Win7 x64 logs detected Malware

Discussion in 'Malware Help (A Specialist Will Reply)' started by krmorgan, Feb 14, 2013.

  1. krmorgan

    krmorgan Private E-2

    I am attaching the logs for analysis, as Malware has been detected, and I have followed your instructions to the T. The only exception has been that I executed MalwareBytes Anti-Malware on 2012-12-08, which quarantined and deleted 4 files successfully, and 2 registry items were false positives. Prior to executing your Win 7 Malware Removal/Cleaning Procedure I restored these quarantined files so your scripted steps would do another scrubbing to ensure this computer ends up entirely clean after I take the next steps of instructions you provide to me. I am pasting below the mbam-log-2012-12-08 (15-39-09).txt results for reference only, as I have attached all (5) five logs from today's 2/14/2012 scans.

    Malwarebytes Anti-Malware 1.65.1.1000
    www.malwarebytes.org

    Database version: v2012.12.08.07

    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 9.0.8112.16421
    Kevin Morgan :: KEVINMORGAN [administrator]

    12/8/2012 3:39:09 PM
    mbam-log-2012-12-08 (15-39-09).txt

    Scan type: Full scan (C:\|Q:\|)
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 629099
    Time elapsed: 44 minute(s), 37 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 2
    HKCR\scrfile\shell\open\command| (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE "%1") Good: ("%1" /S) -> No action taken.
    HKCR\regfile\shell\open\command| (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE "%1") Good: (regedit.exe "%1") -> No action taken.

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 4
    C:\Program Files\Adobe\Adobe Bridge CS6 (64 Bit)\AMTLib.dll (PUP.RiskwareTool.CK) -> Quarantined and deleted successfully.
    C:\Program Files\Adobe\Adobe Photoshop CS6 (64 Bit)\amtlib.dll (PUP.RiskwareTool.CK) -> Quarantined and deleted successfully.
    C:\Program Files (x86)\Adobe\Adobe Bridge CS6\AMTLib.dll (PUP.RiskwareTool.CK) -> Quarantined and deleted successfully.
    C:\Program Files (x86)\Adobe\Adobe Photoshop CS6\amtlib.dll (PUP.RiskwareTool.CK) -> Quarantined and deleted successfully.

    (end)


    Thank you kindly in advance for your assistance!
     

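The two Broken.OpenCommand items in the log above (scrfile and regfile handlers pointing at NOTEPAD.EXE) are worth re-checking after any cleanup, because a changed default handler for .scr or .reg files is a common side effect of both malware and overzealous tweaking tools. The following read-only PowerShell check is an added example, not something posted in the thread or part of the MajorGeeks procedure; it assumes the "Good" values MBAM reported are the expected defaults and changes nothing.

```powershell
# Added example (not from the thread): compare HKCR\scrfile and HKCR\regfile
# shell\open\command defaults against the values MBAM reported as "Good".
# Run from an elevated PowerShell on Windows 7 or later. Read-only: it only reports.

# Expected defaults, taken from the "Good:" column of the 2012-12-08 MBAM log.
$expected = @{
    'scrfile' = '"%1" /S'
    'regfile' = 'regedit.exe "%1"'
}

function Get-OpenCommand {
    param([string]$ProgId)
    $key = "Registry::HKEY_CLASSES_ROOT\$ProgId\shell\open\command"
    if (-not (Test-Path -Path $key)) { return $null }
    # The (Default) value of the command key holds the handler command line.
    return (Get-Item -Path $key).GetValue('')
}

foreach ($progId in $expected.Keys) {
    $actual = Get-OpenCommand -ProgId $progId
    if ($null -eq $actual) {
        Write-Output "$progId : shell\open\command key is missing"
    } elseif ($actual.Trim() -ieq $expected[$progId]) {
        Write-Output "$progId : OK ($actual)"
    } else {
        # This is the case the log showed: Bad: (NOTEPAD.EXE "%1")
        Write-Warning "$progId : unexpected handler '$actual' (expected '$($expected[$progId])')"
    }
}
```

If a handler is reported as unexpected, restoring it is a job for the cleanup tool (MBAM offered to fix these items) rather than for this script.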

  2. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Hello, krmorgan

    I am reviewing your logs and will get back to you with instructions as needed.
     
  3. krmorgan

    krmorgan Private E-2

    Thanks Doc,

    I just wanted to inform you I had duplicated this albeit an unintentional "bump" to create and attach the logs as I had originally created on 2/13/12 another forum message entitled: Determine if Malware has infected WIN7 x64.

    If it is at all possible either to merge that one with this or just out right close the original so we don't get overlapping resources or further confusion?

    I had on that day just provided the context of some observations below and had not created logs to be analyzed:

    System has not been all that reliable with various alerts and strange behavior. I have run scans using Malwarebytes and SuperAntiSpyware and only found and cleaned up tracking cookies. However I have been receiving periodic displays such as the following:

    Context:
    IntuitUpdater.exe - Corrupt File. The file or directory c:\Windows\assembly\NativeImages_v4.0.030319_32\System.Xml.Linq is corrupt and unreadable. Please run the Chkdsk utility. Problem is this Win7 x64 has a Solid State Disk drive and I have been informed by Lenovo support that you cannot run fix or recover check disk operations on a SSD. I recall having a similar alert for DivX, as I am not convinced the updater program is functioning. Also encountered a pop-up dialog after starting up that was asking me to choose a program to open a file. I was able to trace this file name to "Kevin" and it was found in the directory path of: Computer > Windows7_OS (C:) > Users. When the file is opened using NotePad the contents said: The given profile is not found. AVG-Free 2013 and Comodo Firewall have not detected or quarantined anything malicious. Malwarebytes did quarantine on 12/8/2012 4 files attributed to vendor PUP.RiskwareTool.CK, so there has been some prior history of Malware on this computer. At this stage I would like assistance in determining if the computer is still infected, so please send me a list of instructions that I'll need to follow to disable any software before running diagnostic reports to be analyzed with recommendations on the next steps.

    Thanks, Kevin

    P.S. Here are my computer system details in case it at all matters in applying the solutions:

    3443CTO ThinkPad X1
    Processor 2.30 gigahertz Intel Core i5-3427U
    Operating system Windows 7 Professional (x64) Service Pack 1 (build 7601)
    Total memory 8 GB PC3-10600 DDR3L
    Hard drive 256GB Solid State Drive SATA3
     
  4. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Hello, krmorgan

    Did you run Defogger as requested in Step 4 of the R&R ME FIRST guide?
    Also, are you using a proxy server?

    Uninstall:
    Java 7 Update 9 <--- outdated software

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista/Windows7, don't double click, use right-click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Please download OTM by Old Timer and save it to your Desktop.
    • Right-click OTM.exe and select Run as administrator to run it.
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
      (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of the code box
    Code:
    :Processes
    killallprocesses
    
    :Files
    C:\Users\Kevin Morgan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Spotify.lnk
    C:\Users\Kevin Morgan\AppData\Roaming\Spotify
    C:\ProgramData\Authentium
    C:\ProgramData\Norton
    C:\Program Files (x86)\Common Files\Symantec Shared
    
    :Reg
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "Spotify Web Helper"=-
    
    :Commands
    [purity]
    [EMPTYFLASH]
    [EmptyTemp]
    [start explorer]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large MoveIt! button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be
    saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach
    this log file to your next message.

    Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach the JRT.txt to your next message.

    Please download and run Norton Removal Tool 20.0.0.21, then re-boot your pc.

    *Double-clicking something - please re-run RogueKiller... just a scan only and attach the new log.

    Now install the latest Sun Java Runtime Environment.

    Then run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Windows 7, use right click and select Run As Administrator).

    Please answer the questions that I asked and attach the below logs:
    • C:\MGlogs.zip
    • C:\_OTM\MovedFiles log
    • JRT.txt
    • updated RKreport.txt

    How is your pc running now?
     
  5. krmorgan

    krmorgan Private E-2

    I feel as if we are making progress, but we are not quite there yet for various reasons:
    1) When I have suspended the computer for the night and closed the lid on the laptop, when I return in the morning the computer fan is on and active ... so I feel as if the computer is being remotely turned on and woken up.
    2) I thought Spotify was like Pandora, so I was rather surprised this is Adware. Along this similar theme are the logs showing "Smilebox" and if this is Adware, then I am not convinced it has been cleaned from this computer.
    3) When executing CCleaner I am still getting a dialog CCleaner64.exe - Corrupt File which is the same symptom I have been having with apparent damage from Malware. But these programs seem to function so I am not certain what to make of this?
    http://imageshack.us/photo/my-images/21/ccleaner64execorruptfil.jpg/
    4) I can resolve the Registry Fragmentation using CCleaner but I cannot get a similar utility of System Mechanic Professional to defragment the Registry. Sys Mech Pro did defragment the registry before getting infected while rebooting the computer prior to system profile user id and password prompt - it functioned similar to Check Disk but I have doubts since this was my original question on whether you can even run chkdsk on a Solid State Disk?
    http://imageshack.us/photo/my-images/841/ccleanerregistryfragmen.jpg/
    http://imageshack.us/photo/my-images/267/systemmechanicproregist.jpg/

    Doc, the bottom line is I am concerned about getting those corrupt file notifications, as that seems to indicate the infection may have corrupted programs: when I uninstall CCleaner and reinstall it, I still get the same error message dialog with the yellow triangle appearing in the taskbar ... Please let me know what the next steps are if you discover more Malware, and if not, if it is your position that I deal with the Software forum, then I will need some instructions on how to "transfer" this post over to them. Thank you for your thoroughness in taking the time to assist me as I really appreciate it! Kevin
     


  8. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    You're very welcome, Kevin.
    I will only present what I have read - that it's ok to run CHKDSK on a SSD this way:
    1. Check the box that says "Automatically fix file system errors"
    2. Uncheck the box that says "Scan for and attempt recovery of bad sectors"

    *I do feel that you have way too many applications and services running, and would benefit from using a startup manager. See ---> Dealing with Startup Processes

    I am not finding any additional malware. We can run an online scan; but I have doubts that your problems will be solved in this forum.

    Using ESET's Online Scanner

    Please attach the ESETScan.txt after the scan completes.

    NOTE: When you post in the software forum about your problems, you can include this thread's link for referral ---> http://forums.majorgeeks.com/showthread.php?t=273457
     
  9. krmorgan

    krmorgan Private E-2

    Doc,

    My reply is in blue text. ESET discovered more Malware = False Positives? Need your insight into whether any further steps need to be done to make sure the system is clean. Unfortunately, I am not making any progress in resolving the Check Disk cancellation.

    I have executed chkdsk.exe in read-only mode and attached the screen capture (chkdsk.exe read-only mode.jpg) to illustrate that either previous Blue Screens or forced power downs have most likely been the contributing factor to either the registry, drivers or the file location or file itself becoming corrupt and unreadable. My takeaway is that these errors are warnings and not fatal errors, as from what I can tell the programs' functionality seems fine, at least on the surface. Microsoft recommends three avenues of resolution: 1) the MS community 2) the OEM, which in this situation I have a case open on with Lenovo ThinkPlus Priority Support 3) Direct support by MS, which is subject to billing expenses. I'm going to be working 1+2 in parallel with MG.

    Already did this but thanks!!! I am not sure if I am at the end of the road with your team's insight, but nonetheless appreciate your professionalism and recommendations made thus far!
     


  10. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    The only False Positive was C:\MGtools\Process.exe; OpenCandy and variants of Win32/Bundled.Toolbar.Ask are undesirables. The primary concern with using any of the applications suggested in the "Dealing With Startup Processes" link is first determining what programs you actually need to start at bootup; any others can be manually started and ended as you need them. Once you've determined that, the hard part is over and you only have to choose an application that you are comfortable with.

    However, I feel that determining the health of your SSD, then your OS, and finally controlling startups is the proper order of things...this is beyond the scope of the malware removal forum. I'll now give instructions for cleaning up after running our removal procedures and hope that you will ask for further help in our Software forum. There are some very knowledgeable techs who hang out there!

    * If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware. It provides no "real-time" protection unless you purchase it and does not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. Go back to step 4 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    3. If running Vista or Win 7, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    4. Go to add/remove programs and uninstall HijackThis.
    5. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others) and running MGclean.bat did not remove them, you can delete these files now.
    7. Any other miscellaneous tools we may have had you install or download can be uninstalled and/or deleted.
    8. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 6 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work through the below link:
    Safe surfing!
     
  11. krmorgan

    krmorgan Private E-2

    Doc, my comments are below in blue text as a final level set to close this post. Thank you kindly for your knowledge and can-do attitude of support!!!

    I will be sure to give you THANKS! on all of these posts ...
     
  12. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    You're welcome, Kevin!

    Best wishes for a quick and successful remedy to your pc's problems.
    dr.m
     
