
Suspicious file temp\rarsfx1\installer.exe


9 replies to this topic

#1 desk7

  • Members
  • 15 posts
  • OFFLINE
  • Local time:03:08 AM

Posted 06 October 2017 - 02:52 PM

Some days ago I noticed that Bitdefender allowed temp\rarsfx1\installer.exe to access the Internet.

This is the notification:

Path: E:temp\rarsfx1\installer.exe (I have a RAMDisk where temp files are stored)

Destination: 192.168.1.1

Protocol: UDP(17)

Port: DNS (17)

 

192.168.1.1 is the administration page of my router.

 

Am I infected?





#2 buddy215

  • Moderator
  • 13,410 posts
  • ONLINE
  • Gender:Male
  • Location:West Tennessee
  • Local time:08:08 PM

Posted 08 October 2017 - 04:52 AM

You don't mention any programs you used to scan for malware or adware...so, use the programs below to clean, remove malware and remove adware. What info you gave is not enough to determine what was installed.

Use CCleaner to remove Temporary files, program caches, cookies, logs, etc. Use the Default settings. No need to use the Registry Cleaning Tool...risky. Pay close attention while installing and UNcheck offers of toolbars....especially Google.

After install, open CCleaner and run by clicking on the Run Cleaner button in the bottom right corner.

CCleaner - PC Optimization and Cleaning - Free Download

 

Malwarebytes - Clean Mode

  • Download and install the free version of Malwarebytes
    Note: If you have Malwarebytes already installed, you don't need to install it again. Simply start from the next bullet point
  • Once Malwarebytes is installed, launch it and let it update its database. You might have to click on the little arrow by Scan Status in the middle right pane for it to do so
  • Once the database update is complete, click on the Scan tab, then select the Threat Scan button and click on Start Scan
  • Let the scan run; the time required to complete the scan depends on your system and computer specs
  • Once the scan is complete, make sure that the first checkbox at the top is checked (which will automatically check every detected item), then click on the Quarantine Selected button
    • If it asks you to restart your computer to complete the removal, do so
  • Click on Export Summary after the deletion (in the bottom-left corner) and select Copy to Clipboard. Paste the content in your next reply

If you are unable to run a scan using MBAM:

Follow the instructions in the thread below. Make sure to download the MBAR linked in it. Let me know if you're not able to launch it and run a scan.
https://forums.malwarebytes.com/topic/198907-requested-resource-is-in-use-error-unable-to-start-malwarebytes/

 

 

Download AdwCleaner by Xplode onto your desktop. (compatible with Windows 7, 8 and 10)

  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Scan button.
  • When the scan has finished click on Clean button.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

Junkware Removal Tool

  • Download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”
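The moderator's point is that the notification alone does not say what the file is. As an added example that is not part of this thread, the following PowerShell gathers the facts a responder would want about the reported file (size, timestamps, version resource, Authenticode signature, SHA-256) before deciding anything; the path is the one from the first post with the missing backslash assumed, and since RarSFX temp folders are short-lived the script handles the file already being gone.

```powershell
# Added example (not from the thread): collect evidence about the file Bitdefender reported.
# Path from the first post; the notification showed "E:temp\..." so a backslash is assumed.
$target = 'E:\temp\rarsfx1\installer.exe'

if (-not (Test-Path -LiteralPath $target)) {
    # Self-extracting archives remove their temp folder when the installer exits,
    # and this user keeps temp on a RAM disk, so absence after a reboot is expected.
    Write-Output "File not present: $target"
    return
}

$item = Get-Item -LiteralPath $target
$sig  = Get-AuthenticodeSignature -FilePath $target
$hash = Get-FileHash -Path $target -Algorithm SHA256

[pscustomobject]@{
    Path          = $item.FullName
    SizeBytes     = $item.Length
    Created       = $item.CreationTime
    Modified      = $item.LastWriteTime
    Company       = $item.VersionInfo.CompanyName   # from the PE version resource, if any
    Product       = $item.VersionInfo.ProductName
    SignerSubject = $sig.SignerCertificate.Subject  # empty when the file is unsigned
    SignatureOK   = $sig.Status                     # 'Valid' = signed by a trusted publisher
    SHA256        = $hash.Hash                      # look this up with your AV vendor or a multi-engine scanner
} | Format-List
```

Paste the resulting object into a reply; the signer and hash are what let a helper say whether the installer is a known product or needs a closer look.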

#3 desk7

  • Topic Starter
  • Members
  • 15 posts
  • OFFLINE
  • Local time:03:08 AM

Posted 08 October 2017 - 09:23 AM

 

Malwarebytes:

Malwarebytes
www.malwarebytes.com
 
-Dettagli log-
Data scansione: 08/10/17
Ora scansione: 16:05
File di log: mb.txt
Amministratore: Sì
 
-Informazioni software-
Versione: 3.1.2.1733
Versione componenti: 1.0.160
Aggiorna versione pacchetto: 1.0.2975
Licenza: Free
 
-Informazioni sistema-
SO: Windows 10 (Build 15063.632)
CPU: x64
File system: NTFS
Utente: ROBERTO\rdima
 
-Riepilogo scansione-
Tipo di scansione: Ricerca elementi nocivi
Risultati: Completata
Elementi analizzati: 479445
Minacce rilevate: 0
(Nessun elemento nocivo rilevato)
Minacce messe in quarantena: 0
(Nessun elemento nocivo rilevato)
Tempo impiegato: 4 min, 10 sec
 
-Opzioni di scansione-
Memoria: Attivata
Esecuzioni automatiche: Attivata
File system: Attivata
Archivi compressi: Attivata
Rootkit: Disattivata
Analisi euristica: Attivata
PUP: Attivata
PUM: Attivata
 
-Dettagli scansione-
Processo: 0
(Nessun elemento nocivo rilevato)
 
Modulo: 0
(Nessun elemento nocivo rilevato)
 
Chiave di registro: 0
(Nessun elemento nocivo rilevato)
 
Valore di registro: 0
(Nessun elemento nocivo rilevato)
 
Dati di registro: 0
(Nessun elemento nocivo rilevato)
 
Flusso di dati: 0
(Nessun elemento nocivo rilevato)
 
Cartella: 0
(Nessun elemento nocivo rilevato)
 
File: 0
(Nessun elemento nocivo rilevato)
 
Settore fisico: 0
(Nessun elemento nocivo rilevato)
 
 
(end)
 
# AdwCleaner 7.0.3.1 - Logfile created on Sun Oct 08 14:14:06 2017
# Updated on 2017/29/09 by Malwarebytes 
# Database: 10-04-2017.1
# Running on Windows 10 Pro (X64)
# Mode: scan
 
***** [ Services ] *****
 
No malicious services found.
 
***** [ Folders ] *****
 
No malicious folders found.
 
***** [ Files ] *****
 
No malicious files found.
 
***** [ DLL ] *****
 
No malicious DLLs found.
 
***** [ WMI ] *****
 
No malicious WMI found.
 
***** [ Shortcuts ] *****
 
No malicious shortcuts found.
 
***** [ Tasks ] *****
 
PUP.Adware.Heuristic, Bitdefender Agent WatchDog_65D6944A0EF74FDAB96E31112AD39864
PUP.Adware.Heuristic, Bitdefender AgentTask_AD394AE64E874073B10A89FEEC305A3C
------I haven't deleted those files because they should belong to the Bitdefender antivirus
 
***** [ Registry ] *****
 
No malicious registry entries found.
 
***** [ Firefox (and derivatives) ] *****
 
No malicious Firefox entries.
 
***** [ Chromium (and derivatives) ] *****
 
No malicious Chromium entries.
 
*************************
 
C:/AdwCleaner/AdwCleaner[S0].txt - [1080 B] - [2017/10/1 21:24:23]
 
 
########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt ##########
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.1.4 (07.09.2017)
Operating System: Windows 10 Pro x64 
Ran by rdima (Administrator) on 08/10/2017 at 16:17:34,90
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
File System: 3 
 
Successfully deleted: C:\ProgramData\1479900070.bdinstall.bin (File) 
Successfully deleted: C:\Users\rdima\AppData\Roaming\wyupdate au (Folder) 
Successfully deleted: C:\WINDOWS\wininit.ini (File) 
 
Deleted the following from C:\Users\rdima\AppData\Roaming\Mozilla\Firefox\Profiles\n2te3p73.default\prefs.js
user_pref(browser.urlbar.suggest.searches, false);
 
 
 
Registry: 0 
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 08/10/2017 at 16:19:02,00
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 


#4 buddy215

  • Moderator
  • 13,410 posts
  • ONLINE
  • Gender:Male
  • Location:West Tennessee
  • Local time:08:08 PM

Posted 08 October 2017 - 09:52 AM

  • Download Security Check by glax24 and save the file to the Desktop
  • Run the tool by accepting all the Security prompts
  • When complete the tool will produce a log file C:\SecurityCheck\SecurityCheck.txt and also copy the contents to the Clipboard
  • Simply paste the log to your reply


#5 desk7

  • Topic Starter
  • Members
  • 15 posts
  • OFFLINE
  • Local time:03:08 AM

Posted 08 October 2017 - 10:05 AM

The program showed me no security prompts.

SecurityCheck by glax24 & Severnyj v.1.4.0.52 [25.07.17]
WebSite: www.safezone.cc
DateLog: 08.10.2017 16:58:51
Path starting: E:\TEMP\SecurityCheck\SecurityCheck.exe
Log directory: C:\SecurityCheck\
IsAdmin: True
User: rdima
VersionXML: 4.66is-07.10.2017
___________________________________________________________________________
 
Windows 10(6.3.15063) (x64) Professional Release: 1703 Lang: Italian(0410)
Installation date OS: 05.04.2017 20:55:07
LicenseStatus: Office 16, Office16O365ProPlusR_Subscription1 edition Timebased activation will expire :66499 minutes
LicenseStatus: Windows®, Professional edition The machine is permanently activated.
Boot Mode: Normal
Default Browser: D:\Program Files (x86)\Mozilla Firefox\firefox.exe
SystemDrive: C: FS: [NTFS] Capacity: [95.4 Gb] Used: [53.3 Gb] Free: [42.1 Gb]
------------------------------- [ Windows ] -------------------------------
Internet Explorer 11.608.15063.0
User Account Control enabled
Automatically download and schedule installation
Windows Update (wuauserv) - The service has stopped
Centro sicurezza PC (wscsvc) - The service is running
Registro di sistema remoto (RemoteRegistry) - The service has stopped
Individuazione SSDP (SSDPSRV) - The service is running
Servizi Desktop remoto (TermService) - The service is running
Gestione remota Windows (WS-Management) (WinRM) - The service has stopped
System Restore Disable
------------------------------ [ MS Office ] ------------------------------
Microsoft Office 2007 v.12.0.6612.1000
---------------------------- [ Antivirus_WMI ] ----------------------------
Windows Defender (disabled and up to date)
Bitdefender Antivirus (enabled and up to date)
---------------------------- [ Firewall_WMI ] -----------------------------
Bitdefender Firewall (enabled)
--------------------------- [ AntiSpyware_WMI ] ---------------------------
Bitdefender Antispyware (enabled and up to date)
Windows Defender (disabled and up to date)
---------------------- [ AntiVirusFirewallInstall ] -----------------------
Bitdefender Total Security v.22.0.10.141
Bitdefender Agent v.21.0.25.59
Bitdefender Device Management v.22.0.8.114
-------------------------- [ SecurityUtilities ] --------------------------
Malwarebytes versione 3.1.2.1733 v.3.1.2.1733
WinPatrol v.33.6.2015.18
--------------------------- [ OtherUtilities ] ----------------------------
7-Zip 16.04 (x64) v.16.04
Foxit Reader v.8.3.2.25013
Microsoft Silverlight 5.1 v.5.1.5001 Warning! Download Update
------------------------------- [ Browser ] -------------------------------
Mozilla Firefox 53.0.2 (x64 it) v.53.0.2 Warning! Download Update
Mozilla Firefox 56.0 (x64 it) v.56.0 Warning! Download Update
Google Chrome v.61.0.3163.100
--------------------------- [ RunningProcess ] ----------------------------
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe v.61.0.3163.100
------------------ [ AntivirusFirewallProcessServices ] -------------------
C:\Program Files\Bitdefender\Bitdefender Security\bdagent.exe v.22.0.10.143
C:\Program Files\Bitdefender\Bitdefender Security\bdwtxag.exe v.22.0.10.143
Bitdefender Product Agent Service (ProductAgentService) - The service is running
C:\Program Files\Bitdefender Agent\ProductAgentService.exe v.21.0.25.56
Bitdefender Desktop Update Service (UPDATESRV) - The service is running
C:\Program Files\Bitdefender\Bitdefender Security\updatesrv.exe v.22.0.10.143
Bitdefender Virus Shield (VSSERV) - The service is running
C:\Program Files\Bitdefender\Bitdefender Security\vsserv.exe v.22.0.12.161
Malwarebytes Service (MBAMService) - The service has stopped
C:\Program Files\Windows Defender\MSASCuiL.exe v.4.11.15063.0
Servizio Windows Defender Antivirus  (WinDefend) - The service has stopped
Servizio Controllo rete di Windows Defender Antivirus (WdNisSvc) - The service has stopped
----------------------------- [ End of Log ] ------------------------------


#6 buddy215

  • Moderator
  • 13,410 posts
  • ONLINE
  • Gender:Male
  • Location:West Tennessee
  • Local time:08:08 PM

Posted 08 October 2017 - 10:16 AM

Check your list of installed programs and if the two Firefox programs are listed then uninstall Mozilla Firefox 53.0.2 (x64 it) v.53.0.2

Firefox 56 should have replaced 53. Odd to see two installs.

Either update Microsoft Silverlight or uninstall....your choice.

Other than the above I don't see anything as a problem. If you haven't noticed any unusual adware or malware action in the computer then I would say you are good to go.


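"Check your list of installed programs" can be done more precisely than through the Control Panel, which is useful here because SecurityCheck reported two Firefox versions and a Silverlight that the user's uninstaller does not show. As an added example that is not part of this thread, this PowerShell reads the same Uninstall registry keys those tools read and marks entries whose install folder no longer exists; the name pattern is an assumption based on the log above.

```powershell
# Added example (not from the thread): list the Uninstall registry entries that
# "Programs and Features" and scanners such as SecurityCheck read, so a stale entry
# (a second Firefox version, a Silverlight leftover) can be identified and confirmed on disk.
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
)

# Product names taken from the SecurityCheck log in this thread; widen as needed.
$pattern = 'Firefox|Silverlight'

$entries = foreach ($root in $uninstallRoots) {
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        if ($p.DisplayName -match $pattern) {
            $loc = $p.InstallLocation
            # A key whose InstallLocation is missing on disk is a leftover registration,
            # not a live install; that is what makes an old version keep showing up.
            $onDisk = if ($loc) { Test-Path -LiteralPath $loc } else { $null }
            [pscustomobject]@{
                DisplayName     = $p.DisplayName
                DisplayVersion  = $p.DisplayVersion
                InstallLocation = $loc
                OnDisk          = $onDisk
                UninstallString = $p.UninstallString
                Key             = $_.Name
            }
        }
    }
}

$entries | Sort-Object DisplayName, DisplayVersion | Format-Table -AutoSize
```

An entry with OnDisk False points at nothing; if its UninstallString still runs, use that, otherwise the registry key itself is the leftover.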

#7 desk7

  • Topic Starter
  • Members
  • 15 posts
  • OFFLINE
  • Local time:03:08 AM

Posted 08 October 2017 - 10:26 AM

I didn't know I had Silverlight installed. Revo Uninstaller doesn't list it. How can I uninstall it?

About Firefox, I have one installed but it seems that Windows still sees an old install.



#8 desk7

  • Topic Starter
  • Members
  • 15 posts
  • OFFLINE
  • Local time:03:08 AM

Posted 08 October 2017 - 11:07 AM

Another question:

Successfully deleted: C:\ProgramData\1479900070.bdinstall.bin (File) 
Successfully deleted: C:\Users\rdima\AppData\Roaming\wyupdate au (Folder) 
 
Are those files important?
 
Thanks for your help and your time!


#9 desk7

  • Topic Starter
  • Members
  • 15 posts
  • OFFLINE
  • Local time:03:08 AM

Posted 08 October 2017 - 11:27 AM

Why is wupdate not running?

Windows Update (wuauserv) - The service has stopped



#10 buddy215

  • Moderator
  • 13,410 posts
  • ONLINE
  • Gender:Male
  • Location:West Tennessee
  • Local time:08:08 PM

Posted 08 October 2017 - 11:50 AM

If Silverlight isn't in the list of installed programs....not a problem. Whatever the scanner found to think it was installed was likely some leftover.

 

Those two items that were deleted....I'm not sure why they were deleted as a search wasn't helpful.

 

As to the update service....the service will be stopped and started by the system as needed, and won't be running all the time.

 

You're welcome...happy surfin'


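The reply above is right that "The service has stopped" for wuauserv is not by itself a problem: on Windows 10 the service is started on demand and stops again when idle. As an added example that is not part of this thread, the following PowerShell shows the setting that actually matters (the start mode must not be Disabled) together with the service's trigger definitions and binary path; it assumes a Windows 10 host with Windows PowerShell 5.1.

```powershell
# Added example (not from the thread): distinguish "stopped because idle" from "disabled"
# for the Windows Update service, and show what starts it.
$name = 'wuauserv'
$svc  = Get-Service -Name $name
$cfg  = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"

[pscustomobject]@{
    Name      = $svc.Name
    Status    = $svc.Status      # Running / Stopped changes as the system starts it on demand
    StartMode = $cfg.StartMode   # Auto / Manual / Disabled is the setting to check
    StartName = $cfg.StartName   # account the service runs as (expect LocalSystem)
    PathName  = $cfg.PathName    # expect svchost.exe under C:\WINDOWS\system32
} | Format-List

# Trigger-start definitions are not exposed by Get-Service; sc.exe prints them.
sc.exe qtriggerinfo $name

if ($cfg.StartMode -eq 'Disabled') {
    Write-Warning "$name is Disabled; updates will not install. Re-enable with: sc.exe config $name start= demand"
}
```

With StartMode Manual (or Auto) and a Stopped status, the log line in the SecurityCheck output is the expected state; only Disabled needs action.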