Topic: Recurrent threat. (Read 3414 times)

February 03, 2018, 02:33:49 am

Ajohin

  • Newbie

Hello!

Just in need of advice about a threat, repeatedly coming and blocked by my Avast antivirus. http://217.61.106.159/ is its origin, and I have never been there. RogueKiller, Malwarebytes and KVRT don't find anything. Its process is C:\user\user\appdata\roaming\comobject\update.exe, detected by 'agent web'.

As it's just a green threat I don't mind it much, but it has nothing to do here, eh. And I had some troubles recently with my desktop, up to restoration.

Do you have any idea about that?

Reply #1 February 03, 2018, 07:00:47 pm

Curson

  • Global Moderator
  • Hero Member

Hi Ajohin,

Welcome to Adlice.com Forum.
This seems malware-related. Could you please zip the "comobject" folder and attach it with your next reply?

Regards.

Reply #2 February 03, 2018, 09:27:51 pm

Ajohin

  • Newbie

Can't send the zip. Posting leads to a new post, without sending anything.

Reply #3 February 03, 2018, 10:56:15 pm

Curson

  • Global Moderator
  • Hero Member

Hi Ajohin,

OK, let's try this another way.

Please download Farbar Recovery Scan Tool (x64) and save it to your Desktop.
  • Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will produce a log called FRST.txt in the same directory the tool is run from.
  • Please attach log back here.
  • The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe). Please also attach that along with the FRST.txt into your reply.
Regards.

Reply #4 February 03, 2018, 11:17:16 pm

Ajohin

  • Newbie

Ok, there they are.

Reply #5 February 04, 2018, 01:21:50 am

Curson

  • Global Moderator
  • Hero Member

Hi Ajohin,

Is your system used for development purposes? Was it modified in any way?

Please download SystemLook (x64) and save it to your desktop.
  • Double-click SystemLook_X64.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :dir
    C:\WINDOWS\system32\codeintegrity /md5

    :filefind
    usbser.*
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please attach this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Regards.

Reply #6 February 04, 2018, 01:50:17 am

Ajohin

  • Newbie

Hi, not especially for development and no special modification either. That I know of.

Reply #7 February 04, 2018, 01:11:33 pm

Curson

  • Global Moderator
  • Hero Member

Hi Ajohin,

Download the attached fixlist.txt file and save it to the Desktop.
NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system!

Run FRST and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please attach it to your reply.

How is your computer running?

Regards.

Note: This thread has been moved to the "Malware removal help" section for clarity.

Reply #8 February 04, 2018, 04:57:54 pm

Ajohin

  • Newbie

Ok. There had been cleansing of files, and the computer's running as usual, for all I see.

Reply #9 February 04, 2018, 07:56:22 pm

Curson

  • Global Moderator
  • Hero Member

Hi Ajohin,

The removal was a success.
Is Avast still blocking connections?

Regards.

Reply #10 February 04, 2018, 09:35:05 pm

Ajohin

  • Newbie

Hey, my thanks to you!
Avast isn't blocking anything yet, but it was happening from time to time. I'll tell you if it happens again. That was meddling with my browser, right? First time you hear of that site?

Reply #11 February 04, 2018, 11:37:56 pm

Curson

  • Global Moderator
  • Hero Member

Hi Ajohin,

You are welcome.
You can now remove all the tools and linked files used during the malware removal process.

217.61.106.159 belongs to Aruba Cloud, a hosting/VPS service, so it's not malicious per se. The specific site where the malware was uploading data is now down.

Regards.

Reply #12 February 05, 2018, 12:15:44 am

Ajohin

  • Newbie

Ok, again, my thanks to you for doing such a great job! :)

Reply #13 February 05, 2018, 02:15:14 pm

Curson

  • Global Moderator
  • Hero Member

Hi Ajohin,

You are very welcome.
Thanks for the kind words. :)

Regards.