Mystery virus. No symptoms yet. I have the file/website.


15 replies to this topic

#1 FML fo real


Posted 05 January 2014 - 02:57 PM

I feel like such an idiot. I'm usually a pretty computer savvy guy.

I clicked a link from Google (WOT, which rates websites, said there weren't enough ratings to make a conclusion, not all that uncommon) which redirected me to a site that was rated as malicious. I only reached one of the screens that tells you to turn back, actually an overlay from WOT rather than one of Google's. Normal so far, right? What happens next makes me seriously question Chrome's security.

 

A file automatically downloads, starts, and disappears after beginning to run. I check the task manager for odd processes and notice nothing out of the ordinary. I check Norton to see if it silently deleted the file; it didn't. This is an old desktop, one that makes lots of noise when processing something. It was making the same amount of noise it does when under load for the next few minutes.

 

I ran through this in Sandboxie to check what changes the file made. In Sandboxie it triggered a much shorter burst of noise, and didn't delete itself. Scanning the file directly comes up clean. It's from a known distributor of malware, though.

 

A quick scan in Norton came up with nothing, and I'm running a full scan right now. I don't expect much. Norton File Insight said that the file is under a week old, so it's not used to dealing with it.

 

I can post the link to the site, and am only refraining to do so because posting a link like that might possibly be against this website's policy.

 

I plead for your assistance, gods and goddesses of computer problems.



#2 quietman7


Posted 05 January 2014 - 07:23 PM

Yes, please do not post active links to malware or possible malware related sites to include links which may lead to sites where infections have been contracted and spread. If it is malicious, we don't want other members accidentally clicking on such a link and infecting their machines.

Since you have the file...anytime you come across a suspicious file or you want a second opinion, submit it to one of the following online services that analyze suspicious files:
-- In the "File to Scan" (Upload or Submit) box, browse to the location of the suspicious file(s) and submit (upload) it for scanning/analysis. If you get a message saying "File has already been analyzed", click Reanalyze or Scan again.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click the donation button.

#3 FML fo real


Posted 06 January 2014 - 09:25 PM

Norton came up with nothing.

 

Niiiiice websites. Sorry for not responding for so long. (I'll be busy tomorrow, too, though. :P)

 

Jotti had a positive from

ESET: Win32/YourFileDownloader.A

(1/23)

http://virusscan.jotti.org/en/scanresult/e7c3baa7b82db59728125574c50a2d6276f74dde

 

VirusTotal had positives from

Avast: Win32:Downloader-UEO [PUP]

ESET-NOD32: probably a variant of Win32/YourFileDownloader.A

Malwarebytes: PUP.Optional.YourfileDownloader

VIPRE: Via Advertising (fs)

(4/47)

https://www.virustotal.com/en/file/04e6606b8e07b216bea38dff81e9ed9a06595fe8ced9ac9bb623d4c4139111b4/analysis/1389060804/

 

VirSCAN upload stalled out the first time then returned an error the second time.

 

Would I be right to install Malwarebytes and try to clean it with that?

 

I'm concerned that it won't be able to detect the installed ware as easily as the installation file. :P



#4 quietman7


Posted 06 January 2014 - 09:36 PM


Please perform a scan with Emsisoft Web Malware Scanner which contains the same dual-engine scanner features of Emsisoft Anti-Malware to include cleaning and quarantine.
-- Vista/Windows 7/8 users need to run Internet Explorer as Administrator. To do this, right-click on the Internet Explorer icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run As Administrator from the context menu.

Note: This scanner is based on ActiveX technology and only supports Internet Explorer with ActiveX enabled to run correctly.

#5 quietman7


Posted 06 January 2014 - 09:37 PM

Then perform a scan with Eset Online Anti-virus Scanner.
If using Mozilla Firefox, you will be prompted to download and use the ESET Smart Installer. Just double-click on esetsmartinstaller_enu.exe to install.
Vista/Windows 7/8 users need to run Internet Explorer/Firefox as Administrator.
To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run As Administrator from the context menu.
  • Click the green ESET Online Scanner button.
  • Read the End User License Agreement and check the box to accept the terms.
  • Click the Start button.
  • Accept any security warnings from your browser and allow the download/installation of any required files.
  • Under scan settings, check Scan archives and check Remove found threats.
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click the Start button.
  • ESET will install itself, download virus signature database updates, and begin scanning your computer.
  • The scan can take some time to complete...close all programs and do NOT use the computer while the scan is running.
    If given the option (when threats are found), choose "Quarantine" instead of delete.
  • When the scan completes, push List of found threats.
  • Push Export to text file, and save the file to your desktop as ESETScan.txt.
  • Push the Back button, then Finish.
  • Copy and paste the contents of ESETScan.txt in your next reply. If no threats are found, there is no option to create a log.
  • Note: If you recognize any of the detections as legitimate programs, it's possible they are "false positives" and you can ignore them or get a second opinion if you're not sure. Eset's detection rate is high and can include legitimate files which it considers suspicious, a Risk Tool, Hacking Tool, Potentially Unwanted Program, a possible threat or even Malware (virus/trojan) when that is not always the case. Be careful what you choose to remove. If in doubt, ask before taking action.



#6 FML fo real


Posted 07 January 2014 - 12:17 PM

The Emsisoft link you posted is dead (redirects), just a heads up. Oh, and also the Microsoft MVP link in your signature.

 

Amusingly enough, ESET doesn't recognize IE11.

 

ESETScan.txt:

C:\Sandbox\*******\VirusTest\user\current\Downloads\Video-Spread-Eagled-For-Teasing_downloader.exe probably a variant of Win32/YourFileDownloader.A application cleaned by deleting - quarantined
C:\Users\*****\AppData\Local\Temp\tmp5324.exe a variant of Win32/Amonetize.B application cleaned by deleting - quarantined
C:\Users\*****\AppData\Local\Temp\tmp5DEF.exe a variant of Win32/Amonetize.B application cleaned by deleting - quarantined
C:\Users\*****\AppData\Local\Temp\tmp7B06.exe a variant of Win32/Amonetize.B application cleaned by deleting - quarantined
C:\Users\*****\AppData\Local\Temp\tmpADAB.exe a variant of Win32/Amonetize.H application cleaned by deleting - quarantined
C:\Users\*****\AppData\Local\Temp\tmpBA0C.exe a variant of Win32/Amonetize.B application cleaned by deleting - quarantined
C:\Users\*******\AppData\Local\Temp\AskSLib.dll a variant of Win32/Bundled.Toolbar.Ask application cleaned by deleting - quarantined
C:\Users\*******\AppData\Local\Temp\is-3I2FJ.tmp\OCSetupHlp.dll Win32/OpenCandy application cleaned by deleting - quarantined
C:\Users\*******\Programs\Cool Timer\Harmony_Hollow_Software.exe multiple threats cleaned by deleting - quarantined
C:\Windows\System32\Adobe\Shockwave 12\gt.exe Win32/Bundled.Toolbar.Google.D application cleaned by deleting - quarantined
 

90% chance that Harmony_Hollow_Software.exe is a false positive, but I don't use the program anyway.

 

It seems to have not found the installed exploit, unless it's Win32/OpenCandy.

 

Edit: Link for you: http://mvp.microsoft.com/en-us/mvp/Russ Stamm-37025


Edited by FML fo real, 07 January 2014 - 12:22 PM.


#7 quietman7


Posted 07 January 2014 - 01:38 PM

It appears the Emsisoft Web Malware Scanner is no longer available and they removed the link. According to one of their website's links, Emsisoft detects and removes YourFileDownloader.

I don't know what happened to my signature link but it's fixed. Thanks for letting me know.

Anyway you can go ahead and install /scan with Malwarebytes Anti-Malware.

BTW, YourFileDownloader appears to be classified as a PUP.

A Potentially Unwanted Program (PUP) is a very broad threat category which can encompass any number of different programs to include those which are benign as well as malicious. Thus, this type of detection does not always necessarily mean the file is malicious or a bad program. PUPs in and of themselves are not always bad...many are generally known, non-malicious but unwanted software usually bundled with other free third-party software to include toolbars, add-ons/plug-ins and browser extensions. PUPs are considered unwanted because they can cause undesirable system performance or other problems and are sometimes installed without the user's consent since they are often included when downloading legitimate programs. PUPs may also be defined somewhat differently by various security vendors and may or may not be detected/removed based on that definition. That fact adds to confusion and a lot of complaints from end users asking why a detection was not made on a particular file (program) they are having issues with.

To learn how you get PUPs, please read: About those Toolbars and Add-ons which change your browser settings

#8 quietman7


Posted 07 January 2014 - 01:40 PM

It seems to have not found the installed exploit, unless it's Win32/OpenCandy.

See my explanation in regards to OpenCandy in this topic.

#9 FML fo real


Posted 07 January 2014 - 02:10 PM

I don't think it's exactly YourFileDownloader. The research I made before posting to this thread shows that most people were asking how to uninstall "YourFileDownloader," which appeared in their Control Panel's list of programs and (with its name in plaintext in) their registry. My issue manifests in neither place. (For registry, at least not in the same way. I don't claim to have scoured the entire registry.)

 

It was downloaded from a website bearing the same name, likely also the distributor of YourFileDownloader.

 

One potentially embarrassing possibility is that it is YourFileDownloader, but was automatically removed before it could install. That doesn't fully explain the noise of my computer's exertion, though. Nor that it appeared to have run. (In the Google Chrome download bar, iirc it acted as if clicked, saying "Opening...." I am not sure about this, though.)

 

I'll run Malwarebytes then post about the results.



#10 quietman7


Posted 07 January 2014 - 02:52 PM

Ok....I thought you submitted the file to Jotti and Virus Total for analysis and were aware of the actual name.

#11 FML fo real


Posted 08 January 2014 - 05:37 PM

?
 
I did submit my sample. I knew the name "YourFileDownloader" before that because I inspected the file's properties.
 
Maybe it's just my inexperience with this field. I'd think that two pieces of malware that install different things are different, but maybe they are named instead for the method of delivery or their source, rather than effect?
 
I'm not sure I understand you.
 
Malwarebytes detected:
 
C:\Users\*******\AppData\Local\Apps\2.0\RHPCDXDK.5QH\HJCHRH2G.OEV\macr...exe_0a345d07a48f8f00_0005.0006_none_9afe817851bd965c\extp.etl (Trojan.Dropper.CL) -> No action taken.
C:\Users\*******\AppData\Local\Apps\2.0\RHPCDXDK.5QH\HJCHRH2G.OEV\macr..tion_0a345d07a48f8f00_0005.0006_2c2c28435787bc80\extp.etl (Trojan.Dropper.CL) -> No action taken.


#12 quietman7


Posted 08 January 2014 - 07:12 PM

Your Malwarebytes Anti-Malware log shows "No action taken". This usually occurs if you forget to click "Remove Selected" and instead just click "Save Logfile" or save the report before having Malwarebytes remove the threats. To confirm if everything was removed:
  • Rescan again (Quick Scan) in normal mode.
  • Don't forget to check for database definition updates through the program's interface (preferable method) before scanning.
  • Make sure that everything detected is checked and then click the Remove Selected button.
  • Then click the Logs tab and copy/paste the contents of the new report in your next reply.
If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.
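As an added example (not code from this thread, from ESET or from Malwarebytes), here is a small Python parser for the two log formats quoted above: the ESET Online Scanner lines in post #6 and the Malwarebytes lines in post #11. It flags entries whose action is "No action taken", the condition quietman7 points out, and counts detections per family so repeated droppers stand out. The regexes are my own and the sample lines are constructed from the logs in this thread.

```python
import re
from collections import Counter

# ESET Online Scanner lines: "<path> <threat description> <action>". The path is
# matched non-greedily up to the first "<ext><space>" so folder names with spaces
# (e.g. "Cool Timer") still parse.
ESET_LINE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?\.[A-Za-z0-9]{1,4})\s+(?P<detection>.+?)\s+"
    r"(?P<action>cleaned by deleting - quarantined|cleaned by deleting|"
    r"quarantined|deleted|error while cleaning|unable to clean)\s*$"
)
# Malwarebytes Anti-Malware lines: "<path> (<detection>) -> <action>."
MBAM_LINE = re.compile(
    r"^(?P<path>.+?)\s+\((?P<detection>[^()]+)\)\s+->\s+(?P<action>.+?)\.?\s*$"
)
# Family name inside vendor names such as "Win32/Amonetize.B".
FAMILY = re.compile(r"(?:Win32|Win64|MSIL|JS|VBS)/(?P<family>[A-Za-z0-9_]+)")

# Constructed sample: lines adapted from the logs posted in this thread.
SAMPLE_LOG = r"""
C:\Users\*****\AppData\Local\Temp\tmp5324.exe a variant of Win32/Amonetize.B application cleaned by deleting - quarantined
C:\Users\*******\Programs\Cool Timer\Harmony_Hollow_Software.exe multiple threats cleaned by deleting - quarantined
C:\Users\*******\AppData\Local\Temp\is-3I2FJ.tmp\OCSetupHlp.dll Win32/OpenCandy application cleaned by deleting - quarantined
C:\Users\*******\AppData\Local\Apps\2.0\RHPCDXDK.5QH\extp.etl (Trojan.Dropper.CL) -> No action taken.
"""

def parse_line(line):
    """Return a dict for one recognised log line, or None for anything else."""
    line = line.strip()
    for scanner, pattern in (("mbam", MBAM_LINE), ("eset", ESET_LINE)):
        m = pattern.match(line)
        if m:
            return {"scanner": scanner, **m.groupdict()}
    return None

def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e]

def pending(entries):
    """Entries the scanner reported but did not remove ('No action taken')."""
    return [e for e in entries if e["action"].lower().startswith("no action taken")]

def family_counts(entries):
    """Count detections per family so repeated droppers (e.g. Amonetize) stand out."""
    counts = Counter()
    for e in entries:
        m = FAMILY.search(e["detection"])
        counts[m.group("family") if m else e["detection"]] += 1
    return counts

if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    print(dict(family_counts(found)))
    for e in pending(found):
        print("not removed:", e["path"], "->", e["detection"])
```

Any entry listed by pending() is one the scanner only reported, so it should be rescanned and removed as quietman7 describes rather than treated as cleaned.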

#13 FML fo real


Posted 09 January 2014 - 04:49 PM

I removed those two after saving the log, ignoring the others which I am confident were false positives. I rebooted immediately.

 

I ran a quick scan, which came up with nothing.



#14 quietman7


Posted 09 January 2014 - 07:07 PM

How is your computer running now?

#15 FML fo real


Posted 11 January 2014 - 12:25 PM

Unfortunately, I never had any symptoms.

 

The next step that I'd think of is to try to decompile the .exe and check its contents.

 

If your experience tells you that there is probably no infection, then I might reconsider.

 

Personally I think that this means I should be even more determined. The file deleted itself, that much I know. For some reason I doubt that it did so after failing to install anything onto my system.





