Possible infection


13 replies to this topic

#1 invisik

Posted 03 April 2018 - 02:10 PM

Hi all,
 
I have a friend that said she received an e-mail that she now believes is malware.  She had ordered something online and thought the e-mail was the receipt for it.  She said she opened the Word document attachment, and then tried to open the embedded PDF and Excel files.  She then said her computer prompted her to restart, which she has not done yet.  The computer is otherwise running fine.  She is running ESET 5 and I started a full scan of her drives with it.  Her PC is running Windows 10 Pro 10.0.14393 64-bit.  Microsoft Office 2013 Standard 2013.
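Before anyone opens such an attachment again, the check a responder would want is a static look inside the file itself: a .docx is a zip container, embedded objects (the PDF and Excel files mentioned above) sit under word/embeddings/, a macro project lives in word/vbaProject.bin, and links to resources outside the document are relationships marked TargetMode="External". The script below is an added example, not code from this thread, ESET or any other tool named here. It builds a small constructed .docx in memory so it runs offline; the file names inside it, the http://example.invalid link and the magic-byte classification are my choices, not the real attachment. A legacy binary .doc is an OLE compound file rather than a zip, so the script only reports that format and stops.

```python
"""Static look inside a Word attachment without opening it in Office.
A .docx is a zip: embedded objects live under word/embeddings/, macros in
word/vbaProject.bin, and links to resources outside the file are relationships
with TargetMode="External". Added example; the sample document is constructed."""
import io
import re
import zipfile
from typing import Dict, List

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 compound file: legacy .doc/.xls and most OLE embeddings
ZIP_MAGIC = b"PK\x03\x04"                        # OOXML (.docx/.xlsx) is a zip


def classify_blob(head: bytes) -> str:
    """Classify an embedded object by its leading bytes."""
    if head.startswith(OLE_MAGIC):
        return "ole-compound"
    if head.startswith(ZIP_MAGIC):
        return "ooxml-zip"
    if head.startswith(b"%PDF"):
        return "pdf"
    return "other"


def inspect_docx(data: bytes) -> Dict[str, object]:
    """Report the container format, embeddings, macro storage and external targets."""
    if data.startswith(OLE_MAGIC):
        # Legacy binary .doc: not a zip, so this parser stops here; use an OLE parser instead.
        return {"format": "ole-binary", "embeddings": [], "has_vba": False, "external_rels": []}
    embeddings, external, has_vba = [], [], False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            for name in z.namelist():
                lower = name.lower()
                if lower.startswith("word/embeddings/"):
                    embeddings.append((name, classify_blob(z.read(name)[:8])))
                elif lower == "word/vbaproject.bin":
                    has_vba = True  # only .docm should carry this; in a plain .docx it is suspicious by itself
                elif lower.endswith(".rels"):
                    xml = z.read(name).decode("utf-8", "replace")
                    for rel in re.findall(r"<Relationship\b[^>]*>", xml):
                        if 'TargetMode="External"' in rel:
                            target = re.search(r'Target="([^"]*)"', rel)
                            if target:
                                external.append(target.group(1))
    except zipfile.BadZipFile:
        return {"format": "unknown", "embeddings": [], "has_vba": False, "external_rels": []}
    return {"format": "ooxml", "embeddings": embeddings, "has_vba": has_vba, "external_rels": external}


def reasons_to_not_open(report: Dict[str, object]) -> List[str]:
    """Human-readable findings; an empty list means nothing of note was found."""
    out = []
    if report["format"] != "ooxml":
        out.append("not a plain OOXML file (%s); inspect with an OLE-aware tool" % report["format"])
    if report["embeddings"]:
        out.append("embedded objects: " + ", ".join("%s (%s)" % e for e in report["embeddings"]))
    if report["has_vba"]:
        out.append("contains a VBA project (macros)")
    if report["external_rels"]:
        out.append("external targets: " + ", ".join(report["external_rels"]))
    return out


def build_sample_docx() -> bytes:
    """Constructed sample (not the attachment from this thread): a minimal .docx with one
    OLE embedding, one embedded .xlsx and one external hyperlink relationship."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/embeddings/oleObject1.bin", OLE_MAGIC + b"\x00" * 504)
        z.writestr("word/embeddings/Microsoft_Excel_Worksheet1.xlsx", ZIP_MAGIC + b"\x00" * 26)
        z.writestr("word/_rels/document.xml.rels",
                   '<Relationships><Relationship Id="rId9" '
                   'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" '
                   'Target="http://example.invalid/receipt" TargetMode="External"/></Relationships>')
    return buf.getvalue()


if __name__ == "__main__":
    for line in reasons_to_not_open(inspect_docx(build_sample_docx())):
        print("-", line)
```

Run it against a real file with inspect_docx(open(path, "rb").read()); an embedded OLE object that is itself a packager blob, or a VBA project in a file that arrived as a "receipt", is what the user should be asked about before the file is opened again.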

#2 boopme
Global Moderator

Posted 03 April 2018 - 02:16 PM

Hello, appears your ESET is a bit old.
  • Please download and run ESET Online Scanner.
  • Check the box (if available) and click the button to continue.
  • It is recommended to turn off your antivirus program. Click on the button to see which antivirus is currently enabled.
  • Turn off your antivirus program. See here how to do this.
  • Check the option beside: Enable detection of potentially unwanted applications.
  • Now click on Advanced Settings and make sure that the option Clean threats automatically is NOT checked, and select the following:
    Enable detection of potentially unsafe applications
    Enable detection of suspicious applications
    Scan archives
    Enable Anti-Stealth Technology
  • Click on the Change button and select only Operating memory, Autostart locations and drive C:\ to be scanned.
  • Push the button to start the scan.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes a list of found threats will open automatically (if any malicious files are found).
  • Push the button to save the list and save the file to your desktop using a unique name, such as ESETScan.txt. Include the contents of this report in your next reply.
  • Push the button to finish.
  • Check the box beside the option to uninstall the application when closed.
  • Push the button and then close the application by clicking the X in the upper right corner.


#3 buddy215
Moderator

Posted 03 April 2018 - 02:28 PM

I would also suggest you back up all important data. That may be ransomware. If it activates after reboot....it will become impossible to open any important data, videos, pics, etc....

You might be able to block the malware from activating by doing a system restore to an earlier date.



#4 invisik
Topic Starter

Posted 03 April 2018 - 02:32 PM

Sorry, didn't realize BC doesn't do direct attachment uploads.

Here are the screenshots...

https://1drv.ms/f/s!At4mnpBUnIxJovITo6Zq-ByX8piE9Q

I numbered each screenshot 1-7 for the order they were created in.

Thanks for any thoughts.

-m

 



#5 invisik
Topic Starter

Posted 03 April 2018 - 03:31 PM

I am running the ESET Online Scanner now.... (about 2/3 done)



#6 hamluis
Moderator

Posted 03 April 2018 - 03:31 PM

The attachments function can be utilized by clicking on the button More Reply Options, which is at the lower right of the Reply To This Topic window.

Louis



#7 invisik
Topic Starter

Posted 03 April 2018 - 03:53 PM

Regarding attachments, ok so I get to the editor with the two-row toolbar on top.... None of those options seems like it will attach a file directly (not via a URL). Is it something in My Media?

Thanks...

-m



#8 invisik
Topic Starter

Posted 03 April 2018 - 04:36 PM

Ok the ESET Online scan is done. It found one thing, which I'm thinking is not really a problem.

C:\Users\gmarek\Downloads\ccsetup513.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application

The date on the file is 12-23-2015.

Let me know what you think and what I should do next....

Thanks!!

-m



#9 buddy215
Moderator

Posted 03 April 2018 - 05:01 PM

Other than my suggestions in my first post...#3

Use CCleaner to remove Temporary files, program caches, cookies, logs, etc. Use the Default settings. No need to use the Registry Cleaning Tool...risky. Pay close attention while installing and UNcheck offers of Google Chrome and Avast.
After install, open CCleaner and run by clicking on the Run Cleaner button in the bottom right corner.

CCleaner - PC Optimization and Cleaning - Free Download

Malwarebytes - Clean Mode

  • Download and install the free version of Malwarebytes
    Note: If you have Malwarebytes already installed, you don't need to install it again. Simply start from the next bullet point
  • Once Malwarebytes is installed, launch it and let it update its database. You might have to click on the little arrow by Scan Status in the middle right pane for it to do so
  • Once the database update is complete, click on the Scan tab, then select the Threat Scan button and click on Start Scan
  • Let the scan run; the time required to complete the scan depends on your system and computer specs
  • Once the scan is complete, make sure that the first checkbox at the top is checked (which will automatically check every detected item), then click on the Quarantine Selected button
    • If it asks you to restart your computer to complete the removal, do so
  • Click on Export Summary after the deletion (in the bottom-left corner) and select Copy to Clipboard. Paste the content in your next reply

Download AdwCleaner by Xplode onto your desktop. (compatible with Windows 7, 8 and 10)

  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on the Scan button.
  • When the scan has finished click on the Clean button.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.


#10 buddy215
Moderator

Posted 03 April 2018 - 05:09 PM

If you think Malwarebytes found the malware then you can allow it to reboot the computer....otherwise don't allow it to reboot until you have backed up your documents, pics, etc. in case it is ransomware.

I would attempt to do a system restore before doing any of the above if it was my computer.



#11 invisik
Topic Starter

Posted 03 April 2018 - 05:37 PM

Running CCleaner on it.  It deleted a variety of cookies and whatnot. 
 
Running MalwareBytes on it.  The default Threat Scan.    Nothing major found, just a registry entry.
 
"Malwarebytes
www.malwarebytes.com
-Log Details-
Scan Date: 4/3/18
Scan Time: 5:26 PM
Log File: 0d53b2c4-378e-11e8-b7e5-dc4a3e6694a7.json
Administrator: Yes
-Software Information-
Version: 3.4.5.2467
Components Version: 1.0.342
Update Package Version: 1.0.4604
License: Trial
-System Information-
OS: Windows 10 (Build 14393.2125)
CPU: x64
File System: NTFS
User: System
-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 367594
Threats Detected: 1
Threats Quarantined: 1
Time Elapsed: 2 min, 37 sec
-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect
-Scan Details-
Process: 0
(No malicious items detected)
Module: 0
(No malicious items detected)
Registry Key: 0
(No malicious items detected)
Registry Value: 0
(No malicious items detected)
Registry Data: 1
PUM.Optional.DisabledSecurityCenter, HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER|UPDATESDISABLENOTIFY, Replaced, [13414], [293296],1.0.4604
Data Stream: 0
(No malicious items detected)
Folder: 0
(No malicious items detected)
File: 0
(No malicious items detected)
Physical Sector: 0
(No malicious items detected)

(end)"
 
 

I did not run AdwCleaner as it says it will restart the computer to continue the scan. I don't want it rebooting at all right now.



#12 invisik
Topic Starter

Posted 03 April 2018 - 05:49 PM

I ran WhyReboot (http://exodusdev.com/products/whyreboot) and it came up with a number of temp files... which is quite interesting.  Au_.exe especially!

 

 

Whyreboot © 2003-2006 Exodus Development, Inc. http://exodusdev.com
 
Version 1.0.1.537
 
NOTE: These results may not reflect all pending operations, and you should use your own good sense in deciding whether to reboot your computer after an install.
 
Detected Windows NT, 2000, XP, or variant
 
Results:
 
REGISTRY: PendingFileRenameOperations
 > DELETE C:\AdwCleanerC:\Users\gmarek\AppData\Local\Temp\~nsuA.tmp\Au_.exe
 > DELETE C:\Users\gmarek\AppData\Local\Temp\~nsuA.tmp
 > DELETE C:\Users\gmarek\AppData\Local\Temp\nszD5AB.tmp\p\pfBL.dll
 > DELETE C:\Users\gmarek\AppData\Local\Temp\nszD5AB.tmp\p\
 > DELETE C:\Users\gmarek\AppData\Local\Temp\nszD5AB.tmp\
5 items were found and reported.
>> Log contents copied to clipboard.
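What WhyReboot printed above is a decoded PendingFileRenameOperations value: a REG_MULTI_SZ under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager that the Session Manager processes early in boot, before services start, as pairs of source and destination paths in NT form (\??\C:\...). An empty destination means delete; a leading "!" on the destination means overwrite an existing file. Installers (including the NSIS uninstaller temp files seen here) use it for cleanup, which is also why a dropper can use it to land a payload after the very reboot the user was prompted for. The script below is an added example, not part of this thread or of WhyReboot: it parses such a value, flags deletes outside the per-user Temp directory and files staged into System32 or other autostart-relevant locations, and runs on constructed data: the five Temp paths from the log above plus one invented pair (upd1.tmp over a hypothetical wscsvc_helper.dll) to show the "review" path.

```python
"""Decode PendingFileRenameOperations, the value WhyReboot reads above, and flag
entries worth checking before the reboot. Added example with constructed data."""
import ntpath
from dataclasses import dataclass
from typing import List, Optional

NT_PREFIX = "\\??\\"
EXEC_EXT = {".exe", ".dll", ".sys", ".scr", ".com", ".bat", ".ps1", ".vbs", ".js"}
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
SENSITIVE_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\", "\\program files",
                  "\\start menu\\programs\\startup\\")


@dataclass
class PendingOp:
    source: str
    destination: Optional[str]  # None: the file or directory is deleted at boot
    replace_existing: bool      # '!' prefix on the destination: overwrite if it already exists


def _strip_nt(path: str) -> str:
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def parse_pending_ops(values: List[str]) -> List[PendingOp]:
    """values: the REG_MULTI_SZ as a list of strings, alternating source and destination."""
    values = list(values)
    if len(values) % 2:
        values.append("")  # a trailing empty destination (a delete) is dropped by some readers
    ops = []
    for src, dst in zip(values[0::2], values[1::2]):
        replace = dst.startswith("!")
        dst = _strip_nt(dst[1:] if replace else dst)
        ops.append(PendingOp(_strip_nt(src), dst or None, replace))
    return ops


def _under(path: str, markers) -> bool:
    return any(m in path.lower() for m in markers)


def _is_exec(path: str) -> bool:
    return ntpath.splitext(path)[1].lower() in EXEC_EXT


def triage(op: PendingOp) -> str:
    """'ok' for routine installer cleanup, 'review' for anything touching locations that matter.
    Windows Update and installers also stage files into System32 this way, so 'review' means
    look at the source file (signature, hash, origin), not that it is malicious."""
    if op.destination is None:
        if _under(op.source, TEMP_DIRS):
            return "ok: temp cleanup of " + op.source
        return "review: delete outside temp: " + op.source
    if _under(op.destination, SENSITIVE_DIRS) or (_is_exec(op.destination) and not _under(op.destination, TEMP_DIRS)):
        suffix = " (overwrite)" if op.replace_existing else ""
        return "review: %s will be placed at %s%s" % (op.source, op.destination, suffix)
    return "ok: low-risk rename to " + op.destination


def read_live_value() -> List[str]:
    """Windows only: read the live value; a missing value means nothing is pending."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Control\Session Manager") as key:
        try:
            value, _ = winreg.QueryValueEx(key, "PendingFileRenameOperations")
        except FileNotFoundError:
            return []
    return list(value)


# Constructed sample: the five Temp paths from the WhyReboot log above as plain deletes, plus
# one invented entry (upd1.tmp -> wscsvc_helper.dll, both hypothetical names) that stages a
# temp file over something under System32 at boot.
SAMPLE_MULTI_SZ = [
    "\\??\\C:\\Users\\gmarek\\AppData\\Local\\Temp\\~nsuA.tmp\\Au_.exe", "",
    "\\??\\C:\\Users\\gmarek\\AppData\\Local\\Temp\\~nsuA.tmp", "",
    "\\??\\C:\\Users\\gmarek\\AppData\\Local\\Temp\\nszD5AB.tmp\\p\\pfBL.dll", "",
    "\\??\\C:\\Users\\gmarek\\AppData\\Local\\Temp\\nszD5AB.tmp\\p\\", "",
    "\\??\\C:\\Users\\gmarek\\AppData\\Local\\Temp\\nszD5AB.tmp\\", "",
    "\\??\\C:\\Users\\gmarek\\AppData\\Local\\Temp\\upd1.tmp",
    "!\\??\\C:\\Windows\\System32\\wscsvc_helper.dll",
]

if __name__ == "__main__":
    for op in parse_pending_ops(SAMPLE_MULTI_SZ):
        print(triage(op))
```

On the affected machine, feed read_live_value() into parse_pending_ops() instead of the sample; pair this with a look at the usual autostart locations (Run keys, scheduled tasks, Startup folder), since a pending rename is only one of the ways a dropper can arrange to run after the reboot.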


#13 invisik
Topic Starter

Posted 03 April 2018 - 05:59 PM

Those Au_.exe and other files ended up being part of a legitimate uninstallation program.



#14 buddy215
Moderator

Posted 03 April 2018 - 06:58 PM

Is doing a system restore to an earlier date a problem?

