
Zbot issues [Solved]


36 replies to this topic

#16 ----------------


Posted 02 December 2013 - 03:40 AM

What I meant with "marked for deletion" was that FRST listed them as they should be deleted - not that they are marked for deletion by NTFS.

 

Yes, the files respawn with the same name every time, but the name itself seems to be generated randomly (which is a known behaviour of many infections).

 

Sorry for misunderstanding the YouTube video - I thought you'd removed something following the instructions in the video.

I apologize! (Truth to tell, there are sometimes people who try to fix their machines with these tools on their own - that's why we are a bit sensitive about such things.)

 

I'll reply as soon as I have the files analyzed. Please be patient with me in the meantime.


Proud Member of UNITE & TB
 



#17 ----------------


Posted 02 December 2013 - 04:03 AM

Fix with FRST (normal mode)
 

  • Open notepad (Start =>All Programs => Accessories => Notepad).
  • Please copy the entire contents of the code box below.
    (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste).
  • Save it to the same directory as frst.exe (or frst64.exe) as fixlist.txt.

    SearchScopes: HKLM - {2fa28606-de77-4029-af96-b231e3b8f827} URL = http://search.ask.co...&l=dis&o=HPDTDF
    SearchScopes: HKLM-x32 - DefaultScope {92C7AD02-E1BE-4C52-8BF2-20590FA6838C} URL =
    SearchScopes: HKLM-x32 - {2fa28606-de77-4029-af96-b231e3b8f827} URL = http://search.ask.co...&l=dis&o=HPDTDF
    SearchScopes: HKCU - DefaultScope {92C7AD02-E1BE-4C52-8BF2-20590FA6838C} URL = http://search.condui...2368384306&UM=2
    SearchScopes: HKCU - {2fa28606-de77-4029-af96-b231e3b8f827} URL = http://search.ask.co...&l=dis&o=HPDTDF
    SearchScopes: HKCU - {92C7AD02-E1BE-4C52-8BF2-20590FA6838C} URL = http://search.condui...2368384306&UM=2
    FF Keyword.URL: hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3289663&SearchSource=2&CUI=UN15171913752729131&UM=2&q=
    2013-11-30 15:46 - 2013-11-30 15:46 - 00004897 _____ C:\ProgramData\giiynunu.mau
    2013-11-30 15:46 - 2013-11-30 15:46 - 00004867 _____ C:\ProgramData\zmlomobd.kxh
    AlternateDataStreams: C:\Windows:AstInfo
    AlternateDataStreams: C:\Windows:nlsPreferences
    AlternateDataStreams: C:\ProgramData\Temp:D287FACF
    AlternateDataStreams: C:\ProgramData\Temp:D3A96964
    
    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
  • Run frst.exe (on 64bit, run frst64.exe) and press the Fix button just once and wait.
  • The tool will make a log (Fixlog.txt) which you find where you saved FRST. Please post it to your reply.

 

 

 

Scan with ESET Online Scan

Please go here to run the online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click 'List of found threats', then click 'Export to text file'.
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.


 

#18 hspindel


Posted 02 December 2013 - 04:18 AM

Thanks for the explanation re: "should be deleted" and random names.

 

No problem re: the Youtube video. 

 

Anytime you have time to look at this is great - I realize this isn't your day job!  :-)



#19 hspindel


Posted 02 December 2013 - 04:34 AM

The message I received via email is different from the message posted here.  After running FRST64, the email says to run MalwareBytes.  The post here says to run ESET.  Which is correct?

 

Here is fixlog.txt:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 01-12-2013
Ran by howard at 2013-12-02 02:28:01 Run:1
Running from E:\download\Farbar
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
SearchScopes: HKLM - {2fa28606-de77-4029-af96-b231e3b8f827} URL = http://search.ask.co...&l=dis&o=HPDTDF
SearchScopes: HKLM-x32 - DefaultScope {92C7AD02-E1BE-4C52-8BF2-20590FA6838C} URL =
SearchScopes: HKLM-x32 - {2fa28606-de77-4029-af96-b231e3b8f827} URL = http://search.ask.co...&l=dis&o=HPDTDF
SearchScopes: HKCU - DefaultScope {92C7AD02-E1BE-4C52-8BF2-20590FA6838C} URL = http://search.condui...2368384306&UM=2
SearchScopes: HKCU - {2fa28606-de77-4029-af96-b231e3b8f827} URL = http://search.ask.co...&l=dis&o=HPDTDF
SearchScopes: HKCU - {92C7AD02-E1BE-4C52-8BF2-20590FA6838C} URL = http://search.condui...2368384306&UM=2
FF Keyword.URL: hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3289663&SearchSource=2&CUI=UN15171913752729131&UM=2&q=
2013-11-30 15:46 - 2013-11-30 15:46 -
00004897 _____ C:\ProgramData\giiynunu.mau
2013-11-30 15:46 - 2013-11-30 15:46 - 00004867 _____ C:\ProgramData\zmlomobd.kxh
AlternateDataStreams: C:\Windows:AstInfo
AlternateDataStreams: C:\Windows:nlsPreferences
AlternateDataStreams: C:\ProgramData\Temp:D287FACF
AlternateDataStreams: C:\ProgramData\Temp:D3A96964

*****************

HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827} => Key deleted successfully.
HKCR\CLSID\{2fa28606-de77-4029-af96-b231e3b8f827} => Key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value deleted successfully.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827} => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{2fa28606-de77-4029-af96-b231e3b8f827} => Key not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => Value deleted successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827} => Key deleted successfully.
HKCR\CLSID\{2fa28606-de77-4029-af96-b231e3b8f827} => Key not found.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{92C7AD02-E1BE-4C52-8BF2-20590FA6838C} => Key not found.
HKCR\CLSID\{92C7AD02-E1BE-4C52-8BF2-20590FA6838C} => Key not found.
Firefox Keyword.URL deleted successfully.
"2013-11-30 15:46 - 2013-11-30 15:46 -" => File/Directory not found.
C:\ProgramData\zmlomobd.kxh => Moved successfully.
C:\Windows => ":AstInfo" ADS removed successfully.
C:\Windows => ":nlsPreferences" ADS removed successfully.
C:\ProgramData\Temp => ":D287FACF" ADS removed successfully.
C:\ProgramData\Temp => ":D3A96964" ADS removed successfully.

==== End of Fixlog ====
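A small check for the fixlist format used above, as an added example (not FRST's or the forum's own code). The Fixlog shows the first file entry was applied as the bare text "2013-11-30 15:46 - 2013-11-30 15:46 -" and reported "File/Directory not found", because its size and path had wrapped onto the next line, so only zmlomobd.kxh was moved. The script recognises the entry shapes in this fixlist (SearchScopes, FF Keyword.URL, dated file entries, AlternateDataStreams), flags such a wrapped entry and re-joins it before the list is saved; the sample fixlist is constructed from the lines in this thread.

```python
# Sanity-check an FRST fixlist before pressing Fix (added example, not FRST code).
import re
from dataclasses import dataclass

# Constructed from the fixlist posted above, including the file entry that was
# split over two lines and came back as "File/Directory not found" in the Fixlog.
FIXLIST = r"""
SearchScopes: HKLM - {2fa28606-de77-4029-af96-b231e3b8f827} URL = http://search.ask.co...&l=dis&o=HPDTDF
SearchScopes: HKLM-x32 - DefaultScope {92C7AD02-E1BE-4C52-8BF2-20590FA6838C} URL =
FF Keyword.URL: hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3289663&SearchSource=2&CUI=UN15171913752729131&UM=2&q=
2013-11-30 15:46 - 2013-11-30 15:46 -
00004897 _____ C:\ProgramData\giiynunu.mau
2013-11-30 15:46 - 2013-11-30 15:46 - 00004867 _____ C:\ProgramData\zmlomobd.kxh
AlternateDataStreams: C:\Windows:AstInfo
"""

DATE_PAIR = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d{4}-\d{2}-\d{2} \d{2}:\d{2} -"
FILE_ENTRY = re.compile(DATE_PAIR + r" (\d{8}) _+ (.+)$")   # complete dated file line
WRAPPED_HEAD = re.compile(DATE_PAIR + r"\s*$")              # date pair with nothing after it
WRAPPED_TAIL = re.compile(r"^(\d{8}) _+ (.+)$")             # orphaned "size _____ path"
SEARCH_SCOPE = re.compile(r"^SearchScopes: (HK\w+(?:-x32)?) - (.+?) URL = ?(.*)$")
FF_KEYWORD = re.compile(r"^FF Keyword\.URL: (.+)$")
ADS = re.compile(r"^AlternateDataStreams: (.+):([^:\\]+)$")

@dataclass
class Entry:
    kind: str    # "registry", "firefox", "file", "ads" or "unknown"
    target: str  # what FRST will act on
    ok: bool     # False when FRST would not apply the line as intended

def repair_wrapped_lines(lines):
    """Re-join a file entry whose size/path half landed on the next line."""
    out, i = [], 0
    while i < len(lines):
        line = lines[i].strip()
        nxt = lines[i + 1].strip() if i + 1 < len(lines) else ""
        if WRAPPED_HEAD.match(line) and WRAPPED_TAIL.match(nxt):
            out.append(line + " " + nxt)
            i += 2
        else:
            out.append(line)
            i += 1
    return out

def parse_fixlist(text):
    """Classify each non-blank line; wrapped or unrecognised lines get ok=False."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := FILE_ENTRY.match(line):
            entries.append(Entry("file", m.group(2), True))
        elif WRAPPED_HEAD.match(line):
            # FRST takes the bare date pair as the path, hence "File/Directory not found"
            entries.append(Entry("file", line, False))
        elif WRAPPED_TAIL.match(line):
            # the real path, but without its date prefix it is not a valid entry
            entries.append(Entry("unknown", line, False))
        elif m := SEARCH_SCOPE.match(line):
            entries.append(Entry("registry", m.group(1) + "\\" + m.group(2), True))
        elif FF_KEYWORD.match(line):
            entries.append(Entry("firefox", "Keyword.URL", True))
        elif m := ADS.match(line):
            entries.append(Entry("ads", m.group(1) + ":" + m.group(2), True))
        else:
            entries.append(Entry("unknown", line, False))
    return entries

def problems(entries):
    """Entries to fix by hand before saving the list as fixlist.txt."""
    return [e for e in entries if not e.ok]
```

Run `problems(parse_fixlist(FIXLIST))` to see the two halves of the split entry, and `repair_wrapped_lines(FIXLIST.splitlines())` to get a list with that entry re-joined.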



#20 hspindel


Posted 02 December 2013 - 04:46 AM

I just discovered that the files giiynunu.mau and zmlomobd.kxh are recreated by some program that runs during my reboot sequence (could be anything that is autorun).  Also, it is not anything recently added to my computer as backups from a couple months ago show these files present.

 

Do you know of a file watcher that would give the process name of the creating process?  The one I have (DirectoryMonitor) only tells me that the file was created.


Edited by hspindel, 02 December 2013 - 04:49 AM.


#21 ----------------


Posted 02 December 2013 - 08:32 AM

We'll see.

Please run the ESET scan now.


 

#22 hspindel


Posted 03 December 2013 - 02:21 AM

Following are the results of the eset scan, with some comments from me interspersed:

 

Comment: The following 4 reports are of some concern to me.  Do you know of a reason not to just delete them?

C:\Users\howard\AppData\Local\Bundled software uninstaller\bi_client.exe    Win32/Somoto.A application
C:\Users\howard\AppData\Local\FilesFrog Update Checker\update_checker.exe    a variant of Win32/Somoto.D application
C:\Users\howard\AppData\Local\Temp\OfferBrokerage_14111.exe    a variant of Win32/InstallIQ.A application
C:\Users\howard\AppData\Local\Temp\UpdateCheckerSetup.exe    a variant of Win32/Somoto.D application

 

Comment: I have seen many posts that Nirsoft software is unjustifiably accused of being malware.  This entry does not concern me at all.
D:\Program Files\Nirsoft\wirelessnetview\WirelessNetView.exe    probably a variant of Win32/PSWTool.WirelessNetView.A application

 

Comment: All of the files stored in "E:\download" are the original installer files.  I realize that some applications contain attempts to get you to install other software.  None of these files are executed unless I install the program, and I always say "No" to additional software.  (All of the installer files passed Norton AV, or I wouldn't have installed them.) Some of these are installers for well-known commercial software (e.g., Nero, Epson printer tools 

E:\download\CrystalDiskMark\CrystalDiskInfo5_6_2-en.exe    Win32/OpenCandy application
E:\download\CrystalDiskMark\CrystalDiskMark3_0_2f-en.exe    Win32/OpenCandy application
E:\download\EaseUS\tb_free.exe    a variant of Win32/TFTPD32.A application
E:\download\epson\wf7520\epson14460.exe    a variant of Win32/Bundled.Toolbar.Ask.D application
E:\download\FileMenuTools\FileMenuTools-setup6_5.exe    Win32/InstallMonetizer.AF application
E:\download\FreeFileSync\FreeFileSync_5.18_Windows_Setup.exe    Win32/OpenCandy application
E:\download\izarc\IZArc4.1.6.exe    Win32/OpenCandy application
E:\download\izarc\IZArc4.1.7.exe    a variant of Win32/Somoto.A application
E:\download\Nero\Nero-7.10.1.0_eng_update.exe    Win32/Toolbar.AskSBar application
E:\download\syncios\syncios.exe    Win32/OpenCandy application
E:\download\unlocker\cbsidlm-tr1_14-Unlocker-ORG-10493998.exe    Win32/DownloadAdmin.G application

 

Comment: This is my email attachment directory.  I just deleted this file.  It's not something I ever clicked on.

E:\local_eudora\attach\NatWest Login Form.html    HTML/Phishing.Gen trojan

 

Comment: This does concern me.  Wish the scanner told me which running program contained Somoto.
Operating memory    a variant of Win32/Somoto.D application



#23 ----------------


Posted 03 December 2013 - 03:37 AM

Comment: The following 4 reports are of some concern to me.  Do you know of a reason not to just delete them?

 

No - uninstall the tools they belong to/remove the files.

 

 

 

Comment: I have seen many posts that Nirsoft software is unjustifiably accused of being malware.  This entry does not concern me at all.

It is not detected as malware but as a network monitoring tool. That's ok, no action is needed. This is only for users who don't know what these programs are able to do.

 

 

 

Comment: All of the files stored in "E:\download" are the original installer files.  I realize that some applications contain attempts to get you to install other software.  None of these files are executed unless I install the program, and I always say "No" to additional software.  (All of the installer files passed Norton AV, or I wouldn't have installed them.) Some of these are installers for well-known commercial software (e.g., Nero, Epson printer tools

 

You're right - none of these files contain malware. ESET has just discovered potentially unwanted software installations within these installers or classified them as special administrative tools.

 

 

The program running within memory is one of the files within your first comment, I suggest. Somoto is a platform to provide additional software via installers just like OpenCandy, see here: http://www.sophos.co...d-analysis.aspx

 

I would recommend uninstalling the tools mentioned in your first comment, then running the following tools:

 

 

Delete junk with adwCleaner


Please download AdwCleaner to your desktop.


  • Run adwcleaner.exe
  • Hit Scan and wait for the scan to finish.
  • Confirm the message but don't uncheck anything.
  • Hit Clean
  • When the run is finished, it will open up a text file
  • Please post its contents within your next reply
  • You'll find the log file at C:\AdwCleaner[S1].txt also

 

 

 

Delete junk with JRT

Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

 

 

These programs are written by malware removal team members and will remove only things that are identified/classified as adware by the internal database.


 

#24 hspindel


Posted 03 December 2013 - 03:58 AM

I found the FilesFrogUpdateChecker in my Add/Remove Programs list.  Tried to remove it.  Got a popup that said FilesFrogUpdateChecker has stopped working.  Don't know if it uninstalled - got no confirmation of uninstallation.

 

For these three:

 

C:\Users\howard\AppData\Local\Bundled software uninstaller\bi_client.exe    Win32/Somoto.A application
C:\Users\howard\AppData\Local\Temp\OfferBrokerage_14111.exe    a variant of Win32/InstallIQ.A application
C:\Users\howard\AppData\Local\Temp\UpdateCheckerSetup.exe    a variant of Win32/Somoto.D application

 

I don't see anything in the Add/Remove Programs list that would correspond, and I don't know what program generated the files. 

 

Thanks for the pointers.


Edited by hspindel, 03 December 2013 - 04:26 AM.


#25 hspindel


Posted 03 December 2013 - 04:13 AM

AdwCleaner Log (what it cleaned looks all good to me):

 

# AdwCleaner v3.014 - Report created 03/12/2013 at 02:07:26
# Updated 01/12/2013 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : howard - QUAD64
# Running from : E:\download\adwcleaner\adwcleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\apn
Folder Deleted : C:\Program Files (x86)\Conduit
Folder Deleted : C:\Users\howard\AppData\Local\Bundled software uninstaller
Folder Deleted : C:\Users\howard\AppData\Local\FilesFrog Update Checker
Folder Deleted : C:\Users\howard\AppData\LocalLow\Conduit
Folder Deleted : C:\Users\StandardUser\AppData\Local\Temp\apn

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT3289663
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{0A18A436-2A7A-49F3-A488-30538A2F6323}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{007EFBDF-8A5D-4930-97CC-A4B437CBA777}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{058F0E48-61CA-4964-9FBA-1978A1BB060D}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{18F33C35-8EF2-40D7-8BA4-932B0121B472}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{D43B3890-80C7-4010-A95D-1E77B5924DC3}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{D43B3890-80C7-4010-A95D-1E77B5924DC3}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{D43B3890-80C7-4010-A95D-1E77B5924DC3}
Key Deleted : HKCU\Software\BI
Key Deleted : HKCU\Software\AppDataLow\Software\SmartBar
Key Deleted : HKLM\Software\systweak
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\bi_uninstaller

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.16428


-\\ Mozilla Firefox v25.0.1 (en-US)

[ File : C:\Users\howard\AppData\Roaming\Mozilla\Firefox\Profiles\fy3cpfvy.default\prefs.js ]

Line Deleted : user_pref("CT3289663.FF19Solved", "true");
Line Deleted : user_pref("CT3289663.UserID", "UN15171913752729131");
Line Deleted : user_pref("CT3289663.browser.search.defaultthis.engineName", "true");
Line Deleted : user_pref("CT3289663.fullUserID", "UN15171913752729131.IN.20130924161034");
Line Deleted : user_pref("CT3289663.installDate", "24/09/2013 16:10:36");
Line Deleted : user_pref("CT3289663.installSessionId", "{722A2C40-58EC-4839-9F91-7D439F9AF915}");
Line Deleted : user_pref("CT3289663.installSp", "TRUE");
Line Deleted : user_pref("CT3289663.installerVersion", "1.7.1.4");
Line Deleted : user_pref("CT3289663.keyword", "true");
Line Deleted : user_pref("CT3289663.originalHomepage", "about:home");
Line Deleted : user_pref("CT3289663.originalSearchAddressUrl", "");
Line Deleted : user_pref("CT3289663.originalSearchEngine", "");
Line Deleted : user_pref("CT3289663.originalSearchEngineName", "");
Line Deleted : user_pref("CT3289663.searchRevert", "false");
Line Deleted : user_pref("CT3289663.searchUserMode", "2");
Line Deleted : user_pref("CT3289663.smartbar.homepage", "true");
Line Deleted : user_pref("CT3289663.versionFromInstaller", "10.20.1.101");
Line Deleted : user_pref("CT3289663.xpeMode", "0");
Line Deleted : user_pref("Smartbar.SearchFromAddressBarSavedUrl", "");
Line Deleted : user_pref("extensions.toolbar_EPN2V7@apn.ask.com.install-event-fired", true);
Line Deleted : user_pref("smartbar.addressBarOwnerCTID", "CT3289663");
Line Deleted : user_pref("smartbar.conduitHomepageList", "hxxp://search.conduit.com/?ctid=CT3289663&CUI=UN15171913752729131&UM=2&SearchSource=13");
Line Deleted : user_pref("smartbar.conduitSearchAddressUrlList", "hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3289663&SearchSource=2&CUI=UN15171913752729131&UM=2&q=");
Line Deleted : user_pref("smartbar.defaultSearchOwnerCTID", "CT3289663");
Line Deleted : user_pref("smartbar.homePageOwnerCTID", "CT3289663");
Line Deleted : user_pref("smartbar.machineId", "HOCSJTKGPOZDIRD1NIVGVAQMCZZ4D1Z10P+IA1WONWDN0VLXWBAUF/FOFBDMC//XJRTVLAO4UDKGAALRGIE37A");

-\\ Google Chrome v31.0.1650.57

[ File : C:\Users\howard\AppData\Local\Google\Chrome\User Data\Default\preferences ]


*************************

AdwCleaner[R0].txt - [5218 octets] - [03/12/2013 02:01:25]
AdwCleaner[S0].txt - [4983 octets] - [03/12/2013 02:07:26]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [5043 octets] ##########
 


Edited by hspindel, 03 December 2013 - 04:27 AM.



#26 hspindel


Posted 03 December 2013 - 04:26 AM

JRT Log:

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.0.8 (11.05.2013:1)
OS: Windows 7 Home Premium x64
Ran by howard on Tue 12/03/2013 at  2:20:12.89
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{D2593565-CC6B-430E-8F11-C38F6F84C6EE}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{D2593565-CC6B-430E-8F11-C38F6F84C6EE}



~~~ Files



~~~ Folders



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Tue 12/03/2013 at  2:24:54.36
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 



#27 hspindel


Posted 03 December 2013 - 04:33 AM

The two questionable files in ProgramData (giiynunu.mau and zmlomobd.kxh) continue to get recreated every system boot.

 

I ran them through a string checker program to see if they contained any recognizable identifying strings.  They do not.


Edited by hspindel, 03 December 2013 - 04:41 AM.


#28 ----------------


Posted 06 December 2013 - 03:02 AM

Yes, I did that as well...weird thing, it is!

 

Please delete these files manually:

 

 

C:\Users\howard\AppData\Local\Bundled software uninstaller\bi_client.exe    Win32/Somoto.A application
C:\Users\howard\AppData\Local\Temp\OfferBrokerage_14111.exe    a variant of Win32/InstallIQ.A application
C:\Users\howard\AppData\Local\Temp\UpdateCheckerSetup.exe    a variant of Win32/Somoto.D application

 

Then rescan with ESET


 

#29 hspindel


Posted 06 December 2013 - 04:33 PM

Latest ESET scan.  As before, all of the items in e:\download are just installers.  The 18146d.msi is not a new file - it's dated 1/18/2011 - so it may be a new addition to the scanning database.  It also may be a false positive as it's identified as part of Ancestry.Com's Family Tree Maker 2011, which is an application I have installed.  Neither Norton nor MalwareBytes thinks it's malicious.

 

C:\Windows\Installer\18146d.msi    a variant of Win32/HiddenStart.A application
D:\Program Files\Nirsoft\wirelessnetview\WirelessNetView.exe    probably a variant of Win32/PSWTool.WirelessNetView.A application
E:\download\CrystalDiskMark\CrystalDiskInfo5_6_2-en.exe    Win32/OpenCandy application
E:\download\CrystalDiskMark\CrystalDiskMark3_0_2f-en.exe    Win32/OpenCandy application
E:\download\EaseUS\tb_free.exe    a variant of Win32/TFTPD32.A application
E:\download\epson\wf7520\epson14460.exe    a variant of Win32/Bundled.Toolbar.Ask.D application
E:\download\FileMenuTools\FileMenuTools-setup6_5.exe    Win32/InstallMonetizer.AF application
E:\download\FreeFileSync\FreeFileSync_5.18_Windows_Setup.exe    Win32/OpenCandy application
E:\download\izarc\IZArc4.1.6.exe    Win32/OpenCandy application
E:\download\izarc\IZArc4.1.7.exe    a variant of Win32/Somoto.A application
E:\download\Nero\Nero-7.10.1.0_eng_update.exe    Win32/Toolbar.AskSBar application
E:\download\nirsoft\wirelessnetview\wirelessnetview.zip    probably a variant of Win32/PSWTool.WirelessNetView.A application
E:\download\syncios\syncios.exe    Win32/OpenCandy application
E:\download\unlocker\cbsidlm-tr1_14-Unlocker-ORG-10493998.exe    Win32/DownloadAdmin.G application
 



#30 ----------------


Posted 08 December 2013 - 12:42 PM

 

C:\Windows\Installer\18146d.msi    a variant of Win32/HiddenStart.A application

This shows that the application has integrated functions to run in the background - it is not malware.

 

 

Then we can do the cleanup - if you are facing any issues, report that immediately.


SecurityCheck

Please download SecurityCheck: LINK1 LINK2

  • Save it to your desktop, start it and follow the instructions in the window.
  • After the scan has finished, checkup.txt will open. Copy its content to your thread.


 
