email with infected link

yabber, August 2, 2012

Hi all,

My colleague at work received an email with a link that contained a virus. He opened it, then realised it was probably dodgy and closed out of it before the page finished loading. Was that too late? He does have AVG on his computer and it didn't come up with a warning when he clicked on the link.

He's got the week off now and we need to start his PC up to look at some ordering info, but I'm not sure what to expect. Thanks for your help!

yabber

We just ran a scan and all seems fine.

August 2, 2012 at 9:58PM
ravencajun Zone 8b TX

Run a full, updated Malwarebytes scan immediately and then run a full, updated SUPERAntiSpyware scan; both are free. You might also run an online antivirus scan like ESET's free one.
Let us know if you need links or help, and report back what is found.

August 3, 2012 at 12:43AM
yabber

Could you please send me the link for these scans? Thanks very much!

August 7, 2012 at 2:23AM
ravencajun Zone 8b TX

Malwarebytes' Anti-Malware (Win) - Detecting and Removing Malware FREE version

SUPERAntiSpyware select FREE edition RED button

Free Online Scanner

Be sure to update each program prior to running the full scan.

You can keep these and run them weekly or monthly for good layered protection for your PC. They will not interfere with your antivirus program, since they do not run until you run them.

August 7, 2012 at 1:19PM
yabber

Thank you very much, I'll let you know what we find, if anything.

August 7, 2012 at 11:33PM
yabber

I haven't run the scans on my colleague's computer yet but decided to try my own first. So the Malwarebytes scan came up clean and the SUPERAntiSpyware scan came up with some cookies and 2 trojans? This is the log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/08/2012 at 12:17 PM

Application Version : 5.5.1012

Core Rules Database Version : 9025
Trace Rules Database Version: 6837

Scan type : Complete Scan
Total Scan Time : 00:25:57

Operating System Information
Windows 7 Professional 64-bit, Service Pack 1 (Build 6.01.7601)
UAC Off - Administrator

Memory items scanned : 626
Memory threats detected : 0
Registry items scanned : 70158
Registry threats detected : 0
File items scanned : 42042
File threats detected : 46

Adware.Tracking Cookie

Trojan.Agent/Gen-Koobface[Bonkers]
C:\USERS\DRAWING3\LIESBETH\ROOT\PLANIT\WOODWIZARD\WWIZHRI.EXE
C:\USERS\DRAWING3\LIESBETH\ROOT\PLANIT\WOODWIZARD\WWIZSND.EXE

-------------------------------------------
It has removed them from the computer now, so all is good?

I'll try the free online scanner next as well.

August 8, 2012 at 12:33AM
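An added example, not part of the thread: a small triage parser for the SUPERAntiSpyware log layout posted above, which pulls out the summary fields, groups detections by category, separates tracking-cookie hits from the ones that need follow-up (here the two Koobface executables), and flags the "UAC Off - Administrator" line as the hardening gap it is. The embedded log is constructed and abbreviated; its paths and domains are placeholders, not values from the real scan.

```python
import re
from collections import defaultdict

# Constructed, abbreviated sample in the SUPERAntiSpyware log layout posted above; placeholders, not real hits.
SAMPLE_LOG = r"""SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Application Version : 5.5.1012
Operating System Information
UAC Off - Administrator
File items scanned : 42042
File threats detected : 4

Adware.Tracking Cookie
C:\Users\Example\AppData\Roaming\Microsoft\Windows\Cookies\ABC123.txt [ /ads.example.test ]
C:\USERS\EXAMPLE\Cookies\ABC123.txt [ Cookie:example@ads.example.test/ ]

Trojan.Agent/Gen-Koobface[Bonkers]
C:\USERS\EXAMPLE\APP\TOOL1.EXE
C:\USERS\EXAMPLE\APP\TOOL2.EXE
"""

HEADER_RE = re.compile(r"^([A-Za-z ]+?)\s*:\s(.+)$")                 # "Key : value" summary lines
PATH_RE = re.compile(r"^([A-Za-z]:\\.*?)(?:\s+\[\s*(.*?)\s*\])?$")    # "C:\path [ detail ]" hit lines
LOW_CONCERN = {"Adware.Tracking Cookie"}   # privacy noise, not code execution

def parse_sas_log(text):
    """Return (summary, detections): header key/values and {category: [(path, detail)]}."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    summary, detections, category = {}, defaultdict(list), None
    for i, line in enumerate(lines):
        if hit := PATH_RE.match(line):
            detections[category or "Uncategorised"].append((hit.group(1), hit.group(2)))
        elif header := HEADER_RE.match(line):
            summary[header.group(1).strip()] = header.group(2).strip()
        elif i + 1 < len(lines) and PATH_RE.match(lines[i + 1]):
            category = line   # a free-text line directly followed by a path names a new category
    return summary, dict(detections)

def triage(text):
    """Separate low-concern hits from ones needing follow-up and flag weak host settings seen in the log."""
    summary, detections = parse_sas_log(text)
    followup = {c: h for c, h in detections.items() if c not in LOW_CONCERN}
    flags = [msg for cond, msg in (
        ("UAC Off" in text, "UAC disabled: a dropped executable runs with full admin rights"),
        (bool(followup), "non-cookie detections: treat the host as compromised until a clean re-scan"),
    ) if cond]
    return {"summary": summary, "followup": followup, "flags": flags}
```

Feed `triage()` the text of a real SAS log and the `followup` dictionary is the list of files to submit to a malware-removal forum, while an empty one with only cookie hits matches the "clean apart from cookies" outcome the scan reported here.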
yabber

The free online scanner cleaned up 1 more file, but I'm not sure what that was because I accidentally closed out of it.

August 8, 2012 at 1:55AM
ravencajun Zone 8b TX

Oh, that's not good. You had Koobface ("Facebook" backwards); it usually comes from Facebook. It is part of a botnet. Very nasty bug. I would use another clean machine and change all your passwords, because part of what it does is get all that info. You can Google Koobface and read the wiki on it.
I think you should go to the LzD forum and run some special scans to make sure you are fully clean.
You need to go there, register, and post your own new thread in the malware removal area. The team will help you step by step. Post your logs there as you did here.
I am there also; if you need assistance, let me know. With this kind of infection it is best to be overly thorough.

Here is a link that might be useful: LzD

August 8, 2012 at 2:01AM
yabber

Will do, see you there.

Just a quick question: we have 4 computers at work, all connected. Is it possible this trojan came from one of the other PCs, because it's a network?

August 8, 2012 at 2:26AM
© 2015 Houzz Inc. Houzz® The new way to design your home™