Malware read and run

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Tobbio, Oct 17, 2014.

  1. Tobbio

    Tobbio Private E-2

    Hey, I have read and followed all the instructions in the process of the "read and run", but I am not sure if I am totally free of malware. I have the antivirus Webroot and it kept detecting malware every once in a while on my computer, which I removed (before ever trying "read and run"). I was just wondering if I should proceed to the next step of enabling UAC, system restore, etc.? Or just wait and see if any malware pops up again. Your help is appreciated.
     

  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Before we continue I would like for you to use MSConfig to put this machine back into normal start up mode, if you haven't done so already.


    Fix items using RogueKiller.

    Double-click RogueKiller.exe to run. (Vista/7/8 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and locate these detections:

    • [Suspicious.Path] (X64) HKEY_USERS\S-1-5-21-514681628-3143843819-1411659263-1000\Software\Microsoft\Windows\CurrentVersion\Run | SearchProtection : "C:\Users\Antonio\AppData\Roaming\Search Protection\SearchProtection.EXE" /autostart -> Found
    • [Suspicious.Path] (X64) HKEY_USERS\S-1-5-21-514681628-3143843819-1411659263-1000\Software\Microsoft\Windows\CurrentVersion\Run | Search Protection : "C:\Users\Antonio\AppData\Roaming\Search Protection\SP.EXE" /autostart -> Found
    • [Suspicious.Path] (X86) HKEY_USERS\S-1-5-21-514681628-3143843819-1411659263-1000\Software\Microsoft\Windows\CurrentVersion\Run | SearchProtection : "C:\Users\Antonio\AppData\Roaming\Search Protection\SearchProtection.EXE" /autostart -> Found
    • [Suspicious.Path] (X86) HKEY_USERS\S-1-5-21-514681628-3143843819-1411659263-1000\Software\Microsoft\Windows\CurrentVersion\Run | Search Protection : "C:\Users\Antonio\AppData\Roaming\Search Protection\SP.EXE" /autostart -> Found

    Place a checkmark next to each of these items, leave the others unchecked.
    Now press the Delete button.
    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)
    Reboot the machine.


    • Now re-run RK (just a scan) and attach the new log also.
    • Explain how things are running.
     
  3. Tobbio

    Tobbio Private E-2

    To be honest I was unaware I was supposed to be in a different startup mode and did everything in normal startup. I could do the process over again in a different mode if that's crucial, but I have attached the log to this message. Not sure if it's a big deal, but for some reason RKiller does not automatically save a log; I have to do it myself. After rebooting the "suspicious paths" are gone.
     

  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi Tobbio :)

    Explain how things are running, please.
     
  5. Tobbio

    Tobbio Private E-2

    Well no malware has been detected so far, but before when I had problems my antivirus would detect malware. I would delete the malware and a couple of days later it would detect more. Should I move to step 5 and enable the UAC, or just wait?
     
  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Why don't you run a full system scan with your protection software and let me know the outcome?
     
  7. Tobbio

    Tobbio Private E-2

    Just scanned and unfortunately it found another threat, which I removed. I tried to attach the scan log, but it kept failing. I'll show the most recent activity of the log.

    Sat 2014-10-18 00:42:06.0382 Scan Started: [ID: 492 - Flags: 1575/0]
    Sat 2014-10-18 00:45:16.0179 Connected to C3
    Sat 2014-10-18 00:45:16.0227 Infection detected: c:\program files (x86)\sendori\sendorisvc.exe [MD5: 10E8ED45F73016CE45F2A4E29626BA93] [3/00101000] [Pua.Installmonetizer]
    Sat 2014-10-18 00:45:16.0571 Scan Results: Files Scanned: 52096, Duration: 3m 10s, Malicious Files: 1
    Sat 2014-10-18 00:45:16.0614 Scan Finished: [ID: 492 - Seq: 2147000000]
    Sat 2014-10-18 01:01:41.0682 Begin passive write scan (1 file(s))
    Sat 2014-10-18 01:01:41.0928 End passive write scan (1 file(s))
    Sat 2014-10-18 01:18:09.0615 System shutting down.
    Sat 2014-10-18 01:18:19.0006 Configuration Saved: CSCS1F754077C2840D7EBF26EF83F8D1F0FF,00011,00021,00031,00041,00051,00061,00070,00081,00091,000A1,000B1,000C1,000D0,000E1,000F0,001010,001127,00120,00130,00140,00151,00161,00170,00181,00191,001A0,001B0,001C1,001D0,001E0,001F1,00201,00211,00221,00231,00240,00251,00260,00270,00281,00291,002A0,002B1,002C1,002D0,002E1,002F1,00301,00311,00321,00331,00341,00351,00361,00371,00381,00390,003A1,003B1,003C2,003D1,003E1,003F1,00401,00411,00421,00430,00441,00451,00461,00471,00481,00491,004A1,004B1,004C1,004D1,004E1,004F1,00501,00511,00521,00530,00541,00551,00561,00571,00581,00591,005A1,005B1,005C0,005D0,005E1,005F0,00601,00612,00621,00631,00641,00653,00662,00672,00681,00692,006A1,006B1,006C1,006D2,006E1,006F1,00701,00711,00721,00731,00741,00753,00761,00771,00781,00791,007A0,007B0,007C0,007D0,007E0,007F0,00800,00810,00820,00830,00840,00850,00861,00870,00880,00891,008A0,008B0,008C0,008D0,008E0,008F0,00900,00910,00920,00930,00940,00950,00960,00970,00980,00990,009A0,009B0,009C0,009D0,009E0,009F0,00A00,00A10,00A20,00A30,00A40,00A50,00A60,00A70,00A80,00A90,00AA0,00AB0,00AC0,00AD0,00AE0,00AF0,00B00,00B11,00B21,00B30,00B40,00B50,00B60,00B70,00B80,00B90,00BA0,00BB0,00BC0,00BD0,00BE0,00BF0,00C00,
    Sat 2014-10-18 01:18:19.0006 Keycode: SAE3AABBEF8F4824D66C
    Sat 2014-10-18 01:18:19.0006 <<< Service shut down successfully. Uptime: 149 minute(s)
    Sun 2014-10-19 00:07:10.0540 >>> Service started [v8.0.4.131]
    Sun 2014-10-19 00:07:12.0456 Infection detected: c:\program files (x86)\sendori\sendorisvc.exe [MD5: 10E8ED45F73016CE45F2A4E29626BA93] [3/00101000] [(null)]
    Sun 2014-10-19 00:07:12.0457 Performing cleanup entry: 1
    Sun 2014-10-19 00:07:13.0444 File blocked in realtime: c:\program files (x86)\sendori\sendorisvc.exe [MD5: 10E8ED45F73016CE45F2A4E29626BA93, Size: 120096 bytes] [1052672/00000003] [(null)]
    Sun 2014-10-19 00:07:43.0752 Connecting to 81 - 81
    Sun 2014-10-19 00:07:44.0845 User process connected successfully from PID 940, Session 1
    Sun 2014-10-19 00:07:45.0797 Begin passive write scan (2 file(s))
    Sun 2014-10-19 00:07:46.0389 End passive write scan (2 file(s))
    Sun 2014-10-19 00:07:57.0894 Begin passive write scan (1 file(s))
    Sun 2014-10-19 00:07:58.0308 End passive write scan (1 file(s))
    Sun 2014-10-19 00:09:33.0312 Begin passive write scan (1 file(s))
    Sun 2014-10-19 00:09:34.0393 End passive write scan (1 file(s))
    Sun 2014-10-19 00:10:53.0488 Scan Started: [ID: 493 - Flags: 551/16]
    Sun 2014-10-19 00:15:09.0780 Connected to C3
    Sun 2014-10-19 00:15:10.0185 Scan Results: Files Scanned: 58470, Duration: 4m 16s, Malicious Files: 0
    Sun 2014-10-19 00:15:10.0279 Scan Finished: [ID: 493 - Seq: 2147000000]
    Sun 2014-10-19 00:15:29.0171 Saved the product log to C:\Users\Antonio\Desktop\Scanlog.log
     
  8. Tobbio

    Tobbio Private E-2

    I recently scanned and unfortunately found another threat, which I removed. I tried to attach my scan log for my antivirus, but it wouldn't let me. So I pasted the most recent activity below.

    Sat 2014-10-18 00:42:06.0382 Scan Started: [ID: 492 - Flags: 1575/0]
    Sat 2014-10-18 00:45:16.0179 Connected to C3
    Sat 2014-10-18 00:45:16.0227 Infection detected: c:\program files (x86)\sendori\sendorisvc.exe [MD5: 10E8ED45F73016CE45F2A4E29626BA93] [3/00101000] [Pua.Installmonetizer]
    Sat 2014-10-18 00:45:16.0571 Scan Results: Files Scanned: 52096, Duration: 3m 10s, Malicious Files: 1
    Sat 2014-10-18 00:45:16.0614 Scan Finished: [ID: 492 - Seq: 2147000000]
    Sat 2014-10-18 01:01:41.0682 Begin passive write scan (1 file(s))
    Sat 2014-10-18 01:01:41.0928 End passive write scan (1 file(s))
    Sat 2014-10-18 01:18:09.0615 System shutting down.
    Sat 2014-10-18 01:18:19.0006 Configuration Saved: CSCS1F754077C2840D7EBF26EF83F8D1F0FF,00011,00021,00031,00041,00051,(I deleted a portion in here),00BE0,00BF0,00C00,
    Sat 2014-10-18 01:18:19.0006 Keycode: SAE3AABBEF8F4824D66C
    Sat 2014-10-18 01:18:19.0006 <<< Service shut down successfully. Uptime: 149 minute(s)
    Sun 2014-10-19 00:07:10.0540 >>> Service started [v8.0.4.131]
    Sun 2014-10-19 00:07:12.0456 Infection detected: c:\program files (x86)\sendori\sendorisvc.exe [MD5: 10E8ED45F73016CE45F2A4E29626BA93] [3/00101000] [(null)]
    Sun 2014-10-19 00:07:12.0457 Performing cleanup entry: 1
    Sun 2014-10-19 00:07:13.0444 File blocked in realtime: c:\program files (x86)\sendori\sendorisvc.exe [MD5: 10E8ED45F73016CE45F2A4E29626BA93, Size: 120096 bytes] [1052672/00000003] [(null)]
    Sun 2014-10-19 00:07:43.0752 Connecting to 81 - 81
    Sun 2014-10-19 00:07:44.0845 User process connected successfully from PID 940, Session 1
    Sun 2014-10-19 00:07:45.0797 Begin passive write scan (2 file(s))
    Sun 2014-10-19 00:07:46.0389 End passive write scan (2 file(s))
    Sun 2014-10-19 00:07:57.0894 Begin passive write scan (1 file(s))
    Sun 2014-10-19 00:07:58.0308 End passive write scan (1 file(s))
    Sun 2014-10-19 00:09:33.0312 Begin passive write scan (1 file(s))
    Sun 2014-10-19 00:09:34.0393 End passive write scan (1 file(s))
    Sun 2014-10-19 00:10:53.0488 Scan Started: [ID: 493 - Flags: 551/16]
    Sun 2014-10-19 00:15:09.0780 Connected to C3
    Sun 2014-10-19 00:15:10.0185 Scan Results: Files Scanned: 58470, Duration: 4m 16s, Malicious Files: 0
    Sun 2014-10-19 00:15:10.0279 Scan Finished: [ID: 493 - Seq: 2147000000]
    Sun 2014-10-19 00:15:29.0171 Saved the product log to C:\Users\Antonio\Desktop\Scanlog.log
     
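As an added example (not from the thread, and not Webroot's own tooling), a small Python triage script for the Webroot log format pasted above: it groups "Infection detected" lines by scan ID, records real-time blocks that happen between scans, and lists any hash that keeps coming back, which is the pattern that eventually pointed at the leftover Sendori folder here. The sample lines are constructed from the format shown above; the function and field names are my own.

```python
import re
from collections import Counter

# Constructed sample lines, in the Webroot log format pasted in the thread.
SAMPLE_LOG = """\
Sat 2014-10-18 00:42:06.0382 Scan Started: [ID: 492 - Flags: 1575/0]
Sat 2014-10-18 00:45:16.0227 Infection detected: c:\\program files (x86)\\sendori\\sendorisvc.exe [MD5: 10E8ED45F73016CE45F2A4E29626BA93] [3/00101000] [Pua.Installmonetizer]
Sat 2014-10-18 00:45:16.0571 Scan Results: Files Scanned: 52096, Duration: 3m 10s, Malicious Files: 1
Sun 2014-10-19 00:07:13.0444 File blocked in realtime: c:\\program files (x86)\\sendori\\sendorisvc.exe [MD5: 10E8ED45F73016CE45F2A4E29626BA93, Size: 120096 bytes] [1052672/00000003] [(null)]
Sun 2014-10-19 00:10:53.0488 Scan Started: [ID: 493 - Flags: 551/16]
Sun 2014-10-19 00:15:10.0185 Scan Results: Files Scanned: 58470, Duration: 4m 16s, Malicious Files: 0
"""

LINE = re.compile(r"^\w{3} (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ (.*)$")
SCAN_START = re.compile(r"Scan Started: \[ID: (\d+)")
DETECTED = re.compile(r"Infection detected: (.+?) \[MD5: ([0-9A-F]{32})\] \[[^\]]*\] \[([^\]]*)\]")
BLOCKED = re.compile(r"File blocked in realtime: (.+?) \[MD5: ([0-9A-F]{32})")
RESULTS = re.compile(r"Scan Results: .*Malicious Files: (\d+)")

def triage(log_text):
    """Return {'scans': [...], 'blocks': [...]}: detections grouped by scan ID, plus real-time blocks."""
    report, current = {"scans": [], "blocks": []}, None
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not a timestamped event line (e.g. the Configuration Saved blob)
        when, event = m.groups()
        if s := SCAN_START.search(event):
            current = {"id": int(s.group(1)), "started": when, "detections": [], "malicious": None}
            report["scans"].append(current)
        elif (d := DETECTED.search(event)) and current is not None:
            current["detections"].append({"path": d.group(1), "md5": d.group(2), "name": d.group(3)})
        elif b := BLOCKED.search(event):
            report["blocks"].append({"when": when, "path": b.group(1), "md5": b.group(2)})
        elif (r := RESULTS.search(event)) and current is not None:
            current["malicious"] = int(r.group(1))
            current = None  # scan closed; later events belong to no scan

def_marker = None  # placeholder removed below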
  9. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    C:\Program Files (x86)\Sendori << Then delete the folder, then empty recycle bin (Sendori is not installed) and then see if your antivirus stops complaining. Let me know.
     
  10. Tobbio

    Tobbio Private E-2

    I deleted sendori and nothing detected in a scan after. Ill give it some time and hopefully nothing new pops up. Ill let you know if anything happens or doesn't. I appreciate the help
     
  11. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    OK, let me know later on today. :)
     
  12. Tobbio

    Tobbio Private E-2

    Sorry I couldn't get back to you early, but after a scan another threat popped up in a different location.

    Tue 2014-10-21 00:38:08.0051 Scan Started: [ID: 496 - Flags: 1575/0]
    Tue 2014-10-21 00:42:14.0657 Infection detected: c:\users\antonio\appdata\local\temp\searchprotectionsetup.exe [MD5: 6E2F4F00B27EC2FD72AE757BD826EF8F] [3/00081000] [Pua.Spigot]
    Tue 2014-10-21 00:42:15.0015 Scan Results: Files Scanned: 51338, Duration: 4m 5s, Malicious Files: 1
    Tue 2014-10-21 00:42:15.0374 Scan Finished: [ID: 496 - Seq: 2147000000]
    Tue 2014-10-21 00:43:37.0370 Determination flags modified: c:\users\antonio\appdata\local\temp\searchprotectionsetup.exe - MD5: 6E2F4F00B27EC2FD72AE757BD826EF8F, Size: 3079656 bytes, Flags: 00000020
    Tue 2014-10-21 00:43:40.0069 Performing cleanup entry: 1
    Tue 2014-10-21 00:43:42.0455 Scan Started: [ID: 497 - Flags: 1575/128]
    Tue 2014-10-21 00:47:03.0637 Scan Results: Files Scanned: 50976, Duration: 3m 20s, Malicious Files: 0
    Tue 2014-10-21 00:47:03.0715 Scan Finished: [ID: 497 - Seq: 2147000000]
    Tue 2014-10-21 00:47:24.0761 Scan Started: [ID: 498 - Flags: 1575/0]
    Tue 2014-10-21 00:47:53.0840 Determination flags modified: c:\program files (x86)\sendori\libplds4.dll - MD5: 0F9A8C362098F0DD0CB210957EE6F87C, Size: 52512 bytes, Flags: 00000100
    Tue 2014-10-21 00:47:53.0856 Saved updated configuration
    Tue 2014-10-21 00:48:01.0700 Determination flags modified: c:\program files (x86)\sendori\libplds4.dll - MD5: 0F9A8C362098F0DD0CB210957EE6F87C, Size: 52512 bytes, Flags: 00000040
    Tue 2014-10-21 00:48:01.0700 Saved updated configuration
    Tue 2014-10-21 00:49:37.0272 Saved the product log to C:\Users\Antonio\Desktop\nj.log
     
  13. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    SystemLook

    Please download SystemLook from DOWNLOAD MIRROR 2 and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :filefind
      SearchProtection
      sendori
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
     
  14. Tobbio

    Tobbio Private E-2

    Hey, sorry I have been a bit busy these past couple of days, but I downloaded the program and followed the instructions. I posted the log below, but it didn't find those files. (by the way, no new threat has popped up since the last one)

    SystemLook 30.07.11 by jpshortstuff
    Log created at 21:06 on 24/10/2014 by Antonio
    Administrator - Elevation successful

    ========== filefind ==========

    Searching for "SearchProtection"
    No files found.

    Searching for "sendori"
    No files found.

    -= EOF =-
     
  15. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Do you see these, are they visible to you?

    • c:\users\antonio\appdata\local\temp\searchprotectionsetup.exe
    • c:\program files (x86)\sendori
     
  16. Tobbio

    Tobbio Private E-2

    I could not find searchprotectionsetup.exe, it stops at temp. Same as sendori, it stops at program files (x86).
     
  17. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    And Webroot is detecting this?
     
  18. Tobbio

    Tobbio Private E-2

    Not anymore, nothing has been detected so far.
     
  19. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Any other outstanding issues relevant to this forum? :)
     
  20. Tobbio

    Tobbio Private E-2

    Nope, everything else seems to be working fine. Thanks for help, much appreciation :)
     
  21. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Renable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista, Win 7 or Win 8, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Now goto the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.

    7. After doing the above, you should work thru the below link:
     

MajorGeeks.Com Menu

Downloads All In One Tweaks \ Android \ Anti-Malware \ Anti-Virus \ Appearance \ Backup \ Browsers \ CD\DVD\Blu-Ray \ Covert Ops \ Drive Utilities \ Drivers \ Graphics \ Internet Tools \ Multimedia \ Networking \ Office Tools \ PC Games \ System Tools \ Mac/Apple/Ipad Downloads

Other News: Top Downloads \ News (Tech) \ Off Base (Other Websites News) \ Way Off Base (Offbeat Stories and Pics)

Social: Facebook \ YouTube \ Twitter \ Tumblr \ Pintrest \ RSS Feeds