Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Optimizer Pro/PennyBee/DealKeeper Infection?


  • This topic is locked This topic is locked
4 replies to this topic

#1 darkonex

darkonex

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:01:58 PM

Posted 05 August 2014 - 02:22 PM

Wanted to start by stating that I have worked as a Windows system admin for the past 10 years and clean up viruses all the time, and this is one thing I have never seen before and cannot figure this out.  I didn't notice any issues with my PC, I just happened to pull up services for one reason or another, think I was going to disable iTunes helper or something and I noticed an odd one called PennyBee Service and it showed running and claims to be running from c:\program files (x86)\PennyBee.  The really odd thing about it is there is no such folder, and it's not simply hidden it's really not there, or for whatever reason I cannot see it even as a hidden folder.  I can start and stop the service, and it shows running so it has to be somewhere, and even more strange it doesn't show up in Task Manager either.  I ended up finding 3 other odd ones just like this, Util Deal Keeper and Update Deal Keeper showing running from c:\program files (x86)\Deal Keeper and Optimizer Pro Crash Monitor running from c:\program files (x86)\Optimizer Pro\ again which neither one of those folders exist, and you cannot see these tasks running except for under services.

 

I was able to simply switch all of them to disabled and reboot, but somhow the Update Deal Keeper service loads on startup still but the other 3 do not.  I tried running sc delete "Update Deal Keeper" and same on the other services and it claims those services don't exist even though I plainly see them, and am using the correct service name to try deleting.  I have used every tool I could find to search for/clean this stuff including MalwareBytes antimalware and anti root kit, SuperAntiSpyware, Windows Defender, Kaspersky, ESET, McAfee, TDSSKiller, Sophos, McAfee Rootkit Killer, and even if I run WindowexeAllKiller which basically gives you an absolute list of every exe, service,etc running on your system none of these things show up in this list.   I have checked over the entire registry and lookd in scheduled tasks and nothing in there.  Also none of these services show up under the services section in the registry, so whatever this stuff is somehow it's hidden more than anything I've ever seen and I just don't see how this is possible.  

 

Again at this point the only thing actually running is Update Deal Killer service even though it's set to disabled it somehow starts up when I reboot, but the other 3 never start up, and I cannot delete them and the folders/files for these absolutely don't appear to exist.  I'm running Windows 8.1 Pro 64bit.  Any ideas?  I mean I could wipe and start fresh but damn I really don't want to go through all that if I don't have to :)


Edited by darkonex, 05 August 2014 - 02:23 PM.


BC AdBot (Login to Remove)

 


m

#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:02:58 PM

Posted 08 August 2014 - 06:53 AM





Hello darkonex

I would like to welcome you to the Malware Removal section of the forum.

Around here they call me Gringo and I will be glad to help you with your malware problems.

Very Important --> Please read this post completely, I have spent my time to put together somethings for you to keep in mind while I am helping you to make things go easier, faster and smoother for both of us!

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the "Follow This Topic" Button, make sure that the "Receive notification" box is checked and that it is set to "Instantly" - This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planed. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

I would like you to run this program for me.

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatibale with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 darkonex

darkonex
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:01:58 PM

Posted 08 August 2014 - 08:00 AM

I meant to update this yesterday and forgot.  What I found was somehow when I was opening services on my laptop, which was the one I was talking about here, it was connecting automagically to the services on my desktop.  So all the time it was my desktop that was infected and not my laptop.  I've never seen services.msc remember a connection before and just auto connect to it when opening, not sure why it was doing that.  Finally realized that yesterday when I logged into my desktop and actually saw the Optimizer Pro icon on my desktop, my kids had installed some game on it Monday night and obviously it was infested with this junk and I got it all cleaned up.  Thanks though!



#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:02:58 PM

Posted 08 August 2014 - 08:02 AM

Thank you for letting us know.

gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#5 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:02:58 PM

Posted 11 August 2014 - 07:02 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users