
Potential Malware: LonelyScreen Airplay Receiver



#1 Zboo

  • Members
  • 6 posts
  • Local time:09:30 PM

Posted 31 January 2017 - 11:04 PM

I am operating Windows 10 on a Lenovo laptop.

 

As a little background to those who may assist me and to those who may find this thread in the future, the reason I am posting is that I recently downloaded and installed some suspicious software. When investigating some potential receiver software that would allow me to mirror my cell phone to my computer monitor, I came across numerous recommendations for the "LonelyScreen Airplay Receiver."  Unfortunately, despite knowing better, I went ahead and downloaded and installed it.  

 

Afterwards, I had second thoughts, and decided to look further into whether or not this software was trustworthy.  The website (lonelyscreen.com) is suspicious for a number of reasons and I believe LonelyScreen might be related to the iSkySoft and Wondershare brand networks, for which the web seems to have plenty of evidence that suggests they potentially push software that's not on the up-and-up.

 

Most alarmingly, I came across this link: https://www.hybrid-analysis.com/sample/221ff2e050170f8ba4d54d8b899ff3824574136099317af113890ac4e01d4588?environmentId=1, which suggests the install is malicious, to put it lightly.

 

So far I can't point to specific symptoms of being infected with any certainty, but I strongly suspect that I could be.  

 

As for the steps I've taken so far, they are a little clumsy due to the fact I wasn't initially convinced I was at risk.  I "uninstalled" the program shortly after installing using the windows "add and remove programs," but this actually left the LonelyScreen executable behind and it was still active on my system (another reason I am suspicious).  I also did a system restore, which I realize is not a virus removal tactic.  Malware Bytes and Iolo System Mechanic show no signs of infection, rootkits, or malware.  

 

So, can someone help me ensure my system is clean?

 

Thank you for any help you can provide and your hard work on these forums.




#2 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,597 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:30 PM

Posted 03 February 2017 - 05:39 PM

Hybrid-analysis indicates the lonelyscreen-win-installer.exe file had suspicious and malicious indicators but that does not necessarily mean it was malware. There are a lot of legitimate programs which may be detected in a similar manner.

How-To Geek has a tutorial for downloading and using LonelyScreen...see here...they are a reputable site which does not recommend or provide links to malware.

Usually when a computer is infected with malware there most likely will be obvious indications (signs of infection and malware symptoms) that something is wrong.

However, we can have you perform a few scans and see what turns up.

Please download Emsisoft Emergency Kit and perform a scan following these instructions.



After the scan completes, copy and paste the contents of EEK's scan log in your next reply.

Please download AdwCleaner and perform a scan following these instructions.


-- Note: The contents of the AdwCleaner log file may be confusing. Unless you see a program name or entry that you recognize and know should not be removed, don't worry about it. If you see an entry you want to keep, return to AdwCleaner before cleaning...all detected items will be listed (and checked) in each tab. Click on and uncheck any items you want to keep.

Copy and paste the contents of AdwCleaner[CX].txt in your next reply.

 


Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.
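An added example, not part of this thread and not code from LonelyScreen, Hybrid Analysis or BleepingComputer: the first post links a Hybrid Analysis report and this reply points out that sandbox indicators alone do not prove a file is malware. The first thing to establish is whether the file on your disk is even the same file that was analysed. The script below hashes a downloaded installer, compares it with the sample ID from the linked report, and reads the file's Authenticode signature. The installer path is a placeholder to replace with your own; the hash is the one from the link in post #1; everything else is this example's own assumption.

```powershell
# Added example (not from the thread): is the installer I downloaded the exact file
# that the public sandbox report describes, and is it signed?
# Assumptions: $InstallerPath is a placeholder; the SHA-256 below is the sample id
# from the Hybrid Analysis link quoted in post #1 of the thread.

param(
    [string]$InstallerPath = "$env:USERPROFILE\Downloads\lonelyscreen-win-installer.exe"  # placeholder path
)

# Sample id from the Hybrid Analysis URL in the thread (SHA-256, lower-case hex).
$KnownSampleHashes = @{
    '221ff2e050170f8ba4d54d8b899ff3824574136099317af113890ac4e01d4588' = 'lonelyscreen-win-installer.exe (Hybrid Analysis sample linked in post #1)'
}

function Test-InstallerSample {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "File not found: $Path"
        return $null
    }

    # A hash match means this is the very file the sandbox analysed, so the report applies.
    # A mismatch means the report describes a different build and says nothing certain
    # about the file you have.
    $hash  = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLowerInvariant()
    $match = $KnownSampleHashes[$hash]

    # Authenticode: an unsigned or invalidly signed installer is one more reason for
    # caution; a valid signature by itself does not prove the program is benign.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    [pscustomobject]@{
        Path            = $Path
        SHA256          = $hash
        MatchesSandbox  = [bool]$match
        SandboxNote     = $match
        SignatureStatus = $sig.Status
        Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    }
}

Test-InstallerSample -Path $InstallerPath | Format-List
```

If MatchesSandbox comes back False, the Hybrid Analysis report is about a different file and you should submit your own copy (or its hash) rather than rely on that report; if it is True, the report's indicators apply to your file, with the caveat from this reply that flagged indicators are not the same thing as confirmed malware.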

#3 Zboo


Posted 03 February 2017 - 09:17 PM

Thank you for the reply.  I will paste the Emsisoft Emergency Kit scan results below.  The AdwCleaner download prompted me to download the newest version, but when I ran the new download link (tool libs:  https://toolslib.net/downloads/finish/1/) through VirusTotal it was claimed to be potentially malicious.  Would you be able to confirm a clean download of the newest version?  

The EEK results:

 

Emsisoft Emergency Kit - Version 12.0
Last update: 2/3/2017 7:02:42 PM
User account: Zoom-PC\Zoom
Computer name: ZOOM-PC
OS version: Windows 10x64 
 
Scan settings:
 
Scan type: Malware Scan
Objects: Rootkits, Memory, Traces, Files
 
Detect PUPs: On
Scan archives: Off
ADS Scan: On
File extension filter: Off
Direct disk access: Off
 
Scan start: 2/3/2017 7:05:46 PM
C:\ProgramData\partner detected: Application.AppInstall (A) []
Key: HKEY_USERS\S-1-5-21-605704067-3502455153-695327866-1001\SOFTWARE\APPDATALOW\SOFTWARE\CONDUIT detected: Application.Toolbar (A) []
Key: HKEY_USERS\S-1-5-21-605704067-3502455153-695327866-1001\SOFTWARE\CONDUIT detected: Application.InstallAd (A) []
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\CONDUIT detected: Application.InstallAd (A) []
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\KT_BHO.KETTLEBHO detected: Application.AdReg (A) []
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\KT_BHO.KETTLEBHO.1 detected: Application.AdReg (A) []
 
Scanned 83654
Found 6
 
Scan end: 2/3/2017 7:43:08 PM
Scan time: 0:37:22


#4 quietman7


Posted 03 February 2017 - 09:39 PM

...The AdwCleaner download prompted me to download the newest version, but when I ran the new download link (tool libs:  https://toolslib.net/downloads/finish/1/) through VirusTotal it was claimed to be potentially malicious.

Bleeping Computer's hosted programs for download are trustworthy, safe and malware-free. However, depending on the product, some anti-virus software and other security scanners may flag certain programs as a threat for a variety of reasons when that is not the case. In these instances the detection is a "false positive" and can be ignored.

Most of the well known specialized tools we use against malware are written by experts/Security Colleagues at various security forums like Bleeping Computer, TechSupport, GeeksToGo, Emsisoft and other similar sites so they can be trusted...this includes any program hosted by BC for download. Unfortunately, many of these tools (or their embedded files) are falsely detected by various anti-virus programs from time to time.

#5 Zboo


Posted 03 February 2017 - 09:47 PM

Got it. I trusted the original BC download. It was just that it subsequently required me to download a new and separate update. I will follow through on your recommendation.

#6 quietman7


Posted 03 February 2017 - 10:08 PM

Ok.

#7 Zboo


Posted 03 February 2017 - 10:32 PM

Here is the adwcleaner log:

 

# AdwCleaner v6.043 - Logfile created 03/02/2017 at 21:27:15
# Updated on 27/01/2017 by Malwarebytes
# Database : 2017-02-03.2 [Server]
# Operating System : Windows 10 Home  (X64)
# Username : Zoom - ZOOM-PC
# Running from : C:\Users\Zoom\Downloads\adwcleaner_6.043 (1).exe
# Mode: Scan
 
 
 
***** [ Services ] *****
 
Service Found:  Partner Service
 
 
***** [ Folders ] *****
 
No malicious folders found.
 
 
***** [ Files ] *****
 
File Found:  C:\END
 
 
***** [ DLL ] *****
 
No malicious DLLs found.
 
 
***** [ WMI ] *****
 
No malicious keys found.
 
 
***** [ Shortcuts ] *****
 
No infected shortcut found.
 
 
***** [ Scheduled Tasks ] *****
 
No malicious task found.
 
 
***** [ Registry ] *****
 
Key Found:  HKLM\SOFTWARE\Classes\protector_dll.Protector
Key Found:  HKLM\SOFTWARE\Classes\protector_dll.Protector.1
Key Found:  HKLM\SOFTWARE\Classes\protector_dll.ProtectorLib
Key Found:  HKLM\SOFTWARE\Classes\protector_dll.ProtectorLib.1
Key Found:  [x64] HKLM\SOFTWARE\Classes\protector_dll.Protector
Key Found:  [x64] HKLM\SOFTWARE\Classes\protector_dll.Protector.1
Key Found:  [x64] HKLM\SOFTWARE\Classes\protector_dll.ProtectorLib
Key Found:  [x64] HKLM\SOFTWARE\Classes\protector_dll.ProtectorLib.1
Key Found:  HKLM\SOFTWARE\Classes\AppID\{28A88B70-D874-4F73-BBBA-9B2B222FB7D6}
Key Found:  HKLM\SOFTWARE\Classes\CLSID\{83FF80F4-8C74-4B80-B5BA-C8DDD434E5C4}
Key Found:  HKLM\SOFTWARE\Classes\TypeLib\{86676E13-D6D8-4652-9FCF-F2047F1FB000}
Key Found:  HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{83FF80F4-8C74-4B80-B5BA-C8DDD434E5C4}
Key Found:  HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{83FF80F4-8C74-4B80-B5BA-C8DDD434E5C4}
Key Found:  HKLM\SOFTWARE\Classes\AppID\kt_bho_dll.dll
 
 
***** [ Web browsers ] *****
 
No malicious Firefox based browser items found.
No malicious Chromium based browser items found.
 
*************************
 
C:\AdwCleaner\AdwCleaner[S0].txt - [1971 Bytes] - [03/02/2017 21:27:15]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [2044 Bytes] ##########


#8 quietman7


Posted 03 February 2017 - 11:10 PM

Now try doing an online scan to see if it finds anything else that the other scans may have missed.

Please perform a scan with Eset Online Anti-virus Scanner.
If using Mozilla Firefox, you will be prompted to download and use the ESET Smart Installer. Just double-click on esetsmartinstaller_enu.exe to install.
Vista/Windows 7/8 users need to run Internet Explorer/Firefox as Administrator.
To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run As Administrator from the context menu.
 

  • Click the green ESET Online Scanner button.
  • Read the End User License Agreement and check the box to accept the terms.
  • Click the Start button.
  • Accept any security warnings from your browser and allow the download/installation of any required files.
  • Under scan settings, check Scan archives and check Remove found threats.
  • Click Advanced settings and select the following:
    • Enable detection of potentially unwanted applications
    • Enable detection of potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click the Start button.
  • ESET will install itself, download virus signature database updates, and begin scanning your computer.
  • Please be patient as the scan can take some time to complete...close all programs and do NOT use the computer while the scan is running.
    If given the option (when threats are found), choose "Quarantine" instead of delete.
  • When the scan completes, push List found threats.
  • Push the Export button, and save the file to your desktop as ESETScan.txt.
  • Push the Back button, then Finish.
  • Copy and paste the contents of ESETScan.txt in your next reply. If no threats are found, there is no option to create a log.

If you have other antivirus, antispyware or anti-malware programs running on your computer, they may intercept the scan being performed by the ESET Online Scanner and hinder performance. You may wish to disable the real-time protection components of your other security software before running the ESET Online Scanner. Remember to turn them back on after you are finished.

ESET Online Scanner FAQs #5

-- Note: If you recognize any of the detections as legitimate programs, it's possible they are "false positives" and you can ignore them or get a second opinion if you're not sure. ESET's detection rate is high and can include legitimate files which it considers suspicious, a Risk Tool, Hacking Tool, Potentially Unwanted Program, a possible threat or even Malware (virus/trojan) when that is not always the case.

 



#9 Zboo


Posted 04 February 2017 - 12:05 AM

I'll run the scan shortly.  I meant to include in my first post that I also ran GMER a few days prior--it returned a few items.  Is it relevant? 

 



#10 quietman7


Posted 04 February 2017 - 07:39 AM

GMER is an older advanced tool that compares the output from system function calls directly into the operating system to output from calls generated by its own functions. We do not use it much any more and when we do, its log is typically asked for in the Virus, Trojan, Spyware, and Malware Removal Logs Forum, not here.

Anyway, nothing of significant concern showing in your logs thus far.



