
MPK virus, am I still infected?


  • This topic is locked
12 replies to this topic

#1 Bodum
  • Members
  • 34 posts
  • Gender: Male

Posted 26 January 2018 - 05:59 AM

Hello Bleeping Computer and thank you for your help!

 

I know you say not to run ComboFix, but I have used it before and followed your online instructions carefully. I use BitDefender Total Security 2018 as an AV and it found the following threats.

 

(It won't let me post the screenshots. They show .MPK files in the syswow folder.)


After that I ran ComboFix and I was hoping you could read the logs and help me understand if I am still infected, or if there is anything else I should do to check if I am still infected.

 

Thank you!

 

ComboFix logs attached below.


 


#2 nasdaq
  • Malware Response Team
  • 38,950 posts
  • Gender: Male
  • Location: Montreal, QC, Canada

Posted 26 January 2018 - 08:25 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

I need more information before suggesting that your computer is free of malware.

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section at the bottom of the topic, click the "More Reply Options" button.

Attach the file.
Select "Choose a File" and navigate to the location of the file.
Click the file you wish to Attach.
Click Attach this file.
Click the Add reply button.
===

Please post the logs for my review.

Let me know what problems you are having with this computer.

#3 Bodum (Topic Starter)
  • Members
  • 34 posts
  • Gender: Male

Posted 26 January 2018 - 09:07 AM

Hi Nasdaq! Thank you for your quick reply.

 

Here are the files: FRST.txt and Addition.txt (attached).

 

I am not sure what the problems are exactly. I have noticed some strange behavior. For example, the fans in my laptop turn on before I even log in if I leave it on the login screen. And when I log in they seem to turn off. I didn't like that but I can't be sure it's malware. Mostly it was BitDefender detecting things. It found applications trying to install as well as malware files already on the computer. It looks like something keeps trying to install new malware on my computer.

 

Thank you for your help!


Edited by Bodum, 26 January 2018 - 09:10 AM.


#4 nasdaq
  • Malware Response Team
  • 38,950 posts
  • Gender: Male
  • Location: Montreal, QC, Canada

Posted 26 January 2018 - 10:54 AM



Hi,

Press the Windows key + r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.

Please copy the entire contents of the code box below to a new file.


Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

CHR HKU\S-1-5-21-3067188377-994821594-1076259359-1000\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
SearchScopes: HKLM-x32 -> DefaultScope {632F07F3-19A1-4d16-A23F-E6CE9486BAB5} URL = hxxp://www.bing.com/search?pc=cosp&ptag=A12318C5BE3&form=CONBDF&conlogo=CT3210127&q={searchTerms}
SearchScopes: HKLM-x32 -> {632F07F3-19A1-4d16-A23F-E6CE9486BAB5} URL = hxxp://www.bing.com/search?pc=cosp&ptag=A12318C5BE3&form=CONBDF&conlogo=CT3210127&q={searchTerms}
BHO: Google Toolbar Notifier BHO -> {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} -> No File
Toolbar: HKLM - No Name - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} -  No File
Toolbar: HKU\S-1-5-21-3067188377-994821594-1076259359-1000 -> No Name - {759D9886-0C6F-4498-BAB6-4A5F47C6C72F} -  No File
Toolbar: HKU\S-1-5-21-3067188377-994821594-1076259359-1000 -> No Name - {4BAAC1B8-0800-42C9-8FA6-08B211F356B8} -  No File
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} -  No File
FF Plugin HKU\S-1-5-21-3067188377-994821594-1076259359-1000: @Skype Limited.com/Facebook Video Calling Plugin -> C:\Users\Leslie\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll [No File]
U5 AppMgmt; C:\windows\system32\svchost.exe [27136 2009-07-13] (Microsoft Corporation) <==== ATTENTION (no ServiceDLL)
S3 ALSysIO; \??\C:\Users\Leslie\AppData\Local\Temp\ALSysIO64.sys [X] <==== ATTENTION
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
U3 iswSvc; no ImagePath
ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
ShellIconOverlayIdentifiers: [00avg] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
Task: {142608C1-5929-4775-853E-626D5C2B9784} - \RealPlayerRealUpgradeScheduledTaskS-1-5-21-3067188377-994821594-1076259359-1000 -> No File <==== ATTENTION
Task: {C30A9A5D-CE6E-46C5-9A1F-1BDD3502C1E2} - \RealPlayerRealUpgradeLogonTaskS-1-5-21-3067188377-994821594-1076259359-1000 -> No File <==== ATTENTION
Task: {FAA0ECA3-312E-4DD1-AEED-298C2466249A} - \AVGPCTuneUp_Task_BkGndMaintenance -> No File <==== ATTENTION

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Reset Chrome...
Open Google Chrome and click on the menu icon (the 3 vertical dots) located at the top right side of Google Chrome.
 
Click "Settings" then "Show advanced settings" at the bottom of the screen.
 
Click "Reset browser settings" button.
 
Restart Chrome.
===

If the problem persists run this program.
--RogueKiller--
  • Download RogueKiller & SAVE it to your Desktop.
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator"
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a window opens to explain what [PUM's] are, read about it.
  • Click the RogueKiller icon on your taskbar to return to the report.
  • Click open the Report
  • Click Export TXT button
  • Save the file as ReportRogue.txt
  • Click the Remove button to delete the items in RED
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next reply.
=======

Please let me know what problem persists with this computer.
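An added example, not from this thread or from the Farbar tool: a small Python helper that picks out the orphaned entries in an FRST.txt log using the "No File", "[X]", "no ImagePath" and "<==== ATTENTION" markers seen in the fixlist above, and assembles them into the Start/End fixlist form. The sample input is constructed from four lines quoted in this post plus one healthy service entry (ExampleSvc, a placeholder) that must not be flagged; review any real fixlist by hand before running it, as the post's instructions do.

```python
# Markers FRST uses for entries whose target no longer exists; these are the
# shapes of the lines copied into the fixlist in the post above.
ORPHAN_MARKERS = {
    "No File": "registered object points at a file that is gone",
    "[X]": "service/driver image path does not exist",
    "no ImagePath": "service has no image path at all",
    "<==== ATTENTION": "flagged by FRST itself",
}

# Housekeeping directives a fixlist usually opens with (taken from the post).
FIX_COMMANDS = ("CreateRestorePoint:", "EmptyTemp:", "CloseProcesses:")

# Constructed sample: four entries quoted in the thread plus one healthy
# service line (ExampleSvc, a placeholder) that must NOT be flagged.
SAMPLE_FRST = r"""
Toolbar: HKLM - No Name - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} -  No File
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
U3 iswSvc; no ImagePath
Task: {FAA0ECA3-312E-4DD1-AEED-298C2466249A} - \AVGPCTuneUp_Task_BkGndMaintenance -> No File <==== ATTENTION
R2 ExampleSvc; C:\Program Files\Example\example.exe [12345 2018-01-10] (Example Vendor)
"""


def orphan_reasons(line):
    """Return every reason a single FRST log line looks orphaned (empty if none)."""
    return [why for marker, why in ORPHAN_MARKERS.items() if marker in line]


def triage(frst_text):
    """Return (line, reasons) pairs for the orphaned entries in FRST.txt text."""
    found = []
    for raw in frst_text.splitlines():
        line = raw.strip()
        reasons = orphan_reasons(line) if line else []
        if reasons:
            found.append((line, reasons))
    return found


def build_fixlist(entries):
    """Assemble a fixlist.txt body in the Start/End form FRST reads."""
    lines = ["Start", "", *FIX_COMMANDS, "", *[line for line, _ in entries], "", "End"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_FRST):
        print(f"{line}\n    -> {'; '.join(reasons)}")
    print(build_fixlist(triage(SAMPLE_FRST)))
```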

#5 Bodum (Topic Starter)
  • Members
  • 34 posts
  • Gender: Male

Posted 26 January 2018 - 02:00 PM

Hello Nasdaq,

 

I ran the fix in FRST, here is the log: Fixlog.txt (attached).

 

I also ran Rogue Killer. It found 17 registry files, 8 were yellow and the rest were grey. I deleted all of them. They weren't red. I didn't realize you said to delete only the red items until afterwards. Well, I hope it was ok. Here is the log file: ReportRogue.txt (attached).

 

One of these instances was with svchost.exe and some in the firewall (although it says svchost is a PUP... isn't that strange?). Should I be worried? I use BitDefender Total Security 2018 as a firewall.

 

Please tell me how to proceed from here.

 

Again, thank you for your help!

 

P.S. I reset the browser settings for Chrome before running Rogue Killer.


Edited by Bodum, 26 January 2018 - 02:01 PM.


#6 nasdaq
  • Malware Response Team
  • 38,950 posts
  • Gender: Male
  • Location: Montreal, QC, Canada

Posted 27 January 2018 - 08:33 AM



Hi,

It was OK to remove these items.

[PUP.Gen0] (X64) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost | bdx : [x] -> Found

It was only the removal of a registry key. The Svchost.exe was not deleted.

The others were deleted, and if any were required the default was reset.

===

Do you still have issues with this computer?

#7 Bodum (Topic Starter)
  • Members
  • 34 posts
  • Gender: Male

Posted 27 January 2018 - 09:00 AM

I don't have any issues currently. It looks good! But are there any other scans I should run to double check?

 

Thank you!



#8 nasdaq
  • Malware Response Team
  • 38,950 posts
  • Gender: Male
  • Location: Montreal, QC, Canada

Posted 27 January 2018 - 09:52 AM

Hi,

Sophos Virus Removal Tool

Please download Sophos Virus Removal Tool and save it to your computer's Desktop.
  • Right-click the icon and select Run as administrator.
  • Click Yes to accept any security warnings that may appear.
  • Click the Next button.
  • Select 'I accept the terms in the license agreement', then click Next twice.
  • Click the Install button and wait until the installation is complete.
  • Click the Finish button. The tool created a shortcut icon on the Desktop of your computer.
  • Now, double-click the Sophos Virus Removal Tool shortcut icon to run the tool.
  • Click Yes to accept any security warnings that may appear.
  • After it updates and a "Start Scanning" button appears in the lower right:
    • Disconnect from the Internet or physically unplug your Internet cable connection.
    • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
    • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • Click the "Start Scanning" button in the lower right to start the scan.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, if it detected anything there will be a "Start Clean-up" button, click it and allow it to finish.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.
  • If any threats are found click Details, then View Log file (bottom left-hand corner).
  • Copy and paste its contents in your next reply and note any errors encountered.
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup.
  • Click Exit to close the program.
  • If no threats were found, please confirm that result.
Note: Whenever necessary, the log will be in the following location:

Windows Vista and above:
C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs\SophosVirusRemovalTool.log
 
Please post the contents of the log in your next reply and note any errors encountered.
===

#9 Bodum (Topic Starter)
  • Members
  • 34 posts
  • Gender: Male

Posted 27 January 2018 - 04:18 PM

Hi Nasdaq,

 

Sophos Virus Removal Tool did not find any infected files. Here is the log file: SophosVirusRemovalTool.log (attached).

 

When I rebooted my computer, I noticed some odd behavior from BitDefender, my AV. It said it wasn't responding and I should reboot. I did that and the computer seemed to stall with a black screen before the Windows 7 login window. When I logged in, it seemed ok; however, I noticed that my firewall in BitDefender was disabled when it logged in. That was odd. I reset the firewall rules, ran a deeper scan and am contacting BitDefender support for their help. It could be problems with the AV and it needs to be reinstalled, or maybe I'm still infected.

 

Is there anything else you recommend doing?

 

Thank you!



#10 nasdaq
  • Malware Response Team
  • 38,950 posts
  • Gender: Male
  • Location: Montreal, QC, Canada

Posted 28 January 2018 - 08:04 AM

Hi,

I suspect that the Sophos scan disabled Bitdefender. After a restart or two the system should normalize.

Check with them and see what they have to suggest.

#11 Bodum (Topic Starter)
  • Members
  • 34 posts
  • Gender: Male

Posted 28 January 2018 - 08:09 AM

Thank you! I will do. Hopefully they will reply soon.



#12 nasdaq
  • Malware Response Team
  • 38,950 posts
  • Gender: Male
  • Location: Montreal, QC, Canada

Posted 03 February 2018 - 08:42 AM

Hi,

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/


https://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
Simple and easy ways to keep your computer safe and secure on the Internet.
===

#13 Bodum (Topic Starter)
  • Members
  • 34 posts
  • Gender: Male

Posted 03 February 2018 - 09:28 AM

Hi Nasdaq, 

 

Thank you! This looks like a wealth of knowledge. I will read it as soon as I can. Thank you for your help! Bitdefender did not respond to any of my requests which means I will be switching to another AV when my contract with them runs out. I ended up doing a clean install of Windows and set up some more security just to be safe. Thank you for your help and the articles! Much appreciated. 
