Obfuscator.xz detected w/ MSE


  1. Posts : 14
    Windows 7 Home Premium 64bit.
       #1

    Obfuscator.xz detected w/ MSE


    I see there's currently a thread with the same issue, and have also checked a few others, but from what I understand it's best to start a new thread. When I got my laptop back from my little brother, I ran a full scan using MSE and it detected Obfuscator.xz. After some research, I realized this happened because he downloaded and installed NBA2K13.

    I was able to quarantine and remove it, but it showed up once again on a second scan. This time, it was unable to quarantine. I uninstalled and removed the NBA 2K13 iso and ran a full scan on MSE a third time, and it didn't show up this time.

    I'm still extremely nervous about what this has done, considering it's been on my system for at least a month. I've used this laptop to log into my bank, log into the website I work for, and all of my other online accounts. I realize that I'm going to have to change all my passwords, but I want to make sure the system is completely clean before I do, so I know the new passwords are safe.

    I would greatly appreciate any assistance you can offer, in helping me out with this situation. Let me know what my next step should be, and I'll be sure to follow through with your suggestions. Thanks in advance, for your time and help.


  2. Posts : 19,383
    Windows 10 Pro x64 ; Xubuntu x64
       #2

    Hi,

    The best thing you can do is change your online account passwords (on a known clean computer - NOT the current one) as you have already suggested.

    In addition, perform some scans using a variety of different tools such as:

    ESET On-line Scanner

    and also this:

    Windows Defender Offline

    Finally, if you still have any doubts, many will suggest that you format everything and then perform a clean installation - it's the only way to be 100% confident that anything malicious has been removed. Some think it's overkill, but it's up to you.

    Regards,
    Golden


  3. Posts : 2,470
    Windows 7 Home Premium
       #3

    In Need Of Help,

    After running the scans, please provide the reports for each.
    Looking at their reports will provide information on what was found, and determine if any further action is necessary. This is better than taking things for granted, or, operating in the blind.

    WDO:
    The log files are stored in a MPLog-MM/DD/YYYY-HH/MM/SS.txt file in the folder below:
    C:\Windows\Windows Defender Offline\Support

    ESET:
    To run the ESET Online Scanner:
    ESET Online Scanner
    Run it from Drive C:\, presuming it has Windows 7.

    First, temporarily disable your Anti-Virus (MSE).
    Info: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - BleepingComputer.com
    Taking this action allows for ESET to run a little faster.

    If possible, use Internet Explorer for this scan.

    Right-click on the IE icon in the Start Menu and select: Run as Administrator

    Accept the Terms of Use, then click on: Start
    When prompted, allow the Add-On/Active X to install.

    Under Scan Settings, make sure that the option Remove found threats is not checked, and the option Scan Archives is checked.

    Click on Advanced Settings and select the following:
    Scan for potentially unwanted applications
    Scan for potentially unsafe applications
    Enable Anti-Stealth Technology

    Now, click on: Start
    The virus signature database begins to download. (This may take some time.)

    Next, the Online Scan begins automatically.
    Please do not touch the Mouse or keyboard during the scan, otherwise it may stall.

    When the scan completes, click: List Threats
    Please copy and provide the information presented in your reply. (If no malware is found, a list is not presented.)
    Click the Back button, and then click the Finish button.


    Notes:
    1. Quarantined files are stored in the folder: \Local settings\Application data\ESET\ESET NOD32 Antivirus\Quarantine
    2. Make sure you re-enable your Anti-Virus when done.


  4. Posts : 14
    Windows 7 Home Premium 64bit.
    Thread Starter
       #4

    WDO found nothing. This is what ESET found.

    C:\Program Files (x86)\CustoPackTools\utils\ask\AskInstallChecker.exe a variant of Win32/Bundled.Toolbar.Ask application
    C:\Program Files (x86)\CustoPackTools\utils\ask\askToolbarInstaller.exe a variant of Win32/Bundled.Toolbar.Ask application
    C:\ProgramData\Ask\APN-Stub\MYC-ST\APNIC.dll a variant of Win32/Bundled.Toolbar.Ask application
    C:\Users\All Users\Ask\APN-Stub\MYC-ST\APNIC.dll a variant of Win32/Bundled.Toolbar.Ask application
    Last edited by In Need Of Help; 24 Mar 2013 at 08:37.


  5. Posts : 5,941
    Linux CENTOS 7 / various Windows OS'es and servers
       #5

    Hi there
    With ANY of this sort of stuff -- WIPE (Re-format) the disc and restore CLEAN version of your OS.

    How can you possibly trust ANY A/V removal tool --especially when it's run on already a compromised system. - I just don't understand people's logic here -- they get an infection which does unknown things to their computer and then trust some other program which by nature of the beast can never be guaranteed to be 100% successful to run ON AN INFECTED SYSTEM and then "Hope" their computer is OK.

    Also DO NOT USE ANY ONLINE SCANNERS IF THE MACHINE IS INFECTED. I just hope your Bank account isn't being emptied in some far off country. If you have an infected machine KEEP OFF THE NET until it's fixed --you just don't know what the Hack is doing -- just because a program says it's virus xxxxx that doesn't mean to say it actually is xxxx. Using the internet on an infected machine is the best way to pass confidential stuff all over the internet.

    From now on in (if you aren't already doing it) Take DAILY backups of your OS and archive user data regularly.

    Would you, if you possibly thought one wheel of your car might come off, actually DRIVE it to the repair shop? -- That's the computer equivalent of using any program ON AN INFECTED MACHINE.


    Cheers
    jimbo


  6. Posts : 14
    Windows 7 Home Premium 64bit.
    Thread Starter
       #6

    @jimbo45 Not everyone is as knowledgeable about this stuff as you, this is my first time experiencing something like this. Unfortunately, this is the only computer available to me at the moment, so I had no choice but to use it to research how serious it was, and to find out what to do. I'm aware that this is serious, and all of my stuff is at risk until I rectify it, and am just trying to figure out the best route to take to solve the problem, and ensure that it doesn't happen again.

    @cottonball I have finished running WDO and it found nothing.

    This is what ESET found.

    C:\Program Files (x86)\CustoPackTools\utils\ask\AskInstallChecker.exe a variant of Win32/Bundled.Toolbar.Ask application
    C:\Program Files (x86)\CustoPackTools\utils\ask\askToolbarInstaller.exe a variant of Win32/Bundled.Toolbar.Ask application
    C:\ProgramData\Ask\APN-Stub\MYC-ST\APNIC.dll a variant of Win32/Bundled.Toolbar.Ask application
    C:\Users\All Users\Ask\APN-Stub\MYC-ST\APNIC.dll a variant of Win32/Bundled.Toolbar.Ask application

    Is jimbo right, when saying that the only way to be sure that this problem is solved is to do a clean install? If so, how do I go about doing that? Pardon my ignorance, but I've never done a clean install before. They did not send a disk with the laptop when I purchased it, so what would be my next step? Thanks again for anyone helping me out with this, it is very much appreciated.


  7. Posts : 19,383
    Windows 10 Pro x64 ; Xubuntu x64
       #7

    In Need Of Help said:
    Is jimbo right, when saying that the only way to be sure that this problem is solved is to do a clean install?

    A clean install is an option if you can't wait any longer for cotton to reply, but it's not necessarily the only way to solve the problem.

    This explains how to do it, and how to create installation media (DVD or USB):

    Clean Reinstall - Factory OEM Windows 7

    However, if you aren't in a rush, wait for cotton's next reply - she is a trained malware removal specialist, so I'm quite sure she knows what he is talking about.

    Regards,
    Golden
    Last edited by Brink; 24 Mar 2013 at 09:41. Reason: cleaned


  8. Posts : 14
    Windows 7 Home Premium 64bit.
    Thread Starter
       #8

    Golden said:
    In Need Of Help said:
    Is jimbo right, when saying that the only way to be sure that this problem is solved is to do a clean install?
    A clean install is an option if you can't wait any longer for cotton to reply, but it's not necessarily the only way to solve the problem.

    This explains how to do it, and how to create installation media (DVD or USB):

    Clean Reinstall - Factory OEM Windows 7

    However, if you aren't in a rush, wait for cotton's next reply - she is a trained malware removal specialist, so I'm quite sure she knows what he is talking about.

    Regards,
    Golden

    That's what I figured, I appreciate the response.

    Update: Thanks for the link as well, I do plan on doing a clean install once the process is finished. I'd just like to hopefully be able to safely get everything off of this computer and onto an external HD, if possible, before I do. I work from this computer, so there's a lot of stuff I would hate to lose.
    Last edited by Brink; 24 Mar 2013 at 09:41. Reason: cleaned quote


  9. Posts : 14
    Windows 7 Home Premium 64bit.
    Thread Starter
       #9

    I can say that the computer already seems to be running much smoother. There had been a lag whenever I try to load a page, it'd take like 2-3 seconds before it would start to load. And when I'd start a post in WordPress or something, it was doing this thing where the cursor would be in the text box on loading, then suddenly leave the box for a second or two, and return. It's no longer doing either of those things.

    Also, the fan seemed to run when doing nearly anything... opening a new tab, constantly when in Google Reader or on Facebook. It's as quiet as when I first got the laptop all of a sudden, and the fan hasn't started once.

    I don't know for sure if these things are directly related, but it sure seems to have had a positive effect. Figured I would let you guys know, in case it helps in any way.


  10. Posts : 2,470
    Windows 7 Home Premium
       #10

    Have you already done a clean install?

    The entries that ESET is showing are not "big ticket" items.

    You can easily get rid of them doing the following:

    Please download AdwCleaner:
    http://general-changelog-team.fr/fr/downloads/finish/20-outils-de-xplode/2-adwcleaner
    Save to the desktop.


    Close all open programs.


    To run the program, right-click AdwCleaner.exe and select: Run as Administrator

    Click on Search and confirm the prompt.

    After it finishes, a text file report opens.


    Please post the content of the AdwCleaner report to your reply.
    (A copy of the log is also saved at C:\AdwCleaner[S1].txt)




    This report is the result of the search. Once we look at it, then we perform a Delete.
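Added example, not part of any post in this thread: a small triage of the ESET threat list posted in #4 and #6, grouping entries by detection name and type and collapsing paths that point at the same file. It assumes that a trailing "application" in an ESET detection marks a potentially unwanted or unsafe application rather than malware, and relies on the fact that on Windows 7 C:\Users\All Users is a link to C:\ProgramData; the function and variable names are illustrative.

```python
import re
from collections import defaultdict

# ESET threat-list lines exactly as posted in the thread (#4 and #6).
ESET_LINES = r"""
C:\Program Files (x86)\CustoPackTools\utils\ask\AskInstallChecker.exe a variant of Win32/Bundled.Toolbar.Ask application
C:\Program Files (x86)\CustoPackTools\utils\ask\askToolbarInstaller.exe a variant of Win32/Bundled.Toolbar.Ask application
C:\ProgramData\Ask\APN-Stub\MYC-ST\APNIC.dll a variant of Win32/Bundled.Toolbar.Ask application
C:\Users\All Users\Ask\APN-Stub\MYC-ST\APNIC.dll a variant of Win32/Bundled.Toolbar.Ask application
""".strip().splitlines()

# Type word that closes each detection. Assumption: "application" (optionally
# "potentially unwanted/unsafe") means PUA; trojan/worm/virus mean malware.
TYPES = r"(?:potentially (?:unwanted|unsafe) )?application|trojan|worm|virus"
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?:a variant of )?"
    r"(?P<name>[A-Za-z0-9]+/\S+)\s+(?P<type>" + TYPES + r")\s*$"
)

# Windows 7 compatibility link: both spellings reach the same directory.
ALIASES = {r"c:\users\all users": r"c:\programdata"}


def canonical(path):
    """Lower-case the path and rewrite known alias prefixes to their target."""
    low = path.lower()
    for alias, target in ALIASES.items():
        if low == alias or low.startswith(alias + "\\"):
            return target + low[len(alias):]
    return low


def triage(lines):
    """Return {(detection, kind): sorted unique canonical paths}."""
    groups = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a threat-list line
        kind = "PUA" if m["type"].endswith("application") else "malware"
        groups[(m["name"], kind)].add(canonical(m["path"]))
    return {key: sorted(paths) for key, paths in groups.items()}


if __name__ == "__main__":
    for (name, kind), paths in triage(ESET_LINES).items():
        print(f"{name} [{kind}]: {len(paths)} unique file(s)")
        for p in paths:
            print("   " + p)
```

The four reported lines reduce to three files, all under one bundled-toolbar detection; nothing in this list accounts for the original Obfuscator.xz alert.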


 