it is installed</li>
<li>Click the Options button (the 'Gear' icon), then make sure only the following are ticked:
<ul>
<li><span style="color: #ff0000;">System Memory</span></li>
<li><span style="color: #ff0000;">Hidden startup objects</span></li>
<li><span style="color: #ff0000;">Disk boot sectors</span></li>
<li><span style="color: #ff0000;">Local Disk (C: )</span></li>
<li><span style="color: #ff0000;">Also any other drives (Removable that you may have)</span></li>
</ul>
</li>
<li>Then click on <>Actions</> on the left hand side</li>
<li>Click <>Select Action</>, then make sure both <>Disinfect</> and <>Delete if disinfection fails</> are ticked</li>
<li>Click on <>Automatic Scan</></li>
<li>Now click the <>Start Scanning</> button, to run the scan</li>
<li>After the scan is complete, click the reports button ('Paper icon', next to the 'Gear' icon) on the right hand side</li>
<li>Click <>Detected threats</> on the left</li>
<li>Now click the <>Save</> button, and save it as <>kaslog.txt</> to your <>Desktop</></li>
<li>Please attach kaslog.txt in your next reply.</li>
</ol>
<hr />
Last edited by a moderator:
[attachment=4566]
Step 1 completed. That was a LONG scan - over 6 hours!
Log attached.
Am going to have to run next one tomorrow as limited on time today.
Step 1 completed. That was a LONG scan - over 6 hours!
Log attached.
Am going to have to run next one tomorrow as limited on time today.
Apologies for long gap.
Ran HitMan and forgot to save the file (was sort of expecting it to do it automatically after all the others so ran again and saved the one here.
The original one had 98 items - think 94 were tracking. Two were not removed and are in the second file here with yellow markers. Two had red markers and were deleted (hope that makes sense).
Have tried to do Kaspersky but had to abort until I could have time to run (and not leave computer on unattended) as it seems to be about 10 hours (had to cancel it after 5 hours). So running today - now.
HitMan is as below as file type? is not allowed to be posted as attachment? (yellow marked items are the ones listed as suspicious below)
Ran HitMan and forgot to save the file (was sort of expecting it to do it automatically after all the others so ran again and saved the one here.
The original one had 98 items - think 94 were tracking. Two were not removed and are in the second file here with yellow markers. Two had red markers and were deleted (hope that makes sense).
Have tried to do Kaspersky but had to abort until I could have time to run (and not leave computer on unattended) as it seems to be about 10 hours (had to cancel it after 5 hours). So running today - now.
HitMan is as below as file type? is not allowed to be posted as attachment? (yellow marked items are the ones listed as suspicious below)
Code:
HitmanPro 3.7.3.194
www.hitmanpro.com
Computer name . . . . : HOME-PC
Windows . . . . . . . : 5.1.3.2600.X86/1
User name . . . . . . : HOME-PC\Graham
License . . . . . . . : Trial (30 days left)
Scan date . . . . . . : 2013-05-22 23:48:59
Scan mode . . . . . . : Normal
Scan duration . . . . : 36m 6s
Disk access mode . . : Direct disk access (SRB)
Cloud . . . . . . . . : Internet
Reboot . . . . . . . : No
Threats . . . . . . . : 15
Traces . . . . . . . : 20
Objects scanned . . . : 914,516
Files scanned . . . . : 96,759
Remnants scanned . . : 218,136 files / 599,621 keys
Suspicious files ____________________________________________________________
F:\Documents and Settings\Tracy\Local Settings\Temp\nsb6.tmp\installhelper.dll
Size . . . . . . . : 130,840 bytes
Age . . . . . . . : 1112.3 days (2010-05-06 16:46:46)
Entropy . . . . . : 6.5
SHA-256 . . . . . : 0411AB18ECB0D3D6292EABB89B4C8E41112B3E0BE272B087555C2CB8CB0BFC28
Product . . . . . : ALOT
Publisher . . . . : ALOT Inc.
Description . . . : ALOT
Version . . . . . : 1.0.4.0
Copyright . . . . : Copyright (C) 2009
RSA Key Size . . . : 1024
Authenticode . . . : Blacklisted
Fuzzy . . . . . . : 100.0
Program is code signed with a known fraudulent certificate.
F:\Documents and Settings\Tracy\Local Settings\Temp\nsn3.tmp\installhelper.dll
Size . . . . . . . : 130,840 bytes
Age . . . . . . . : 1112.3 days (2010-05-06 16:44:34)
Entropy . . . . . : 6.5
SHA-256 . . . . . : 0411AB18ECB0D3D6292EABB89B4C8E41112B3E0BE272B087555C2CB8CB0BFC28
Product . . . . . : ALOT
Publisher . . . . : ALOT Inc.
Description . . . : ALOT
Version . . . . . : 1.0.4.0
Copyright . . . . : Copyright (C) 2009
RSA Key Size . . . : 1024
Authenticode . . . : Blacklisted
Fuzzy . . . . . . : 100.0
Program is code signed with a known fraudulent certificate.
Malware remnants ____________________________________________________________
HKU\S-1-5-21-2052111302-1965331169-725345543-1005\Software\Microsoft\Internet
Explorer\Explorer Bars\{BDEA95CF-F0E6-41E0-BD3D-B00F39A4E939}\ (Adware.Hotbar)
HKU\S-1-5-21-2052111302-1965331169-725345543-1005\Software\Microsoft\Internet
Explorer\Extensions\CmdMapping\{DB38E21A-0133-419d-92AD-ECDFD5244D6D} (Adware.Hotbar)
HKU\S-1-5-21-2052111302-1965331169-725345543-1005\Software\Microsoft\Internet
Explorer\Extensions\CmdMapping\{EB620C54-E229-4942-87CE-E717109FC8C6} (Adware.Hotbar)
HKU\S-1-5-21-2052111302-1965331169-725345543-1005\Software\Microsoft\Windows\CurrentVersion\Ext
\Stats\{258C9770-1713-4021-8D7E-1F184A2BD754}\ (Adware.Hotbar)
HKU\S-1-5-21-2052111302-1965331169-725345543-1005\Software\Microsoft\Windows\CurrentVersion\Ext
\Stats\{DB38E21A-0133-419D-92AD-ECDFD5244D6D}\ (Adware.Hotbar)
HKU\S-1-5-21-2052111302-1965331169-725345543-1005\Software\Microsoft\Windows\CurrentVersion\Ext
\Stats\{EB620C54-E229-4942-87CE-E717109FC8C6}\ (Adware.Hotbar)
HKU\S-1-5-21-2052111302-1965331169-725345543-1005\Software\ShoppingReport2\ (Adware.Hotbar)
HKU\S-1-5-21-2052111302-1965331169-725345543-1006\Software\Microsoft\Windows\CurrentVersion\Ext
\Stats\{258C9770-1713-4021-8D7E-1F184A2BD754}\ (Adware.Hotbar)
HKU\S-1-5-21-2052111302-1965331169-725345543-1006\Software\Microsoft\Windows\CurrentVersion\Ext
\Stats\{DB38E21A-0133-419D-92AD-ECDFD5244D6D}\ (Adware.Hotbar)
HKU\S-1-5-21-2052111302-1965331169-725345543-1006\Software\Microsoft\Windows\CurrentVersion\Ext
\Stats\{EB620C54-E229-4942-87CE-E717109FC8C6}\ (Adware.Hotbar)
HKU\S-1-5-21-2052111302-1965331169-725345543-1006\Software\ShoppingReport2\ (Adware.Hotbar)
HKU\S-1-5-21-2052111302-1965331169-725345543-1007\Software\Microsoft\Windows\CurrentVersion\Ext
\Stats\{258C9770-1713-4021-8D7E-1F184A2BD754}\ (Adware.Hotbar)
HKU\S-1-5-21-2052111302-1965331169-725345543-1007\Software\ShoppingReport2\ (Adware.Hotbar)
HKU\S-1-5-21-2052111302-1965331169-725345543-1009\Software\Microsoft\Windows\CurrentVersion\Ext
\Stats\{258C9770-1713-4021-8D7E-1F184A2BD754}\ (Adware.Hotbar)
HKU\S-1-5-21-2052111302-1965331169-725345543-1009\Software\ShoppingReport2\ (Adware.Hotbar)
Cookies _____________________________________________________________________
F:\Documents and Settings\Graham\Cookies\2KGR2IFW.txt
F:\Documents and Settings\Graham\Cookies\MWKGNZD9.txt
F:\Documents and Settings\Graham\Cookies\O2DLONTY.txt[attachment=4631]
Seems OK, although at times it goes a bit slow, or does something that make me think there may be something wrong (mainly my desktop which can go blank or blue (usually a photo background) and the shortcut icons dissappear or go into a sort of negative image. But it has been doing that prior to this malware.
Also Excel takes an age to load, but again that started prior to infection.
Last log attached from Kaspersky. Hope it is the correct one. Tried to save the scan log but it didn't seem interested - poss too big as scan went on for over 10 hours although the program reported it took a lot less time.
Anything more to do now?
Regards
Graham
kuttus said:
Seems OK, although at times it goes a bit slow, or does something that make me think there may be something wrong (mainly my desktop which can go blank or blue (usually a photo background) and the shortcut icons dissappear or go into a sort of negative image. But it has been doing that prior to this malware.
Also Excel takes an age to load, but again that started prior to infection.
Last log attached from Kaspersky. Hope it is the correct one. Tried to save the scan log but it didn't seem interested - poss too big as scan went on for over 10 hours although the program reported it took a lot less time.
Anything more to do now?
Regards
Graham
- Oct 5, 2012
- 2,697
Okay. All the log files seems good only... Lets try this one also....
Please run Run Autoruns and send me the screenshots of the Tab Scheduled Task, Winlogon and Internet Explorer.
To Take Screen Of Your Screen.
Please run Run Autoruns and send me the screenshots of the Tab Scheduled Task, Winlogon and Internet Explorer.
To Take Screen Of Your Screen.
- Press PRINT SCREEN (Print Scr) key on Your Keyboard.
- Now Open MS Paint
- Open Paint by clicking the Start button
, clicking All Programs, clicking Accessories, and then clicking Paint.
- In MS Paint Click Edit, and then click Paste.
- After this Save the File on your computer by Clicking on File --> Save
OK did that. Not sure if better. Seemed to take longer to boot up. Once account screen came it logged in quicker as far as other accounts dissappearing but took longer to get to deskto screen. Once it did open it seemed to all appear faster with all the shortcuts etc.
After clicking onto internet connection it took quite a while (as usual) but this may ne waiting for netgear program to start up. Once it did get the netgear icon in taskbar it turned from red to green quickly and opened up internet possibly faster than usual.
After that I had warning that there was no anti-virus running and when clicked on baloon from task bar the MS screen showed no AV and no Firewall. There was no responce from MS to turn on firewall but think it was running as after about 3-5 minutes it decided it was on.
It Never seemes to know that ACG is running so wasn't too concerned there.
After clicking onto internet connection it took quite a while (as usual) but this may ne waiting for netgear program to start up. Once it did get the netgear icon in taskbar it turned from red to green quickly and opened up internet possibly faster than usual.
After that I had warning that there was no anti-virus running and when clicked on baloon from task bar the MS screen showed no AV and no Firewall. There was no responce from MS to turn on firewall but think it was running as after about 3-5 minutes it decided it was on.
It Never seemes to know that ACG is running so wasn't too concerned there.
- Oct 5, 2012
- 2,697
STEP 1: Run a scan with Farbar Service Scanner
<ol> <li>Download Farbar Service Scanner from the below link.
<><a title="External link" href="http://download.bleepingcomputer.com/farbar/FSS.exe" rel="external">FABAR SERVICE SCANNER</a></> <em> (This link will automatically download Farbar Service Scanner on your computer)</em></li>
<li>Run the ulity and checkmark all the boxes</li>
<li> Click on the Scan button.
<img src="http://malwaretips.com/blogs/wp-content/uploads/2012/09/fabar.png" /></li>
<li>Add the log that will produce in your next reply.</li></ol>
<hr />
<ol> <li>Download Farbar Service Scanner from the below link.
<><a title="External link" href="http://download.bleepingcomputer.com/farbar/FSS.exe" rel="external">FABAR SERVICE SCANNER</a></> <em> (This link will automatically download Farbar Service Scanner on your computer)</em></li>
<li>Run the ulity and checkmark all the boxes</li>
<li> Click on the Scan button.
<img src="http://malwaretips.com/blogs/wp-content/uploads/2012/09/fabar.png" /></li>
<li>Add the log that will produce in your next reply.</li></ol>
<hr />
Last edited by a moderator:
[attachment=4690]
Hi again.
Start up is very very slow. Didn't appreciate how slow at last posting.
Anyhow latest log attached.
Hi again.
Start up is very very slow. Didn't appreciate how slow at last posting.
Anyhow latest log attached.
- Oct 5, 2012
- 2,697
Download this Regfix files one by one and Open it... it will ask you do you want to modify windows Registry. Click on Yes on it......
sharedaccess
winmgmt
wscsvc
After that restart the computer. After the restart run the FABAR SERVICE SCANNER once more....
sharedaccess
winmgmt
wscsvc
After that restart the computer. After the restart run the FABAR SERVICE SCANNER once more....
Similar threads
- Locked
