Backdoor:Win32/Fynloski.A - Could use help to see if I'm in the clear

[MBrown90]

Microsoft Security Essentials flagged this earlier tonight with its real time protection and I removed it immediately.  After reading about it a little a few posts on here stated that it would keep coming back after a system restart, so after running a scan with MSE I restarted and ran another quick scan with MSE and a threat scan with Malwarebytes.  None of the scans found any signs of infection, however this one seems fairly nasty and I'd really like to make certain it's gone if possible.  I have done nothing since the notification of it being caught apart from running scans, and now making this post.

I did notice that rootkit scan was turned off with Mbytes after it was finished, is this something I need to turn on and rescan with?  I know it's impossible to give any exact answer, but how much longer would this scan take if the original threat scan was roughly 20 minutes?

 

Thanks

MBytesTextReport.txt

Addition.txt

FRST.txt

[MBrown90]

Could still use some help. 

[AdvancedSetup]

Hello @MBrown90 and

Please uninstall Java 7 Update 67 from your Control Panel, Programs, Add/Remove. Then reboot the computer and run the following again.

 

Please run the following steps and post back the logs as an attachment when ready.

STEP 01

• If you're already running Malwarebytes 3 then open Malwarebytes and check for updates. Then click on the Scan tab and select Threat Scan and click on Start Scan button.
• If you don't have Malwarebytes 3 installed yet please download it from here and install it.
• Once installed then open Malwarebytes and check for updates. Then click on the Scan tab and select Threat Scan and click on Start Scan button.
• Once the scan is completed click on the Export Summary button and save the file as a Text file to your desktop or other location you can find, and attach that log on your next reply.
• If Malwarebytes won't run then please skip to the next step and let me know on your next reply.

STEP 02

Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

• Right-click on the program and select Run as Administrator to start the tool.
• Accept the Terms of use.
• Wait until the database is updated.
• Click Scan.
• When finished, please click Clean.
• Your PC should reboot now if any items were found.
• After reboot, a log file will be opened. Copy its content into your next reply.

 

RESTART THE COMPUTER AGAIN before running Step 3

STEP 03
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

• Double-click to run it. When the tool opens, click Yes to disclaimer.
• Press the Scan button.
• It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
• The first time the tool is run, it also makes another log (Addition.txt). If you've, run the tool before you need to place a check mark here.
• Please attach the Additions.txt log to your reply as well.

 

Thanks

Ron

 

[MBrown90]

Sorry about the wait, I left for work about 10 minutes after your reply.  I've gone through and done all the steps, only thing was with AdwCleaner it generated a log immediately on completion as well as the one after the reboot.  You only mentioned the post reboot one, but I've attached both just in case.  AdwCleaner[S0] was immediately after the scan and AdwCleaner[C0] was after the reboot.

 

 

MBytesSummary.txt

AdwCleaner[S0].txt

AdwCleaner[C0].txt

FRST.txt

Addition.txt

[AdvancedSetup]

Okay, due to the infection in the Chrome browser you need to disable your Google Sync if you're using it.

https://support.google.com/chrome/answer/3097271

Then I'd recommend you run the Chrome Cleanup Tool which has recently been updated by Google

 

There is an odd, custom entry under your Tasks as well. Did you create this task yourself or are you familiar with what it's used for?

Task: {EBE21BE1-599C-46E8-8B1A-2325011BE62F} - System32\Tasks\goloader1 => wscript /B "C:\ProgramData\SsiRecord\recovery.vbs" "C:\ProgramData\SsiRecord\goloader-recovery.bat"

 

One of your hard drives is having an issue as well and you need to run a disk check on that drive.

From an elevated admin command prompt you can type the following.

CHKDSK   C:   /R

It will say it cannot lock the drive. Press the Y on the keyboard to say yes to run it after a restart. Then restart and let the disk check run.

 

[MBrown90]

I am not using Google Sync, not sure if there's anything for me to do there as I'm not logged into any account to disconnect from?  I also ran the cleanup tool and it said there were no programs found.  I'm unfamiliar with what goloader is as well. 

 

With the checkdisk, where would I type that into?  I've never done anything with that before and I'm not familiar with it. 

Edited October 31, 2017 by MBrown90
Added in goloader comment

[AdvancedSetup]

Okay, give me a couple minutes and I'll write a script to run the removal of the goloader as well as tell it to run the disk check for you.

 

[AdvancedSetup]

You're also having an issue with Bonjour which was probably installed by iTunes. Your version of iTunes is way out of date. If you wish to use those programs I'd highly recommend you uninstall the current versions and install the latest version of iTunes.

Error: (10/30/2017 03:49:09 PM) (Source: Bonjour Service) (EventID: 100) (User: )
Description: Task Scheduling Error: m->NextScheduledSPRetry 4009

 

 

Please run the following.

NOTE: This will also run a full disk check on your hard drive. This could take a few hours to run depending on the speed of the computer and hardware. Please keep this in mind when you run the fix.

 

Please download the attached fixlist.txt file and save it to the Desktop.
NOTE. It's important that both files, FRST or FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

fixlist.txt

 

Thank you

Ron

 

[MBrown90]

I'm heading to bed in about 30 minutes so thank you for the heads up about the length on the chkdisk.  I'm off tomorrow so I'll be available all day, I can run it tomorrow morning.

As for the iTunes, yeah, I haven't really used it in years which is why it's so dated.  Could having that potentially cause any problems or was it just a notification of being outdated? 

[AdvancedSetup]

It's the Bonjour service that is having issues. If you're not using iTunes or Bonjour then I'd recommend you uninstall them. They are not an infection and are not causing an issue for our program. Just information on getting your computer running a bit better as we work on the infection issue as well.

Might be a good idea to run the fix script tonight. That way the disk check will be done for you by the time you wake up. :-)

Cheers

Ron

 

[MBrown90]

Alright, so I ran the fixlist and it went up through the restart, however I never saw anything with disk check.  After signing in following the restart a cmd window appeared instead of going to my desktop, but that was up for maybe 15 seconds or so.  Either it was significantly faster than I was expecting or it never ran at all? 

Fixlog.txt

[AdvancedSetup]

Sometimes security software or other drivers can cause issues with CHKDSK starting. Please try to shut down the computer and leave it powered off for a couple minutes. Then start it back up again and see if the Disk Check runs.

This may not work for you since you may have an old version of PowerShell but you can try it. It will try to grab the latest disk check log from the Event Logs for you.

 

 

Check Disk report:

• Press the + R on your keyboard at the same time. Type powershell.exe and click OK.
• Copy and paste the following command inside the powershell window and press Enter:

  get-winevent -FilterHashTable @{logname="Application"; id="1001"}| ?{$_.providername –match "wininit"} | fl timecreated, message | out-file Desktop\CHKDSKResults.txt

• This will create a log file named CHKDSKResults.txt on your desktop.
• Paste the contents of that log into your next reply please.

 

Thanks

Ron

 

 

[MBrown90]

Shut down and let it sit for a little over 5 minutes, nothing else came up once powering back on.

I have the CHKDSKResults file however there was nothing inside of it to copy/paste, it's just an empty txt file. 

[AdvancedSetup]

Yeah, it did not run.

Do you know how to get into the Windows Recovery Environment?

https://support.microsoft.com/en-us/help/17423/windows-7-create-system-repair-disc

Check out this post which will show you how to run a disk check from Recovery Console

Let me know how that goes

Ron

 

[MBrown90]

I have never done that before.  Looking at the steps in the first link taking me to create a system repair disk, will doing that put me into the Recovery Console needed for the post in the second link? I got this laptop through college some years back now and don't remember it ever coming with installation discs. 

[AdvancedSetup]

Look at the link for the Windows 7 forums. They have links on how to get into the Recovery Console. If you can't get in then you'd need to make the disk. You could also create a Windows 10 USB disk if needed and run the Disk Check from that disk.

 

[MBrown90]

Alright, think I understand how to get to it.  Going to grab some lunch first, but once I get into it should I also run the "sfc /scannow" command listed in the post or just the disk check since that's what we were going for in the first place? 

[AdvancedSetup]

No, should not need the SFC /scannow command. That is to check for missing or invalid OS files. Currently the logs don't seem to indicate an issue with that.

 

[MBrown90]

Ok, I went into the command prompt and after typing in the command I had the message

"This type of file system is NTSF.

Cannot lock current drive.

Windows cannot run disk checking on this volume because it is write protected."

I remember you mentioning something earlier about it being locked and to input y to let it run anyways, however this just returned a line saying it wasn't an internal/external command that could be recognized.

[AdvancedSetup]

That has to be in a Normal Windows environment. In the Recovery Console the drive cannot be locked by the OS.

Can you take a picture with a phone or something and show me what you're in?

 

 

[MBrown90]

I actually did so I could make sure I had the message correct, though it's not the best picture. 

 

[AdvancedSetup]

Please try the following and let me know if it works.

 

CHKDSK     C:    /R

 

[MBrown90]

Ok, that went through relatively fast. Attached two images with the results.

 

[AdvancedSetup]

Okay, that must not be your Windows drive. See if you can type in NOTEPAD.EXE and run that. Then do File, Open which should show a browser type interface to allow you to chose a drive. See what other drives you have available please.

 

[MBrown90]

I have System reserved(C:), Local Disk(D:), and Boot(X:) shown.