Cleanup after Adware findings in Temp folder

[shinra]

Dear Malwarebytes Forum staff,

 

today MBAM found 2 folders and 10 files in Temp folders of the two profiles on one of our computers.

Apparently they belonged to an Adware threat named Chinad.

They got quarantineed and deleted and it didn't look like the threat ever left the Temp folder.

 

Nevertheless, since this was the first infection of this machine I am aware of, I wanted to make sure that everything is fine, so I am kindly asking for your help here.

 

I did the FRST scans and everything looks fine (at least for my amateur eyes) except for two entries about user restrictions, whatever that may mean. Please have a look at the attached logs. I attached the two FRST logs, the log of the Adware findings, a log of an admin search after cleaning and a log of the scan before the findings.

If we have to do something soon (like doing something against these restrictions), I would be very happy if you could tell me in each step what exactly we are trying to accomplish. Thank you.

And please tell me if I have to worry about the machines integrity, since we are working with private details and doing online shopping with it. Thanks again.

 

Looking forward to hearing from you.

 

 

Addition.txt

FRST.txt

MBAM Scan After Cleaning (02-28).txt

MBAM Scan Last Time before Adware findings (02-24).txt

MBAM Scan with Adware (02-28).txt

Edited February 28, 2017 by shinra

[garioch7]

Shinra:

Malware Removal for Windows Forum.  My name is Phil and I would like to address you by your first name, if that is alright with you since we will be working together.

I will be assisting you with your computer issues.  I will endeavor to respond within a reasonable time, normally 48 hours after your last post.

I will need some time to review your FRST logs.  That could take a day or two.

PLEASE DO NOT RUN ANY ADDITIONAL SCANS OR ANTI-MALWARE REMOVAL TOOLS UNTIL YOU HAVE RECEIVED A RESPONSE FROM ME.
Doing so would complicate the situation and it would cause further delays in resolving your issues.  It could also potentially result in harm to your computer because my "fix" will be based on the FRST scan logs you have already submitted.

Thank you and have a great day.

Regards,
-Phil

[garioch7]

Shinra:

Thank you for your patience while I analyzed your FRST logs.

It would be helpful to me if you would, in the future, copy and paste all of the requested scan and fix logs into your replies.  It makes it faster for me to analyze them.  Thank you for your anticipated cooperation.

Second, it would be appreciated if you would rename FRST64.exe to FRST64English.exe.  I apologize, but I don't speak or comprehend German.  This will cause FRST to translate the logs into English.

Before we start dealing with the problems you are experiencing, I would ask that you to take note of the following points:

• I am a Malwarebytes Forum volunteer, so I ask you to be patient.  I know it is frustrating when your computer is not working properly, but malware removal takes time.
• Please also remember that I only dedicate a limited number of hours a day to helping people. We may live in different time zones, which may cause delays in responding.
• If I have not responded to you within 48 hours, please send me a personal message.  Likewise, I expect you to respond within 48 hours, and sooner is better because we can fix your computer faster.
• If I have not heard from you in three days, I will "bump" your post.  After five days of no response, I will consider that you no longer need my assistance and this thread will be closed.
• Logs can take a while to research, so please be patient.
• Some issues just cannot be solved so you must be prepared for this.
• Please read and follow the instructions in the exact sequence that they are posted to avoid making a bad situation worse.
• Please print or copy and save the instructions.
• Back up all your data and important files on another (external) drive before starting to run malware removal tools.
• You should try to limit your browsing with this computer until you are given the "All Clear."  Some malware applications steal passwords.
• Please do not install or uninstall any applications, unless directed.  Don't run any scripts or tools on your own because unsupervised usage may cause more harm than good.
• Please use only the tools you have been instructed to use.
• If you are using CD/DVD emulation software, this should be uninstalled or disabled as it can interfere with the removal of some malware.  It can be turned off with Defogger and then turned back on when you get the "All Clear."
• Please copy and paste the requested log files inside your post, unless otherwise instructed.
• There are no silly questions. Ask for clarification, if you have any questions or concerns.
• Malwarebytes does not support any piracy.  Evidence of  illegal OS, software, cracks/keygens, etc., will be revealed by scan logs, and if found, further assistance may be suspended.  Uninstall such software before proceeding!
• Any P2P software such as uTorrent, BitTorrent, Kazaa, etc. must be uninstalled or completely disabled.  P2P software is a major security risk to your computer and may have been the route the malware used to infect your computer.
• Failure to follow these guidelines may result in assistance being withdrawn and your thread being closed.
• I am volunteering my time to help you, and I will need you to help me.  Together, we can, hopefully, disinfect your computer and get if functioning properly again.  That is my only aim.

.

OK, let's get started ...

.

:step1:   Please run a FRST "Fix" for me.  I am going to remove the Group Policy restrictions that you saw in the "Registry" section of the FRST.txt log.  If you don't want those restrictions removed, please delete the two lines commencing with: "GroupPolicyUsers ... ".

Copy and paste the text in the code box below into Notepad and save the file as fixlist.txt to the Desktop.

NOTE: It is important that both files, FRST64English.exe and fixlist.txt are both in the same folder or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this individual computer. Running this on another computer may cause damage to your operating system.

CreateRestorePoint:
CloseProcesses:
GroupPolicyUsers\S-1-5-21-1278656525-4151549656-3195628287-1002\User: Beschränkung <======= ACHTUNG
GroupPolicyUsers\S-1-5-21-1278656525-4151549656-3195628287-1001\User: Beschränkung <======= ACHTUNG
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1278656525-4151549656-3195628287-1001 -> DefaultScope {F84F53BE-5396-4AD6-8E49-BF54DD5AB1AD} URL = 
SearchScopes: HKU\S-1-5-21-1278656525-4151549656-3195628287-1001 -> {F84F53BE-5396-4AD6-8E49-BF54DD5AB1AD} URL = 
FF Extension: (DealBeaver) - C:\Users\ZodiacStar\AppData\Roaming\Mozilla\Firefox\Profiles\2halojhz.default\Extensions\dealbeaver@dealbeaver.org.xpi [2015-08-19] [ist nicht signiert]
FF HKLM-x32\...\Thunderbird\Extensions: [msktbird@mcafee.com] - C:\Program Files\McAfee\MSK => nicht gefunden
S3 zlportio; \??\C:\Program Files (x86)\UltraStar Deluxe\zlportio.sys [X]

 

• Right click FRST64English.exe, and select "Run as Administrator".
• Then press the Fix button just once and wait.
• If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
• When finished FRST will generate a log on the Desktop (Fixlog.txt). Please copy and paste the contents into your reply.

Thank you and have a great day.

Regards,
-Phil

Edited March 3, 2017 by garioch7
Formatting issue in Fixlist.txt

[shinra]

Thank you very much for your reply and for taking some of your time to help me with my inquiry.

Since you offered in your post that I ask questions first, I would like to ask if these restrictions should be removed in your opinion. FRST gave me a warning about those, so that is why I contacted you to make sure that this is nothing to worry about and to get it corrected. Depending on your answer I will run the fix with or without removing the restrictions on the weekend.

Thank you very much in advance for your upcoming reply.

 

 

[garioch7]

shinra:

Thank you for your post.  My own FRST log has policy restrictions that I did not create, but have not posed any issues for my computer.  Software programs (and malware) can create these restrictions, some for legitimate reasons, and some for nefarious reasons.  If it were my computer, I would follow the old wise saying: "If it ain't broke, don't fix it!"

Unless you are experiencing issues that could be related to Group Policy Restrictions, I would omit those two lines from the FRST fix.  That was why I asked you about the Group Policy Restrictions.

At a later date, should you notice issues that might be related to Group Policy Restrictions, you can always return here for additional assistance.

You are most welcome for my assistance.  It is my pleasure.  Have a great weekend.

Regards,
-Phil

[shinra]

Thanks again for your quick reply.

I can totally relate to the saying you quoted, and I would like not to change or fix anything that isn't necessary.

Up until now this computer has never had any major problems I am aware of, but a malware alert makes you question the actual security (although I think that it probably was a false alert - in addition it were just files and folders in temp - so in my amateur impression this was nothing to be afraid of - please correct me if I am wrong). Since the alert the computer is running like before too without any problems.

If I understand you correctly, these restrictions are not harmful for the system by themselves, since they could be there legitimately, correct? As far as I know nobody has experienced any restrictions whatsoever before, so I would go with your decision to not remove these if they do not pose a security threat.

Should the fix without the Group Policy Restrictions be run anyway, because of the other things you added to the fix? Is there a huge risk for the computer by running this fix on it with FRST? Because I don't want to damage it although it is running fine. If you say everything is fine as it is, I would keep the computer in its current state. 

Seeing that neither Anti Virus nor MBAM found anything after the initially found files have been quarantineed and deleted, the system should be clean, right (especially seeing that there never has been another alert before)? This is my most important question right now.

Sorry for all these questions. Thanks again and looking forward to your reply.

[garioch7]

@shinra

Thank you for your post.  The odds are that your computer is not infected, although I did see a PUP (Potentially Unwanted Program): DealBeaver.

This is YOUR computer, so it is YOUR decision.  The FRST fix will remove the DealBeaver FF extension and do a minor clean-up of some orphans.  No one can GUARANTEE that any anti-malware tool, or script, will cause no unintended consequences.

So it is your call.  I would run the FRST fix, if it was my computer, since I was here anyways.

You are correct that legitimate software can create Group Policy Restrictions for legitimate reasons.  Because malware can also do that, FRST flags it for further examination by a qualified malware removal specialist.  In your case, there is no reason for me to believe that the Group Policy Restrictions were created by malware, so I would remove those two lines from the "fixlist.txt" file BEFORE running it.  Please note that I did edit that "fixlist.txt" file, after initially posting it, to correct a minor formatting issue, so make sure to copy the current "fixlist.txt" before running it, if you do run it.

Please let me know what you decide to do.  I would also recommend running an ESET online scan just to make sure that there is nothing hiding that your anti-virus, Malwarebytes, and FRST might have missed.  If you want to do that, let me know and I will provide instructions.

Thank you and have a great day.

Regards,
-Phil

[shinra]

Hello again.

I ran the fix, here is the fixlist:

--------------------------------------------------------------

Fix result of Farbar Recovery Scan Tool (x64) Version: 04-03-2017
Ran by ZodiacStar (05-03-2017 08:54:55) Run:1
Running from C:\Users\ZodiacStar\Desktop
Loaded Profiles: ZodiacStar (Available Profiles: ZodiacStar & RudyRoughknight)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CreateRestorePoint:
CloseProcesses:
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1278656525-4151549656-3195628287-1001 -> DefaultScope {F84F53BE-5396-4AD6-8E49-BF54DD5AB1AD} URL =
SearchScopes: HKU\S-1-5-21-1278656525-4151549656-3195628287-1001 -> {F84F53BE-5396-4AD6-8E49-BF54DD5AB1AD} URL =
FF Extension: (DealBeaver) - C:\Users\ZodiacStar\AppData\Roaming\Mozilla\Firefox\Profiles\2halojhz.default\Extensions\dealbeaver@dealbeaver.org.xpi [2015-08-19] [ist nicht signiert]
FF HKLM-x32\...\Thunderbird\Extensions: [msktbird@mcafee.com] - C:\Program Files\McAfee\MSK => nicht gefunden
S3 zlportio; \??\C:\Program Files (x86)\UltraStar Deluxe\zlportio.sys [X]
*****************

Restore point was successfully created.
Processes closed successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key removed successfully
HKCR\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key removed successfully
HKCR\Wow6432Node\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key not found.
HKU\S-1-5-21-1278656525-4151549656-3195628287-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
HKU\S-1-5-21-1278656525-4151549656-3195628287-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{F84F53BE-5396-4AD6-8E49-BF54DD5AB1AD} => key removed successfully
HKCR\CLSID\{F84F53BE-5396-4AD6-8E49-BF54DD5AB1AD} => key not found.
C:\Users\ZodiacStar\AppData\Roaming\Mozilla\Firefox\Profiles\2halojhz.default\Extensions\dealbeaver@dealbeaver.org.xpi => moved successfully
HKLM\Software\Wow6432Node\Mozilla\Thunderbird\Extensions\\msktbird@mcafee.com => value removed successfully
HKLM\System\CurrentControlSet\Services\zlportio => key removed successfully
zlportio => service removed successfully

The system needed a reboot.

==== End of Fixlog 08:56:06 ====

 

 

Seems like most (or all) of it worked, but I am curious why it just says "moved successfully" at dealbeaver instead of "removed" at the other entries. Is this right nevertheless?

Does the "key not found" mean that it is checked that it really is gone after removal from FRST?

 

-----------------

 

Concerning your ESET offer, I would like to do that together with you to be sure. Thank you so much.

 

 

[garioch7]

@shinra

Thank you for your post and the FRST fixlog.txt.  DealBeaver was an .xpi file, so it was "moved" to the FRST quarantine folder, which we will remove at the end of the topic.  Registry keys are simply deleted as they can be put back using any number of utilities.  FRST also checks for any CLSID entries when a registry key is deleted in another registry hive.  In your case, no corresponding registry entries were found in the CLSID hive.

ESET Online Scanner using Internet Explorer:

Note 1: These instructions are for Internet Explorer only! If you're using Chrome or Firefox, you will need to download and install the ESET Smart Installer tool before it can scan.  See instructions here.
Note 2: You will need to disable your currently installed Anti-Virus, how to do so can be found here.

• Download esetsmartinstaller_enu.exe and save it to your Desktop.
• Double click the icon.
• Check YES, I accept the Terms of Use.
• Click the Start button.
• Accept any security warnings from your browser.
• Click Advanced settings.
• Check the following items.

 

Enable detection of potentially unwanted applications

 

Remove found threats

 

 

Scan archives

 

 

Scan for potentially unsafe applications

 

 

Enable Anti-Stealth technology

 

 

• Click Change next to Current scan targets:
• Place a check mark in any additional drive you wish to scan then click OK.
• Click Start.
• ESET will then download updates and begin scanning your computer.
• If no threats are found simply click Uninstall application on close and hit Finish.
• If threats are found click List of found threats.
• Click Export to text file.
• Save the file on your Desktop as ESET.txt.
• Click Back.
• Check Uninstall application on close and Delete quarantined files.
• Click Finish.
• Close the ESET Online Scanner window.
• Copy and paste the contents of ESET.txt into your reply, if any threats were detected.

 

Don't forget to re-enable your antivirus when finished!

Thank you and have a great day.

 

Regards,-Phil

Edited March 5, 2017 by garioch7

[shinra]

Hi again and thanks for your last post and your description how to run ESET.

Since we use Firefox exclusively I hope that I did the correct thing by downloading the esetsmartinstaller file below your note 2 above and went from there. I didn't really understand how it should have been done with Internet Explorer instead.

Afterwards I ran the ESET scan (I used the regular non-admin profile but I had to enter the admin password, I hope this was fine since it wasn't said otherwise. I was a bit reluctant to lower antivirus in admin profile).

The scan only found the install file (avira_free4045_antivirus_de.exe) of our current Anti-Virus which apparently is or was bundled with a toolbar (a variant of Win32/Bundled.Toolbar.Ask.D potentially unsafe application    deleted) which we didn't install when we installed antivirus. Apart from that there was nothing else. The antivirus install file was deleted by ESET.

I hope that all these scans show that the system is safe and there are no threats roaming around.

Thanks again for your help. Looking forward to hearing from you again.

 

 

 

 

[garioch7]

@shinra

Thank you for your post.  The Ask.D toolbar was probably bundled with the Avira installer file, depending upon where you downloaded Avira from.  Lots of hosting sites bundle toolbars and other unwanted potentially unwanted programs (PUPs).  With many, unless you select "Custom Install", assuming you are given that option, the PUPs install themselves.  Nasty stuff!

I have no reason to believe that your computer is infected, so let's clean up.

STEP 1:

We will now remove the tools we used during this fix using Delfix.

Download Delfix from here and save it to your desktop.

• Ensure Remove disinfection tools is checked.
• Also place a checkmark next to:
  
  • Create registry backup
  • Purge system restore
    
  
  
• Click the Run button.
  

When the tool is finished, a log will open in notepad. Please copy and paste the log in your next reply.

.

:step2: . . . Some Final Advice . . .

The most common cause of an infected machine is the Trojan Horse, or programs which appear to be legitimate but which contain malicious payloads, or which are simply malicious in and of themselves. No antivirus, firewall, host-based intrusion prevention system (HIPS), or other security software can fully protect you against this kind of attack. The best way to project yourself is not to run email attachments from untrusted sources, and avoid software downloaded from the internet wherever possible. Remember, when you run an application, you are giving that application permission to do to your machine anything you can do to the machine, including create, modify, or destroy files or other data. In the Windows (and most other systems' such as Unix) security model, applications don't have privileges, users do.

The second most common cause of infection is out of date software. Leaving your system unpatched leaves holes through which attackers can execute code on your behalf without your consent. This goes for far more than common targets such as Windows and Internet Explorer. Most recent threats target other third party software, such as Adobe's Adobe Reader, Shockwave Player, or Flash Player, or Oracle's Java browser plugins. You can check your system for out of date software manually, or by using automated tools such as Secunia's Personal Software Inspector. This goes doubly for security applications such as antivirus and other antimalware products based on definition lists, where out-of-date lists mean no detection of newer malware.

Finally, occasionally you will be forced to run some potentially infected binary, or attackers will use a hole which is unpatched by software vendors, so a last line of defense is needed. That means turning on a firewall (Windows Firewall included with Windows Vista or later is fine) and leaving it on, and using and keeping up-to-date an antivirus solution such as Bitdefender. Antiviral solutions don't even have to cost money; for instance Microsoft Security Essentials provides perfectly acceptable protection for free. If for some reason you don't like MSE, there are other free products available as well:

• Avira (shows nag screen to purchase full product when updating, home use only)
• Bitdefender Free (home use only)
  

That should be fine for the majority of users. However, if you absolutely want additional protection, consider one or more of the following products:

• DNS based website blacklists, such as OpenDNS, Google Public DNS, or the MSMVPs Hosts File
• An additional (non-antivirus) antimalware solution, such as MalwareBytes Anti-Malware or Emsisoft Emergency Kit
• Internet Explorer zone blacklists such as those provided by SpywareBlaster or ZonedOut
  

If you want more information on methods malware uses to infect your computer, consider browsing the How did I get infected? topic.

.

It has been a pleasure assisting you and I hope that you will avoid any further infections in the future.  Your most important protection step is to ALWAYS HAVE MORE THAN ONE RECENT BACKUP OF YOUR ENTIRE SYSTEM on an external drive that is only connected to your computer long enough to backup or restore.  I do system images weekly.  With the free backup software out there (Easeus ToDo Backup Home, Macrium Reflect, etc.), and the very reasonable prices for external USB hard drives, there is no reason to not have a backup.

Please copy and paste the Delfix log into your next reply.  If all goes well, you will be on your way and I will have the Moderator conclude your topic.

On behalf of the Malwarebytes Forums, thank you for choosing our Forums to assist you with your computer issues, stay safe out there in cyberspace, and have a great day.

Regards,
-Phil

[shinra]

It is a relief to hear that you think the computer is clean.

I do hope it just was a false positive. Unfortunately I deleted the quarantineed files to give these over to MBAM staff to do a false positive check.

I ran DelFix. Here is the log:
(I am sorry, but the program gave out a german log again - but I can help interprete if necessary)

----------------------------

# DelFix v1.013 - Datei am 06/03/2017 um 16:14:46 erstellt
# Aktualisiert am 17/04/2016 von Xplode
# Benutzer : ZodiacStar - SILENTHILL
# Betriebssystem : Windows 8.1  (64 bits)

~ Entferne die Bereinigungsprogramme ...

Gelöscht : \FRST
Gelöscht : C:\Users\ZodiacStar\Desktop\FRST-OlderVersion
Gelöscht : C:\Users\ZodiacStar\Desktop\Addition.txt
Gelöscht : C:\Users\ZodiacStar\Desktop\Fixlog.txt
Gelöscht : C:\Users\ZodiacStar\Desktop\FRST.txt

~ Erstelle ein Backup der Registrierungsdatenbank ... OK

~ Lösche die Wiederherstellungspunkte ...

Gelöscht : RP #174 [Geplanter Prüfpunkt | 02/13/2017 14:21:56]
Gelöscht : RP #175 [Geplanter Prüfpunkt | 02/21/2017 12:00:43]
Gelöscht : RP #176 [Windows Modules Installer | 02/24/2017 12:46:43]
Gelöscht : RP #177 [Geplanter Prüfpunkt | 03/04/2017 14:52:52]
Gelöscht : RP #179 [Restore Point Created by FRST | 03/05/2017 07:55:02]

Ein neuer Wiederherstellungspunkt wurde erstellt !

########## - EOF - ##########

--------------------------

Considering your tip about having regular backups, what do you think is the best and safest option of doing a backup on an external USB medium in your opinion?

I am very thankful for your help. I really appreciate it that you took some of your precious time to help.

[garioch7]

@shinra

Thank you for your post and the Delfix log.  Looks good.

Personally, I dedicate a part of my Fridays to making full system images of all partitions on both of my computers.  I have seen too many lose too much!

Windows does have a backup program included, but I don't like it and it does not give the option of verifying that the backup images that it creates can be successfully restored.  Personally, I alternate my weekly backups using the paid versions of Easeus Todo Backup Home 10 and Macrium Reflect 7.  That is probably going overboard, but I like the security of knowing that I am more likely to be struck by lightning than to have system images from both programs fail to restore when needed.

I also keep four weeks worth of full backup images of all partitions, in the unlikely event that the most recent image, or images, was/were somehow infected with new, unidentified malware (zero-day malware).

Your backups should be kept on an external hard drive of sufficient capacity that is only plugged in long enough to make the backup images or restore from them.  That way, your precious backups are inaccessible to malware infections.

It is all a question of your risk tolerance.  Mine is very, very low!  Both of the companies that make my backup software also have free versions.  They tend to be a bit slower and lack some features that I like to have.  It is YOUR decision because it is YOUR computer!

You are most welcome for my time.  It has been my pleasure.

If you don't have any other questions, I will ask the Moderator to conclude your topic as resolved.  If you have more questions, please ask away.  I am here to help!

Have a great day.

Regards,
-Phil

[shinra]

Thank you again for your expertise. I will have to inform myself sometime about doing backups in more detail.

I really appreciate everything you did and I will hope that you will continually be able to help other people like you helped me. Please keep up the good work.

It has been a pleasure.

 

Thread can be closed now.

[garioch7]

@shinra

Thank you for your post and for so very kindly acknowledging my assistance.  It is much appreciated.  I do plan on continuing to assist people with computer issues.  It was a long, but enjoyable, nineteen months of training over at Bleeping Computer Study Hall to become qualified to assist users like yourself.  I have a visceral dislike of the people who author malware and use it to enrich themselves and destroy another person's enjoyment of their computer.

I will ask the Moderator to conclude your topic as resolved.  Thank you, have a great day, and please, stay safe out there in cyberspace.  It is, unfortunately, a dangerous place.

Regards,
-Phil

[AdvancedSetup]

Glad we could help. :)If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread. Thanks!