Trojan.Dorkbot.ED Detected by Malwarebytes Pro


14 replies to this topic

#1 Justa


Posted 18 December 2013 - 10:49 PM

Tonight Malwarebytes Pro, during a full scan, detected 7 instances of Trojan.Dorkbot.ED.

I was shocked as I have been running daily quick scans by Malwarebytes Pro and SuperAntiSpyware.  About once a week I have been running full scans.  I also run daily scans by WebRoot but have poor confidence in the effectiveness of this anti-virus.

I don’t remember clicking on anything suspicious today or ever, but I cleared a ton of e-mails from Outlook 2013. As I screened them the preview feature was on; I didn’t click on anything, but the doc preview was running.

The laptop is only a few months old. I did screw up setting it up for the first time. I was having trouble with my eyes when I did a search for Mozilla Firefox to load it. I didn’t notice, but Google now puts ads right at the top of the search and the shading difference is almost impossible to see. I have since figured out how to shut these ads off.

It looked like a real Mozilla Firefox page, I gave it permission to run and the laptop seemed to freeze up.  I immediately tried to shut down but it didn’t respond so I quickly removed the battery in an attempt to stop the infection.

I did a complete reload of all software after wiping all space on drive C. Later I realized that there might have been an infection on the recovery partition D that I did not wipe.

Could you please advise on what preliminary actions I should take to curb any fraud attempts? Possibly making matters much worse is that I have been running LastPass as my password manager and worry that it may have been compromised.

If need be I will shut this machine down and pick up an inexpensive laptop to communicate with and leave the wireless off on the infected machine while cleaning out the malware.

I also suspect my Galaxy S4 may be a BOT as it responds much slower than usual and it always seems to be sending from emails.  I would also appreciate if you could advise me on what to do with the phone.

Another nasty problem is that I have been backing up on a fairly regular basis with Acronis to a WD passport.  All my recovery documents are here including a complete back up of my old laptop that I will need to reload docs and data to my infected machine once cleared of infections.

Than




#2 noknojon


Posted 19 December 2013 - 12:29 AM

Hello -

First Steps -

 

Please post that "Infected" MBAM log back here.

If you open the program, along the top is Logs, open that and find the "infected log".

 

Now Update the program and run a Full Manual Scan of MBAM and also post the New and Old logs back here.

 

Next -

Please download and run RKill by Grinler. A black DOS box will briefly flash and then disappear.
This is normal and indicates the tool ran successfully.

At worst the tool will run for about 2 minutes.

Important: Do not reboot your computer until you complete the next step.

Now -

* Please download AdwCleaner by Xplode and save to your Desktop.
* Double-click on AdwCleaner.exe to run the tool.
* Vista/Windows 7/8 users right-click and select Run As Administrator.
* Click on the Scan button (only once)
* AdwCleaner will begin...be patient as the scan may take some time to complete.
* After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
* Click on the Clean button (only once)
* Press OK when asked to close all programs and follow the onscreen prompts.
* Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
* After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
* Copy and paste the contents of that logfile in your next reply.
* A copy of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.

 

 

Last -

Clear Cache/Temp Files
Download TFC by OldTimer to your desktop
• Please double-click TFC.exe to run it.
For Vista, Win 7 / 8 right-click on the file and choose (Run As Administrator).
• It will close all programs when run, so make sure you have saved all your work before you begin.
• Click the Start button to begin the process.
• Once it's finished it may reboot your machine.
• If it does not, please manually reboot the machine yourself to ensure a complete clean.

No log is produced, so do not look for one -

 

Thank You -



#3 noknojon


Posted 19 December 2013 - 12:46 AM

Hi

Some quick research found this:

Posted Yesterday, 07:18 PM
Topic: https://forums.malwa...562#entry766006
C:\Program Files\Synaptics\SynTP\SynZMetr.exe (Trojan.Dorkbot.ED) -> Quarantined and deleted successfully.
c:\windows\system32\driverstore\filerepository\synpd.inf_amd64_802c25c846e036db\synzmetr.exe (Trojan.Dorkbot.ED) -> Quarantined and deleted successfully.

That could be a false positive.
https://www.virustot...d6733/analysis/

 

NOTE : This is from "Malwarebytes Research Dept" -

- Thanks everyone, this should be fixed in the next database update.

 

You can still run the scans that I requested to make sure, but chances are that you will not find it -

 

This is why we always ask you to keep fully Updated when you scan -

 

Thank You -



#4 Justa


Posted 19 December 2013 - 10:34 AM

Nokno,

Thank you very much for the quick and detailed reply. I will post the first Malwarebytes log from when the infection was detected. This log is very short and it appears to be the important data.

 

I will also post the log from the Malwarebyte scan post infection detection.

 

BYI,

I run Malwarebytes Pro and the infection was discovered during an "On Demand" scan.

 

I checked my whole disk backups and I do have one from 12/12/13 if needed.  Of course it has been attached to this PC with a USB cable and may also be infected.

 

Data to come, thanks Randy



#5 Justa


Posted 19 December 2013 - 10:50 AM

First Malwarebytes log, where the infection was detected.

 

Malwarebytes Anti-Malware (PRO) 1.75.0.1300
www.malwarebytes.org

Database version: v2013.12.19.02

Windows 8 x64 NTFS
Internet Explorer 11.0.9600.16476
Randal :: BLUE [administrator]

Protection: Enabled

12/18/2013 7:31:52 PM
mbam-log-2013-12-18 (19-31-52).txt

Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 402288
Time elapsed: 35 minute(s), 14 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 7
C:\Program Files\Synaptics\SynTP\SynZMetr.exe (Trojan.Dorkbot.ED) -> Quarantined and deleted successfully.
C:\SWSetup\Drivers\SynTP\WinWDF\x64\SynZMetr.exe (Trojan.Dorkbot.ED) -> Quarantined and deleted successfully.
C:\SWSetup\Drivers\SynTP\WinWDF\x86\SynZMetr.exe (Trojan.Dorkbot.ED) -> Quarantined and deleted successfully.
C:\SWSetup\sp63417\WinWDF\x64\SynZMetr.exe (Trojan.Dorkbot.ED) -> Quarantined and deleted successfully.
C:\SWSetup\sp63417\WinWDF\x86\SynZMetr.exe (Trojan.Dorkbot.ED) -> Quarantined and deleted successfully.
c:\windows\system32\driverstore\filerepository\synpd.inf_amd64_420780d6fe0b577b\synzmetr.exe (Trojan.Dorkbot.ED) -> Quarantined and deleted successfully.
c:\windows\system32\driverstore\filerepository\synpd.inf_amd64_8f295e7d280d8d7c\synzmetr.exe (Trojan.Dorkbot.ED) -> Quarantined and deleted successfully.

(end)
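One way to triage a log like the one above before emptying quarantine, as an added example that is not from this thread or from Malwarebytes: it parses the detection lines, groups them by file name and signature, and reports whether every hit sits in a vendor or driver-store location (the pattern that turned out to be a false positive here) or in a user-writable folder that deserves a closer look. The sample log and the vendor-path prefix list are assumptions constructed for the example.

```python
import re
from collections import Counter

# Constructed sample in the format of the MBAM 1.75 log above: three of the
# poster's own entries, so the script can run offline against the real layout.
SAMPLE_LOG = r"""Malwarebytes Anti-Malware (PRO) 1.75.0.1300
Files Detected: 3
C:\Program Files\Synaptics\SynTP\SynZMetr.exe (Trojan.Dorkbot.ED) -> Quarantined and deleted successfully.
C:\SWSetup\Drivers\SynTP\WinWDF\x64\SynZMetr.exe (Trojan.Dorkbot.ED) -> Quarantined and deleted successfully.
c:\windows\system32\driverstore\filerepository\synpd.inf_amd64_420780d6fe0b577b\synzmetr.exe (Trojan.Dorkbot.ED) -> Quarantined and deleted successfully.
(end)
"""

# One detection line: <path> (<signature>) -> <action taken>
DETECTION = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \((?P<sig>[^()]+)\) -> (?P<action>.+)$")

# Assumed list of locations normally written only by installers, driver setup
# or the OEM recovery image; a cluster of identical hits here is the classic FP pattern.
VENDOR_PREFIXES = (
    r"c:\program files",          # also covers "Program Files (x86)"
    r"c:\windows\system32\driverstore",
    r"c:\swsetup",                # HP driver staging folder seen in the log
)

def parse_detections(log_text):
    """Return [(path, signature, action)] for every file-detection line."""
    hits = []
    for line in log_text.splitlines():
        m = DETECTION.match(line.strip())
        if m:
            hits.append((m["path"], m["sig"], m["action"]))
    return hits

def is_vendor_path(path):
    return path.lower().startswith(VENDOR_PREFIXES)

def triage(log_text):
    """Summarise a scan log before emptying quarantine: what, where, how alike."""
    hits = parse_detections(log_text)
    basenames = Counter(p.rsplit("\\", 1)[-1].lower() for p, _, _ in hits)
    signatures = Counter(s for _, s, _ in hits)
    user_paths = [p for p, _, _ in hits if not is_vendor_path(p)]
    if not hits:
        verdict = "no detections"
    elif user_paths:
        verdict = "needs investigation: detections outside vendor paths"
    elif len(basenames) == 1 and len(signatures) == 1:
        verdict = "likely false positive: one vendor binary, verify its hash before deleting"
    else:
        verdict = "mixed vendor-path detections: verify each hash"
    return {"count": len(hits), "basenames": basenames, "signatures": signatures,
            "user_paths": user_paths, "verdict": verdict}
```

The "likely false positive" verdict is a prompt to check the file's hash and the vendor's forum, as was done in this thread, not a reason to restore the file unchecked.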
 



#6 Justa


Posted 19 December 2013 - 11:41 AM

2nd Malwarebytes Scan Results

 

Malwarebytes Anti-Malware (PRO) 1.75.0.1300
www.malwarebytes.org

Database version: v2013.12.19.08

Windows 8 x64 NTFS
Internet Explorer 11.0.9600.16476
Randal :: BLUE [administrator]

Protection: Enabled

12/19/2013 9:52:49 AM
mbam-log-2013-12-19 (09-52-49).txt

Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 402763
Time elapsed: 35 minute(s), 12 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
 



#7 Justa


Posted 19 December 2013 - 12:22 PM

Noknojon,

I stopped to investigate the false positive (Trojan.Dorkbot.ED) identified by you in the Malwarebytes forum.  Thanks so much for finding this.  I don't remember having any false positives for Malwarebytes for years and I have had a couple this year.  I guess I was so panicked I was not thinking clearly as the first place I should have gone was to the Malwarebytes forum to check for false positives.

 

At this point it is extremely important not to delete files quarantined by Malwarebytes and identified as malware until you check the Malwarebytes forum for false positives.

 

Noknojon, thanks for saving the day!! I have been watching your posts for a while now and you do an absolutely amazing job. I really appreciate the way you generously donate your time to help others.

 

Have a nice holiday,

Randy



#8 noknojon


Posted 19 December 2013 - 03:11 PM

The following were all False Positives from the Malwarebytes program.

These should not be shown as detected again -

 

 

Files Detected: 7
C:\Program Files\Synaptics\SynTP\SynZMetr.exe (Trojan.Dorkbot.ED) -> Quarantined and deleted successfully.
C:\SWSetup\Drivers\SynTP\WinWDF\x64\SynZMetr.exe (Trojan.Dorkbot.ED) -> Quarantined and deleted successfully.
C:\SWSetup\Drivers\SynTP\WinWDF\x86\SynZMetr.exe (Trojan.Dorkbot.ED) -> Quarantined and deleted successfully.
C:\SWSetup\sp63417\WinWDF\x64\SynZMetr.exe (Trojan.Dorkbot.ED) -> Quarantined and deleted successfully.
C:\SWSetup\sp63417\WinWDF\x86\SynZMetr.exe (Trojan.Dorkbot.ED) -> Quarantined and deleted successfully.
c:\windows\system32\driverstore\filerepository\synpd.inf_amd64_420780d6fe0b577b\synzmetr.exe (Trojan.Dorkbot.ED) -> Quarantined and deleted successfully.
c:\windows\system32\driverstore\filerepository\synpd.inf_amd64_8f295e7d280d8d7c\synzmetr.exe (Trojan.Dorkbot.ED) -> Quarantined and deleted successfully.


It was just a one-time thing that you found these, as no other tools would point to them.

This is another reason why MBAM saves old scans (for you to check).

You should be clean now, and no harm has been done -

 

Good Luck -



#9 Tamy


Posted 19 December 2013 - 08:52 PM

I too had this - but I also had a Trojan.Trace show up on the quick scan - so I ran a full scan and found 9 of these Dorkbots.

So was the Trojan Trace part of that too?

 

Thanks,

Tammy



#10 Justa


Posted 19 December 2013 - 09:29 PM

As a followup...

 After learning of the false positives I went back into Malwarebytes Quarantine where I restored all 7 false detections.  I then updated Malwarebytes definitions, ran a full scan and I was 100% clean.



#11 noknojon


Posted 19 December 2013 - 10:33 PM

@  Tammy -

So was the Trojan Trace part of that too? <= Can you list or Copy / Paste the other items found ??

 

Any item found with Trojan.Dorkbot.ED (or related items) is not going to harm your system.

This may have been a fake or joke infection made by someone or a game or toy or a new tool.

 

These turn up on a regular basis, and when found they are removed from detection databases.

 

Many of our Malware Removal tools show up as infections, but they are 100% harmless -

An example is Security Check by Screen317 detected by Norton only, but I still use it here every day.

You will also find that MBAM has stepped up the detection of many more items, so they need to adjust their program several times per day (8 to 10 updates is not unusual).

 

Thank You -



#12 Tamy


Posted 19 December 2013 - 11:26 PM

Hi Aussie,

 

That was the strange part.

 

So here are the events in order:

 

Last night Malwarebytes - on the quick scan - alerted me to the Trojan.trace.

 

So I quarantined it, and then ran a full scan with MWB, which then picked up 9 of the Dorkbot.ED Trojans.

 

So I quarantined them as well and restarted, And that's where they were this morning.

 

So this morning when I started my computer I ran it in safe mode and ran Rkill several times and then ran a quick scan with MWB and it picked up nothing - but I was worried because the Dorkbot didn't show up until I ran a full scan - so I decided to do that.

 

About 1 hr into that scan my computer died - just shut down and I had a hard time getting it to come back on. When I did get it back up I didn't put it back in safe mode, I just ran the full scan again and it came up clean and did not shut my computer off, BUT - it had deleted my quarantine (everything that was in there) and it has deleted the reports that showed all the info on the Trojans.

 

I was able to save a flash scan report that shows it deleted the reports. I then went into settings to see if I had something set wrong - which shouldn't have been the case as I hadn't changed anything, and I don't see where you can set it to delete the reports through the flash scan or any other way.

 

If you think that I might still have a problem - I would be ever so grateful for any help.

 

I did also run Hitman pro and Adware with not much results - but I did save the reports on those, and also on the Rkills and the Flash scan.

 

I need to head to bed for some sleep for work tomorrow.. but will check in the morning to see if you have sent your thoughts or ideas on the matter.

 

Thanks Bunches,

Tammy



#13 noknojon


Posted 20 December 2013 - 01:35 AM

Any scans from MBAM are saved in LOGS - First open MBAM program.

Hit the Logs Tab across the top of the program and the past scans should be recorded.

 

Note that MBAM is Not designed to run / find infections in Safe Mode at any time.

 

If any item shown is not Trojan.Dorkbot.ED, please try to find it -

 

Thank You -



#14 noknojon


Posted 21 December 2013 - 05:04 PM

Hi -

I have been back to MBAM a couple of times and asked their Experts about this item.

All of the answers were that it was nothing and just ignore it -

 

Any other people that read this can be assured that there is nothing involved.

 

The exact source of the False Positive was not found, but it is now removed from the MBAM database.

 

Any and all problems should be fixed -

 

If you have a new problem, please start a new topic, since it is not related to this one.

 

Thank You -



#15 CompWorksPro


Posted 03 January 2014 - 10:48 AM

Here are some photos of this virus that I stumbled upon and initially thought was Cryptolocker, because it had reference to RSA encryption.  

MalwareBytes found it as a Trojan though -> Trojan.Dorkbot.ED, and I used RogueKiller to remove all traces of it.

 

http://i1028.photobucket.com/albums/y343/compworkspro/2014-01-02163746_zps423aea01.jpg

 

http://i1028.photobucket.com/albums/y343/compworkspro/2014-01-02163715_zps01b2b32d.jpg

 

http://i1028.photobucket.com/albums/y343/compworkspro/2014-01-02163707_zps23d72903.jpg





