IP blocking specific to one user account

  • Root Admin

Okay, well, I don't see anything in the log that should be triggering a detection. So the one here you're logged in as is ADMIN, and this is the profile that is generating this alert and none of the other accounts?

Let's try a different antivirus. The built-in Windows Defender is not exactly state of the art for detection and removal. Please create a new System Restore point and then go here and download a trial of "Norton Security Deluxe", then install it, update it, and do a Full System Scan, and let me know if it detects anything or not.

http://us.norton.com/downloads

Thanks

 


No, the "Admin" account is not the one that is generating the alerts.  It is the account "Jen" that is generating the alerts.

Should I re-run FRST under that account, instead?   (Before proceeding w/ the Norton suggestion)  Or just go straight to the Norton install/scan instead?


I went ahead and re-ran FRST under the 'Jen' account, the account that is having the problems (I didn't realize that it mattered which account it was run under; previously, I thought running under the Admin account was the best way to get all pertinent info).

Attached are the logs from this new run.

 

FRST.txt

Addition.txt


  • Root Admin

Yes there are "user" settings that may not be as easily detected for minor things like this.

The user may not have rights to remove them, but this is being triggered by FRST; it could be an invalid entry or even a bogus one for Google, so please see if you can remove these from the Scheduled Tasks, and from the Registry too if found there.

Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job =>  <==== ATTENTION
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job =>  <==== ATTENTION
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-3671776566-451609337-1825776771-1001Core.job =>  <==== ATTENTION
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-3671776566-451609337-1825776771-1001UA.job =>  <==== ATTENTION

I thought I already had you fix this, but it still shows in the HOSTS file. Please remove the entry (requires admin rights) from C:\Windows\System32\Drivers\Etc\hosts

127.0.0.1            d3oxij66pru1i3.cloudfront.net

 

This entry would almost have to be junk. Can you confirm what this file is and if it is valid? If needed you can upload it to http://www.virustotal.com

The user should be able to edit the registry and remove it from this key if it's not a valid file:   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

HKU\S-1-5-21-3671776566-451609337-1825776771-1008\...\Run: [scuzzy-51] => C:\ProgramData\scuzzy-1\scuzzy-29.exe [612352 2016-05-09] ()

 

Actually... let me have you restart the computer again and run a new FRST scan. Make sure you place a check mark in the Additions.txt check box and attach back both new logs while logged in with the Admin or other account that has Admin rights. Those entries should still be showing under the Admin account, and maybe I just missed them before. If found, then we can run a clean up script to remove them with Admin rights. But I'd still like you to verify whether the scuzzy-1 folder is a valid program or not, please.

Thanks

 

 


New FRST/Addition logs attached (run as Admin).

FYI: I tried deleting the cloudfront entry in /etc/hosts as Admin, and was prevented from saving the file ("Access Denied").

I don't have an actual scuzzy-1 folder under c:\ProgramData, so that must be an invalid reference.  See attached Explorer screen shot (I have "show hidden files" enabled in Explorer).

So, to sum up, I ran FRST as Admin and have made no changes yet from your most recent post.

 

scuzzy.JPG

Addition.txt

FRST.txt

Edited by MM658

May 11 Update:

1- I figured out how to delete the cloudfront entry from the hosts file, and successfully removed it.

2- I deleted the four Google Update tasks from the Task Scheduler.  There were no references to them in the Registry.

3- There is currently no reference to "C:\ProgramData\scuzzy-1" in the registry under the 'Jen' user account.  As mentioned in the previous post, nor does such a folder exist on the hard drive.

4- After performing the above, I restarted the PC and ran FRST again as ADMIN (not as 'Jen') and the newest logs are attached.

5- I did notice, however, in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run for the 'Jen' account, an entry that looked suspicious for kelvin-43.exe (see screenshot).  However, now after the reboot, the file and folder are no longer there.  However, there are other suspicious-looking folders in c:\ProgramData with executables in them, like C:\ProgramData\componet-9\componet-7.exe, which I uploaded to virustotal.com and it got flagged by 8 of 56 AV scans (see VirusTotal screen shot).  There are also similar-looking folders/executables in C:\Users\Jen\AppData\Roaming - example:  C:\Users\Jen\AppData\Roaming\scsi2-4\scsi2-5.exe, which I also uploaded and which gets flagged by 7 of 56 scans.

6- I have not done anything to remove any files or Registry entries (other than the updates mentioned in #1 and #2 above) and will wait to hear back from you on how to proceed next.

 

Addition.txt

FRST.txt

Registry-Screenshot.JPG

Componet-7.JPG


  • Root Admin

The logs for Admin vs. the Jen account show different things, oddly, as it's supposed to be able to load that and show it as well. I'm going to try to compare the Jen logs vs. the Admin log and we'll look at removing some more items. The other folders like the ones with the scsi2-4 name would seem to be bogus; unfortunately there is no indication of where they may have come from. We can run a custom scan for file names like that, but I'm not sure whether it's really needed or not.

Will try to get back with you later tonight with a new clean up script.

 


  • Root Admin

Please download the attached fixlist.txt file and save it to the Desktop.
NOTE: It's important that both files, FRST or FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

fixlist.txt

Thanks

 


After running the fix script earlier today (see most-recent previous post for fix log), I have now re-run a Farbar scan, both as user Admin, and as user Jen, to give you an up-to-date picture.  Those logs are attached.

Also, when I logged on to user Jen to run that scan, I got several messages from MBAM:


Detection, 5/12/2016 10:17 PM, Jen, HP-2009, Protection, Malware Protection, File, Trojan.Downloader.SSV, C:\ProgramData\faraday-9\faraday-85.exe, Quarantine, [362f27aeb9e0e650e777517e2bd6e020]
Detection, 5/12/2016 10:17 PM, Jen, HP-2009, Protection, Malware Protection, File, Trojan.Downloader.SSV, C:\Users\Jen\AppData\Roaming\liquid-71\liquid-98.exe, Quarantine, [a7be13c2247583b3f46ac906748d7789]
Detection, 5/12/2016 10:22 PM, Jen, HP-2009, Protection, Malware Protection, File, Trojan.Downloader.SSV, C:\ProgramData\ascii-72\ascii-02.exe, Quarantine, [e580b520c7d2ee48c599636cc33e32ce]
Detection, 5/12/2016 10:24 PM, Jen, HP-2009, Protection, Malware Protection, File, Trojan.Downloader.SSV, C:\Users\Jen\AppData\Roaming\boost-45\boost-99.exe, Quarantine, [461fa035178250e6a5b92ea1748d57a9]

Addition-as-Admin.txt

FRST-as-Admin.txt

Addition-as-Jen.txt

FRST-as-Jen.txt

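The MBAM detection lines quoted above, and the earlier remark about running a custom scan for file names of this shape, both point to the same triage check. The following is an added example (not MBAM's, FRST's or this forum's code): it parses MBAM "Detection" lines and flags paths laid out as <stem>-N\<stem>-M.exe under ProgramData or a user's AppData\Roaming, the pattern this thread keeps running into. The sample log lines and their bracketed hashes are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Layout of the throwaway executables in this thread: "<stem>-N\<stem>-M.exe" under
# ProgramData or a user's AppData\Roaming (e.g. faraday-9\faraday-85.exe).
DROPPER_LAYOUT = re.compile(
    r"^[a-z]:\\(?:programdata|users\\[^\\]+\\appdata\\roaming)\\"
    r"(?P<stem>[a-z0-9]+)-\d+\\(?P=stem)-\d+\.exe$",
    re.IGNORECASE,
)

@dataclass
class Detection:
    timestamp: str
    user: str
    threat: str
    path: str
    action: str

def parse_mbam_detection(line: str) -> Optional[Detection]:
    """Parse one MBAM 'Detection' line (11 comma-separated fields); None for anything else."""
    fields = [f.strip() for f in line.split(",")]
    if len(fields) != 11 or fields[0] != "Detection":
        return None
    return Detection(timestamp=fields[1], user=fields[2], threat=fields[7],
                     path=fields[8], action=fields[9])

def matches_dropper_layout(path: str) -> bool:
    """True when the path (either slash style) follows the <stem>-N\\<stem>-M.exe layout."""
    return DROPPER_LAYOUT.match(path.replace("/", "\\")) is not None

def triage(log_text: str) -> List[dict]:
    """One record per detection line, flagging paths that fit the dropper layout."""
    records = []
    for line in log_text.splitlines():
        det = parse_mbam_detection(line)
        if det is not None:
            records.append({"path": det.path, "threat": det.threat,
                            "quarantined": det.action == "Quarantine",
                            "dropper_layout": matches_dropper_layout(det.path)})
    return records

# Constructed sample in the format quoted above; the bracketed hashes are placeholders.
SAMPLE_LOG = """\
Detection, 5/12/2016 10:17 PM, Jen, HP-2009, Protection, Malware Protection, File, Trojan.Downloader.SSV, C:\\ProgramData\\faraday-9\\faraday-85.exe, Quarantine, [00000000000000000000000000000001]
Detection, 5/12/2016 10:17 PM, Jen, HP-2009, Protection, Malware Protection, File, Trojan.Downloader.SSV, C:\\Users\\Jen\\AppData\\Roaming\\liquid-71\\liquid-98.exe, Quarantine, [00000000000000000000000000000002]
Detection, 5/12/2016 10:30 PM, Jen, HP-2009, Protection, Malware Protection, File, PUP.Optional.Sample, C:\\Program Files\\Vendor\\updater.exe, Delete, [00000000000000000000000000000003]
Update, 5/12/2016 10:31 PM, SYSTEM, HP-2009, Manual, Database, Refresh
"""
```

Run `triage(SAMPLE_LOG)` to get the flagged records; `matches_dropper_layout` also accepts the forward-slash paths the Kaspersky Rescue Disk reports.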

  • Root Admin

I don't think any of these are live and active, but the scanner is seeing them and alerting. Let's try something new. Normally I don't need or recommend doing a full scan, but for this please use an Admin account and open MBAM and go to SCAN, Custom Scan, Configure Scan. Make sure all 4 scanning options are selected. Then place a check mark at the top of your C: drive to have it scan all files on the drive. Then click the Scan Now button and let it run. As it will now scan even zip files and all files, the scan can take a very long time, but hopefully it will find some of these other unexpected files and offer to remove them for us.

Review what it finds though and if something looks valid then don't remove it.

Next please run the scan below and post back both logs when ready.

 

Please download the correct version of SystemLook for your computer and save it to your desktop.
You can check here if you're not sure if your computer is 32-bit or 64-bit

SystemLook 32-bit x86 | or | SystemLook 64-bit x64

  • If using Windows XP just double click on SystemLook.exe to run it.
  • For all other versions of Windows, right click over SystemLook.exe or SystemLook_x64.exe and choose Run as administrator to run it
  • Copy the contents of the following code box into the main text field - including the colon characters.
     
    :filefind
    *.exe
    *.bat
    *.pif
    :folderfind
    *scsi*
    
    
  • Click the Look button to start the scan
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
  • Note: The log can also be found on your Desktop named SystemLook.txt

 

 

Edited by AdvancedSetup

  • Root Admin

So far I'm not seeing anything "current" that would indicate or allow a remote attack or obtaining information about your account on PayPal. Have you contacted PayPal and worked with them as to what or how they believe that your account was compromised?

 

Please give me some time to review the log as it's quite large. If I've not replied within about 6 hours or so please send me a PM reminder.

Thanks

 

 


No worries re: timing, I won't be able to do anything to this PC for a day or two, so take your time.  I appreciate the help.

PayPal has been contacted.  They claim that the transactions trace back to our IP address, so they are not being very forthcoming with assistance.  But we did not receive any emails when the transactions took place, so whoever got the info did a good job of covering their tracks.


  • Root Admin

Well we can search for some type of rootkit that we're not somehow detecting using an offline tool from Kaspersky.

 

Please download the following tool from Kaspersky and burn it to CD from a clean working computer and then boot from it on the affected computer.
 
Make sure you watch this video which describes how to create the CD to use it.
 
How to create the Kaspersky Rescue Disk 10 CD
 
 
Please visit the Kaspersky site and review the information and then download and burn the ISO image to CD to use on the affected computer.
Make sure you update the definitions for Kaspersky before doing the actual scan.  Make sure to also write down what it finds or does as some users have trouble saving and accessing the log afterwards.
 


As I had just logged on the Admin account to update this thread, I now notice that I am  getting a dialog box indicating that MBAM cannot load anti-rootkit protection. It suggested trying a reboot, so I tried rebooting, and MBAM started a scan, but with a message: "Error: Malwarebytes was unable to load the Anti-Rootkit Driver. Error code: 20025. Do you want to continue the scan without anti-rootkit support?"


After another reboot, the MBAM anti-rootkit message did not return.  So, I have not yet pursued a re-install of MBAM.

I have done some work with the Kaspersky Rescue Disk.

For starters, I did a scan of just the "Disk boot sectors" and "Hidden startup objects" and it found one item:

File C:/Users/Jen/AppData/Roaming/ycbcr-9/ycbcr-0.exe contains Trojan program Trojan.Win32.Waldek.nlu.

I was given the choice of Delete or Skip, and for now, I chose Skip (not wanting to take any actions without checking w/ you first).

I have not yet done a full scan of C: since (a) it would take a while, and (b) I wasn't sure if perhaps the disk boot/startup scan was sufficient.

Should I re-run the Rescue Disk and choose Delete on that item?  Should I proceed with a scan of the entire C: drive?

Please advise on next steps.  Thanks.

Edited by MM658

Unfortunately, when I booted into this PC last night as Admin, Windows Defender gave me some message about removing malware, and now this morning after reading your last message, when I go to C:/Users/Jen/AppData/Roaming/ycbcr-9 the folder is now empty. If you think there's a version of the file worth analyzing located in some Windows Defender folder, let me know and I'll try to find it there.

It seems that there's something else that is spawning these various EXE files as soon as they get removed, whenever the 'Jen' account is accessed.  

I guess I'll proceed with the Kaspersky scan on the whole C:/ drive - I was hoping to avoid that because when I started one yesterday, it estimated that it would take SIX DAYS to complete.  

 


  • Root Admin

Wow, not sure how large the drive is but even on a big one I did a while back it was only about 24 hours. Just odd in that none of the typical startup means are showing it and even normal antivirus tools are not finding these files either. Leads me to believe that it's somehow browser related.

Okay, what if we take another approach? How about creating a new user account for Jen. Then copy all her documents and bookmarks to the new profile. Then use that new profile for a couple of days. When you're reasonably certain that there are no issues or missing data from the new account and no new IP blocks or file detections, then we can look at removing the old profile.

If the issue comes back on the new profile then I'd be even more sure that it's somehow due to browser setup/sync from online otherwise your account or other accounts should have this same issue.

 


It's a 1 TB drive, about 75% full.  I started a scan this morning and it started the estimate at 11 days to complete (!) and it has grown since then, eventually up to 20 days.  Not sure why it's projected to take so long.  I have since killed that scan.

However, I just now discovered that I could tell it to scan specific locations - I thought the only choices were full hard drives or the boot sectors and startup objects.

I have started a new scan just looking at:

C:/ProgramData

C:/Users/Jen

since those seem to be the locations that have been the "hot spots" thus far.  Once it finishes - or at least comes back with a time estimate for completion - I will report back.

 

Edited by MM658