
Trojan Gen-RoboNanny - need help evicting



#1 alittlehelp

Posted 13 December 2013 - 02:53 PM

Greetings and thank you in advance for your technical support in helping me get rid of the cause of a bug that has recently caused a slowdown in my PC's performance.

I'm currently running Windows XP Pro SP3, AVG 2013, SAS, MBAM, ESET, Kaspersky TDSSKiller and CCleaner, which are all updated regularly.

I am a novice, currently learning and attempting to build a new web site in Dreamweaver with CSS and jQuery, resourced from tutorials by (seemingly) reputable websites I've used in the past. Although my site is not live yet and still undergoing tweaks, I recently encountered a problem during a cross-browser functionality test in IE8. I might first add that I never use IE as my web browser and haven't done so in 10 years. I am also not suggesting IE8 is the culprit. Although Windows is up to date, IE is not. The symptoms nearly brought my PC to a crawl and were very apparent at the very onset of my test. AVG never alerted me to any threats. I updated and ran quick MBAM, SAS, AVG and ESET scans, but all came up clean. I tried a Restore Point but it failed.
I tried again after running a full SAS scan; SAS discovered and quarantined two counts of Trojan.Agent/Gen-RoboNanny found in:
C:\program files\Macromedia\flash\mx\players\debug\install flash player.exe and
C:\program files\Macromedia\flash\mx\players\release\install flash player.exe

After rebooting, the PC was still a bit quirky and sluggish. I again ran full scans with AVG, MBAM, Kaspersky TDSSKiller, RootRepeal and ESET, which, again, all turned up clean. However, an attempt to roll back to another Restore Point failed again, which warranted reason to be concerned.

Fortunately another full SAS scan revealed and quarantined two more counts of RoboNanny compromising:
c:\system volume information\_restore{fib82c3e-2851-4fde-9535-3479aae956ff}rp1076\a0133377.exe and
c:\system volume information\_restore{fib82c3e-2851-4fde-9535-3479aae956ff}a013338.exe

I've tried to Google a "background check" on RoboNanny, but other than two mentions, including one thread here on Bleeping, there is not much on the subject. Although the current AV utilities that I've continued to rely on report no problems, I am not necessarily convinced that RoboNanny hasn't left "the door unlocked" on the way out, and could really use some expert guidance just to be sure.

 

Thanks

 





#2 quietman7

Posted 13 December 2013 - 04:47 PM

Do you have both AVG 2013 and Eset NOD32 anti-virus installed or were you referring to Eset's Online scan?

The detected _restore{GUID}\RP***\A00*****.xxx file(s) identified by your scan are in the System Volume Information folder (SVI), which is a part of System Restore. The *** after 'RP' represents a sequential number automatically assigned by the operating system. The ***** after 'A00' also represents a sequential number where the original file(s) were backed up and renamed, except for the extension. To learn more about this, refer to:

System Restore is the feature that protects your computer by monitoring a core set of system and application files and by creating backups (snapshots saved as restore points) of vital system configurations, registry and files before changes are made. These restore points can be used to "roll back" your computer to a clean working state in the event of a problem. This makes it possible to undo harmful changes to your system configurations, including registry modifications made by software or malware, by reverting the operating system's configuration to an earlier date. See What's Restored when using System Restore and What's Not.

System Restore is enabled by default and will back up the good as well as malevolent files, so when malware is present on the system it gets included in restore points as an A00***** file. If you only get a detection on a file in the SVI folder, that means the original file was on your system in another location at some point and probably has been removed. However, when you scan your system with anti-virus or anti-malware tools, you may receive an alert that a malicious file was detected in the SVI folder (in System Restore points) and moved into quarantine. When a security program quarantines a file, that file is essentially disabled and prevented from causing any harm to your system. The quarantined file is safely held there and no longer a threat. Thereafter, you can delete it at any time.

If your anti-virus or anti-malware tool cannot move the file(s) to quarantine, they sometimes can reinfect your system if you accidentally use an old restore point. If your anti-virus or anti-malware tool is able to move (quarantine) the file(s), let it do so. When an anti-virus or security program quarantines a file and moves it into a virus vault (chest) or a dedicated Quarantine folder, that file is safely held there and no longer a threat. The file is essentially disabled and prevented from causing any harm to your system through security routines which may copy, rename, encrypt and password protect the file before moving it. Quarantine is just an added safety measure which allows you to view and investigate the files while keeping them from harming your computer. When the quarantined file is known to be malicious, you can delete it at any time by launching the program which removed it, going to the Quarantine tab, and choosing the option to delete.


Each security vendor uses their own naming conventions to identify various types of malware. Names with Generic or Patched are a very broad category and differ widely from vendor to vendor.
Agent/Gen-RoboNanny <- appears to be more of a PUP/Monitoring Tool/Riskware detection as opposed to an actual trojan.

Since SAS was the only scanning engine to detect this and the detection was related to install_flash_player.exe (Macromedia Flash MX Player setup), I'm inclined to suspect the detection was a "false positive".

Adobe Flash Player normally installs in these locations:
C:\Windows\system32\Macromed\Flash
C:\Windows\SysWOW64\Macromed\Flash (if you are using a 64-bit system)
%appdata%\Adobe\Flash Player
%appdata%\Macromedia\Flash Player

Macromedia Flash MX installs in this location:
C:\Program Files\macromedia\flash mx\flash.exe


Anytime you suspect a file detection may be a false positive, get a second opinion by submitting it to one of the following online services that analyze suspicious files:
In the "File to upload & scan" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis.

You can submit the file(s) directly to SUPERAntispyware for further analysis as follows:
  • Launch SUPERAntispyware.
  • From the Main Menu, click System Tools & Program Settings.
  • Under System Tools, click Submit Malware Samples.
  • Browse to the location of the file, click on it to highlight and click Open to send it to the malware research team.
Alternatively you can report it at the False Positives Forum but they will probably ask you to submit a sample.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
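As an added example (not code from the thread or from any of the tools named in it), a small Python triage helper that decodes the _restore{GUID}\RP***\A00***** naming quietman7 describes above and checks a detection path against the Flash install locations he lists. The sample paths are the ones quoted in the thread; the category labels and the triage_all summary are my own.

```python
"""Triage scanner detections by path.

Added example, not code from the thread or any of the tools named in it. It
decodes the _restore{GUID}\\RP***\\A00***** naming quietman7 describes and
checks whether a detected file sits under one of the Flash install locations
he lists. Category labels are my own; sample paths are the ones quoted in the
thread.
"""
import re
from typing import NamedTuple, Optional

# Normal Flash Player / Flash MX locations quoted in the thread, lower-cased.
# %appdata% is left symbolic: this is a prefix comparison on the reported path.
FLASH_LOCATIONS = (
    r"c:\windows\system32\macromed\flash",
    r"c:\windows\syswow64\macromed\flash",
    r"%appdata%\adobe\flash player",
    r"%appdata%\macromedia\flash player",
    r"c:\program files\macromedia\flash mx",
)

# System Volume Information backup naming: _restore{GUID}\RP<n>\A<digits>.<ext>.
# The RP folder and some separators are optional because scan results are often
# retyped by hand, as one of the thread's paths was.
SVI_RE = re.compile(
    r"^[a-z]:\\system volume information\\_restore\{(?P<guid>[^}]+)\}"
    r"(?:\\?rp(?P<rp>\d+))?\\?a(?P<seq>\d+)\.(?P<ext>[a-z0-9]+)$",
    re.IGNORECASE,
)


class Triage(NamedTuple):
    path: str
    category: str                 # "restore_point", "flash_install" or "other"
    restore_point: Optional[int]  # RP number, if the path carried one
    sequence: Optional[int]       # the A00***** backup sequence number
    note: str


def triage(path: str) -> Triage:
    """Classify one detection path and say what the location implies."""
    p = path.strip().lower()
    m = SVI_RE.match(p)
    if m:
        rp = int(m.group("rp")) if m.group("rp") else None
        return Triage(path, "restore_point", rp, int(m.group("seq")),
                      "backup copy inside a restore point: the original lived "
                      "elsewhere and has probably already been removed; "
                      "quarantine it so an old restore point cannot reintroduce it")
    for loc in FLASH_LOCATIONS:
        if p.startswith(loc + "\\"):
            return Triage(path, "flash_install", None, None,
                          "under a documented Flash install location; a lone "
                          "detection here is a false-positive candidate")
    return Triage(path, "other", None, None,
                  "not in a documented location: submit the file for a "
                  "second-opinion scan before trusting or deleting it")


def triage_all(paths):
    """Return a {category: [paths]} summary for a batch of detections."""
    summary = {}
    for path in paths:
        summary.setdefault(triage(path).category, []).append(path)
    return summary
```

Note that the `flash\mx\players\...` paths from the first post do not match the `flash mx` location quietman7 quotes exactly, so they land in "other", which is the case where a second-opinion scan is the right next step.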

#3 alittlehelp

Posted 14 December 2013 - 11:52 AM

Hi Quietman7,
Thanks for your quick response and useful information.

I use AVG Free 2013 as my main AV and use the ESET online scan tool every so often as an extra measure.

Is it safe to assume then, that the named RoboNanny threat is nothing more than a harmless PUP and I needn't be too concerned?

My machine still feels a little "different", but certainly not like it did when it came to a crawl.

Although I just did a chkdsk a couple of days prior to this event, I went ahead and performed another defrag and chkdsk. The performance is a little better and I cannot find anything new in running processes (32 total) or in subsequent AV scans.
However, I did discover that I must have enabled AVG's 30-day trial Internet Security option in my haste to run a scan during the time of the event.

I clicked this by mistake, thinking that it was part of the AVG Free edition. I'm not sure if this feature is running in the background causing any latency, but will have to wait it out and see. It appears that an AVG "downgrader" tool is required to revert back to the free edition. More crap in my box.

It is still a mystery to me what hit my machine so hard during that time.

I took the opportunity to read up on the wealth of information provided in the links. Very interesting and revealing insight that I never knew about System Restore and the System Volume folder's associated/stored restore points. This is an area I've heard mentioned before but, much like the registry, I tend not to tinker in. Although I haven't tried to roll back to an earlier restore point since the SAS quarantine and the first two restore attempts failed, I'm curious as to how far back other restore points have been affected.

Thanks again for all your support in helping me understand what we're dealing with.



#4 quietman7

Posted 14 December 2013 - 05:42 PM

Is it safe to assume then, that the named RoboNanny threat is nothing more than a harmless PUP and
I needn't be too concerned?

The detection was a PUP/Monitoring Tool/Riskware. If the detection was a false positive, then calling it a PUP would not apply.


A Potentially Unwanted Program (PUP) is a very broad threat category which can encompass any number of different programs to include those which are benign as well as malicious. Thus, this type of detection does not always necessarily mean the file is malicious or a bad program. PUPs in and of themselves are not always bad...many are generally known, non-malicious but unwanted software usually bundled with other free third-party software to include toolbars, add-ons/plug-ins and browser extensions. PUPs are considered unwanted because they can cause undesirable system performance or other problems and are sometimes installed without the user's consent since they are often included when downloading legitimate programs.

PUPs may also be defined somewhat differently by various security vendors and may or may not be detected/removed based on that definition.
To learn how you get PUPs, please read: About those Toolbars and Add-ons which change your browser settings

Some programs falling into the PUP category have legitimate uses in contexts where an authorized user or administrator has knowingly installed it. Since PUP detections do not necessarily mean the file is malicious or a bad program, in some cases the detection may be a "false positive". Anti-virus scanners cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert you or even automatically remove them.

Usually, if you installed or recognize the program, then you can ignore the detection. If not or you downloaded it from an untrusted site, then you need to investigate further.

#5 quietman7

Posted 14 December 2013 - 05:44 PM

If you want to do some more checking, continue as follows:

Please download and use the following tools (in the order listed) which will search for and remove many potentially unwanted programs (PUPs), adware, toolbars, browser hijackers, extensions, add-ons and other junkware as well as related registry entries (values, keys) and remnants.

RKill created by Grinler (aka Lawrence Abrams), the site owner of BleepingComputer.
AdwCleaner created by Xplode.
Junkware Removal Tool created by thisisu.

1. Double-click on RKill to launch the tool. A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.

Important: Do not reboot your computer until you complete the next step.

2. Double-click on AdwCleaner.exe to run the tool.
Vista/Windows 7/8 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • After reviewing the log, click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • Copies of all logfiles are saved in the C:\AdwCleaner folder, which was created when running the tool.
-- Note: The contents of the AdwCleaner log file may be confusing. Unless you see a program name that you recognize and know should not be removed, don't worry about it. If you see an entry you want to keep, return to AdwCleaner before cleaning...all detected items will be listed (and checked) in each tab. Click on each one and uncheck any items you want to keep (except you cannot uncheck Chrome and Firefox preferences lines).


Close all open programs and shut down any protection/security software to avoid potential conflicts.

3. Double-click on JRT.exe to run the tool.
Vista/Windows 7/8 users right-click and select Run As Administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log file named JRT.txt will automatically open and be saved to your Desktop.
  • Copy and paste the contents of JRT.txt in your next reply.


#6 alittlehelp

Posted 15 December 2013 - 01:55 PM

Thanks for the continued support Quietman7.
 
I just discovered a couple of minor things that I hadn't noticed before that may have led me to believe there is a performance change in my PC, most noticeably a shuddering lag when watching YouTube videos. I eventually noticed a couple of minor issues: 1) plugins in Firefox that were installed that I was not aware of: iTunes Application Detector and Windows Presentation Foundation; 2) AVG Internet 'personal identity protection' (from the trial I mistakenly launched) was indeed running in the background @ 20,000 k. Before I saw your recent post, I was able to undo/revert (kind of) back to AVG Free via Add/Remove Programs by selecting "Change". Unfortunately, avgidsagent.exe still shows up as a running process in TM @ 8,000 k. It seems that there is no way of disabling it through msconfig, and all of AVG's recommendations haven't worked.

Thanks very much for the tools - I will run them as suggested and post what comes up.



#7 quietman7

Posted 15 December 2013 - 01:58 PM

Not a problem.

#8 alittlehelp

Posted 15 December 2013 - 03:58 PM

Thanks Quietman7,

Below are the two logs you requested :

 

 

# AdwCleaner v3.015 - Report created 15/12/2013 at 15:28:00
# Updated 10/12/2013 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : pr - 8E47A630E4B6
# Running from : C:\Documents and Settings\pr\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

File Deleted : C:\Documents and Settings\pr\Application Data\Mozilla\Firefox\profiles\ix5lf4cg.default\user.js

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}
Key Deleted : HKCU\Software\AVG SafeGuard toolbar
Key Deleted : HKCU\Software\Headlight
Key Deleted : HKLM\Software\AVG Secure Search
Key Deleted : HKLM\Software\AVG Security Toolbar
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FF2AEFF45EEA0A48A4B33C1973B6094
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\305B09CE8C53A214DB58887F62F25536

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702


-\\ Mozilla Firefox v23.0.1 (en-US)

[ File : C:\Documents and Settings\pr\Application Data\Mozilla\Firefox\profiles\ix5lf4cg.default\prefs.js ]


*************************

AdwCleaner[R0].txt - [2008 octets] - [15/12/2013 14:49:43]
AdwCleaner[R1].txt - [2068 octets] - [15/12/2013 15:10:58]
AdwCleaner[S0].txt - [2015 octets] - [15/12/2013 15:28:00]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [2075 octets] ##########
 

 

------------------------------------------------------------------------------------------------------------------------------------

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.0.8 (11.05.2013:1)
OS: Microsoft Windows XP x86
Ran by pr on Sun 12/15/2013 at 15:35:21.15
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values

Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\DisplayName
Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\URL



~~~ Registry Keys



~~~ Files



~~~ Folders





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sun 12/15/2013 at 15:40:17.03
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
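As an added example (not AdwCleaner's or JRT's code), a Python parser for the AdwCleaner report format posted above: it splits the report into its sections and correlates the CLSIDs the Registry section names, which is the "which entries belong together?" question quietman7's note about a confusing log raises. SAMPLE_LOG is an excerpt of the report posted in this thread; the section and function names are mine.

```python
"""Parse an AdwCleaner clean report and correlate the CLSIDs it removed.
Added example, not AdwCleaner's own code. SAMPLE_LOG is an excerpt of the
report posted in the thread, whose "Action : Target" lines and
"***** [ Section ] *****" headers define the format parsed here."""

import re

SAMPLE_LOG = r"""# AdwCleaner v3.015 - Report created 15/12/2013 at 15:28:00
# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

File Deleted : C:\Documents and Settings\pr\Application Data\Mozilla\Firefox\profiles\ix5lf4cg.default\user.js

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}
Key Deleted : HKCU\Software\AVG SafeGuard toolbar
Key Deleted : HKLM\Software\AVG Secure Search

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702
"""

SECTION_RE = re.compile(r"^\*{5} \[ (?P<name>[^\]]+) \] \*{5}$")
ENTRY_RE = re.compile(r"^(?P<action>[A-Za-z]+(?: [A-Za-z]+)*) : (?P<target>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse_report(text):
    """Return {section name: [(action, target), ...]}; empty sections map to []."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.rstrip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            sections.setdefault(current, [])
            continue
        e = ENTRY_RE.match(line)
        if e and current is not None:
            sections[current].append((e.group("action"), e.group("target")))
    return sections


def clsid_references(sections):
    """Map each CLSID named in the Registry section to every key that named it,
    so the reader can see which entries belong to the same component."""
    refs = {}
    for _, target in sections.get("Registry", []):
        for clsid in CLSID_RE.findall(target):
            refs.setdefault(clsid.upper(), []).append(target)
    return refs


def registered_bhos(sections):
    """CLSIDs that had a Browser Helper Objects registration: BHOs load into
    every Internet Explorer process, so these are the entries to review first."""
    return {clsid for clsid, keys in clsid_references(sections).items()
            if any("\\browser helper objects\\" in key.lower() for key in keys)}
```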
 



#9 quietman7

Posted 15 December 2013 - 04:01 PM

I suspected we would find a few more remnants....however, nothing serious or to be concerned about.

#10 alittlehelp

Posted 15 December 2013 - 04:39 PM

That's great!

 

Thanks again for sharing your knowledge and all your support in helping me weed this stuff out.

Your kindness and patience are greatly appreciated!



#11 quietman7

Posted 15 December 2013 - 05:23 PM

You're welcome. Safe surfing and have a malware free day.



