Malware Packer and detection by Norton Power Eraser


12 replies to this topic

#1 Enterprise256


Posted 14 February 2015 - 08:48 PM

Ran an MBAM scan when I seemingly downloaded a dubious file. Result was a Malware.Packer.CV, and Norton Power Eraser found a file in System32 it was unable to delete.

 

The file it found was wqlhlnn.sys

 

Help is much appreciated at the earliest.

 

EDIT: I haven't launched the .exe file the malware was found in when it got detected.


Edited by Enterprise256, 14 February 2015 - 08:50 PM.




#2 InadequateInfirmity


Posted 14 February 2015 - 09:34 PM

Can you post the entire file location path?

 

Reason I ask is you can boot into safe mode and paste the entire file location into File Assassin; it should delete it.

https://www.malwarebytes.org/fileassassin/



#3 Enterprise256


Posted 14 February 2015 - 09:46 PM

> Can you post the entire file location path?
>
> Reason I ask is you can boot into safe mode and paste the entire file location into File Assassin it should delete it.
>
> https://www.malwarebytes.org/fileassassin/

It was found in C:\Windows\System32

I will locate the file now with File Assassin and report back here in a few.



#4 Enterprise256


Posted 14 February 2015 - 09:52 PM

File is no longer there. Could it be NPE successfully removed it? After that NPE scan in the regular boot environment I booted into safe mode to run system scans again using MBAM and Norton while in safe mode. On that reboot NPE told me it did not successfully fix the problem.

 

MBAM and Norton scans in safemode came back with clean results aside from 4 tracking cookies. Also did a Spybot S&D scan and that deleted more cookies and a couple other low risk items.



#5 InadequateInfirmity


Posted 14 February 2015 - 09:57 PM

While we work on your machine, uninstall Spybot.

 

Download Malwarebytes Anti-Rootkit to your desktop.

  • Double-click the icon to start the tool.
  • It will ask you where to extract; make sure it is on the desktop.
  • Malwarebytes Anti-Rootkit needs to be run from an account with admin rights.
  • Click Next to continue.
  • Then click Update.
  • Once the update is finished, select Next, then Scan.
  • If no malware has been found, at the end of the scan select Exit.
  • If an infection was found, make sure to select all items and click Cleanup.
  • Reboot your machine.
  • Open the MBAR folder and paste the content of the following into your next reply:
    • mbar-log-{date} (xx-xx-xx).txt
    • system-log.txt


 

 
Disable your antivirus prior to running this scan.
 
 
 

  • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the esetsmartinstaller_enu.png icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats".
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats.
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.
  • NOTE: Sometimes if ESET finds no infections it will not create a log.



#6 Enterprise256


Posted 14 February 2015 - 10:02 PM

Should I run those in SafeMode or the regular desktop environment? Also should I have all my storage drives plugged in during the scan?



#7 InadequateInfirmity


Posted 14 February 2015 - 10:16 PM

Normal mode, as far as the devices you may leave them. :)



#8 Enterprise256


Posted 14 February 2015 - 11:28 PM

Still scanning right now, but I'd like to report that it's found "a variant of Win32/Packed.VMProtect.AAA.trojan".

 

Should I stop and do something about it ASAP or let it continue?



#9 InadequateInfirmity


Posted 14 February 2015 - 11:41 PM

Allow the scan to continue; if you stop it, it will not remove the infection.



#10 Enterprise256


Posted 15 February 2015 - 08:22 AM

Here it is.

 

=========================================================

 

Malwarebytes Anti-Rootkit BETA 1.08.3.1004
www.malwarebytes.org
 
Database version:
  main:    v2015.02.15.01
  rootkit: v2015.02.03.01
 
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.17633
ENTERPRISE :: ENTERPRISE-PC [administrator]
 
2/15/2015 11:26:56 AM
mbar-log-2015-02-15 (11-26-56).txt
 
Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled: 
Objects scanned: 399596
Time elapsed: 3 minute(s), 23 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 0
(No malicious items detected)
 
Physical Sectors Detected: 0
(No malicious items detected)
 
(end)
 
====================================================================================================
 
E:\Program Files (x86)\Microsoft Games\Fable III\paul.dll a variant of Win32/Packed.VMProtect.AAA trojan
 
E:\Program Files (x86)\Rockstar Games\Grand Theft Auto IV\LaunchGTAIV.exe Win32/HackTool.Crack.BC potentially unsafe application
 
C:\Program Files (x86)\Microsoft Games\Fable III\paul.dll a variant of Win32/Packed.VMProtect.AAA trojan cleaned by deleting - quarantined
 
C:\Program Files (x86)\Rockstar Games\Grand Theft Auto IV\LaunchGTAIV.exe Win32/HackTool.Crack.BC potentially unsafe application deleted - quarantined
 
C:\Users\Enterprise\AppData\Local\Viber\Helper.dll Win32/Toolbar.SearchSuite.W potentially unwanted application deleted - quarantined
 
C:\Users\Enterprise\AppData\Local\Viber\Uninstall.exe a variant of Win32/Toolbar.SearchSuite.W.gen potentially unwanted application deleted - quarantined
 
C:\Users\Enterprise\Desktop\EZCA-Update-1.16.zip a variant of Win32/Packed.Themida potentially unwanted application deleted - quarantined
 
G:\Games\PC\Installers\Fable.III\sr-fable3.iso a variant of Win32/Packed.VMProtect.AAA trojan deleted - quarantined
 
H:\Software\Sorted Software\Z77 OC Formula Drivers\Done\Marvell_RAID_Win7-64_Win7_Vista64_Vista_XP64_XP(v4.1.0.2002).zip Win32/PrcView potentially unsafe application deleted - quarantined
 
H:\Software\Sorted Software\Z77 OC Formula Drivers\Done\Marvell_RAID_Win7-64_Win7_Vista64_Vista_XP64_XP(v4.1.0.2002)\SATA_Utility(v4.1.0.2002)\MSUSetup.exe Win32/PrcView potentially unsafe application deleted - quarantined
 
H:\Software\Unsorted Software\disk-defrag-setup.exe a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application deleted - quarantined
 
I:\cellphone backups\cloudfone\Download\com.sinyee.babybus.movebubble-1.apk a variant of Android/Domob.G potentially unwanted application deleted - quarantined
 
I:\cellphone backups\cloudfone\Download\com.sinyee.babybus.movebubble.apk a variant of Android/Domob.G potentially unwanted application deleted - quarantined
 

======================================================================================================

 

I'm using junctions, hence why some entries might not have been removed, like the first result. I've checked and it's indeed not there anymore.
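The ESET result lines above come in one shape: a path that may itself contain spaces, an optional "a variant of", a Family/Name signature, a category, and then an action if ESET took one. Entries with no action (the E:\ lines) are the ones to look at after a scan like this, and the poster's junction explanation is exactly the case where such an entry has a quarantined twin under another path. The parser below is an added example, not code from the thread or from ESET: the line format is taken from the log above, the sample lines are constructed after that log, and the D:\ entry is an invented one with no cleaned twin so that the unresolved case is exercised too.

```python
"""Parse ESET Online Scanner result lines and reconcile entries that carry
no action against entries that were quarantined under another path.

Added example, not the poster's log or ESET's tooling. SAMPLE_LOG is
constructed after the thread's log; the D:\\ line is invented.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# "<path> [a variant of ]<Family/Name> <category>[ <action>]"
# Windows paths contain spaces, so the Family/Name signature (the only
# token with a forward slash) is what separates the path from the verdict.
CATEGORIES = (
    "trojan",
    "potentially unsafe application",
    "potentially unwanted application",
)
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<variant>a variant of )?"
    r"(?P<signature>[A-Za-z0-9]+/\S+)\s+"
    r"(?P<category>" + "|".join(CATEGORIES) + r")"
    r"(?:\s+(?P<action>.+?))?\s*$"
)


@dataclass
class Detection:
    path: str
    signature: str
    category: str
    variant: bool
    action: Optional[str]  # None: ESET reported the file but recorded no action

    @property
    def basename(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()

    @property
    def quarantined(self) -> bool:
        return bool(self.action) and "quarantined" in self.action


def parse_line(line: str) -> Optional[Detection]:
    """Parse one result line; separators and blank lines yield None."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return Detection(m["path"], m["signature"], m["category"],
                     m["variant"] is not None, m["action"])


def parse_log(text: str) -> List[Detection]:
    return [d for d in map(parse_line, text.splitlines()) if d is not None]


def reconcile(detections: List[Detection]) -> Tuple[List[Detection], List[Detection]]:
    """Split action-less entries into (unresolved, explained).

    An entry is 'explained' when another entry with the same file name and
    signature was quarantined under a different path, which is what a
    directory junction produces: one file, two paths, one cleanup."""
    cleaned: Dict[Tuple[str, str], List[str]] = defaultdict(list)
    for d in detections:
        if d.quarantined:
            cleaned[(d.basename, d.signature)].append(d.path)
    unresolved: List[Detection] = []
    explained: List[Detection] = []
    for d in detections:
        if d.action is None:
            (explained if (d.basename, d.signature) in cleaned else unresolved).append(d)
    return unresolved, explained


def summary(text: str) -> Dict[str, int]:
    dets = parse_log(text)
    unresolved, explained = reconcile(dets)
    return {
        "detections": len(dets),
        "quarantined": sum(d.quarantined for d in dets),
        "explained_by_twin": len(explained),
        "unresolved": len(unresolved),
    }


SAMPLE_LOG = "\n".join([  # constructed after the thread's log
    "=" * 40,
    r"E:\Program Files (x86)\Microsoft Games\Fable III\paul.dll a variant of Win32/Packed.VMProtect.AAA trojan",
    r"E:\Program Files (x86)\Rockstar Games\Grand Theft Auto IV\LaunchGTAIV.exe Win32/HackTool.Crack.BC potentially unsafe application",
    r"C:\Program Files (x86)\Microsoft Games\Fable III\paul.dll a variant of Win32/Packed.VMProtect.AAA trojan cleaned by deleting - quarantined",
    r"C:\Program Files (x86)\Rockstar Games\Grand Theft Auto IV\LaunchGTAIV.exe Win32/HackTool.Crack.BC potentially unsafe application deleted - quarantined",
    r"C:\Users\Enterprise\AppData\Local\Viber\Helper.dll Win32/Toolbar.SearchSuite.W potentially unwanted application deleted - quarantined",
    r"D:\Backup\old\setup.exe a variant of Win32/Packed.Themida potentially unwanted application",  # invented: no cleaned twin
    "=" * 40,
])

if __name__ == "__main__":
    unresolved, explained = reconcile(parse_log(SAMPLE_LOG))
    for d in explained:
        print("explained (cleaned via another path):", d.path)
    for d in unresolved:
        print("UNRESOLVED, no action recorded:", d.path)
    print(summary(SAMPLE_LOG))
```

Pairing on file name plus signature is deliberately loose: a junction keeps the name, and the signature rules out unrelated files that merely share one. Anything left in the unresolved list is what a helper would still want explained before calling the machine clean.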



#11 InadequateInfirmity


Posted 15 February 2015 - 08:23 PM

Since it seems that we have removed some Ask toolbar remnants, we will run these tools to remove any remaining registry keys.

 

 
Step 1: Junkware Removal Tool.
 
Please download Junkware Removal Tool and save it on your desktop.

  • Shut down your anti-virus, anti-spyware, and firewall software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or Windows 7, right-click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log is saved to your desktop and will automatically open.
  • Please post the JRT log.

Step 2: Adware Cleaner.
 
Please download AdwCleaner by Xplode onto your desktop.


  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Scan button.
  • When the scan has finished click on Clean button.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

 

 

Can you tell me if anything else is wrong with your machine?


Edited by InadequateInfirmity, 15 February 2015 - 08:23 PM.


#12 Enterprise256


Posted 15 February 2015 - 09:14 PM

Here they are:

 

==============================================================

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.4.2 (02.02.2015:1)
OS: Windows 7 Ultimate x64
Ran by Enterprise on Mon 02/16/2015 at 10:02:29.35
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
~~~ Services
 
 
 
~~~ Registry Values
 
 
 
~~~ Registry Keys
 
 
 
~~~ Files
 
 
 
~~~ Folders
 
Successfully deleted: [Folder] "C:\Windows\syswow64\ai_recyclebin"
 
 
 
~~~ FireFox
 
Successfully deleted the following from C:\Users\Enterprise\AppData\Roaming\mozilla\firefox\profiles\hrumfxqr.default\prefs.js
 
user_pref("extensions.lastpass.80728d0d2f91cf7c28c1f815971af93bf58891ad83b2d6a36e49a225d4c1bd43.searchforsiteswithinaddressbar", false);
user_pref("extensions.lastpass.searchforsiteswithinaddressbar", false);
 
 
 
~~~ Event Viewer Logs were cleared
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Mon 02/16/2015 at 10:04:27.98
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
========================================================================
 
# AdwCleaner v4.110 - Logfile created 16/02/2015 at 10:08:53
# Updated 05/02/2015 by Xplode
# Database : 2015-02-14.2 [Server]
# Operating system : Windows 7 Ultimate Service Pack 1 (x64)
# Username : Enterprise - Enterprise-PC
# Running from : C:\Users\Enterprise\Desktop\adwcleaner_4.110.exe
# Option : Cleaning
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
Folder Deleted : C:\Users\Enterprise\AppData\Local\CrashRpt
Folder Deleted : C:\Users\Enterprise\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk
File Deleted : C:\Users\Enterprise\AppData\Roaming\Opera Software\Opera Stable\Local Storage\hxxps_static.olark.com_0.localstorage-journal
 
***** [ Scheduled tasks ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk
Key Deleted : [x64] HKLM\SOFTWARE\Google\Chrome\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk
Data Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] - *.local
 
***** [ Web browsers ] *****
 
-\\ Internet Explorer v11.0.9600.17631
 
 
-\\ Mozilla Firefox v34.0.5 (x86 en-US)
 
 
-\\ Google Chrome v40.0.2214.111
 
[C:\Users\Enterprise\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
[C:\Users\Enterprise\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}
[C:\Users\Enterprise\AppData\Roaming\Opera Software\Opera Stable\Web Data] - Deleted [Search Provider] : hxxp://www.daemon-search.com/search?q={searchTerms}
[C:\Users\Enterprise\AppData\Roaming\Opera Software\Opera Stable\Web Data] - Deleted [Search Provider] : hxxp://www.daemon-search.com/search?q={searchTerms}
 
-\\ Opera v27.0.1689.69
 
[C:\Users\Enterprise\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
[C:\Users\Enterprise\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}
[C:\Users\Enterprise\AppData\Roaming\Opera Software\Opera Stable\Web Data] - Deleted [Search Provider] : hxxp://www.daemon-search.com/search?q={searchTerms}
[C:\Users\Enterprise\AppData\Roaming\Opera Software\Opera Stable\Web Data] - Deleted [Search Provider] : hxxp://www.daemon-search.com/search?q={searchTerms}
 
*************************
 
AdwCleaner[R0].txt - [2013 bytes] - [16/02/2015 10:06:59]
AdwCleaner[S0].txt - [2560 bytes] - [16/02/2015 10:08:53]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [2619  bytes] ##########
 
=====================================================================================
 
I don't think I have any other problems.
 
How would I uninstall and/or remove traces of all the tools we used?


#13 InadequateInfirmity


Posted 18 February 2015 - 05:47 AM

Download System Ninja to remove junk files from your machine. Get the portable version; it must be run from inside the folder.

TooWiz Smart Defrag Obviously to defrag.

Qualys BrowserCheck To update plugins.

Safe Browsing Tool Web of trust to keep away from shady sites.

Unchecky  To avoid bundled software.

Adblock Plus  To browse the web ad free.

Malwarebytes Anti-Exploit To block Zero day attacks.

Malwarebytes | StartUpLITE To disable un-needed start ups.

 

 

 

Download DelFix by "Xplode" to your Desktop.
Right-click the tool and Run as Admin (XP users: double-click).
Put a check mark next to the items below:

  • Remove disinfection tools
  • Create registry backup
  • Purge System Restore

Now click on the "Run" button.
Allow the program to complete its work.
All the tools we used will be removed.
The tool will create and open a log report (DelFix.txt).
Note: The report can be located at the following location: C:\DelFix.txt





