View Full Version : Malware Keeps Comming Back
Hi,
I was infected or am still infected by Easy Driver Pro and YTDownloader on an XP machine. I ran superAntiSpyware, MalwareByets Anti-Malware, ESET + kaspersky rootkit scan. Now the computer seems to operate ok, every time I run a malware check scan i find 500 tracking cookies plus various items. This morning I found Gen-Qbot trojan. So ether I did not totally get rid of the infections or something has happened to the computer to make it more vulnerable.
see attached logs.
Thanks in advance for your help!!
Roger
Welcome.
Running from E:\Documents and Settings\Roger\Desktop\SaferNetworking
Is this where you downloaded and run FRST?(Farbar Recovery Scan Tool)
It really needs to be on desktop.
Please go to your Desktop\SaferNetworking downloads folder, locate Farbar Recovery Scan Tool, right click and select CUT
Go to an open spot on your desktop, right click and select PASTE
You should now have Farbar Recovery Scan Tool on your desktop.
Please open Notepad *Do Not Use Wordpad!* or use any other text editor than Notepad or the script will fail. (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box below:
To do this highlight the contents of the box and right click on it and select copy.
Paste this into the open notepad. save it to the Desktop as fixlist.txt
NOTE. It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.
It needs to be saved Next to the "Farbar Recovery Scan Tool" (If asked to overwrite existing one please allow)
https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG
start
CreateRestorePoint:
CloseProcesses:
HKLM\...\Run: [] => [X]
HKLM\...\Run: [YTDownloader] => "E:\Program Files\YTDownloader\YTDownloader.exe" /boot
HKU\S-1-5-21-1644491937-813497703-682003330-1003\...\Run: [YTDownloader] => "E:\Program Files\YTDownloader\YTDownloader.exe" /boot
CHR HKU\S-1-5-21-1644491937-813497703-682003330-1003\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
URLSearchHook: [S-1-5-21-1644491937-813497703-682003330-500] ATTENTION => Default URLSearchHook is missing
SearchScopes: HKU\S-1-5-21-1644491937-813497703-682003330-1003 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
S2 BrsHelper; E:\PROGRA~1\YTDOWN~1\BROWSE~2.EXE [X]
U2 CertPropSvc; no ImagePath
S4 IntelIde; no ImagePath
S3 MFE_RR; \??\E:\DOCUME~1\Roger\LOCALS~1\Temp\mfe_rr.sys [X]
S1 sbmntr; \??\E:\PROGRA~1\YTDOWN~1\sbmntr.sys [X]
2015-09-24 21:44 - 2015-09-28 10:23 - 00000358 _____ E:\WINDOWS\Tasks\YTDownloader.job
2015-09-24 21:44 - 2015-09-28 10:23 - 00000348 _____ E:\WINDOWS\Tasks\YTDownloaderUpd.job
CustomCLSID: HKU\S-1-5-21-1644491937-813497703-682003330-1003_Classes\CLSID\{005A3A96-BAC4-4B0A-94EA-C0CE100EA736}\localserver32 -> E:\Documents and Settings\Roger\Application Data\Dropbox\bin\Dropbox.exe /autoplay => No File
Settings\Roger\Application Data\ShopAtHome\ShopAtHomeHelper\ShopAtHomeHelper.exe" (the data entry has 10 more characters).
CustomCLSID: HKU\S-1-5-21-1644491937-813497703-682003330-1003_Classes\CLSID\{08613A51-6E3E-43CC-9ECF-DD58B5837341}\localserver32 -> "E:\Documents and Settings\Roger\Application Data\ShopAtHome\ShopAtHomeHelper\ShopAtHomeHelper.exe" (the data entry has 10 more characters).
CustomCLSID: HKU\S-1-5-21-1644491937-813497703-682003330-1003_Classes\CLSID\{153EDC41-A2CC-4BEB-9EC8-008242389E50}\localserver32 -> "E:\Documents and Settings\Roger\Application Data\ShopAtHome\ShopAtHomeHelper\ShopAtHomeHelper.exe" (the data entry has 10 more characters).
CustomCLSID: HKU\S-1-5-21-1644491937-813497703-682003330-1003_Classes\CLSID\{188028B8-D91D-4BE2-BABA-68E32BDE4420}\localserver32 -> "E:\Documents and Settings\Roger\Application Data\ShopAtHome\ShopAtHomeHelper\ShopAtHomeHelper.exe" (the data entry has 10 more characters).
CustomCLSID: HKU\S-1-5-21-1644491937-813497703-682003330-1003_Classes\CLSID\{28E74F15-18C2-465E-B545-6CC738121C68}\localserver32 -> "E:\Documents and Settings\Roger\Application Data\ShopAtHome\ShopAtHomeHelper\ShopAtHomeHelper.exe" (the data entry has 10 more characters).
CustomCLSID: HKU\S-1-5-21-1644491937-813497703-682003330-1003_Classes\CLSID\{2BF6042B-B9B1-46D9-A3F8-9C987FADD4C6}\localserver32 -> "E:\Documents and Settings\Roger\Application Data\ShopAtHome\ShopAtHomeHelper\ShopAtHomeHelper.exe" (the data entry has 10 more characters).
CustomCLSID: HKU\S-1-5-21-1644491937-813497703-682003330-1003_Classes\CLSID\{40A222E2-93B1-45F9-9B07-0D1160A31A6C}\localserver32 -> "E:\Documents and Settings\Roger\Application Data\ShopAtHome\ShopAtHomeHelper\ShopAtHomeHelper.exe" (the data entry has 10 more characters).
CustomCLSID: HKU\S-1-5-21-1644491937-813497703-682003330-1003_Classes\CLSID\{6325A84C-E746-4007-A9C5-E4C1A50ED61F}\localserver32 -> "E:\Documents and Settings\Roger\Application Data\ShopAtHome\ShopAtHomeHelper\ShopAtHomeHelper.exe" (the data entry has 10 more characters).
CustomCLSID: HKU\S-1-5-21-1644491937-813497703-682003330-1003_Classes\CLSID\{92B0265C-B929-4D42-BA54-75AA39C99198}\localserver32 -> "E:\Documents and Settings\Roger\Application Data\ShopAtHome\ShopAtHomeHelper\ShopAtHomeHelper.exe" (the data entry has 10 more characters).
CustomCLSID: HKU\S-1-5-21-1644491937-813497703-682003330-1003_Classes\CLSID\{9BCA87A0-5B8F-4500-A5AF-EA1279714FDF}\localserver32 -> "E:\Documents and Settings\Roger\Application Data\ShopAtHome\ShopAtHomeHelper\ShopAtHomeHelper.exe" (the data entry has 10 more characters).
CustomCLSID: HKU\S-1-5-21-1644491937-813497703-682003330-1003_Classes\CLSID\{BB17DE65-B548-48C2-AC73-1FD1996C7261}\localserver32 -> "E:\Documents and Settings\Roger\Application Data\ShopAtHome\ShopAtHomeHelper\ShopAtHomeHelper.exe" (the data entry has 10 more characters).
CustomCLSID: HKU\S-1-5-21-1644491937-813497703-682003330-1003_Classes\CLSID\{C77D3EEF-FDCA-4D37-B0D2-5FF650E07825}\localserver32 -> "E:\Documents and Settings\Roger\Application Data\ShopAtHome\ShopAtHomeHelper\ShopAtHomeHelper.exe" (the data entry has 10 more characters).
CustomCLSID: HKU\S-1-5-21-1644491937-813497703-682003330-1003_Classes\CLSID\{D565B35E-B787-40FA-95E3-E3562F8FC1A0}\InprocServer32 -> "E:\Documents and Settings\Roger\Application Data\ShopAtHome\ShopAtHomeHelper\ShopAtHomeHelper.exe" (the data entry has 10 more characters).
CustomCLSID: HKU\S-1-5-21-1644491937-813497703-682003330-1003_Classes\CLSID\{EA70EB31-CBAD-4862-AFDA-DCFCC32722ED}\localserver32 -> "E:\Documents and Settings\Roger\Application Data\ShopAtHome\ShopAtHomeHelper\ShopAtHomeHelper.exe" (the data entry has 10 more characters).
CustomCLSID: HKU\S-1-5-21-1644491937-813497703-682003330-1003_Classes\CLSID\{EC9100F8-5918-4F1B-9CC1-4D34A64E0FE0}\localserver32 -> "E:\Documents and Settings\Roger\Application Data\ShopAtHome\ShopAtHomeHelper\ShopAtHomeHelper.exe" (the data entry has 10 more characters).
CustomCLSID: HKU\S-1-5-21-1644491937-813497703-682003330-1003_Classes\CLSID\{F1A1ABE3-F454-4DD9-B520-01F2EEC5F0DD}\localserver32 -> "E:\Documents and Settings\Roger\Application Data\ShopAtHome\ShopAtHomeHelper\ShopAtHomeHelper.exe" (the data entry has 10 more characters).
Task: E:\WINDOWS\Tasks\SpeedyPC Pro_sch_55147764-2E24-11E4-A89E-001FD08F1F5B.job => E:\Program Files\SpeedyPC Software\SpeedyPC\SpeedyPC.exe <==== ATTENTION
Task: E:\WINDOWS\Tasks\SpeedyPC Update Version3_triggeronce.job => e:\program files\common files\speedypc software\uus3\SpeedyPC_Update3.exe <==== ATTENTION
Task: E:\WINDOWS\Tasks\YTDownloader.job => E:\Program Files\YTDownloader\YTDownloader.exe <==== ATTENTION
Task: E:\WINDOWS\Tasks\YTDownloaderUpd.job => E:\Program Files\YTDownloader\Updater.exe <==== ATTENTION
CMD: ipconfig /flushdns
EmptyTemp:
End
Open FRST/FRST64 and press the > Fix < button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.
~~~~~~~~~~~~~~~~~~~~~
http://i.imgur.com/BY4dvz9.png AdwCleaner
Please download AdwCleaner (http://www.bleepingcomputer.com/download/adwcleaner/) and save the file to your Desktop.
Right-Click AdwCleaner.exe and select http://i.imgur.com/AVOiBNU.jpg Run as administrator to run the programme.
Follow the prompts.
Click Scan.
Upon completion, click Report. A log (AdwCleaner[SX].txt) will open. Briefly check the log for anything you know to be legitimate.
Ensure anything you know to be legitimate does not have a checkmark, and click Clean.
Follow the prompts and allow your computer to reboot.
After rebooting, a log (AdwCleaner[SX].txt) will open. Copy the contents of the log and paste in your next reply.
-- File and registry key backups are made for anything removed using this tool. Should a legitimate entry be removed (otherwise known as a 'false-positive'), simple steps can be taken to restore the entry. Please do not overly concern yourself with the contents of AdwCleaner[R0].txt.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://imageshack.us/a/img841/7292/thisisujrt.gif
Please download Junkware Removal Tool (http://www.bleepingcomputer.com/download/junkware-removal-tool/)
or from here http://downloads.malwarebytes.org/file/jrt
to your desktop.
Shut down your protection software now to avoid potential conflicts.
Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
The tool will open and start scanning your system.
Please be patient as this can take a while to complete depending on your system's specifications.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Post the contents of JRT.txt into your next message.
~~~`
please post
Fixlog.txt
AdwCleaner[CX].txt
JRT.txt
Hi!
All tasks preformed as requested. summary follows:
1. Run FRST-FIx and the program died after several minuets with the following message" FRST.exe has encountered a problem and needs to close.
2. Repeat run of FRST-fix this time as administrator and it completed successfully.
3. Run AdwCleaner which found nothing. Clicked clean anyway and allowed it to complete and reboot.
4. Ran Junkware removal tool successfully.
5. Requested files are attached. This was a little confusing. Since i ran the programs as administrator the jtr.txt file was on the administrator desktop not mine. Also I found the AdwCleaner files at e:/adwCleaner/ and there were 5 files AdwCleaner[c2], AdwCleaner[r0], AdwCleaner[s0], AdwCleaner[s2] and AdwCleaner[s3]. i could only upload 5 files. let me know if you need the other files.
Thank you sooo much!!!
Roger
. Run FRST-FIx and the program died after several minuets with the following message" FRST.exe has encountered a problem and needs to close
From what I can see in the results log for FRST it did work.
Download Malwarebytes' Anti-Malware (http://www.malwarebytes.org/mbam-download.php) TO YOUR DESKTOP
Windows XP : Double click on the icon to run it.
Windows Vista, Windows 7 & 8 : Right click and select "Run as Administrator"
http://i24.photobucket.com/albums/c30/ken545/0841859c-1a35-4dbd-b41a-e720629e3e22_zpst0yckuua.png
On the Dashboard click on Update Now
Go to the Setting Tab
Under Setting go to Detection and Protection
Under PUP and PUM make sure both are set to show Treat Detections as Malware
Go to Advanced setting and make sure Automatically Quarantine Detected Items is checked
Then on the Dashboard click on Scan
Make sure to select THREAT SCAN
Then click on Scan
When the scan is finished and the log pops up...select Copy to Clipboard
Please paste the log back into this thread for review
Exit Malwarebytes
~~~~~~~~~~~~~~~~~~~~~~``
On completion of the scan (or after the reboot), start MBAM,
Click History, then Application Logs, then check the Select box by the first Scan Log in the list and then click on the log to highlight it.
Click Export, select text file and save to the desktop as MBAM.txt and post in your next reply.
*************
Please update me on what the computer is doing now.
Hi and again thank you soo much for your help!!
MBAM run as requested. See attached logs.
The computer seems to be operating normal (correctly). No obvious issues.
Thanks,
Roger
Did you allow it to quarantine what it found. Logs didn't show me.
How is your computer now?
***
What we can do now is run an online scan with Eset, for the time being it is our most trusted scanner.
Most reliable and thorough.
The settings I suggest will show us items located in quarantine folders so don't be alarmed with this, also, in case of a false positive I ask that you not allow it to delete what it does find.
This scanner can take quite a bit of time to run, depending of course how full your computer is.
Note: This scan may take a long time to complete. Please do not browse the Internet whilst your Anti-Virus is disabled.
http://i.imgur.com/GzlsbnV.png ESET Online Scan
Note: This scan may take a long time to complete. Please do not browse the Internet whilst your Anti-Virus is disabled.
Please download ESET Online Scan (http://download.eset.com/special/eos/esetsmartinstaller_enu.exe) and save the file to your Desktop.
Temporarily disable your anti-virus software. For instructions, please refer to the following link (http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/).
Double-click esetsmartinstaller_enu.exe to run the programme.
Agree to the EULA by placing a checkmark next to Yes, I accept the Terms of Use. Then click Start.
Agree to the Terms of Use once more and click Start. Allow components to download.
Place a checkmark next to Enable detection of potentially unwanted applications.
Click Advanced settings. Place a checkmark next to:
Scan archives
Scan for potentially unsafe applications
Enable Anti-Stealth technology
Ensure Remove found threats is unchecked.
Click Start.
Wait for the scan to finish. Please be patient as this can take some time.
Upon completion, click http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetListThreats.png. If no threats were found, skip the next two bullet points.
Click http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetExport.png and save the file to your Desktop, naming it something such as "MyEsetScan".
Push the Back button.
Place a checkmark next to http://3-ps.googleusercontent.com/x/forums.whatthetech.com/i.imgur.com/xKN1w2nv.png.pagespeed.ic.JWqIaEgZi7.png and click http://1-ps.googleusercontent.com/x/forums.whatthetech.com/i.imgur.com/SzOC1p0.png.pagespeed.ce.OWDP45O6oG.png.
Re-enable your anti-virus software.
Copy the contents of the log and paste in your next reply.
Thanks again for your help!!!
As far as I know I allowed MBAM to quarantine files
Computer seem to be running normal
Log file from ESET:
E:\System Volume Information\_restore{05550178-5CB7-486E-9D8F-A2F080AA3A04}\RP996\A0102955.dll a variant of Win32/OpenCandy.C potentially unsafe application
Note ESET did quarantine file.
Thanks again!!
Roger
oops. I meant to say that ESET did not quarantine files.
Good deal.
All that was found was a bad restore point.
Please open Notepad *Do Not Use Wordpad!* or use any other text editor than Notepad or the script will fail. (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box below:
To do this highlight the contents of the box and right click on it and select copy.
Paste this into the open notepad. save it to the Desktop as fixlist.txt
NOTE. It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.
It needs to be saved Next to the "Farbar Recovery Scan Tool" (If asked to overwrite existing one please allow)
start
CreateRestorePoint:
CloseProcesses:
E:\System Volume Information\_restore{05550178-5CB7-486E-9D8F-A2F080AA3A04}\RP996\A0102955.dll
EmptyTemp:
End
Open FRST/FRST64 and press the > Fix < button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.
~~~~~~~~~~~~~~~
I think it's time we can remove tools and quarantine folders.
DelFix
Please download DelFix (http://general-changelog-team.fr/en/downloads/finish/20-outils-de-xplode/9-delfix) or from Here (http://www.bleepingcomputer.com/download/delfix/) and save the file to your Desktop.
Double-click DelFix.exe to run the programme.
Place a checkmark next to the following items:
Activate UAC
Remove disinfection tools
Click the Run button.
-- This will remove the specialised tools we used to disinfect your system. Any leftover logs, files, folders or tools remaining on your Desktop which were not removed can be deleted manually (right-click the file + delete).
~~~~~~~~~~~~~~~~`
Answers to common security questions - Best Practices (http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/) by quietman7, MVP
How Malware Spreads - How did I get infected? (http://www.bleepingcomputer.com/forums/t/287710/how-malware-spreads-how-did-i-get-infected/) by quietman7, MVP
Simple and easy ways to keep your computer safe and secure on the Internet (http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/) by Lawrence Abrams, MVP
How to Prevent Malware (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html) by miekiemoes, MVP
How to backup and restore your data using Cobian Backup (http://www.bleepingcomputer.com/tutorials/backup-and-restore-data-with-cobian-backup/) by YourHighness
Slow Computer/browser? It May Not Be Malware (http://www.bleepingcomputer.com/forums/t/87058/slow-computerbrowser-check-here-first;-it-may-not-be-malware/) by quietman7, MVP
The following programmes come highly recommended in the security community.
http://3-ps.googleusercontent.com/x/forums.whatthetech.com/i.imgur.com/xKsUqI5A.png.pagespeed.ic.vn1Hlvqi8h.jpgAdBlock (https://adblockplus.org/en/firefox) is a browser add-on that blocks annoying banners, pop-ups and video ads.
http://i.imgur.com/E8I37RF.pngCryptoPrevent (https://www.foolishit.com/) places policy restrictions on loading points for ransomware (eg.CryptoPrevent), preventing your files from being encrypted.
http://i.imgur.com/EG85Vjt.png Malwarebytes Anti-Exploit (https://www.malwarebytes.org/antiexploit/) (MBAE) is designed to prevent zero-day malware from exploiting vulnerable software.
http://3-ps.googleusercontent.com/x/forums.whatthetech.com/i.imgur.com/x6YRrgUC.png.pagespeed.ic.HjgFxjvw2Z.jpgMalwarebytes Anti-Malware Premium (https://www.malwarebytes.org/) (MBAM) works in real-time along side your Anti-Virus to prevent malware execution.
http://1-ps.googleusercontent.com/x/forums.whatthetech.com/i.imgur.com/xjv4nhMJ.png.pagespeed.ic.A5YbWn1eDO.png NoScript (http://noscript.net/) is a Firefox add-on that blocks the actions of malicious scripts by using whitelisting and other technology.
http://i.imgur.com/3O8r9Uq.png (http://www.sandboxie.com/) Sandboxie (http://www.sandboxie.com/) isolates programmes of your choice, preventing files from being written to your HDD unless approved by you.
http://1-ps.googleusercontent.com/x/forums.whatthetech.com/i.imgur.com/DgW1XL2.png.pagespeed.ce.v1OlJl_ZAS.png Secuina PSI (http://secunia.com/vulnerability_scanning/personal/) will scan your computer for vulnerable software that is outdated, and automatically find the latest update for you.
http://3-ps.googleusercontent.com/x/forums.whatthetech.com/i.imgur.com/xj1OLIec.png.pagespeed.ic.k6hhwopU0q.jpg SpywareBlaster (https://www.brightfort.com/spywareblaster.html) is a form of passive protection, designed to block the actions of malicious websites and tracking cookies.
http://3-ps.googleusercontent.com/x/forums.whatthetech.com/i.imgur.com/xJEP5iWI.png.pagespeed.ic.4tmM1lM7DQ.pngWeb of Trust (https://www.mywot.com/) (WOT) is a browser add-on designed to alert you before interacting with a potentially malicious website.
Want to help others? Join the ClassRoom (http://forums.whatthetech.com/What_the_Tech_Classroom_t80368.html) and learn how.
Actions preformed as requested.
I could not post the fixlist.txt because the file was deleted by DelFix.
DelFix.txt is attached
Again thank you sooo much!!!
Roger
I could not post the fixlist.txt because the file was deleted by DelFix.
Correct and not a problem.
Again thank you sooo much!!!
Your welcome!
Glad we could help. :)http://i204.photobucket.com/albums/bb106/Juliet702/sparkle.gif
Since this issue appears resolved ... this Topic is closed.