I clicked on a suspicious link in a phishing email

Hello guys,

I need help - I got the following email:

From: Josephine Bergson Subject: FYI

Message Body:
Hello!

My name is Josephine Bergson representing the advertising department of the LLT Consulting company. We are interested in placing ads (banners) of your choice on your websites.

Design and sizes can be seen on our website at wwwlltconsultingnet/id_0u64lymt/
Depending on the banner size you choose we can pay up to $950.00/month.

If you are interested in becoming an advertising partner please let me hear from you.

Kind Regards,
Josephine Bergson
josephine.bergson@lltconsulting.net

and I clicked on that suspicious link for banner designs (I’ve replaced the dots with here on the forum in order to not post the URL here). I first opened it in my Firefox browser and it showed a popup window saying that Java needs to be downloaded - I did not click on that, as it would probably install malware on my PC. However, I opened that URL in Google Chrome and it loaded a Java applet and I confirmed that I trust that connection. Then it loaded the banners.

I hope I now don’t have any malware in my PC. I have already updated my Avast Pro and also updated the virus database and run a full PC scan. Nothing was found, but maybe Avast doesn’t know this spyware yet? Is my PC safe?

Be careful as you read this: http://www.hightechdad.com/2015/01/22/blogger-warning-llt-consulting-banner-ad-scam/
I hope you do not run java on your machine :smiley:

polonus

Thanks for your reply. As I said, I opened that URL in Google Chrome and it loaded a Java applet and I confirmed that I trust that connection. Then it loaded the Java applet and the banners showed.

What should I do now? I have not noticed any unusual behavior of my PC.

If you want a check, see instructions here https://forum.avast.com/index.php?topic=53253.0
Attach Malwarebytes and Farbar Recovery Scan Tool logs … 3 logs total

when done, essexboy will take a look

OK, I have run the scans and am attaching the logs here.

essexboy will now take a look, it may be a few hours before he is online :wink:

OK, no problem. Thanks.

Hi,

As you are using Avast Pro, why don’t you run your browser in the Sandbox (with dropped rights)?

Greetz, Red.

I have no idea what that means or what is that. Do you mean the Avast SafeZone chrome browser?

Hi, not a big deal there, just a browser hijacker.

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open Notepad and copy/paste the text in the quote box below into it:

CreateRestorePoint:
HKU\S-1-5-21-1408603183-996343438-2516081543-1003\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.babylon.com/?affID=111434&babsrc=HP_ss&mntrId=0e6b4c66000000000000c446192fcf50
SearchScopes: HKU\S-1-5-21-1408603183-996343438-2516081543-1003 -> DefaultScope {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} URL = http://search.babylon.com/?q={searchTerms}&affID=111434&babsrc=SP_ss&mntrId=0e6b4c66000000000000c446192fcf50
SearchScopes: HKU\S-1-5-21-1408603183-996343438-2516081543-1003 -> {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} URL = http://search.babylon.com/?q={searchTerms}&affID=111434&babsrc=SP_ss&mntrId=0e6b4c66000000000000c446192fcf50
Toolbar: HKLM - avast! Online Security - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File
Toolbar: HKU\S-1-5-21-1408603183-996343438-2516081543-1003 -> No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
S2 MLPTDR_Q; \??\C:\windows\system32\ [0 ] () <==== ATTENTION (zero size file/folder)
S2 MLPTDR_Q; \??\C:\windows\SysWOW64\ [0 ] () <==== ATTENTION (zero size file/folder)
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated please post that

THEN

Please download AdwCleaner by Xplode onto your desktop.

1. Close all open programs and internet browsers.
2. Double click on AdwCleaner.exe to run the tool.
3. Click on Scan.
4. After the scan is complete click on “Clean”.
5. Confirm each time with Ok.
6. Your computer will be rebooted automatically. A text file will open after the restart.
7. Please post the content of that logfile with your next answer.
8. You can find the logfile at C:\AdwCleaner[S0].txt as well.
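For readers who want to understand what the fixlist above is touching before running it on their own machine, here is a read-only audit script. It is an added example, not something posted in this thread and not part of FRST or AdwCleaner: it reports on the same locations the fixlist modifies (the IE start page and SearchScopes, toolbar CLSIDs with no DLL on disk, auto-start services whose binary is a folder, missing or zero bytes, the proxy settings, the local IPSec policy key, and queued BITS jobs) and changes nothing. It assumes PowerShell 5.1 or later, run elevated as the affected user (so HKCU corresponds to the HKU\<SID> hive in the fixlist). The only page-specific indicator it uses is the search.babylon.com domain from the posted fixlist; the function names and the service-path parsing heuristic are my own.

```powershell
# Added example, not posted in the thread. Read-only audit of the locations that the
# FRST fixlist above modifies. ASSUMPTIONS: PowerShell 5.1+, elevated, run as the
# affected user. 'search.babylon.com' is the hijacker domain from the posted fixlist.
$Indicators = @('search.babylon.com')

function Test-Indicator([string]$Text) {
    foreach ($i in $Indicators) { if ($Text -and $Text -like "*$i*") { return $true } }
    return $false
}

function Get-BrowserHomeAndSearch {
    # Same keys the fixlist rewrites: Main\Start Page and SearchScopes (HKCU == HKU\<SID>)
    $ie = 'HKCU:\Software\Microsoft\Internet Explorer'
    $start = (Get-ItemProperty "$ie\Main" -ErrorAction SilentlyContinue).'Start Page'
    [pscustomobject]@{ Check = 'IE Start Page'; Value = $start; Suspicious = Test-Indicator $start }
    $scopes  = "$ie\SearchScopes"
    $default = (Get-ItemProperty $scopes -ErrorAction SilentlyContinue).DefaultScope
    Get-ChildItem $scopes -ErrorAction SilentlyContinue | ForEach-Object {
        $url = (Get-ItemProperty $_.PSPath).URL
        $tag = if ($_.PSChildName -eq $default) { 'DefaultScope' } else { 'SearchScope' }
        [pscustomobject]@{ Check = $tag; Value = "$($_.PSChildName) $url"; Suspicious = Test-Indicator $url }
    }
}

function Get-OrphanToolbars {
    # FRST prints "No File" when a registered toolbar CLSID has no InprocServer32 DLL on disk
    $keys = 'HKLM:\Software\Microsoft\Internet Explorer\Toolbar',
            'HKCU:\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser'
    foreach ($k in $keys) {
        $props = Get-ItemProperty $k -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($name in $props.PSObject.Properties.Name) {
            if ($name -notmatch '^\{[0-9A-Fa-f-]{36}\}$') { continue }   # value names are CLSIDs
            $dll = (Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\CLSID\$name\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
            if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll.Trim('"')) }
            $missing = -not ($dll -and (Test-Path -LiteralPath $dll))
            $shown = if ($dll) { $dll } else { 'no CLSID entry' }
            [pscustomobject]@{ Check = 'Toolbar'; Value = "$k -> $name ($shown)"; Suspicious = $missing }
        }
    }
}

function Get-EmptyServiceBinaries {
    # FRST's "S2 <name>; \??\C:\...\ [0]" lines: an auto-start (Start=2) service whose
    # ImagePath is a folder, is missing, or is a zero-byte file. Path parsing is heuristic.
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue
        if (-not $p.ImagePath -or $p.Start -ne 2) { return }
        $path = $p.ImagePath -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
        $path = if ($path -match '^"([^"]+)"') { $Matches[1] } else { ($path -split ' /| -')[0] }
        $path = [Environment]::ExpandEnvironmentVariables($path)
        if ($path -notmatch '^[A-Za-z]:\\') { $path = Join-Path $env:SystemRoot $path }  # relative paths resolve under %SystemRoot%
        $item = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
        if ((-not $item) -or $item.PSIsContainer -or $item.Length -eq 0) {
            [pscustomobject]@{ Check = 'Service'; Value = "$($_.PSChildName) -> $($p.ImagePath)"; Suspicious = $true }
        }
    }
}

function Get-NetworkHooks {
    # RemoveProxy: a proxy or PAC URL set without the user's knowledge redirects all browsing
    $inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -ErrorAction SilentlyContinue
    [pscustomobject]@{ Check = 'Proxy'; Value = "Enable=$($inet.ProxyEnable) Server=$($inet.ProxyServer) PAC=$($inet.AutoConfigURL)"
                       Suspicious = ($inet.ProxyEnable -eq 1) -or [bool]$inet.AutoConfigURL }
    # The fixlist deletes and recreates this key empty; anything under it deserves a look
    $n = @(Get-ChildItem 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local' -Recurse -ErrorAction SilentlyContinue).Count
    [pscustomobject]@{ Check = 'IPSec local policy'; Value = "$n subkey(s)"; Suspicious = $n -gt 0 }
    # bitsadmin /reset /allusers clears queued downloads; list them for review (Windows Update uses BITS too)
    Import-Module BitsTransfer -ErrorAction SilentlyContinue
    $jobs = @(Get-BitsTransfer -AllUsers -ErrorAction SilentlyContinue)
    [pscustomobject]@{ Check = 'BITS jobs'; Value = "$($jobs.Count): $(($jobs | ForEach-Object DisplayName) -join ', ')"; Suspicious = $false }
}

$report = @(Get-BrowserHomeAndSearch) + @(Get-OrphanToolbars) + @(Get-EmptyServiceBinaries) + @(Get-NetworkHooks)
$report | Format-Table -AutoSize -Wrap
"Suspicious items: $(@($report | Where-Object Suspicious).Count)"
```

Run it before and after a cleanup: the first run should show the Babylon URLs in Start Page and DefaultScope and the orphaned toolbar CLSIDs, the second should come back clean. It is deliberately report-only so that the actual changes stay with the helper-reviewed fixlist, which is what the CAUTION line above is about.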

Thank you for the instructions. However, is this necessary even if I do not use the Internet Explorer browser at all?

And besides this issue, there is nothing else wrong? So the Java applet did not do anything malicious to my PC? When I scanned my PC with Malwarebytes, there was one trojan horse found. Also, I did not do anything with the Malwarebytes results - should I quarantine that trojan?

> Thank you for the instructions. However, is this necessary even if I do not use the Internet Explorer browser at all?

The fix is not only for IE.

> Also, I did not do anything with the Malwarebytes results - should I quarantine that trojan?

You want to have a trojan on your computer? Quarantine everything MBAM finds. You can always restore files from quarantine if you miss something.

Essexboy: I have done what you suggested. I attach the log files to this post. I chose to not delete the “AP” folder that I have on the C drive, as that whole folder contains my personal stuff (photos, etc.).

OK, I’m going to do that now.

OK I see why it wanted to delete it as that is the same name used for the Ask toolbar stuff

As it stands I can see no malware … Are you experiencing any problems at all ?

Everything seems to be running fine. Thank you very much for your help. :slight_smile:

No, I mean the Sandbox.

Right click on your browser and choose to run it in the Sandbox.
To make it more secure choose :

Avast - Settings - Tools - Sandbox - Customize - Parameters - and check "Drop administrative rights …"

SafeZone is for online banking and shopping, and the Sandbox is for your everyday browsing.
Some info https://www.avast.com/faq.php?article=AVKB44#idt_404

If you still have questions feel free to ask :slight_smile:

Greetz, Red.

Thank you Rednose, I’ve already tried that - it works.

Ok, so next time you copy and paste a suspicious link in an email into the sandboxed browser :slight_smile:

Greetz, Red.

Yes, exactly. Or better still, don't click on it at all. Thank you for your advice. :slight_smile: