Changing and recurring malware (incl. deal keeper, settings manager, appbud)


Hi,

I recently got malware that keeps mutating in terms of what is detected by the SUPERAntiSpyware (SAS) program. In particular, first Deal Keeper, then Settings Manager and now AppBud.

However, SAS says the removal is complete, the computer is restarted as requested, but if you run SAS again they reappear (and the pop-ups keep coming). Below is the report of the last detection (it seems Deal Keeper and Settings Manager are no longer being detected, if still infected; though it had reappeared and I uninstalled it again through the Control Panel route).

I tried to remove the programs using FixIt from Microsoft. The programs would not appear, so I had to type in the 38-digit numbers. I did it one by one. But I ran SAS again and it still detects the unwanted items, but does not effectively delete them.

Help would be greatly appreciated!!

Regards,

Row

Operating System Information
Windows 8.1 64-bit (Build 6.03.9200)
UAC On - Limited User

Memory items scanned      : 542
Memory threats detected   : 0
Registry items scanned    : 45860
Registry threats detected : 14
File items scanned        : 33696
File threats detected     : 2

PUP.AppBud
    (x86) HKLM\SOFTWARE\CLASSES\CLSID\{5A4E3A41-FA55-4BDA-AED7-CEBE6E7BCB52}
    (x64) HKLM\SOFTWARE\CLASSES\CLSID\{5A4E3A41-FA55-4BDA-AED7-CEBE6E7BCB52}\InprocServer32
    (x64) HKLM\SOFTWARE\CLASSES\CLSID\{5A4E3A41-FA55-4BDA-AED7-CEBE6E7BCB52}\InprocServer32#ThreadingModel
    (x64) HKLM\SOFTWARE\CLASSES\CLSID\{5A4E3A41-FA55-4BDA-AED7-CEBE6E7BCB52}\Programmable
    (x64) HKLM\SOFTWARE\CLASSES\CLSID\{5A4E3A41-FA55-4BDA-AED7-CEBE6E7BCB52}\TypeLib
    (x64) HKLM\SOFTWARE\CLASSES\CLSID\{5A4E3A41-FA55-4BDA-AED7-CEBE6E7BCB52}\Version
    (x64) HKLM\SOFTWARE\CLASSES\INTERFACE\{4E6354DE-9115-4AEE-BD21-C46C3E8A49DB}
    (x64) HKLM\SOFTWARE\CLASSES\INTERFACE\{4E6354DE-9115-4AEE-BD21-C46C3E8A49DB}\ProxyStubClsid32
    (x64) HKLM\SOFTWARE\CLASSES\INTERFACE\{4E6354DE-9115-4AEE-BD21-C46C3E8A49DB}\TypeLib
    (x64) HKLM\SOFTWARE\CLASSES\INTERFACE\{4E6354DE-9115-4AEE-BD21-C46C3E8A49DB}\TypeLib#Version
    (x64) HKLM\SOFTWARE\CLASSES\INTERFACE\{FC073BDA-C115-4A1D-9DF9-9B5C461482E5}
    (x64) HKLM\SOFTWARE\CLASSES\INTERFACE\{FC073BDA-C115-4A1D-9DF9-9B5C461482E5}\ProxyStubClsid32
    (x64) HKLM\SOFTWARE\CLASSES\INTERFACE\{FC073BDA-C115-4A1D-9DF9-9B5C461482E5}\TypeLib
    (x64) HKLM\SOFTWARE\CLASSES\INTERFACE\{FC073BDA-C115-4A1D-9DF9-9B5C461482E5}\TypeLib#Version

Adware.Tracking Cookie
    .doubleclick.net [ C:\USERS\DELL\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\ANBAETMJ.DEFAULT-1410999420544\COOKIES.SQLITE ]
    .doubleclick.net [ C:\USERS\DELL\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\ANBAETMJ.DEFAULT-1410999420544\COOKIES.SQLITE ]

Hello Row,

Did you scan for unwanted programs or just do a regular scan?

The unwanted program scan can be done before a regular scan - there is a checkbox in Recommended Pre-Scan Actions. You can also access the unwanted program scan in the System Tools window - Uninstall Unwanted Programs.

SUPERAntiSpyware Malware Research


Hi, thanks for your response. Yes, now I did. I went through both the Unwanted Programs check and the Unwanted Programs deletion. However, the deletion does not effectively happen. It just gets recognized; after the instruction to remove, the message is that it is deleted, after which a restart of the machine is required, but then when I scan again the malware shows up again.


I followed the instructions and instructed the computer to delete the files that appeared. However, I then ran SAS again, and the infections were still detected. This is a sticky set of malware! Below is the report from AdwCleaner:

# AdwCleaner v3.310 - Report created 19/09/2014 at 18:09:28
# Updated 12/09/2014 by Xplode
# Operating System : Windows 8.1  (64 bits)
# Username : DELL - PC
# Run from : C:\Users\DELL\Downloads\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

[#] Service Deleted : F06DEFF2-5B9C-490D-910F-35D3A91196222
[#] Service Deleted : Update Deal Keeper
[#] Service Deleted : Util Deal Keeper
Service Deleted : {55dce8ba-9dec-4013-937e-adbf9317d990}Gw64
Service Deleted : {55dce8ba-9dec-4013-937e-adbf9317d990}w64

***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\ParetoLogic
Folder Deleted : C:\ProgramData\systemk
Folder Deleted : C:\Program Files (x86)\Settings Manager
Folder Deleted : C:\Program Files (x86)\SiteLookup
[!] Folder Deleted : C:\Program Files (x86)\Deal Keeper
Folder Deleted : C:\Users\DELL\AppData\Local\Linkey
Folder Deleted : C:\Users\DELL\AppData\LocalLow\DataMngr
Folder Deleted : C:\Users\DELL\AppData\Roaming\DriverCure
Folder Deleted : C:\Users\DELL\AppData\Roaming\ParetoLogic
Folder Deleted : C:\Users\DELL\AppData\Roaming\Settings Manager
Folder Deleted : C:\Users\DELL\AppData\Roaming\SimilarAddon
Folder Deleted : C:\Users\DELL\AppData\Roaming\Systweak
Folder Deleted : C:\Users\DELL\AppData\Local\Google\Chrome\User Data\Default\Extensions\eencbeelgfacnhekfiklkobllfleohce
File Deleted : C:\Windows\System32\roboot64.exe
File Deleted : C:\Windows\System32\drivers\{55dce8ba-9dec-4013-937e-adbf9317d990}Gw64.sys
File Deleted : C:\Windows\System32\drivers\{55dce8ba-9dec-4013-937e-adbf9317d990}w64.sys
File Deleted : C:\Program Files (x86)\Mozilla Firefox\browser\searchplugins\default-search.xml

***** [ Tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\AdvancedSystemProtector_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\AdvancedSystemProtector_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\DealKeeper_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\DealKeeper_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\updateDealKeeper_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\updateDealKeeper_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitguard.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bprotect.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\browserdefender.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\browserprotect.exe
Value Deleted : HKLM\SYSTEM\ControlSet001\Control\Session Manager\AppCertDlls [x64]
Value Deleted : HKLM\SYSTEM\ControlSet001\Control\Session Manager\AppCertDlls [x86]
Key Deleted : HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\Update Deal Keeper
Key Deleted : HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\Util Deal Keeper
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{4AA46D49-459F-4358-B4D1-169048547C23}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{5A4E3A41-FA55-4BDA-AED7-CEBE6E7BCB52}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1ec8187a-6435-44e3-bbe4-6ce6d3c69254}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{4E6354DE-9115-4AEE-BD21-C46C3E8A49DB}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{FC073BDA-C115-4A1D-9DF9-9B5C461482E5}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{ba0ab49b-34a1-4c36-bb3b-e6f458974507}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1ec8187a-6435-44e3-bbe4-6ce6d3c69254}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1ec8187a-6435-44e3-bbe4-6ce6d3c69254}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{1ec8187a-6435-44e3-bbe4-6ce6d3c69254}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2492}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{4AA46D49-459F-4358-B4D1-169048547C23}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2492}
Key Deleted : HKCU\Software\Deal Keeper
Key Deleted : HKCU\Software\InstallCore
Key Deleted : HKCU\Software\ParetoLogic
Key Deleted : HKCU\Software\SystemK
Key Deleted : HKCU\Software\systweak
Key Deleted : HKCU\Software\Tune
Key Deleted : HKLM\SOFTWARE\Deal Keeper
Key Deleted : HKLM\SOFTWARE\ParetoLogic
Key Deleted : HKLM\SOFTWARE\Solvusoft
Key Deleted : HKLM\SOFTWARE\SystemK
Key Deleted : HKLM\SOFTWARE\systweak
Key Deleted : HKLM\SOFTWARE\Tune
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bpsvc.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\browsersafeguard.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dprotectsvc.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jumpflip
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\protectedsearch.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\searchinstaller.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\searchprotection.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\searchprotector.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\searchsettings.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\searchsettings64.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\snapdo.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\stinst32.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\stinst64.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\umbrella.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utiljumpflip.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\volaro
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vonteera
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\websteroids.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\websteroidsservice.exe

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17278


-\\ Mozilla Firefox v32.0.2 (x86 en-US)

[ File : C:\Users\DELL\AppData\Roaming\Mozilla\Firefox\Profiles\anbaetmj.default-1410999420544\prefs.js ]


-\\ Google Chrome v37.0.2062.120

[ File : C:\Users\DELL\AppData\Local\Google\Chrome\User Data\Default\preferences ]

Deleted [startup_urls] : hxxp://www.default-search.net?sid=492&aid=121&itype=a&ver=13337&tm=413&src=hmp
Deleted [Homepage] : hxxp://www.default-search.net?sid=492&aid=121&itype=a&ver=13337&tm=413&src=hmp
Deleted [Extension] : eencbeelgfacnhekfiklkobllfleohce

*************************

AdwCleaner[R0].txt - [9185 octets] - [19/09/2014 18:05:57]
AdwCleaner[s0].txt - [7606 octets] - [19/09/2014 18:09:28]

########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [7666 octets] ##########

Look in installed programs and uninstall Dealkeeper.

Open up a Run box and type "msconfig" (minus quotations).

In the Startup tab uncheck Dealkeeper.

In the Services tab uncheck Dealkeeper.

Restart computer.

Remove websteroids from Firefox plugins.

Remove snap.do from FF plugins and search engines list.

Remove searchprotector from FF plugins.

Remove bitguard from FF. (if found)

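The AdwCleaner log above and Guilty Spark's manual msconfig steps both come down to one question: which components are still installed that can recreate the keys SAS deletes between one scan and the next? A service or kernel driver that is still running, a DLL listed under AppCertDlls (kernel32 loads every DLL named there into any process that calls CreateProcess), or an Image File Execution Options Debugger value (Windows starts the named "debugger" instead of the program each time that executable launches, a trick adware commonly uses to block rival adware and cleanup tools) can each undo a cleanup. The PowerShell script below is an added example, not part of the thread and not a SUPERAntiSpyware or AdwCleaner component; it audits the locations the log lists (services and drivers, AppCertDlls, IFEO, IE Browser Helper Objects, Chrome extensions, homepage and startup_urls) and reports without deleting anything. The GUID and ProgramData/Users heuristics and the default Chrome profile path are assumptions taken from the entries in the log, not general rules.

```powershell
# Added example: read-only audit of the persistence locations named in the AdwCleaner log above.
# Not a SUPERAntiSpyware or AdwCleaner tool. Run from an elevated PowerShell prompt; Windows 8.1
# ships PowerShell 4, which has every cmdlet used here.
function Get-PupPersistence {
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding($Category, $Item, $Detail) {
        $findings.Add([pscustomobject]@{ Category = $Category; Item = $Item; Detail = "$Detail" })
    }

    # Services and kernel drivers. Heuristic (an assumption based on the log, not a rule): a GUID in the
    # service name or binary path, or a binary under ProgramData/Users, is unusual for Windows' own services.
    $guidish = '[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}'
    foreach ($svc in @(Get-CimInstance Win32_Service) + @(Get-CimInstance Win32_SystemDriver)) {
        $path = [string]$svc.PathName
        if ($svc.Name -match $guidish -or $path -match $guidish -or $path -match '\\(ProgramData|Users)\\') {
            Add-Finding 'Service/Driver' $svc.Name "$($svc.State), $($svc.StartMode): $path"
        }
    }

    # AppCertDlls: each value names a DLL loaded into every process that calls CreateProcess.
    # A clean system normally has this key absent or empty, so anything listed deserves a look.
    $appCert = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls'
    if (Test-Path $appCert) {
        foreach ($p in (Get-ItemProperty $appCert).PSObject.Properties) {
            if ($p.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$') {
                Add-Finding 'AppCertDlls' $p.Name $p.Value
            }
        }
    }

    # IFEO: a Debugger value redirects every launch of the named executable to another program.
    # Both the native and the Wow6432Node view are checked where they exist.
    $ifeo = 'Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    foreach ($root in (@("HKLM:\SOFTWARE\$ifeo", "HKLM:\SOFTWARE\Wow6432Node\$ifeo") | Where-Object { Test-Path $_ })) {
        foreach ($key in Get-ChildItem $root) {
            $dbg = (Get-ItemProperty -Path $key.PSPath).Debugger
            if ($dbg) { Add-Finding 'IFEO Debugger' $key.PSChildName $dbg }
        }
    }

    # IE Browser Helper Objects: resolve each registered CLSID to the DLL IE would load.
    $bho = 'Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    foreach ($root in (@("HKLM:\SOFTWARE\$bho", "HKLM:\SOFTWARE\Wow6432Node\$bho") | Where-Object { Test-Path $_ })) {
        foreach ($key in Get-ChildItem $root) {
            $clsid = $key.PSChildName
            $dlls = foreach ($cls in @("HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32",
                                       "HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID\$clsid\InprocServer32")) {
                if (Test-Path $cls) { (Get-ItemProperty $cls).'(default)' }
            }
            Add-Finding 'IE BHO' $clsid (($dlls | Where-Object { $_ }) -join ' | ')
        }
    }

    # Chrome: extension IDs with their manifest names (a name like __MSG_x__ is a localized placeholder),
    # plus homepage and session.startup_urls, the two preferences the log shows pointed at default-search.net.
    # Assumes the current user's default profile.
    $chrome = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default'
    if (Test-Path "$chrome\Extensions") {
        foreach ($ext in Get-ChildItem "$chrome\Extensions" -Directory) {
            $manifest = Get-ChildItem $ext.FullName -Recurse -Filter manifest.json | Select-Object -First 1
            $name = if ($manifest) { (Get-Content $manifest.FullName -Raw | ConvertFrom-Json).name } else { '(no manifest)' }
            Add-Finding 'Chrome extension' $ext.Name $name
        }
    }
    if (Test-Path "$chrome\Preferences") {
        $prefs = Get-Content "$chrome\Preferences" -Raw | ConvertFrom-Json
        if ($prefs.homepage) { Add-Finding 'Chrome homepage' 'homepage' $prefs.homepage }
        foreach ($u in @($prefs.session.startup_urls)) {
            if ($u) { Add-Finding 'Chrome startup_urls' 'session.startup_urls' $u }
        }
    }
    return $findings
}

Get-PupPersistence | Sort-Object Category, Item | Format-Table -AutoSize -Wrap
```

Run it before and after a reboot and compare the two outputs with the AdwCleaner report: an entry that returns after a reboot points at the component that recreates it, which is what to remove first. On Windows 8 and later the msconfig Startup tab only refers you to Task Manager, so the script reads services and drivers directly instead of relying on that tab.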

Thanks SAS Malware Research and Guilty Spark for your help. I did not find Deal Keeper or the rest of the plugins and applications I was instructed to remove. However, after restarting the computer, many of the threats are not being detected by SAS. Hopefully they have been successfully removed! However, there are three that remain and do not successfully erase:

Adware.Tracking Cookie
    .imrworldwide.com [ C:\USERS\DELL\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\ANBAETMJ.DEFAULT-1410999420544\COOKIES.SQLITE ]
    .doubleclick.net [ C:\USERS\DELL\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\ANBAETMJ.DEFAULT-1410999420544\COOKIES.SQLITE ]
    .doubleclick.net [ C:\USERS\DELL\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\ANBAETMJ.DEFAULT-1410999420544\COOKIES.SQLITE ]