Solved

ESET online scanner found some trojans... worried that more may be hidden.

Posted on 2016-09-26
27
66 Views
Last Modified: 2016-10-14
Hello experts, my old IBM Thinkpad laptop has been acting rather slow for the last while - particularly while in Firefox. A couple of weeks ago my eBay account was hacked into and some bogus items were purchased on my credit card, so I'm fearing some sort of backdoor trojan has infiltrated my laptop. I ran ESET online scanner yesterday and it found and cleaned these viruses:

C:\Documents and Settings\All Users\Application Data\RoboSoft\dump\APP-00FA03289C1\SITE-00F811B52A1.htm	HTML/Iframe.B trojan	deleted
C:\Documents and Settings\JD\Local Settings\Application Data\Sun\Java\Deployment\cache\6.0\45\16bab12d-3a388b4c	multiple threats,a variant of Java/Exploit.Agent.RSM trojan,a variant of Java/Exploit.Agent.PNG trojan,a variant of Java/Exploit.Agent.PNF trojan	cleaned by deleting
C:\Documents and Settings\JD\My Documents\Downloads\190unlocker.exe	Win32/Adware.ADON potentially unwanted application	deleted
C:\PMAIL\MAIL\FOL06413.PMM	HTML/ScrInject.B trojan	deleted
C:\RECYCLER\S-1-5-21-1455450049-4218601970-2604882262-1005\HELP_DECRYPT.HTML	Win32/Filecoder.CryptoWall.CR trojan	deleted
C:\RECYCLER\S-1-5-21-1455450049-4218601970-2604882262-1005\HELP_DECRYPT.TXT	Win32/Filecoder.CryptoWall.CR trojan	deleted
C:\WINDOWS\uninstac.exe	a variant of Win32/PCCleaners.A potentially unwanted application	cleaned by deleting

Open in new window


... now I'm rather worried there might be more lurking. Regarding what you see above for "Win32/Filecoder.CryptoWall.CR" - I did have this trojan over a year ago... it encrypted a lot of my files but fortunately I had a good backup and restored and cleaned out the trojan at that time. I guess the ESET scan found an old "RECYCLER" folder with those two files as a remnant of my old cleaning.
   Anyway, would someone be able to give me some guidance on how to do a really good and thorough malware check just to make sure everything is clean now? I've run malwarebytes recently and it found nothing.

Thanks!
   Shawn
0
Comment
Question by:shawn857
  • 15
  • 12
27 Comments
 
LVL 47

Expert Comment

by:dbrunton
Comment Utility
>>  I've run malwarebytes recently and it found nothing.

Run Malwarebytes again.  You haven't used it since the ESET scanner so now use it again.

Also use Adwcleaner  http://www.bleepingcomputer.com/download/adwcleaner/ as well.

If you aren't using Windows 10 also try Combofix  http://www.bleepingcomputer.com/download/combofix/

Use CCleaner (free version) https://www.piriform.com/ccleaner/download to clean up your system.

Check your Firefox extensions.  Do you need all of them?  Do you know how reputable they are?
0
 

Author Comment

by:shawn857
Comment Utility
Thanks dbrunton. OK I ran Malwarebytes again last night, it found nothing. Then I ran Adwcleaner. It found a few things, none I don't think were too serious. Here was the output:


# AdwCleaner v6.020 - Logfile created 27/09/2016 at 05:22:05
# Updated on 14/09/2016 by ToolsLib
# Database : 2016-09-27.1 [Server]
# Operating System : Microsoft Windows XP Service Pack 3 (X86)
# Username : JD - IBM-CA399E2B0C9
# Running from : C:\Documents and Settings\JD\My Documents\Downloads\AdwCleaner.exe
# Mode: Clean
# Support : https://toolslib.net/forum



***** [ Services ] *****



***** [ Folders ] *****

[-] Folder deleted: C:\Documents and Settings\All Users\Start Menu\Programs\Codec
[-] Folder deleted: C:\Documents and Settings\JD\Local Settings\Application Data\Geckofx


***** [ Files ] *****

[-] File deleted: C:\user.js


***** [ DLL ] *****



***** [ WMI ] *****



***** [ Shortcuts ] *****



***** [ Scheduled Tasks ] *****



***** [ Registry ] *****

[-] Key deleted: HKLM\SOFTWARE\Classes\SlimBrowserHtml
[-] Key deleted: HKLM\SOFTWARE\Classes\vbalTBar.cToolbar
[-] Key deleted: HKLM\SOFTWARE\Classes\vbalTBar.cToolbarHost
[-] Key deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7854F00C-DC77-477E-A10E-603F48442D3B}
[-] Key deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C55BBCD6-41AD-48AD-9953-3609C48EACC7}
[-] Key deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{C55BBCD6-41AD-48AD-9953-3609C48EACC7}
[-] Key deleted: HKU\S-1-5-21-1455450049-4218601970-2604882262-1005\Software\ProgSense
[-] Key deleted: HKU\S-1-5-21-1455450049-4218601970-2604882262-1005\Software\AppDataLow\Software\adawarebp
[#] Key deleted on reboot: HKCU\Software\ProgSense
[#] Key deleted on reboot: HKCU\Software\AppDataLow\Software\adawarebp
[-] Key deleted: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Coupon Companion Plugin
[#] Key deleted on reboot: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\coupon companion plugin


***** [ Web browsers ] *****



*************************

:: "Tracing" keys deleted
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C0].txt - [2062 Bytes] - [27/09/2016 05:22:05]
C:\AdwCleaner\AdwCleaner[S0].txt - [2255 Bytes] - [27/09/2016 05:18:23]

########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt - [2208 Bytes] ##########

Open in new window



Then I tried Combofix (my laptop has XP Professional)... I ran into some snags here and it did not complete its run.  I use a free firewall called "PrivateFirewall 7.0". When I install new software, it always pops up little windows asking to accept/decline this or that.. it's normal. During the installation of Combofix it asked for confirmation of what must have been 40 or 50 EXE's - I don't know if this is normal or not. Then later in the installation, it popped up a window saying that I needed to have "Microsoft Recovery Console" installed (and I didn't), so it offered to install it for me. It popped up another window asking if I had "Windows XP Home version", to which I clicked NO, as I have XP Pro. Then the Combofix window displayed that it was setting a system restore point, and and it never got much further than that. After about 20 minutes of nothing, no disk activity or anything, I just moved my mouse and tapped a key on my keyboard and found that everything was frozen - no response... so I rebooted. That's where things stand right now.

Also, I did a complete fresh re-install of Firefox a week or so ago... so there are no extensions or anything. I will try another browser "refresh" right now as well.

Thanks
   Shawn
0
 
LVL 47

Expert Comment

by:dbrunton
Comment Utility
Possibly clashed with Private Firewall.  Private Firewall is good.  Leave Combofix alone then.

Leave things as they are for a couple of weeks and then run Adwcleaner, Mbam and Eset again in that order.  If nothing else shows after that time you are probably good.
0
 

Author Comment

by:shawn857
Comment Utility
well, thanks, but I don't know how comfortable with just the "wait and see" approach. Wait until more I get charged with more bogus purchases or have my system wiped out? I'm afraid my browser might bes omehow hijacked because every now and then while I'm browsing, I get the hourglass cursor and everything just freezes up for maybe 20 seconds or so. Other times, I'll be typing something into the browser, and the characters appear only one by one very slowly on the screen... like something could be logging them. I did a full uninstall and re-download and installed Firefox a couple of weeks ago and it seemed to work better for a while, then kinda went to hell again. Maybe I should do that again since I've ran ESET and Adwcleaner...?

Thanks
    Shawn
0
 
LVL 47

Accepted Solution

by:
dbrunton earned 500 total points
Comment Utility
Won't hurt to remove and reinstall Firefox.

If you want security use Google Chrome for online banking and purchases.  Don't save passwords in the browser.  Use a password manager.  I recommend Keepass2.  You can backup the password file to a USB stick or the Internet.  Slightly more awkward that having the passwords saved in the browser.

I presume you are surfing as a Restricted User rather than an Administrator?

Remove Java from your system and Flash as well.  If you need to see Flash documents use Chrome to do that.

Remove Adobe Acrobat from your system and use PDF viewer (free version).

Run the Kapersky Root Kit killer http://usa.kaspersky.com/downloads/TDSSKiller over your system as well.
0
 

Author Comment

by:shawn857
Comment Utility
Thanks dbrunton, good advice. You wrote:


Won't hurt to remove and reinstall Firefox.

>> Have completely uninstalled and will no longer be using.

If you want security use Google Chrome for online banking and purchases.  Don't save passwords in the browser.  Use a password manager.  I recommend Keepass2.  You can backup the password file to a USB stick or the Internet.  Slightly more awkward that having the passwords saved in the browser.

>> I imported all my old Firefox bookmarks into Chrome and will be using it exclusively now. Only thing is - it says it is no longer supported and no more updates cause I'm still on Windows XP. Should this be a concern?

I presume you are surfing as a Restricted User rather than an Administrator?

>> I bought this machine 2nd hand from someone about 5 years ago... the "user" he had set up at that time was called "JD" and I just kept using that - I don't know if I am "Administrator" or not. When I boot up it just goes right into the "JD" account with no need for passwords or anything.

Remove Java from your system and Flash as well.  If you need to see Flash documents use Chrome to do that.

>> OK, I will do so, thanks.

Remove Adobe Acrobat from your system and use PDF viewer (free version).

>> I don't have Acrobat, I use Foxit PDF reader. I do have Adobe AIR though... I don't even know what that does really. Should I get rid of it?

Run the Kapersky Root Kit killer http://usa.kaspersky.com/downloads/TDSSKiller over your system as well.

>> Will do... thanks!


I'll let you know how all this goes....

Thanks
   Shawn
0
 

Author Comment

by:shawn857
Comment Utility
Remove Java altogether as well? Don't I need this for a lot of things?

Thanks
   Shawn
0
 

Author Comment

by:shawn857
Comment Utility
dbrunton, I already went ahead and ran the Kaspersky Rootkit utility. I set every option in the utility "on" - including to scan for unsigned certificates. I attached screenshots of the results it gave. It found 11 "threats" - all of which to be of the "unsigned file" variety. I just wanted to run these by you before I delete/skip them. You'll see some that say "Shock" something something - this IBM laptop has some kind of "anti-shock" system utility built-in for whenever the laptop is ever abruptly physically moved. So I guess those files are okay... the others, I'm not so sure of.

Thanks!
   Shawn
kaspersky1.jpg
kaspersky2.jpg
0
 
LVL 47

Expert Comment

by:dbrunton
Comment Utility
I think most of them are OK.  I'll check them out in the next 24 hours.  For example vtserver appears to be fingerprint software for the ThinkVantage or IBM.
0
 

Author Comment

by:shawn857
Comment Utility
Thank you Sir.

Shawn
0
 
LVL 47

Expert Comment

by:dbrunton
Comment Utility
AegisP  See http://www.bleepingcomputer.com/startups/AegisP.sys-27398.html for more information and if that seems correct to you it should be OK.

IBMTPCHK  See http://www.bleepingcomputer.com/startups/IBMBLDID.SYS-23443.html for more information

PMEM  Can't find anything about this one.

QCNDISIF  See http://www.runscanner.net/lib/qcndisif.sys.html for more information.

Shockmgr  See http://www.bleepingcomputer.com/startups/ShockMgr.sys-24161.html for more information.

Shockprf  See http://www.bleepingcomputer.com/startups/Shockprf.sys-24154.html for more information.

ShmiHlp  See http://www.bleepingcomputer.com/startups/SMI_helper_driver-24164.html for more information.

ssrtln  Most likely a driver from Sonic Solutions for writing to CDs or DVDs.  Can't get a good confirmation on this.

TPDiskPM  See http://www.bleepingcomputer.com/startups/TPDiskPM.sys-24155.html for more information on this.

vtserver  See http://www.file.net/process/vtserver.exe.html for more information.  Check this file location in your machine as against what is in the link here but I suspect it is safe and for fingerprint logins.

WmcCds  See http://www.file.net/process/wmccds.exe.html  Possibly but not necessarily for XBox.  Check file size and location in your machine as against what is shown in the link here.

OK, I've been through your list and can't find anything about a file called PMEM.  Can you find this on your system and what folder it is in?  Also ssrtln, can you do the same as well?
0
 

Author Comment

by:shawn857
Comment Utility
Thanks for that. Mostly all these files look okay and are part of IBM thinkpad system stuff. PMEM seems okay according to this:

http://www.paraesthesia.com/archive/2005/06/30/pmem-service-failure.aspx/

The only one that I'm wondering about is WmcCds - I scanned my whole C drive and could not find a file by that name, so I'm going to quarantine it. If it's for Xbox or something like that, which I don't use, then I don't need it.


Going back a couple of messages I had asked the following things.. could you give me your thoughts on them please?

>> I imported all my old Firefox bookmarks into Chrome and will be using it exclusively now. Only thing is - it says it is no longer supported and no more updates cause I'm still on Windows XP. Should this be a concern?

>> I bought this machine 2nd hand from someone about 5 years ago... the "user" he had set up at that time was called "JD" and I just kept using that - I don't know if I am "Administrator" or not. When I boot up it just goes right into the "JD" account with no need for passwords or anything.

>> I don't have Acrobat, I use Foxit PDF reader. I do have Adobe AIR though... I don't even know what that does really. Should I get rid of it?

>> Remove Java altogether as well? Don't I need this for a lot of things?


Thanks!
    Shawn
0
 
LVL 47

Expert Comment

by:dbrunton
Comment Utility
Foxit is OK.

Adobe AIR, keep it, unless you have install media and serial number for it

Java.  Unless you have specific applications that use it and you have a need for or Internet sites that need it get rid of it.  Not recommended for use on Internet as a good way to get into a computer.  Check what version you have and note it somewhere.  Then uninstall Java.  If some application doesn't work you know what version of Java to download for it.

Chrome is no longer supported on XP and Firefox is going that way as well.  So you are sort of stuck there ...

Go to Control Panel and follow the tutorial here http://www.free-computer-tutorials.net/windows-xp-tutorials-controlpanel.html to see what account yours is and how to add new accounts.  If you account is an Administrator one then create a new one and make it a Limited User.  You don't need a .NET passport.  Reboot as a Limited User and see how it works.  You'll probably have to switch back and forth between the two accounts to copy all of your data across.  But you'll surf much safer using a Limited User account.

Don't quarantine WmcCds.  Just move it aside to another folder taking note of where you got it from.  If multimedia doesn't work then put it back.  I suspect it isn't harmful.
0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 

Author Comment

by:shawn857
Comment Utility
dbrunton, regarding CCleaner (I haven't run it yet)... there's something about it that makes me uneasy - it seems kind of vague about what it is set up. See the attached screenshot... under the "Applications" tab it had all these applications checked bu default that I do use - does that mean it was going to delete them? I  certainly don't want that...

Thanks
   Shawn
ccleaner.JPG
0
 
LVL 47

Expert Comment

by:dbrunton
Comment Utility
Nope.

It's going to clean up all of the temporary files that those applications generate.  If you want to keep those files eg cookies from Internet browsing then untick the application concerned.  Only the temporary files it deletes and not actual data.

For example if you have Word documents it will keep those but if there are temp files generated by Word that are not actual data, it will delete those.
0
 

Author Comment

by:shawn857
Comment Utility
OK thanks, I will run CCleaner soon. Also last night I ran "HitmanPro". It found a lot of harmless tracking cookies which I deleted, but it also found these two files it said were "Suspicious":

c:\windows\PEV.exe
c:\windows\system32\stdvcl32.dll

Would you have any thoughts on those please?

Thanks
    Shawn
0
 
LVL 47

Expert Comment

by:dbrunton
Comment Utility
PEV.exe is probably part of Combofix.  Check the date, it should be within the last week when you tried to run it.

Also see http://slickdeals.net/f/1444479-solved-mysterious-file-pev-exe-component-of-combofix

The second is a standard Delphi file installed by some application.
0
 

Author Comment

by:shawn857
Comment Utility
PEV.exe is probably part of Combofix.  Check the date, it should be within the last week when you tried to run it.
Also see http://slickdeals.net/f/1444479-solved-mysterious-file-pev-exe-component-of-combofix

>> Creation date last week - Sept 27. About that ComboFix - I can't find anywhere to uninstall it off my system. Not in the Add/Remove Programs. There is a C:\Combofix folder when I browse my directories in Windows Explorer, but take a look at the screenshot attached... the contents of that ComboFix folder seem to be all my *other* folders on my hard drive! Is that normal??


The second is a standard Delphi file installed by some application.

>> OK, no problem, that's fine.
combofix.JPG
0
 
LVL 47

Expert Comment

by:dbrunton
Comment Utility
0
 

Author Comment

by:shawn857
Comment Utility
Sorry for the absence there... got sidetracked on some other matters. OK, picking up where we left off - things seem to be pretty good. Did the full uninstall for Combofix as per your suggested site and that worked fine. Computer seems to be running fine, just a couple of final lingering questions please:


>>Don't quarantine WmcCds.  Just move it aside to another folder taking note of where you got it from.  If multimedia doesn't work then put it back.  I suspect it isn't harmful.

This was from the Kaspersky Rootkit run. It found this "suspicious" file, but when I searched my hard drive for it, I couldn't even find it, so I wound up quarantining it. Doesn't so doesn't seem to have caused any problems.

>>Go to Control Panel and follow the tutorial here http://www.free-computer-tutorials.net/windows-xp-tutorials-controlpanel.html to see what account yours is and how to add new accounts.  If you account is an Administrator one then create a new one and make it a Limited User.  You don't need a .NET passport.  Reboot as a Limited User and see how it works.  You'll probably have to switch back and forth between the two accounts to copy all of your data across.  But you'll surf much safer using a Limited User account.

Well truth is, I don't even know if this existing "JD" account I use is even an Administrator account - I'm thinking it is cause there's never seemed to be any restrictions on this computer. I'm not sure though. I'm hesitant to create another "Limited" type account cause I do have lots of stuff (programs, 3rd party components, data, etc... I'm a Delphi programmer), that I would have to copy over, and that sounds like it could be a real rats nest of problems.

Thanks!
     Shawn
0
 
LVL 47

Expert Comment

by:dbrunton
Comment Utility
>>  I'm hesitant to create another "Limited" type account

Create two more Administrator accounts and give them passwords.  Check they work OK by logging in and out of them.  Then using one of the Administrator accounts turn the JD account into a Limited account.

Test the JD account and see if you can do all of your work.  If you can then you are all set to go.  If it doesn't work then use the other Administrator account to turn the JD back to Administrator.
0
 

Author Comment

by:shawn857
Comment Utility
Thanks db, I will try that. I guess I am alright now... but just a couple of last questions please:

- should I try and run Combofix again... this time first disabling my Private Firewall?
- Chrome works okay for the most part, but I sometimes find it painfully slow to load some pages (big pages with videos, ads, etc... even facebook sometimes). Would Opera browser be a viable option instead?

Thanks!
   Shawn
0
 
LVL 47

Expert Comment

by:dbrunton
Comment Utility
Leave Combofix out of it at present, unless something else pops up.

Now as for your Thinkpad, how much memory does it have and what is the processor?  Chrome is a bit of a memory hog and if you run with a number of Tabs open you can easily chew up memory.  If you've got addins then they too can slow the browser down.

If you run AdBlock for Chrome then that will cut down on the number of ads you get presented with.
0
 

Author Comment

by:shawn857
Comment Utility
Leave Combofix out of it at present, unless something else pops up.

>> OK

Now as for your Thinkpad, how much memory does it have and what is the processor?  

>> 2 GHZ processor and 1 gig of RAM running XP Pro. She's a bit of an oldie.

Chrome is a bit of a memory hog and if you run with a number of Tabs open you can easily chew up memory.  If you've got addins then they too can slow the browser down.


>> Yeah I've noticed this. No, no addins... just Chrome straight out of the box.


If you run AdBlock for Chrome then that will cut down on the number of ads you get presented with.

>> OK, I might do that. That's a Chrome plugin, I take it?

I've been trying Opera browser for the last few days... it's not bad but something that is really annoying is when I open a new type, punch in a URL and it just sits there with "Speeddial" showing in the browser tab for like 30 seconds before it finally brings up the site. "Speeddial" alright!! is that normal for Opera... or is something mis-configured I wonder?

Thanks
   Shawn
0
 
LVL 47

Expert Comment

by:dbrunton
Comment Utility
Possibly too many entries in Speed Dial.  I'm not familiar with Opera.

AdBlock for Chrome is an addin.  https://chrome.google.com/webstore/detail/adblock/gighmmpiobklfepjocnamgkkbiglidom

You've got 1 Gb of memory.  If possible add more.  Windows XP will thank you.  Don't know which model of Thinkpad it is but if you can max it up to 4 Gb.  If it is a single core see if a dual core processor exists.
0
 

Author Comment

by:shawn857
Comment Utility
my old laptop can take 2 gigs... I might get some more if it's cheap enough. OK db, I have taken enough of your time - thank you so much for the top-notch help!

Cheers
   Shawn
0
 

Author Closing Comment

by:shawn857
Comment Utility
Excellent!
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

The purpose of this Article is to provide information for a newly released variant of malware – with the assumption that many EE Members will have need of the information. According to “Computerworld”, well over one million web sites have been co…
Some of the most commonly posted questions in the "Virus & Malware" Zones are related to the family of rogue malware with the date "2012" somewhere in the title. Examples: XP Antispyware 2012 XP Antivirus 2012 XP Security 2012   XP Home Sec…
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now