
SuperAntiSpyware Scan Critical Threat


16 replies to this topic

#1 yamcha

yamcha

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cleveland, Ohio
  • Local time:05:41 PM

Posted 12 July 2015 - 08:57 AM

Could this be a False Positive?

===============================================================

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/11/2015 at 11:45 PM

Application Version : 6.0.1200
Database Version : 11959

Scan type       : Complete Scan
Total Scan Time : 01:13:19

Operating System Information
Windows XP Professional 32-bit, Service Pack 3 (Build 5.01.2600)
Administrator

Memory items scanned      : 311
Memory threats detected   : 0
Registry items scanned    : 37429
Registry threats detected : 0
File items scanned        : 19041
File threats detected     : 1

Trojan.Agent/Gen-Agent
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{7AF7AF49-351A-44EE-9A80-53C545648CDB}\RP1325\A0218540.EXE

============
 End of Log
============
 




#2 Firehouse

Firehouse

  • Members
  • 637 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:41 PM

Posted 12 July 2015 - 09:01 AM

It's a system restore point, nothing bad. If you want to remove it, download Delfix, select the Purge system restore option only, and the problem is solved.


http://www.bleepingcomputer.com/download/delfix/



#3 buddy215

buddy215

  • Moderator
  • 13,517 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:West Tennessee
  • Local time:03:41 PM

Posted 12 July 2015 - 10:26 AM

Before the trojan was copied to a restore point it existed elsewhere. I suggest you do more scans using the two programs below and CCleaner.

 

Use CCleaner to remove Temporary files, program caches, cookies, logs, etc. Use the Default settings. No need to use the Registry Cleaning Tool...risky. Pay close attention while installing and UNcheck offers of toolbars....especially Google.

After install, open CCleaner and run by clicking on the Run Cleaner button in the bottom right corner.

CCleaner - PC Optimization and Cleaning - Free Download

 

Download Malwarebytes' Anti-Malware from Here
Double-click mbam-setup-2.X.X.XXXX.exe to install the application (X's are the current version number).

  • Make sure a checkmark is placed next to Launch Malwarebytes' Anti-Malware, then click Finish.
  • Once MBAM opens, when it says Your databases are out of date, click the Fix Now button.
  • Click the Settings tab at the top, and then in the left column, select Detections and Protections, and if not already checked place a checkmark in the selection box for Scan for rootkits.
  • Click the Scan tab at the top of the program window, select Threat Scan and click the Scan Now button.
  • If you receive a message that updates are available, click the Update Now button (the update will be downloaded, installed, and the scan will start).
  • The scan may take some time to finish, so please be patient.
  • If potential threats are detected, ensure that Quarantine is selected as the Action for all the listed items, and click the Apply Actions button.
  • While still on the Scan tab, click the link for View detailed log, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log is automatically saved by MBAM and can also be viewed by clicking the History tab and then selecting Application Logs.

Hold down Control and click on this link to open ESET OnlineScan in a new window.

  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the esetsmartinstaller_enu.exe icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats".
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats.
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.
  • NOTE: Sometimes if ESET finds no infections it will not create a log.

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#4 yamcha

yamcha
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cleveland, Ohio
  • Local time:05:41 PM

Posted 13 July 2015 - 11:00 AM

 

Before the trojan was copied to a restore point it existed elsewhere. I suggest you do more scans using the two programs below and CCleaner.

 

Use CCleaner to remove Temporary files, program caches, cookies, logs, etc. Use the Default settings. No need to use the Registry Cleaning Tool...risky. Pay close attention while installing and UNcheck offers of toolbars....especially Google.

After install, open CCleaner and run by clicking on the Run Cleaner button in the bottom right corner.

CCleaner - PC Optimization and Cleaning - Free Download

 

Download Malwarebytes' Anti-Malware from Here
Double-click mbam-setup-2.X.X.XXXX.exe to install the application (X's are the current version number).

  • Make sure a checkmark is placed next to Launch Malwarebytes' Anti-Malware, then click Finish.
  • Once MBAM opens, when it says Your databases are out of date, click the Fix Now button.
  • Click the Settings tab at the top, and then in the left column, select Detections and Protections, and if not already checked place a checkmark in the selection box for Scan for rootkits.
  • Click the Scan tab at the top of the program window, select Threat Scan and click the Scan Now button.
  • If you receive a message that updates are available, click the Update Now button (the update will be downloaded, installed, and the scan will start).
  • The scan may take some time to finish, so please be patient.
  • If potential threats are detected, ensure that Quarantine is selected as the Action for all the listed items, and click the Apply Actions button.
  • While still on the Scan tab, click the link for View detailed log, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log is automatically saved by MBAM and can also be viewed by clicking the History tab and then selecting Application Logs.

Hold down Control and click on this link to open ESET OnlineScan in a new window.

  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the esetsmartinstaller_enu.exe icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats".
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats.
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.
  • NOTE: Sometimes if ESET finds no infections it will not create a log.

 

 

ESET was just way too slow. I already have Malwarebytes AM Premium and Emsisoft AM (Anti-Virus) Premium so used those. Scanned again with SuperAntiSpyware after removing the critical threat it listed. It shows as clean now.

 

=========================================================================================================================================

 

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/13/2015 at 11:25 AM

Application Version : 6.0.1200
Database Version : 11959

Scan type       : Custom Scan
Total Scan Time : 00:12:10

Operating System Information
Windows XP Professional 32-bit, Service Pack 3 (Build 5.01.2600)
Administrator

Memory items scanned      : 260
Memory threats detected   : 0
Registry items scanned    : 24444
Registry threats detected : 0
File items scanned        : 4663
File threats detected     : 0

============
 End of Log
============

 

=========================================================================================================================================

 

These 8 findings are needed by a Firefox extension I need and the AT&T Support Plus PC Maintenance Toolbox, so I ignore them every time.

 

Emsisoft Anti-Malware - Version 10.0.0.5532
Last update: 7/13/2015 1:27:16 AM
User account: OWNER-5D2F50F2F\Dell Owner

Scan settings:

Scan type: Malware Scan
Objects: Rootkits, Memory, Traces, Files

Detect PUPs: On
Scan archives: Off
ADS Scan: On
File extension filter: Off
Advanced caching: On
Direct disk access: Off

Scan start:    7/13/2015 10:00:33 AM
C:\Documents and Settings\Dell Owner\Application Data\Mozilla\Firefox\Profiles\a0hndark.default\Extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}      Application.Win32.InstallExt (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{058F0E48-61CA-4964-9FBA-1978A1BB060D}      Application.AdReg (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{18F33C35-8EF2-40D7-8BA4-932B0121B472}      Application.AdReg (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\DNUPDATE      Application.AdReg (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\DNUPDATER.DOWNLOADUIBROWSER      Application.AdReg (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\DNUPDATER.DOWNLOADUIBROWSER.1      Application.AdReg (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\DNUPDATER.DOWNLOADUPDCONTROLLER      Application.AdReg (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\DNUPDATER.DOWNLOADUPDCONTROLLER.1      Application.AdReg (A)

Scanned    73725
Found    8

Scan end:    7/13/2015 10:24:05 AM
Scan time:    0:23:32

 

=========================================================================================================================================

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 7/13/2015
Scan Time: 7:53:40 AM
Logfile: MB Threat Scan.txt
Administrator: Yes

Version: 2.1.8.1057
Malware Database: v2015.07.13.02
Rootkit Database: v2015.07.10.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows XP Service Pack 3
CPU: x86
File System: NTFS
User: Dell Owner

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 490718
Time Elapsed: 1 hr, 42 min, 45 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)



#5 Sintharius

Sintharius

    Bleepin' Sniper


  • Members
  • 5,639 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Netherlands
  • Local time:10:41 PM

Posted 13 July 2015 - 11:43 AM

Hello,

You can whitelist those entries in Emsisoft Anti-Malware so it will stop detecting them. Just run a scan that detects them, then right click each and select Add to whitelist.

It is normal for ESET Online Scanner to take a long time.

#6 buddy215

buddy215

  • Moderator
  • 13,517 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:West Tennessee
  • Local time:03:41 PM

Posted 13 July 2015 - 12:44 PM

C:\Documents and Settings\Dell Owner\Application Data\Mozilla\Firefox\Profiles\a0hndark.default\Extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}      Application.Win32.InstallExt (A)

{635abd67-4fe9-1b23-4f01-e679fa7484c1} Name: Yahoo! Toolbar

Are you sure you want to keep the Yahoo Toolbar?

 

You should remove all of the restore points except the last one. See info below.

 

Remove all but the most recent Restore Point on Windows XP - PC Self Help Articles and Guides - Malwarebytes Forum

 



#7 yamcha

yamcha
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cleveland, Ohio
  • Local time:05:41 PM

Posted 13 July 2015 - 12:53 PM

C:\Documents and Settings\Dell Owner\Application Data\Mozilla\Firefox\Profiles\a0hndark.default\Extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}      Application.Win32.InstallExt (A)

{635abd67-4fe9-1b23-4f01-e679fa7484c1} Name: Yahoo! Toolbar

Are you sure you want to keep the Yahoo Toolbar?

 

You should remove all of the restore points except the last one. See info below.

 

Remove all but the most recent Restore Point on Windows XP - PC Self Help Articles and Guides - Malwarebytes Forum

 

 

That's the AT&T Yahoo bar. I have had no problems with it. I delete all restore points but the most recent every 5 days. It saves lots of space.



#8 buddy215

buddy215

  • Moderator
  • 13,517 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:West Tennessee
  • Local time:03:41 PM

Posted 13 July 2015 - 01:18 PM

Okay.....happy surfin'



#9 Sintharius

Sintharius

    Bleepin' Sniper


  • Members
  • 5,639 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Netherlands
  • Local time:10:41 PM

Posted 13 July 2015 - 01:20 PM

As a final note... Emsisoft's support for Windows XP will end April next year. Please consider that in the meantime.

#10 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 52,092 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:41 PM

Posted 13 July 2015 - 01:28 PM

Could this be a False Positive?
===============================================================

Trojan.Agent/Gen-Agent
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{7AF7AF49-351A-44EE-9A80-53C545648CDB}\RP1325\A0218540.EXE

FYI: The detected _restore{GUID}\RP***\A00*****.xxx file(s) identified by your scan are in the System Volume Information Folder (SVI) which is a part of System Restore. The *** after 'RP' represents a sequential number automatically assigned by the operating system. The ***** after 'A00' also represents a sequential number where the original file(s) were backed up and renamed except for its extension. To learn more about this, refer to:

System Restore is the feature that protects your computer by monitoring a core set of system and application files and by creating backups (snapshots saved as restore points) of vital system configurations, registry and files before changes are made. These restore points can be used to "roll back" your computer to a clean working state in the event of a problem. This makes it possible to undo harmful changes to your system configurations including registry modifications made by software or malware by reverting the operating system's configuration to an earlier date. See What's Restored when using System Restore and What's Not.

The SVI folder is protected by permissions that only allow the system to have access and is hidden by default on the root of every drive, partition or volume including most external drives, and some USB flash drives. For more detailed information, read System Restore Overview and How it works and How antivirus software and System Restore work together.

System Restore is enabled by default and will back up the good as well as malevolent files, so when malware is present on the system it gets included in restore points as an A00***** file. If you only get a detection on a file in the SVI folder, that means the original file was on your system in another location and at some point most likely was removed. However, when you scan your system with anti-virus or anti-malware tools, you may receive an alert that a malicious file was detected in the SVI folder (in System Restore points) but the anti-virus software was unable to remove it. Since the SVI folder is a protected directory, most anti-virus and scanning tools cannot access it to disinfect or delete these files. If not removed, they sometimes can reinfect your system if you accidentally use an old restore point.

If your anti-virus or anti-malware tool cannot move the file(s) to quarantine (or they keep returning as detections), they sometimes can reinfect your system if you accidentally use an old restore point. In order to avoid reinfection and remove these file(s) if your security tools cannot properly remove them, the easiest thing to do after disinfection is Create a New Restore Point to enable your computer to "roll-back" to a clean working state and use Disk Cleanup to remove all but the most recent restore point.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
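The naming scheme quietman7 describes (an `_restore{GUID}\RP<n>\A<seq>.<ext>` path under System Volume Information means a backed-up copy whose original lived elsewhere) is easy to check mechanically when triaging a pile of scanner output. The following Python helper is an added example, not code from the thread or from SUPERAntiSpyware, Emsisoft or Malwarebytes: it parses detection lines in the two log layouts shown above, classifies each hit as a restore-point copy, a registry entry or a live file, and attaches the handling note the thread gives for each. The regular expressions and the `Finding`/`triage`/`advice` names are this example's own assumptions; the sample lines are copied from the scan logs posted above.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Windows XP System Restore copy, named as the thread describes:
#   <drive>:\System Volume Information\_restore{GUID}\RP<n>\A<seq>.<ext>
# RP<n> is the restore-point number; A<seq> replaced the original file name
# and only the extension survives. The pattern is this example's assumption.
SVI_RESTORE_RE = re.compile(
    r"^(?P<drive>[A-Za-z]):\\SYSTEM VOLUME INFORMATION\\_RESTORE\{(?P<guid>[0-9A-F-]{36})\}"
    r"\\RP(?P<rp>\d+)\\A(?P<seq>\d+)(?P<ext>\.[^\\]+)?$",
    re.IGNORECASE,
)
# Emsisoft-style result line: optional "Key: " prefix, the object, two or more
# spaces, the detection name, then a one-letter flag such as "(A)".
EMSISOFT_RE = re.compile(r"^(?:Key:\s+)?(?P<obj>.+?)\s{2,}(?P<det>\S+)\s+\((?P<flag>[A-Z])\)\s*$")


@dataclass
class Finding:
    detection: str
    target: str
    kind: str                            # "restore_point", "registry" or "live_file"
    restore_point: Optional[int] = None  # RP number (restore_point kind only)
    sequence: Optional[int] = None       # A<seq> number (restore_point kind only)


def make_finding(detection: str, target: str) -> Finding:
    """Classify one detected object by where it lives on the system."""
    m = SVI_RESTORE_RE.match(target)
    if m:
        return Finding(detection, target, "restore_point", int(m["rp"]), int(m["seq"]))
    if target.upper().startswith("HKEY_"):
        return Finding(detection, target, "registry")
    return Finding(detection, target, "live_file")


def parse_sas_log(text: str) -> list[Finding]:
    """SUPERAntiSpyware layout: an unindented detection name followed by indented paths."""
    findings: list[Finding] = []
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or set(line.strip()) == {"="}:
            current = None           # blank line or ===== separator closes the group
        elif line[0] not in " \t":
            current = line.strip()   # e.g. Trojan.Agent/Gen-Agent
        elif current is not None:
            findings.append(make_finding(current, line.strip()))
    return findings


def parse_emsisoft_log(text: str) -> list[Finding]:
    """Emsisoft layout: one object and its detection name per line."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        m = EMSISOFT_RE.match(raw.strip())
        if m:
            findings.append(make_finding(m["det"], m["obj"].strip()))
    return findings


def triage(findings: list[Finding]) -> dict[str, int]:
    """Count findings by location; only registry/live_file hits are active on the running system."""
    counts = {"restore_point": 0, "registry": 0, "live_file": 0}
    for f in findings:
        counts[f.kind] += 1
    return counts


def advice(f: Finding) -> str:
    """One-line handling note following the guidance given in the thread."""
    if f.kind == "restore_point":
        return (f"{f.detection}: copy inside restore point RP{f.restore_point}; the original lived "
                "elsewhere. After a clean scan, create a new restore point and purge the older ones.")
    if f.kind == "registry":
        return f"{f.detection}: registry entry {f.target} on the live system; review, then quarantine or whitelist."
    return f"{f.detection}: file present at {f.target}; quarantine and rescan."


# Sample input: lines copied from the SUPERAntiSpyware and Emsisoft logs in this thread.
SAS_SAMPLE = r"""
File items scanned        : 19041
File threats detected     : 1

Trojan.Agent/Gen-Agent
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{7AF7AF49-351A-44EE-9A80-53C545648CDB}\RP1325\A0218540.EXE

============
 End of Log
============
"""
EMSISOFT_SAMPLE = r"""
Scan start:    7/13/2015 10:00:33 AM
C:\Documents and Settings\Dell Owner\Application Data\Mozilla\Firefox\Profiles\a0hndark.default\Extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}      Application.Win32.InstallExt (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\DNUPDATE      Application.AdReg (A)

Scanned    73725
Found    8
"""

if __name__ == "__main__":
    found = parse_sas_log(SAS_SAMPLE) + parse_emsisoft_log(EMSISOFT_SAMPLE)
    for f in found:
        print(advice(f))
    print(triage(found))
```

Run as-is it reports the SVI hit as a restore-point copy (RP1325, sequence 218540) and the two Emsisoft entries as a live file and a registry key, which is exactly the distinction that decides whether a detection needs cleanup on the running system or just a fresh restore point and a purge of the old ones.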

#11 yamcha

yamcha
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cleveland, Ohio
  • Local time:05:41 PM

Posted 14 July 2015 - 11:14 AM

 

Could this be a False Positive?
===============================================================

Trojan.Agent/Gen-Agent
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{7AF7AF49-351A-44EE-9A80-53C545648CDB}\RP1325\A0218540.EXE

FYI: The detected _restore{GUID}\RP***\A00*****.xxx file(s) identified by your scan are in the System Volume Information Folder (SVI) which is a part of System Restore. The *** after 'RP' represents a sequential number automatically assigned by the operating system. The ***** after 'A00' also represents a sequential number where the original file(s) were backed up and renamed except for its extension. To learn more about this, refer to:

System Restore is the feature that protects your computer by monitoring a core set of system and application files and by creating backups (snapshots saved as restore points) of vital system configurations, registry and files before changes are made. These restore points can be used to "roll back" your computer to a clean working state in the event of a problem. This makes it possible to undo harmful changes to your system configurations including registry modifications made by software or malware by reverting the operating system's configuration to an earlier date. See What's Restored when using System Restore and What's Not.

The SVI folder is protected by permissions that only allow the system to have access and is hidden by default on the root of every drive, partition or volume including most external drives, and some USB flash drives. For more detailed information, read System Restore Overview and How it works and How antivirus software and System Restore work together.

System Restore is enabled by default and will back up the good as well as malevolent files, so when malware is present on the system it gets included in restore points as an A00***** file. If you only get a detection on a file in the SVI folder, that means the original file was on your system in another location and at some point most likely was removed. However, when you scan your system with anti-virus or anti-malware tools, you may receive an alert that a malicious file was detected in the SVI folder (in System Restore points) but the anti-virus software was unable to remove it. Since the SVI folder is a protected directory, most anti-virus and scanning tools cannot access it to disinfect or delete these files. If not removed, they sometimes can reinfect your system if you accidentally use an old restore point.

If your anti-virus or anti-malware tool cannot move the file(s) to quarantine (or they keep returning as detections), they sometimes can reinfect your system if you accidentally use an old restore point. In order to avoid reinfection and remove these file(s) if your security tools cannot properly remove them, the easiest thing to do after disinfection is Create a New Restore Point to enable your computer to "roll-back" to a clean working state and use Disk Cleanup to remove all but the most recent restore point.

 

 

I was aware of how Windows restore points also save malware :) I created a new restore point and then deleted the previous one.

Windows XP manual restore points don't really restore all the user's registry hives though, which is why you should use ERUNT to create one that can be used after malware infestation.



#12 yamcha

yamcha
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cleveland, Ohio
  • Local time:05:41 PM

Posted 14 July 2015 - 11:33 AM

As a final note... Emsisoft's support for Windows XP will end April next year. Please consider that in the meantime.

 

I'm aware of that; I really like Emsisoft :(. My license expires in 169 days, so I'll have to pick another, perhaps Avira or Avast.



#13 Sintharius

Sintharius

    Bleepin' Sniper


  • Members
  • 5,639 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Netherlands
  • Local time:10:41 PM

Posted 14 July 2015 - 11:35 AM

From what I know a lot of vendors will stop their support for Windows XP soon - the last vendor to do that would be Webroot (2019).

Have you considered upgrading your OS? :)

#14 yamcha

yamcha
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cleveland, Ohio
  • Local time:05:41 PM

Posted 14 July 2015 - 12:26 PM

From what I know a lot of vendors will stop their support for Windows XP soon - the last vendor to do that would be Webroot (2019).

Have you considered upgrading your OS? :)

 

With 1 meg of RAM? I don't think so. :D I have nothing left after paying for rent, insurance, utilities, phone/internet/cable, food...

I was lucky to get this one and two previous ones for free from a friend who makes a living fixing people's PCs.



#15 Sintharius

Sintharius

    Bleepin' Sniper


  • Members
  • 5,639 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Netherlands
  • Local time:10:41 PM

Posted 14 July 2015 - 12:30 PM

You can consider switching to Linux... Linux is fairly lightweight and is more secure :)

I've heard that some distros are made to ease people's transition from Windows to Linux.



