PUP, possibly from a very long time ago
Greetings all.

I've decided to register and make a post here after something has recently caught my eye.

A while ago, and even longer before that, I kept noticing defrag software and MBAM scanning through a lot of files in a folder within %APPDATA% that hasn't been used in a very long time.

I went into the folder to find about 3000 files, all named in hexadecimal, anywhere between 120 and 180 bytes. Their contents are unintelligible; I'm led to believe they're encrypted.

I have no idea how harmful this malware is, as I can use any and all software, games, hardware etc. without issues. Also, I was able to delete all of the 3000 or so files before, but more are being created each day. The infection is creating a completely random number of files, too. It can create between 1 and 8 files per day, sometimes none at all, but it keeps doing so.

In the past, MBAM, AdwKiller, JRT etc all failed to detect anything whatsoever, yet the creation dates for these unsolicited files went back as far as several years ago.

At the same time, this "malware" doesn't prevent me from using any anti-malware tools, but something is definitely here and I want it gone.

As per basic instructions from the sticky, I'm attaching the two FRST logs.

FRST.txt Addition.txt


  • Root Admin

Hello @F430 and :welcome:

The computer does not appear to be infected. We would need to see a listing of the files in question. If you can show me or let me know which folder it is, I can give you a script to run to check the files.

This file is of potential concern but it may be perfectly fine and just locked from access in normal mode. You would probably need to boot from USB or CD disk or Recovery Console and copy the file to another location to upload to VirusTotal to have them check it or upload here for us to verify.

U3 ab2pj9m6; C:\Windows\System32\Drivers\ab2pj9m6.sys [0 0000-00-00] (Advanced Micro Devices) <==== ATTENTION (zero byte File/Folder)

If concerned you can also run the following antivirus scanner from Kaspersky as a secondary scanner. 

Please download and run the following Kaspersky antivirus scanner to remove any found threats

Kaspersky Virus Removal Tool

Let me know if it finds anything or not


@AdvancedSetup thanks very much for the reply, now here's the funny part.

The file you highlighted in system32/drivers doesn't actually exist, BUT I noticed that the "modified" date of said folder matches the creation date of the second most recent file that this malware produced, which is today at 4:24PM.

As for where it is. All the files were in "%APPDATA%\Dropbox\shellext\l". Dropbox for desktop is a tool that I haven't used in years and uninstalled completely. Now something appears to be masquerading as dropbox and creating files for unknown purposes. Here are a couple filenames from the folder: 5cebce81, 5cec5acc, 5cec7842, 5cec7a25 and so on. No extensions on any of the files.

I tried to get clever and enabled file/folder auditing under properties -> security -> auditing, but I'm unsure where to find logs in the system event viewer. Once that works, I can actually find the service/process responsible for creating these files.

I'll update this post once I finish the scan with KVRT, wish me luck.


Firstly, KVRT found nothing at all. I even ran MBAR under safe mode and it got no hits either.

I'm not all that savvy when it comes to command prompt. However, I did have a look through a snapshot [restore point] of system32/drivers from 2 hours prior to the file being deleted and it still wasn't there. If you can point me in the right direction, I'd appreciate that, I should be able to provide you the file.

But that aside, I might have figured out what actually creates the files. I wasn't able to pinpoint the program/service based on cpu usage BUT any time I would open an archive with winrar, a new file would be created in that shellext/l folder.

Yes, winrar appears to be the culprit behind all this, but it's still bizarre. Even if I didn't open any archives, the small hexadecimal files would still be created.

Anywho, I went ahead and deleted all registry entries containing "dropbox". Or at least most of them, after assessing that it was safe to do so. Afterwards I opened several random archives with winrar. No more files have been created in the dropbox folder. Having gone through the program's settings, I'm led to believe it's some sort of history of all the files you opened, but why the dropbox folder? Why 3000+ files?

I'll continue to monitor the folder in case something keeps putting the files there, and I'll await your instructions regarding the missing system file, as I don't trust myself enough to attempt that on my own.

Thanks for the help, and I apologise for sort of wasting your time with this non-malware issue.

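The poster enabled file/folder auditing two posts up but did not know where the resulting events land, and above says they will keep monitoring the folder. The script below is an added example, not something posted in the thread or shipped by Malwarebytes: it inventories the hex-named files in the folder the thread names and then reads the Security log for event 4663 (file-system object access) to show which process wrote there. It assumes an elevated PowerShell session, that the "File System" audit subcategory is enabled (the auditpol line in the comments), and that a SACL for "Create files / write data" has been set on the folder as the poster described.

```powershell
# Added example (not from the thread). Assumptions: the folder path is the
# one named in the thread, and object-access auditing is switched on, e.g.
#   auditpol /set /subcategory:"File System" /success:enable
# plus a SACL on the folder for "Create files / write data".

$Folder = Join-Path $env:APPDATA 'Dropbox\shellext\l'

# 1. Inventory: extensionless files with 8-hex-digit names, grouped by the
#    day they were created, with the smallest and largest size per day.
Get-ChildItem -Path $Folder -File |
    Where-Object { $_.Name -match '^[0-9a-f]{8}$' } |
    Group-Object { $_.CreationTime.Date.ToString('yyyy-MM-dd') } |
    Sort-Object Name |
    ForEach-Object {
        [pscustomobject]@{
            Day      = $_.Name
            Files    = $_.Count
            MinBytes = ($_.Group | Measure-Object -Property Length -Minimum).Minimum
            MaxBytes = ($_.Group | Measure-Object -Property Length -Maximum).Maximum
        }
    } | Format-Table -AutoSize

# 2. Attribution: Security event 4663 ("An attempt was made to access an
#    object") carries the full path touched and the process that touched it.
#    Only events from the last day that mention the audited folder are kept.
$Since = (Get-Date).AddDays(-1)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $Since } |
    Where-Object { $_.Message -like "*$Folder*" } |
    ForEach-Object {
        # Pull the named EventData fields out of the event XML.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Process = $d['ProcessName']   # e.g. the archiver the poster suspected
            Object  = $d['ObjectName']    # the file that was created or written
            Access  = $d['AccessMask']
        }
    } | Sort-Object Time | Format-Table -AutoSize
```

If the second table is empty, either no write happened in the window or the SACL/audit policy is not in effect; Get-WinEvent reports "No events were found" in that case rather than an error.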

  • Root Admin

You should be able to boot to the System Recovery options by following the article listed below

https://www.sevenforums.com/tutorials/668-system-recovery-options.html

Then choose "Command Prompt"

Then type in the following

DIR   /A   C:\Windows\System32\Drivers\ab2pj9m6.sys

DIR   /A   D:\Windows\System32\Drivers\ab2pj9m6.sys

One of those should work (the C drive may change in the Recovery Mode)

If needed please take a picture with your phone or write down exactly what it says please.

Ron


Attached a picture of the command prompt from system repair.

Starting to think that this system file was deleted after FRST did its object enumeration but before it finished the whole scan, which would explain the zero byte alert, but I still wonder what deleted it in the first place, or what sort of driver it was.

Photo0413.jpg


  • Root Admin

Thanks, that would seem to verify the file is not there.

Are you sure you have the Dropbox issue sorted out now?

Let me leave you with this to help keep the system clean going forward.

Let's get real. If you're not backing up your data and you're still using Google Chrome then you're just not serious about Privacy, Safety, and protecting your data. Malwarebytes is a fantastic program but you still need to back up your data and you still need to block scripts and Ads in your browser. 
If you're still using Google Chrome I would highly suggest you consider using Firefox instead. For more advanced users you might consider installing NoScript as well (it does have a higher learning curve though)

Help Secure your browsers

Please install uBlock Origin for your browsers to better protect your system

Firefox, Chrome, Opera, Safari, Microsoft Edge
AdBlock for Internet Explorer
How to use uBlock Origin to protect your online privacy and security | uBlock Origin tutorial 2018

This video tutorial above explains how to use uBlock Origin in advanced user mode and all the advanced settings to protect your online privacy and help prevent unwanted sites from changing your browser settings

Follow-up Reading

Everything you need to know about cybercrime
10 easy ways to prevent malware infection 
Keep your data backed up

Thank you for choosing Malwarebytes and tell your friends and family too. We're here to help.


Ron


Yep, thanks @AdvancedSetup

No new files have been created in the shellext folder, I uninstalled winrar and replaced it with 7z, also went through regedit again to make sure no dropbox entries remained, all seems fine for now.

Also, I was considering ditching ABP in favour of UBO, as more and more trash keeps circumventing it or flat-out disallowing me to use some sites. NS also sounds good.

Again, thanks for your time and assistance with this.


  • Root Admin

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Thanks

This topic is now closed to further replies.