Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.


Messages - Dancing_Bear

Pages: [1]
1
Malware removal help / Re: Not sure if this scan indicates that I am infected
« on: June 22, 2015, 12:58:25 PM »
Hi Curson, Thank you for confirming the clear scan. I posted a more detailed description of my problem on BleepingComputer.com (http://www.bleepingcomputer.com/forums/t/579994/frequent-avast-threat-detected-warnings-no-infectionions-found/)

I don't know how to generate a text report in Avast (my ignorance?), but my last 3 scans (1 x full-system, 2 x boot-time) came up clean and hence there are no detailed reports I can look up. Prior to that, immediately after inadvertently installing adware (Cinem Plus 2.4cV26.05) bundled in a download, I had 3 scans which showed detections. These were:

Scan 1 (Full System Scan) found:
JS:Redirector-BWW (successfully removed)
Win32:Evo-gen [Susp] (which I elected to skip because I believed it was a false positive - it corresponds to compiled Fortran90 code I wrote some years ago)

Scan 2 (Boot Time Scan) found:
hqghumeaylnlf.exe PUP:Win32:GenMaliciousA-III [PUP] (but could not remove because permission was denied)

Scan 3 (Boot Time Scan, run as administrator) found:
Win32:GenMaliciousA-III (the same detection above, but had been quarantined by ADWCleaner and renamed to hqghumeaylnlf.exe.vir. It was moved to chest)
Win32:Evo-gen [Susp] (the same detection as the first scan, this time moved to chest)

The 3 subsequent Avast scans have come up clean (no detections).

Nevertheless, I still get Avast "Threat Detected" warnings (always when my computer wakes up from sleep, but also at random intervals thereafter) where apparently my computer has tried to connect to a URL with a .dll file. Recent examples include (all preceded by http://)

alwaysisobar.com/4141/TroubleFix_142669690001746.dll
simplesitescan.net/4141/LibraryProc_142667285206710.dll
bestdriverstar.net/4141/CutterGeneration_142669028246641.dll
anythicago.com/4141/CutterSystem_142669222915982.dll
simplesitescan.net/4141/CutterGeneration_142669028215736.dll
alwaysisobar.com/4141/SystemInclude_142652930467594.dll
opticguardzip.net/4141/RelayTurbo_142668814316255.dll
simplesitescan.net/4141/SystemVisual_142669159151878.dll
simplesitescan.net/4141/TrimModule_142669092997470.dll
alwaysisobar.com/4141/afterguard_142667076317268.dll

Are there other diagnostic tools I might run to see if there is an infection?

Thank you again for your help!

2
Malware removal help / Not sure if this scan indicates that I am infected
« on: June 21, 2015, 01:32:20 AM »
Hello - I am reposting this message because my original did not appear to upload. I sincerely apologize if this message arrives twice.

I have run RogueKiller after encountering frequent "Threat Detected" warnings from Avast (attempts to link to different URLs linking to .dlls).

The scan appears to indicate my computer is clean with the exception of the following two registry PUMs:

¤¤¤ Registry : 2 ¤¤¤
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-2691382955-3789416768-595039784-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-2691382955-3789416768-595039784-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0  -> Found

I am not experienced with registry items and therefore cannot tell if these indicate an infection or not, and/or whether it is safe to allow RogueKiller to delete them. Can someone please advise?

For reference, the full RogueKiller report is included below.

Thank you very much for your help!

------------------------------------------------------

RogueKiller V10.8.4.0 (x64) [Jun 15 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : <myname> [Administrator]
Started from : C:\Users\<myname>\Downloads\RogueKillerX64.exe
Mode : Scan -- Date : 06/21/2015  09:58:48

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 2 ¤¤¤
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-2691382955-3789416768-595039784-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-2691382955-3789416768-595039784-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: HGST HTS721010A9E630 +++++
--- User ---
[MBR] 294f44b9c5bc231730cbf420e6f7ce8a
[BSP] 87bff97a231e9a9784d276e9e7954f8a : Unknown|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 372736 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] EXTEN-LBA (0xf) [VISIBLE] Offset (sectors): 763570176 | Size: 557520 MB
3 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 1905371136 | Size: 23512 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: SanDisk iSSD P4 8GB +++++
--- User ---
[MBR] 88920e8157efee4827b2137e18b5ca63
[BSP] 0a9420da5d388cf72c9f5653515471d4 : Empty MBR Code
Partition table:
0 - [XXXXXX] UNKNOWN (0x73) [VISIBLE] Offset (sectors): 2048 | Size: 7639 MB
User = LL1 ... OK
User = LL2 ... OK


Pages: [1]