Cheshire Police Malware

Vitesse

New Member
Thread author
Verified
May 15, 2013
31
MBAR logs
First run - just starting second scan
 

Attachments

  • mbar-log-2013-05-19 (17-29-30).txt
    5 KB · Views: 130
  • system-log.txt
    27 KB · Views: 114

Vitesse

New Member
Thread author
Verified
May 15, 2013
31
Hi Kuttus

MBAM now run. Did an auto results with no confirmation screen and results are shown.

The program has a page showing items in quarantine (14 of them).
Should I delete them all?

Regards

Graham
 

Attachments

  • mbam-log-2013-05-19 (20-48-00).txt
    1.8 KB · Views: 109

kuttus

Level 2
Verified
Oct 5, 2012
2,697
STEP 1: Run a scan with ESET Online Scanner

  1. Download ESET Online Scanner utility from the below link.
     ESET ONLINE SCANNER DOWNLOAD LINK: http://download.eset.com/special/eos/esetsmartinstaller_enu.exe (This link will automatically download ESET Online Scanner on your computer.)
  2. Double click on the ESET installer program (esetsmartinstaller_enu.exe).
  3. Check "Yes, I accept the Terms of Use".
  4. Click the Start button.
  5. Check "Scan archives".
  6. Push the Start button.
  7. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  8. When the scan completes, push "List of found threats".
  9. Push "Export to Text file" and save the file to your desktop using a unique name, such as "ESET Scan". Include the contents of this report in your next reply. Note: when ESET doesn't find any threats, no report will be created.
  10. Push the Back button.
  11. Push Finish.

STEP 2: Run a HitmanPro scan

  1. Download the latest official version of HitmanPro.
     HITMANPRO DOWNLOAD LINK: http://www.surfright.nl/en/hitmanpro/ (This link will open a download page in a new window from where you can download HitmanPro.)
  2. Start HitmanPro by double clicking on the previously downloaded file, and then follow the prompts.
     (Image: http://malwaretips.com/images/removalguide/hpro4.png)
  3. Once the scan is complete, a screen displaying all the malicious files that the program found will be shown as seen in the image below. After reviewing each malicious object click Next.
     (Image: http://malwaretips.com/blogs/wp-content/uploads/2012/02/rsz_hpro5.png)
  4. Click "Activate free license" to start the free 30 day trial and remove the malicious files.
     (Image: http://malwaretips.com/images/removalguide/hpro6.png)
  5. HitmanPro will now start removing the infected objects, and in some instances may suggest a reboot in order to completely remove the malware from your system. In this scenario, always confirm the reboot action to be on the safe side.

Add to your next reply any log that HitmanPro might generate.

STEP 3: Run a scan with Kaspersky Virus Removal Tool

  1. Download Kaspersky Virus Removal Tool from the below link and then double click on it to start this utility.
     KASPERSKY VIRUS REMOVAL TOOL: http://www.kaspersky.com/antivirus-removal-tool?form=1 (This link opens a new webpage from where you can download Kaspersky Virus Removal Tool on your computer.)
  2. Follow the onscreen prompts until it is installed.
  3. Click the Options button (the 'Gear' icon), then make sure only the following are ticked:
     - System Memory
     - Hidden startup objects
     - Disk boot sectors
     - Local Disk (C: )
     - Also any other drives (removable ones that you may have)
  4. Then click on Actions on the left hand side.
  5. Click "Select Action", then make sure both "Disinfect" and "Delete if disinfection fails" are ticked.
  6. Click on "Automatic Scan".
  7. Now click the "Start Scanning" button to run the scan.
  8. After the scan is complete, click the Reports button ('Paper icon', next to the 'Gear' icon) on the right hand side.
  9. Click "Detected threats" on the left.
  10. Now click the Save button, and save it as kaslog.txt to your Desktop.
  11. Please attach kaslog.txt in your next reply.
 

Vitesse

New Member
Thread author
Verified
May 15, 2013
31
Step 1 completed. That was a LONG scan - over 6 hours!
Log attached.

Am going to have to run next one tomorrow as limited on time today.
 

Attachments

  • ESET.txt
    1 KB · Views: 162

Vitesse

New Member
Thread author
Verified
May 15, 2013
31
Apologies for long gap.
Ran HitMan and forgot to save the file (was sort of expecting it to do it automatically after all the others), so ran again and saved the one here.
The original one had 98 items - think 94 were tracking. Two were not removed and are in the second file here with yellow markers. Two had red markers and were deleted (hope that makes sense).

Have tried to do Kaspersky but had to abort until I could have time to run (and not leave computer on unattended) as it seems to be about 10 hours (had to cancel it after 5 hours). So running today - now.

HitMan is as below, as the file type is not allowed to be posted as an attachment (yellow marked items are the ones listed as suspicious below).

Code:
HitmanPro 3.7.3.194
www.hitmanpro.com

   Computer name . . . . : HOME-PC
   Windows . . . . . . . : 5.1.3.2600.X86/1
   User name . . . . . . : HOME-PC\Graham
   License . . . . . . . : Trial (30 days left)

   Scan date . . . . . . : 2013-05-22 23:48:59
   Scan mode . . . . . . : Normal
   Scan duration . . . . : 36m 6s
   Disk access mode  . . : Direct disk access (SRB)
   Cloud . . . . . . . . : Internet
   Reboot  . . . . . . . : No

   Threats . . . . . . . : 15
   Traces  . . . . . . . : 20

   Objects scanned . . . : 914,516
   Files scanned . . . . : 96,759
   Remnants scanned  . . : 218,136 files / 599,621 keys

Suspicious files ____________________________________________________________

   F:\Documents and Settings\Tracy\Local Settings\Temp\nsb6.tmp\installhelper.dll
      Size . . . . . . . : 130,840 bytes
      Age  . . . . . . . : 1112.3 days (2010-05-06 16:46:46)
      Entropy  . . . . . : 6.5
      SHA-256  . . . . . : 0411AB18ECB0D3D6292EABB89B4C8E41112B3E0BE272B087555C2CB8CB0BFC28
      Product  . . . . . : ALOT
      Publisher  . . . . : ALOT Inc.
      Description  . . . : ALOT
      Version  . . . . . : 1.0.4.0
      Copyright  . . . . : Copyright (C) 2009
      RSA Key Size . . . : 1024
      Authenticode . . . : Blacklisted
      Fuzzy  . . . . . . : 100.0
         Program is code signed with a known fraudulent certificate.

   F:\Documents and Settings\Tracy\Local Settings\Temp\nsn3.tmp\installhelper.dll
      Size . . . . . . . : 130,840 bytes
      Age  . . . . . . . : 1112.3 days (2010-05-06 16:44:34)
      Entropy  . . . . . : 6.5
      SHA-256  . . . . . : 0411AB18ECB0D3D6292EABB89B4C8E41112B3E0BE272B087555C2CB8CB0BFC28
      Product  . . . . . : ALOT
      Publisher  . . . . : ALOT Inc.
      Description  . . . : ALOT
      Version  . . . . . : 1.0.4.0
      Copyright  . . . . : Copyright (C) 2009
      RSA Key Size . . . : 1024
      Authenticode . . . : Blacklisted
      Fuzzy  . . . . . . : 100.0
         Program is code signed with a known fraudulent certificate.


Malware remnants ____________________________________________________________

   HKU\S-1-5-21-2052111302-1965331169-725345543-1005\Software\Microsoft\Internet Explorer\Explorer Bars\{BDEA95CF-F0E6-41E0-BD3D-B00F39A4E939}\ (Adware.Hotbar)
   HKU\S-1-5-21-2052111302-1965331169-725345543-1005\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\{DB38E21A-0133-419d-92AD-ECDFD5244D6D} (Adware.Hotbar)
   HKU\S-1-5-21-2052111302-1965331169-725345543-1005\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\{EB620C54-E229-4942-87CE-E717109FC8C6} (Adware.Hotbar)
   HKU\S-1-5-21-2052111302-1965331169-725345543-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{258C9770-1713-4021-8D7E-1F184A2BD754}\ (Adware.Hotbar)
   HKU\S-1-5-21-2052111302-1965331169-725345543-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DB38E21A-0133-419D-92AD-ECDFD5244D6D}\ (Adware.Hotbar)
   HKU\S-1-5-21-2052111302-1965331169-725345543-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EB620C54-E229-4942-87CE-E717109FC8C6}\ (Adware.Hotbar)
   HKU\S-1-5-21-2052111302-1965331169-725345543-1005\Software\ShoppingReport2\ (Adware.Hotbar)
   HKU\S-1-5-21-2052111302-1965331169-725345543-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{258C9770-1713-4021-8D7E-1F184A2BD754}\ (Adware.Hotbar)
   HKU\S-1-5-21-2052111302-1965331169-725345543-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DB38E21A-0133-419D-92AD-ECDFD5244D6D}\ (Adware.Hotbar)
   HKU\S-1-5-21-2052111302-1965331169-725345543-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EB620C54-E229-4942-87CE-E717109FC8C6}\ (Adware.Hotbar)
   HKU\S-1-5-21-2052111302-1965331169-725345543-1006\Software\ShoppingReport2\ (Adware.Hotbar)
   HKU\S-1-5-21-2052111302-1965331169-725345543-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{258C9770-1713-4021-8D7E-1F184A2BD754}\ (Adware.Hotbar)
   HKU\S-1-5-21-2052111302-1965331169-725345543-1007\Software\ShoppingReport2\ (Adware.Hotbar)
   HKU\S-1-5-21-2052111302-1965331169-725345543-1009\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{258C9770-1713-4021-8D7E-1F184A2BD754}\ (Adware.Hotbar)
   HKU\S-1-5-21-2052111302-1965331169-725345543-1009\Software\ShoppingReport2\ (Adware.Hotbar)

Cookies _____________________________________________________________________

   F:\Documents and Settings\Graham\Cookies\2KGR2IFW.txt
   F:\Documents and Settings\Graham\Cookies\MWKGNZD9.txt
   F:\Documents and Settings\Graham\Cookies\O2DLONTY.txt
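The pasted HitmanPro report above has a regular shape: a summary block of "Key . . . : value" lines, then sections headed by a title underlined with underscores, each holding either a file path with indented attribute lines or a registry key tagged with a detection family. The following is an added example for this thread, not HitmanPro's own code and not from the original post: a parser that turns such a report into structured findings and condenses them for triage. It assumes only the layout shown in the post; SAMPLE_REPORT is constructed from that layout (with one registry key deliberately wrapped over two lines, as the forum software did above) so it runs offline.

```python
"""Parse a HitmanPro text report into structured findings and triage them.

Added example for this thread, not HitmanPro's own code. It assumes the layout
the poster pasted: a summary block of "Key . . . : value" lines, then sections
whose title is underlined with underscores. SAMPLE_REPORT is constructed from
that layout; its wrapped registry key mimics the forum's line-wrapping.
"""
import re
from dataclasses import dataclass, field

SAMPLE_REPORT = """\
HitmanPro 3.7.3.194

   Threats . . . . . . . : 15

Suspicious files ____________________________________________________________

   F:\\Documents and Settings\\Tracy\\Local Settings\\Temp\\nsb6.tmp\\installhelper.dll
      Size . . . . . . . : 130,840 bytes
      SHA-256  . . . . . : 0411AB18ECB0D3D6292EABB89B4C8E41112B3E0BE272B087555C2CB8CB0BFC28
      Authenticode . . . : Blacklisted
         Program is code signed with a known fraudulent certificate.

   F:\\Documents and Settings\\Tracy\\Local Settings\\Temp\\nsn3.tmp\\installhelper.dll
      SHA-256  . . . . . : 0411AB18ECB0D3D6292EABB89B4C8E41112B3E0BE272B087555C2CB8CB0BFC28
      Authenticode . . . : Blacklisted
         Program is code signed with a known fraudulent certificate.

Malware remnants ____________________________________________________________

   HKU\\S-1-5-21-2052111302-1965331169-725345543-1005\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext
   \\Stats\\{258C9770-1713-4021-8D7E-1F184A2BD754}\\ (Adware.Hotbar)
   HKU\\S-1-5-21-2052111302-1965331169-725345543-1005\\Software\\ShoppingReport2\\ (Adware.Hotbar)
   HKU\\S-1-5-21-2052111302-1965331169-725345543-1006\\Software\\ShoppingReport2\\ (Adware.Hotbar)

Cookies _____________________________________________________________________

   F:\\Documents and Settings\\Graham\\Cookies\\2KGR2IFW.txt
"""

HEADER_RE = re.compile(r"^(\S.*?) _{5,}\s*$")             # "Suspicious files ____"
KV_RE = re.compile(r"^\s+([A-Za-z][^:]*?)[ .]*:\s*(.*)$")  # "Key . . . : value"
REMNANT_RE = re.compile(r"^(\S.*?)\s+\((.+)\)\s*$")        # "HKU\... (Family)"

@dataclass
class SuspiciousFile:
    path: str
    attrs: dict = field(default_factory=dict)   # Size, SHA-256, Authenticode, ...
    notes: list = field(default_factory=list)   # free-text verdict lines

@dataclass
class Report:
    summary: dict = field(default_factory=dict)
    files: list = field(default_factory=list)
    remnants: list = field(default_factory=list)  # (registry key, family)
    cookies: list = field(default_factory=list)

def parse_report(text):
    rep, section, current, pending = Report(), "summary", None, ""
    for raw in text.splitlines():
        if not raw.strip():
            continue
        header = HEADER_RE.match(raw)
        if header:
            section, current, pending = header.group(1).lower(), None, ""
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        kv = KV_RE.match(raw)
        if section == "summary" and kv:
            rep.summary[kv.group(1)] = kv.group(2).strip()
        elif section == "suspicious files":
            if indent == 3:                       # a path line opens a new entry
                current = SuspiciousFile(path=raw.strip())
                rep.files.append(current)
            elif current and indent == 6 and kv:
                current.attrs[kv.group(1)] = kv.group(2).strip()
            elif current and indent > 6:
                current.notes.append(raw.strip())
        elif section == "malware remnants":
            # Forum software wraps long keys; join fragments until "(Family)" closes one.
            pending += raw.lstrip()
            hit = REMNANT_RE.match(pending)
            if hit:
                rep.remnants.append((hit.group(1), hit.group(2)))
                pending = ""
        elif section == "cookies":
            rep.cookies.append(raw.strip())
    return rep

def triage(rep):
    """Condense the parse into the facts a responder acts on."""
    blacklisted = [f.path for f in rep.files
                   if f.attrs.get("Authenticode", "").lower() == "blacklisted"]
    hashes = sorted({f.attrs["SHA-256"] for f in rep.files if "SHA-256" in f.attrs})
    families = {}
    for _, fam in rep.remnants:
        families[fam] = families.get(fam, 0) + 1
    return {"blacklisted_signed": blacklisted, "unique_sha256": hashes,
            "remnant_families": families, "cookie_count": len(rep.cookies)}
```

Run `triage(parse_report(SAMPLE_REPORT))` to see the condensed view. On the report in this thread the two temp-folder DLLs carry the same SHA-256, so one hash lookup covers both, and the registry remnants all belong to a single family, which is the kind of summary that makes it easy to decide what still needs cleaning up after the scanner has run.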
 

Vitesse

New Member
Thread author
Verified
May 15, 2013
31
kuttus said:
Okay No issues.... How's everything working now?

Seems OK, although at times it goes a bit slow, or does something that makes me think there may be something wrong (mainly my desktop, which can go blank or blue (usually a photo background), and the shortcut icons disappear or go into a sort of negative image). But it has been doing that prior to this malware.
Also Excel takes an age to load, but again that started prior to infection.

Last log attached from Kaspersky. Hope it is the correct one. Tried to save the scan log but it didn't seem interested - poss too big as scan went on for over 10 hours although the program reported it took a lot less time.

Anything more to do now?
Regards

Graham
 

Attachments

  • KasperskyDetected.txt
    1.9 KB · Views: 122

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Okay. All the log files seem good... Let's try this one also....

Please run Autoruns and send me screenshots of the Scheduled Tasks, Winlogon and Internet Explorer tabs.

To take a screenshot of your screen:
  1. Press the PRINT SCREEN (Print Scr) key on your keyboard.
  2. Now open MS Paint.
  3. Open Paint by clicking the Start button, clicking All Programs, clicking Accessories, and then clicking Paint.
  4. In MS Paint click Edit, and then click Paste.
  5. After this, save the file on your computer by clicking File --> Save.
Add this saved file in your next reply.
 

Vitesse

New Member
Thread author
Verified
May 15, 2013
31

OK screenshots as requested.
 

Attachments

  • WinLog.JPG
    70.5 KB · Views: 126
  • SchTask.JPG
    73.2 KB · Views: 125
  • IntExpl.JPG
    125.2 KB · Views: 122

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Uncheck everything in Scheduled Tasks and Internet Explorer, restart the computer and check how the computer is now..
 

Vitesse

New Member
Thread author
Verified
May 15, 2013
31
OK did that. Not sure if better. Seemed to take longer to boot up. Once the account screen came it logged in quicker as far as other accounts disappearing, but took longer to get to the desktop screen. Once it did open it seemed to all appear faster with all the shortcuts etc.
After clicking onto the internet connection it took quite a while (as usual) but this may be waiting for the Netgear program to start up. Once it did get the Netgear icon in the taskbar it turned from red to green quickly and opened up the internet possibly faster than usual.

After that I had a warning that there was no anti-virus running and when I clicked on the balloon from the task bar the MS screen showed no AV and no Firewall. There was no response from MS to turn on the firewall but I think it was running as after about 3-5 minutes it decided it was on.

It never seems to know that ACG is running so wasn't too concerned there.
 

kuttus

Level 2
Verified
Oct 5, 2012
2,697
STEP 1: Run a scan with Farbar Service Scanner

  1. Download Farbar Service Scanner from the below link.
     FARBAR SERVICE SCANNER: http://download.bleepingcomputer.com/farbar/FSS.exe (This link will automatically download Farbar Service Scanner on your computer.)
  2. Run the utility and checkmark all the boxes.
  3. Click on the Scan button.
     (Image: http://malwaretips.com/blogs/wp-content/uploads/2012/09/fabar.png)
  4. Add the log that it will produce in your next reply.
 

Vitesse

New Member
Thread author
Verified
May 15, 2013
31

Hi again.

Start up is very very slow. Didn't appreciate how slow at last posting.

Anyhow latest log attached.
 

Attachments

  • FSS.txt
    3.1 KB · Views: 122

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Download these Regfix files one by one and open each of them... it will ask you whether you want to modify the Windows Registry. Click Yes on it......

sharedaccess

winmgmt

wscsvc

After that restart the computer. After the restart run the FARBAR SERVICE SCANNER once more....
 
