
Persistent Malware via Free MKV to AVI Converter

5 replies to this topic

#1 Rustum (Members, 41 posts; Cape Town, SA)

Posted 17 September 2014 - 04:14 AM

Operating System: Windows 7 Ultimate (32-bit)
Antivirus: Avira (and now also Emsisoft Internet Security)

Browser: Firefox 32

Hi.

A few days ago I installed "Free MKV to AVI Converter". Unwisely, I hastily clicked through the installation process (Is CNET no longer a trustworthy source?). Almost immediately, Avira alerted me to problem files and I noticed Shopping Pro and Neurowise in my Add/Remove window. Alas, my MBAM software was out of date.


I googled some guidelines and started running the gamut of scans and uninstallers, in sequences given by various guidelines: ADWCleaner, RevoUninstaller, HitmanPro, CCleaner, MBAM (updated), Emsisoft, over and over the last 4 days. Also in Safe Mode. Almost all would report malicious or PUP files, which would be cleaned, but then more files would return after a reboot.


I noticed also that User AppData folders remained hidden even though I've set folder view options to show hidden and system files (the scanning software would often pick up files in these folders). In trying to gain access to these, I foolishly mucked around with user permissions as well and I believe I have made a hash of it. I've also tried installing the MVPS hosts file, as a belated measure and not sure what exactly the malware is aiming at. One time it did replace the original hosts file, but now, when I run the batch file, I get "access denied" messages.

One of these files that persisted especially was a roaming profile for Firefox (prefs.js) but, when reported by ADWCleaner in their Firefox tab, the path and file name is blocked off by 5 hashtags at both ends. E.g.:


##### C:\Users\Guido\AppData\Roaming\Mozilla\Firefox\Profiles\hlvm6kan.default-1410647504070\prefs.js #####

And every now and again Shopping Pro or some other unknown software would reappear in my Add/Remove list. Other names that would be picked up by scanners and removal tools include: Linkury.Gen2, VO Package, Smartbar. I found and deleted, via CCleaner, Installer_geforce in my startup. On some occasions there would be other unknown files in the startup list as well; removed, but they would return.

I've tried restoring my machine to a point before I installed the malware, but Windows was unable to do so. In the meantime, out of desperation (I have a conference paper to write), I started, unwisely I suppose, to run more complicated scanners - Rootkiller before running ADWCleaner etc.

I would reset Firefox, hoping to get rid of that roaming profile, but no go. At some point I would get an error message when trying to open Firefox - that it was already running. I thus uninstalled it, installed an older Firefox, etc., but to no avail. (I'm back with the latest Firefox.)


Finally, last night, I ran scans based on a thread at Bleeping Computer (http://www.bleepingcomputer.com/forums/t/538539/vo-package-virussearch-protect-deleting-control-panel/):


  1. ADWCleaner
  2. SuperAntiSpyware
  3. HitmanPro
  4. Windows Repair (All-in-one)
  5. SuperAntiSpyware
  6. ESET online scanner
  7. MBAM
  8. Junkware Removal Tool
  9. TempFileCleaner

I then ran RogueKiller, Avast Browser Cleanup, and some of the above again. Avira also, which picked up about 70 Linkury.Gen2 files. But ADWCleaner still lists that hash-tagged roaming Firefox profile, so I doubt that, after 4 days of scans, I am rid of the malware.

The question now is: Cleaning via, hopefully, BleepingComputer help, or a reinstallation (and all the user tweaking and Windows updating that that involves)? And also, is it reasonably safe to work on this machine? (My documents are saved on another partition).

Thanks.
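A defender-side check prompted by the prefs.js finding in the post above, written as an added example (it is not from the thread or from any of the tools named): it parses a Firefox prefs.js and flags the homepage, search-engine and add-on preferences that search hijackers typically rewrite. The sample file, the hosts in it, and the trusted allowlists are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed sample prefs.js in the style of the file ADWCleaner flagged; hosts and add-on id are placeholders.
SAMPLE_PREFS = r'''
# Mozilla User Preferences
user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1410647504);
user_pref("browser.startup.homepage", "http://search.example-hijack.test/?src=installer");
user_pref("browser.search.defaultenginename", "Example Hijack Search");
user_pref("keyword.URL", "http://search.example-hijack.test/q?s=");
user_pref("browser.newtab.url", "about:newtab");
user_pref("extensions.enabledAddons", "smartbar%40example-hijack.test:1.0");
'''

# Preferences that search hijackers commonly rewrite, split by value type.
URL_PREFS = {"browser.startup.homepage", "keyword.URL", "browser.newtab.url"}
NAME_PREFS = {"browser.search.defaultenginename", "browser.search.selectedEngine"}
# Assumed allowlists; an operator would tailor these to the site's standard build.
TRUSTED_HOSTS = {"www.google.com", "www.mozilla.org", "duckduckgo.com"}
TRUSTED_ENGINES = {"Google", "DuckDuckGo", "Bing"}

PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*(.+)\);\s*$')


def parse_prefs(text):
    """Map pref name -> value string for every user_pref(...) line; comments are skipped."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if m:
            prefs[m.group(1)] = m.group(2).strip().strip('"')
    return prefs


def suspicious_prefs(text):
    """Return (pref, value, reason) tuples for settings a hijacker may have planted."""
    findings = []
    for name, value in parse_prefs(text).items():
        if name in URL_PREFS:
            # The homepage pref may hold several URLs separated by '|'.
            for url in value.split("|"):
                if url.startswith("about:"):
                    continue  # built-in page, nothing to check
                host = urlparse(url).hostname
                if host not in TRUSTED_HOSTS:
                    findings.append((name, url, f"points at untrusted host {host}"))
        elif name in NAME_PREFS and value not in TRUSTED_ENGINES:
            findings.append((name, value, "default search engine is not on the allowlist"))
        elif name == "extensions.enabledAddons" and value:
            findings.append((name, value, "enabled add-on; confirm it was installed deliberately"))
    return findings
```

Run it against the real profile path (the one ADWCleaner reports) instead of SAMPLE_PREFS; a clean profile should produce an empty list once the allowlists match the machine's normal settings.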




#2 boopme, "To Insanity and Beyond" (Global Moderator, 73,430 posts; NJ USA)

Posted 17 September 2014 - 10:16 AM

Having run all that, we will need a deeper look to see where it's hooked.

Please follow this Preparation Guide, do steps 6,7 and 8 and post in a new topic.
Let me know if all went well.
How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#3 Rustum, Topic Starter (Members, 41 posts; Cape Town, SA)

Posted 17 September 2014 - 10:55 AM

Thanks, Boopme. I will do so in the next day or so (I have that paper to write). And that issue about hidden folders is resolved - I had forgotten to unhide folders on their General Properties tab.

#4 boopme, "To Insanity and Beyond" (Global Moderator, 73,430 posts; NJ USA)

Posted 17 September 2014 - 11:01 AM

Take your time.

#5 Rustum, Topic Starter (Members, 41 posts; Cape Town, SA)

Posted 27 September 2014 - 05:39 AM

Hi Boopme,

It seems I have cleaned out the muck. I eventually tracked down the startup files for the adware, and my anti-virus, MBAM and Emsisoft all report no malicious files. I will in any case be switching to a new machine in the next few weeks, so I'll leave it at that.

Thanks for your time.



#6 boopme, "To Insanity and Beyond" (Global Moderator, 73,430 posts; NJ USA)

Posted 29 September 2014 - 02:33 PM

You're welcome and thanks for coming by!