attack via Windows Explorer



#1 MrHappyPants
Posted 27 September 2017 - 08:57 PM

360 Total Security immediately flashed the following, immediately after installing it:
 
"Process Protection - Suspicious program attempting to execute - The following program is trying to attack the computer via Windows Explorer. Block this activity if it is unrecognized."
"Program: C:\Users\Mary\AppData\Local\cee80d36c2\libcef.dll" (where "Mary" is the computer owner)
"Source: C:\Windows\SysWOW64\explorer.exe"
 
I ran a McAfee Security Scan (full) yesterday, which returned nothing. Then downloaded 360 Total Security, and it immediately begins to flash this, repeatedly. Upon clicking block, the popup box disappears, only to reappear an instant later.
 
Can someone help, please? I've been unable to turn up anything with a google search.
Thanks!

Edit: Moved topic from Windows 8 to the more appropriate forum. Also deleted duplicate topic in Malware Removal Logs forum due to lack of logs included in topic. ~ Animal
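The alert quoted above gives two concrete leads: a DLL in a randomly named folder under AppData\Local, and a 32-bit explorer.exe (C:\Windows\SysWOW64\explorer.exe) as the process loading it. libcef.dll is the Chromium Embedded Framework runtime, which plenty of legitimate software bundles, so the file name alone settles nothing; what matters is who signed it, what else sits in that folder, and which processes have it mapped. On 64-bit Windows the interactive shell is C:\Windows\explorer.exe; a SysWOW64 copy exists but is not normally running, so a 32-bit explorer instance is itself worth looking at. The following PowerShell is an added triage example written for this thread, not part of the original post and not output of 360 Total Security or McAfee. The DLL path is the one quoted in the post; the "Is32Bit" test and the idea that a SysWOW64 explorer is unusual are this example's own assumptions. Run it in an elevated PowerShell on the affected machine.

```powershell
# Added triage example, not from the thread: examine the DLL that 360 Total Security
# flagged and list the explorer.exe instances on the box. Run elevated.
# $FlaggedDll is the path quoted in the post; everything else is generic.
$FlaggedDll = 'C:\Users\Mary\AppData\Local\cee80d36c2\libcef.dll'

function Get-DllTriage {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false }
    }
    $item = Get-Item -LiteralPath $Path -Force
    $sig  = Get-AuthenticodeSignature -FilePath $Path

    # Processes that currently have this exact file mapped. Reading .Modules of a
    # process you lack access to throws, so treat that as "not this process".
    $loaders = foreach ($p in Get-Process) {
        try {
            if ($p.Modules.FileName -contains $Path) { '{0} (PID {1})' -f $p.ProcessName, $p.Id }
        } catch { }
    }

    [pscustomobject]@{
        Path         = $Path
        Exists       = $true
        SizeBytes    = $item.Length
        CreatedUtc   = $item.CreationTimeUtc
        SHA256       = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        SigStatus    = $sig.Status                 # 'Valid' for a vendor-signed CEF build; 'NotSigned' is a red flag here
        Signer       = $sig.SignerCertificate.Subject
        Company      = $item.VersionInfo.CompanyName
        LoadedBy     = $loaders
        SiblingFiles = (Get-ChildItem -LiteralPath $item.DirectoryName -Force).Name
    }
}

function Get-ExplorerInstances {
    # Assumption of this example: the shell should be C:\Windows\explorer.exe;
    # an instance running from SysWOW64 deserves a look at its parent process.
    Get-Process -Name explorer -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Id        = $_.Id
            Path      = $_.Path
            Is32Bit   = ($_.Path -like '*\SysWOW64\*')
            StartTime = $_.StartTime
            ParentPid = (Get-CimInstance Win32_Process -Filter "ProcessId = $($_.Id)").ParentProcessId
        }
    }
}

Get-DllTriage -Path $FlaggedDll | Format-List
Get-ExplorerInstances | Format-Table -AutoSize
```

Do not double-click or "open" the DLL to inspect it; the cmdlets above read it without executing it. The SHA256 and the signer subject are what you would paste into a malware-removal topic, together with the list of sibling files, so that a responder can tell a dropped adware bundle apart from a legitimate CEF-based application.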

#2 dc3
Posted 29 September 2017 - 10:20 AM

IMPORTANT NOTE: Using more than one anti-virus program is not advisable. Why? The primary concern with doing so is due to Windows resource management and significant conflicts that can arise especially when they are running in real-time protection mode simultaneously. Even if one of them is disabled for use as a stand-alone on demand scanner, it can affect the other and cause conflicts. Anti-virus software components insert themselves deep into the operating systems core where they install kernel mode drivers that load at boot-up regardless of whether real-time protection is enabled or not. Thus, using multiple anti-virus solutions can result in kernel mode conflicts causing system instability, catastrophic crashes, slow performance and waste vital system resources. When actively running in the background while connected to the Internet, each anti-virus may try to update their definition databases at the same time. As the programs compete for resources required to download the necessary files this often can result in sluggish system performance or unresponsive behavior.
 
After uninstalling one of the antivirus apps, please do the following.
 
Please download Malwarebytes Anti-Malware 2.2.

1)  Double-click on mbam-setup.exe, then click on Run to install the application, follow the prompts through the installation.

2)  Malwarebytes will automatically open, click on Update Now to update to the newest definitions.

3)  Click on Settings, when Settings opens click on Detection and Protection, then under Non-Malware Protection, click on the down arrow for PUP (Potentially Unwanted Programs) detections and select Treat detections as malware.  Under Detection Options place a check in the box for Scan for rootkits

4)  Click on Scan (next to Settings), then click on Scan Now.  The scan will automatically run now.

5)  When the scan is complete the results will be displayed.  Click on Delete All.

6)  Please post the Malwarebytes log.

To find the Malwarebytes log do the following.  Copy and paste the log in your topic.

*Open Malwarebytes Anti-Malware.
*Click the Scan Tab at the top.
*Click the View detailed log link on the right.
*Click Copy to Clipboard at the bottom...come back to this thread, click Add Reply, then right-click and choose Paste.
*Alternatively, you can click Export and save the log as a .txt file on your Desktop or another location.
*Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
 
 
Please download Malwarebytes Antirootkit, follow the prompts to install it.

In the introduction page you will be asked to agree on the license agreement, by clicking Next you will be agreeing to the terms of the license.

You will be prompted to update the database, click on Update, then Next.

To start the scan click on Scan.

When the scan has completed it will display either Scan Finished: No malware found, or Malware Found.  Click on Next to continue.  

Be sure that each check box has a check in it, and make sure there is a check mark in the Create Restore point box.  Click on Cleanup.  Please click on Yes to restart the computer.
 
Please post the results in your topic.
 
 
Please download AdwCleaner and install it.

When AdwCleaner opens click on Scan to start the scan.

Once the search is complete a list of the pending items will be displayed.  If you see any which you do not want removed, remove the check mark next to it.

If no malicious programs are found you will receive a message informing you of this.
 
Click on Clean to remove the selected items.  If you have any questions about any items in the list please copy and paste the list in your topic so we can review it.  
 
You will receive a message telling you that all programs will be closed so that the infections can be removed.  Click on OK.  The computer will be restarted to complete the cleaning process.
 
When the cleaning process is complete a log of what was removed will be presented.  Please copy and paste this log in your topic.


Please run the ESET OnlineScan

This scan takes quite a long time to run, so be prepared to allow this to run till it is completed.

***Please note. If you run this scan using Internet Explorer you won't need
to download the Eset Smartinstaller.***

ESET Online Scanner

  • Click here to download the installer for ESET Online Scanner and save it to your Desktop.
  • Disable all your antivirus and antimalware software - see how to do that here.
  • Right click on esetsmartinstaller_enu.exe and select Run as Administrator.
  • Place a checkmark in YES, I accept the Terms of Use, then click Start. Wait for ESET Online Scanner to load its components.
  • Select Enable detection of potentially unwanted applications.
  • Click Advanced Settings, then place a checkmark in the following:
    • Remove found threats
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click Start to begin scanning.
  • ESET Online Scanner will start downloading signatures and scan. Please be patient, as this scan can take quite some time.
  • If threats are found click on Save to text file in Documents.
  • Open Documents, find the report, copy and paste it in your topic.

Edited by dc3, 29 September 2017 - 10:21 AM.

Family and loved ones will always be a priority in my daily life.  You never know when one will leave you.
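The warning at the top of the post above, that two real-time antivirus engines should not coexist, is easy to verify before uninstalling anything: Windows Security Center keeps a registry of every antivirus product that has announced itself to the OS. The following PowerShell is an added example for this thread, not part of dc3's post and not a Malwarebytes or ESET tool. It queries the real WMI class root/SecurityCenter2:AntiVirusProduct (present on client Windows since Vista, absent on Server SKUs) and warns when more than one product reports real-time protection on. The productState bit decoding (middle byte 10/11 = enabled, low byte 00 = definitions current) is the commonly documented layout and is an assumption of this example, not something the thread states.

```powershell
# Added example, not from the thread: list the antivirus products registered with
# Windows Security Center and flag the case of more than one real-time engine.
# Decoding of productState is an assumption (commonly documented byte layout):
#   0xAABBCC  BB = 10/11 -> real-time on, 00/01 -> off;  CC = 00 -> up to date, 10 -> stale
function Get-RegisteredAntivirus {
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct' |
        ForEach-Object {
            $state = '{0:X6}' -f $_.productState
            [pscustomobject]@{
                Product    = $_.displayName
                ExePath    = $_.pathToSignedProductExe
                StateHex   = $state
                RealTimeOn = (@('10', '11') -contains $state.Substring(2, 2))
                UpToDate   = ($state.Substring(4, 2) -eq '00')
                Timestamp  = $_.timestamp
            }
        }
}

function Test-SingleRealTimeEngine {
    # Returns $true when at most one product has real-time protection enabled.
    $active = @(Get-RegisteredAntivirus | Where-Object RealTimeOn)
    if ($active.Count -gt 1) {
        Write-Warning ("{0} real-time engines registered: {1}" -f $active.Count, ($active.Product -join ', '))
        return $false
    }
    return $true
}

Get-RegisteredAntivirus | Format-Table -AutoSize
Test-SingleRealTimeEngine
```

A product that still appears here after being uninstalled (stale timestamp, executable path that no longer exists) is a sign the uninstall did not complete and the vendor's removal tool is needed; the kernel drivers dc3 describes are exactly what a half-removed product leaves behind.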

 

 

 

 


#3 MrHappyPants (Topic Starter)

Posted 30 September 2017 - 09:11 AM

You're right regarding the conflicting antivirus programs, of course. I've always heard the same. I hadn't planned on keeping the 360, just using it to double check the subscription-package "Suite" the owner has, from McAfee.

 

Or had, I should say. After running a complete Full Scan, from the McAfee, as well as scanning some selected files individually, to double check...the McAfee scan turned up exactly nothing.

 

Then lo and behold...the first scan I ran with Malwarebytes turned up two trojans, several rootkits, and even more "PUPs" of a variety I'm not familiar with (though that doesn't mean anything, I'm only just what could be considered tech-literate, after all).

 

So many thanks are in order, just off the top.

 

One small wrinkle, however-Is it possible that you and I have different versions of the Malwarebytes program? I downloaded mine via this site, and did nothing more to alter it, however several potentially important details are not only different, in several instances, but several options your instructions specified were unavailable in my version, or at least, I wasn't able to divine their location, myself, even after searching for them amongst the program settings, etc.

 

From your instructions, above

To wit:

 

"3)  Click on Settings, when Settings opens click on Detection and Protection, then under Non-Malware Protection, click on the down arrow for PUP (Potentially Unwanted Programs) detections and select Treat detections as malware.  Under Detection Options place a check in the box for Scan for rootkits"

 

My version offered no "Detection" category, to click, at all, at least not that I could find. And as for the Protection category, it did list the "PUP", as an option, but only on a "tile-select" function that included only the further options of "register as threat" and "ignore" (or words to that effect). Unfortunately I neglected to begin my reply until after I ran the scan, and as I don't want to disturb the scan results, until I hear back from you, I can't access the original prescan menus, for the exact descriptions. I did locate the Scan for rootkits option, however, though the fact that it wasn't located in the place your instructions set forth, contributes to my suspicion that we may be working from different versions of the program.

 

Which is the reason I haven't acted on the scan...as my version does not include options you stipulated, specifically the "create a restore point"

4)  Click on Scan (next to Settings), then click on Scan Now.  The scan will automatically run now.

5)  When the scan is complete the results will be displayed.  Click on Delete All."

 

...So I did none of those things. Just left the scan results and notice sitting, as is, to await your forthcoming instructions, as my version seems to differ in the options provided post-scan as well, namely

 

..."When the scan has completed it will display either Scan Finished: No malware found, or Malware Found.  Click on Next to continue.  

Be sure that each check box has a check in it, and make sure there is a check mark in the Create Restore point box.  Click on Cleanup.  Please click on Yes to restart the computer.
 
Please post the results in your topic."

 

I was unable to include the screenshot of the resulting scan/utility menu, as I couldn't locate an attachment function in the reply, that would attach, and it wouldn't paste, directly

The result is a scan including rootkits, and including PUPs as a threat. Those were the only options I could find.

 

But the options provided as regards the scan results only extended to "save results", "cancel", and "quarantine". No "delete", "create restore point", nor "cleanup" options were provided on my version, at least not that I could discover, in looking.

 

Have I goofed? Do I need to go back and change the parameters, and rescan?

 

I've downloaded the Malwarebytes Anti-Rootkit and AdwCleaner, as well, but haven't run them for the same reason-hoping to hear back from you first with further instructions, before I screw anything up.

 

Again, many many thanks for your detailed, thorough and prompt assistance. Hope you have a chance to get back to me as soon as possible.

 

Cheers

 

Here's the log:

 

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 9/29/17
Scan Time: 5:38 PM
Log File: f39e2f30-a566-11e7-8fe6-00ffcf58dc79.json
Administrator: Yes

-Software Information-
Version: 3.2.2.2029
Components Version: 1.0.188
Update Package Version: 1.0.2917
License: Trial

-System Information-
OS: Windows 8.1
CPU: x64
File System: NTFS
User: CrappyPC\Mary

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 316627
Threats Detected: 11
Threats Quarantined: 0
(No malicious items detected)
Time Elapsed: 6 min, 7 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 2
Rootkit.Fileless.MTGen, HKU\S-1-5-21-1992209377-382255440-3143550161-1001_Classes\38207d93\SHELL\OPEN\COMMAND, No Action By User, [1378], [261826],1.0.2917
Rootkit.Fileless.MTGen, HKU\S-1-5-21-1992209377-382255440-3143550161-1001_Classes\cqekijyt\SHELL\OPEN\COMMAND, No Action By User, [1378], [261826],1.0.2917

Registry Value: 4
Rootkit.Fileless.MTGen, HKU\S-1-5-21-1992209377-382255440-3143550161-1001_Classes\38207d93\SHELL\OPEN\COMMAND|, No Action By User, [1378], [261826],1.0.2917
Rootkit.Fileless.MTGen, HKU\S-1-5-21-1992209377-382255440-3143550161-1001_Classes\cqekijyt\SHELL\OPEN\COMMAND|, No Action By User, [1378], [261826],1.0.2917
Trojan.Fileless.MTGen, HKU\S-1-5-21-1992209377-382255440-3143550161-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|^PYOG, No Action By User, [364], [262349],1.0.2917
Trojan.Fileless.MTGen, HKU\S-1-5-21-1992209377-382255440-3143550161-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|^AGEC, No Action By User, [364], [262349],1.0.2917

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 2
PUP.Optional.Converter, C:\Users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\obg29jn7.default\jetpack\@Converter\simple-storage, No Action By User, [7828], [386988],1.0.2917
PUP.Optional.Converter, C:\USERS\MARY\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\OBG29JN7.DEFAULT\JETPACK\@CONVERTER, No Action By User, [7828], [386988],1.0.2917

File: 3
PUP.Optional.Converter, C:\USERS\MARY\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\OBG29JN7.DEFAULT\EXTENSIONS\@CONVERTER.XPI, No Action By User, [7828], [386989],1.0.2917
PUP.Optional.Converter, C:\Users\Mary\AppData\Roaming\Mozilla\Firefox\Profiles\obg29jn7.default\jetpack\@Converter\simple-storage\store.json, No Action By User, [7828], [386988],1.0.2917
PUP.Optional.OpenCandy, C:\USERS\MARY\DESKTOP\M\MARCO\HIJACKTHIS-D2C.EXE, No Action By User, [520], [297667],1.0.2917

Physical Sector: 0
(No malicious items detected)


(end)
This is a screen shot of the finished scan.
 


Edited by MrHappyPants, 30 September 2017 - 09:39 AM.
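Two things in the log above are worth drawing out. First, the header shows Malwarebytes 3.2.2.2029 with "License: Trial", while the instructions in post #2 describe the 2.2 interface; that accounts for the missing "Delete All" and "Create Restore point" controls the poster describes, since 3.x offers "Quarantine" instead. Second, the non-PUP detections all live in the registry, not on disk: two shell\open\command keys under the user's Software\Classes hive with random-looking names (38207d93, cqekijyt), and two Run values with odd names (^PYOG, ^AGEC), all tagged Fileless.MTGen. The log does not show what those values and commands contain, so nothing here claims what they ran; but the combination of a Run entry and a user-registered class with its own open command is the shape of a script-based loader that keeps its payload in registry data rather than in a file, which is why a file scanner such as the McAfee scan found nothing. The PowerShell below is an added example for this thread, not Malwarebytes logic and not from any post: it enumerates exactly those two locations for the current user and prints the command text so a responder can read it. The two heuristics used to set Flag (a script host or script: URI in the command; a value name with punctuation, or an 8-character lowercase class name) are assumptions of this example and will produce false positives on some machines.

```powershell
# Added example, not from the thread: list HKCU Run values and
# HKCU\Software\Classes\<name>\shell\open\command keys, the two places the
# Malwarebytes log reports, and flag entries that fit a fileless-loader shape.
# Read-only; nothing here deletes or executes anything.
# Heuristics below are this example's assumptions, not Malwarebytes detection logic.
$ScriptHosts = 'mshta|wscript|cscript|powershell|rundll32|regsvr32|javascript:|vbscript:'
$ProviderNoise = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-UserRunEntries {
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    if (-not (Test-Path -LiteralPath $key)) { return }
    (Get-ItemProperty -LiteralPath $key).PSObject.Properties |
        Where-Object { $ProviderNoise -notcontains $_.Name } |
        ForEach-Object {
            $cmd = [string]$_.Value
            [pscustomobject]@{
                Location = 'HKCU Run'
                Name     = $_.Name
                Command  = $cmd
                # value names like ^PYOG, or a command that starts a script host
                Flag     = ($_.Name -match '[^A-Za-z0-9 ._-]') -or ($cmd -match $ScriptHosts)
            }
        }
}

function Get-UserClassOpenCommands {
    Get-ChildItem -Path 'HKCU:\Software\Classes' -ErrorAction SilentlyContinue | ForEach-Object {
        $cmdKey = "$($_.PSPath)\shell\open\command"
        if (Test-Path -LiteralPath $cmdKey) {
            $cmd = [string](Get-ItemProperty -LiteralPath $cmdKey).'(default)'
            [pscustomobject]@{
                Location = 'HKCU Classes'
                Name     = $_.PSChildName
                Command  = $cmd
                # class names like 38207d93 / cqekijyt, or a command that starts a script host
                Flag     = ($_.PSChildName -match '^[a-z0-9]{8}$') -or ($cmd -match $ScriptHosts)
            }
        }
    }
}

function Get-UserPersistenceReport {
    @(Get-UserRunEntries) + @(Get-UserClassOpenCommands) | Sort-Object Flag -Descending
}

$report = Get-UserPersistenceReport
$report | Format-Table Flag, Location, Name, Command -AutoSize
# Full command text of flagged entries, for pasting into a removal topic
$report | Where-Object Flag | ForEach-Object { "{0}\{1}: {2}" -f $_.Location, $_.Name, $_.Command }
```

The same enumeration can be repeated against another user's hive by replacing HKCU: with Registry::HKEY_USERS\<SID> (the log gives the SID as S-1-5-21-1992209377-382255440-3143550161-1001). Copying the printed commands into the removal topic, as text, is more useful to a responder than a screenshot, and it avoids the attachment problem described above.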


#4 dc3

Posted 30 September 2017 - 09:57 AM

You need to start a topic in the Virus, Trojan, Spyware, and Malware Removal Logs forum.  You will need to do the following prior to starting your topic.

Please follow the instructions in the Malware Removal and Log Section Preparation Guide starting at Step 6.

   * If you cannot complete a step, then skip it and continue with the next.
   * In Step 6 there are instructions for downloading and running FRST which will create two logs.

When you have done this, post your logs in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team.

Start a new topic and post your log(s) along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. If you cannot produce any of the required logs...start the new topic anyway. Explain that you followed the Prep. Guide, were unable to create the logs, and describe what happened when you tried to create them. A member of the Malware Removal Team will walk you through, step by step, on how to clean your computer.

After doing this, please reply back in this thread with a link to the new topic so this topic can be closed by a Moderator.

DO NOT bump your new topic. Wait for a response from one of the Malware Response Team Members.  The MRT members look for topics which have not been addressed.  If you bump your topic it will make it appear that your topic is being addressed.



 



 

 

 

 


#5 MrHappyPants (Topic Starter)

Posted 30 September 2017 - 10:57 AM

Again, thanks very much, and will do, straight away.



#6 MrHappyPants (Topic Starter)

Posted 09 October 2017 - 12:32 PM

Unfortunately I must add one more reply/update to this thread, as I don't know where I'd post it otherwise: Whenever I've attempted to download the FRST, my Firefox browser crashes. Not only upon clicking on the direct link from this site...but THEN, after just running a separate google search for a different site to download the program. THEN...Firefox began crashing...WHENEVER I EVEN RAN A SEARCH FOR THE FRST DOWNLOAD. I literally can't even type "FRST Download" into Google search, without my Firefox browser crashing.

 

It's hard to imagine how this could be anything other than malware attempting to prevent me from downloading the program. What do I do now...as to proceed would seem to be dependent upon running the FRST scan?

 

Oh, by the way, I DID run the ESET scan, with the instructions you provided, scanning for PUPs as well as threats, and turned off my other antispyware during same, but it turned up nothing whatsoever.

Curiouser and curiouser indeed.

 

Again, many thanks for your continuing help.


Edited by MrHappyPants, 09 October 2017 - 12:35 PM.


#7 dc3

Posted 09 October 2017 - 12:43 PM

Start the topic and explain that you are having trouble downloading the FRST.  The Malware Removal member who takes this topic will help you the rest of the way.



 

 

 

 


#8 MrHappyPants (Topic Starter)

Posted 09 October 2017 - 03:25 PM

Thanks



#9 hamluis (Moderator)

Posted 09 October 2017 - 04:26 PM

New topic in MRL:  https://www.bleepingcomputer.com/forums/t/659772/frst-download-attempts-crashing-browser-repeatedly-see-post-attack-via-windows/ .

 

This AII topic is now closed to avoid confusion.

 

Louis.


Edited by hamluis, 09 October 2017 - 04:27 PM.




