I am ruined by a click



#1 Nilabhra


Posted 03 May 2014 - 04:48 AM

An unwanted click in a web ad ruined my system. I am slowly recovering from it but still a lot needs to be done.

I have found from regedit that there is an msi file that got installed: f5e9e18.msi

Can anybody tell me what is in that installer if I upload it for study?

Is it possible to roll back the changes in regedit if I click the uninstall option of the msi?

Please help me





#2 Condobloke


Posted 03 May 2014 - 05:06 AM

G'day Nilabhra, and :welcome:  to BC !!

 

Please give me some more detail....your operating system (XP, Win 7 etc), what exactly you clicked on and what the immediate result was?

What symptoms is the PC displaying right now..?

....any steps you have taken to rectify your problem...

.....and anything else you feel may be pertinent.


Condobloke ...Outback Australian  fed up with Windows antics...??....LINUX IS THE ANSWER....I USE LINUX MINT 18.3  EXCLUSIVELY.

“A man travels the world in search of what he needs and returns home to find it."

It has been said that time heals all wounds. I don't agree. The wounds remain. Time - the mind, protecting its sanity - covers them with some scar tissue and the pain lessens, but it is never gone. Rose Kennedy


 

 


#3 Nilabhra


Posted 03 May 2014 - 06:20 AM

Thank you, and thanks to humanity! I got a reply.

Well, let me provide you a short description.
My system time was 6:46 PM when this malware ran in. Kaspersky did some immediate cleaning.
I was still not aware of what was wrong. At 7:00 PM I found that on whatever site I was opening through whatever browser:
a) ads were jumping in b) a message was showing that Mediafile 12.2 needed to be installed.
I immediately ran
a) Malwarebytes b) RogueKiller c) AdwCleaner. All found PUPs/PUMs. I ran them again in succession.
Since then nothing is found.
But the problem is persisting. So I started my own exploration. I soon found a program provoxy.exe (not our old benign one) running in program files x86/MSR/provoxy/. Naturally I checked the browsers and I found all are set to localhost proxy port 8118.
So I killed provoxy, deleted the whole MSR directory and changed the proxy back to normal. Now things worked fine for a while.
But the system is automatically changing to the proxy settings for all browsers. And if I restart (I guess so) the deleted MSR directory in program files x86 is returning back!
I checked the registry and then I found that there was an installer named f5e9e18.msi that ran. I found the installer now. Currently I renamed it to a .problem extension so that the rogue program cannot run it.
I also found that the similar registry entries (specifically those at 6:46 PM) are also accessing a certain folder named System update kb70007 which is under the c:/windows/microsoft folder. That folder has the following files:
Installer.dll
InstallerLibrary.dll

win32.reg -----------> can any messiah read and transform it from hive to text for me? I am uploading it in the next reply.
Windowsupdater.exe

Currently I am trying to see if somehow I can find how the Mozilla settings are getting changed.
 


Edited by Nilabhra, 03 May 2014 - 06:36 AM.


#4 Nilabhra


Posted 03 May 2014 - 06:38 AM

Oh, uploading a file is not possible in this forum! :(



#5 Condobloke


Posted 03 May 2014 - 06:51 AM

FYI....http://www.bleepingcomputer.com/startups/privoxy.exe-4203.html

 

 

Please run the following for me ..In The Order Listed

 

Please download MiniToolBox   to desktop and run it.
Checkmark the following boxes:

* List content of Hosts
* Flush DNS
* Report IE Proxy Settings
* Reset IE Proxy Settings
* Report FF Proxy Settings
* Reset FF Proxy Settings
* List last 10 Event Viewer log
* List Installed Programs
* List Users, Partitions and Memory size
Note: When using "Reset FF Proxy Settings" option Firefox should be closed.
Click Go and Copy / Paste the result. (result.txt)

 

 

Please download RKill by Grinler from the link below and save it to your desktop.

    RKill
    Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
    Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
    A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
    If nothing happens or if the tool does not run, please let me know in your next reply.
    A log pops up at the end of the run. This log file is located at C:\rkill.log.
    Please post the log in your next reply.

 

DO NOT REBOOT>>>>yet....

 

Download TDSSKiller and save it to your desktop.
Extract (unzip) its contents to your desktop.
Open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
If an infected file is detected, the default action will be Cure; click on Continue.
If a suspicious file is detected, the default action will be Skip; click on Continue.
It may ask you to reboot the computer to complete the process. Click on Reboot Now.
If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.



 

 


#6 Condobloke


Posted 03 May 2014 - 07:50 AM

Tis snooze time here in this part of the world.....I will return in approx 10 hours.



 

 


#7 Nilabhra


Posted 04 May 2014 - 07:24 PM

Hi Condobloke...... thanks a lot for your help. I have resolved the problem. Though none of the tools detected the malware, they helped me to identify it. TDSSKiller was repeatedly finding one process and killing it. I tracked the process down to a service: "System Update kb70007". This is the rogue service which is calling the software I mentioned before, as c:\windows\microsoft\System Update kb70007\windowsupdater.exe. I have cleaned the registry and the system manually and everything is working fine for now. From the trail I found there are some more malware backups in \local\Appdata\Roaming, which I removed. If you are interested to see what is inside those files I can zip them and send them to you. Definitely, if you can read the malware's win32.reg hive file you can get a lot of info. I can provide you the prefetch file of the corrupt run at 6:46 PM to dig into further. Anybody working on it can post an email id in this forum; I will be only too glad to send the details to him/her, if it helps.

I could do it myself, but I am not a virus cleaner, so I am not too keen to work on it. But I noticed more than one guy has reported the same problem in this forum and is still waiting for an answer.

Here are the symptoms of the malware attack.
A) All the browsers display ads in all webpages that are opened.
B) Browsers inform "This content requires Media Player 12.2 Update" whenever they encounter a media file in the webpage.
C) Browsers automatically change their setting to proxy, localhost port 8118.

Thanks and Regards
N



#8 Condobloke


Posted 04 May 2014 - 10:36 PM

All good. Hope it stays that way for you !



 

 


#9 Pat52


Posted 05 May 2014 - 03:13 AM

Hi N,
My wife's comp was infected last Friday. Same scenario as yours: an unintended click and then catastrophe.

I noticed the Privoxy.exe. Tried Malwarebytes, CCleaner, Glary Utilities, Hitman to remove the infection. 49 PUPs and an assortment of negatives. Running CCleaner, Simple Disk Clean had the progress bar stuck at 24% with the System\Temp folder for longer than usual. If I am not mistaken, the current folder size is 24 G. "Local" kept repeating in the list of files being analysed. Did not know how to proceed.
A friend suggested a new install, which I dread for no apparent reason.
My request to you:

Could you please forward me or the forum the list of tools and utilities you used to scan, read, and remove items from the registry, and the infected files and folders.
I have Win 8.1 on her computer.

Thanks

Pat


#10 Condobloke


Posted 05 May 2014 - 03:50 AM

G'day Pat52, and :welcome:  to BC !!

While there may be some similarities appearing to you....there is No guarantee that what has "worked" for one will work for another....

 

I would strongly recommend you open a new topic of your own HERE   and allow the people here to proceed on the case by case basis that your Wife's PC deserves.

If in fact the PC turns out to be badly infected, we have an Experts Area HERE which I can recommend with no hesitation. It has some of the best brains in the world, freely available.

proceed with care,

Regards,

 

 

 



 

 


#11 Nilabhra


Posted 05 May 2014 - 04:21 AM

Hi Pat,

 

I haven't formalized what I have done and most of what I have done is manual. But I will try my best to help you. This program (if it's the same as mine) is posing as a genuine Microsoft service. That's why you cannot find it. Below are the steps on how you may find it and get rid of it. HOWEVER, I WOULD SUGGEST HEEDING CONDOBLOKE RATHER THAN FOLLOWING ME.

1) Download AdwCleaner and RKill (link given above by Condobloke) and TDSSKiller (link given above).

2) Disconnect your internet, disable your existing antivirus.
3) Run these tools and see the output logs. Most of the rogue files in temporary folders will be cleaned.
4) Now, if you remember the date (preferably the hour) the infection happened, go to c:\windows and c:\windows\microsoft. Do you find any folder created on that date?
5) If so, one of these may be your culprit. My culprit folder's name was "System update kb70007".
6) Go into the folder and see whether you find an .exe, at least one .dll and a .reg file.
My files were (web.reg, installer.dll, installerupdate.dll, windowsupdater.exe).
If you get windowsupdater.exe, you are "very sure" that you have found the rogue. This file is a known offender.
7) Now restart the machine at this point (but don't enable internet).
8) Go to the services, and check the properties of each service which is automatic and running. One of them will have the path to this executable. My service fortunately had the same name as the folder (i.e. System update kb70007). So I didn't need to search much.
9) Immediately disable the service and change it to manual. Your major work is done. You will not be further disturbed.
10) Run RKill. That settles your computer for good. The infection is still there but it will not bother you again. Report to the experts here.
**********************
11) From this point on it becomes technical. Take a dump of regedit (it was 512 MB for me and it needed V@fileviewer.com to read it).
12) Search the regedit dump to see at what time it got infected. Now you know a search name, for example "windowsupdater.exe".
13) Check the event log to see the prefetch files created at that time to flush out other locations where this program is residing.
14) When you are sure, remove the files, and rename the rogue folder in the windows\microsoft directory; just add a letter in the middle ("System update kb70007" to "System zupdate kb70007").
15) Take expert help to clean the registry manually, delete the existing renamed folder etc.
***********************
16) Also run Resident Shield from AVG.... I found it flushing out some more locations I missed.

* Note: The guys who have written the code are also watching. So there's no guarantee that they haven't changed their policy by now.

Good luck... but I strongly recommend taking the help of the experts here rather than following me. And if you have found a better alternative, please let me know. Please note in this regard that you still need to know something about computers to do the technical stuff I mentioned. Though I am not an expert in this area, I have worked on Windows for the last 20 years (since Win 3.1) and that gives me some working knowledge that I shouldn't know :D

With Regards
Nilabhra Banerjee



#12 Nilabhra


Posted 05 May 2014 - 04:25 AM

By the way, as Condobloke has mentioned, Privoxy by itself is not malware. But since this malware is using Privoxy, it will reinstall Privoxy even if you delete the installation folder.



#13 cjens19


Posted 10 May 2014 - 10:31 AM

Just created an account so I could reply to this thread. I had a client become infected with the same malicious service "System Update kb70007". Thank God I saw this thread, as I had spent about 3 hours trying to clean up this infection and was about 5 minutes away from throwing in the towel and recommending a rebuild. So, thank you! My situation sounds pretty similar: the user complained that emails were getting stuck in the Outbox. Upon investigating, I noticed that Internet Proxy Settings were enabled to port 8118. He doesn't use Privoxy so I began hunting for malware. MBAM cleaned about 100 items off, but after each reboot, the proxy settings returned. Ran about every other tool I could think of, and the proxy settings would still return. Tried using gpedit to disable changes to proxy settings, no dice.

My particular 'aha' moment was when, as a last-ditch effort, I ran Autoruns to try and see if anything subtle was inserting itself into the startup items. Didn't see anything so I continued going through all the tabs in Autoruns and came to the Services list and, lo and behold, the System Update kb70007 service. Was not able to delete the folder but after running RKill, I was. Deleted the folder and then rebooted. NO PROXY anymore!!! I'll reboot a couple more times to make sure, but hopefully this is fixed.

 

I also noticed something else very strange, in his C drive he has a folder named Syst68301037 and it appears to contain a bunch of backups of certain system folders/files. Did you notice the same folder in C:? I'm assuming yours would have a different 8 digits. 

 

Who knows, I still may recommend a rebuild, considering we won't know how deep this infection goes. But if his proxy is staying disabled from now on, that's probably a good start. He'll ask what I did to fix it, and then he'll ask why it took me 3 hours to do so. And then I'll remind him that it's not about the destination, it's about the journey :)  (or if I want to be blunt I'll tell him that hindsight is always 20/20 and stop clicking on bad sites)



#14 Nilabhra


Posted 10 May 2014 - 12:49 PM

Hi Cjens19,

 

It is all about a service!!!! RKill will kill the service but will not remove it. So please go to Services and find that service (it will have the same name as the folder), and make it manual and disable it. Once you have done that, you will not need to worry about this malware again. If you want to remove the service altogether from the registry, well and good. But I recommend not editing the registry manually; you can use delserve or some tool to remove it.

Cheers!
N
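A read-only audit, added here as an example and not posted by anyone in this thread, that checks for the indicators described in #5, #11 and #14: the WinINet (IE/system) and Firefox proxy forced to localhost:8118, a service whose binary lives under C:\Windows\Microsoft\ or is named windowsupdater.exe, and folders created around the infection time. The Disable-SuspectService function applies #14's point (disable the service's automatic start rather than only killing the process) and is left commented out. The path C:\Windows\Microsoft and the name kb70007 are taken from the thread; the function names are my own.

```powershell
# Added example: read-only audit for the indicators reported in this thread.
# "kb70007", windowsupdater.exe and C:\Windows\Microsoft come from the posts
# above; the function names are this example's own.
$ProxyPattern = '(localhost|127\.0\.0\.1):8118'   # thread: all browsers forced to this proxy

function Get-WinInetProxy {
    # System/IE proxy; Outlook uses the same settings, which fits the stuck Outbox in #13
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ProxyEnable = $p.ProxyEnable
        ProxyServer = $p.ProxyServer
        Suspicious  = ($p.ProxyEnable -eq 1 -and "$($p.ProxyServer)" -match $ProxyPattern)
    }
}

function Get-FirefoxProxy {
    # prefs.js lines look like: user_pref("network.proxy.http_port", 8118);
    Get-ChildItem "$env:APPDATA\Mozilla\Firefox\Profiles\*\prefs.js" -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hits = Select-String -Path $_.FullName -Pattern 'network\.proxy\.(type|http|http_port|ssl|ssl_port)"'
            [pscustomobject]@{
                Profile    = $_.Directory.Name
                ProxyPrefs = @($hits | ForEach-Object Line)
                Suspicious = [bool]($hits | Where-Object Line -match '8118')
            }
        }
}

function Get-SuspectServices {
    # Win32_Service exposes the binary path; the thread's service ran from
    # C:\Windows\Microsoft\System Update kb70007\windowsupdater.exe
    Get-CimInstance Win32_Service | Where-Object {
        $_.PathName -and (
            $_.PathName -match [regex]::Escape('\Windows\Microsoft\') -or
            $_.PathName -match 'windowsupdater\.exe' -or
            $_.Name -match 'kb70007' -or $_.DisplayName -match 'kb70007')
    } | Select-Object Name, DisplayName, State, StartMode, PathName
}

function Get-FoldersCreatedSince([datetime]$Since) {
    # Step 4 of #11: folders created around the infection time
    Get-ChildItem 'C:\Windows', 'C:\Windows\Microsoft' -Directory -ErrorAction SilentlyContinue |
        Where-Object CreationTime -ge $Since | Select-Object FullName, CreationTime
}

function Disable-SuspectService([string]$Name) {
    # #14's point: RKill only kills the process; the persistence is the service's
    # Automatic start. Disable it (not just Stop) so it does not return on reboot.
    Set-Service -Name $Name -StartupType Disabled
    Stop-Service -Name $Name -Force -ErrorAction SilentlyContinue
    Get-CimInstance Win32_Service -Filter "Name='$Name'" | Select-Object Name, State, StartMode
}

Get-WinInetProxy
Get-FirefoxProxy
Get-SuspectServices
Get-FoldersCreatedSince (Get-Date).AddDays(-7)      # adjust to the infection date
# Disable-SuspectService 'System Update kb70007'   # only after confirming the service
```

Run it from an elevated PowerShell; Get-FirefoxProxy only reads the current user's profiles, so repeat it under each affected account.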



#15 cjens19


Posted 10 May 2014 - 01:30 PM

> Hi Cjens19,
>
> It is all about a service!!!! RKill will kill the service but will not remove it. So please go to Services and find that service (it will have the same name as the folder), and make it manual and disable it. Once you have done that, you will not need to worry about this malware again. If you want to remove the service altogether from the registry, well and good. But I recommend not editing the registry manually; you can use delserve or some tool to remove it.
>
> Cheers!
> N

Oh, I've already removed the service. Once I used RKill to stop the process locking the service, I was able to delete the entire System Update kb70007 folder off the laptop, which contained the service. I also used Autoruns to remove the service from the list. Rebooted 3 times and it didn't come back, so we should be good in regards to that. But the other folder in the root of C, I'm not sure about. If he continues to have issues I'm going to just reinstall the OS. Basically I just posted on here to say thanks and that I had a very similar infection, and wanted to share how I got rid of it. :)


Edited by cjens19, 10 May 2014 - 01:30 PM.




