
I Think I Have Malware?


AZBri

So a few months ago I saw a weird program I'd never seen before running on my PC.  I'd left my room for a couple of hours to watch TV with my friend, and when I got back some weird program was running.  I never installed such a thing, so I uninstalled it and that seemed to be the end.  Then, maybe a month ago, I came across it again.  Same thing: I walked away from the PC for a while and it was back, with no possibility of someone accessing the PC.  So I deleted it again.  Both times I ran Malwarebytes and McAfee and found nothing.  So today it happened again, and again I deleted it and didn't find anything with Malwarebytes or McAfee, and McAfee active protection keeps shutting down on me.  Is there some pesky hidden file that keeps bringing it back?  I don't know what the program is.  It just sits there with a list of a bunch of porno-sounding names with the word "seeding" next to them.  Whatever it is, I'm hoping you can help me get rid of it.

 

The files from the scan thingy are attached below.

 

Brian, Arizona

attach.txt

dds.txt


Hello,

P2P/Piracy Warning:

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

 

Run Malwarebytes, Open > Settings Tab > Scanner Settings > Under action for PUP > Select: Show in Results List and Check for removal.

Please Update and run a Quick scan

Make sure that everything is checked, and click Remove Selected on any found items.

 

Post the produced log

 

Next,

 

Download Farbar Recovery Scan Tool and save it to your desktop.

 

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.


Double-click to run it. When the tool opens click Yes to the disclaimer.
Press the Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

 

Next,

 

Please download RogueKiller from here:

http://www.sur-la-toile.com/RogueKiller/RogueKiller.exe  <- 32 bit version

http://www.sur-la-toile.com/RogueKiller/RogueKillerX64.exe  <- 64 bit version

  • Make sure to get the correct version for your system.
  • Quit all running programs.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista/Seven, right click -> run as administrator; for XP simply run RogueKiller.exe.
  • Wait until Prescan has finished...
  • The EULA will appear; please select Accept.
  • Ensure MBR scan, Check faked and AntiRootkit are checked.
  • Select Scan.
  • When the scan completes select Report, then copy and paste that into your reply.
  • The log should be found in RKreport[?].txt on your Desktop.
  • Exit/Close RogueKiller.

Let me see those logs...

Kevin...

Before we progress I'd like you to upload a file for analysis, as follows please...

 

Upload a File to Virustotal

 

Go to http://www.virustotal.com/


Click the Choose file button.
Navigate to the file C:\Windows\system32\server.exe, or just copy/paste the path in.
Click the Scan it tab.
If you get a message saying File has already been analyzed, click Reanalyze file now.
Copy and paste the results back here please.


Nope, Malwarebytes never removed that file; it shows up in the FRST logs. Most research indicates the file to be malicious, so proceed as follows please:

 

Download attached fixlist.txt file and save it to the Desktop, or the folder you saved FRST into.

NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

 

Run FRST and press the Fix button just once and wait.

The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

 

Next,

 

 

Run Malwarebytes, Open > Settings Tab > Scanner Settings > Under action for PUP > Select: Show in Results List and Check for removal.

Please Update and run a Quick scan

Make sure that everything is checked, and click Remove Selected on any found items.

 

Post the produced log

 

Next,

 

Uninstall adwcleaner.exe (unless you want to keep it)

  • Please close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Uninstall.
  • Click Yes at "Would you like to Uninstall Adwcleaner".

 

Next,

 

Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

 

Let me see those logs, give update on any obvious issues or concerns...

 

Kevin

fixlist.txt


Well, it all seemed to be going well until I clicked on the download button in the ad above the Junkware Removal Tool page by mistake and ran the installer thinking it was the JRT.  I have no idea what crap that put on my PC.  Went ahead and downloaded the real JRT and ran it.  All logs below.  Oh, and the server.exe file showed up again.  Should I try to upload it to virustotal like you mentioned before?

 

 

Fixlog.txt

JRT.txt

mbam-log-2014-02-21 (16-32-49).txt


It's in the directory.  I can find it with Windows Explorer, but it just doesn't show up in the uploader for VirusTotal, even with the direct link.  I double and triple checked it: right file location, but the uploader doesn't see it.  Should I try copying it to the desktop and uploading it from there?

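The check below is an added example for this thread, not code from Kevin, the original poster or Malwarebytes. It covers the VirusTotal step above from the defender's side: instead of relying on a browser file dialog, it locates the path Kevin asked about (C:\Windows\system32\server.exe), forces hidden and system files into view, reports the file's size, attributes, timestamps and Authenticode signature, and prints a SHA-256 hash that can be pasted into VirusTotal's search box to see whether the file is already known, without uploading anything. It assumes 64-bit Windows 7 with PowerShell 4.0 or later (Get-FileHash does not exist in older versions) and is run from an elevated 64-bit PowerShell window; the function name Get-SuspectFileReport is my own.

```powershell
# Added example (hypothetical helper, not from the thread): inspect a suspect
# file and produce a SHA-256 for a VirusTotal hash search. Requires PowerShell 4+.
function Get-SuspectFileReport {
    param(
        # Path named in the thread; change it to inspect another file.
        [string]$Path = 'C:\Windows\system32\server.exe'
    )

    # -Force makes Get-Item return files carrying the Hidden or System attribute,
    # which a plain directory listing and many file dialogs skip.
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    if (-not $item) {
        return [pscustomobject]@{ Path = $Path; Exists = $false }
    }

    # Real Windows binaries in system32 are normally Authenticode-signed by Microsoft;
    # an unsigned or invalidly signed file there is worth a second look.
    $sig = Get-AuthenticodeSignature -FilePath $item.FullName

    [pscustomobject]@{
        Path        = $item.FullName
        Exists      = $true
        SizeBytes   = $item.Length
        Attributes  = $item.Attributes.ToString()   # e.g. "Hidden, System, Archive"
        Created     = $item.CreationTime
        LastWritten = $item.LastWriteTime
        SHA256      = (Get-FileHash -LiteralPath $item.FullName -Algorithm SHA256).Hash
        Signature   = $sig.Status                   # 'Valid', 'NotSigned', 'HashMismatch', ...
        Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}

# On 64-bit Windows a 32-bit process that opens C:\Windows\system32 is silently
# redirected to C:\Windows\SysWOW64 (WOW64 file system redirection), so a 32-bit
# browser's upload dialog can fail to show a file that 64-bit Explorer lists.
if (-not [Environment]::Is64BitProcess) {
    Write-Warning 'Run this from a 64-bit PowerShell so system32 is not redirected to SysWOW64.'
}

Get-SuspectFileReport | Format-List
```

The WOW64 redirection in the last comment is one plausible reason a 32-bit browser's file picker cannot see a file that Explorer shows; a 32-bit process can reach the real directory through the C:\Windows\Sysnative alias. Searching VirusTotal by the printed SHA-256 is also preferable to uploading when the file might contain anything personal, because a hash lookup sends nothing but the hash.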

Leave it for now and run the following scan; this is very thorough so it will take a few hours....

 

Run Eset Online Scanner

 

**Note** You will need to use Internet Explorer for this scan - on Vista and Win 7 right click on the IE shortcut and run as admin.

 

Go to Eset web page http://www.eset.com/us/online-scanner/ to run an online scan from ESET.

 

  • Turn off the real time scanner of any existing antivirus program while performing the online scan.
  • Click on the Run ESET Online Scanner button.
  • Tick the box next to YES, I accept the Terms of Use.
    Click Start.
  • When asked, allow the add-on to be installed.
    Click Start.
  • Make sure that the option Remove found threats is unticked.
  • Click on Advanced Settings and ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
    Click Scan.
  • Wait for the virus definitions to be downloaded.
  • Wait for the scan to finish.

 

When the scan is complete

 

If no threats were found

  • put a checkmark in "Uninstall application on close"
  • close program
  • report to me that nothing was found

 

If threats were found

 

  • click on "list of threats found"
  • click on "export to text file" and save it as ESET SCAN and save to the desktop
  • Click on back
  • put a checkmark in "Uninstall application on close"
  • click on finish

 

close program

 

copy and paste the report in next reply


I ran the scan, and it found a few things, but then my IE closed sometime after 96% on the bar.  I saw the list of found programs though, and some of them said Poison.[3letters, can't remember which] trojan.  There were a couple other things that said trojan too.  And one that said rootkit.  I'm a little concerned about how the scan closed too.  It was minimized, but then it just popped to the foreground for a second, and then vanished like it was tabbed to and then Alt+F4ed.

 

If there are trojans in my PC would it be best to just reformat the thing?  It sounds like that's the general recommendation.  (I looked up some of this stuff while I was bored waiting for the scan to finish.)  All my important files are backed up on a separate drive, so reformatting isn't a big deal.


Read the following link to fully understand PC security and best practices, you may find it useful....

 

http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/#entry2316629

 

My own security set up for Windows 7 is :-

 

Windows' own Firewall, Microsoft Security Essentials and Malwarebytes Pro. Windows FW and MSE are free; MB also has a free version, however I prefer the Pro version as it provides auto updates and realtime protection.

 

As an extra layer I also use WinPatrol; the free version is adequate for general home use. Available here: http://www.winpatrol.com/download.html

 

For my browser I use Firefox with these addons: Web of Trust, Adblock Plus, Flash Block, NoScript, Ghostery. When Firefox is open press these keys together :- Ctrl - Shift - A. That opens the Addons manager, which lets you find addons and use, start, stop or disable those features etc....

Before using NoScript read this link: http://noscript.net/ It makes it easy to understand....

 

Understanding Windows 7 Firewall - http://windows.microsoft.com/en-GB/windows7/Understanding-Windows-Firewall-settings

 

Understanding Microsoft Security Essentials - http://www.microsoft.com/en-gb/security/pc-security/mse.aspx

 

Understanding Malwarebytes, how to create an exclusion in MSE - http://forums.malwarebytes.org/index.php?showtopic=10138&st=0&p=162100entry162100

 

Understanding WinPatrol - http://www.winpatrol.com/features.html

 

I also use the Professional version of Sandboxie; I believe there is also a free version available. Visit this link http://www.sandboxie.com/ for access to the d/l, and also make sure to use the "Help and FAQ" option to understand its uses, specifically how to run your browser sandboxed!

 

I have also just started using CryptoGuard by Hitman Pro; once installed it will protect all browsers against crypto ransomware infections, and it is also free. Go to the following link for instructions; it will work with the set up I describe above..

 

Does that help?

 

Kevin


Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

This topic is now closed to further replies.