Got some kind of infection - not sure what I'm dealing with.

[logix27]

I posted a few weeks ago when I got infected with malware from work computers via a flash drive. The problem was resolved, and I was very happy with the support provided here. 

 

But the work computers are still compromised and I believe I've got something else.

 

Malwarebytes comes up clean. But I did a scan with AVG, and it flagged a Trojan. Checked with Avast, and again it flagged a win32:trojan-gen. I removed it to quarantine and deleted the file. On subsequent scans, nothing is flagged. So far, so good. Everything seems OK. 

 

BUT, looking at my task manager, I discovered some strange processes running. And when I look at my programs, it shows various strange startup programs. I've attached the screenshots to show you what I mean.

 

Also attached is the FRST.txt and Addition.text.

 

Thank you in advance for taking a look. 

FRST.txt

Addition.txt

[kevinf80]

Hello and welcome,

P2P/Piracy Warning:
 

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here.Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

 

 

Next,

 

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into.
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply.
 

Next,

 

Please open Malwarebytes Anti-Malware.

 

On the Settings tab > Detection and Protection sub tab, Detection Options, tick the box "Scan for rootkits".

Under Non-Malware Protection sub tab Change PUP and PUM entries to Treat detections as Malware

Click on the Scan tab, then click on Scan Now >> . If an update is available, click the Update Now button.

A Threat Scan will begin.

With some infections, you may or may not see this message box.

 

'Could not load DDA driver'

 

Click 'Yes' to this message, to allow the driver to load after a restart.

Allow the computer to restart. Continue with the rest of these instructions.

When the scan is complete, click Apply Actions.

Wait for the prompt to restart the computer to appear, then click on Yes.

After the restart once you are back at your desktop, open MBAM once more.

 

To get the log from Malwarebytes do the following:

 

Click on the History tab > Application Logs.

Double click on the scan log which shows the Date and time of the scan just performed.

Click Export > From export you have three options:

 

Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your reply

Text file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply

XML file (*.xml) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply

 

Recommend you use "Copy to Clipboard, then Right click to your reply > select "Paste" that will copy the log to your reply…

 

Next,

 

Download AdwCleaner by Xplode onto your Desktop.

• Double click on Adwcleaner.exe to run the tool.
• Click on Scan
• Once the scan is done, click on the Clean button. <<<--- Ensure this option is completed
• You will get a prompt asking to close all programs. Click OK.
• Click OK again to reboot your computer.
• A text file will open after the restart. Please post the content of that logfile in your reply.
• You can also find the logfile at C:\AdwCleaner[sn].txt. Where n in the scan reference number
  

 

Next,

 

Please download Junkware Removal Tool to your desktop.

Shut down your protection software now to avoid potential conflicts. (re-enable when done)

Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".

The tool will open and start scanning your system.

Please be patient as this can take a while to complete depending on your system's specifications.

On completion, a log (JRT.txt) is saved to your desktop and will automatically open.

Post the contents of JRT.txt into your next message.

Next,

Download Microsoft's " Malicious Software Removal Tool" and save direct to the desktop

Ensure to get the correct version for your system....

32 Bit version:

https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en

64 Bit version:

https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=585D2BDE-367F-495E-94E7-6349F4EFFC74&displaylang=en

 

Right click on the Tool, select “Run as Administrator” the tool will expand to the options Window

In the "Scan Type" window, select Quick Scan

Perform a scan and Click Finish when the scan is done.

 

Retrieve the MSRT log as follows, and post it in your next reply:

 

1) Select the Windows key and R key together to open the "Run" function

2) Type or Copy/Paste the following command to the "Run Line" and Press Enter:

 

notepad c:\windows\debug\mrt.log

 

Post those logs, also let me know if any remaining issues or concerns...

 

Thank you,

 

Kevin..

 

 

 

 

Fixlist.txt

[logix27]

Hello, many thanks for you guidance.

 

I've done as you asked to the letter, and attached all relevant logs for you. I've noticed that the applications with the strange file names have now disappeared from the startup processes list. 

 

Cheers. 

mrt.log

Fixlog.txt

mwb scan log.txt

AdwCleanerS0.txt

JRT.txt

[kevinf80]

Yes we remove malicious entries with FRST, other logs look good. Do you have any remaining issues or concerns? if none run the following to clean up:

 

Download "Delfix by Xplode" and save it to your desktop.

 

Or use the following if first link is down:

 

"Delfix link mirror"

 

Double Click to start the program. If you are using Vista or higher, please right-click and choose run as administrator

 

Make Sure the following items are checked:

 

 

Remove disinfection tools

Purge System Restore <--- this will remove all previous restore points and create a fresh point relative to system status at present.

Reset system settings

 

Now click on "Run" and wait patiently until the tool has completed.

 

The tool will create a log when it has completed. We don't need you to post this.

 

Any remnant files/logs from tools we have used can be deleted…

 

Next,

 

Read the following link to fully understand PC security and best practices, you may find it useful....

http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/#entry2316629

 

Let me know if we are ok to close out....

 

Thanks,

 

Kevin...

[logix27]

Hi again Kevin,

 

Everything seem ok, apart from the fact that when I go to start programs, the startup folder with winzip preloader / quick pick is permanently highlighted in orange, and I'm unable to delete it as it says it's already in use. I've attached another screenshot to show what I mean.

 

I'll see how I get on for the next few days.

 

Thanks again.  

[kevinf80]

Thanks for the update, if you still have FRST run the following fix...

 

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into.
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply.

 

Let me know if any remaining issues or concerns..

 

Thanks,

 

Kevin.
 

 

Fixlist.txt

[logix27]

Hi Kevin,

 

So, the Fixlog moved the undeletable startup program. That seems to be a wrap. Thank you for your guidance.  

 

Will send a donation your way after next pay day (couple of weeks).

 

Cheers. 

[kevinf80]

Thanks for the update, run the following to clean up...

 

Download "Delfix by Xplode" and save it to your desktop.

 

Or use the following if first link is down:

 

"Delfix link mirror"

 

Double Click to start the program. If you are using Vista or higher, please right-click and choose run as administrator

 

Make Sure the following items are checked:

 

 

Remove disinfection tools

Purge System Restore <--- this will remove all previous restore points and create a fresh point relative to system status at present.

Reset system settings

 

Now click on "Run" and wait patiently until the tool has completed.

 

The tool will create a log when it has completed. We don't need you to post this.

 

Any remnant files/logs from tools we have used can be deleted…

 

Next,

 

Read the following link to fully understand PC security and best practices, you may find it useful....

http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/#entry2316629
 

Thank you,

 

Kevin...

[logix27]

Hello again,

 

So I ran a full system scan today with Avast to make sure all was well, and to my surprise it detected win32:malware-gen in C:\Users\user\AppDate\Roaming. The file name is obtjqkhby.exe. It has been successfully quarantined for now. 

 

I haven't used any flash drive since we last spoke, or downloaded anything I was unsure of. Was the problem not resolved previously, or is there some software / extension etc. causing this issue? 

[kevinf80]

Continue please:

 

1.Download Malwarebytes Anti-Rootkit from this link:
 

http://www.malwarebytes.org/products/mbar/
 

2. Unzip the File to a convenient location. (Recommend the Desktop)

3. Open the folder where the contents were unzipped to run mbar.exe

 

 

4. Double-click on the mbar.exe file, you may receive a User Account Control prompt asking if you are sure you wish to allow the program to run. Please allow the program to run and MBAR will now start to install any necessary drivers that are required for the program to operate correctly. If a rootkit is interfering with the installation of the drivers you will see a message that states that the DDA driver was not installed and that you should reboot your computer to install it. You will see this image:

 

 

5. If you receive this message, please click on the Yes button and Malwarebytes Anti-Rootkit will now restart your computer. Once the computer is rebooted and you login, MBAR will automatically start and you will now be at the start screen. (If no Rootkit warning you will go from step 4 to 6.)

 

6. The following image opens, select Next.

 

 

7. The following image opens, select Update

 

 

8. When the update completes select Next.

 

 

9. In the following window ensure "Targets" are ticked. Then select "Scan"

 

 

10. If an infection is found select the "Cleanup Button" to remove threats, Reboot if prompted. Wait while the system shuts down and the cleanup process is performed.

 

 

11. Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click "Cleanup Button" once more and repeat the process.

12. If no threats were found you will see the following image, Select Exit:

 

 

13. Verify that your system is now running normally, making sure that the following items are functional:

 

Internet access

Windows Update

Windows Firewall

 

14. If there are additional problems with your system, such as any of those listed above or other system issues, then run the 'fixdamage' tool included within Malwarebytes Anti-Rootkit folder.

 

15. Select "Y" from your Keyboard, tap Enter.

 

16. The fix will be applied, select any key to Exit.

 

17. Let me know how your system now responds. Copy and paste the two following logs from the mbar folder:

 

System - log

Mbar - log Date and time of scan will also be shown
 

Thanks,
 

Kevin...

[logix27]

Hi again,

 

So, when I run mbar.exe, it say Applnit_Dlls has been found (see screenshot). It asks me if I want to remove the value and restart the tool, but nothing happens. When I run the scanner, it crashes. I have done it 3 times so far, and every time it crashes (see screenshot). 

[kevinf80]

Please read carefully and follow these steps.

• Download TDSSKiller from here  http://support.kaspersky.com/downloads/utils/tdsskiller.exe and save it to your Desktop.
• Doubleclick on to run the application.
  
• The "Ready to scan" window will open, Click on "Change parameters"  
  
  
  
  
  
• Place a checkmark next to Verify Driver Digital Signature  and Detect TDLFS file system, (Leave "Service & Drivers" and "Boot Sectors" ticked. Click OK.
   
  
  
  
  
  
• Select "Start Scan"
  
  
  
  
  
• If an infected file is detected, the default action will be Cure, click on Continue.
  
  
  
  
  
• If a suspicious file is detected, the default action will be Skip, click on Continue.
  
  
  
  
  
• It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  
  
  
  
  
• If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
• If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
  

 

Thanks,

 

Kevin

[logix27]

Hello,

 

Ran TDSSKiller, and the only thing it found was MSI_Supercharger, but no infection. 

[kevinf80]

Run Windows Defender Offline...

 

Do you have access to another PC to create the Widows Defender Offline Tool, I give the instructions to load to a USB flash drive. It can also be run from a CD, just change to that option in the instructions…

It can be created from the PC with issues, but a different clean PC is preferred!

Download the tool from here :- http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline and save to the Desktop.

You will have to select the correct version for your system, either 32 or 64 bit

Run the tool, Windows 7 or Vista user right click and select "Run as Administrator"

Read the instructions in the new window and select "Next"

 

 

In the new window accept the agreement:

 

 

In the new window select your USB Flash Drive, then select "Next"

 

 

In the new window ensure you Flash drive is selected, if not click on "Refresh" then select "Next"

 

 

In the new window accept the formatting alert by selecting "Next"

 

 

Files will be Downloaded:

 

 

Files will be processed and created

 

 

Flash drive will be formatted and prepared

 

 

Files will be added to the Flash Drive and the tool will be created.

 

 

The procedure is finished and the Tool created, click on "Finish" to complete.

 

 

Plug the USB into the sick PC and boot up, if it does not boot from the flash drive change the boot options as required, Use F12 as it boots, change options...

As it boots you`ll see files being loaded and the windows splash screen, eventually the tool will run a "Quick Scan" follow the prompts and deal with what it finds.

When complete do a full scan, deal with what it finds.

When finished, remove the USB stick then press the Esc key to boot into regular windows.

Navigate to the following file:

"C:\Windows\Windows Defender Offline\Support\MPLog-MM/DD/YYYY-HH/MM/SS .txt"

Open with notepad and copy and paste it into a reply.

Thanks,

 

Kevin..

[logix27]

Hello,

 

Unfortunately, that is not going to work. I can only create a book disk from this computer, and it will not boot from it, even though I change the boot order to the usb drive. Regards. 

[kevinf80]

Ok, see if you can run the following:

 

Download Norton Power Eraser from here: https://security.symantec.com/nbrt/npe.aspx? and save direct to your Desktop.

 

Double click on NPE.exe to start the tool. Vista, Windows 7/8/8.1 right click, select "Run as Administrator" accept UAC.

 

 

 

 

The EULA will open, accept that to move on...

 

 

 

 

The tool will check for updates/latest version

 

 

 

 

The GUI will open, select "Scan for Risks"

 

 

 

 

Rootkit scan alert will open, select "Restart"

 

 

 

 

Rootkit scan preparations will time out and Reboot the system.

 

 

 

 

Tool will will restart and check for update, do nothing.

 

 

 

 

System scan will start, do nothing.

 

 

 

 

If infections are found a list will be produced, make sure to checkmark "Create System Restore Point" then select "Fix Now" if nothing is found select "Exit" to close out the tool.

 

 

 

 

To remove "found entries" the system will need to restart, select that option.

 

 

 

 

If applicable select "Locate Log" attach to reply. Select "Done" when complete....

 

The log is saved to this folder: C:\User\user name\Appdata\Local\NPE\INFOyyyymmddhhmmss

 

The date and time listed against INFO identify the log. Right click on that log, Select Send to > Compressed (Zipped) Folder. Attach that folder to your next reply, it maybe easier to locate if you drag the zip folder to your Desktop….

 

Thanks,

 

Kevin..

[logix27]

Ok, so Power Eraser found something, and it said it removed it!

 

Zipped log is attached. 

 

Is all OK now? If so, was it actually a rootkit then? Any suggestions how that got on my PC from the logs? I haven't had an infection since as long as I can remember, and I am very eager not to have that happen again. Thanks as ever.

Regards.

Info20150626171845.zip

[kevinf80]

NPE has removed C:\Users\User\appdata\roaming\obskjzdatn.exe In reply #9 obtjqkhby.exe was located and removed by Avast from the same folder..

 

What is the current status of your system, is there any improvement?

 

Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan" Select scan, when done post the two logs....

[logix27]

Well, I haven't noticed anything out of the ordinary on my system - no slowdown, no popups, no unrecognized programs or processes - which is why I was surprised by the Avast scan.

 

The logs are attached as requested. Sorry about all this. I am very grateful for your help. 

 

 

FRST.txt

Addition.txt

[kevinf80]

No apologies necessary, Can you check your startup folder and see if the following are there:

 

HKU\S-1-5-21-2004945069-1412603571-1251126373-1002\...\StartupApproved\StartupFolder: => "y.lnk"
HKU\S-1-5-21-2004945069-1412603571-1251126373-1002\...\StartupApproved\StartupFolder: => "v.lnk"
HKU\S-1-5-21-2004945069-1412603571-1251126373-1002\...\StartupApproved\StartupFolder: => "t.lnk"

 

Next,

 

I recommend that you run another scan with Avast, see if anything else turns up.. If the log is clean and your system is responding normally we can clean up....

 

Thank you,

 

Kevin....

[logix27]

Right, so I found nothing in my startup folder; completely empty now. When I check start-up processes in task-manager, nothing is running!

 

Have run a full Avast scan twice today and it is clean. Shall I delete the virus in quarantine? 

[kevinf80]

Yes delete quarantine contents, other that that run Delfix once more to clean up....

 

Download "Delfix by Xplode" and save it to your desktop.

 

Or use the following if first link is down:

 

"Delfix link mirror"

 

Double Click to start the program. If you are using Vista or higher, please right-click and choose run as administrator

 

Make Sure the following items are checked:

 

 

Remove disinfection tools

Purge System Restore <--- this will remove all previous restore points and create a fresh point relative to system status at present.

Reset system settings

 

Now click on "Run" and wait patiently until the tool has completed.

 

The tool will create a log when it has completed. We don't need you to post this.

 

Any remnant files/logs from tools we have used can be deleted…

 

If no remaining issues or concerns are we ok to close out..

 

Thank you,

 

Kevin..

[logix27]

Hi there,

 

Just to say that all looks OK - touch wood. Did I once over with MalwareBytes and Avast, and no issues. Thanks again for going all out to assist me. Look out for a donation next week Cheers. 

[kevinf80]

Thank you for kind words, it was a pleasure to work with you.....

 

Take care and surf safe,

 

Kevin...

[AdvancedSetup]

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!