Please Help - Trojan.Win32.Generic!BT + Trojan.HTML.Framer.do (v)


This topic is locked
13 replies to this topic

#1 burndawgz (Advanced Member, 32 posts)

Posted 17 February 2013 - 09:37 PM

Please help. DDS and Attach attached. Thank you for your generous support.

Jay


#2 burndawgz (Advanced Member, 32 posts)

Posted 17 February 2013 - 09:57 PM

Here is additional information for the above problem:

For: Trojan.Win32.Generic!BT
Adaware Location: C:\Users\Jay\AppData\Local\DDMSSettings\Microsoft Help\vvprsnlkk.dll
(infected file either starts with a "vv" or a "w" - hard to tell as the kerning is tight)

For: Trojan.HTML.Framer.do (v)
Adaware Location: C:\Users\Jay\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XYAL1E0O\search[1].htm

Also, I have uninstalled previous instances of JAVA from the system.

J.

#3 Blade81 (Advanced Member, Volunteer Security Advisor, 6582 posts)

Posted 17 February 2013 - 10:49 PM

Hi,

Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingc...to-use-combofix

Please ensure you read this guide carefully first.

Please continue as follows:

  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
    Remember to re-enable them afterwards.

  • Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

Microsoft MVP Consumer Security 2008 2009 2010 2011 2012 2013

UNITE member since 2006

I don't help with logs thru PM so don't bother to post me one. If you have problems create a thread in the forum, please.
Don't post your log into other user's topic, create a new one.

Provided removal instructions are meant to be used in the correspondent user's case only.

Please use "Reply to this topic" -button while replying.

#4 burndawgz (Advanced Member, 32 posts)

Posted 17 February 2013 - 11:07 PM

Thank you Blade. Attached are the updated logs.

J.


#5 Blade81 (Advanced Member, Volunteer Security Advisor, 6582 posts)

Posted 18 February 2013 - 10:42 AM

Hi,

* Go here to run an online scanner from ESET.
  • Note: You will need to use Internet explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is UNchecked and the option Scan unwanted applications is checkmarked.
  • Click Scan
  • Wait for the scan to finish.
  • Copy and paste findings (if any) as a reply to this topic, along with attach.txt log from DDS.


#6 burndawgz (Advanced Member, 32 posts)

Posted 18 February 2013 - 05:58 PM

I am running ESET now and will post results upon completion.

I am curious about how many times my attached DDS, ComboFix and ATTACH logs have been downloaded from this thread. Not only mine, but in many recent reports on this forum, download counts of posted personal logs exceed 50 or more. Who, besides the direct moderators/service techs, would have interest in my logs? I realize the answer is "anyone" can download them as I've made them public by posting them here, but why would 50 or more people want to review my logs? Is this in itself a security concern? Is making these logs public providing info to potential bad actors that may create new and targeted vulnerabilities?

In a related concern, yesterday someone posted multiple responses here in my thread which contained very malicious links within the body of the postings. Within a few minutes, the posts were deleted from this thread. It was not apparent to me whether your forum system software auto-detected these postings and nuked them, or a forum moderator manually removed them. Either way, it appeared I had become a specific target simply by posting within this forum.

I appreciate the expert support I've received from Lavasoft and the tireless efforts of the volunteers here. Thanks, J.

Edited by burndawgz, 18 February 2013 - 06:15 PM.


#7 burndawgz (Advanced Member, 32 posts)

Posted 18 February 2013 - 06:31 PM

ESET ran successfully. Updated logs attached.


#8 Blade81 (Advanced Member, Volunteer Security Advisor, 6582 posts)

Posted 18 February 2013 - 07:57 PM

Hi,

We can ignore those ESET findings.

I am curious about how many times my attached DDS, ComboFix and ATTACH logs have been downloaded from this thread. Not only mine, but in many recent reports on this forum, download counts of posted personal logs exceed 50 or more. Who, besides the direct moderators/service techs, would have interest in my logs? I realize the answer is "anyone" can download them as I've made them public by posting them here, but why would 50 or more people want to review my logs? Is this in itself a security concern? Is making these logs public providing info to potential bad actors that may create new and targeted vulnerabilities?

Sometimes people have similar issues and look around for help without posting (that's bad practice, they should create their own topic), and sometimes attachments are viewed multiple times by the same person. I wouldn't be worried about that :)

In a related concern, yesterday someone posted multiple responses here in my thread which contained very malicious links within the body of the postings. Within a few minutes, the posts were deleted from this thread. It was not apparent to me whether your forum system software auto-detected these postings and nuked them, or a forum moderator manually removed them. Either way, it appeared I had become a specific target simply by posting within this forum.

That was some spammer's doings. Unfortunately, occasionally some spam gets posted to active topics. We do take necessary action (delete such posts and ban the user) as soon as we see such a thing happen.


Make sure you have the latest version (10.1.5 at the moment) of Adobe Acrobat X.

Uninstall old Adobe Reader versions and get Adobe Reader 11.0 here and the 11.0.01 update for it, or get Foxit Reader here. Make sure you don't (unless you want to) install the toolbar if you choose Foxit Reader! You may also check the free readers introduced here.

Uninstall vulnerable Flash versions by following the instructions here. A fresh version can be obtained here.


Any issues remaining?
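The worry raised above about posting DDS/attach.txt logs publicly has a practical defensive answer: mask the identifying bits before uploading, while leaving the file names and paths a helper needs. The script below is an added example, not code from this thread or from Lavasoft; it redacts the profile name in C:\Users\... paths, GUIDs such as the NetBT transport id, and any host or user names you pass in, and runs on a constructed sample modelled on the excerpts quoted in this thread.

```python
import re
from typing import Dict, Iterable, Tuple

# Constructed sample modelled on the log excerpts quoted in this thread (not the real attachments).
SAMPLE_LOG = "\n".join([
    r"Adaware Location: C:\Users\Jay\AppData\Local\DDMSSettings\Microsoft Help\vvprsnlkk.dll",
    "2/17/2013 10:59:26 AM, Error: bowser [8003] - The master browser has received a server "
    "announcement from the computer DAWG that believes that it is the master browser for the "
    "domain on transport NetBT_Tcpip_{B4C01157-9343-4A34-B077-6E7F14E37D4A}.",
    r"C:\Users\Public\Desktop\readme.txt",
])

# Profile directories that are not personal names and should stay readable.
SHARED_PROFILES = {"public", "default", "default user", "all users"}

USER_PATH = re.compile(r"(?i)(C:\\(?:Users|Documents and Settings)\\)([^\\\r\n]+)")
GUID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def redact(text: str, names: Iterable[str] = ()) -> Tuple[str, Dict[str, int]]:
    """Mask profile names, GUIDs and caller-supplied host/user names.

    File names and the rest of each path are left intact, because those are
    exactly what a helper needs to see. Returns the masked text plus counts.
    """
    counts = {"user": 0, "guid": 0, "name": 0}

    def mask_profile(m: "re.Match[str]") -> str:
        if m.group(2).lower() in SHARED_PROFILES:
            return m.group(0)
        counts["user"] += 1
        return m.group(1) + "<USER>"

    text = USER_PATH.sub(mask_profile, text)
    text, counts["guid"] = GUID.subn("{<GUID>}", text)
    for name in names:
        # NetBIOS names are case-insensitive; \b keeps "DAWG" from matching inside other words.
        pattern = re.compile(r"\b" + re.escape(name) + r"\b", re.IGNORECASE)
        text, n = pattern.subn("<HOST>", text)
        counts["name"] += n
    return text, counts


if __name__ == "__main__":
    masked, summary = redact(SAMPLE_LOG, names=["DAWG"])
    print(masked)
    print(summary)
```

Pass every machine and account name you know (the computer name in the log header, other PCs on the LAN) in `names`; the counts let you confirm each one was actually found before you post.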

#9 burndawgz (Advanced Member, 32 posts)

Posted 18 February 2013 - 10:24 PM

Thanks for the reassurance Blade,

It appears the standard ComboFix runthrough did the trick. Adaware no longer finds the threat traces, and my Google Search redirects appear to have stopped. I've confirmed Acrobat X is the most current 10.1.5 version; uninstalled Reader v9; uninstalled older Flash versions and loaded the latest. I'm on the Creative Suite platform so will remain with the Adobe software vs Foxit.

What's next?

J.

#10 burndawgz (Advanced Member, 32 posts)

Posted 18 February 2013 - 10:35 PM

I did notice one curious EVENT listed in the ATTACH log:

2/17/2013 10:59:26 AM, Error: bowser [8003] - The master browser has received a server announcement from the computer DAWG that believes that it is the master browser for the domain on transport NetBT_Tcpip_{B4C01157-9343-4A34-B077-6E7F14E37D4A}. The master browser is stopping or an election is being forced.

DAWG is a local network computer running W2K and the IE5 browser. Anything to suggest possible infections on the DAWG side (it appears to be operating fine), or would you guess it's just old W2K networking protocols conflicting with W7?

Edited by burndawgz, 18 February 2013 - 10:35 PM.


#11 Blade81 (Advanced Member, Volunteer Security Advisor, 6582 posts)

Posted 19 February 2013 - 08:24 PM

Hi,

If no issues left let's see the final steps then :)


THESE STEPS ARE VERY IMPORTANT

Let's reset system restore
Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: you will lose all previous restore points, which are likely to be infected. Please note you need Administrator access to clean the restore points.

A. To disable the System Restore feature:

1. Click on the Start button.
2. Hover over the Computer option, right click on it and then click Properties.
3. On the left hand side, click Advanced Settings.
4. If asked to permit the action, click on Allow.
5. Click on the System Protection tab.
6. Select c: drive and click Configure...
7. Select Turn off protection
8. Press OK.
Repeat steps 6-8 for each hard drive.

B. Reboot.

C. Turn ON System Restore.
Follow the steps like you did when disabling System Restore, but at step 7 select the Restore system settings and previous versions of files option.



Now let's uninstall ComboFix:
  • Click START then RUN
  • Now copy-paste Combofix /uninstall in the run box and click OK

UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site to get the critical updates.



Download and run Secunia Personal Software Inspector (PSI) and fix its findings. Leave the program installed so you'll stay alarmed about vulnerable components in future too.


Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,
Blade B)


I did notice one curious EVENT listed in the ATTACH log:

2/17/2013 10:59:26 AM, Error: bowser [8003] - The master browser has received a server announcement from the computer DAWG that believes that it is the master browser for the domain on transport NetBT_Tcpip_{B4C01157-9343-4A34-B077-6E7F14E37D4A}. The master browser is stopping or an election is being forced.

DAWG is a local network computer running W2K and the IE5 browser. Anything to suggest possible infections on the DAWG side (it appears to be operating fine), or would you guess it's just old W2K networking protocols conflicting with W7?

I'm not exactly sure what that error message means, but it's not infection related. If there are no issues I'd ignore the message :)

#12 burndawgz (Advanced Member, 32 posts)

Posted 20 February 2013 - 01:14 AM

Thank you Blade - I will proceed with the updates. Your support has been invaluable. Count me clean!

#13 Blade81 (Advanced Member, Volunteer Security Advisor, 6582 posts)

Posted 20 February 2013 - 10:09 PM

You're welcome :)

#14 Blade81 (Advanced Member, Volunteer Security Advisor, 6582 posts)

Posted 02 April 2013 - 04:10 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact the staff member who was helping you with your issue.

Everyone else please begin a New Topic.

Thank you !



