Is this anything? Malwarebytes finds no errors


13 replies to this topic

#1 userinnorthamerica


Posted 23 June 2014 - 06:23 PM

I've been running MWB for quite a while.  I just upgraded to the latest edition over the weekend.

 

However, three days ago on the same web site, my system was 'attacked' sending out from Chrome communicating with this very antagonistic advertiser claiming to be the "Lycos" network.  It posted a video with sound as an ad, which is unusual. I shut off the sound, but the site was able to either turn it back on or get Chrome to.

Symantec recorded that it had seen "activity 2" of 2 trojans. 

 

1. "System Infected: Trojan.Boaxxe Activity 2 detected."
2. "System Infected: Trojan.Miuref Activity 2 detected."
 
And:
"Traffic has been blocked from this application: C:/Program Files (x86)/Google/Chrome/Application/chrome.exe"
 
 
Malwarebytes did find 2 files using the memory scan and deleted them.  After this a full scan showed the system to be clean.  I then went to update the database, which installed the new version and I ran the new "Threat Scan."

It came up clean.  I've run Threat Scan again and a Custom scan that looked at the Google Chrome directory and temporary files under user/Appdata/Roaming/ and Local/ for Chrome and it has found nothing.
 
I have read about the Boaxxe and Miuref trojans and several web pages list registry entries that these make.  I don't see these entries using regedit.
 
Also I have noticed no additional unusual behavior except for that one web site when the "lycos" ad rolled around.
 
Questions:
 
1. Is there something else to look for to see if this is a real problem or not?  
 
2. Note that the new MWB version seems to have cleared out old logs from the old version. Do these still exist somewhere? (Not that important. The main question is - is there a problem).
 
Thanks!
 
MWBUser

Edited by hamluis, 23 June 2014 - 06:28 PM.
Moved from Win 7 to Am I Infected - Hamluis.


#2 noknojon


Posted 23 June 2014 - 07:02 PM

Questions:
>> 1. Is there something else to look for to see if this is a real problem or not?  <<
Can you Copy and Paste the Malwarebytes Anti-Malware log that "found the infection(s)" ??
 
>> 2. Note that the new MWB version seems to have cleared out old logs from the old version. Do these still exist somewhere? (Not that important. The main question is - is there a problem).<<
If you use the Clean install (preferred method) with a new version you will lose (not have listed) all records (unless saved).
Example : Please follow Free version removal methods. (link is to Malwarebytes site) if required. The reboot tool clears the memory (but there is a way to get in there still).
 

 

{{ Symantec recorded that it had seen "activity 2" of 2 trojans. }} It detected the Trojan infections; that is its job. Activity 2 is the way Symantec describes the detection (deadly / serious / not serious / etc).

1. "System Infected: Trojan.Boaxxe Activity 2 detected."

2. "System Infected: Trojan.Miuref Activity 2 detected."

 

Please note that my responses are only to the way you have written this topic. I will look at those infections etc in 5 minutes -



#3 noknojon


Posted 23 June 2014 - 07:28 PM

The response from Symantec is their Generic reply for these infections. See general script below >>

FOR BUSINESS USERS
If you are a Symantec business product user, we recommend you try the following resources to remove this risk.
Identifying and submitting suspect files
Submitting suspicious files to Symantec allows us to ensure that our protection capabilities keep up with the ever-changing threat landscape. Submitted files are analyzed by Symantec Security Response and, where necessary, updated definitions are immediately distributed through LiveUpdate™ to all Symantec end points. This ensures that other computers nearby are protected from attack. The following resources may help in identifying suspicious files for submission to Symantec.

Removal Tool

If you have an infected Windows system file, you may need to replace it using the Windows installation CD.

All of these steps are not required, unless you still have on-going problems. Please tell us if ANY problems continue.

I would rescan with updated basic Symantec, and the same with Malwarebytes Anti-Malware. I have found that, unless required, Norton Power Eraser can at times be "too heavy" if the infection has already been removed.

It will look for items that are not infections if you just run it for the sake of running it.



#4 noknojon


Posted 23 June 2014 - 08:22 PM

Lycos search engine / And Email are still Very Active after about 10 years.

If you are not able to remove it, try these links for reading and help

* How to Disable Extensions in Google Chrome - How to Uninstall Extensions in Google Chrome
* How To Disable Individual Plug-ins in Google Chrome <- try only if the above does not work

Please download and run RKill by Grinler.
A black DOS box will briefly flash and then disappear.
This is normal and indicates the tool ran successfully.

Please Copy / Paste the small log back here

Important: Do not reboot your computer until you complete the next step.

Now

Download AdwCleaner by Xplode and save to your Desktop.

• Double-click on AdwCleaner.exe to run the tool.
• Vista/Windows 7/8 users right-click and select Run As Administrator
• Click on the Scan button.
• AdwCleaner will begin...be patient as the scan may take some time to complete.
• When it's done you'll see: Pending: Uncheck any elements you don't want removed.
• Now click on the Report button... (only once) a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
• Look over the log especially under Files/Folders for any program you want to save.
• If there's a program you want to save, just uncheck it from AdwCleaner.
• If you're not sure, post the log for review.
NOW : If you're ready to clean it all up.....click the Clean button. (only once)

• You must confirm several times with OK to clean and Reboot your system
• After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
Copy and paste the contents of that logfile in your next reply.
 

• A copy of that logfile will also be saved in the C:\AdwCleaner folder.
• Items that are deleted are moved to the Quarantine Folder: C:\AdwCleaner\Quarantine
• To restore an item that has been deleted (if necessary):
• Go to Tools > Quarantine Manager > check what you want restored > now click on Restore.



#5 userinnorthamerica


Posted 23 June 2014 - 08:46 PM

Hi,

This is a response to your first reply:

I'll take these answers one at a time.
 
All I can find at this point from Malwarebytes is a log from a quick scan that found one file.  I saved this.  I can not see and don't know where to look for the earlier logs that came from 1.75 before it was replaced with the latest version.
 
If you can tell me where I should be able to find these old run logs, let me know.  But I don't know where to look.
 
Here are
1.  The last log from MWB 1.75 showing one file that I deleted. It was sitting in the Recycle Bin.
2.  Output from Symantec.  The version has not changed and I can go back and read these.

----------------------
1.  MWB 1.75 Output

Malwarebytes Anti-Malware (PRO) 1.75.0.1300
www.malwarebytes.org

Database version: v2014.06.22.01

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.17126
NetworkAdministrator :: LAWRENCE-XPRES [administrator]

Protection: Enabled

6/22/2014 12:43:44 PM
mbam-log-2014-06-22 (12-43-44).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 360535
Time elapsed: 12 minute(s), 41 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\$Recycle.Bin\S-1-5-21-1115961802-3937983802-623238440-1000\$RQWSAWO.exe (PUP.Optional.OptimumInstaller.A) -> No action taken.

(end)
----------------------

2.  Symantec Log Entries

 
2.1.  Detail Entries that are displayed when you look at the log

[SID: 27678] System Infected: Trojan.Miuref Activity 2 detected.
Traffic has been blocked from this application: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

[SID: 27678] System Infected: Trojan.Boaxxe Activity 2 detected.
Traffic has been blocked from this application: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

[SID: 27678] System Infected: Trojan.Boaxxe Activity 2 detected.
Traffic has been blocked from this application: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
2.2. Line item entries that correspond to the above detail entries
6/22/2014 12:01:50 PM    Intrusion Prevention    Critical    Outgoing    TCP    107.20.187.56    00-00-00-00-00-00    10.0.0.3    70-F1-A1-E5-43-54    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe    richkatz    LAWRENCE-XPRES    Default    1    6/22/2014 12:00:47 PM    6/22/2014 12:00:47 PM   


6/21/2014 5:52:06 PM    Intrusion Prevention    Critical    Outgoing    TCP    107.20.187.56    00-00-00-00-00-00    10.0.0.3    70-F1-A1-E5-43-54    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe    richkatz    LAWRENCE-XPRES    Default    1    6/21/2014 5:51:02 PM    6/21/2014 5:51:02 PM   


6/21/2014 9:30:58 AM    Intrusion Prevention    Critical    Outgoing    TCP    54.225.134.94    00-00-00-00-00-00    10.0.0.3    70-F1-A1-E5-43-54    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe    richkatz    LAWRENCE-XPRES    Default    1    6/21/2014 9:29:55 AM    6/21/2014 9:29:55 AM   
------------------------------------
I will run a full scan with Symantec Endpoint and see if it comes up with anything. 
 
Do you know where the logs from the previous MWB version would be kept?  I have looked around but I don't see them and they don't come up in the UI. 

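As an added example (not part of the thread, and not a Symantec tool), the three tab-separated Symantec Endpoint Protection "Intrusion Prevention" rows pasted above can be parsed and grouped by blocking process and remote host, so that a host the browser was repeatedly blocked from reaching across several days stands out from a one-off bad ad. The column names are an assumption inferred from the visible values; check them against your own SEP export.

```python
from datetime import datetime

TIME_FMT = "%m/%d/%Y %I:%M:%S %p"

# Assumed column order, inferred from the values visible in the pasted rows;
# verify against your own SEP export before relying on it.
FIELDS = ("time", "event", "severity", "direction", "protocol",
          "remote_ip", "remote_mac", "local_ip", "local_mac",
          "application", "user", "computer", "location",
          "occurrences", "begin", "end")

CHROME = r"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"


def _row(time, remote_ip, begin):
    """Build one tab-separated row in the shape of the pasted log lines."""
    return "\t".join([time, "Intrusion Prevention", "Critical", "Outgoing",
                      "TCP", remote_ip, "00-00-00-00-00-00", "10.0.0.3",
                      "70-F1-A1-E5-43-54", CHROME, "richkatz",
                      "LAWRENCE-XPRES", "Default", "1", begin, begin]) + "   "


# Constructed sample: the three rows from the post, re-joined with tabs
# (the export leaves trailing spaces on each row; parse_rows tolerates that).
SAMPLE_LOG = "\n".join([
    _row("6/22/2014 12:01:50 PM", "107.20.187.56", "6/22/2014 12:00:47 PM"),
    _row("6/21/2014 5:52:06 PM", "107.20.187.56", "6/21/2014 5:51:02 PM"),
    _row("6/21/2014 9:30:58 AM", "54.225.134.94", "6/21/2014 9:29:55 AM"),
])


def parse_rows(text):
    """Parse tab-separated SEP rows into dicts; reject rows with a bad column count."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = [p.strip() for p in line.split("\t")]
        if len(parts) != len(FIELDS):
            raise ValueError(f"expected {len(FIELDS)} columns, got {len(parts)}")
        rec = dict(zip(FIELDS, parts))
        for key in ("time", "begin", "end"):
            rec[key] = datetime.strptime(rec[key], TIME_FMT)
        rec["occurrences"] = int(rec["occurrences"])
        rows.append(rec)
    return rows


def summarize_blocks(rows):
    """Group outgoing blocks by (application, remote IP): hits, first/last, days."""
    summary = {}
    for r in rows:
        if r["direction"] != "Outgoing":
            continue
        key = (r["application"], r["remote_ip"])
        s = summary.setdefault(key, {"hits": 0, "first": r["begin"],
                                     "last": r["end"], "days": set()})
        s["hits"] += r["occurrences"]
        s["first"] = min(s["first"], r["begin"])
        s["last"] = max(s["last"], r["end"])
        s["days"].add(r["begin"].date())
    return summary


def repeat_hosts(summary):
    """Remote IPs a process was blocked from reaching on more than one day.

    One hit fits a single bad ad; hits on several days are the pattern worth
    checking against browser extensions and startup items, as the thread does."""
    return sorted({ip for (_, ip), s in summary.items() if len(s["days"]) > 1})
```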

#6 noknojon


Posted 23 June 2014 - 09:27 PM

No problems -

I am a bit busy, but a brief reply >> Files Detected: 1
C:\$Recycle.Bin\S-1-5-21-1115961802-3937983802-623238440-1000\$RQWSAWO.exe (PUP.Optional.OptimumInstaller.A) -> No action taken.

This should have been Removed / Deleted, as it is an Add-on that can cause minor problems.

 

There are several simple programs like "Recuva" that may find the old recent files, or I will ask at Malwarebytes for you.



#7 userinnorthamerica


Posted 24 June 2014 - 08:55 PM

Reply to 2nd message:

Re: Lycos.  This is just what the link said it was (why I put it in quotes).  In reality the two sites are from aws.amazon.com

Thanks for the info on getting rid of Chrome extensions.  

Re Rkill Log:

Program started at: 06/24/2014 06:18:54 PM in x64 mode.
Windows Version: Windows 7 Professional Service Pack 1
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 * No malware processes found to kill.
 
Checking Registry for malware related settings:
 
 * No issues found in the Registry.
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
 
Performing miscellaneous checks:
 
 * Windows Defender Disabled
 
   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001
 
Checking Windows Service Integrity:
 
 * Windows Defender (WinDefend) is not Running.
   Startup Type set to: Manual
 
Searching for Missing Digital Signatures:
 
 * No issues found.
 
Checking HOSTS File:
 
 * No issues found.
 
Program finished at: 06/24/2014 06:25:05 PM
Execution time: 0 hours(s), 6 minute(s), and 10 seconds(s)


#8 noknojon


Posted 24 June 2014 - 09:36 PM

If you have updated to the next version of MBAM (2.0.0.2) do not be concerned about old logs, unless it is important to you now.

Please just follow on with any directions and post a report on your current problems once finished -

Important: Do not reboot your computer until you complete the next step.

Now: Download AdwCleaner by Xplode and save to your Desktop.

Etc - etc - etc - as per original post.

NOW : If you're ready to clean it all up.....click the Clean button. (only once)

• You must confirm several times with OK to clean and Reboot your system
• After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
Copy and paste the contents of that logfile in your next reply.



#9 userinnorthamerica


Posted 24 June 2014 - 10:31 PM

Ok.  I did have to hibernate it.  Is that OK?

Otherwise, I'm ready to continue.

Thanks


#10 noknojon


Posted 24 June 2014 - 10:42 PM

Continue - The option to not reboot is if it finds something .......



#11 userinnorthamerica


Posted 24 June 2014 - 10:43 PM

If hibernating in between is no problem, I'll start the next step.  Otherwise I can repeat Rkill although it found nothing.

But we had to go out. This is on a laptop and it has a lot of files.  So any time something says it might take a while I assume that means 4 to 14 hours.

Thanks


Continue - The option to not reboot is if it finds something .......

OK.



#12 userinnorthamerica


Posted 24 June 2014 - 11:06 PM

It didn't find any objects. I ran clean, rebooted and it came back up.

Is there supposed to be anything else?

Thanks!



#13 userinnorthamerica


Posted 24 June 2014 - 11:13 PM

Re:
After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.

Here's this log file:


# AdwCleaner v3.213 - Report created 24/06/2014 at 20:49:15
# Updated 23/06/2014 by Xplode
# Operating System : Windows 7 Professional Service Pack 1 (64 bits)
# Username : NetworkAdministrator - LAWRENCE-XPRES
# Running from : C:\Users\xxx\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\Program Files (x86)\Common Files\Spigot
Folder Deleted : C:\Users\xxx\AppData\Local\Google\Chrome\User Data\Default\Extensions\cknebhggccemgcnbidipinkifmmegdel
File Deleted : C:\Users\xxx\AppData\Roaming\Mozilla\Firefox\Profiles\ijexj2xe.default\Extensions\{c0c9a2c7-2e5c-4447-bc53-97718bc91e1b}.xpi

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\AppID\WLXQuickTimeShellExt.DLL
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\BingBar_RASMANCS

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17126


-\\ Mozilla Firefox v15.0.1 (en-US)

[ File : C:\Users\NetworkAdministrator\AppData\Roaming\Mozilla\Firefox\Profiles\tu15sqc9.default\prefs.js ]


[ File : C:\Users\xxx\AppData\Roaming\Mozilla\Firefox\Profiles\ijexj2xe.default\prefs.js ]


-\\ Google Chrome v35.0.1916.153

[ File : C:\Users\xxx\AppData\Local\Google\Chrome\User Data\Default\preferences ]


[ File : C:\Users\NetworkAdministrator\AppData\Local\Google\Chrome\User Data\Default\preferences ]


[ File : C:\Users\xxx\AppData\Local\Google\Chrome\User Data\Default\preferences ]

Deleted [Search Provider] : hxxp://search.aol.com/aol/search?query={searchTerms}
Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}
Deleted [Extension] : cknebhggccemgcnbidipinkifmmegdel

*************************

AdwCleaner[R0].txt - [1747 octets] - [24/06/2014 20:44:22]
AdwCleaner[S0].txt - [1832 octets] - [24/06/2014 20:49:15]

########## EOF - \AdwCleaner\AdwCleaner[S0].txt - [1892 octets] ##########


-------------

Thanks!

#14 noknojon


Posted 24 June 2014 - 11:28 PM

"and post a report on your current problems once finished" -

Only looks like minor bits and pieces that have been cleaned up.

If there are no problems at this time, then whatever was there was removed; just follow clean browsing habits.

I always like to ask you to take 5 minutes and look at Secunia PSI (version 2), and install it if you wish.

Mine is a great help on silently reminding me with updates for Adobe, and many other programs.

Apart from that I see no current problems left -

Edit to add link http://secunia-psi.software.informer.com/


Edited by noknojon, 24 June 2014 - 11:37 PM.
