
Scared that my laptop is infected: request help to confirm


SRoy


Hi: today I noticed a command prompt window opening, and after some time closing, both times on its own. I could not notice anything (written) either on the prompts or on the title of the window. This (coming and going of the command prompts) happened a few times. I immediately ran the Malwarebytes anti-malware free (no threats) and a quick scan of Windows Defender (No threats).

I am not sure why the sudden display and disappearance of the prompts happened, and would like to make sure there's no malware involved.

If this qualifies for a check, I would request help. I have attached the output files of FRST64.exe in this post.

Thanks in advance, and regards: SRoy

Addition.txt

FRST.txt


  • Root Admin

Hello @SRoy and welcome!

I'm not seeing anything obvious stand out to indicate the computer is infected, but we can run some scans and see.

STEP 01
Please run a Threat Scan with MBAM. If you're unable to run or complete the scan as shown below, please see the following:
MBAM Clean Removal Process 2x
When reinstalling the program, please try the latest version.

Right click and choose "Run as administrator" to open Malwarebytes Anti-Malware and from the Dashboard please Check for Updates by clicking the Update Now... link
Open up Malwarebytes > Settings > Detection and Protection > Enable Scan for rootkit, and under Non-Malware Protection set both PUP and PUM to Treat detections as malware.
Click on the SCAN button and run a Threat Scan with Malwarebytes Anti-Malware by clicking the Scan Now>> button.
Once completed please click on the History > Application Logs and find your scan log and open it and then click on the "copy to clipboard" button and post back the results on your next reply.

Please restart the computer first and then run the following steps and post back the logs as ATTACHMENTS when ready.

STEP 02
Please download Junkware Removal Tool to your desktop.

  • Shutdown your antivirus to avoid any conflicts.
  • Right click over JRT.exe and select Run as administrator on Windows Vista or Windows 7, double-click on XP.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next reply message
  • When completed make sure to re-enable your antivirus

STEP 03
Let's clean out any adware now: (this will require a reboot so save all your work)

Please download AdwCleaner by Xplode and save to your Desktop.

  • Double click on AdwCleaner.exe to run the tool.
    Vista / Windows 7/8 users right-click and select Run As Administrator
  • Click on the Scan button.
  • AdwCleaner will begin... be patient as the scan may take some time to complete.
  • When it's done, you'll see: Pending: Please uncheck elements you don't want to be removed.
  • Now click on the Report button and a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • Look at the log especially under Files/Folders for any program you want to save.
  • If there's a program you may want to save, just uncheck it from AdwCleaner.
  • If you're not sure, post the log for review. (all items found are adware/spyware/foistware)
  • If you're ready to clean it all up, click the Clean button.
  • After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.
  • Items that are deleted are moved to the Quarantine Folder: C:\AdwCleaner\Quarantine
  • To restore an item that has been deleted:
  • Go to Tools > Quarantine Manager > check what you want to be restored > now click on Restore.

STEP 04
Download Sophos Free Virus Removal Tool and save it to your desktop.

  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View Log file (bottom left-hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
  • If no threats were found, please confirm that result.

STEP 05
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before, you need to place a check mark here.
  • Please attach the Additions.txt log to your reply as well.

Thanks


16 hours ago, AdvancedSetup said:

STEP 01
......
Once completed please click on the History > Application Logs and find your scan log and open it and then click on the "copy to clipboard" button and post back the results on your next reply.

Protection Log
---------------
Malwarebytes Anti-Malware
www.malwarebytes.org

Update, 9/3/2016 4:28 AM, SYSTEM, LR-PC, Manual, Remediation Database, 2016.2.12.1, 2016.8.31.1, 
Update, 9/3/2016 4:28 AM, SYSTEM, LR-PC, Manual, Rootkit Database, 2016.2.8.1, 2016.8.15.1, 
Update, 9/3/2016 4:28 AM, SYSTEM, LR-PC, Manual, IP Database, 2016.2.8.1, 2016.9.2.1, 
Update, 9/3/2016 4:28 AM, SYSTEM, LR-PC, Manual, Domain Database, 2016.2.16.8, 2016.9.2.5, 
Update, 9/3/2016 4:28 AM, SYSTEM, LR-PC, Manual, Malware Database, 2016.2.16.6, 2016.9.2.10, 
Scan, 9/3/2016 4:53 AM, SYSTEM, LR-PC, Manual, Start:9/3/2016 4:29 AM, Duration:24 min 22 sec, Threat Scan, Completed, 0 Malware Detections, 0 Non-Malware Detections, 
(end)

Scan Log
--------
Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 9/3/2016
Scan Time: 4:29 AM
Logfile: 
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.09.02.10
Rootkit Database: v2016.08.15.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 10
CPU: x64
File System: NTFS
User: lr

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 434208
Time Elapsed: 24 min, 22 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)

16 hours ago, AdvancedSetup said:

STEP 02
Please download Junkware Removal Tool to your desktop.
.......

  • Post the contents of JRT.txt into your next reply message

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.7 (07.03.2016)
Operating System: Windows 10 Pro x64
Ran by lr (Administrator) on Sat 09/03/2016 at  5:17:22.07
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

File System: 5

Successfully deleted: C:\Users\lr\AppData\Local\Google\Chrome\User Data\Default\Extensions\klbibkeccnjlkjkiokjodocebajanakg (Folder)
Successfully deleted: C:\WINDOWS\system32\Tasks\PCDEventLauncherTask (Task)
Successfully deleted: C:\WINDOWS\system32\Tasks\PCDoctorBackgroundMonitorTask (Task)
Successfully deleted: C:\WINDOWS\prefetch\FREEPDF.EXE-EEC35BE9.pf (File)
Successfully deleted: C:\WINDOWS\prefetch\TREESIZEFREE.EXE-1BF65C1A.pf (File)

Registry: 5

Successfully deleted: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{13D67BB7-DB5F-48AA-884D-7A5D94168509} (Registry Key)
Successfully deleted: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4} (Registry Key)
Successfully deleted: HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{13D67BB7-DB5F-48AA-884D-7A5D94168509} (Registry Key)
Successfully deleted: HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4} (Registry Key)
Successfully deleted: HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar\\{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4} (Registry Value)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sat 09/03/2016 at  5:20:46.66
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

16 hours ago, AdvancedSetup said:

STEP 03
Let's clean out any adware now: (this will require a reboot so save all your work)
.....

  • After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.

# AdwCleaner v6.010 - Logfile created 03/09/2016 at 05:29:02
# Updated on 12/08/2016 by ToolsLib
# Database : 2016-09-01.2 [Server]
# Operating System : Windows 10 Pro  (X64)
# Username : lr - LR-PC
# Running from : D:\SNR\Security\MBAM Forum Aug-Sep 2016\03_AdwCleaner by Xplode - AdwCleaner.exe
# Mode: Scan
# Support : https://toolslib.net/forum

***** [ Services ] *****

No malicious services found.

***** [ Folders ] *****

Folder Found:  C:\ProgramData\1b4fe5d6-fb4b-4797-9d10-7a1dd0e9a965
Folder Found:  C:\ProgramData\b34ee623-1d36-404f-9e5a-39221b7170d6
Folder Found:  C:\Users\lr\AppData\LocalLow\pandasecuritytb
Folder Found:  C:\Users\SR\AppData\LocalLow\pandasecuritytb
Folder Found:  C:\Program Files (x86)\pandasecuritytb

***** [ Files ] *****

File Found:  C:\Users\lr\AppData\Roaming\Mozilla\Firefox\Profiles\ebncjfps.default\extensions\{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}.xpi

***** [ DLL ] *****

No malicious DLLs found.

***** [ WMI ] *****

No malicious keys found.

***** [ Shortcuts ] *****

No infected shortcut found.

***** [ Scheduled Tasks ] *****

Task Found:  FreeDownloadManagerNetworkMonitor

***** [ Registry ] *****

Key Found:  HKLM\SOFTWARE\Classes\PCSuiteContactsView
Key Found:  HKLM\SOFTWARE\Classes\PCSuiteMessagesView
Key Found:  [x64] HKLM\SOFTWARE\Classes\CLSID\{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}
Key Found:  [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}
Value Found:  [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}]
Key Found:  [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{62155D33-3CE2-401E-8967-5A270628A3D5}
Key Found:  [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}
Key Found:  HKLM\SOFTWARE\Classes\CLSID\{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}
Key Found:  HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}
Key Found:  HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}
Value Found:  HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}]

***** [ Web browsers ] *****

No malicious Firefox based browser items found.
Chrome pref Found:  [C:\Users\SR\AppData\Local\Google\Chrome\User Data\Default\Web data] - aol.com
Chrome pref Found:  [C:\Users\SR\AppData\Local\Google\Chrome\User Data\Default\Web data] - ask.com

*************************

C:\AdwCleaner\AdwCleaner[S0].txt - [2628 Bytes] - [03/09/2016 05:29:02]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [2701 Bytes] ##########

16 hours ago, AdvancedSetup said:

STEP 04
......

  • If no threats were found, please confirm that result.

After a full, long run, Sophos Virus Removal Tool declared that the "computer is clean".

16 hours ago, AdvancedSetup said:

STEP 05
.......

  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before, you need to place a check mark here.
  • Please attach the Additions.txt log to your reply as well.

Both are attached. I downloaded and ran the FRST tool on 31st, before logging this issue. Hence Addition.txt is of that date. FRST.txt is for today's run.

Thanks for your time.

Rgds, SRoy

05_Addition.txt

05_FRST.txt

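The JRT and AdwCleaner logs quoted above keep returning to one identifier: the CLSID {B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4} appears as a Browser Helper Object key, an Internet Explorer toolbar value, a URLSearchHook and a Firefox extension .xpi. When several tools each list a dozen items it helps to see whether they are reporting one leftover component several times or genuinely different things. The script below is an added example, not part of this thread and not a Malwarebytes or ToolsLib utility: it parses trimmed excerpts of the two logs posted above (the line and section formats are taken from those logs; the "[x64]" marker handling, the function names and the trimming are my assumptions) and cross-references the GUIDs between them.

```python
"""Triage helper for the JRT and AdwCleaner logs quoted in this thread.
Added example, not a Malwarebytes or ToolsLib utility; log excerpts are
trimmed copies of the logs posted above, function names are assumed."""
import re
from collections import Counter, defaultdict

# Trimmed excerpt of the JRT log posted above (7 of its 10 entries).
JRT_LOG = r"""
Successfully deleted: C:\Users\lr\AppData\Local\Google\Chrome\User Data\Default\Extensions\klbibkeccnjlkjkiokjodocebajanakg (Folder)
Successfully deleted: C:\WINDOWS\system32\Tasks\PCDEventLauncherTask (Task)
Successfully deleted: C:\WINDOWS\system32\Tasks\PCDoctorBackgroundMonitorTask (Task)
Successfully deleted: C:\WINDOWS\prefetch\FREEPDF.EXE-EEC35BE9.pf (File)
Successfully deleted: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{13D67BB7-DB5F-48AA-884D-7A5D94168509} (Registry Key)
Successfully deleted: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4} (Registry Key)
Successfully deleted: HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar\\{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4} (Registry Value)
"""

# Trimmed excerpt of the AdwCleaner scan log posted above (blank lines dropped).
ADW_LOG = r"""
***** [ Services ] *****
No malicious services found.
***** [ Folders ] *****
Folder Found:  C:\ProgramData\1b4fe5d6-fb4b-4797-9d10-7a1dd0e9a965
Folder Found:  C:\Program Files (x86)\pandasecuritytb
***** [ Files ] *****
File Found:  C:\Users\lr\AppData\Roaming\Mozilla\Firefox\Profiles\ebncjfps.default\extensions\{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}.xpi
***** [ Scheduled Tasks ] *****
Task Found:  FreeDownloadManagerNetworkMonitor
***** [ Registry ] *****
Key Found:  [x64] HKLM\SOFTWARE\Classes\CLSID\{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}
Key Found:  [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{62155D33-3CE2-401E-8967-5A270628A3D5}
Value Found:  HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{B821BF60-5C2D-41EB-92DC-3E4CCD3A22E4}]
***** [ Web browsers ] *****
No malicious Firefox based browser items found.
Chrome pref Found:  [C:\Users\SR\AppData\Local\Google\Chrome\User Data\Default\Web data] - ask.com
"""

# Line shapes exactly as they appear in the logs above.
JRT_ITEM = re.compile(r"^Successfully deleted: (.+) \(([A-Za-z ]+)\)\s*$")
ADW_SECTION = re.compile(r"^\*{5} \[ (.+?) \] \*{5}\s*$")
ADW_ITEM = re.compile(r"^([A-Za-z][A-Za-z ]*?) Found:\s+(.+?)\s*$")
GUID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

def parse_jrt(text):
    """One {'path', 'kind'} record per 'Successfully deleted: ... (Kind)' line."""
    records = []
    for line in text.splitlines():
        m = JRT_ITEM.match(line)
        if m:
            records.append({"path": m.group(1), "kind": m.group(2)})
    return records

def parse_adwcleaner(text):
    """Group 'X Found:' lines under their section header; a clean section is an empty list."""
    sections, current = {}, None
    for line in text.splitlines():
        header = ADW_SECTION.match(line)
        if header:
            current = header.group(1)
            sections[current] = []
            continue
        m = ADW_ITEM.match(line)
        if m and current is not None:
            kind, item, arch = m.group(1), m.group(2), None
            if item.startswith("[x64] "):  # assumed: AdwCleaner's marker for the 64-bit hive
                arch, item = "x64", item[len("[x64] "):]
            sections[current].append({"kind": kind, "item": item, "arch": arch})
    return sections

def extract_guids(text):
    """Every {GUID} in a log, upper-cased so the tools' casing does not matter."""
    return {g.upper() for g in GUID.findall(text)}

def correlate_guids(logs):
    """Map each GUID to the sorted names of the logs that mention it."""
    seen = defaultdict(set)
    for name, text in logs.items():
        for guid in extract_guids(text):
            seen[guid].add(name)
    return {guid: sorted(names) for guid, names in seen.items()}

def triage(jrt_text, adw_text):
    """Counts per tool plus the GUIDs both tools reported (one component, two reports)."""
    jrt = parse_jrt(jrt_text)
    adw = parse_adwcleaner(adw_text)
    hits = correlate_guids({"jrt": jrt_text, "adwcleaner": adw_text})
    return {
        "jrt_by_kind": dict(Counter(r["kind"] for r in jrt)),
        "adw_by_section": {name: len(items) for name, items in adw.items()},
        "shared_guids": sorted(g for g, names in hits.items() if len(names) > 1),
    }

if __name__ == "__main__":
    for key, value in triage(JRT_LOG, ADW_LOG).items():
        print(f"{key}: {value}")
```

Run as-is it summarises the embedded excerpts; to use it on the full logs, read JRT.txt and AdwCleaner[S0].txt from disk and pass their text to triage(). The "shared_guids" entry is the useful part for a reader of this thread: it shows that JRT's deleted Browser Helper Object key and AdwCleaner's CLSID, ElevationPolicy, URLSearchHook and .xpi findings all belong to the same browser add-on component, which is the kind of leftover the cleanup steps above are removing.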

  • Root Admin

Great, thanks. Please restart the computer 2 times and then run a new FRST scan. Make sure to place a check mark on the Additions.txt check box and post back both new logs as an Attachment and also let me know if you're still seeing any issues or if things look good now.

Thanks

  • Root Admin

What is this batch file doing? Is it needed?

Shortcut: C:\Users\lr\NITIENetwkUpdate.bat.lnk -> D:\SNR\NITIENetwkUpdate.bat

Please click on START and type in MSCONFIG then click on NORMAL and restart the computer.

Then after the restart click on START again and type in MSCONFIG and make sure it's on NORMAL. If it is quit, if not click on NORMAL again and restart again.

Please read the following article concerning the use of MSCONFIG
Msconfig Is Not A Startup Manager

Make sure the following programs from MBAM are excluded, allowed access to the Internet in your firewall.

mbam.exe
mbamresearch.exe
mbamscheduler.exe

Please download the attached fixlist.txt file and save it to the Desktop.
NOTE. It's important that both files, FRST or FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

fixlist.txt

Thanks


On 9/9/2016 at 5:00 AM, AdvancedSetup said:

What is this batch file doing? Is it needed?

It is required only sporadically; it contains the following:

ipconfig /release

ipconfig /renew

pause

On 9/9/2016 at 5:00 AM, AdvancedSetup said:

MSCONFIG then click on NORMAL

Done; after 1st restart it was still normal.

On 9/9/2016 at 5:00 AM, AdvancedSetup said:

Please read the following article

Have started using Autoruns64 V13.62

On 9/9/2016 at 5:00 AM, AdvancedSetup said:

Make sure the following programs from MBAM are excluded, allowed access to the Internet in your firewall.

I use Windows firewall: all outgoing Internet access are allowed. I haven't changed the default.

On 9/9/2016 at 5:00 AM, AdvancedSetup said:

The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Attached. No warning about outdated versions.

Thanks a lot for your help. Rgds, SRoy

Fixlog.txt


Thanks: it's running okay now, and I do not see those command line prompts appearing 'out of the blue', so I do not see any signs of infection.

Maybe you could spare some time to explain in layman's terms, what the problem was about (or rather, the way you saw the situation).

Thanks again, and regards: SRoy


  • Root Admin

Just typical malware junk that we often see. Nothing too serious at this time.

At this time there are no more signs of an infection on your system.
However if you are still seeing any signs of an infection please let me know.

Let's go ahead and remove the tools and logs we've used during this process.

Most of the tools used are potentially dangerous to use unsupervised or if run at the wrong time.
They are often updated daily, so if you went to use them again in the future they would be outdated anyway.

The following procedures will implement some cleanup procedures to remove these tools.

Download Delfix from here and save it to your desktop. (you may already have this)

  • Ensure Remove disinfection tools is checked.
  • Click the Run button.
  • Reboot


Any other programs or logs that are still remaining, you can manually delete. (right click... Delete)
i.e. RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST folder, FRST-OlderVersion folder, MBAR folder, etc. AdwCleaner > just run the program and click Uninstall.

If there are any other left over Folders, Files, Logs then you can delete them on your own.
Please visit the following link to see how to delete old System Restore Points. Please delete all of them and create a new one at this time.
How to Delete System Protection Restore Points in Windows 7 and Windows 8

Remove all but the most recent Restore Point on Windows XP


As Java seems to get exploited on a regular basis, I advise not using Java if possible, but at least disable Java in your web browsers:
How do I disable Java in my web browser? - Disable Java

A lot of reading here but if you take the time to read a bit of it you'll see why/how infections and general damage are so easily inflicted on the computer. There is also advice on how to prevent it and keep the system working well. Don't forget about good, solid backups of your data to an external drive that is not connected except when backing up your data. If you leave a backup drive connected and you do get infected it can easily damage, encrypt, delete, or corrupt your backups as well and then you'd lose all data.
Nothing is 100% bulletproof but with a little bit of education you can certainly swing things in your favor.


If you're not currently using Malwarebytes Premium then you may want to consider purchasing the product which can also help greatly reduce the risk of a future infection.


  • Root Admin

I used to use RogueKiller as a quick confirmation, however (IMHO) it is no longer quick or easy like it used to be. It now goes online and makes use of network resources. There are other tools that work to help find and remove infections that I think are easier to use. It's a great tool, just not something I use much anymore myself.

You should be all set now.


  • Root Admin

Glad we could help. :) If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!


This topic is now closed to further replies.