Trojan.Dropper.MSIL


Post by cstreatfeild on Sun 14 Aug 2016, 4:31 pm

Hi
I ran Malwarebytes last month because my laptop was suddenly very slow. It found "Trojan.Dropper.MSIL" and quarantined it, but the machine was still slow. After that I deleted the trojan from quarantine and I also ran AdwCleaner. The machine seems to be even slower now and is getting "Windows detected a hard disk problem" messages.

Full disclosure, I also dropped the machine shortly after finding the trojan which could not have helped.

Below are Malwarebytes and AdwCleaner logs from July when I first found the problem, and from today. I tried to follow a link from your site to Security check by screen317 but it says the account is suspended. Is there another source I can use for that?

Grateful for your help.
css

================================================
Malwarebytes Anti-Malware

Scan Date: 7/9/2016
Scan Time: 11:12 AM
Logfile:
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.07.09.07
Rootkit Database: v2016.05.27.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 10
CPU: x64
File System: NTFS
User: carol

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 430032
Time Elapsed: 2 hr, 21 min, 35 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 3
Trojan.Dropper.MSIL, C:\Users\carol\Downloads\freshland world trading stores ORDER#K331.01338 UK.zip, Quarantined, [f00b2af71882e94dc697d28993718a76],
PUP.Optional.HomePageHelper, C:\Users\carol\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences, Good: ("session":{"restore_on_startup":4,"startup_urls":["https://www.malwarebytes.org/restorebrowser/"]}}), Bad: ("session":{"restore_on_startup":4,"startup_urls":["https://homepage-web.com/?s=lenovo&m=start"]}}), Replaced,[6c8f4fd227739f970ca3bce21aea4db3]
PUP.Optional.HomePageHelper, C:\Users\carol\AppData\Roaming\Mozilla\Firefox\Profiles\nmbfgbfe.default\prefs.js, Good: (user_pref("browser.startup.homepage", "https://www.malwarebytes.org/restorebrowser/), Bad: (user_pref("browser.startup.homepage", "https://homepage-web.com), Replaced,[b9420e138c0e37ffb006485755af9070]

Physical Sectors: 0
(No malicious items detected)

(end)

===================================================================================

# AdwCleaner v5.201 - Logfile created 10/07/2016 at 23:46:31
# Updated 30/06/2016 by ToolsLib
# Database : 2016-07-10.3 [Server]
# Operating system : Windows 10 Home  (X64)
# Username : carol - YOGASLUE
# Running from : C:\Users\carol\Desktop\adwcleaner_5.201.exe
# Option : Scan

***** [ Services ] *****

Service Found : Amazon 1Button App Service

***** [ Folders ] *****

Folder Found : C:\ProgramData\pokki
Folder Found : C:\ProgramData\Application Data\pokki
Folder Found : C:\Program Files (x86)\Amazon\Amazon1ButtonApp
Folder Found : C:\Users\carol\AppData\Local\SweetLabs App Platform
Folder Found : C:\Users\carol\AppData\Roaming\download Manager
Folder Found : C:\Users\QBDataServiceUser20\AppData\Local\pokki
Folder Found : C:\Users\QBDataServiceUser26\AppData\Local\pokki
Folder Found : C:\Users\Administrator\AppData\Local\pokki
Folder Found : C:\Users\Default User\AppData\Local\Pokki
Folder Found : C:\Users\Default\AppData\Local\Pokki

***** [ Files ] *****

File Found : C:\Users\carol\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\PC App Store.lnk
File Found : C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\PC App Store.lnk
File Found : C:\Users\carol\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_homepage-web.com_0.localstorage
File Found : C:\Users\carol\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_homepage-web.com_0.localstorage-journal

***** [ DLL ] *****


***** [ WMI ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****

Task Found : SweetLabs App Platform

***** [ Registry ] *****

Key Found : HKCU\Software\Classes\AllFileSystemObjects\shell\pokki
Key Found : HKCU\Software\Classes\Directory\shell\pokki
Key Found : HKCU\Software\Classes\Drive\shell\pokki
Key Found : HKCU\Software\Classes\lnkfile\shell\pokki
Key Found : HKLM\SOFTWARE\Classes\Amazon1ButtonRuntime.Amazon1ButtonRuntime
Key Found : HKLM\SOFTWARE\Classes\Amazon1ButtonRuntime.AmazonRuntimeServer
Key Found : HKLM\SOFTWARE\Classes\AppID\{7F46C358-270D-4791-A579-AD1DDA1A3F7B}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{BD6ECB00-7C4A-4F97-B425-44117F2A7AAE}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BD6ECB00-7C4A-4F97-B425-44117F2A7AAE}
Key Found : HKCU\Software\SweetLabs App Platform
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\SweetLabs_AP
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\SweetLabs_Start_Menu
Key Found : HKU\S-1-5-21-153808505-2681921322-2986878879-1001\Software\SweetLabs App Platform
Key Found : HKU\S-1-5-21-153808505-2681921322-2986878879-1001\Software\Microsoft\Windows\CurrentVersion\Uninstall\SweetLabs_AP
Key Found : HKU\S-1-5-21-153808505-2681921322-2986878879-1001\Software\Microsoft\Windows\CurrentVersion\Uninstall\SweetLabs_Start_Menu
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\3DCCCD6BD02558446B24CF1C63EC213C
Data Found : HKCU\Software\Microsoft\Internet Explorer\Main [Default_Secondary_Page_URL] - [You must be registered and logged in to see this link.]
Data Found : HKCU\Software\Microsoft\Internet Explorer\Main [Secondary Start Pages] - [You must be registered and logged in to see this link.]
Data Found : HKU\S-1-5-21-153808505-2681921322-2986878879-1001\Software\Microsoft\Internet Explorer\Main [Default_Secondary_Page_URL] - [You must be registered and logged in to see this link.]
Data Found : HKU\S-1-5-21-153808505-2681921322-2986878879-1001\Software\Microsoft\Internet Explorer\Main [Secondary Start Pages] - [You must be registered and logged in to see this link.]
Value Found : HKU\S-1-5-21-153808505-2681921322-2986878879-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run [Pokki]

***** [ Web browsers ] *****

[C:\Users\carol\AppData\Roaming\Mozilla\Firefox\Profiles\nmbfgbfe.default\prefs.js] Found : user_pref("browser.search.defaultenginename", "Web Search");
[C:\Users\carol\AppData\Roaming\Mozilla\Firefox\Profiles\nmbfgbfe.default\prefs.js] Found : user_pref("browser.search.defaultenginename.US", "Web Search");
[C:\Users\carol\AppData\Roaming\Mozilla\Firefox\Profiles\nmbfgbfe.default\prefs.js] Found : user_pref("browser.search.hiddenOneOffs", "Yahoo,Bing,Amazon.com,eBay,Twitter,Web Search,Wikipedia (en)");
[C:\Users\carol\AppData\Roaming\Mozilla\Firefox\Profiles\nmbfgbfe.default\prefs.js] Found : user_pref("browser.search.selectedEngine", "Web Search");
[C:\Users\carol\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Found : aol.com
[C:\Users\carol\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Found : ask.com
[C:\Users\carol\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Found : search.homepage-web.com
[C:\Users\carol\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Homepage] Found : [You must be registered and logged in to see this link.]

*************************

C:\AdwCleaner\AdwCleaner[S1].txt - [4995 bytes] - [10/07/2016 23:46:31]

########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [5068 bytes] ##########

====================================================================================


SCANS FROM AUGUST 13
Malwarebytes Anti-Malware

Scan Date: 8/13/2016
Scan Time: 9:09 AM
Logfile: malwarebytes 8-13-16.txt
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.08.13.03
Rootkit Database: v2016.08.09.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 10
CPU: x64
File System: NTFS
User: carol

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 436807
Time Elapsed: 6 hr, 39 min, 20 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)


# AdwCleaner v6.000 - Logfile created 13/08/2016 at 16:46:49
# Updated on 12/08/2016 by ToolsLib
# Database : 2016-08-13.2 [Server]
# Operating System : Windows 10 Home (X64)
# Username : carol - YOGASLUE
# Running from : C:\Users\carol\Downloads\adwcleaner_6.000.exe
# Mode: Clean



***** [ Services ] *****



***** [ Folders ] *****



***** [ Files ] *****



***** [ DLL ] *****



***** [ WMI ] *****



***** [ Shortcuts ] *****



***** [ Scheduled Tasks ] *****



***** [ Registry ] *****

[-] Key deleted: [x64] HKLM\SOFTWARE\Classes\CLSID\{BD6ECB00-7C4A-4F97-B425-44117F2A7AAE}


***** [ Web browsers ] *****

[-] [aol.com] [Search Provider] Deleted: aol.com
[-] [ask.com] [Search Provider] Deleted: ask.com


*************************

:: "Tracing" keys deleted
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C1].txt - [5098 Bytes] - [10/07/2016 23:54:45]
C:\AdwCleaner\AdwCleaner[C1]1.txt - [5098 Bytes] - [11/07/2016 00:25:01]
C:\AdwCleaner\AdwCleaner[C2].txt - [1215 Bytes] - [09/08/2016 08:31:41]
C:\AdwCleaner\AdwCleaner[C3].txt - [1145 Bytes] - [13/08/2016 16:46:49]
C:\AdwCleaner\AdwCleaner[S1].txt - [5151 Bytes] - [10/07/2016 23:46:31]
C:\AdwCleaner\AdwCleaner[S2].txt - [1142 Bytes] - [09/08/2016 08:19:37]
C:\AdwCleaner\AdwCleaner[S3].txt - [1700 Bytes] - [13/08/2016 16:42:39]

########## EOF - C:\AdwCleaner\AdwCleaner[C3].txt - [1437 Bytes] ##########

cstreatfeild

Newbie Surfer
Newbie Surfer

Posts : 14
Joined : 2009-10-20
Operating System : xp


Re: Trojan.Dropper.MSIL

Post by Superdave on Mon 15 Aug 2016, 4:47 am

Hello and welcome to GeekPolice.Net My name is Dave. I will be helping you out with your particular problem on your computer.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
*************************************************************************
Please download Junkware Removal Tool to your desktop.

Warning! Once the scan is complete JRT will shut down your browser with NO warning.

Shut down your protection software now to avoid potential conflicts.

• Temporarily disable your Antivirus and any Antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

• Run the tool by double-clicking it. If you are using Windows Vista or Windows 7, right-click JRT and select Run as Administrator.

• The tool will open and start scanning your system.

• Please be patient as this can take a while to complete depending on your system's specifications.

• On completion, a log (JRT.txt) is saved to your desktop and will automatically open.

• Copy and Paste the JRT.txt log into your next message.
*****************************************
Download Security Check by screen317 from one of the following links and save it to your desktop.

Security Check

* Double-click Security Check.bat
* Follow the on-screen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt
* Post the contents of that document in your next reply.

Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
*************************************************
Please follow the instructions here.

Superdave
Tech Staff



Posts : 4193
Joined : 2010-02-01
Operating System : Windows 8.1 and a dual-boot with XP Home SP3


Re: Trojan.Dropper.MSIL

Post by cstreatfeild on Mon 15 Aug 2016, 10:45 am

Hi Dave,
Here are the JRT, Security Check and CheckDisk logs.

thanks!
css

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.7 (07.03.2016)
Operating System: Windows 10 Home x64
Ran by carol (Administrator) on Sun 08/14/2016 at 15:13:24.53
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




File System: 1

Successfully deleted: C:\WINDOWS\wininit.ini (File)

Deleted the following from C:\Users\carol\AppData\Roaming\Mozilla\Firefox\Profiles\y4h3s3ij.default-1468986069978\prefs.js
user_pref(browser.urlbar.suggest.searches, true);



Registry: 1

Successfully deleted: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{46E0D770-FC75-414A-83A6-89B3964F3CB0} (Registry Key)




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sun 08/14/2016 at 15:24:26.89
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Results of screen317's Security Check version 1.014 --- 12/23/15
x64 (UAC is enabled)
Internet Explorer 11
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Webroot SecureAnywhere
Windows Defender
Antivirus up to date! (On Access scanning disabled!)
`````````Anti-malware/Other Utilities Check:`````````
Spybot - Search & Destroy
Java 8 Update 91
Java version 32-bit out of Date!
Adobe Flash Player 22.0.0.209
Mozilla Firefox (47.0)
Google Chrome (51.0.2704.103)
Google Chrome (52.0.2743.116)
Google Chrome (SetupMetrics...)
````````Process Check: objlist.exe by Laurent````````
Windows Defender MSMpEng.exe
Windows Defender MpCmdRun.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: %
````````````````````End of Log``````````````````````



Log Name: Application
Source: Chkdsk
Date: 8/14/2016 5:16:13 PM
Event ID: 26226
Task Category: None
Level: Information
Keywords: Classic
User: N/A
Computer: yogaslue
Description:
Chkdsk was executed in scan mode on a volume snapshot.

Checking file system on C:
Volume label is Windows8_OS.

Stage 1: Examining basic file system structure ...

File verification completed.



Stage 2: Examining file name linkage ...

Index verification completed.



Stage 3: Examining security descriptors ...
Security descriptor verification completed.

CHKDSK is verifying Usn Journal...

Usn Journal verification completed.

Windows has scanned the file system and found no problems.
No further action is required.

445972479 KB total disk space.
159623352 KB in 240095 files.
152384 KB in 43929 indexes.
552243 KB in use by the system.
65536 KB occupied by the log file.
285644496 KB available on disk.

4096 bytes in each allocation unit.
111493119 total allocation units on disk.
71411124 allocation units available on disk.

----------------------------------------------------------------------


Stage 1: Examining basic file system structure ...

Stage 2: Examining file name linkage ...

Stage 3: Examining security descriptors ...

Windows has scanned the file system and found no problems.
No further action is required.


Re: Trojan.Dropper.MSIL

Post by Superdave on Mon 15 Aug 2016, 12:56 pm

Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
Save Rkill to your desktop.

There are 7 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click Rkill and choose Run as Administrator


You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

* Rkill.exe
* Rkill.com
* Rkill.scr
* WiNlOgOn.exe
* uSeRiNiT.exe
* iExplore.exe
* eXplorer.exe


Re: Trojan.Dropper.MSIL

Post by cstreatfeild on Tue 16 Aug 2016, 1:25 am

Good morning
I got another Windows disk error message when I woke up my machine this morning, but things are running much faster today. Thanks for that.

Here's the log from RKill.

Rkill 2.8.4 by Lawrence Abrams (Grinler)
Copyright 2008-2016 BleepingComputer.com
More Information about Rkill can be found at this link:

Program started at: 08/15/2016 08:54:19 AM in x64 mode.
Windows Version: Windows 10 Home

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* C:\Users\carol\AppData\Local\Apps\2.0\C1AEHMKC.6WA\2D5XKQP1.1N7\lsb...tion_91a10ba61c75c82d_0001.0004_53146ffb7155a994\LSB.exe (PID: 5756) [UP-HEUR]

1 proccess terminated!

Checking Registry for malware related settings:

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* Windows Defender Disabled

[HKLM\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware" = dword:00000001

* Windows Firewall Disabled

[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = dword:00000000

Checking Windows Service Integrity:

* No issues found.

Searching for Missing Digital Signatures:

* No issues found.

Checking HOSTS File:

* No issues found.

Program finished at: 08/15/2016 09:07:10 AM
Execution time: 0 hours(s), 12 minute(s), and 52 seconds(s)

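The two registry findings Rkill printed above (DisableAntiSpyware=1 under the Windows Defender key, EnableFirewall=0 under the standard firewall profile) are exactly the settings a defender wants flagged automatically, because malware that turns off protection leaves this kind of trace. The script below is an added example written for this thread; it is not Rkill's code. It reads the `[KEY]` / `"Name" = dword:XXXXXXXX` lines in reg-export style text, as Rkill prints them, and evaluates them against a small rule table. The sample excerpt is constructed to mirror the thread's findings; the `Policies\Microsoft\Windows Defender` path in the rule table is the usual Group Policy location and is not mentioned anywhere in the thread.

```python
"""Flag Defender/Firewall registry values the way Rkill's "miscellaneous checks" report them.

Added example for this thread, not Rkill's code. Input is reg-export style text:
a [KEY] header line followed by "Name" = dword:XXXXXXXX lines; other lines are ignored.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample mirroring the two findings Rkill printed in the thread.
SAMPLE_RKILL_EXCERPT = r"""
Performing miscellaneous checks:

 * Windows Defender Disabled

[HKLM\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware" = dword:00000001

 * Windows Firewall Disabled

[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = dword:00000000
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*dword:(?P<hex>[0-9A-Fa-f]{1,8})$')

# (key, value name, value that means "protection off", message to report).
# Rule table written for this example: the first and third paths are the ones Rkill
# reported in the thread; the second is the Group Policy location (not in the thread).
RULES: List[Tuple[str, str, int, str]] = [
    (r"hklm\software\microsoft\windows defender", "disableantispyware", 1,
     "Windows Defender disabled (DisableAntiSpyware=1)"),
    (r"hklm\software\policies\microsoft\windows defender", "disableantispyware", 1,
     "Windows Defender disabled by Group Policy (DisableAntiSpyware=1)"),
    (r"hklm\system\currentcontrolset\services\sharedaccess\parameters"
     r"\firewallpolicy\standardprofile", "enablefirewall", 0,
     "Windows Firewall off for the standard profile (EnableFirewall=0)"),
]


def parse_reg_values(text: str) -> Dict[Tuple[str, str], int]:
    """Return {(key, name): int} for every dword that follows a [KEY] header line."""
    values: Dict[Tuple[str, str], int] = {}
    current_key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            # Registry paths are case-insensitive; normalise so rules can compare directly.
            current_key = key_match.group("key").lower()
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current_key is not None:
            name = value_match.group("name").lower()
            values[(current_key, name)] = int(value_match.group("hex"), 16)
    return values


def evaluate(values: Dict[Tuple[str, str], int]) -> List[str]:
    """A rule fires only when the value is present and equals its 'protection off' value."""
    findings: List[str] = []
    for key, name, off_value, message in RULES:
        if values.get((key, name)) == off_value:
            findings.append(message)
    return findings


def triage(text: str) -> List[str]:
    """Parse reg-export style text and return the list of protection-off findings."""
    return evaluate(parse_reg_values(text))


if __name__ == "__main__":
    for finding in triage(SAMPLE_RKILL_EXCERPT):
        print("WARNING:", finding)
```

Absent values are deliberately not treated as findings: a missing DisableAntiSpyware simply means the default applies, so only an explicit "off" value is reported.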

Re: Trojan.Dropper.MSIL

Post by Superdave on Tue 16 Aug 2016, 6:01 am

I'd like to scan your machine with ESET OnlineScan

• Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan

• Click the button.
• For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

  • Click on to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the icon on your desktop.

• Check
• Click the button.
• Accept any security warnings from your browser.

  • Leave the check mark next to Remove found threats.

• Check
• Push the Start button.
• ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
• When the scan completes, push
• Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
• Push the button.
• Push
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt


Re: Trojan.Dropper.MSIL

Post by cstreatfeild on Wed 17 Aug 2016, 4:46 pm

I scanned with ESET. Another Trojan file found. Log is below.
It took a long time so I left it running overnight. I checked it in the middle of the night and saw that it had found a couple of threats. In the morning it looked like it had frozen before finishing the scan. There were black blocks covering parts of the screen. I minimized and maximized to see if they would clear and the screen came back mostly blank. Not long after that I got a Windows error message saying the program wasn't working and would be closed. I couldn't find the log file so I did another scan that showed no threats.
After that I found a log of both scans using these directions: [You must be registered and logged in to see this link.]

How can I view the log file from ESET Online Scanner?
The ESET Online Scanner saves a log file after running, which can be examined or sent in to ESET for further analysis. To view the log file, Show hidden files and folders must be enabled. New logs are appended to the existing log files when multiple scans are run.
The path to the log file is the following: C:\users\%userprofile%\appdata\local\temp\log.txt


I was still getting disk error messages intermittently through the second scan. Anything else I should do?
in gratitude,
cs

16:40:34 Updating
16:40:34 Update Init
16:40:39 Update Download
16:44:52 esets_scanner_reload returned 0
16:44:52 g_uiModuleBuild: 30434
16:44:52 Update Finalize
16:44:53 Call m_esets_charon_send
16:44:54 Call m_esets_charon_destroy
16:44:54 Updated modules version: 30434
16:45:07 Call m_esets_charon_setup_create
16:45:08 Call m_esets_charon_create
16:45:09 m_esets_charon_create OK
16:45:09 Call m_esets_charon_start_send_thread
16:45:10 Call m_esets_charon_setup_set
16:45:10 m_esets_charon_setup_set OK
16:45:11 Scanner engine: 30434
08:34:10 # product=EOS
# version=8
# flags=0
# esetonlinescanner_enu.exe=2.0.12.0
# EOSSerial=db99f3fdb38a5f48939139e97ef180b8
# engine=30434
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# sfx_checked=true
# utc_time=2016-08-16 13:34:09
# local_time=2016-08-16 08:34:09 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=6.2.9200 NT
# compatibility_mode_1=''
# compatibility_mode=5893 16776574 100 94 0 24243392 0 0
# compatibility_mode_1='Webroot SecureAnywhere'
# compatibility_mode=16132 16777213 100 66 1360064 10337160 0 0
# scanned=2
# found=4
# cleaned=4
# scan_time=56951
sh=0000000000000000000000000000000000000000 ft=- fh=0000000000000000 vn="a variant of Win32/CNETInstaller.B potentially unwanted application (cleaned by deleting)" ac=C fn="C:\Users\carol\Documents\OldLenovo8\Downloads\cbsidlm-cbsi183-Free_MP4_to_AVI_Converter-SEO-75925890.exe"
sh=0000000000000000000000000000000000000000 ft=- fh=0000000000000000 vn="a variant of Win32/CNETInstaller.B potentially unwanted application (cleaned by deleting)" ac=C fn="C:\Users\carol\Documents\OldLenovo8\Downloads\cbsidlm-cbsi183-Winmail_Reader-SEO-10578231.exe"
sh=0000000000000000000000000000000000000000 ft=- fh=0000000000000000 vn="a variant of Win32/Toolbar.Widgi.B potentially unwanted application (deleted)" ac=C fn="C:\Users\carol\Documents\OldLenovo8\Downloads\windows.8.codec.pack.v2.0.1.setup.exe"
sh=0000000000000000000000000000000000000000 ft=- fh=0000000000000000 vn="JS/TrojanDownloader.Nemucod.BK trojan (deleted)" ac=C fn="C:\Users\carol\Videos\scanned-00823584.zip"
11:26:46 RecursiveRemoveDirectoryAndAllFiles: C:\Users\carol\AppData\Local\ESET\ESETOnlineScanner\Quarantine\
11:43:59 RecursiveRemoveDirectoryAndAllFiles: C:\Users\carol\AppData\Local\ESET\ESETOnlineScanner\Quarantine\
11:45:53 Call m_esets_charon_setup_create
11:45:53 Call m_esets_charon_create
11:45:54 m_esets_charon_create OK
11:45:54 Call m_esets_charon_start_send_thread
11:45:54 Call m_esets_charon_setup_set
11:45:54 m_esets_charon_setup_set OK
11:46:30 Updating
11:46:30 Update Init
11:46:42 Call m_esets_charon_setup_create
11:46:42 Call m_esets_charon_create
11:46:42 m_esets_charon_setup_set ERROR
11:46:42 Update Download
11:47:18 esets_scanner_reload returned 0
11:47:18 g_uiModuleBuild: 30444
11:47:18 Update Finalize
11:47:18 Call m_esets_charon_send
11:47:18 Call m_esets_charon_destroy
11:47:19 Updated modules version: 30444
11:47:31 Call m_esets_charon_setup_create
11:47:31 Call m_esets_charon_create
11:47:31 m_esets_charon_setup_set ERROR
11:47:31 Scanner engine: 30444
23:01:38 # product=EOS
# version=8
# flags=0
# esetonlinescanner_enu.exe=2.0.12.0
# EOSSerial=db99f3fdb38a5f48939139e97ef180b8
# engine=30444
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# sfx_checked=true
# utc_time=2016-08-17 04:01:37
# local_time=2016-08-16 23:01:37 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=6.2.9200 NT
# compatibility_mode_1=''
# compatibility_mode=5893 16776574 100 94 0 24295440 0 0
# compatibility_mode_1='Webroot SecureAnywhere'
# compatibility_mode=16132 16777213 100 66 1412112 10389208 0 0
# scanned=2
# found=0
# cleaned=0
# scan_time=40457
23:08:37 Call m_esets_charon_send
23:08:38 Call m_esets_charon_destroy
23:08:42 RecursiveRemoveDirectoryAndAllFiles: C:\Users\carol\AppData\Local\ESET\ESETOnlineScanner\Quarantine\
23:35:03 RecursiveRemoveDirectoryAndAllFiles: C:\Users\carol\AppData\Local\ESET\ESETOnlineScanner\Quarantine\

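The ESET Online Scanner log above appends one block per scan: `# key=value` header lines (engine, found, cleaned, scan_time) followed by one `sh=... ft=... fh=... vn="..." ac=... fn="..."` line per detection, with the scanner's own progress messages interleaved. When several scans are run, as happened here, the useful questions are which scan found what, whether the header's `found` count matches the detection lines actually written, and which detections are trojans versus potentially unwanted applications. The parser below is an added example written for this thread; it is not ESET's code, and the field meanings (sh as a SHA-1 that is all zeros when not recorded, vn as the verdict text) are read from the log as shown, not from ESET documentation. The sample log is constructed in the shape of the thread's log with abbreviated headers.

```python
"""Parse ESET Online Scanner (EOS) log blocks and summarise each scan.

Added example for this thread, not ESET's code. Field meanings are inferred
from the log format itself: '# key=value' header lines start a scan at
'# product=', and each detection is a 'sh= ft= fh= vn="..." ac= fn="..."' line.
"""
import re
from typing import Dict, List

# Constructed sample: two scan blocks shaped like the thread's log, headers abbreviated.
SAMPLE_EOS_LOG = r'''16:45:11 Scanner engine: 30434
08:34:10 # product=EOS
# version=8
# engine=30434
# end=finished
# remove_checked=true
# local_time=2016-08-16 08:34:09 (-0600, Central Daylight Time)
# scanned=2
# found=2
# cleaned=2
sh=0000000000000000000000000000000000000000 ft=- fh=0000000000000000 vn="a variant of Win32/CNETInstaller.B potentially unwanted application (cleaned by deleting)" ac=C fn="C:\Users\carol\Documents\OldLenovo8\Downloads\cbsidlm-cbsi183-Winmail_Reader-SEO-10578231.exe"
sh=0000000000000000000000000000000000000000 ft=- fh=0000000000000000 vn="JS/TrojanDownloader.Nemucod.BK trojan (deleted)" ac=C fn="C:\Users\carol\Videos\scanned-00823584.zip"
11:26:46 RecursiveRemoveDirectoryAndAllFiles: C:\Users\carol\AppData\Local\ESET\ESETOnlineScanner\Quarantine\
23:01:38 # product=EOS
# version=8
# engine=30444
# end=finished
# local_time=2016-08-16 23:01:37 (-0600, Central Daylight Time)
# scanned=2
# found=0
# cleaned=0
23:08:37 Call m_esets_charon_send
'''

TS_RE = re.compile(r"^\d{2}:\d{2}:\d{2} ")          # leading HH:MM:SS on some lines
HEADER_RE = re.compile(r"^# (?P<key>[^=\s]+)=(?P<value>.*)$")
DETECT_RE = re.compile(
    r'^sh=(?P<sh>[0-9a-f]{40}) ft=(?P<ft>\S+) fh=(?P<fh>[0-9a-f]{16}) '
    r'vn="(?P<vn>[^"]*)" ac=(?P<ac>\S+) fn="(?P<fn>[^"]*)"$'
)


def classify(verdict: str) -> str:
    """Coarse class from the verdict text: 'trojan', 'pua' or 'other'."""
    if " trojan" in verdict:
        return "trojan"
    if "potentially unwanted" in verdict:
        return "pua"
    return "other"


def parse_eos_log(text: str) -> List[Dict]:
    """Split the log into scans: {'header': {...}, 'detections': [...]} per '# product=' block."""
    scans: List[Dict] = []
    current = None
    for raw in text.splitlines():
        line = TS_RE.sub("", raw.strip(), count=1)
        header = HEADER_RE.match(line)
        if header:
            key, value = header.group("key"), header.group("value").strip()
            if key == "product":            # a new scan block starts here
                current = {"header": {}, "detections": []}
                scans.append(current)
            if current is not None:
                current["header"][key] = value
            continue
        detection = DETECT_RE.match(line)
        if detection and current is not None:
            fields = detection.groupdict()
            fields["hash_recorded"] = set(fields["sh"]) != {"0"}   # all-zero sh = no hash
            fields["kind"] = classify(fields["vn"])
            current["detections"].append(fields)
    return scans


def summarize(scans: List[Dict]) -> List[Dict]:
    """Per scan: engine, claimed vs parsed detection counts, class counts, consistency flag."""
    summary = []
    for scan in scans:
        header, dets = scan["header"], scan["detections"]
        claimed = int(header.get("found", "0"))
        summary.append({
            "engine": header.get("engine"),
            "found_claimed": claimed,
            "found_parsed": len(dets),
            "trojans": sum(d["kind"] == "trojan" for d in dets),
            "pua": sum(d["kind"] == "pua" for d in dets),
            "consistent": claimed == len(dets),
        })
    return summary


if __name__ == "__main__":
    for row in summarize(parse_eos_log(SAMPLE_EOS_LOG)):
        print(row)
```

A scan whose `found` count does not match the number of detection lines is worth a second look, since the log is appended to in place and a scan that was killed part-way (as the first one here was) may leave a block without its trailer.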

Re: Trojan.Dropper.MSIL

Post by Superdave on Thu 18 Aug 2016, 6:04 am

Is the computer still running slowly?


Re: Trojan.Dropper.MSIL

Post by cstreatfeild on Sun 21 Aug 2016, 10:06 am

It isn't as cripplingly slow as it was before you started helping me but it's still slow. It takes maybe 10 minutes to start up. I also still get hard disk error messages intermittently. I think it gets a bit faster after it's been on awhile.

Do you think this is malware related or something else?




Re: Trojan.Dropper.MSIL

Post by Superdave on Sun 21 Aug 2016, 12:12 pm

StartupLite

Download StartupLite by MalwareBytes to your Desktop.
Doubleclick StartupLite.exe to launch the program.
Ensure the Disable box is checked.
Click Continue.
A pop up message will tell you the unnecessary startup items in your list have been disabled and ask you to restart your computer.
Re-start your computer.


Re: Trojan.Dropper.MSIL

Post by cstreatfeild on Sun 28 Aug 2016, 3:22 am

Dear Superdave
I am posting this morning from my new laptop as, sadly, my old one has crashed.
I was able to run StartupLite but it didn't seem to find anything to remove. Later that day my wireless internet connection disappeared. I tried rebooting to see if it would come back and got a Windows startup repair screen. It was late by then so I chose the option for just shutting it down. The next morning it wouldn't boot up at all. Fortunately, since I had plenty of warning, I was able to backup everything I needed. I will eventually try turning it back on again and see if I can reload Windows or reformat the hard drive (not something I've ever done). For now, I have had enough of staring at little blue circles and blank screens.

Thanks very much for your help. Wish I had contacted you sooner. One last question. Is it possible that the Trojan made my machine crash or was that more likely something else?
best
css


Re: Trojan.Dropper.MSIL

Post by Superdave on Sun 28 Aug 2016, 5:48 am

Is it possible that the Trojan made my machine crash or was that more likely something else?
Malware does not want to disable your computer. They want it running so they can steal information and other such things. It was more than likely a problem with hardware (hard drive or RAM) or heating. It could even be the motherboard.


Re: Trojan.Dropper.MSIL

Post by cstreatfeild on Sun 28 Aug 2016, 9:36 am

Thanks for your expertise and help.
best
css


Re: Trojan.Dropper.MSIL

Post by Superdave on Sun 28 Aug 2016, 11:55 am

You're welcome. I will lock this thread. If you need it re-opened, please send me a pm.

