PC infected with Trojan, blocking Malwarebytes from scanning etc


ADeWitt

My Gateway Desktop computer has been impacted by a malware/trojan.  Malwarebytes can see some of the files but is blocked from removing them; other files are not seen by Malwarebytes.  But Malwarebytes is not allowed to scan; I can't open it to force a scan etc.  Tried Chameleon and that saw some files but was not able to remove them; now Chameleon is no longer visible etc.

Tried your EEK.  Initially (before reading the instructions) I scanned in Safe Mode (as this is the only place Malwarebytes even got to see the bad files) and that scan did find an infected file.  The dialog box said to run EEK and Farbar in Normal mode and create the files to send to you.

I have done that, and the scan report, FRST.txt and Addition.txt are attached.  I'm also sending the scan log from when I ran EEK in Safe Mode so you can see the file it picked up.  Again, the Safe Mode scan was done prior to the Normal scan as requested.

Thanks in advance for your help.

FRST.txt

Addition.txt

scan_171104-202602 in normal mode.txt

scan_171103-212108 in safe mode.txt


Empty the Thunderbird Junkmail folder.

According to your FRST logs you have both Malwarebytes Anti-Malware v2 and Malwarebytes v3 installed.  Uninstall both and then reinstall Malwarebytes v3.

Uninstall BitDefender Agent from BitDefender.

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

HKU\S-1-5-19\Control Panel\Desktop\\SCRNSAVE.EXE ->
HKU\S-1-5-20\Control Panel\Desktop\\SCRNSAVE.EXE ->
HKU\S-1-5-18\Control Panel\Desktop\\SCRNSAVE.EXE ->
Startup: C:\Users\AD\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CNNAlerter.lnk [2016-10-24]
ShortcutTarget: CNNAlerter.lnk -> C:\Program Files (x86)\CNN.com Desktop Alerter\CNNAlerter.exe (No File)
SearchScopes: HKU\S-1-5-21-1039760926-455402857-927829855-500 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
2017-11-01 09:03 - 2017-11-03 18:19 - 000000000 ____D C:\Users\AD\AppData\Local\Ysmo
2017-11-01 09:03 - 2017-11-01 09:03 - 000000000 ____D C:\Users\AD\AppData\Local\Hxuf
2014-06-17 21:02 - 2014-06-17 21:02 - 006010880 _____ () C:\Program Files (x86)\GUTE13C.tmp
2014-12-27 18:32 - 2014-12-27 18:34 - 086546736 _____ (Seagate                                                      ) C:\Users\AD\AppData\Local\Temp\0b9c9bf0-3ef1-4bb0-96fb-74851454d9bc.setup.exe
2013-06-17 06:48 - 2013-06-17 06:50 - 095515832 _____ (Seagate                                                      ) C:\Users\AD\AppData\Local\Temp\19e6f770-23dd-443a-8717-72074e91480f.setup.exe
2015-04-21 07:04 - 2015-04-21 07:05 - 088745432 _____ (Seagate                                                      ) C:\Users\AD\AppData\Local\Temp\54bca190-f126-4822-b53e-a37987928d06.setup.exe
2014-04-05 12:39 - 2014-04-05 12:45 - 098477400 _____ (Seagate                                                      ) C:\Users\AD\AppData\Local\Temp\74d2d27f-09a6-44be-8940-1e32c6f83291.setup.exe
2015-03-10 14:10 - 2015-03-10 14:11 - 088738688 _____ (Seagate                                                      ) C:\Users\AD\AppData\Local\Temp\8f5397ad-5ab6-4658-b12b-2e526c323963.setup.exe
2016-06-27 07:32 - 2016-06-27 07:32 - 001396736 _____ (Social Security Administration) C:\Users\AD\AppData\Local\Temp\anypia32.exe
2014-12-30 10:24 - 2014-12-30 10:24 - 009028723 _____ () C:\Users\AD\AppData\Local\Temp\Aupeo_ACER_GA_setup.exe
2014-01-22 06:08 - 2014-01-22 06:13 - 096205424 _____ (Seagate                                                      ) C:\Users\AD\AppData\Local\Temp\d38d9a25-9271-4cdd-81c5-80f7d5fb45d5.setup.exe
2015-12-11 08:23 - 2015-12-11 08:23 - 000071168 _____ () C:\Users\AD\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpxdb5fb.dll
2014-07-19 17:13 - 2014-07-19 17:15 - 098302984 _____ (Seagate                                                      ) C:\Users\AD\AppData\Local\Temp\e399c7bd-8852-4f4c-af65-7328db8e911f.setup.exe
2013-01-30 17:58 - 2013-01-30 17:58 - 000897448 _____ (Oracle Corporation) C:\Users\AD\AppData\Local\Temp\jre-7u13-windows-i586-iftw.exe
2013-02-15 23:00 - 2013-02-15 23:00 - 000897448 _____ (Oracle Corporation) C:\Users\AD\AppData\Local\Temp\jre-7u15-windows-i586-iftw.exe
2013-03-01 14:00 - 2013-03-01 14:00 - 000897448 _____ (Oracle Corporation) C:\Users\AD\AppData\Local\Temp\jre-7u17-windows-i586-iftw.exe
2016-07-24 06:51 - 2016-07-24 06:51 - 000741440 _____ (Oracle Corporation) C:\Users\AD\AppData\Local\Temp\jre-8u101-windows-au.exe
2015-08-27 20:50 - 2015-08-27 20:50 - 000585824 _____ (Oracle Corporation) C:\Users\AD\AppData\Local\Temp\jre-8u60-windows-au.exe
2015-10-23 07:54 - 2015-10-23 07:54 - 000585824 _____ (Oracle Corporation) C:\Users\AD\AppData\Local\Temp\jre-8u65-windows-au.exe
2015-11-25 12:24 - 2015-11-25 12:24 - 000585824 _____ (Oracle Corporation) C:\Users\AD\AppData\Local\Temp\jre-8u66-windows-au.exe
2016-01-22 14:41 - 2016-01-22 14:41 - 000644704 _____ (Oracle Corporation) C:\Users\AD\AppData\Local\Temp\jre-8u71-windows-au.exe
2016-02-09 15:58 - 2016-02-09 15:58 - 000736352 _____ (Oracle Corporation) C:\Users\AD\AppData\Local\Temp\jre-8u73-windows-au.exe
2016-03-30 08:37 - 2016-03-30 08:37 - 000736320 _____ (Oracle Corporation) C:\Users\AD\AppData\Local\Temp\jre-8u77-windows-au.exe
2016-04-22 07:04 - 2016-04-22 07:04 - 000739904 _____ (Oracle Corporation) C:\Users\AD\AppData\Local\Temp\jre-8u91-windows-au.exe
2017-10-30 12:01 - 2017-10-26 10:30 - 071535032 _____ (Malwarebytes                                                ) C:\Users\AD\AppData\Local\Temp\mb3-setup-consumer-3.2.2.2029-1.0.212-1.0.2951.exe
2013-04-13 12:21 - 2013-04-13 12:24 - 095409536 _____ (Seagate                                                      ) C:\Users\AD\AppData\Local\Temp\setup.exe
2013-06-23 18:18 - 2015-01-05 19:19 - 044836968 _____ (Skype Technologies S.A.) C:\Users\AD\AppData\Local\Temp\SkypeSetup.exe
2015-04-06 23:13 - 2015-04-06 23:13 - 000122368 _____ () C:\Users\AD\AppData\Local\Temp\wperfenhancer.7533743e849747541ee66681591c8bc5e8f289c9.dll
2012-04-16 20:34 - 2012-04-16 20:34 - 007175288 _____ (                                                            ) C:\Users\andy\AppData\Local\Temp\2627.exe
2012-04-14 17:52 - 2012-04-14 17:52 - 000460800 _____ (Realtek Semiconductor Corp.) C:\Users\andy\AppData\Local\Temp\COMAP.EXE
2012-04-14 12:33 - 2012-04-14 12:33 - 004139680 _____ (Adobe Systems Incorporated) C:\Users\andy\AppData\Local\Temp\FP_PL_PFS_INSTALLER_32bit.exe
2013-01-12 15:09 - 2013-01-12 15:09 - 000896424 _____ (Oracle Corporation) C:\Users\andy\AppData\Local\Temp\jre-7u11-windows-i586-iftw.exe
2012-09-07 14:45 - 2012-09-07 14:45 - 000894952 _____ (Oracle Corporation) C:\Users\andy\AppData\Local\Temp\jre-7u7-windows-i586-iftw.exe
2012-09-27 15:56 - 2012-09-27 15:56 - 000895464 _____ (Oracle Corporation) C:\Users\andy\AppData\Local\Temp\jre-7u9-windows-i586-iftw.exe
2012-04-13 22:00 - 2013-01-07 20:30 - 029304496 _____ (Skype Technologies S.A.) C:\Users\andy\AppData\Local\Temp\SkypeSetup.exe
2013-01-30 16:00 - 2012-06-15 07:12 - 000513968 _____ (Corel Corporation) C:\Users\andy\AppData\Local\Temp\Uninst.exe
ShellIconOverlayIdentifiers: [DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} =>  -> No File
ShellIconOverlayIdentifiers: [DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} =>  -> No File
ShellIconOverlayIdentifiers: [DropboxExt3] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} =>  -> No File
ShellIconOverlayIdentifiers: [DropboxExt4] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} =>  -> No File
ShellIconOverlayIdentifiers-x32: [DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} =>  -> No File
ShellIconOverlayIdentifiers-x32: [DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} =>  -> No File
ShellIconOverlayIdentifiers-x32: [DropboxExt3] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} =>  -> No File
Task: {397CED0B-F478-44A3-B5C7-659410E2C350} - \ITECIR Filter Application for RCMM  -> No File <==== ATTENTION

Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait.

If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.

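As an added illustration (not part of this thread and not FRST's own code), the Python below triages entries written in the format FRST uses in its logs, taking the lines of the fixlist above as a constructed sample: it sorts each entry by type and flags the two things that fixlist targets, orphaned autostart/COM/task entries whose target file no longer exists, and short pseudo-random folder names created directly under AppData\Local. The random-name heuristic is my assumption, not an FRST rule.

```python
import re

# Constructed sample in the entry format FRST writes to its logs; the values are
# copied from the fixlist in this thread, not from a real scan of another machine.
SAMPLE = r"""
Startup: C:\Users\AD\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CNNAlerter.lnk [2016-10-24]
ShortcutTarget: CNNAlerter.lnk -> C:\Program Files (x86)\CNN.com Desktop Alerter\CNNAlerter.exe (No File)
2017-11-01 09:03 - 2017-11-03 18:19 - 000000000 ____D C:\Users\AD\AppData\Local\Ysmo
2016-07-24 06:51 - 2016-07-24 06:51 - 000741440 _____ (Oracle Corporation) C:\Users\AD\AppData\Local\Temp\jre-8u101-windows-au.exe
CustomCLSID: HKU\S-1-5-21-1039760926-455402857-927829855-1006_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}\InprocServer32 -> C:\Users\AD\AppData\Local\Google\Update\1.3.25.5\psuser_64.dll => No File
Task: {397CED0B-F478-44A3-B5C7-659410E2C350} - \ITECIR Filter Application for RCMM  -> No File <==== ATTENTION
HKU\S-1-5-21-1039760926-455402857-927829855-1006\...\Run: [Zoom] => [X]
"""

# Line prefix -> entry kind. Dated file/folder entries are matched separately.
PREFIXES = {
    "Startup:": "startup", "ShortcutTarget:": "shortcut_target",
    "CustomCLSID:": "custom_clsid", "Task:": "task",
    "SearchScopes:": "search_scope", "ShellIconOverlayIdentifiers": "shell_overlay",
}
# "<created> - <modified> - <size> <attrs> [(company) ]<path>"; a "D" in attrs marks a folder.
DATED = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d - \d{4}-\d\d-\d\d \d\d:\d\d - (\d+) (_+D?_*) (?:\((.*?)\) )?(.+)$")
RUN_KEY = re.compile(r"\\\.\.\.\\Run: \[(.+?)\] => (.*)$")
# Heuristic (assumption): short capitalised pseudo-random folder names created directly
# under AppData\Local, like Ysmo, Hxuf and Gdipni in this thread, are worth a look.
RANDOM_DIR = re.compile(r"\\AppData\\Local\\([A-Z][a-z]{3,6})$")

def classify(line):
    m = DATED.match(line)
    if m:
        return "directory" if "D" in m.group(2) else "file"
    if RUN_KEY.search(line):
        return "run_key"
    for prefix, kind in PREFIXES.items():
        if line.startswith(prefix):
            return kind
    return "other"

def is_orphan(line):
    # FRST marks autostart/COM/task entries whose target is missing with "No File"
    # or "[X]"; an orphan is inert by itself but is what a fixlist removes.
    return "No File" in line or line.rstrip().endswith("[X]")

def triage(text):
    rows = []
    for line in text.strip().splitlines():
        kind = classify(line)
        rows.append({"kind": kind, "orphan": is_orphan(line),
                     "random_dir": kind == "directory" and bool(RANDOM_DIR.search(line)),
                     "line": line})
    return rows

if __name__ == "__main__":
    for r in triage(SAMPLE):
        flags = [f for f in ("orphan", "random_dir") if r[f]]
        print(f"{r['kind']:16} {','.join(flags) or '-':12} {r['line'][:70]}")
```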

Hello,

Ran EEK and it needed updates for signatures, which I did, then started the scan.  The scan log is attached.

Then ran the FRST64 scan, and that log along with Addition is attached.

The EEK scan is still showing a bad file in Thunderbird Junk, even though it looked like I had deleted all the junk emails per your instructions.  Perhaps you meant for me to eliminate the junk folders.

My external hard drives are still disconnected and the above scan is only on the computer so far.

Looking forward to next steps.

Thanks in advance.

scan_171107-212735.txt

FRST Nov 8.txt

Addition Nov 8.txt


No need to eliminate the Junk folders, just make sure that the contents have been deleted.

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

HKU\S-1-5-21-1039760926-455402857-927829855-1006\...\Run: [Zoom] => [X]
SearchScopes: HKU\S-1-5-21-1039760926-455402857-927829855-1006 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1039760926-455402857-927829855-1006 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
2017-10-25 09:35 - 2017-10-25 09:36 - 000000000 ____D C:\Users\AD\AppData\Local\Gdipni
CustomCLSID: HKU\S-1-5-21-1039760926-455402857-927829855-1006_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}\InprocServer32 -> C:\Users\AD\AppData\Local\Google\Update\1.3.25.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1039760926-455402857-927829855-1006_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}\InprocServer32 -> C:\Users\AD\AppData\Local\Google\Update\1.3.27.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1039760926-455402857-927829855-1006_Classes\CLSID\{355EC88A-02E2-4547-9DEE-F87426484BD1}\InprocServer32 -> C:\Users\AD\AppData\Local\Google\Update\1.3.23.9\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1039760926-455402857-927829855-1006_Classes\CLSID\{590C4387-5EBD-4D46-8A84-CD0BA2EF2856}\InprocServer32 -> C:\Users\AD\AppData\Local\Google\Update\1.3.30.3\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1039760926-455402857-927829855-1006_Classes\CLSID\{59B55F04-DE14-4BB8-92FF-C4A22EF2E5F4}\InprocServer32 -> C:\Users\AD\AppData\Local\Google\Update\1.3.31.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1039760926-455402857-927829855-1006_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E}\InprocServer32 -> C:\Users\AD\AppData\Local\Google\Update\1.3.28.1\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1039760926-455402857-927829855-1006_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98}\InprocServer32 -> C:\Users\AD\AppData\Local\Google\Update\1.3.28.13\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1039760926-455402857-927829855-1006_Classes\CLSID\{793EE463-1304-471C-ADF1-68C2FFB01247}\InprocServer32 -> C:\Users\AD\AppData\Local\Google\Update\1.3.29.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1039760926-455402857-927829855-1006_Classes\CLSID\{8C46158B-D978-483C-A312-16EE5013BE04}\InprocServer32 -> C:\Users\AD\AppData\Local\Google\Update\1.3.33.3\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1039760926-455402857-927829855-1006_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Users\AD\AppData\Local\Google\Update\1.3.24.15\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1039760926-455402857-927829855-1006_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}\InprocServer32 -> C:\Users\AD\AppData\Local\Google\Update\1.3.26.9\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1039760926-455402857-927829855-1006_Classes\CLSID\{CB492AF1-2CEF-4E58-BE47-471C77D0C8BA}\InprocServer32 -> C:\Users\AD\AppData\Local\Google\Update\1.3.32.7\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1039760926-455402857-927829855-1006_Classes\CLSID\{CC182BE1-84CE-4A57-B85C-FD4BBDF78CB2}\InprocServer32 -> C:\Users\AD\AppData\Local\Google\Update\1.3.29.1\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1039760926-455402857-927829855-1006_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> C:\Users\AD\AppData\Local\Google\Update\1.3.25.11\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1039760926-455402857-927829855-1006_Classes\CLSID\{D1EDC4F5-7F4D-4B12-906A-614ECF66DDAF}\InprocServer32 -> C:\Users\AD\AppData\Local\Google\Update\1.3.28.15\psuser_64.dll => No File
C:\Users\AD\AppData\Roaming\Thunderbird\Profiles\t0e3is6o.default\ImapMail\mail.twc.com\Junkmail

Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait.

If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.


Thanks again,

Just for future reference, when I attempted to delete junk files in my Thunderbird files, I used the application itself to delete the files in Junk.  However, I noticed I had several locations for junk files.  So I hopefully eliminated them by going into the folders themselves and deleting.

Fix log for today is attached.

Fixlog Nov 9.txt


Kevin,

Right now the machine seems OK.  I have run a quick Malwarebytes scan and it's OK; also MS Essentials is running and did a quick scan around 6 p.m. (normal schedule for me) and found nothing.

What is different now is that I can open Malwarebytes manually, update, scan etc., things the malware / trojan prevented me from doing.  So I think OK.

I'm going to hook up my external hard drives and do a deep scan with Malwarebytes, then Essentials; that will take some time.  Hopefully all will go OK.

Should I also scan with EMSISOFT after that to confirm all OK?

Thanks for your help.


Hello Kevin,

Not quite home yet.

After hooking up my external hard drives, I did a deep scan with MS Essentials; it detected two bad files and recommends removing them immediately, which I have not done yet.  I can't export a text file so I'm repeating the data here.

Detected Item: PWS:HTML/Payphish, this is listed twice

Following Error Occurred: Error code 0x80508023

Category: Password Stealer

File:C:\User\AD\AppData\local\Temp\tmp000078b7\tmp007da8fb->(SCRIPT000)->(EmbeddedCode)->(Form)

File:C:\User\AD\AppData\local\Temp\tmp000078b7\tmp007dcce7->(SCRIPT000)->(EmbeddedCode)->(Form)

Then ran EEK and, not surprisingly, on one of the external drives it found the same file four times, in backup zip files.  Four different backups, I assume.

I'm attaching the scan log here.  I can easily delete the backup files, as they are only backups on the G drive, if that is your direction.

Thanks again in advance.

scan_171110-213700 Nov 11.txt


Unless you are having problems, it is time to do the final steps.

Now to remove most of the tools that we have used in fixing your machine:

Download Delfix from here and save it to your desktop.

  • Ensure Remove disinfection tools is checked.
  • Also place a checkmark next to:
    • Create registry backup
    • Purge system restore
  • Click the Run button.

When the tool is finished, a log will open in Notepad. I do not need the log. You can close Notepad.

Empty the Recycle Bin.

You can delete and uninstall any programs I had you download that you do not wish to keep on the system.

To remove EEK, simply delete the EEK folder in the root of your System Drive, normally C:\EEK.

Run Windows Update and update your Windows Operating System.

Articles to Read:
How to Protect Your Computer From Malware
How to keep you and your Windows PC happy
Web, email, chat, password and kids safety
How Did I Get Infected?

That should take care of everything.

Safe Surfing!


Thread Closed

Reason: Resolved

The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE; if you don't, we are just going to send you back to that thread.
