
MBAM detects (PUP.Optional.Bandoo)


13 replies to this topic

#1 Gray ENG

Gray ENG

  • Members
  • 25 posts
  • OFFLINE
  • Local time:10:42 AM

Posted 20 October 2013 - 07:46 AM

Hi All,

First time in a couple of years I have had any malware problem! Can someone assist please.

 

 

C:\Users\Work\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3YFCAY4K\mDesktopSetup1.6b4OC.exe (PUP.Optional.OpenCandy) -> Quarantined and deleted successfully.
C:\Users\Work\Downloads\mDesktopSetup1.6b4OC.exe (PUP.Optional.OpenCandy) -> Quarantined and deleted successfully.
E:\My Documents\Temp\AAGymlnn.exe.part (PUP.Optional.Bandoo) -> Quarantined and deleted successfully.

 

Detected yesterday during a full scan. Previous scan on 3rd October using MBAM was clean.

Open Candy installed with a multiple window manager - not overly concerned

 

Worried about PUP.Optional.Bandoo - some sites say it steals passwords, others say it tracks sites you visit. What exactly does it do? This is my home PC which I use for work - am I going to have to change passwords for both personal and work logins?

 

 

Ran AdwCleaner - log as follows

# AdwCleaner v3.009 - Report created 20/10/2013 at 10:57:39
# Updated 19/10/2013 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Graham - UBER2
# Running from : F:\AdwCleaner.exe
# Option : Scan
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Key Found : HKCU\Software\AppDataLow\Software\smartbar
Key Found : HKCU\Software\Conduit
Key Found : HKCU\Software\OCS
Key Found : [x64] HKCU\Software\Conduit
Key Found : [x64] HKCU\Software\OCS
Key Found : HKLM\SOFTWARE\Classes\AppID\{4D076AB4-7562-427A-B5D2-BD96E19DEE56}
Key Found : HKLM\SOFTWARE\Classes\AppID\secman.DLL
Key Found : HKLM\SOFTWARE\Classes\CLSID\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{826D7151-8D99-434B-8540-082B8C2AE556}
Key Found : HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Key Found : HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8FFE}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{11549FE4-7C5A-4C17-9FC3-56FC5162A994}
Key Found : HKLM\Software\Conduit
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8FFE}
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v10.0.9200.16720
 
 
-\\ Mozilla Firefox v24.0 (en-GB)
 
[ File : C:\Users\Graham\AppData\Roaming\Mozilla\Firefox\Profiles\xw5isgl8.default\prefs.js ]
 
 
[ File : C:\Users\Work\AppData\Roaming\Mozilla\Firefox\Profiles\qwyzerd8.default\prefs.js ]
 
 
*************************
 
AdwCleaner[R0].txt - [1650 octets] - [20/10/2013 10:57:39]
 
########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [1710 octets] ##########

 

 

MBAM reports clean today

Kaspersky reports clean today.

 

Please advise.

Kind Regards

Graham


Edited by Orange Blossom, 20 October 2013 - 08:26 AM.
Moved to AII. ~ OB




#2 cryptodan

cryptodan

    Bleepin Madman


  • Members
  • 21,868 posts
  • OFFLINE
  • Gender:Male
  • Location:Catonsville, Md
  • Local time:09:42 AM

Posted 20 October 2013 - 09:17 AM

Can you post all of the Malwarebytes log?

#3 Gray ENG

Gray ENG
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  • Local time:10:42 AM

Posted 20 October 2013 - 09:31 AM

Hi Bleepin Madman,

 

Sure

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org
 
Database version: v2013.10.19.03
 
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16721
Graham :: UBER2 [limited]
 
19/10/2013 18:44:42
mbam-log-2013-10-19 (18-44-42).txt
 
Scan type: Full scan (C:\|D:\|E:\|F:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 499520
Time elapsed: 32 minute(s), 12 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 3
C:\Users\Work\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3YFCAY4K\mDesktopSetup1.6b4OC.exe (PUP.Optional.OpenCandy) -> Quarantined and deleted successfully.
C:\Users\Work\Downloads\mDesktopSetup1.6b4OC.exe (PUP.Optional.OpenCandy) -> Quarantined and deleted successfully.
E:\My Documents\Temp\AAGymlnn.exe.part (PUP.Optional.Bandoo) -> Quarantined and deleted successfully.
 
(end)

 

 

 

Today's scan

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org
 
Database version: v2013.10.19.03
 
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16721
Graham :: UBER2 [limited]
 
20/10/2013 10:31:51
mbam-log-2013-10-20 (10-31-51).txt
 
Scan type: Full scan (C:\|D:\|E:\|F:\|H:\|I:\|J:\|K:\|L:\|M:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 509248
Time elapsed: 24 minute(s), 10 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 0
(No malicious items detected)
 
(end)

 

 

Hope this helps

Graham
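The two MBAM 1.75 logs above (19/10 with three detections, 20/10 clean) follow a fixed text layout, and triage is easier when they are parsed rather than read by eye. The script below is an added example, not something posted in this thread or shipped by Malwarebytes: it parses the header, the per-section "Detected: N" counts and each detection line (item, threat name, action), flags the "[limited]" tag on the account line that shows the scan ran from a non-administrator account, and diffs two scans to list detections that are new, resolved or persisting. The embedded logs are excerpts of the ones posted in this thread; the field names in the returned dictionaries are this example's own choice.

```python
import re
from collections import Counter

# Excerpts of the two MBAM logs posted in this thread, embedded so the script runs offline.
MBAM_LOG_19 = r"""Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.10.19.03

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16721
Graham :: UBER2 [limited]

19/10/2013 18:44:42
mbam-log-2013-10-19 (18-44-42).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|)
Objects scanned: 499520
Time elapsed: 32 minute(s), 12 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Files Detected: 3
C:\Users\Work\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3YFCAY4K\mDesktopSetup1.6b4OC.exe (PUP.Optional.OpenCandy) -> Quarantined and deleted successfully.
C:\Users\Work\Downloads\mDesktopSetup1.6b4OC.exe (PUP.Optional.OpenCandy) -> Quarantined and deleted successfully.
E:\My Documents\Temp\AAGymlnn.exe.part (PUP.Optional.Bandoo) -> Quarantined and deleted successfully.

(end)
"""

MBAM_LOG_20 = r"""Malwarebytes Anti-Malware 1.75.0.1300
Database version: v2013.10.19.03
Graham :: UBER2 [limited]
20/10/2013 10:31:51
Scan type: Full scan (C:\|D:\|E:\|F:\|H:\|I:\|J:\|K:\|L:\|M:\|)
Objects scanned: 509248
Time elapsed: 24 minute(s), 10 second(s)

Files Detected: 0
(No malicious items detected)

(end)
"""

# "<section> Detected: <count>" opens a section; detection lines are "<item> (<threat>) -> <action>."
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+) Detected: (?P<count>\d+)$")
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")
# "user :: HOST [limited|administrator]" records which account ran the scan.
ACCOUNT_RE = re.compile(r"^(?P<user>.+?) :: (?P<host>\S+)(?: \[(?P<priv>[a-z]+)\])?$")
HEADER_KEYS = ("Database version", "Scan type", "Objects scanned", "Time elapsed")


def parse_mbam_log(text):
    """Return {'header': {...}, 'counts': {section: n}, 'detections': [...]} for one MBAM 1.x log."""
    report = {"header": {}, "counts": {}, "detections": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in ("(end)", "(No malicious items detected)"):
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            report["counts"][section] = int(m.group("count"))
            continue
        if section is not None:
            d = DETECTION_RE.match(line)
            if d:
                report["detections"].append({"section": section, **d.groupdict()})
                continue
        for key in HEADER_KEYS:
            if line.startswith(key + ":"):
                report["header"][key] = line.split(":", 1)[1].strip()
        a = ACCOUNT_RE.match(line)
        if a and " :: " in line:
            report["header"]["account"] = f"{a.group('user')} :: {a.group('host')}"
            report["header"]["limited_account"] = a.group("priv") == "limited"
    return report


def threat_counts(report):
    """Number of detections per threat name, e.g. to see how many families are involved."""
    return Counter(d["threat"] for d in report["detections"])


def compare_scans(before, after):
    """Diff two parsed logs on (item, threat): what appeared, what was cleared, what persists."""
    key = lambda d: (d["item"], d["threat"])
    b = {key(d): d for d in before["detections"]}
    a = {key(d): d for d in after["detections"]}
    return {
        "new": [a[k] for k in a if k not in b],
        "resolved": [b[k] for k in b if k not in a],
        "persisting": [a[k] for k in a if k in b],
    }


if __name__ == "__main__":
    r19, r20 = parse_mbam_log(MBAM_LOG_19), parse_mbam_log(MBAM_LOG_20)
    print("scan ran from limited account:", r19["header"]["limited_account"])
    print("threats on 19/10:", dict(threat_counts(r19)))
    print("diff 19/10 -> 20/10:", {k: len(v) for k, v in compare_scans(r19, r20).items()})
```

The "limited_account" flag is the detail cryptodan's next reply acts on: a scan run from a limited account can miss locations it cannot read, so a clean result from such a scan is weaker evidence than one run as administrator.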



#4 cryptodan

cryptodan

    Bleepin Madman


  • Members
  • 21,868 posts
  • OFFLINE
  • Gender:Male
  • Location:Catonsville, Md
  • Local time:09:42 AM

Posted 20 October 2013 - 09:59 AM

Can you re-run Malwarebytes, but this time as administrator, by right-clicking on the executable and selecting Run As.

Same with AdwCleaner.

#5 Gray ENG

Gray ENG
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  • Local time:10:42 AM

Posted 20 October 2013 - 10:00 AM

I should add that my concerns were raised because my PC would start running very slow after about 30-60 minutes of use (I only had to have the PC switched on and not actually doing anything) and only a reboot would fix the problem, but it would always come back. This happened at the start of October but MBAM came back clean; when this behaviour started again yesterday, this was the first sign of something, and from what I can find out about Bandoo, it will occupy the resources of the PC.


OK - will rerun as administrator


Edited by Gray ENG, 20 October 2013 - 10:01 AM.


#6 Gray ENG

Gray ENG
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  • Local time:10:42 AM

Posted 20 October 2013 - 11:26 AM

Please find both scans run as administrator

 

 

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org
 
Database version: v2013.10.19.03
 
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16721
Graham :: UBER2 [limited]
 
20/10/2013 15:47:34
mbam-log-2013-10-20 (15-47-34).txt
 
Scan type: Full scan (C:\|D:\|E:\|F:\|H:\|I:\|J:\|K:\|L:\|M:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 509347
Time elapsed: 28 minute(s), 45 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 0
(No malicious items detected)
 
(end)

 

 

 

# AdwCleaner v3.009 - Report created 20/10/2013 at 16:17:12
# Updated 19/10/2013 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Graham - UBER2
# Running from : F:\AdwCleaner.exe
# Option : Scan
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v10.0.9200.16720
 
 
-\\ Mozilla Firefox v24.0 (en-GB)
 
[ File : C:\Users\Graham\AppData\Roaming\Mozilla\Firefox\Profiles\xw5isgl8.default\prefs.js ]
 
 
[ File : C:\Users\Work\AppData\Roaming\Mozilla\Firefox\Profiles\qwyzerd8.default\prefs.js ]
 
 
*************************
 
AdwCleaner[R0].txt - [1806 octets] - [20/10/2013 10:57:39]
AdwCleaner[R1].txt - [769 octets] - [20/10/2013 16:17:12]
AdwCleaner[S0].txt - [1815 octets] - [20/10/2013 10:58:52]
 
########## EOF - C:\AdwCleaner\AdwCleaner[R1].txt - [888 octets] ##########



#7 Gray ENG

Gray ENG
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  • Local time:10:42 AM

Posted 20 October 2013 - 11:28 AM

Can you tell me what PUP.Optional.Bandoo does? From reading around, some sites say it steals passwords, others say it tracks sites you visit. What exactly does it do? This is my home PC which I use for work - am I going to have to change passwords for both personal and work logins?

 

Thanks

Graham



#8 cryptodan

cryptodan

    Bleepin Madman


  • Members
  • 21,868 posts
  • OFFLINE
  • Gender:Male
  • Location:Catonsville, Md
  • Local time:09:42 AM

Posted 20 October 2013 - 11:35 AM

It's a Potentially Unwanted Program, which could be malicious or benign in nature; it all depends on what the coder or maker did to it, and that will determine the nature of the program.

#9 Gray ENG

Gray ENG
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  • Local time:10:42 AM

Posted 20 October 2013 - 12:43 PM

It's weird, I cannot find much info on it. I cross-referenced the name Bandoo against VirusTotal and other vendors' names, but that was pretty unfruitful and just led to me getting more confused about whether it was dangerous or not.



#10 cryptodan

cryptodan

    Bleepin Madman


  • Members
  • 21,868 posts
  • OFFLINE
  • Gender:Male
  • Location:Catonsville, Md
  • Local time:09:42 AM

Posted 20 October 2013 - 12:48 PM

If you are concerned about having passwords stolen, then I recommend you change them all after you have removed the PUPs.

#11 Gray ENG

Gray ENG
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  • Local time:10:42 AM

Posted 21 October 2013 - 01:43 PM

I think I have reconstructed what has happened and believe I am safe.

 

I can see from my Firefox browser history that I was browsing the PESedit site and was downloading some updates for Pro Evolution Soccer. The link I used took me to uploaded.net, but this file launched a number of other browser windows and one of these was the iLivid page - I saw the link to iLivid and thought I would give it a try, started the download and cancelled it. The file sits on my PC as AAGymlnn.exe.PART and was never fully downloaded. VirusTotal identifies that the iLivid install is 1,628,904 bytes; I had also downloaded 1,628,904 bytes, but by virtue of the file still being .PART I assume I cancelled it before it was renamed.

 

I never ran the file and, other than my hard drive starting to thrash around after 30 minutes or so, I have no symptoms - no home page redirects.

 

So does this sound like I am clean and maybe just have a dodgy hard drive?
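The reasoning in the post above rests on two observations about the quarantined file: its size matched the installer's size on VirusTotal, and its .part suffix (the name Firefox gives an in-progress download) shows it was never renamed, i.e. never completed. Size alone cannot tell two files apart, so the check a practitioner would actually do is to hash the file and compare the digest against the sample's known hash. The script below is an added example, not code from this thread or from any of the tools mentioned in it: it reports size, SHA-256, whether the size matches an expected value, whether the file is still a .part download, and whether the digest appears in a caller-supplied list of known hashes. The demo writes a small constructed stand-in file; the real .part file's hash is not on this page, so the known-hash entry is a placeholder.

```python
import hashlib
import tempfile
from pathlib import Path

# Size VirusTotal reported for the iLivid installer, as stated in the post above.
EXPECTED_ILIVID_SIZE = 1_628_904


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large downloads are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def assess_download(path, expected_size, known_hashes=()):
    """Describe a downloaded file well enough to decide whether it is a known sample."""
    p = Path(path)
    size = p.stat().st_size
    digest = sha256_of_file(p)
    return {
        "name": p.name,
        "size": size,
        "sha256": digest,
        # Equal size is consistent with the known sample but does not prove identity.
        "size_matches_expected": size == expected_size,
        # A .part suffix means the browser never finished and renamed the download.
        "still_partial": p.suffix.lower() == ".part",
        # Only a digest match ties the file to a specific known sample.
        "known_hash_match": digest.lower() in {h.lower() for h in known_hashes},
    }


def demo():
    """Run the assessment on a constructed stand-in for AAGymlnn.exe.part (3 bytes of 'abc')."""
    with tempfile.TemporaryDirectory() as d:
        sample = Path(d) / "AAGymlnn.exe.part"
        sample.write_bytes(b"abc")
        # Placeholder: substitute the SHA-256 from the vendor report for a real file.
        placeholder_known = ("<sha256 of the known iLivid installer goes here>",)
        return assess_download(sample, expected_size=3, known_hashes=placeholder_known)


if __name__ == "__main__":
    for field, value in demo().items():
        print(f"{field}: {value}")
```

For the real file the call would be assess_download(r"E:\My Documents\Temp\AAGymlnn.exe.part", EXPECTED_ILIVID_SIZE, known_hashes=[...]); a matching size with still_partial True is exactly the situation described above, and the SHA-256 is what to look up rather than the size.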



#12 cryptodan

cryptodan

    Bleepin Madman


  • Members
  • 21,868 posts
  • OFFLINE
  • Gender:Male
  • Location:Catonsville, Md
  • Local time:09:42 AM

Posted 21 October 2013 - 05:34 PM

I would consider your computer clean.

#13 glynch8030

glynch8030

  • Members
  • 3 posts
  • OFFLINE
  • Local time:01:42 AM

Posted 16 November 2013 - 12:58 PM

Please help me. I removed PUP.Optional.Bandoo.A using MBAM, but it keeps being placed back into the registry. How do I remove the source on my computer that keeps re-inserting this malware?

 

Greg



#14 cryptodan

cryptodan

    Bleepin Madman


  • Members
  • 21,868 posts
  • OFFLINE
  • Gender:Male
  • Location:Catonsville, Md
  • Local time:09:42 AM

Posted 16 November 2013 - 06:39 PM

glynch, please start your own thread.



