Alright, so I have 3 computer systems (by 3 separate users, and the other 2 aren’t very tech savvy, but I am not that knowledgeable either), and I know for a fact one is infected with some form of Win32 Malware and possible more, and another one I have suspicions is infected, and then I have my system which may be infected, but I believe has the lowest possible chance of it. I will update this post as more scans are run.

Anyway, the one that I have confirmed as infected has had a boot scan, and it detected 6 infected files. 5 of them were infected with Win32:InstallBrain-F [PUP] or something to that nature and usually were on some form of uninstaller file. The other one was a different, but similar Win32 infection under the name of Win32InstallCoreE-Q [PUP]. All of these files have been successfully transferred to the virus chest, and according to that, the files were last changed on the 28th of last month, which coincides with the initial appearance of the malware according to a virustotal check I did. That also means that some havoc was probably reaped upon the system, correct? Another suspicious note that I found was that the original location of 2 of the files were under users Kyle_2 which is interesting, considering there shouldn’t be a Kyle_2 user, only a kyle. Is this a product of the malware?

EDIT: Also, looking at the virus chest, there is also a file from the 29th that was put into the virus chest within a few hours of originating, which was described as Win32:Malware Gen and also has a very strange file name. Also, all of the [PUP] registered infections were changed at the same time or within a few minutes of each other.

What I want to know is what my next plan of action should be. I am glad that Avast was able to detect the files and move them to the chest, but I presume that there is a chance that more files remain. Is it safe to delete the files already transferred to virus chest, or would that trigger some havoc? I am posting this now, and will continue updating if for the time being, in hopes of an earlier response.

In regard to the other system that I have suspicions of, the computer is mainly used by my parent’s, and I wouldn’t trust them at all with being super safe internet users. (They still use IE, even though I tell them not to…) Anyway, the whole thing started today while one of my parents was browsing the internet, and up comes one of those browser “we have found a virus, download blahblahblah” under Microsoft Security Essentials (which I don’t even think is installed) while opening up a suspicious tab and I end having the Ctrl-Alt-Delete the browser several times, as it appeared to pop-up again, or was just laggy. Then I immediately cleared the cache and ran a quick and a full scan. No infected files were found, but the scan could not scan all the files (about 20 or so) because of some encrypted password thing on the files. They were all under the administrator user, which is also the one that my parents use, and I suspect those files may be infected to some degree. I have scheduled a boot-time scan, but nothing else has been done to the system. Advice on what to do here?

And then there is the system that I use. I had another one of those “we have found a virus, blahblahblah” browser things about 5 days ago, and did the exact same thing as I posted above. I ended up doing a quick scan and a boot-scan along with clearing my cache, with no infected files found. I did the same thing 2 days later in regards to scans to the same results of no infection. I did another quick scan while typing this, and again no infection. I also have another boot-scan scheduled, in case the reason that there were no infections found earlier were due to a definition change. Advice on what to do here?

EDIT: I just saw your post Pondus. 3 of the [PUP] were on uninstall.exe type of files, 1 on a BestCodecsPack.exe (suspicious?) under downloads folder, 1 on a softonic_ssk_conduit, and the other on ICReinstall_PDFReadersetup.

EDIT: Also, no torrents or anything of that nature are used on any of these machines, if it matters in regards to origin of the possible infections, since that is how a large portion of malware is transferred to my knowledge.

Win32:InstallBrain-F [PUP]

PUP - not a virus = Possible Unwanted Program http://searchsecurity.techtarget.com/definition/PUP avast is just telling you that you have a program that can be used fo good or bad if abused...... if you search the forum you will find factory installed program from HP and DELL detected as PUP.......so you have to find out what that file/program is for ;) and if you want it ?

PUP scan is default off in quick/full scan… but default on in boot scan

Is it safe to delete the files already transferred to virus chest, or would that trigger some havoc?

[b]Clean, Quarantine, or Delete?[/b] http://antivirus.about.com/b/2007/03/11/clean-quarantine-or-delete.htm

if you think you are infected, follow this guide and attach the logs (not copy and paste) Malwarebytes / OTL / aswMBR
http://forum.avast.com/index.php?topic=53253.0

Alright, I’ll try and post all of the logs and such from the machines, starting with the most problematic. How much longer will you be “available” for today? I may very well have to go to bed before it is possible to do all of the necessary work, so it might just be better to do all of this tomorrow. I also edited my original post with more information, in case you haven’t read it.

i am not the one analyzing the logs…that takes some training to do especially the OTL log

anyway Essexboy and the other removal specialists will be here tomorrow

EDIT: I just saw your post Pondus. 3 of the [PUP] were on uninstall.exe type of files, 1 on a BestCodecsPack.exe (suspicious?) under downloads folder, 1 on a softonic_ssk_conduit, and the other on ICReinstall_PDFReadersetup.

OBS any suspicious file you have can be tested at www.virustotal.com max 32mb file ( if scanned before click rescan) when you have the result, you can post the scan link here for us to see

Yeah, I’ve seen all the work Essexboy has done. I guess I will just shut the computers down for the night, schedule those boot-scans, then sort things out tomorrow. Thanks for the assistance so far. I am just going to leave all infected files under quarantine.

Okay, here is the MBAM log for the computer with the [PUP]. 15 infections were found, 13 of them registry keys, 2 of them files.

I have OTL prepped for a scan right now, with the instructions posted in the logs assistance page. I should go ahead and perform this yes?

yes and then aswMBR

Okay, going to post the OTL logs. I derped though, missed the registry change from SafeList to None. (I had one job…) Is a rescan in order?

Hi it looks to be toolbar city… This is where most of the pup detections are generated from

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF

:OTL IE - HKLM\..\URLSearchHook: {0cc09160-108c-4759-bab1-5c12c216e005} - C:\Program Files (x86)\appbario8\prxtbappb.dll (Conduit Ltd.) IE - HKLM\..\URLSearchHook: {0e38f85e-eee9-426a-ae1c-60c36b729951} - C:\Program Files (x86)\VisualBeeCommunity\prxtbVisu.dll (Conduit Ltd.) IE - HKU\S-1-5-21-4026222056-3464878822-743620478-1000\SOFTWARE\Microsoft\Internet Explorer\Main,bProtector Start Page = http://search.conduit.com?SearchSource=10&ctid=CT3227982 IE - HKU\S-1-5-21-4026222056-3464878822-743620478-1000\..\URLSearchHook: {0cc09160-108c-4759-bab1-5c12c216e005} - C:\Program Files (x86)\appbario8\prxtbappb.dll (Conduit Ltd.) IE - HKU\S-1-5-21-4026222056-3464878822-743620478-1000\..\URLSearchHook: {0e38f85e-eee9-426a-ae1c-60c36b729951} - C:\Program Files (x86)\VisualBeeCommunity\prxtbVisu.dll (Conduit Ltd.) FF - prefs.js..browser.search.defaultenginename: "appbario8 Customized Web Search" FF - prefs.js..browser.search.defaultthis.engineName: "appbario8 Customized Web Search" FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT3227982&SearchSource=3&q={searchTerms}" FF - prefs.js..browser.search.order.1: "appbario8 Customized Web Search" FF - prefs.js..keyword.URL: "http://search.conduit.com/ResultsExt.aspx?ctid=CT3032526&SearchSource=2&q=" FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{b64982b1-d112-42b5-b1e4-d3867c4533f8}: C:\ProgramData\Sidekick Manager\2.2.513.159\{6f06cdeb-5de2-4520-aef2-1aa556ca7a6b}\FirefoxExtension [2012/07/29 01:03:27 | 000,000,000 | ---D | M] [2012/07/29 01:03:48 | 000,000,000 | ---D | M] (appbario8 Community Toolbar) -- C:\Users\kyle\AppData\Roaming\mozilla\Firefox\Profiles\199uzlo5.default\extensions\{0cc09160-108c-4759-bab1-5c12c216e005} [2012/07/29 01:06:20 | 000,000,000 | ---D | M] (VisualBeeCommunity) -- C:\Users\kyle\AppData\Roaming\mozilla\Firefox\Profiles\199uzlo5.default\extensions\{0e38f85e-eee9-426a-ae1c-60c36b729951} [2012/07/29 01:03:19 | 000,000,000 | ---D | M] ("Savings Sidekick") -- C:\Users\kyle\AppData\Roaming\mozilla\Firefox\Profiles\199uzlo5.default\extensions\crossriderapp5060@crossrider.com [2012/07/26 15:22:00 | 000,000,921 | ---- | M] () -- C:\Users\kyle\AppData\Roaming\Mozilla\Firefox\Profiles\199uzlo5.default\searchplugins\bProtect.xml [2012/07/29 01:21:34 | 000,000,929 | ---- | M] () -- C:\Users\kyle\AppData\Roaming\Mozilla\Firefox\Profiles\199uzlo5.default\searchplugins\conduit.xml [2012/08/07 21:33:07 | 000,001,301 | ---- | M] () -- C:\Users\kyle\AppData\Roaming\Mozilla\Firefox\Profiles\199uzlo5.default\searchplugins\my-homepage.xml O2 - BHO: (appbario8 Toolbar) - {0cc09160-108c-4759-bab1-5c12c216e005} - C:\Program Files (x86)\appbario8\prxtbappb.dll (Conduit Ltd.) O2 - BHO: (VisualBeeCommunity Toolbar) - {0e38f85e-eee9-426a-ae1c-60c36b729951} - C:\Program Files (x86)\VisualBeeCommunity\prxtbVisu.dll (Conduit Ltd.) O2 - BHO: (Savings Sidekick) - {11111111-1111-1111-1111-110011501160} - C:\Program Files (x86)\Savings Sidekick\Savings Sidekick.dll (215 Apps) O2 - BHO: (WeCareReminder Class) - {D824F0DE-3D60-4F57-9EB1-66033ECD8ABB} - C:\ProgramData\WeCareReminder\IEHelperv2.5.0.dll (We-Care.com) O3 - HKLM\..\Toolbar: (no name) - {D0F4A166-B8D4-48b8-9D63-80849FE137CB} - No CLSID value found. O3 - HKU\S-1-5-21-4026222056-3464878822-743620478-1001\..\Toolbar\WebBrowser: (appbario8 Toolbar) - {0CC09160-108C-4759-BAB1-5C12C216E005} - C:\Program Files (x86)\appbario8\prxtbappb.dll (Conduit Ltd.) O3 - HKU\S-1-5-21-4026222056-3464878822-743620478-1001\..\Toolbar\WebBrowser: (VisualBeeCommunity Toolbar) - {0E38F85E-EEE9-426A-AE1C-60C36B729951} - C:\Program Files (x86)\VisualBeeCommunity\prxtbVisu.dll (Conduit Ltd.) O20 - AppInit_DLLs: (c:\progra~3\sideki~1\22513~1.159\{6f06c~1\sskmngr.dll) - c:\ProgramData\Sidekick Manager\2.2.513.159\{6f06cdeb-5de2-4520-aef2-1aa556ca7a6b}\sskmngr.dll () [2012/07/29 01:06:11 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\VisualBeeCommunity [2012/07/29 01:06:06 | 000,000,000 | ---D | C] -- C:\ProgramData\VisualBee [2012/07/29 01:04:04 | 000,000,000 | ---D | C] -- C:\ProgramData\IBUpdaterService [2012/07/29 01:03:43 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Conduit [2012/07/29 01:03:42 | 000,000,000 | ---D | C] -- C:\Users\kyle\AppData\Local\Conduit [2012/07/29 01:03:41 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\appbario8 [2012/07/29 01:03:33 | 000,000,000 | ---D | C] -- C:\Users\kyle\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Sidekick Manager [2012/07/29 01:03:31 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\searchplugins [2012/07/29 01:03:26 | 000,000,000 | ---D | C] -- C:\ProgramData\Sidekick Manager [2012/07/29 01:03:19 | 000,000,000 | ---D | C] -- C:\Users\kyle\AppData\Local\Savings Sidekick [2012/07/29 01:03:18 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Savings Sidekick

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Okay, so I don’t need to re-scan with OTL (because of missing the none registry), just run this fix and follow your instructions? I also don’t need to do the 3rd scan log yet from the other program?

just run this fix and follow your instructions?

yes

I also don't need to do the 3rd scan log yet from the other program?

you can still do aswMBR.....it is quick..... but probably wont show anything mysterious

Okay, here are the logs as requested. The FixLog file was whatever OTL brought up after starting if from reboot. Not sure if it is needed. The other 2 are the post-fix files. EDIT: File looks to be too large, so looks like I will have to post multiple times? EDIT: Whoops, one got duplicated.

Here is the OTL post-fix scan log.

How is the computer behaving now ?

Well, the computer has/was/is appearing to be fine, the same as it usually is. Should I try running the programs that are usually ran on it to see if everything works out alright over the day? Even when the infection was still on, it didn’t appear to be effecting anything, or else the user (brother) would have definitely told me.

EDIT: Anyway, I think I am going to do an MBAM scan on the other system now, and see what that pulls up. Since it looks like the minor infection on this computer appears to be solved?

Okay, ran MBAM on parent’s computer, no malicious software was found, and on the boot scan I ran earlier nothing was found either. Should I go and post the log and do the OTL part, or is that system secure?

Okay, just ran MBAM on my system, and it detected 1 infection. It was a PUP, and I am pretty sure I remember the origin of the file. It was a coretemp scanner program, and it was installed by my father when we first bought the computer, thinking that he was helping. I remember him saying he downloaded something but that it came with some other stuff too, so he deleted it all. And that is where that came from. I would post the logs, but the computer isn’t connecting to the network for internet access.

EDIT: Re-ran MBAM, didn’t find an infection. Looks so far like it was a PUP, and MBAM took care of it.

You should always be carefull when downloading free software as they do come bundled with toolbars etc… So click slowly

If you are happy run OTL and hit the cleanup button to remove it