Public folders with unknown exe's triggering AVG

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by sabr49, Mar 11, 2015.

  1. sabr49

    sabr49 Private E-2

    AVG keeps telling me about exe files in the public folder in various directories. Attached are all of the logs.

    It keeps popping up even after Hitman claimed to remove it.

    AVG's remove is also ineffective.
     

    Attached Files:

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Could you attach a log from AVG showing the issues?
     
  3. sabr49

    sabr49 Private E-2

    Thanks so much for your help with this. I exported the system scan and the resident shield scan results and attached them.
     

    Attached Files:

    • avg.zip (4.5 KB)
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I think you are getting false positives, but let's run ComboFix to be sure:

    Please download ComboFix to your desktop. Turn off any AV software you have before you run it. Attach the log when finished. Do not do anything while it is running or it may stall the program.
     
  5. sabr49

    sabr49 Private E-2

    Here is the ComboFix report - for some reason it reported before I began that AVG was still running even though I had uninstalled it and rebooted the computer. I am also attaching another Malwarebytes report - it had popped up reporting some issues.
     

    Attached Files:

  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Boot into the Public account and run the scans. RogueKiller, Hitman and MBAM. Then run the MGtools.exe and attach the C:\MGLogs.zip
     
  7. sabr49

    sabr49 Private E-2

    When you say login as the public user is that the guest account?
     
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    My mistake.

    List contents of C:\Users

    d-sh--w 0 2009-07-14 05:08:56 C:\Users\All Users
    d--h--r 0 2009-07-14 07:07:31 C:\Users\Default
    d-sh--w 0 2009-07-14 05:08:56 C:\Users\Default User
    --sha-w 174 2009-07-14 04:54:24 C:\Users\desktop.ini
    d-----r 0 2015-03-11 16:49:52 C:\Users\Public
    d-----w 0 2013-06-23 01:40:04 C:\Users\Shifra

    Attach the contents of the Public folder.
     
    Last edited: Mar 12, 2015
  9. sabr49

    sabr49 Private E-2

    Here you are:

    Folder PATH listing for volume TI106303W0D
    Volume serial number is 2211-C516
    C:\USERS\PUBLIC
    │   Public.exe
    │
    ├───AppData
    │   └───Local
    │       └───temp
    ├───Book Place
    │       Book Place.exe
    │       Toshiba Free Book Flyer.xps
    │
    ├───Documents
    │       Documents.exe
    │
    ├───Downloads
    │       Downloads.exe
    │
    ├───Music
    │       Music.exe
    │
    ├───Pictures
    │   │   Pictures.exe
    │   │
    │   └───Sample Pictures
    │           Chrysanthemum.jpg
    │           Desert.jpg
    │           Hydrangeas.jpg
    │           Jellyfish.jpg
    │           Koala.jpg
    │           Lighthouse.jpg
    │           Penguins.jpg
    │           Sample Pictures.exe
    │           Tulips.jpg
    │
    ├───Recorded TV
    │   └───Sample Media
    │           Sample Media.exe
    │           win7_scenic-demoshort_raw.wtv
    │
    ├───TEMP
    └───Videos
        │   Videos.exe
        │
        └───Sample Videos
                Sample Videos.exe
                Wildlife.wmv
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! There is a Brontok infection as shown.
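    The pattern chaslang is pointing at is visible in the listing above: every folder under Public contains an executable carrying the folder's own name (Public.exe, Documents.exe, Sample Pictures.exe), which is how Brontok-style droppers make a worm look like the folder it sits in. The Python script below is an added example, not code from this thread or from any of the tools mentioned in it. It rebuilds that listing as a constructed directory tree in a temporary folder (plus one normally named .exe added as a control), walks it, and reports each executable whose base name equals its parent folder's name. The file names, the extension set and the helper names are assumptions made for the example; it only reports, it does not delete anything.

```python
import os
import tempfile

# Constructed stand-in for the tree listing posted in the thread, with one
# extra benign file added as a control. Paths are relative to the Public
# folder; entries ending in "/" are empty directories.
SAMPLE_TREE = [
    "Public.exe",
    "AppData/Local/temp/",
    "Book Place/Book Place.exe",
    "Book Place/Toshiba Free Book Flyer.xps",
    "Documents/Documents.exe",
    "Downloads/Downloads.exe",
    "Downloads/setup-tool.exe",   # constructed control: a normally named exe
    "Music/Music.exe",
    "Pictures/Pictures.exe",
    "Pictures/Sample Pictures/Chrysanthemum.jpg",
    "Pictures/Sample Pictures/Sample Pictures.exe",
    "Recorded TV/Sample Media/Sample Media.exe",
    "Recorded TV/Sample Media/win7_scenic-demoshort_raw.wtv",
    "TEMP/",
    "Videos/Videos.exe",
    "Videos/Sample Videos/Sample Videos.exe",
    "Videos/Sample Videos/Wildlife.wmv",
]

# Extensions Windows runs directly when the "folder" is double-clicked
# (assumed set for the example; extend it to taste).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com"}


def build_sample_tree(base_dir):
    """Materialise SAMPLE_TREE under base_dir/Public and return that Public path."""
    root = os.path.join(base_dir, "Public")
    for entry in SAMPLE_TREE:
        parts = entry.strip("/").split("/")
        path = os.path.join(root, *parts)
        if entry.endswith("/"):
            os.makedirs(path, exist_ok=True)
        else:
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "wb").close()   # empty placeholder; only the name matters
    return root


def find_folder_named_executables(root):
    """Walk root and return, sorted, the relative paths of executables whose
    base name matches the directory containing them (Public\\Public.exe,
    Documents\\Documents.exe, ...). Names are compared case-insensitively,
    as Windows does. Results use "/" so they look the same on any OS."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        folder_name = os.path.basename(os.path.normpath(dirpath)).lower()
        for name in filenames:
            stem, ext = os.path.splitext(name)
            if ext.lower() in EXECUTABLE_EXTENSIONS and stem.lower() == folder_name:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


def scan_sample():
    """Build the constructed tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_folder_named_executables(build_sample_tree(tmp))


if __name__ == "__main__":
    for hit in scan_sample():
        print("folder-named executable:", hit)
```

    Point `find_folder_named_executables` at a real profile directory to get the same report for a live machine; on the constructed tree it flags all ten folder-named executables and leaves the control file and the media files alone.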
     
  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Download OTM by Old Timer and save it to your Desktop.


    • Run OTM.exe by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).
    • Paste the following code under the Paste List of Files/Folders to Move area. Do not include the word Code.


    Code:
    :Processes
    explorer.exe
    
    :files
    C:\users\public\public.exe
    C:\windows\windows.exe
    C:\users\joeblow\documents\documents.exe
    C:\USERS\PUBLIC\Documents\Documents.exe
    C:\USERS\PUBLIC\Book Place\Book Place.exe
    C:\USERS\PUBLIC\Downloads\Downloads.exe
    C:\USERS\PUBLIC\Music\Music.exe
    C:\USERS\PUBLIC\Pictures\Pictures.exe
    C:\USERS\PUBLIC\Videos\Videos.exe
    C:\USERS\PUBLIC\Sample Videos\Sample Videos.exe
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]

    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large MoveIt! button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it in your next reply.


    Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach this log file to your next message.

    Now run this >> Using ESET's Online Scanner and attach the log from ESET.

    Keep running it until it comes up clean.
     
    Last edited: Mar 13, 2015
  12. sabr49

    sabr49 Private E-2

    So I followed the instructions and it seemed to work - after the first run of OTM and then the scanner (which deleted some files from the public folder) I scanned once more using ESET and it didn't register anything else. I also confirmed when I listed the contents of the public folders that there were no longer any .exe files.

    I mistakenly rebooted before capturing the contents of OTM but I did attach its log and the log from ESET.


    Thanks again for your help.
     

    Attached Files:

  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Good to know.

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista, Win 7 or Win 8, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Now go to the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    7. If you are running Win 8, Win 7, Vista, Windows XP or Windows ME, do the below to flush restore points:
      • Refer to the instructions for your Windows version in this link: Disable And Enable System Restore
      • What we want you to do is to first disable System Restore to flush restore points some of which could be infected.
      • Then we want you to Enable System Restore to create a new clean Restore Point.

    8. After doing the above, you should work thru the below link:

     
  14. sabr49

    sabr49 Private E-2

    Thank you for your help.
     
  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are most welcome. Safe surfing. :)
     
