Win32:SmartBar-A Infected windows/installer file

I am using another computer to send this. This morning my DH was downloading a pdf using Mozilla Firefox. He has been having trouble lately downloading pdf’s with Firefox, just hasn’t had time to fix extensions or whatever is needed. He attempted to download a pdf and somehow ended up clicking on an advertisement with the green download icon that he thought would help complete the download. He clicked the download and Avast came up with a warning. We backed out and moved it to chest and thought all was well. I switched to Google Chrome and the PDF came up just fine. He shut off the computer and went to work. I turned the computer on and Avast immediately went into the bootscan.
It is still going or sitting waiting for me to give a command. So far it has moved to the chest; win32:Dropper-gen [Drp] ,
win32:Installer-J [PUP], win32:Mindspark-A [PUP], win32:SmartBar-A [PUP].

Before it got to the question it listed: File C:\users\Herman\Desktop\Games\DosBox\DosBox-o.63-install.exe|>$INSTDIR\dosbox.exe
Error 42145 {Installer archive is corrupted.}

The Avast has stopped the scan and is asking me a question. " C:windows\Installer\4472c.msi|>Smartbar.Cab|>LinkuryExeName Is infected by win32:SmartBar-A [PUP] Move to chest:File is windows folder, are you sure? 1-yes 2-yess all 3-no esc-exit
It is just sitting with that on the screen.
Please help, just tell me what to do on the infected computer. I don’t want to mess it up anymore than it is by deleting a Windows file I need without instruction how to get it back. Thank you :‘( :’( :cry:

PUP = not virus / Possible Unwanted Program … usually crap programs that come bundled with freeware downloads

Some info
http://www.malwarebytes.org/pup/
http://blog.malwarebytes.org/news/2013/07/malwarebytes-adopts-aggressive-pup-policy/

Before it got to the question it listed: File C:\users\Herman\Desktop\Games\DosBox\DosBox-o.63-install.exe|>$INSTDIR\dosbox.exe Error 42145 {Installer archive is corrupted.}
This is just a scan error message
win32:Dropper-gen [Drp] ,
This is a real infection

If you want a check, follow instructions and attach Malwarebytes and OTL logs http://forum.avast.com/index.php?topic=53253.0
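
An added example, not part of the original thread: a small Python triage of the scanner lines quoted above. It splits the `|>` container notation into the outer file and its nested members, reads the bracketed class tag, and separates scan errors from detections. The sample lines are retyped from this thread except the Dropper-gen path, which is a constructed placeholder; the tag meanings follow the reply above, and the `C:\windows\` prefix check is an assumption for illustration.

```python
import re
from ntpath import normpath  # Windows path rules on any OS

# Constructed sample input: lines retyped from the thread, not a real log file.
SAMPLE = [
    r"File C:\users\Herman\Desktop\Games\DosBox\DosBox-o.63-install.exe|>$INSTDIR\dosbox.exe Error 42145 {Installer archive is corrupted.}",
    r"C:\windows\Installer\4472c.msi|>Smartbar.Cab|>LinkuryExeName Is infected by win32:SmartBar-A [PUP]",
    # Placeholder path: the thread never says where Dropper-gen was found.
    r"C:\Users\example\Downloads\placeholder.exe is infected by win32:Dropper-gen [Drp]",
]

# Tag meanings as given in the reply above.
TAGS = {
    "PUP": "unwanted program bundled with freeware, not a virus",
    "Drp": "dropper, treated as a real infection",
}

DETECT = re.compile(r"^(?:File\s+)?(?P<path>.+?)\s+is infected by\s+"
                    r"(?P<name>\S+)\s+\[(?P<tag>\w+)\]", re.I)
ERROR = re.compile(r"^(?:File\s+)?(?P<path>.+?)\s+Error\s+(?P<code>\d+)\s+"
                   r"\{(?P<msg>[^}]*)\}", re.I)

def triage(line):
    """Return a dict describing one scanner line, or None if it is neither
    a detection nor a scan error."""
    det, err = DETECT.match(line), ERROR.match(line)
    hit = det or err
    if hit is None:
        return None
    # "outer|>member|>member": the first part is the file on disk,
    # the rest are objects unpacked from inside it.
    outer, *members = hit["path"].split("|>")
    outer = normpath(outer)
    rec = {"outer": outer, "members": members,
           # Assumes Windows is installed in C:\windows.
           "in_windows_dir": outer.lower().startswith("c:\\windows\\")}
    if det:
        rec.update(kind="detection", name=det["name"], tag=det["tag"],
                   meaning=TAGS.get(det["tag"], "unknown tag"))
    else:
        rec.update(kind="scan_error", code=int(err["code"]), message=err["msg"])
    return rec

if __name__ == "__main__":
    for line in SAMPLE:
        print(triage(line))
```

The SmartBar line comes back as a `PUP` detection whose outer file is a cached `.msi` under the Windows folder, which is what triggered the extra confirmation prompt, while the DosBox line is reported as a scan error rather than a detection.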

Thank you for the quick response. What about the question
“The Avast has stopped the scan and is asking me a question. " C:windows\Installer\4472c.msi|>Smartbar.Cab|>LinkuryExeName Is infected by win32:SmartBar-A [PUP] Move to chest:File is windows folder, are you sure? 1-yes 2-yess all 3-no esc-exit”

What do I do with this? I need to choose something?

It is some adware/toolbar crap
If you are unsure … select nr 3 … then when done attach the logs from the guide I linked to and a malware expert will help you

I chose Esc-Exit
I am downloading the " Malwarebytes and OTL logs http://forum.avast.com/index.php?topic=53253.0 "
I will post logs.

I just tried to run Malwarebytes and I got an error on installing. I attached a screenshot.

Try Safe Mode. Should prevent any active malware from loading itself.

If Safe Mode doesn’t work, skip it and move on to OTL

Ok, I will run in SafeMode. I ran OTL.
Extras attached

We need OTL.txt; that is the important log

How do you attach 2 files?

You click more attachments

Hi, let’s clear you up :slight_smile:

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:Commands
[CREATERESTOREPOINT]

:OTL
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.coupons.com/
IE - HKLM\..\URLSearchHook: {52a3500f-fc3e-4253-8d2f-fa6303d5f7e2} - C:\Program Files\Swagbucks1\prxtbSwag.dll (Conduit Ltd.)
IE - HKLM\..\SearchScopes,DefaultScope = {9C547235-5A0B-45BF-B53B-81812EE54F5E}
IE - HKLM\..\SearchScopes\{E627DC4B-8C04-4234-A2D4-1D634EE01C41}: "URL" = http://fastestwebsearch.com/search?q={searchterms}
IE - HKU\S-1-5-21-1811611360-3008015903-2803298642-1002\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\S-1-5-21-1811611360-3008015903-2803298642-1002\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.coupons.com/
IE - HKU\S-1-5-21-1811611360-3008015903-2803298642-1002\..\URLSearchHook: {4c60e5ab-5c68-4c59-abaa-885010b24b32} - No CLSID value found
IE - HKU\S-1-5-21-1811611360-3008015903-2803298642-1002\..\URLSearchHook: {52a3500f-fc3e-4253-8d2f-fa6303d5f7e2} - C:\Program Files\Swagbucks1\prxtbSwag.dll (Conduit Ltd.)
IE - HKU\S-1-5-21-1811611360-3008015903-2803298642-1002\..\URLSearchHook: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - No CLSID value found
IE - HKU\S-1-5-21-1811611360-3008015903-2803298642-1002\..\SearchScopes,DefaultScope = {9C547235-5A0B-45BF-B53B-81812EE54F5E}
IE - HKU\S-1-5-21-1811611360-3008015903-2803298642-1002\..\SearchScopes\{96bd48dd-741b-41ae-ac4a-aff96ba00f7e}: "URL" = http://search.coupons.com/search.asp?p=df&q={searchTerms}
IE - HKU\S-1-5-21-1811611360-3008015903-2803298642-1002\..\SearchScopes\{9C547235-5A0B-45BF-B53B-81812EE54F5E}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3298566&CUI=UN18082061307899844&UM=2
IE - HKU\S-1-5-21-1811611360-3008015903-2803298642-1002\..\SearchScopes\{E627DC4B-8C04-4234-A2D4-1D634EE01C41}: "URL" = http://fastestwebsearch.com/search?q={searchterms}
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{1C43BAF1-00C2-40A8-A09E-F84CFD79546D}: C:\Program Files\Coupons.com CouponBar\firefox\{1C43BAF1-00C2-40A8-A09E-F84CFD79546D}\Coupons.com.xpi [2012/01/26 11:18:46 | 000,185,164 | ---- | M] ()
[2013/05/06 18:00:38 | 000,000,997 | ---- | M] () -- C:\Users\Family account\AppData\Roaming\Mozilla\Firefox\Profiles\1p54yyfv.default\searchplugins\conduit.xml
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Swagbucks1 Toolbar) - {52a3500f-fc3e-4253-8d2f-fa6303d5f7e2} - C:\Program Files\Swagbucks1\prxtbSwag.dll (Conduit Ltd.)
O2 - BHO: (Search Assistant BHO) - {f236ca79-3123-4afb-9f74-e98117ad5625} - C:\Program Files\FromDocToPDF_65\bar\1.bin\65SrcAs.dll (MindSpark)
O2 - BHO: (TBSB07898 Class) - {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - C:\Program Files\Coupons.com CouponBar\tbcore3.dll ()
O3 - HKLM\..\Toolbar: (Swagbucks1 Toolbar) - {52a3500f-fc3e-4253-8d2f-fa6303d5f7e2} - C:\Program Files\Swagbucks1\prxtbSwag.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (Coupons.com CouponBar) - {8660E5B3-6C41-44DE-8503-98D99BBECD41} - C:\Program Files\Coupons.com CouponBar\tbcore3.dll ()
O3 - HKU\S-1-5-21-1811611360-3008015903-2803298642-1002\..\Toolbar\WebBrowser: (Swagbucks1 Toolbar) - {52A3500F-FC3E-4253-8D2F-FA6303D5F7E2} - C:\Program Files\Swagbucks1\prxtbSwag.dll (Conduit Ltd.)
O4 - HKU\S-1-5-21-1811611360-3008015903-2803298642-1002..\Run: [LightShot] C:\Users\Family account\AppData\Local\Skillbrains\lightshot\LightShot.exe ()
O4 - HKU\S-1-5-21-1811611360-3008015903-2803298642-1002..\Run: [Pando Media Booster] C:\Program Files\Pando Networks\Media Booster\PMB.exe ()
[2014/04/16 06:19:54 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LogMeIn Hamachi
[2014/04/16 06:19:51 | 000,000,000 | ---D | C] -- C:\Program Files\LogMeIn Hamachi
[2014/04/28 11:10:00 | 000,000,394 | ---- | M] () -- C:\Windows\tasks\update-sys.job
[2012/10/08 11:44:49 | 000,000,394 | ---- | C] () -- C:\Windows\Tasks\update-S-1-5-21-1811611360-3008015903-2803298642-1002.job
@Alternate Data Stream - 168 bytes -> C:\Users\Family account\Desktop\Durable Unlimited power of atorney 4.jpeg.jpeg.jpeg.jpeg:3or4kl4x13tuuug3Byamue2s4b
@Alternate Data Stream - 168 bytes -> C:\Users\Family account\Desktop\Durable Unlimited power of atorney 3.jpeg.jpeg.jpeg:3or4kl4x13tuuug3Byamue2s4b
@Alternate Data Stream - 168 bytes -> C:\Users\Family account\Desktop\Durable Unlimited power of atorney 2.jpeg.jpeg:3or4kl4x13tuuug3Byamue2s4b
@Alternate Data Stream - 168 bytes -> C:\Users\Family account\Desktop\Durable Unlimited power of atorney 1.jpeg:3or4kl4x13tuuug3Byamue2s4b

:Files
C:\Users\Family account\AppData\Local\Google\Chrome\User Data\Default\Extensions\gngocbkfmikdgphklgmmehbjjlfgdemm
C:\Program Files\Swagbucks1
C:\Program Files\Coupons.com CouponBar
C:\windows\Installer\4472c.msi

:Commands
[resethosts]
[emptytemp]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Please download AdwCleaner by Xplode onto your desktop.

[*]Close all open programs and internet browsers.
[*]Double click on AdwCleaner.exe to run the tool.
[*]Click on Scan.
[*]After the scan is complete click on “Clean”
[*]Confirm each time with Ok.
[*]Your computer will be rebooted automatically. A text file will open after the restart.
[*]Please post the content of that logfile with your next answer.
[*]You can find the logfile at C:\AdwCleaner[S1].txt as well.

The computer is still scanning with Malwarebytes in Safe Mode. I will run OTL again with your custom scan fixes when it is done.

Okey dokey :slight_smile:

Downloaded AdwCleaner, will post log shortly.

Once AdwCleaner has run, could you let me know of any problems?

AdwCleaner found problems listed in Folder, Files, Registry, IE, Firefox, Chrome. Do I need to delete all of the checked items? I have not done the report. Will it delete all of the checks it has listed if I do the report?

As essexboy instructed… after scan click clean … and attach log

Sorry I forgot to click clean. :smiley: Almost done.