
Help cleanup infection remnants that Antivirus isn't catching


This topic is locked
21 replies to this topic

#1 User_7

Posted 04 April 2018 - 05:31 PM

Hi. Looking for some help with an infection that my antivirus isn't completely catching. First off I briefly looked at other posts on this forum and this current topic sounds extremely similar to mine so thinking a similar approach might work.


So foolishly I downloaded and ran a dodgy .exe installer. I dodged a couple of bloatware-agreement prompts but nevertheless, during installation, Bit Defender - my always-on antivirus, flashed up saying it was quarantining files. So I aborted installation and deleted the installer. But it was too late. Strange audio snippets started playing through my speakers and task manager showed many instances of 'Backflow.exe' and 'Tupelo.exe'.


I started a Malwarebytes scan and ended the processes, but they would reappear about 20 seconds later. Malwarebytes and Bitdefender quarantined many threats and prompted for restart which I did. However the processes remained in Task Manager. I re-ran Malwarebytes, Bitdefender as well as Adwcleaner and Spybot Search & Destroy with restarts once or twice until they stopped detecting threats. Also tried Emsisoft Emergency Kit. Simultaneously I was killing Tupelo and Backflow processes, and tracking them to their file location and deleting the .exe, which was possible whilst all active processes were killed. They were appearing in \Program Files (x86)\rimmer\, \Program Files (x86)\manmade\, and \Program Files (x86)\fireflies\, as well as \AppData\Local\. I also deleted a file called pangea.exe in \Program Files (x86)\docherty because it occurred today too and looks suspicious.


After the final restart only backflow.exe was showing in Task Manager, and would always reappear but only in \AppData\Local\. So I put a blank .txt file there and renamed it backflow.exe. It hasn't overwritten this and so is no longer running on my system, however clearly something is still lurking about waiting to make a new one which I'm not happy about. I've also scanned the registry and deleted several references to backflow.exe and tupelo.exe.


Another effect of the virus was to display ads in my Google results, but removing a couple of Chrome extensions sorted that. However still, when I click a web link in an external application, Chrome will open, but only at my home page - it won't follow the link.


How can I find and destroy what's left of this infection? I've included a copy of my FRST log and the Addition it created, as well as a copy of backflow.exe with the extension changed to .txt in case anyone can analyse it! I looked at it with Resource Hacker but couldn't get any useful information.


Help much appreciated.

Attached Files




#2 User_7 (Topic Starter)

Posted 04 April 2018 - 06:38 PM

Update - Backflow came back, my text file trick didn't endure - it has been overwritten. I've now tried locking it with Easy File Locker, to see if that stops it being overwritten.



#3 User_7 (Topic Starter)

Posted 04 April 2018 - 08:15 PM

File lock is holding out. I've also now tried RogueKiller following advice on the similar case I linked in my original post. It found several threats the other scans didn't, including some referencing backflow.exe and tupelo as well as a Wajam rootkit, so I was hopeful it would resolve my issues. However upon disabling my spoof backflow.exe lock and restarting, the process is back!


I've attached the Log here. It has recorded 'ERROR [80070002]' under 'Tasks'. These were scheduled tasks which I saw it had found and checked out myself before the scan was complete. I found more than the 4 which it listed so I manually deleted them all, hence it being unable to clean them itself.

Attached Files
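The pattern in the posts above (a binary that is killed and deleted, then re-created from a scheduled task or autostart entry) is what a responder would check for before trusting that any cleanup has held. The PowerShell below is an added example, not code from the thread or from any tool it names: it only reports, and the executable names and folders it looks for are the ones the topic starter lists.

```powershell
# Added example: report persistence that can re-create the named binaries.
# Names and folders are taken from the thread above; nothing here deletes anything.
# Run from an elevated (Administrator) PowerShell so all tasks and HKLM keys are visible.
$names   = @('backflow.exe', 'tupelo.exe', 'pangea.exe')
$pattern = ($names | ForEach-Object { [regex]::Escape($_) }) -join '|'

# 1. Scheduled tasks whose action or arguments reference one of the names.
#    (The poster found more tasks than RogueKiller listed, so enumerate every folder.)
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($cmd -match $pattern) {
            [pscustomobject]@{
                Kind    = 'ScheduledTask'
                Where   = "$($task.TaskPath)$($task.TaskName)"
                Command = $cmd
            }
        }
    }
}

# 2. Run / RunOnce autostart values, per-user and machine-wide (including the
#    32-bit view, since the droppers lived under Program Files (x86)).
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        if ("$($p.Value)" -match $pattern) {
            [pscustomobject]@{ Kind = 'RunKey'; Where = "$key\$($p.Name)"; Command = $p.Value }
        }
    }
}

# 3. Copies of the executables under the two locations the thread names, with a
#    SHA-256 so a re-created copy can be matched against the one already seen.
$dirs = @("${env:ProgramFiles(x86)}", $env:LOCALAPPDATA)
Get-ChildItem -Path $dirs -Recurse -Include $names -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Kind    = 'File'
            Where   = $_.FullName
            Command = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash
        }
    }
```

Anything this reports after a cleanup round is the place to look next; a task or Run value that survives explains why the placeholder-file trick in post #2 was overwritten.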



#4 Aura (Bleepin' Special Ops, Malware Response Team)

Posted 05 April 2018 - 06:52 AM

Hi User_7 :)

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name; it's up to you! Now that we've broken the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.
  • As you'll notice, the logs we are asking for here are quite lengthy, so it's normal for me to not reply exactly after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens
  • As long as I'm assisting you on BleepingComputer, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you
  • The same principle applies to any modifications you make to your system, I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system
  • If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here, better be safe than sorry!
  • If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off
  • Since malware can work quickly, we want to get rid of them as fast as we can, before they make unknown changes to the system. This being said, I would appreciate if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced
  • I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not, I'll give you the benefit of the doubt. Plus, this would be against BleepingComputer's rules
  • In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like format and reinstall Windows, you are free to do so. I would appreciate you to let me know about it first, and if you need, I can also assist you in the process
  • I would appreciate if you were to stay with me until the end, which means, until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely gone
    This being said, I have a full time job so sometimes it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread
This being said, it's time to clean up some malware, so let's get started, shall we? :)

Please give me some time to review your logs and get back to you.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#5 Aura (Bleepin' Special Ops, Malware Response Team)

Posted 05 April 2018 - 12:27 PM

First, start by uninstalling Google Chrome, since it has been infected by the malware. Then follow the instructions below.

Farbar Recovery Scan Tool (FRST) - Fix mode
Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.
  • Download the attached fixlist.txt file, and save it on your Desktop (or wherever your FRST.exe/FRST64.exe executable is located)
  • Right-click on the FRST executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Click on the Fix button
  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad
  • Copy and paste its content in your next reply

Attached Files




#6 User_7 (Topic Starter)

Posted 05 April 2018 - 05:18 PM

Hi, thanks for getting back to me. Before I go into your post I should let you know that before your message I decided to try the Malwarebytes Anti-Rootkit tool. This found one threat called molder.exe in my Windows directory, as well as a load of the files I manually deleted in the Recycle Bin. I cleaned and restarted and voila, no more backflow processes! I've attached the log here.


However before this I did have a page randomly open in Chrome with some ad/spam site and still, links from non-browser applications weren't opening (Chrome would open but just on the home page). Also, I'm sure my Chrome taskbar icon looks slightly different. So I'm keen to follow your advice and see this through.


So... I ran Farbar with your fix file. The computer restarted itself without telling me - would have been handy to know this could happen as I had stuff open! Upon restart the text file was open and I've attached it here.


Unfortunately however, this has caused Chrome to not open. I click the icon and a loading ring comes up for a moment but nothing happens. No task even flashes up in Task Manager. I've tried launching the chrome.exe directly from program files too, to no avail. I'm guessing this has happened because Chrome was infected.


So now I'm on Edge. I don't normally use Edge so I don't know if it's related to this infection or what, but half the time I have a lot of trouble using the space bar in this text box - it will take other letters but not space, then I'll get it to work :-S It's probably nothing. But also, I tried Internet Explorer and this was having a really hard time loading bleepingcomputer's forum. Taking ages to load, timing out and crashing. Again, I don't use Internet Explorer and don't know if this issue was pre-existing but it's strange that all my browsers are playing up.


If you think it's a good idea, I'd like to go ahead and uninstall and reinstall Chrome. What do you think?


UPDATE: OK, so I needed to use Chrome so I just went ahead and ran the installer. It didn't do a full install, seemed to know I just wanted to repair. Within a minute Chrome is working perfectly (so far) and the icon is back to normal! For anyone interested, the icon on the right was the infected Chrome and on the left is the original restored logo. That little shine on the top of the infected version really glared at me and made the whole logo look tacky! I guess it's an old version.

[image: the two Chrome taskbar icons side by side; the infected version on the right, the restored original on the left]


I thought I'd run a Farbar scan in case you wanted to review it, so here are the logs.

Attached Files


Edited by User_7, 06 April 2018 - 05:11 AM.


#7 Aura (Bleepin' Special Ops, Malware Response Team)

Posted 06 April 2018 - 07:07 AM

Your Google Chrome was indeed infected, hence why it needed to be reinstalled. The executable was also replaced with a custom one that was more of an adware than anything else.
C:\Program Files (x86)\Google\Chrome\Application\chrome334.exe
Looking at your logs, it seems that Google Chrome is still infected.
CHR res: Infected resources.pak (Adware script). Reinstall Chrome. <==== ATTENTION
Can you uninstall it, then run a new scan with FRST and provide me the FRST.txt log? Do not reinstall Google Chrome until I give you the go ahead.



#8 User_7 (Topic Starter)

Posted 07 April 2018 - 03:14 AM

Ok, thanks. Uninstalled and scanned.

Attached Files

  • Attached File  FRST.txt   87.87KB   3 downloads


#9 Aura (Bleepin' Special Ops, Malware Response Team)

Posted 07 April 2018 - 10:06 AM

Did you reinstall Google Chrome already? According to your log, it is still installed:
Chrome: 
=======
CHR HomePage: Default -> hxxp://www.google.com/
CHR StartupUrls: Default -> "hxxps://www.google.co.uk/"
CHR DefaultSearchURL: Default -> hxxps://duckduckgo.com/?q={searchTerms}
CHR DefaultSearchKeyword: Default -> duckduckgo.com
CHR DefaultSuggestURL: Default -> hxxps://duckduckgo.com/ac/?q={searchTerms}&type=list
CHR Profile: C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default [2018-04-07]
CHR Extension: (Google Translate) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapbdbdomjkkjkaonfhkkikfgjllcleb [2017-11-24]
CHR Extension: (Slides) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2017-10-12]
CHR Extension: (Docs) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2017-10-12]
CHR Extension: (Google Drive) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-06-22]
CHR Extension: (DuckDuckGo) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\bkdgflcldnnnapblkhphbgpggdiikppg [2018-04-02]
CHR Extension: (YouTube) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-06-22]
CHR Extension: (Sheets) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2017-10-12]
CHR Extension: (Google Docs Offline) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-06-22]
CHR Extension: (Kami - PDF and Document Markup) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\iljojpiodmlhoehoecppliohmplbgeij [2017-03-19]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2018-04-04]
CHR Extension: (Verbatim Search) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\occcfdnjdbgjglcbpolkmjnjillkgbcm [2017-11-18]
CHR Extension: (Gmail) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2016-06-22]
CHR Extension: (Chrome Media Router) - C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2018-03-24]



#10 User_7 (Topic Starter)

Posted 07 April 2018 - 02:40 PM

No, haven't reinstalled Chrome. No sign of it in Add and Remove Programs or Program Files either. Just re-ran Farbar scan in case I sent you an old log and can confirm that those lines are definitely still present. When I uninstalled Chrome, there was an option to delete 'browsing history' too - I chose No. Could it have saved these settings too?



#11 Aura (Bleepin' Special Ops, Malware Response Team)

Posted 07 April 2018 - 02:49 PM

Hum... can you tell me if C:\Users\Admin\AppData\Local\Google\Chrome exists?



#12 User_7 (Topic Starter)

Posted 07 April 2018 - 04:46 PM

Yes, it exists. In it is a single folder called 'User Data', which has more folders inside.


There is also '...\AppData\Local\Google\Chrome Cleanup Tool' with 'chrome_cleanup_tool.log' inside (attached), and '...\AppData\Local\Google\Software Reporter Tool', with a couple of logs: 'software_reporter_tool.log' (attached), 'software_reporter_tool-crashpad.log' and 'software_reporter_tool-sandbox.log'. And '...AppData\Local\Google\CrashReports' (empty).

Attached Files



#13 Aura (Bleepin' Special Ops, Malware Response Team)

Posted 07 April 2018 - 04:58 PM

Alright, can you run a scan with FRST and provide me both logs? I'll see why Google Chrome is still installed.



#14 User_7 (Topic Starter)

Posted 07 April 2018 - 05:18 PM

Here you go


Note: Just realised that you asked me to uninstall Chrome in your second post. Sorry that I missed that at the time, but it was uninstalled when stated.

Attached Files


Edited by User_7, 07 April 2018 - 06:19 PM.


#15 Aura (Bleepin' Special Ops, Malware Response Team)

Posted 07 April 2018 - 09:14 PM

Yeah, there's something weird. I don't see Google Chrome installed, yet the folders for it are still there. Can you reinstall it, run FRST and provide me a fresh set of logs? It doesn't look infected anymore.
