Possible Malware - but cannot run exehelper, etc.


Hi!

Was getting my daughter's computer up to par but ran into a problem. The computer is running very slow and I am not sure what is slowing it down. I was able to run Malwarebytes, but couldn't run the other programs that were suggested in the forum before posting. Here is the log:
Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.12.14.06

Windows 7 x64 NTFS
Internet Explorer 9.0.8112.16421
Xsy :: XM [administrator]

12/14/2013 1:31:59 PM
mbam-log-2013-12-14 (13-31-59).txt

Scan type: Full scan (C:\|D:\|F:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 572187
Time elapsed: 1 hour(s), 33 minute(s), 24 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 1
C:\Users\Sonia\AppData\Roaming\OpenCandy (PUP.Optional.OpenCandy) -> Quarantined and deleted successfully.

Files Detected: 17
C:\Users\Sonia\AppData\Roaming\OpenCandy\DlMgrWrapper_KIS2010_Release3.exe (PUP.Optional.OpenCandy) -> Quarantined and deleted successfully.
C:\Users\Sonia\Downloads\FLVTube.exe (Adware.FlvTube) -> Quarantined and deleted successfully.
C:\Users\Xsy\AppData\Local\Temp\msimg32.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Xsy\AppData\Local\Temp\ntzkkalowg (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Users\Xsy\AppData\Local\Temp\oah.dll (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Users\Xsy\AppData\Local\Temp\nscE2E8.tmp\o73irza.nmu (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Xsy\AppData\Local\Temp\nscE2E8.tmp\obdrn0q.2g7 (Malware.Gen) -> Quarantined and deleted successfully.
C:\Users\Xsy\AppData\Roaming\FrostWire\.AppSpecialShare\frostwire-5.2.11.windows.exe (PUP.Optional.OpenCandy) -> Quarantined and deleted successfully.
C:\Users\Xsy\Downloads\frostwire-4.18.6.windows.exe (PUP.Optional.OpenCandy) -> Quarantined and deleted successfully.
C:\Users\Xsy\Downloads\frostwire-4.21.1.windows.exe (PUP.Optional.OpenCandy) -> Quarantined and deleted successfully.
F:\DATA\Backup\Adobe Photoshop CS2 ISO + Keygen\keygen\keygen.exe (Trojan.Agent.CK) -> Quarantined and deleted successfully.
F:\DATA\Backup\flash\Flash MX 2004\Crack\CORE10k.EXE (PUP.Keygen.Intro) -> Quarantined and deleted successfully.
F:\DATA\Backup\flash\Flash MX 2004\Crack\keygen.exe (Trojan.Agent.CK) -> Quarantined and deleted successfully.
F:\DATA\Backup\gpro\keygen.exe (Trojan.Backdoor) -> Quarantined and deleted successfully.
F:\DATA\Emachine files\Desktop\Adobe Photoshop CS2\KeyGen.exe (Trojan.Agent.CK) -> Quarantined and deleted successfully.
C:\Users\Xsy\AppData\Local\Temp\.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Sonia\AppData\Roaming\OpenCandy\kis2010900736EN.exe (PUP.Optional.OpenCandy) -> Quarantined and deleted successfully.

(end)

I am going to attempt to run the other programs and if I am able to succeed, I will post the results. Thank you so much for your help!
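The Malwarebytes log above is the only evidence the thread has to work from, and the helper's later advice (rootkit present, so the machine can no longer be trusted) is essentially a triage rule applied to it. The following script is an added example, not part of the original post or of Malwarebytes itself: it parses detection lines in the MBAM 1.x log format, counts hits per family, flags anything that was not quarantined, and applies that same rule. The constructed sample log reuses a few of the thread's own entries plus one made-up "No action taken" line so the unresolved check has something to find.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed excerpt in the MBAM 1.75 log layout from the thread. The final
# "No action taken" entry is invented to exercise the unresolved-item check.
SAMPLE_LOG = r"""
Malwarebytes Anti-Malware 1.75.0.1300
Scan type: Full scan (C:\|D:\|F:\|)
Objects scanned: 572187

Memory Processes Detected: 0
(No malicious items detected)

Folders Detected: 1
C:\Users\Sonia\AppData\Roaming\OpenCandy (PUP.Optional.OpenCandy) -> Quarantined and deleted successfully.

Files Detected: 4
C:\Users\Xsy\AppData\Local\Temp\ntzkkalowg (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Users\Xsy\AppData\Local\Temp\msimg32.dll (Trojan.Agent) -> Quarantined and deleted successfully.
F:\DATA\Backup\gpro\keygen.exe (Trojan.Backdoor) -> Quarantined and deleted successfully.
C:\Users\Xsy\Downloads\frostwire-4.18.6.windows.exe (PUP.Optional.OpenCandy) -> No action taken.

(end)
"""

# A detection line is "<path> (<family>) -> <action>." ; summary and
# "(No malicious items detected)" lines have no " -> " and are skipped.
DETECTION_RE = re.compile(r"^(?P<path>.+) \((?P<family>[^()\s]+)\) -> (?P<action>.+?)\.?$")


@dataclass
class Detection:
    path: str
    family: str   # e.g. "Rootkit.0Access"
    action: str   # e.g. "Quarantined and deleted successfully"

    @property
    def category(self) -> str:
        # First dotted component: "Rootkit", "Trojan", "PUP", "Adware", ...
        return self.family.split(".", 1)[0]

    @property
    def resolved(self) -> bool:
        return self.action.lower().startswith("quarantined")


def parse_mbam_log(text: str) -> List[Detection]:
    found = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            found.append(Detection(m["path"], m["family"], m["action"]))
    return found


def summarize(detections: List[Detection]) -> Dict[str, int]:
    """Hit count per top-level family (PUP, Trojan, Rootkit, ...)."""
    return dict(Counter(d.category for d in detections))


# Families that imply an attacker had persistent control of the OS.
PERSISTENT_ACCESS = ("Rootkit", "Backdoor")


def recommend(detections: List[Detection]) -> str:
    """The thread's rule: rootkit or backdoor hits mean the install cannot be
    trusted again, so reformat; PUP/adware-only results are a cleanup job."""
    for d in detections:
        if any(tag in d.family for tag in PERSISTENT_ACCESS):
            return "reformat"
    return "clean"


def unresolved(detections: List[Detection]) -> List[str]:
    """Paths the scanner reported but did not quarantine."""
    return [d.path for d in detections if not d.resolved]


if __name__ == "__main__":
    dets = parse_mbam_log(SAMPLE_LOG)
    print("per family:", summarize(dets))
    print("not quarantined:", unresolved(dets))
    print("recommendation:", recommend(dets))
```

The rule is deliberately conservative: one rootkit or backdoor entry is enough, regardless of how many PUP entries sit next to it, which matches the helper's reasoning that the count of adware hits is irrelevant once kernel-level persistence has been seen.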

Re: Possible Malware - but cannot run exehelper, etc.
Hello and welcome to GeekPolice.Net My name is Dave. I will be helping you out with your particular problem on your computer.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
*************************************************************************
It appears your system is infected with a rootkit. A rootkit is a powerful piece of malware that allows hackers full control over your computer for means of sending attacks over the Internet, or using your computer to generate revenue.

Malware experts have recommended that we make it clear that with the system under control of a hacker, your computer might become impossible to clean 100%.

Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. They can disable your antivirus and security tools to prevent detection and removal. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is sent back to the hacker. To learn more about these types of infections, you can refer to:

What danger is presented by rootkits?
Rootkits and how to combat them
r00tkit Analysis: What Is A Rootkit

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable. Do NOT change passwords or do any transactions while using the infected computer because the attacker may get the new passwords and transaction information. (If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again.) Banking and credit card institutions should be notified to apprise them of your situation (possible security breach). To protect your information that may have been compromised, I recommend reading these references:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
What Should I Do If I've Become A Victim Of Identity Theft?
Identity Theft Victims Guide - What to do
It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired, so you can never be sure that you have completely removed a rootkit. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove rootkits cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with such a piece of malware, the best course of action would be a reformat and clean reinstall of the OS. This is something I don't like to recommend normally, but in most cases it is the best solution for your safety. Making this decision is based on what the computer is used for, and what information can be accessed from it. For more information, please read these references very carefully:
When should I re-format? How should I reinstall?
Help: I Got Hacked. Now What Do I Do?
Help: I Got Hacked. Now What Do I Do? Part II
Where to draw the line? When to recommend a format and reinstall?

Guides for format and reinstall:

how-to-reformat-and-reinstall-your-operating-system-the-easy-way

However, if you do not have the resources to reinstall your computer's OS and would like me to attempt to clean it, I will be happy to do so. But please consider carefully before deciding against a reformat.
If you do make that decision, I will do my best to help you clean the computer of any infections, but you must understand that once a machine has been taken over by this type of malware, I cannot guarantee that it will be 100% secure even after disinfection or that the removal will be successful.

Please let me know what you have decided to do in your next post. Should you have any questions, please feel free to ask.
***********************************************
Your computer has keygens, which is a form of software piracy. What is so bad about Cracks, Hacks, Pirated software, warez, or Keygens?

Most popular cracks or keygens I see, are for Adobe CS3, a lot of different games, Nero, Kaspersky antivirus, and much more. All of these cracks and keygens have what is called "cloaked malware," which is a form of spyware or viruses or trojans that hide themselves inside the keygen or crack files. Most hacks for games that come in the form of a program or installer, will also be infected. It is the opportunity for attackers to present a seemingly safe situation where the opportunity to steal something is in play, while the malware infects your system in the process. Yes, it will install what you were looking for, but also allow malware to potentially take control of your computer.

Lastly, it is illegal. I will counsel you that we do not report such incidents. However, it is not good practice to pirate software.

Re: Possible Malware - but cannot run exehelper, etc.
Hi Dave,

I am not very confident right now with this situation. You have helped me in the past with my own computers, but I am not very familiar with my daughter's. So I am hoping you can guide me...
First, you noted keygens, piracy on the computer. I did find Frostwire on her computer, which I uninstalled. Is there something else I should look for?
Second, I had done a backup on an external drive I have but now am concerned her backup will infect my storage drive. Should I delete the backup off of my drive?
Third, I created a system repair disc right, is that the same as the OS disc or recovery disc?
Sorry for the inconvenience of needing more information /:

Re: Possible Malware - but cannot run exehelper, etc.
I did find Frostwire on her computer, which I uninstalled. Is there something else I should look for?

There were Adobe Photoshop CS2 ISO + Keygen\keygen\keygen.exe, Flash MX 2004\Crack\CORE10k.EXE (PUP.Keygen.Intro) and Backup\gpro\keygen.exe (Trojan.Backdoor), which were removed by MBAM. Key generators are used to run illegal software such as Photoshop. So if there is any software on the computer that has not been purchased it's probably illegal, but I think there are only two.
I had done a backup on an external drive I have but now am concerned her backup will infect my storage drive. Should I delete the backup off of my drive?

It really depends on what was backed up but it really shouldn't affect your ext drive unless you open an infected file on that drive.
At this point what have you decided to do? I'm quite sure we can clean the computer but, as I mentioned previously, the computer can no longer be trusted with such information as financial or personal data.

Re: Possible Malware - but cannot run exehelper, etc.
I prefer to reformat it. I am not sure what sites she would visit...
I printed out the instructions on how to reformat but was not sure if the recovery disc I created yesterday is sufficient. Please let me know (:

Re: Possible Malware - but cannot run exehelper, etc.
Also thank you for the information about the Keygen, etc. It was on my external drive. I have a lot of files backed up from the computer I had with my ex-husband; I need to do some spring cleaning. I don't know what some of the programs are, so if I haven't used them in the past seven years, I don't think I need them!

Re: Possible Malware - but cannot run exehelper, etc.
I prefer to reformat it. I am not sure what sites she would visit...
I printed out the instructions on how to reformat but was not sure if the recovery disc I created yesterday is sufficient. Please let me know (:

Perhaps you should set her up with her own account with some restrictions. As for the Recovery disc, there's one way to find out if it will work and that is to boot with the disc in the drive. If it ignores the disc you may have to change the BIOS to boot from the disc. There is a boot order, and booting from the disc should be number 1.

If you do not know how to set your computer to boot from CD follow the steps here

Re: Possible Malware - but cannot run exehelper, etc.
I was finally able to get the recovery disc to boot, but then I got confused. It seemed like the only options I had were to do a system restore. Also there was an option about an image. Maybe I was not in the right place? I did not see anything about a partition. Please advise, thanks (:

Re: Possible Malware - but cannot run exehelper, etc.
I forgot to ask about the backup and restore option on the computer:
Use a system image...
or
Return to factory condition...

Am I supposed to go through those avenues?

Re: Possible Malware - but cannot run exehelper, etc.
lachatnoir wrote:
I forgot to ask about the backup and restore option on the computer:
Use a system image...
or
Return to factory condition...

Am I supposed to go through those avenues?

The restore using the system image should bring your computer back to the last time the image was taken, while return to factory condition will restore your computer back to the day you purchased it.

Re: Possible Malware - but cannot run exehelper, etc.
If I return it to factory settings, is that the same as reformatting? I just don't understand what to do since I didn't have the same prompts as the instructions:
Formatting partition and doing the reinstall

Note: This will totally wipe your OS partition and re-install a fresh copy of Windows.

"Continue with setup, and continue through the license agreement.
When dealing with the partition: you will need to install a fresh copy. Do not perform a repair or upgrade.
When formatting the partition, use the following option "Format the partition using the NTFS file system."
Allow it to format. Once done, OS setup will begin.
Going through setup, select keyboard and language options. Enter your product key. And allow the install to finish."

I am sorry that I am not catching it quickly ):

Re: Possible Malware - but cannot run exehelper, etc.
Note: This will totally wipe your OS partition and re-install a fresh copy of Windows.

Yes, that's the same as re-formatting. Any important documents, photos, videos and music you have on the computer will be gone. If you need to save any such information, now's the time to do it. Also make sure you have your product key before starting.

Re: Possible Malware - but cannot run exehelper, etc.
I was able to reformat the laptop successfully! The only concern I have is whether to put the backup back on the computer? Should I restore the files?

Re: Possible Malware - but cannot run exehelper, etc.
lachatnoir wrote:
I was able to reformat the laptop successfully! The only concern I have is whether to put the backup back on the computer? Should I restore the files?

Scan them with your AV and MBAM before putting them back on the laptop.
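The advice to scan the backup before restoring it is the right one, and the earlier log shows why a plain extension check is not enough: two of the quarantined trojans lived in Temp with no extension (`ntzkkalowg`) or an unrelated one (`o73irza.nmu`). The script below is an added example, not something from the thread or from any scanner; it goes a step beyond the post by walking a backup tree and flagging files for scanning (or for leaving out of the restore) based on the executable file header, risky extensions, and keygen/crack-style names. The sample tree it builds is constructed in a temporary directory and mimics a few paths from the thread's log.

```python
import os
import tempfile
from pathlib import Path
from typing import Dict, List

# Leading bytes that identify an executable regardless of the file name.
EXEC_MAGIC = {
    b"MZ": "pe-executable",       # Windows PE (.exe/.dll/.scr/...)
    b"\x7fELF": "elf-executable",
}
RISKY_EXT = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".jar", ".msi", ".ps1"}
RISKY_NAMES = ("keygen", "crack", "patch", "loader")


def classify(path: Path) -> List[str]:
    """Reasons a file should be scanned before restore; empty list means none."""
    reasons = []
    with path.open("rb") as fh:
        head = fh.read(4)
    for magic, label in EXEC_MAGIC.items():
        if head.startswith(magic):
            reasons.append(label)
            # Executable content hiding behind a harmless-looking name.
            if path.suffix.lower() not in RISKY_EXT:
                reasons.append("executable-with-disguised-extension")
    if path.suffix.lower() in RISKY_EXT and "pe-executable" not in reasons:
        reasons.append("executable-extension")   # scripts, MSI, etc.
    if any(word in path.name.lower() for word in RISKY_NAMES):
        reasons.append("keygen-or-crack-name")
    return reasons


def triage_backup(root: Path) -> Dict[str, List[str]]:
    """Map of relative path -> reasons, for every file worth scanning."""
    flagged = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            reasons = classify(p)
            if reasons:
                flagged[str(p.relative_to(root)).replace(os.sep, "/")] = reasons
    return flagged


def build_sample_backup() -> Path:
    """Constructed sample tree; names echo the thread's MBAM log, contents are fake."""
    root = Path(tempfile.mkdtemp(prefix="backup-"))
    files = {
        "Photos/holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,      # JPEG header
        "Documents/notes.txt": b"shopping list\n",
        "Backup/gpro/keygen.exe": b"MZ\x90\x00" + b"\x00" * 16,        # PE + keygen name
        "Temp/ntzkkalowg": b"MZ\x90\x00" + b"\x00" * 16,               # PE, no extension
        "Temp/o73irza.nmu": b"MZ\x90\x00" + b"\x00" * 16,              # PE, odd extension
        "Setup/installer.msi": b"\xd0\xcf\x11\xe0" + b"\x00" * 16,     # OLE container, not PE
    }
    for rel, data in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return root


if __name__ == "__main__":
    for rel, why in triage_backup(build_sample_backup()).items():
        print(f"{rel}: {', '.join(why)}")
```

Run it against the real backup root instead of `build_sample_backup()` to get a list to hand to the AV scanner; anything tagged `keygen-or-crack-name` is a candidate for not restoring at all, given how the original infection arrived.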

Re: Possible Malware - but cannot run exehelper, etc.
Thank you! I scanned everything and all is working well. I appreciate your help!!!
