Originally Posted By: sleddriver
That's the full-meal-deal! ESET did give it a clean bill of health, and it's highly recommended, thus I doubt it's infected with anything.
Update:
Well not exactly....
I executed each of the programs you suggested, in order, and dumped their output to .txt files if given the chance. You were wise to suggest running several and I was premature in declaring her system was not infected, as it was!
Rkill didn't detect anything. I didn't run ComboFix when it declared that MS Forefront Client Security was still running and I wasn't able to turn it off. The other programs never mentioned this. TDSSKiller didn't find anything either.
Malwarebytes found:
Quote:
C:\Users\All Users\lfhfkgoleofpabhibhaipbdcadbhphng\PBh.js JS/Kryptik.ATB trojan
C:\ProgramData\lfhfkgoleofpabhibhaipbdcadbhphng\PBh.js JS/Kryptik.ATB trojan cleaned by deleting - quarantined
C:\Users\...\Downloads\disk-defrag-setup.exe a variant of Win32/OpenCandy.C potentially unsafe application deleted - quarantined
C:\Users\...\Downloads\DownloadManagerSetup.exe a variant of Win32/InstallCore.SZ potentially unwanted application deleted - quarantined
Found numerous instances of JSKxxx on a web search. Not sure why it would hit on disk-defrag & DownloadManagerSetup unless these were corrupted/re-named/not what they appear, etc.
For grins, I re-ran ESET on-line, checked all the boxes and let her go. It found 78 registry keys referring to PUP.Optional.Multiplug and Multiplug.A! And something called WOW6432NODE, PUP.Optional.WowCoupon.A
Folders: 4
Rogue.Multiple, C:\ProgramData\1887373585, , [209f261ac0ca23130f38510249ba7888],
PUP.Optional.RandomDealApp.A, C:\ProgramData\RandomDealApp, , [ecd310300e7c8da90040f392cd36bf41],
PUP.Optional.WowCoupon.A, C:\ProgramData\WOwCoupon, , [8b345fe1a5e5f244236fe5a52dd62ad6],
PUP.Optional.CheapCoupon.A, C:\ProgramData\CheapCoupon, , [0bb448f8b4d60234787afe8d23e021df],
Files: 21
PUP.Optional.Multiplug, C:\Program Files (x86)\savveriBox\NbXyCpxKHMcqaN.x64.dll, , [a31cf24e98f28caa52cf18b21ce955ab],
PUP.Optional.Multiplug, C:\Program Files (x86)\dowNLooaditkeEp\k7MCB9vX0oZ0St.x64.dll, , [b708a29e97f35cdad24f7654bd48bb45],
PUP.Optional.Multiplug, C:\ProgramData\1887373585\BITA14.tmp, , [fcc381bf8703ac8a7a1e2efd7d851be5],
PUP.Optional.MultiPlug.A, C:\ProgramData\savearnet\yk4U1KDjfseFOZ.dll, , [3b841b25eb9fca6ca6813d8664a1ee12],
PUP.Optional.MultiPlug.A, C:\ProgramData\savearnet\yk4U1KDjfseFOZ.x64.dll, , [3b841b25eb9fca6ca6813d8664a1ee12],
PUP.Optional.MultiPlug.A, C:\ProgramData\taopBuyer\vhzlw7R7mJppVY.dll, , [dfe0f14f34560d299295bf04e421ea16],
PUP.Optional.MultiPlug.A, C:\ProgramData\taopBuyer\vhzlw7R7mJppVY.x64.dll, , [dfe0f14f34560d299295bf04e421ea16],
PUP.Optional.Multiplug, C:\ProgramData\WOwCoupon\sVj9ToOaq2jtvE.dll, , [506f83bd59318babbdda6cbfb9495da3],
PUP.Optional.Multiplug, C:\ProgramData\WOwCoupon\sVj9ToOaq2jtvE.x64.dll, , [506f83bd59318babbdda6cbfb9495da3],
PUP.Optional.Multiplug, C:\Program Files (x86)\ShOpPeeraMasteuR\OPCkXtxuNl8LWV.dll, , [ecd3ab9596f4d264efa8b774b052c040],
PUP.Optional.Multiplug, C:\Program Files (x86)\ShOpPeeraMasteuR\OPCkXtxuNl8LWV.x64.dll, , [ecd3ab9596f4d264efa8b774b052c040],
PUP.Optional.Multiplug, C:\Program Files (x86)\ShoppperMasster\CugYRki59QZBh1.dll, , [0cb39ea2e2a8bb7b7f1876b516ec44bc],
PUP.Optional.Multiplug, C:\Program Files (x86)\ShoppperMasster\CugYRki59QZBh1.x64.dll, , [0cb39ea2e2a8bb7b7f1876b516ec44bc],
PUP.Optional.Multiplug, C:\Program Files (x86)\PragmaProc\PragmaProc.dll, , [3e81b38df1992313f2a63bf0ce34c53b],
PUP.Optional.AirInstaller, C:\Users\...\Downloads\setup.exe, , [269954eca2e890a68029b0953dc44db3],
Rogue.Multiple, C:\ProgramData\1887373585\BITA14.tmp, , [209f261ac0ca23130f38510249ba7888],
PUP.Optional.RandomDealApp.A, C:\ProgramData\RandomDealApp\RandomDealApp.exe, , [ecd310300e7c8da90040f392cd36bf41],
PUP.Optional.WowCoupon.A, C:\ProgramData\WOwCoupon\sVj9ToOaq2jtvE.dat, , [8b345fe1a5e5f244236fe5a52dd62ad6],
PUP.Optional.WowCoupon.A, C:\ProgramData\WOwCoupon\sVj9ToOaq2jtvE.tlb, , [8b345fe1a5e5f244236fe5a52dd62ad6],
PUP.Optional.CheapCoupon.A, C:\ProgramData\CheapCoupon\CheapCoupon.exe, , [0bb448f8b4d60234787afe8d23e021df],
PUP.Optional.ResultHunters.A, C:\Users\\AppData\Roaming\Mozilla\Firefox\Profiles\default\prefs.js, Good: (), Bad: (), ,[b609bc840f7b1a1c815b42cee32317e9]
Previously, she said a friend who frequently visits uses her computer and "likes to shop". Evidently! Wowcoupon, cheapcoupon, resulthunters, ShOpPeeraMasteuR, ShopperMasster, taopBuyer, savearnet... one of these must have resulted in the sudden pop-ups I previously witnessed when looking at BITOG.
Very interesting...it pays to run multiple scanners! I finished with CCleaner and Auslogics disk-defrag.
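As an added example (not from the post above or from any of the scanners it mentions), this Python snippet parses detection lines in the "<detection>, <path>, , [<tag>]," layout quoted above and summarizes them by family and by where the files were dropped, which is the triage a defender does before deciding whether a cleanup was complete. It assumes that layout and uses a constructed subset of the posted lines as sample input.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample: a handful of the scanner lines quoted in the post,
# in their "<detection>, <path>, , [<tag>]," layout.
SAMPLE_LOG = r"""
PUP.Optional.Multiplug, C:\Program Files (x86)\savveriBox\NbXyCpxKHMcqaN.x64.dll, , [a31cf24e98f28caa52cf18b21ce955ab],
PUP.Optional.MultiPlug.A, C:\ProgramData\savearnet\yk4U1KDjfseFOZ.dll, , [3b841b25eb9fca6ca6813d8664a1ee12],
PUP.Optional.MultiPlug.A, C:\ProgramData\savearnet\yk4U1KDjfseFOZ.x64.dll, , [3b841b25eb9fca6ca6813d8664a1ee12],
PUP.Optional.AirInstaller, C:\Users\...\Downloads\setup.exe, , [269954eca2e890a68029b0953dc44db3],
PUP.Optional.WowCoupon.A, C:\ProgramData\WOwCoupon\sVj9ToOaq2jtvE.dat, , [8b345fe1a5e5f244236fe5a52dd62ad6],
Rogue.Multiple, C:\ProgramData\1887373585\BITA14.tmp, , [209f261ac0ca23130f38510249ba7888],
"""

# detection name, a Windows path (no commas), then the bracketed 32-hex tag
LINE_RE = re.compile(r"^(?P<det>[^,]+), (?P<path>[A-Za-z]:\\[^,]*), .*?\[(?P<tag>[0-9a-f]{32})\]")

def parse_log(text):
    """Return one dict (det, path, tag) per matching line; other lines are skipped."""
    return [m.groupdict() for m in (LINE_RE.match(l.strip()) for l in text.splitlines()) if m]

def family(detection):
    """Collapse 'PUP.Optional.Multiplug' and 'PUP.Optional.MultiPlug.A' to 'multiplug'."""
    parts = detection.split(".")
    name = parts[-1] if len(parts[-1]) > 1 else parts[-2]  # drop a trailing variant letter
    return name.lower()

def location(path):
    """Rough placement: a user download vs. something persisted system-wide."""
    p = path.lower()
    if "\\downloads\\" in p:
        return "downloads"
    if p.startswith("c:\\program files"):
        return "program_files"
    if p.startswith("c:\\programdata"):
        return "programdata"
    return "other"

def summarize(entries):
    """Counts per family and per location, plus 32/64-bit DLL pairs dropped side by side."""
    families = Counter(family(e["det"]) for e in entries)
    locations = Counter(location(e["path"]) for e in entries)
    paths = {e["path"].lower() for e in entries}
    pairs = []
    for e in entries:
        p = PureWindowsPath(e["path"])
        if p.name.lower().endswith(".x64.dll"):
            base = p.name[:-8]  # strip ".x64.dll"
            if str(p.with_name(base + ".dll")).lower() in paths:
                pairs.append(base)
    return {"families": families, "locations": locations, "dll_pairs": sorted(pairs)}

if __name__ == "__main__":
    print(summarize(parse_log(SAMPLE_LOG)))
```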