
Author Topic: Confirm Clean  (Read 9486 times)


Helpmeh

    Topic Starter


    Guru

  • Roar.
  • Thanked: 123
    • Yes
    • Yes
  • Computer: Specs
  • Experience: Familiar
  • OS: Windows 8
Confirm Clean
« on: July 08, 2013, 08:58:43 PM »
Yesterday I encountered some odd virus; I'm not sure if it was a RAT or a simple password-stealer, but it managed to successfully take over some forum accounts and my Gmail account (luckily I got that one back immediately) within a few hours of running it. This morning I booted into safe mode, deleted the entire thing and did a system restore to 2 days ago to try and clean it. Just to be certain, I did a full system scan with Comodo, MBAM, SAS, and S&D. All that came up were some cookies and a few false-positives, but I'd just like to make sure my system is clean before I do anything else on it.

AdwCleaner log
# AdwCleaner v2.304 - Logfile created 07/08/2013 at 15:04:41
# Updated 03/07/2013 by Xplode
# Operating system : Windows 7 Professional Service Pack 1 (64 bits)
# User : White Light - WHITELIGHT-PC
# Boot Mode : Normal
# Running from : C:\Users\White Light\Downloads\adwcleaner.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****

File Found : C:\Users\White Light\AppData\Roaming\Mozilla\Firefox\Profiles\3nonlqgs.default\foxydeal.sqlite
Folder Found : C:\ProgramData\APN
Folder Found : C:\ProgramData\boost_interprocess
Folder Found : C:\Users\White Light\AppData\Roaming\Mozilla\Firefox\Profiles\3nonlqgs.default\extensions\staged

***** [Registry] *****

Key Found : HKCU\Software\APN PIP
Key Found : HKLM\Software\InstallIQ
Key Found : HKLM\Software\PIP
Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16490

[OK] Registry is clean.

-\\ Mozilla Firefox v19.0.2 (en-US)

File : C:\Users\White Light\AppData\Roaming\Mozilla\Firefox\Profiles\3nonlqgs.default\prefs.js

Found : user_pref("extensions.skipscreen.hostMatchStr", "hxxp://www.4shared.com/(get|audio|file|document|dir[...]

-\\ Google Chrome v27.0.1453.116

File : C:\Users\White Light\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [1442 octets] - [08/07/2013 15:04:41]

########## EOF - C:\AdwCleaner[R1].txt - [1502 octets] ##########

Malwarebytes' Anti-Malware (MBAM) log
Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org

Database version: v2013.07.08.05

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
White Light :: WHITELIGHT-PC [administrator]

Protection: Enabled

7/8/2013 12:09:54 PM
mbam-log-2013-07-08 (12-09-54).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 482755
Time elapsed: 2 hour(s), 41 minute(s), 49 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 33
C:\Users\White Light\Downloads\pooler-cpuminer-2.2.3-win32 (1).zip (PUP.BitCoin) -> No action taken.
C:\Users\White Light\Downloads\pooler-cpuminer-2.2.3-win32.zip (PUP.BitCoin) -> No action taken.
C:\Windows\AutoKMS\AutoKMS.exe (Trojan.AutoKMS) -> No action taken.
C:\ProgramData\Comodo\Cis\Quarantine\data\{0DFA085A-C1F8-4FD5-99E6-3D648D3F7029} (HackTool.Binder) -> Quarantined and deleted successfully.
C:\ProgramData\Comodo\Cis\Quarantine\data\{157B0284-9C67-4B92-B0FB-DDFB94CBE9B0} (Trojan.Backdoor) -> Quarantined and deleted successfully.
C:\ProgramData\Comodo\Cis\Quarantine\data\{18A61399-4C11-4FD2-92B2-1232F4447860} (Trojan.Backdoor) -> Quarantined and deleted successfully.
C:\ProgramData\Comodo\Cis\Quarantine\data\{20676021-8FC6-4525-962D-3FE022F6662D} (HackTool.Binder) -> Quarantined and deleted successfully.
C:\ProgramData\Comodo\Cis\Quarantine\data\{2E3FE223-0AE8-4E90-8363-470F5A2BC2EC} (PUP.RiskwareTool.CK) -> Quarantined and deleted successfully.
C:\ProgramData\Comodo\Cis\Quarantine\data\{35653073-7B05-4B03-ACD9-AB88C5A03F90} (Trojan.Agent) -> Quarantined and deleted successfully.
C:\ProgramData\Comodo\Cis\Quarantine\data\{35654697-B7DC-49DA-AA6C-A22F7395F6D1} (Backdoor.Agent.DCRSAGen) -> Quarantined and deleted successfully.
C:\ProgramData\Comodo\Cis\Quarantine\data\{4606DF8D-C9FA-416A-85CE-EC7490A41C27} (PUP.RiskwareTool.CK) -> Quarantined and deleted successfully.
C:\ProgramData\Comodo\Cis\Quarantine\data\{4D798EF7-5127-4D11-9D91-F12630ED021C} (Trojan.Backdoor) -> Quarantined and deleted successfully.
C:\ProgramData\Comodo\Cis\Quarantine\data\{5A079A4A-BD71-4D06-9396-A675E32D3A24} (Trojan.Agent) -> Quarantined and deleted successfully.
C:\ProgramData\Comodo\Cis\Quarantine\data\{5BFA295D-B9EE-4FD7-A7E1-CF616D3BCBE2} (Trojan.Backdoor) -> Quarantined and deleted successfully.
C:\ProgramData\Comodo\Cis\Quarantine\data\{642446B5-C0BF-4215-A0C3-B3EAC2C351C1} (Trojan.Backdoor) -> Quarantined and deleted successfully.
C:\ProgramData\Comodo\Cis\Quarantine\data\{719C4328-45AC-4A26-A817-E48554132D11} (PUP.RiskwareTool.CK) -> Quarantined and deleted successfully.
C:\ProgramData\Comodo\Cis\Quarantine\data\{837595C3-5163-4304-BD86-01CE356F2BDB} (PUP.RiskwareTool.CK) -> Quarantined and deleted successfully.
C:\ProgramData\Comodo\Cis\Quarantine\data\{8A8CD256-BE12-4241-9BA3-9ECD61B616F6} (PUP.RiskwareTool.CK) -> Quarantined and deleted successfully.
C:\ProgramData\Comodo\Cis\Quarantine\data\{8B999078-43DA-4488-B27F-A05308CE44C9} (Trojan.Backdoor) -> Quarantined and deleted successfully.
C:\ProgramData\Comodo\Cis\Quarantine\data\{8E36A856-F3FD-422D-AD00-7BE7E78E9260} (PUP.PassView) -> Quarantined and deleted successfully.
C:\ProgramData\Comodo\Cis\Quarantine\data\{8EEDBBBA-2B86-4696-B491-996C82EBC590} (Trojan.BitMiner) -> Quarantined and deleted successfully.
C:\ProgramData\Comodo\Cis\Quarantine\data\{90DDECD5-BACC-4613-BF32-5702097E7B24} (PUP.RiskwareTool.CK) -> Quarantined and deleted successfully.
C:\ProgramData\Comodo\Cis\Quarantine\data\{96445AE3-B9EB-4A05-8ADA-76F31CB3E1EC} (Trojan.Agent) -> Quarantined and deleted successfully.
C:\ProgramData\Comodo\Cis\Quarantine\data\{A485B28F-D76B-413D-B049-379ED4F1DB61} (Trojan.Backdoor) -> Quarantined and deleted successfully.
C:\ProgramData\Comodo\Cis\Quarantine\data\{B5CEC9B3-F3E9-44FE-B4D0-2C87D8F9892A} (Trojan.BitMiner) -> Quarantined and deleted successfully.
C:\ProgramData\Comodo\Cis\Quarantine\data\{CA81CB4B-97CF-4E33-BE1D-B512697FD481} (Trojan.Backdoor) -> Quarantined and deleted successfully.
C:\ProgramData\Comodo\Cis\Quarantine\data\{D03BC1DA-462B-446C-AF71-8622AEDDDA90} (Trojan.Backdoor) -> Quarantined and deleted successfully.
C:\ProgramData\Comodo\Cis\Quarantine\data\{D5C7E1BF-2D7B-4E72-9587-0AC89E583E21} (Backdoor.Agent.DCRSAGen) -> Quarantined and deleted successfully.
C:\ProgramData\Comodo\Cis\Quarantine\data\{DBC1B9CE-0687-4CE3-97CF-731A295EBA0C} (PUP.RiskwareTool.CK) -> Quarantined and deleted successfully.
C:\ProgramData\Comodo\Cis\Quarantine\data\{F458468F-F4EE-4D7F-AAB6-562D25BD7629} (Trojan.Backdoor) -> Quarantined and deleted successfully.
C:\ProgramData\Comodo\Cis\Quarantine\data\{FA614DEE-2638-43BA-87A3-85B76C7C45E6} (PUP.RiskwareTool.CK) -> Quarantined and deleted successfully.
C:\ProgramData\Comodo\Cis\Quarantine\data\{FC1AB5E5-9869-4E1B-902D-30AEFA237C5E} (Trojan.Backdoor) -> Quarantined and deleted successfully.
C:\ProgramData\Comodo\Cis\Quarantine\data\{FC59C9DD-6CD4-4A9D-A8F7-56C6C00E77D0} (Trojan.Backdoor) -> Quarantined and deleted successfully.

(end)

Security Check log
 Results of screen317's Security Check version 0.99.68 
 Windows 7 Service Pack 1 x64 (UAC is enabled) 
 Internet Explorer 10 
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Disabled! 
COMODO Antivirus   
 Antivirus up to date! 
`````````Anti-malware/Other Utilities Check:`````````
 Malwarebytes Anti-Malware version 1.75.0.1300 
 Visual Studio Extensions for Windows Library for JavaScript
 Java version out of Date!
 Adobe Flash Player 11.7.700.169 
 Mozilla Firefox 19.0.2 Firefox out of Date! 
 Google Chrome 27.0.1453.110 
 Google Chrome 27.0.1453.116 
````````Process Check: objlist.exe by Laurent````````
 Malwarebytes Anti-Malware mbam.exe 
 Comodo Firewall cmdagent.exe
 Malwarebytes' Anti-Malware mbamscheduler.exe   
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````

I have Java disabled and I don't use Firefox, which is why they're both out of date.

Really just hoping for a clean bill of health here.
« Last Edit: July 09, 2013, 04:10:11 PM by SuperDave »
Where's MagicSpeed?
Quote from: 'matt'
He's playing a game called IRL. Great graphics, *censored* gameplay.

SuperDave

  • Malware Removal Specialist


  • Genius
  • Thanked: 1020
  • Certifications: List
  • Experience: Expert
  • OS: Windows 10
Re: Confirm Clean
« Reply #1 on: July 09, 2013, 04:12:57 PM »
Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
*************************************************************************
Remove the Adware:
  • Please close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with OK
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile in your reply.
  • You can find the logfile at C:\AdwCleaner[Sn].txt as well - n is the order number.
**********************************
There were three items in MBAM that were not cleaned. Please run it again and make sure everything is checked and removed.

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

Read this article: Danger: Remote Access Trojans.

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay and forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one! If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach.

I would counsel you to disconnect this PC from the Internet immediately.

Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall?

We can attempt to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post.
Windows 8 and Windows 10 dual boot with two SSD's
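Added example (not from this thread and not Malwarebytes code): a small Python triage script for MBAM 1.x "Files Detected" lines in the format posted above. It separates hits left with "No action taken" from those already removed, and treats anything sitting under another product's quarantine store (Comodo's ...\Cis\Quarantine\ in the log above) as an already-contained copy rather than a live file, which is the distinction between the Comodo-quarantine entries and the three live items Dave refers to. The sample log lines, paths and GUIDs embedded in the script are constructed for the example; the quarantine-path heuristic and the rule that any category containing "Backdoor" counts as backdoor-class are assumptions of this script, not Malwarebytes behaviour.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the MBAM 1.x log format (paths and GUIDs are made up
# for this example; this is not the thread's real log).
SAMPLE_LOG = r"""
Files Detected: 6
C:\Users\Example\Downloads\pooler-cpuminer (1).zip (PUP.BitCoin) -> No action taken.
C:\Windows\AutoKMS\AutoKMS.exe (Trojan.AutoKMS) -> No action taken.
C:\ProgramData\Comodo\Cis\Quarantine\data\{00000000-0000-0000-0000-000000000001} (Trojan.Backdoor) -> Quarantined and deleted successfully.
C:\ProgramData\Comodo\Cis\Quarantine\data\{00000000-0000-0000-0000-000000000002} (Backdoor.Agent.DCRSAGen) -> Quarantined and deleted successfully.
C:\ProgramData\Comodo\Cis\Quarantine\data\{00000000-0000-0000-0000-000000000003} (PUP.RiskwareTool.CK) -> Quarantined and deleted successfully.
C:\Users\Example\AppData\Roaming\svc\updater.exe (Trojan.Backdoor) -> Quarantined and deleted successfully.

(end)
"""

# "<path> (<category>) -> <action>." ; the path may itself contain parentheses,
# so the path group is lazy and the category group excludes them.
DETECTION_RE = re.compile(r"^(?P<path>.+?) \((?P<category>[^()]+)\) -> (?P<action>.+?)\.?\s*$")


@dataclass
class Detection:
    path: str
    category: str
    action: str

    @property
    def actioned(self) -> bool:
        # MBAM writes "No action taken" when the item was unticked before removal.
        return not self.action.lower().startswith("no action")

    @property
    def in_other_av_quarantine(self) -> bool:
        # Assumption: a hit under a "\Quarantine\" directory is another product's
        # already-contained copy (e.g. Comodo CIS), not a live file on disk.
        return "\\quarantine\\" in self.path.lower()

    @property
    def backdoor_class(self) -> bool:
        # Assumption: both "Trojan.Backdoor" and "Backdoor.Agent.*" naming
        # indicate remote-control capability.
        return "backdoor" in self.category.lower()


def parse_mbam_detections(text: str) -> List[Detection]:
    """Return every 'path (category) -> action' line in an MBAM log, in order."""
    found: List[Detection] = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            found.append(Detection(m["path"], m["category"], m["action"]))
    return found


def triage(detections: List[Detection]) -> Dict[str, object]:
    """Summarise what is still live, what was only a contained copy, and what matters most."""
    contained = [d for d in detections if d.in_other_av_quarantine]
    live_backdoors = [d for d in detections if d.backdoor_class and not d.in_other_av_quarantine]
    return {
        "total": len(detections),
        "unactioned_paths": [d.path for d in detections if not d.actioned],
        "already_in_other_quarantine": len(contained),
        "live_backdoor_paths": [d.path for d in live_backdoors],
        "any_backdoor_seen": any(d.backdoor_class for d in detections),
        "category_counts": Counter(d.category for d in detections),
    }


if __name__ == "__main__":
    result = triage(parse_mbam_detections(SAMPLE_LOG))
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run it against a saved mbam-log-*.txt by reading the file into `parse_mbam_detections`; the "live_backdoor_paths" list is the one to act on first, while a large "already_in_other_quarantine" count mostly tells you a second scanner is re-reading the first one's quarantine store.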

Helpmeh

Re: Confirm Clean
« Reply #2 on: July 09, 2013, 09:18:39 PM »
I used MBAM to remove the AutoKMS "trojan," simply because I don't need it. As others have said, "it's 'antipiracy' detection, not malware detection. That's AVs doing the dirty work for Microsoft - that's not security protection."
As far as the other two, those are false-positives.

Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org

Database version: v2013.07.09.09

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
White Light :: WHITELIGHT-PC [administrator]

Protection: Disabled

7/9/2013 11:15:18 PM
mbam-log-2013-07-09 (23-15-18).txt

Scan type: Custom scan (C:\Windows\AutoKMS|)
Scan options enabled: File System | Heuristics/Shuriken | PUP | PUM
Scan options disabled: Memory | Startup | Registry | Heuristics/Extra | P2P
Objects scanned: 3
Time elapsed: 5 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Windows\AutoKMS\AutoKMS.exe (Trojan.AutoKMS) -> Quarantined and deleted successfully.

(end)



# AdwCleaner v2.304 - Logfile created 07/09/2013 at 23:08:24
# Updated 03/07/2013 by Xplode
# Operating system : Windows 7 Professional Service Pack 1 (64 bits)
# User : White Light - WHITELIGHT-PC
# Boot Mode : Normal
# Running from : C:\Users\White Light\Downloads\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****


***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16490

[OK] Registry is clean.

-\\ Mozilla Firefox v19.0.2 (en-US)

File : C:\Users\White Light\AppData\Roaming\Mozilla\Firefox\Profiles\3nonlqgs.default\prefs.js

[OK] File is clean.

-\\ Google Chrome v27.0.1453.116

File : C:\Users\White Light\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [1571 octets] - [08/07/2013 15:04:41]
AdwCleaner[S1].txt - [902 octets] - [09/07/2013 23:08:24]

########## EOF - C:\AdwCleaner[S1].txt - [961 octets] ##########

SuperDave

Re: Confirm Clean
« Reply #3 on: July 10, 2013, 01:15:05 PM »
Did you read the warning about backdoor trojans? Do you want to go ahead with the cleaning or would you rather re-format and re-install?

Helpmeh

Re: Confirm Clean
« Reply #4 on: July 10, 2013, 01:34:34 PM »
I have an empty 1TB partition on my main HDD. I think I'll just install on that partition and move any files I want to keep over from the other partition afterwards.

SuperDave

Re: Confirm Clean
« Reply #5 on: July 10, 2013, 05:25:33 PM »
Quote from: Helpmeh
I have an empty 1TB partition on my main HDD. I think I'll just install on that partition and move any files I want to keep over from the other partition afterwards.
Ok, good luck.