[my_name]

My IP address has been blacklisted by the CBL at abuseat.org.  When I had my IP removed from this list, it was shortly re-listed because it was detected again to be the origin of malware.  "This was detected by observing this IP attempting to make contact to a corebot Command and Control server, with contents unique to corebot C&C command protocols. "

 

It had previously said we were detected to be infected with something else, so is this for real?  I have 2 Windows 10 and 1 Windows 7 computer on my wireless home network.  The Windows 7 computer seems the most likely candidate for anything since it's older and runs slow.

 

I ran typical virus scans and they found nothing on any computer.  Corebot sounds like a pretty serious threat so I definitely need to know if this threat is real.

[Advertisements]

Hi my_name,

Yes. This threat is real. Corebot is a Banker Trojan used in an attempt to obtain confidential information about online banking and payment systems. There is a decent write up about Trojan: Win32/Corebot here.

If any of your computers were used for online banking, has credit card information or other sensitive data on it, you should NOT reconnect any of them to the Internet until your systems are clean or have been reformatted.

ALL passwords should be changed immediately, even if you choose to reformat, to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. You should change each password by using a CLEAN COMPUTER and not the infected ones. If not, an attacker may get the new passwords and transaction information. If using a router, you will need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified as soon as possible due to the possibility of the security breach.

Though the trojan has been identified and can possibly be cleansed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS.

Because your computer was compromised please read the following links:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When should I re-format? How should I reinstall?

Let me know if you would like to proceed with trying to disinfect your computer(s). If so, I would prefer to start with your Windows 7 computer.

In order to see what we are dealing with, we will need to see some logs and since it is best to not connect the computer(s) to the internet we will need access to a known clean computer and a known clean USB drive to transfer files from and to the infected computer.

Donna

[DonnaB]

Hi my_name,

Yes. This threat is real. Corebot is a Banker Trojan used in an attempt to obtain confidential information about online banking and payment systems. There is a decent write up about Trojan: Win32/Corebot here.

If any of your computers were used for online banking, has credit card information or other sensitive data on it, you should NOT reconnect any of them to the Internet until your systems are clean or have been reformatted.

ALL passwords should be changed immediately, even if you choose to reformat, to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. You should change each password by using a CLEAN COMPUTER and not the infected ones. If not, an attacker may get the new passwords and transaction information. If using a router, you will need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified as soon as possible due to the possibility of the security breach.

Though the trojan has been identified and can possibly be cleansed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS.

Because your computer was compromised please read the following links:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When should I re-format? How should I reinstall?

Let me know if you would like to proceed with trying to disinfect your computer(s). If so, I would prefer to start with your Windows 7 computer.

In order to see what we are dealing with, we will need to see some logs and since it is best to not connect the computer(s) to the internet we will need access to a known clean computer and a known clean USB drive to transfer files from and to the infected computer.

Donna

[my_name]

Hi, Donna, thanks for replying.

 

I would like to continue with you in doing a cleanup.  You should know, however, that the Windows 7 computer has been upgraded to Windows 10 since I posted this, but everything old transferred over, obviously.  I don't have any way to know which computer is infected, unless you can help me with that.  I do know that one of the computers was asleep when the threat was originally detected, so if that eliminates the likelihood of this one being compromised, I am using this one for now.  It is also the newest computer in the house, having come pre-installed with Windows 10.

 

It's kind of complicated without knowing which computer(s) may be infected, and would be difficult to reformat all of them.  If an infection could be detected on a particular computer, I would definitely consider doing a clean install with some help.  The older computer sometimes has the fan rev really high and sometimes svchost is doing something in the background (could be harmless), but the other 2 computers don't seem to have any unusual activity.

 

Please let me know what my next step should be.

 

P.S.  I do have an Android phone on my wifi which I use to access my banking, etc.   Should I be okay with continuing to use that or changing my passwords using that?  I don't really have many options of internet access outside my home or using an insecure public hotspot.

Edited by my_name, 05 May 2016 - 08:14 AM.

[DonnaB]

Hi my_name,
 

Hi, Donna, thanks for replying.

You're welcome!
 

P.S. I do have an Android phone on my wifi which I use to access my banking, etc. Should I be okay with continuing to use that or changing my passwords using that?

Android are vulnerable as well. See here. If you don't have an AV installed on your Android already, I would suggest that you install one of these mobile AV's and do a scan to make sure the Android is clean since you use it for banking. I hear nothing but good things about Avast so if I were to recommend any on the list, Avast would be the one.

Let's check out the computer you're using now that came pre-installed with Windows 10 to make sure it is clean. Then we'll check out the other computers..

Please do as follows:

Download Farbar Recovery Scan Tool to your desktop from one of the links below:

For x32 (x86) bit systems download Farbar Recovery Scan Tool.
For x64 bit systems download Farbar Recovery Scan Tool x64.

• Right click on the FRST.exe and choose Run as administrator.
• When the tool opens click Yes to disclaimer.
• Under Optional Scan make sure there is a checkmark in the box for Addition.txt to ensure it creates that 2nd log.
• Press Scan button.
• Please attach both logs in your next reply.

[my_name]

Here are the logs you requested from my new laptop.  Please let me know what to do next or if you have any problems with the attachments.

 

By the way, I'm not getting email alerts when you reply to my topic.  I'm not sure why, because I thought I had my account set to send me alerts.  For now, I'm just intermittently refreshing this page to see new replies.

Attached Files

•  Addition.txt   27.73KB   176 downloads
•  FRST.txt   59.69KB   164 downloads

Edited by my_name, 05 May 2016 - 12:45 PM.

[DonnaB]

Hi my_name,
 

I'm not getting email alerts

Strange. Check your spam folder to make sure the notifications aren't going there.

I don't see any malware on this computer, though there are a few leftover items we need to clean up.

• Open notepad (Start orb > type notepad into Start Search > chose notepad from list.
• Please copy the entire contents of the code box below.
  (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste).
• Save it to the same directory as frst64.exe as fixlist.txt.
  
  

  CreateRestorePoint:
  SearchScopes: HKU\S-1-5-21-2969747411-772983379-2254464739-1001 -> DefaultScope {EC121D41-5DCC-409B-846F-BA5F10F79F58} URL = 
  SearchScopes: HKU\S-1-5-21-2969747411-772983379-2254464739-1001 -> {EC121D41-5DCC-409B-846F-BA5F10F79F58} URL = 
  R3 PCDSRVC{3B54B31B-D06B6431-06020200}_0; \??\c:\program files\dell\supportassist\pcdsrvc_x64.pkms [X]
  S3 rpcapd; "%ProgramFiles(x86)%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles(x86)%\WinPcap\rpcapd.ini" [X]
  EmptyTemp:
  

  NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
• Run frst64.exe and press the Fix button just once and wait.
• The tool will make a log (Fixlog.txt) which you will find where you saved FRST. Please post it to your reply.

Next:

I see you have Malwarebytes Antimalware installed.

Malwarebytes 2.0, please run a Threat Scan

• Click on the Dashboard tab and to the right of Database Version, click the Update Now >> link.
• After the updates complete, click on the Settings tab at the top then click on Detection and Protection.
• Under Detection Options, make sure all 3 options are checked.
• Just below that, under Non-Malware Protection, click on the drop down arrow under PUP (Potentially Unwanted Program) detections: and choose Treat detections as malware.
• Click on the Scan tab at the top, then click on the Scan Now >> button. (There is also a Scan Now >> button on the Dashboard you can click as well.
• If you are offered to update again, go ahead and click the Update Now >> button. Once complete, the Threat Scan will begin.
• When the scan is complete, if there have been any detections, click Apply Actions to allow MBAM to clean what was detected.
• In most cases, a restart will be required.
• Wait for the prompt to restart the computer to appear, then click on Yes.

Post log:

• After the restart once you are back at your desktop, open MBAM once more.
• Click on the History tab > Application Logs
• Double click on the scan log which shows the Date and time of the scan just performed.
• Click Copy to Clipboard
• Paste the contents of the clipboard into your reply.

In your next reply, please post the following logs:

Fixlog.txt
MBAM LOG

[my_name]

Thanks, Donna, I followed your instructions and here are the logs:

 

Fix result of Farbar Recovery Scan Tool (x64) Version:06-05-2016 01
Ran by Z (2016-05-05 16:04:28) Run:1
Running from C:\Users\Z\Desktop
Loaded Profiles: Z (Available Profiles: Z)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CreateRestorePoint:
SearchScopes: HKU\S-1-5-21-2969747411-772983379-2254464739-1001 -> DefaultScope {EC121D41-5DCC-409B-846F-BA5F10F79F58} URL =
SearchScopes: HKU\S-1-5-21-2969747411-772983379-2254464739-1001 -> {EC121D41-5DCC-409B-846F-BA5F10F79F58} URL =
R3 PCDSRVC{3B54B31B-D06B6431-06020200}_0; \??\c:\program files\dell\supportassist\pcdsrvc_x64.pkms [X]
S3 rpcapd; "%ProgramFiles(x86)%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles(x86)%\WinPcap\rpcapd.ini" [X]
EmptyTemp:
*****************

Restore point was successfully created.
HKU\S-1-5-21-2969747411-772983379-2254464739-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
"HKU\S-1-5-21-2969747411-772983379-2254464739-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{EC121D41-5DCC-409B-846F-BA5F10F79F58}" => key removed successfully
HKCR\CLSID\{EC121D41-5DCC-409B-846F-BA5F10F79F58} => key not found.
PCDSRVC{3B54B31B-D06B6431-06020200}_0 => Unable to stop service.
PCDSRVC{3B54B31B-D06B6431-06020200}_0 => service removed successfully
rpcapd => service removed successfully
EmptyTemp: => 2.1 GB temporary data Removed.


The system needed a reboot.

==== End of Fixlog 16:07:05 ====

 

 

 

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 5/5/2016
Scan Time: 4:17 PM
Logfile:
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.05.05.04
Rootkit Database: v2016.04.17.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 10
CPU: x64
File System: NTFS
User: Z

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 402888
Time Elapsed: 21 min, 20 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

[DonnaB]

Looks good. Were you able to install an AV on your Android and perform a scan? ? How did that turn out?

Let's do one more scan on this computer...

This scan can take forever! Please allow it run unhindered till it is complete.

Run ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be found here.

Next:

• Please go here then click on:
  
  

  Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
  All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

• Select the option YES, I accept the Terms of Use then click on:
• When prompted allow the Add-On/Active X to install.
• Uncheck the box beside Remove Found Threats
• Make sure that the option Scan archives is checked.
• Now click on Advanced Settings and select the following:
  • Scan for potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth Technology
• Now click on:
• The virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.
• When completed the Online Scan will begin automatically. The scan may take several hours.
• Wait for the scan to finish. Do not touch either the Mouse or keyboard during the scan. Otherwise it may stall.

When The Scan is Complete:

• If No Threats Were Found:
  • Put a checkmark in "Uninstall application on close"
  • Close the program
  • Report to me that nothing was found
• If Threats Were Found:
  • Click on "list of threats found"
  • Click on "export to text file" and save it to the desktop as ESET SCAN.txt
  • Click on Back
  • Put a checkmark in "Uninstall application on close" (Be sure you have saved the file first)
  • Click on Finish
  • Close the program
  • Copy and paste the report here

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

[my_name]

I did install Avast on my Android and its scan was clean.

 

Here are the results of the ESET scan:

 

C:\Downloads\Software\FreemakeVideoDownloaderSetup.exe    a variant of Win32/OpenCandy.A potentially unsafe application
C:\Downloads\Software\SetupImgBurn_2.5.8.0.exe    Win32/OpenCandy potentially unsafe application
C:\Program Files (x86)\Coupons\uninstall.exe    a variant of Win32/Adware.Coupons.AA application
C:\Program Files (x86)\Mozilla Firefox\browser\plugins\npMozCouponPrinter.dll    a variant of Win32/Adware.Coupons.AA application
C:\Windows\CouponPrinter.ocx    a variant of Win32/Adware.Coupons.AA application

Edited by my_name, 05 May 2016 - 06:12 PM.

[DonnaB]

I did install Avast on my Android and its scan was clean.

Good. Keep it updated with the latest virus definitions.

Let's remove the adware and PUP's that were found by ESET:

Please download Junkware Removal Tool to your desktop.

• Disable your AV protection software now to avoid potential conflicts.
• Run the tool by double-clicking on XP. Or right click and select Run as Administrator Vista/Win7 and above.
• The tool will open and start scanning your system.
• Please be patient as this can take a while to complete depending on your system's specifications.
• On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
• Post the contents of JRT.txt into your next message.

Next:

Please download AdwCleaner by Xplode onto your Desktop.

• Close all open programs and internet browsers.
• Double click on AdwCleaner.exe to run the tool.
• Click the Scan button and wait for the process to complete.
• Click the logfile button and the log will open in Notepad.
• Click on the Clean button follow the prompts.
• A log file will automatically open after the scan has finished and the PC has rebooted.
• Please post the content of that log file with your next answer.
• The report will be saved in the C:\AdwCleaner folder.

[my_name]

I noticed the coupon printers were deleted in the scans.  I print coupons from my computer.  Is this really harmful?

 

Here are the logs:

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.6 (04.25.2016)
Operating System: Windows 10 Home x64
Ran by Z (Administrator) on Thu 05/05/2016 at 19:59:50.91
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




File System: 8

Failed to delete: C:\Program Files (x86)\coupons (Folder)
Successfully deleted: C:\ProgramData\Start Menu\Programs\coupons (Folder)
Successfully deleted: C:\WINDOWS\couponprinter.ocx (File)
Successfully deleted: C:\WINDOWS\system32\Tasks\PCDEventLauncherTask (Task)
Successfully deleted: C:\WINDOWS\system32\Tasks\PCDoctorBackgroundMonitorTask (Task)
Successfully deleted: C:\WINDOWS\prefetch\FREEMAKEUOS.EXE-1B002B59.pf (File)
Successfully deleted: C:\WINDOWS\prefetch\FREEMAKEVD.EXE-06FB7A72.pf (File)
Successfully deleted: C:\WINDOWS\prefetch\FREEMAKEVIDEODOWNLOADERFULL.T-CB89F0DF.pf (File)

Deleted the following from C:\Users\Z\AppData\Roaming\Mozilla\Firefox\Profiles\618cepn6.default\prefs.js
user_pref(browser.urlbar.suggest.searches, true);



Registry: 1

Successfully deleted: HKLM\SYSTEM\CurrentControlSet\services\CouponPrinterService (Registry Key)




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Thu 05/05/2016 at 20:01:20.40
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

 

 

# AdwCleaner v5.115 - Logfile created 05/05/2016 at 20:07:44
# Updated 01/05/2016 by Xplode
# Database : 2016-05-04.2 [Server]
# Operating system : Windows 10 Home  (X64)
# Username : Z - LAPTOP-68KCAO51
# Running from : C:\Users\Z\Desktop\adwcleaner_5.115.exe
# Option : Clean
# Support : http://toolslib.net/forum

***** [ Services ] *****

[-] Service Deleted : CouponPrinterService

***** [ Folders ] *****

[-] Folder Deleted : C:\Program Files (x86)\Coupons
[-] Folder Deleted : C:\Program Files (x86)\Digital Coupon Printer

***** [ Files ] *****


***** [ DLLs ] *****


***** [ WMI ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****


***** [ Registry ] *****

[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Coupon Printer for Windows5.0.1.6
[-] Key Deleted : HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\primeshare.tv
[-] Key Deleted : HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\primeshare.tv

***** [ Web browsers ] *****

[-] [C:\Users\Z\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : aol.com
[-] [C:\Users\Z\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : ask.com

*************************

:: "Tracing" keys deleted
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C1].txt - [1956 bytes] - [05/05/2016 20:07:44]
C:\AdwCleaner\AdwCleaner[S1].txt - [1953 bytes] - [05/05/2016 20:05:39]

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [2102 bytes] ##########
 

[DonnaB]

Perfect.

Go into your Downloads folder and delete these files.

C:\Downloads\Software\FreemakeVideoDownloaderSetup.exe
C:\Downloads\Software\SetupImgBurn_2.5.8.0.exe

They're only setup files and taking space on your hard drive..

As you can see in the files that ESET found, you need to pay closer attention when downloading files. Win32/OpenCandy was installed along side the programs that were installed. Always take time to read each and every options that is presented while installing software of any kind to ensure you uncheck anything bundled that is unwanted.

Besides that, how's that computer behaving?

[my_name]

Thanks, Donna.  I deleted the files you mentioned.  The computer is behaving normally.

[DonnaB]

Great. Let's go ahead and remove the tools from this computer.

Download DelFix by Xplode and save it to your desktop.

• Run the tool by right click on the icon and Run as administrator option.
• Make sure that these ones are checked:
  • Remove disinfection tools
  • Purge system restore
  • Reset system settings
• Push Run.
• The program will run for a few seconds and display a notepad report.
  Paste it for my review.

[my_name]

# DelFix v1.013 - Logfile created 05/05/2016 at 21:36:50
# Updated 17/04/2016 by Xplode
# Username : Z - LAPTOP-68KCAO51
# Operating System : Windows 10 Home  (64 bits)

~ Removing disinfection tools ...

Deleted : C:\FRST
Deleted : C:\AdwCleaner
Deleted : C:\Users\Z\Desktop\Addition.txt
Deleted : C:\Users\Z\Desktop\adwcleaner_5.115.exe
Deleted : C:\Users\Z\Desktop\Fixlog.txt
Deleted : C:\Users\Z\Desktop\FRST.txt
Deleted : C:\Users\Z\Desktop\FRST64.exe
Deleted : C:\Users\Z\Desktop\JRT.exe
Deleted : C:\Users\Z\Desktop\JRT.txt
Deleted : C:\Users\Z\Downloads\esetsmartinstaller_enu.exe

~ Cleaning system restore ...

Deleted : RP #28 [Scheduled Checkpoint | 04/15/2016 23:09:36]
Deleted : RP #29 [Revo Uninstaller's restore point - Freemake Video Downloader | 04/23/2016 14:10:42]
Deleted : RP #30 [Scheduled Checkpoint | 05/01/2016 01:53:05]
Deleted : RP #32 [Restore Point Created by FRST | 05/05/2016 21:04:29]
Deleted : RP #33 [JRT Pre-Junkware Removal | 05/06/2016 00:59:51]

New restore point created !

~ Resetting system settings ... OK

########## - EOF - ##########