Possible Malware.


4 replies to this topic

#1 ImBackHerobrine


Posted 16 December 2014 - 08:41 PM

Hi, I recently noticed a file in my Temp folder. I scanned it with MBAM, and it said nothing. I went to VirusTotal instead and I got this:

Avira detected it as ADWARE/MultiPlug.Gen4

ESET-NOD32 detected it as a variant of Win32/Adware.MultiPlug.ED

K7AntiVirus detected it as Unwanted-Program ( 0040f9a71 )

K7GW detected it as Unwanted-Program ( 0040f9a71 )

Panda detected it as Generic Suspicious

VBA32 suspected it as Heur.Malware-Cryptor.Multiplug

 

 

and in behaviors I got scared, as it said:

 

Opened files

C:\eaf4b4f345f804011d1bc844a598f1672947a15f82b14198bba6fb68a1a06086 (successful)
\\.\PIPE\lsarpc (successful)
C:\WINDOWS\system32\winsock.dll (successful)
C:\WINDOWS\system32\drwtsn32.exe (successful)
C:\WINDOWS\system32\netmsg.dll (successful)

Read files

C:\WINDOWS\system32\winsock.dll (successful)

Created processes

C:\WINDOWS\system32\drwtsn32 -p 532 -e 632 -g (successful)

Opened mutexes

ShimCacheMutex (successful)

Runtime DLLs

advapi32.dll (successful)
shell32.dll (successful)
apphelp.dll (successful)
rpcrt4.dll (successful)
shlwapi.dll (successful)
version.dll (successful)
ntdll.dll (successful)
kernel32.dll (successful)

Additional details

The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.

 

Is this malware, or the Multiplug?

Also, in Task Manager, lsass.exe (checked if legit, was real) was using some CPU with Defrag.exe and dllhost.exe running. I tried the tool to remove Poweliks and it said it didn't find it, so it cannot be that.

Also, when I once refreshed this page, I got a redirect to Google.

 

The link to the scan is at:

https://www.virustotal.com/en/file/eaf4b4f345f804011d1bc844a598f1672947a15f82b14198bba6fb68a1a06086/analysis/1418779807/

Thanks!

(EDIT: The thing that was found was a modified version of what it said. The other one is non-modified.)

(EDIT Again: The same file as a shortcut was found on my desktop with the same name. A temp file was found right above it with the same name with no extension, but in properties it said the type of file was YoUtubeADBolocke in Temp.)


Edited by ImBackHerobrine, 16 December 2014 - 09:36 PM.



#2 boopme


Posted 16 December 2014 - 09:45 PM

Hello. This is just a Low/Medium adware:
AVIRA
Virus: ADWARE/MultiPlug.Gen4
Date discovered: 13/09/2014
Type: Adware
In the wild: Yes
Reported Infections: Low to medium
Distribution Potential: Low
Damage Potential: Low
Static file: No
VDF version: 7.11.171.232
Engine version: 8.3.24.26

Adware.Multiplug/Variant is a specific detection used by ESET Antivirus, AVG Internet Security and other antivirus products to indicate and detect a Potentially Unwanted Program.
A potentially unwanted application is a program that contains adware, installs toolbars or has other unclear objectives.

Adware.Multiplug/Variant is technically not a virus, but it does exhibit plenty of malicious traits, such as rootkit capabilities to hook deep into the operating system, browser hijacking, and in general just interfering with the user experience. The industry generally refers to it as a “PUP,” or potentially unwanted program.
The Adware.Multiplug/Variant infection is used to boost advertising revenue, as in the use of blackhat SEO, to inflate a site’s page ranking in search results.

Adware.Multiplug/Variant got on your computer after you installed freeware software (video recording/streaming, download managers or PDF creators) that had this browser hijacker bundled into its installation. This Potentially Unwanted Program is also bundled within the custom installer on many download sites (examples: CNET, Brothersoft or Softonic), so if you have downloaded software from these websites, chances are that Adware.Multiplug/Variant was installed during the software setup process.

Adware.Multiplug/Variant is an ad-supported (users may see additional banner, search, pop-up, pop-under, interstitial and in-text link advertisements) cross web browser plugin for Internet Explorer (BHO) and Firefox/Chrome (plugin) and distributed through various monetization platforms during installation. The browser extension includes various features that will modify the default or custom settings of the browser including the home page, search settings and in some cases will modify Internet Explorer’s load time threshold, place a lock file within Firefox to prevent competing software from changing its settings as well as disable the browser’s Content Security Policy in order to allow for cross site scripting of the plugin.
SOURCE


Only 6 out of 54 VirusTotal scanners even flag it, so it's not too serious.


Also run these:

ADW Cleaner

Please download AdwCleaner by Xplode and save to your Desktop.
  • Double-click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • After reviewing the log, click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.
  • Note: The contents of the AdwCleaner log file may be confusing. Unless you see a program name that you recognize and know should not be removed, don't worry about it. If you see an entry you want to keep, return to AdwCleaner before cleaning...all detected items will be listed (and checked) in each tab. Click on each one and uncheck any items you want to keep (except you cannot uncheck Chrome and Firefox preferences lines).



Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

Empty your temp folders using TFC (Temporary File Cleaner)
  • Please download TFC by Old Timer and save it to your desktop.
    alternate download link
  • Save any unsaved work. (TFC will close ALL open programs including your browser!)
  • Double-click on TFC.exe to run it. (If you are using Vista or above, right-click on the file and choose "Run As Administrator".)
  • Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
  • Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway allowing Windows to load normally (not into Safe Mode) to ensure a complete clean.


#3 ImBackHerobrine


Posted 17 December 2014 - 06:05 PM

ADWCleaner:

# AdwCleaner v4.105 - Report created 18/12/2014 at 17:24:58
# Updated 08/12/2014 by Xplode
# Database : 2014-12-16.1 [Live]
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Tyler Shelby - TYLERSMOOSHROOM
# Running from : C:\Users\Tyler Shelby\Downloads\AdwCleaner (1).exe
# Option : Clean
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
Folder Deleted : C:\ProgramData\1277717570941502349
File Deleted : C:\Users\Tyler Shelby\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_static.olark.com_0.localstorage-journal
 
***** [ Scheduled Tasks ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Key Deleted : HKLM\SOFTWARE\Classes\BuyNsave.BuyNsave
Key Deleted : HKLM\SOFTWARE\Classes\BuyNsave.BuyNsave.9
Key Deleted : HKLM\SOFTWARE\Classes\.
Key Deleted : HKLM\SOFTWARE\Classes\..9
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{60eef669-9c55-456a-85e0-6f4445ecd9c3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{a71ff67d-4bba-4702-9583-8bc0b82a483f}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{60eef669-9c55-456a-85e0-6f4445ecd9c3}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a71ff67d-4bba-4702-9583-8bc0b82a483f}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{60eef669-9c55-456a-85e0-6f4445ecd9c3}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{a71ff67d-4bba-4702-9583-8bc0b82a483f}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{60eef669-9c55-456a-85e0-6f4445ecd9c3}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{a71ff67d-4bba-4702-9583-8bc0b82a483f}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{60eef669-9c55-456a-85e0-6f4445ecd9c3}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{a71ff67d-4bba-4702-9583-8bc0b82a483f}
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{2318C2B1-4965-11D4-9B18-009027A5CD4F}]
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{60eef669-9c55-456a-85e0-6f4445ecd9c3}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{a71ff67d-4bba-4702-9583-8bc0b82a483f}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{60eef669-9c55-456a-85e0-6f4445ecd9c3}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a71ff67d-4bba-4702-9583-8bc0b82a483f}
Key Deleted : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2537}
Key Deleted : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472F-A0FF-E1416B8B2E3A}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2537}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472F-A0FF-E1416B8B2E3A}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2537}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4820778D-AB0D-6D18-C316-52A6A0E1D507}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{842C4394-47F7-60DE-480B-C09116B63559}
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v11.0.9600.17496
 
 
-\\ Google Chrome v39.0.2171.95
 
[C:\Users\Tyler Shelby\AppData\Local\Google\Chrome\User Data\Default\preferences] - Deleted [Extension] : fpmeembnagmagppkgghhfjfdfajdfcah
 
*************************
 
AdwCleaner[R0].txt - [1502 octets] - [31/07/2014 17:02:22]
AdwCleaner[R1].txt - [283 octets] - [31/07/2014 18:28:07]
AdwCleaner[R2].txt - [997 octets] - [31/07/2014 18:49:05]
AdwCleaner[R3].txt - [1051 octets] - [08/08/2014 11:46:07]
AdwCleaner[R4].txt - [1126 octets] - [22/09/2014 12:37:23]
AdwCleaner[R5].txt - [4887 octets] - [18/12/2014 17:20:40]
AdwCleaner[S0].txt - [1591 octets] - [31/07/2014 17:09:51]
AdwCleaner[S1].txt - [4285 octets] - [18/12/2014 17:24:58]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [4345 octets] ##########


#4 ImBackHerobrine


Posted 17 December 2014 - 06:18 PM

JRT:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.4.0 (11.29.2014:1)
OS: Windows 7 Home Premium x64
Ran by Tyler Shelby on Thu 12/18/2014 at 17:32:22.83
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
~~~ Services
 
 
 
~~~ Registry Values
 
 
 
~~~ Registry Keys
 
Successfully deleted: [Registry Key - Orphan] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}
Successfully deleted: [Registry Key - Orphan] HKEY_CLASSES_ROOT\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}
Successfully deleted: [Registry Key - Orphan] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}
Successfully deleted: [Registry Key - Orphan] HKEY_CLASSES_ROOT\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}
 
 
 
~~~ Files
 
 
 
~~~ Folders
 
 
 
~~~ Event Viewer Logs were cleared
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Thu 12/18/2014 at 17:40:00.19
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
The file is still there on my desktop and in Temp, so neither found it, but TFC got it.
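Both logs above removed Browser Helper Object registrations by CLSID, in the 32-bit and 64-bit registry views, and JRT flagged some of them as orphans. Here is an added PowerShell check, not from the thread or from either tool, that lists what is still registered after cleaning and resolves each CLSID to the DLL it loads; the function name Get-RegisteredBho is an assumption for this example.

```powershell
# Added example, not from the thread or from AdwCleaner/JRT: enumerate the
# Browser Helper Objects (IE add-ons) registered in both the 64-bit and the
# 32-bit (Wow6432Node) registry views, which are the keys the two logs above
# cleaned, and resolve each CLSID to the DLL that implements it.
$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
$clsidRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID'
)

function Get-RegisteredBho {
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        foreach ($entry in Get-ChildItem -LiteralPath $key) {
            $clsid = $entry.PSChildName
            $name = $null; $dll = $null
            # Walk both class roots: a BHO registered in the 32-bit view keeps
            # its CLSID under Wow6432Node\CLSID.
            foreach ($root in $clsidRoots) {
                $inproc = Join-Path $root "$clsid\InprocServer32"
                if (Test-Path -LiteralPath $inproc) {
                    $dll  = (Get-ItemProperty -LiteralPath $inproc).'(default)'
                    $name = (Get-ItemProperty -LiteralPath (Join-Path $root $clsid)).'(default)'
                    break
                }
            }
            # A BHO key whose CLSID has no InprocServer32 is an orphan, the
            # state JRT reported as "[Registry Key - Orphan]" in the log above.
            $path = if ($dll) { [Environment]::ExpandEnvironmentVariables($dll.Trim('"')) } else { $null }
            [pscustomobject]@{
                View      = if ($key -like '*Wow6432Node*') { '32-bit' } else { '64-bit' }
                CLSID     = $clsid
                Name      = $name
                Dll       = $path
                DllExists = if ($path) { Test-Path -LiteralPath $path } else { $false }
                Orphan    = -not $dll
            }
        }
    }
}

Get-RegisteredBho | Format-Table -AutoSize
```

Reading HKLM needs no elevation; an empty table after cleaning means no BHO is left in either view, while an entry with Orphan set to True is a leftover key of the kind JRT removed.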


#5 boopme


Posted 18 December 2014 - 04:06 PM

Good, should be OK now.



