
Removed fileless malware, is it clean now?



Malwarebytes Free wouldn't open when I was trying to run routine scans in Win 10 a few days ago, just the tray app would. Came here for help, but download link for FRST crashed any browser I tried. Link from MajorGeeks did the same, attempt to visit BleepingComputer also caused crash. Downloaded FRST with laptop, but it crashed on opening. Convinced there was an infection, tried ESET online scan, found nothing. Booted into safe mode and ran Malwarebytes, found and quarantined fileless malware in the registry (log attached).

Everything works now, and I've deleted restore points and recent disk images. I'd like to verify that the system is really clean before I do anything that might expose sensitive information. I got a fresh download of FRST and ran a scan (logs attached), I'd appreciate it if someone could check them over. Any other free tools you could recommend (my financial resources are very limited, on a fixed income) I would also be grateful for.

FRST.txt

Addition.txt

MBAM results.txt


Hi,

:welcome:

My name is Valinorum and I will be the acolyte today. Before we proceed, please acknowledge the following:

  • Please do not create any new threads on this while we are working on your system as it wastes another volunteer's time. If you are being helped/have solved the issue/no longer wish to continue, notify me in your reply and I will quickly close this thread. Failing to comply will result in denial of future assistance.
  • Please do not install any new software while we are working on this system as it may hinder our process.
  • Malware removal is a complicated process and so don't stop following the steps even if the symptoms are not found. Keep up with me until I declare you clean.
  • Please do not try to fix anything without being asked.
  • Please do not attach your logs or put them inside code/quote tags. Do a Copy/Paste of the entire contents of the log file and submit it inside your post unless directed otherwise.
  • Please print or save the instructions I give you for quick reference. We may be using Safe mode which will cut you off from the internet and you will not always be able to access this thread.
  • Back up your data. I will not knowingly suggest you any course that might damage your system, but sometimes malware infections are so severe that the only option we have is to re-format and re-install the operating system.
  • If you are confused about any instruction, stop and ask. Do not keep on going.
  • Do not repeat the steps if you face any problems.
  • I am not omniscient. There are things even I cannot foresee. But what I know took years to learn and perfect. This site is run by volunteers who help people in need in their own free time. I would ask you to respect their time and be patient, as sometimes real life demands our time and replies to you can be delayed.
  • Private Message (PM) me if and only if I have not responded to your thread within three days or your query is off-topic and personal. Do not PM me under any other circumstances. Your thread is the only medium of communication.
  • The fixes are for your system only. Please refrain from using these fixes on another system as it may do serious damage.


Can you give me a fresh MBAM scan log, please?


Thank you for your response (that was fast!).

I always back up my data, backups are on an external HD. The system partition is imaged by Macrium Reflect, I can boot into a Win PE and go back up to 6 months. In case that fails, user files are backed up by 2 other programs.

Fresh scan log:

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 8/19/17
Scan Time: 11:04 PM
Log File:
Administrator: Yes

-Software Information-
Version: 3.1.2.1733
Components Version: 1.0.160
Update Package Version: 1.0.2622
License: Free

-System Information-
OS: Windows 10 (Build 15063.540)
CPU: x64
File System: NTFS
User: BLACKY\Spence

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 704266
Threats Detected: 0
(No malicious items detected)
Threats Quarantined: 0
(No malicious items detected)
Time Elapsed: 9 min, 43 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Disabled
PUM: Enabled

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)


(end)


Looks good. 

  • Step # ESET Online Scanner
    Disable your security programs, which includes but is not limited to anti-virus, anti-malware, anti-spyware et cetera. Peruse this for additional information. 
    • Download esetsmartinstaller_enu.exe by clicking here.
    • Right-click on the program and choose Run as administrator.
    • Accept their terms and condition and proceed.
    • Install the Add-On/ActiveX control if prompted.
    • From the Computer Scan Setting check the following box --
      • Enable detection for potentially unwanted programs
    • Click on Advanced Setting --
      • Check the box beside Remove Found Threats;
      • Check the box beside Scan archives
      • Check the box beside Scan for potentially unsafe applications
      • Check the box beside Enable Anti-Stealth Technology
    • Click on Start and wait for the virus signature database to update.
    • The online scan will begin automatically and can take several hours.
      • Note: Do not touch either the Mouse or keyboard during the scan. Otherwise it may stall.
    • After the Scan finishes --
      • If no threats were found:
        • Put a checkmark in Uninstall application on close.
        • Close the program and report that nothing was found
      • If threats were found:
        • Open the file located in C:\Program Files\ESET\ESET Online Scanner\log.txt (32-bit) or C:\Program Files (x86)\ESET\ESET Online Scanner\log.txt (64-bit).
        • Copy and Paste contents of the log file in your next reply.

    Note: Enable your security programs afterwards.



Started the ESET scanner per instructions and went to bed - I left the external HDD with the backups connected, so it was sure to take a while. When I got up I saw there were detections, but nothing new, nothing active - outdated downloads and backups. Need to do some housecleaning, clearly. Anyway, here's the log:

ESETSmartInstaller@High as downloader log:
all ok
# product=EOS
# version=8
# OnlineScannerApp.exe=1.0.0.1
# EOSSerial=b9b386e02710464bb00eae0153e0de44
# end=init
# utc_time=2017-08-21 10:18:12
# local_time=2017-08-21 03:18:12 (-0800, Pacific Daylight Time)
# country="United States"
# osver=6.2.9200 NT
Update Init
Update Download
esets_scanner_update returned -1 esets_gle=41221
Update Finalize
Updated modules version: 0
Old modules - leave modules
Update Init
Update Download
Update Init
Update Download
Update Finalize
Updated modules version: 34470
# product=EOS
# version=8
# OnlineScannerApp.exe=1.0.0.1
# EOSSerial=b9b386e02710464bb00eae0153e0de44
# end=updated
# utc_time=2017-08-21 10:53:43
# local_time=2017-08-21 03:53:43 (-0800, Pacific Daylight Time)
# country="United States"
# osver=6.2.9200 NT
# product=EOS
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.7777
# api_version=3.1.1
# EOSSerial=b9b386e02710464bb00eae0153e0de44
# engine=34470
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2017-08-21 03:41:17
# local_time=2017-08-21 08:41:17 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=6.2.9200 NT
# compatibility_mode_1='Avira Antivirus'
# compatibility_mode=1815 16777213 100 97 0 54469229 0 0
# compatibility_mode_1=''
# compatibility_mode=5893 16776573 100 94 0 13373073 0 0
# scanned=370860
# found=26
# cleaned=26
# scan_time=17253
sh=5E89F51ED6EC3C92F40DAC107DB319083153D6A3 ft=1 fh=d632244ea46baf26 vn="a variant of Win32/FusionCore.I potentially unwanted application (cleaned by deleting)" ac=C fn="D:\Downloads\burnaware_free_9.2.exe"
sh=19876B0C21073CE7AC4725124851FC36B7EA7301 ft=1 fh=31b372839de59c7b vn="a variant of Win32/CNETInstaller.B potentially unwanted application (cleaned by deleting)" ac=C fn="D:\Downloads\cbsidlm-cbsi188-Wise_Disk_Cleaner-BP-10613345.exe"
sh=50B528A2F9F75E6BBFD7BBD02B105A12D13E6C8A ft=1 fh=a88b6274d514f260 vn="Win32/Bundled.Toolbar.Google.D potentially unsafe application (cleaned by deleting)" ac=C fn="D:\Downloads\ccsetup530.exe"
sh=75369141B44BEB2ABC6EABAEE30420153AFEDEA5 ft=1 fh=e2a8c87a94a31088 vn="Win32/Bundled.Toolbar.Google.D potentially unsafe application (cleaned by deleting)" ac=C fn="D:\Downloads\ccsetup531.exe"
sh=5AAD85B186804613F4D62DB809B99B5C251006D0 ft=1 fh=758aa1f0b019b275 vn="Win32/Bundled.Toolbar.Google.D potentially unsafe application (cleaned by deleting)" ac=C fn="D:\Downloads\ccsetup532.exe"
sh=44CA9080A2F65B67D53B8E7B22775DA58EC31397 ft=0 fh=0000000000000000 vn="JS/TrojanDownloader.Agent.QKT trojan (cleaned by deleting)" ac=C fn="D:\Downloads\firefox-patch(1).js"
sh=EBEB8F42C5CB76282AA250EB80564CC46EC5358F ft=0 fh=0000000000000000 vn="JS/TrojanDownloader.Agent.QKT trojan (cleaned by deleting)" ac=C fn="D:\Downloads\firefox-patch(2).js"
sh=7DBBEB971DE364E7F3B0F7FF0C1CC565A7168E9B ft=0 fh=0000000000000000 vn="JS/TrojanDownloader.Agent.QKT trojan (cleaned by deleting)" ac=C fn="D:\Downloads\firefox-patch.js"
sh=52DFB0CD90922BFCC9D22228EFB46C807EF6ADA8 ft=0 fh=0000000000000000 vn="JS/TrojanDownloader.Agent.QKT trojan (cleaned by deleting)" ac=C fn="D:\Downloads\firefox-update(1).js"
sh=6BA47DD73C25E6F50FBD65BE94998C9AEBAA1277 ft=0 fh=0000000000000000 vn="JS/TrojanDownloader.Agent.QKT trojan (cleaned by deleting)" ac=C fn="D:\Downloads\firefox-update(2).js"
sh=F119A4F7DBAB48922292706E454E9C7581EFF61D ft=0 fh=0000000000000000 vn="JS/TrojanDownloader.Agent.QKT trojan (cleaned by deleting)" ac=C fn="D:\Downloads\firefox-update(3).js"
sh=1DB7C9092C8812AB6162F1580A1EAB5D626929B2 ft=0 fh=0000000000000000 vn="JS/TrojanDownloader.Agent.QKT trojan (cleaned by deleting)" ac=C fn="D:\Downloads\firefox-update.js"
sh=012428EBFCFC3379028851DD80E38781B5A1192C ft=1 fh=43bf8528b5e5d571 vn="Win32/Bundled.Toolbar.Google.D potentially unsafe application (cleaned by deleting)" ac=C fn="D:\Downloads\spsetup129.exe"
sh=379710B7A4F592A002C47CB2A14598B4E0F45FF6 ft=1 fh=3d996f3d97ae2a8b vn="a variant of Win32/TFTPD32.A potentially unsafe application (cleaned by deleting)" ac=C fn="D:\Downloads\tb_free(1).exe"
sh=96F1C308AB04872D6728D2F7E0C0AAB0839097E8 ft=1 fh=5aa1bf1224021df0 vn="a variant of Win32/TFTPD32.A potentially unsafe application (cleaned by deleting)" ac=C fn="D:\Downloads\tb_free(2).exe"
sh=379710B7A4F592A002C47CB2A14598B4E0F45FF6 ft=1 fh=3d996f3d97ae2a8b vn="a variant of Win32/TFTPD32.A potentially unsafe application (cleaned by deleting)" ac=C fn="D:\Downloads\tb_free.exe"
sh=90C3833746A821733FA1049D99A7CBE3CD5EFF55 ft=1 fh=7d6ac13ca0504a91 vn="a variant of Win32/OpenCandy.A potentially unsafe application (cleaned by deleting)" ac=C fn="D:\Spence\Documents\XP-Update-Extender-1.0.0.0-Setup.exe"
sh=9A65CFB29BD09E2373A489B8A9CC34D0EE6DFF3C ft=1 fh=4d448d6dc70d35fc vn="Win32/SmartInstaller.A potentially unwanted application (cleaned by deleting)" ac=C fn="D:\Users\Hope\Downloads\HeroesofHellas_252259(1).exe"
sh=9A65CFB29BD09E2373A489B8A9CC34D0EE6DFF3C ft=1 fh=4d448d6dc70d35fc vn="Win32/SmartInstaller.A potentially unwanted application (cleaned by deleting)" ac=C fn="D:\Users\Hope\Downloads\HeroesofHellas_252259.exe"
sh=D0787622A4C9C1B3C1126D2D3AD3520F08A47FB1 ft=0 fh=0000000000000000 vn="Win32/SmartInstaller.A potentially unwanted application (deleted)" ac=C fn="F:\BLACKY\Backup Set 2017-06-18 190002\Backup Files 2017-06-18 190002\Backup files 19.zip"
sh=26EFDACDEC1CE73A96991AF3A43ACC33D2073C78 ft=0 fh=0000000000000000 vn="a variant of Win32/OpenCandy.A potentially unsafe application (deleted)" ac=C fn="F:\BLACKY\Backup Set 2017-06-18 190002\Backup Files 2017-07-10 075637\Backup files 2.zip"
sh=373E4654DB2B5717C23653A6AE67DD68B657B0AD ft=0 fh=0000000000000000 vn="Win32/SmartInstaller.A potentially unwanted application (deleted)" ac=C fn="F:\Fbackup\Users Backup\33_D.zip"
sh=616D97DB1189893B6550770E0354FED7866D2332 ft=0 fh=0000000000000000 vn="Win32/SmartInstaller.A potentially unwanted application (deleted)" ac=C fn="F:\Fbackup\Users Backup\51_D.zip"
sh=9A65CFB29BD09E2373A489B8A9CC34D0EE6DFF3C ft=1 fh=4d448d6dc70d35fc vn="Win32/SmartInstaller.A potentially unwanted application (cleaned by deleting)" ac=C fn="F:\ZBack\Hope\Downloads\HeroesofHellas_252259(1).exe"
sh=9A65CFB29BD09E2373A489B8A9CC34D0EE6DFF3C ft=1 fh=4d448d6dc70d35fc vn="Win32/SmartInstaller.A potentially unwanted application (cleaned by deleting)" ac=C fn="F:\ZBack\Hope\Downloads\HeroesofHellas_252259.exe"
sh=122C61A35E6D238A8707E4D414EA1CDCC3A88F15 ft=1 fh=f48babca103875b7 vn="Win32/DownWare.AC potentially unwanted application (cleaned by deleting)" ac=C fn="F:\ZBack\Hope\Downloads\ReimageRepair.exe"


I take it back, there was something new: "D:\Downloads\firefox-patch.js" and "D:\Downloads\firefox-update.js". Fake Firefox updates, as described here - https://support.mozilla.org/en-US/kb/i-found-fake-firefox-update

Can't believe I bit on that, but it appeared to be coming through the browser update UI - I'd get a legitimate update prompt, click on it, and a popup appeared as shown in the link. I downloaded from it, and it didn't seem to do anything. The popup closed then, and I could get the real update. This was in Nightly test builds, after the update to v. 57. I thought they might be testing a new update system. I intended to look into it, but I got distracted by real world stuff. I guess the real reason I got that was the new extension system, which disabled NoScript. I was on the Yahoo home page when it happened, must have been infected ads there. I need to report this to Mozilla; it looks like a new wrinkle in this malware.

I wasn't too worried about that stuff, my file system is pretty well locked down - but I hadn't heard about fileless malware. Now I'm spooked.

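To make sense of an ESET Online Scanner log like the one posted above, here is an added Python example (not from this thread, the poster, or ESET) that parses the sh=/ft=/fh=/vn=/ac=/fn= detection lines, separates the real malware (the trojan downloader scripts the poster later spotted) from the bundled-installer PUA noise, flags anything not reported as deleted, and groups identical SHA-1s so the same sample sitting in several backup copies is visible at a glance. The field meanings and the regular expressions are assumptions inferred from the visible log format; the four sample lines are copied from the log above.

```python
import re
from collections import defaultdict

# Constructed sample: four detection lines copied from the ESET log in this thread.
SAMPLE_LOG = """\
sh=44CA9080A2F65B67D53B8E7B22775DA58EC31397 ft=0 fh=0000000000000000 vn="JS/TrojanDownloader.Agent.QKT trojan (cleaned by deleting)" ac=C fn="D:\\Downloads\\firefox-patch.js"
sh=9A65CFB29BD09E2373A489B8A9CC34D0EE6DFF3C ft=1 fh=4d448d6dc70d35fc vn="Win32/SmartInstaller.A potentially unwanted application (cleaned by deleting)" ac=C fn="D:\\Users\\Hope\\Downloads\\HeroesofHellas_252259.exe"
sh=9A65CFB29BD09E2373A489B8A9CC34D0EE6DFF3C ft=1 fh=4d448d6dc70d35fc vn="Win32/SmartInstaller.A potentially unwanted application (cleaned by deleting)" ac=C fn="F:\\ZBack\\Hope\\Downloads\\HeroesofHellas_252259.exe"
sh=26EFDACDEC1CE73A96991AF3A43ACC33D2073C78 ft=0 fh=0000000000000000 vn="a variant of Win32/OpenCandy.A potentially unsafe application (deleted)" ac=C fn="F:\\BLACKY\\Backup Set 2017-06-18 190002\\Backup Files 2017-07-10 075637\\Backup files 2.zip"
"""

# Assumed layout of one detection line: sh=<SHA-1> ft=<flag> fh=<file hash> vn="<verdict>" ac=<action code> fn="<path>"
ENTRY = re.compile(
    r'^sh=(?P<sha1>[0-9A-F]{40}) ft=(?P<ft>\d) fh=(?P<fh>[0-9a-f]{16}) '
    r'vn="(?P<vn>[^"]*)" ac=(?P<ac>\S+) fn="(?P<fn>[^"]*)"$')
# Assumed verdict layout: [a variant of ]<detection name> <class> (<action taken>)
VERDICT = re.compile(r'^(?:a variant of )?(?P<name>\S+) (?P<cls>.+?) \((?P<action>[^)]+)\)$')

def parse_log(text):
    """Return one dict per 'sh=' detection line; '# key=value' header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # header or updater chatter, not a detection
        e = m.groupdict()
        v = VERDICT.match(e["vn"])
        if v is None:
            raise ValueError("unrecognised verdict: " + e["vn"])
        e.update(v.groupdict())
        e["ft"] = int(e["ft"])
        entries.append(e)
    return entries

def triage(entries):
    """Split real malware from PUA/PUsA noise, find leftovers, and group identical samples."""
    high = [e["fn"] for e in entries if "trojan" in e["cls"]]
    low = [e["fn"] for e in entries if "trojan" not in e["cls"]]
    still_present = [e["fn"] for e in entries if "delet" not in e["action"]]
    by_hash = defaultdict(list)
    for e in entries:
        by_hash[e["sha1"]].append(e["fn"])
    copies = {h: paths for h, paths in by_hash.items() if len(paths) > 1}
    return {"high": high, "low": low, "still_present": still_present, "copies": copies}

if __name__ == "__main__":
    result = triage(parse_log(SAMPLE_LOG))
    for path in result["high"]:
        print("needs attention:", path)
    for sha1, paths in result["copies"].items():
        print("same sample in", len(paths), "places:", sha1)
```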

  • Root Admin

Glad we could help. :) If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!

