Solved Infected with Savingsbull Filter malware

March 1, 2014 at 12:00:42
Specs: Windows 7

How do I get rid of Savingsbull Filter on Windows 8.1? None of the current easy removal agents help - Malwarebytes, Trend Micro, etc.




#1
March 1, 2014 at 12:59:10

A few ideas here to start the ball rolling:
http://answers.yahoo.com/question/i...

Always pop back and let us know the outcome - thanks



#3
March 1, 2014 at 14:19:35
✔ Best Answer

1: Download & run Unhide
http://www.bleepingcomputer.com/for...
http://download.bleepingcomputer.co...
To run Unhide, simply download it to your Desktop and then double-click on the Unhide icon. The program will open a black box and start making the files on your fixed disks visible again. Please note that this program will not unhide removable drives like flash cards and USB drives, as the FakeHDD rogues do not target these types of drives. Once it has finished, the program will display a Windows alert stating that your files have been restored. You should then reboot your computer for all of the settings to take effect.
When Unhide is complete, it will create a logfile on the Windows Desktop called Unhide.txt.
Copy & Paste the contents of the log in your next post please. Let me know if it doesn't produce a log.

2: Reboot

3: Run AdwCleaner
http://www.softpedia.com/get/Antivi...
http://www.softpedia.com/progScreen...
How to download from Softpedia
http://i.imgur.com/BWELEfV.gif
http://i.imgur.com/4luY3rU.gif
http://www.raymond.cc/blog/adwclean...
http://www.bleepingcomputer.com/dow...
Author's site
http://general-changelog-team.fr/en...
Tutorial
http://general-changelog-team.fr/en...
Please download AdwCleaner by Xplode onto your Desktop.
Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click on Clean.
Confirm each time with Ok.
Your computer will be rebooted automatically. A text file will open after the restart.
Please Copy & Paste the contents of that logfile with your next answer.
You can find the logfile at C:\AdwCleaner[S1].txt as well.

4: Run Junkware Removal Tool
http://www.softpedia.com/get/Securi...
http://www.softpedia.com/progScreen...
How to download from Softpedia
http://i.imgur.com/qO92huz.gif
http://i.imgur.com/qzTUYkX.gif
http://www.bleepingcomputer.com/dow...
http://thisisudax.blogspot.com.au/2...
Download Junkware Removal Tool to your Desktop.
Warning! Once the scan is complete JRT will shut down your browser with NO warning.
Shut down your protection software now to avoid potential conflicts.
Temporarily disable your antivirus and any antispyware real time protection before performing a scan.
Click this link to see a list of security programs that should be disabled and how to disable them.
http://www.bleepingcomputer.com/for...
http://www.techsupportforum.com/for...
Run the tool by double-clicking it. If you are using Windows Vista or Windows 7/8, right-click JRT and select Run as Administrator.
The tool will open and start scanning your system.
Please be patient as this can take a while to complete depending on your system's specifications.
On completion, a log (JRT.txt) is saved to your Desktop and will automatically open.
Copy and Paste the contents of the JRT.txt log please.

message edited by Johnw




#4
March 1, 2014 at 15:35:25

Looks good! Thanks. Will report back as we try these - probably tomorrow. Thank goodness this isn't the only computer in the house!


#5
March 2, 2014 at 09:36:40

Windows Version: Windows 8

Please be patient while your files are made visible again.

Processing the C:\ drive
Finished processing the C:\ drive. 260068 files processed.

The C:\Users\Beth\AppData\Local\Temp\smtmp\ folder does not exist!!
Unhide cannot restore your missing shortcuts!!
Please see this topic in order to learn how to restore default
Start Menu shortcuts: http://www.bleepingcomputer.com/for...

Searching for Windows Registry changes made by FakeHDD rogues.
- Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
* NoActiveDesktopChanges policy was found and deleted!
- Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

Program finished at: 03/02/2014 10:25:54 AM
Execution time: 0 hours(s), 5 minute(s), and 17 seconds(s)



#6
March 2, 2014 at 10:03:12

2nd reply - after AdwCleaner
# AdwCleaner v3.020 - Report created 02/03/2014 at 10:59:38
# Updated 27/02/2014 by Xplode
# Operating System : Windows 8.1 (64 bits)
# Username : Beth - BETHASUS
# Running from : C:\Users\Beth\Desktop\adwcleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\Program Files\Level Quality Watcher
File Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Search.lnk
File Deleted : C:\Users\Beth\AppData\Local\Temp\Uninstall.exe

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{0A18A436-2A7A-49F3-A488-30538A2F6323}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{007EFBDF-8A5D-4930-97CC-A4B437CBA777}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{4C836512-BB70-11D2-A5A7-00105A9C91C6}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DB797690-40E0-11D2-9BD5-0060082AE372}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{DB797681-40E0-11D2-9BD5-0060082AE372}
Key Deleted : HKCU\Software\AVG SafeGuard toolbar
Key Deleted : HKCU\Software\Softonic
Key Deleted : HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKLM\Software\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKLM\Software\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}
Key Deleted : HKLM\Software\AVG SafeGuard toolbar
Key Deleted : HKLM\Software\AVG Security Toolbar

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.16518

Setting Restored : HKCU\Software\Microsoft\Internet Explorer\Main [Secondary Start Pages]

-\\ Mozilla Firefox v27.0.1 (en-US)

[ File : C:\Users\Beth\AppData\Roaming\Mozilla\Firefox\Profiles\hvr9vkyr.default\prefs.js ]


*************************

AdwCleaner[R0].txt - [2141 octets] - [02/03/2014 10:47:18]
AdwCleaner[S0].txt - [1906 octets] - [02/03/2014 10:59:38]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [1966 octets] ##########



#7
March 2, 2014 at 10:27:06

3rd reply - after JRT scan
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.2 (02.20.2014:1)
OS: Windows 8.1 x64
Ran by Beth on Sun 03/02/2014 at 11:10:11.44
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


~~~ Services

~~~ Registry Values

~~~ Registry Keys

Failed to delete: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6C8DB2EC-499B-4897-A784-0E3186C97E9D}
Failed to delete: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6C8DB2EC-499B-4897-A784-0E3186C97E9D}

~~~ Files

~~~ Folders

~~~ FireFox

Emptied folder: C:\Users\Beth\AppData\Roaming\mozilla\firefox\profiles\hvr9vkyr.default\minidumps [2 files]

~~~ Event Viewer Logs were cleared




#8
March 2, 2014 at 10:32:46

So I did the Unhide, the AdwCleaner, and the JRT - none worked, as they couldn't access the AppData files (Local, Temp, etc.).
I'm working with Win8.1 - don't know if that makes it more difficult.
I'm to the point of trying a full factory reset - hoping that will work? And then download/reload all the flipping updates and programs????
Any other suggestions?


#9
March 2, 2014 at 13:44:10

"Any other suggestions?"
Yep, it is a step by step process of dismantling the nasties.

Here is the next step.

Run Malwarebytes' Anti-Malware ( MBAM ) Free Version. Use Quick scan. Copy and Paste the contents of the log please. Note how to avoid the trial period.
If you can't find the log, do a search for malwarebytes or look in here.
C:\Users\Pete\AppData\Roaming\Malwarebytes\Malwarebytes' Anti-Malware\Logs
Replace Pete with the User's name.
http://www.softpedia.com/get/Antivi...
http://www.softpedia.com/progScreen...
http://i.imgur.com/3DtG68Y.gif
http://www.malwarebytes.org/mbam.php
Make sure you Uncheck > Enable free trial at the End of the install.
http://i.imgur.com/tUFCbYz.gif
If your MBAM log indicates "No action taken", that's usually a result of NOT clicking the Remove Selected button after the scan.
Quick Scan versus Full Scan
http://forums.malwarebytes.org/inde...

message edited by Johnw



#10
March 2, 2014 at 14:49:11

Thanks John. I've done that one already. It found nothing... :(


#11
March 2, 2014 at 14:50:57

"Thanks John. I've done that one already. It found nothing... :( "
It needs to be run last, did you?


#12
March 2, 2014 at 15:01:54

"I'm working with Win8.1 - don't know if that makes it more difficult"
Good you mentioned that Beth, there are some programs we can't use.

Your specs show different.
beekaypee March 1, 2014 at 12:00:42
Specs: Windows 7



#13
March 3, 2014 at 08:35:58

That's the unit we're using to communicate on some stuff. The infected one was purchased last fall as a Win 8 but on Feb 17 I upgraded (ha!) to 8.1, the process somehow is the source of all my problems... I was not smart and downloaded it from a non official site because the Play Store connection refused to work.

I've now posted the text file from the last malwarebytes scan. Oops, I did full scan, not quick. It found 2 nasties.

But SavingsBull Filter is still in my program files and won't delete.

message edited by beekaypee



#14
March 3, 2014 at 08:42:53

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2014.03.01.07

Windows 8 x64 NTFS
Internet Explorer 11.0.9600.16518
Beth :: BETHASUS [administrator]

3/2/2014 11:21:00 PM
mbam-log-2014-03-02 (23-21-00).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 447162
Time elapsed: 1 hour(s), 11 minute(s), 6 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\Users\Beth\AppData\Local\Temp\is-636NU.tmp\OCSetupHlp.dll (PUP.Optional.OpenCandy) -> Quarantined and deleted successfully.
C:\Users\Beth\AppData\Local\Temp\is-S3VUJ.tmp\OCSetupHlp.dll (PUP.Optional.OpenCandy) -> Quarantined and deleted successfully.

(end)



#15
March 3, 2014 at 13:48:53

Run Junkware Removal Tool again Beth.


#16
March 3, 2014 at 15:08:14

2nd run of JRT
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.2 (02.20.2014:1)
OS: Windows 8.1 x64
Ran by Beth on Mon 03/03/2014 at 15:55:31.06
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~ Services

~~~ Registry Values

~~~ Registry Keys

Failed to delete: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6C8DB2EC-499B-4897-A784-0E3186C97E9D}
Failed to delete: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6C8DB2EC-499B-4897-A784-0E3186C97E9D}

~~~ Files

~~~ Folders

~~~ Event Viewer Logs were cleared

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Mon 03/03/2014 at 16:03:25.71
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



#17
March 3, 2014 at 15:25:15

"Failed to delete:"
We shall come back & try again later.

Run RogueKiller
http://www.softpedia.com/get/Securi...
http://www.softpedia.com/progScreen...
http://majorgeeks.com/RogueKiller_d...
http://www.geekstogo.com/forum/file...
http://tigzy.geekstogo.com/roguekil...
http://www.sur-la-toile.com/RogueKi...
User Guide
http://www.adlice.com/softwares/rog...
Official tutorial
http://www.adlice.com/softwares/rog...
If RogueKiller won't run, open IE & turn off SmartScreen Filter.
http://windows.microsoft.com/en-AU/...
Download & SAVE to your Desktop.
Quit all programs that you may have started.
Shutdown your antivirus to avoid any conflicts.
Please disconnect any USB or external drives from the computer before you run this scan!
For Vista or Windows 7/8, right-click and select "Run as Administrator" to start.
For Windows XP, double-click to start.
Wait until Prescan has finished ...
Then Click on "Scan" button
Wait until the Status box shows "Scan Finished"
click on "delete"
Wait until the Status box shows "Deleting Finished"
Click on "Report" and Copy & Paste the content of the Notepad into your next reply.
The log should be found in RKreport[1].txt on your Desktop.
Exit/Close RogueKiller.
When completed make sure to re-enable your antivirus.


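The two "Failed to delete" lines in the JRT logs above are registry keys under the Browser Helper Objects list (one per registry view on 64-bit Windows). The thread does not say why JRT could not remove them; a Deny ACE or an owner other than Administrators on the key is a common cause, but that is an assumption to verify, not something the logs show. The following is an added example, not code from the thread or from JRT/AdwCleaner/RogueKiller. It enumerates every registered BHO from both views, resolves the CLSID to its DLL, checks the DLL's Authenticode signature, and reports the key's owner and Deny ACEs, so the tool output can be checked by hand before anything is deleted. The `Remove-BhoKey` helper is mine; run the script from an elevated PowerShell on Windows 8.1 or later.

```powershell
# Added example (not from the thread): audit IE Browser Helper Object registrations
# from both registry views and show why a key might resist deletion.
# Assumption: a Deny ACE / foreign owner is the blocker; verify from the report.

$views = @(
    @{ Name  = 'x64'
       Bho   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
       Clsid = 'HKLM:\SOFTWARE\Classes\CLSID' },
    @{ Name  = 'x86'
       Bho   = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
       Clsid = 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID' }
)

function Get-BhoReport {
    foreach ($v in $views) {
        if (-not (Test-Path -LiteralPath $v.Bho)) { continue }
        foreach ($key in Get-ChildItem -Path $v.Bho) {
            $clsid  = $key.PSChildName
            $server = "$($v.Clsid)\$clsid\InprocServer32"
            # The (default) value of InprocServer32 is the DLL that IE loads.
            $dll = (Get-ItemProperty -LiteralPath $server -ErrorAction SilentlyContinue).'(default)'
            if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll.Trim('"')) }
            $sigStatus = 'DLL missing'
            $signer    = ''
            if ($dll -and (Test-Path -LiteralPath $dll)) {
                $sig = Get-AuthenticodeSignature -FilePath $dll
                $sigStatus = $sig.Status
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            }
            $acl  = Get-Acl -LiteralPath $key.PSPath
            $deny = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })
            [pscustomobject]@{
                View      = $v.Name
                CLSID     = $clsid
                DLL       = $dll
                Signature = $sigStatus
                Signer    = $signer
                Owner     = $acl.Owner
                DenyACEs  = $deny.Count
            }
        }
    }
}

function Remove-BhoKey {
    # Strip Deny ACEs that block deletion, then remove the BHO registration only.
    # The CLSID key and the DLL are left alone; review the report first.
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($v in $views) {
        $path = "$($v.Bho)\$Clsid"
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $acl = Get-Acl -LiteralPath $path
        foreach ($ace in @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })) {
            [void]$acl.RemoveAccessRule($ace)
        }
        Set-Acl -LiteralPath $path -AclObject $acl
        Remove-Item -LiteralPath $path -Recurse -Force
        "Removed $path"
    }
}

Get-BhoReport | Format-Table -AutoSize
# After reviewing the report, e.g.:  Remove-BhoKey -Clsid '{6C8DB2EC-499B-4897-A784-0E3186C97E9D}'
```

If the report shows the key's owner is not Administrators or SYSTEM, `Set-Acl` may be refused; take ownership first (regedit, Permissions, Advanced, Owner) and rerun. A "DLL missing" entry is an orphaned registration and is safe to remove; a present DLL with an unsigned or untrusted signature in a user-writable path is the case worth keeping a copy of before deletion.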

#18
March 3, 2014 at 15:54:56

RogueKiller V8.8.10 [Feb 28 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/rog...
Blog : http://www.adlice.com

Operating System : Windows 8.1 (6.3.9200 ) 64 bits version
Started in : Normal mode
User : Beth [Admin rights]
Mode : Remove -- Date : 03/03/2014 16:52:04
| ARK || FAK || MBR |

¤¤¤ Bad processes : 1 ¤¤¤
[SUSP PATH] AsPatchTouchPanel64.exe -- C:\ProgramData\AsTouchPanel\AsPatchTouchPanel64.exe [7] -> KILLED [TermProc]

¤¤¤ Registry Entries : 2 ¤¤¤
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Scheduled tasks : 1 ¤¤¤
[V2][SUSP PATH] ASUS Patch for Touch Panel : C:\ProgramData\AsTouchPanel\AsPatchTouchPanel64.exe [7] -> DELETED

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Browser Addons : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts


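RogueKiller's [SUSP PATH] tag on the process and scheduled task above is a location heuristic: a binary running from ProgramData, AppData or Temp. It is not by itself evidence of malice, and the log gives no other reason for the kill and the task deletion. The following is an added example, not code from the thread or from RogueKiller, that a practitioner would run before accepting such a deletion: list every scheduled task whose action runs from one of those locations and check the binary's Authenticode signature and signer. The set of "suspect roots" is my choice, not RogueKiller's. Requires the ScheduledTasks module (Windows 8 or later) and an elevated shell.

```powershell
# Added example (not from the thread): review scheduled tasks that run from
# user-writable or data directories and show their code-signing status.
# Assumption: the root list below approximates what RogueKiller calls SUSP PATH.

$suspectRoots = @($env:ProgramData, $env:LOCALAPPDATA, $env:APPDATA, $env:TEMP) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

function Get-SuspectTaskReport {
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            $exe = $action.Execute
            if (-not $exe) { continue }   # COM-handler actions have no Execute path
            $exe = [Environment]::ExpandEnvironmentVariables($exe.Trim('"'))
            $hit = $suspectRoots | Where-Object { $exe.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) }
            if (-not $hit) { continue }

            $exists    = Test-Path -LiteralPath $exe
            $sigStatus = 'n/a'
            $signer    = ''
            if ($exists) {
                $sig = Get-AuthenticodeSignature -FilePath $exe
                $sigStatus = $sig.Status
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            }
            [pscustomobject]@{
                Task      = "$($task.TaskPath)$($task.TaskName)"
                State     = $task.State
                Exe       = $exe
                Arguments = $action.Arguments
                Exists    = $exists
                SigStatus = $sigStatus
                Signer    = $signer
            }
        }
    }
}

Get-SuspectTaskReport | Sort-Object SigStatus, Task | Format-Table -AutoSize

# While investigating, disable rather than delete so the entry can be restored:
#   Disable-ScheduledTask -TaskPath '\' -TaskName 'ASUS Patch for Touch Panel'
```

A task whose binary carries a Valid signature from the machine's OEM is a different case from one that is unsigned, whose file is missing, or whose signer is unrelated to the product name. Disabling keeps the task definition for later review; deleting it, as RogueKiller did here, removes that option.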

#19
March 3, 2014 at 15:59:32

Run TDSSKiller. Copy & Paste the contents of the log in your next post please.
http://www.softpedia.com/get/Antivi...
http://www.softpedia.com/progScreen...
http://usa.kaspersky.com/downloads/...
http://support.kaspersky.com/faq/?q...
http://support.kaspersky.com/viruse...
Anti-rootkit utility TDSSKiller
http://support.kaspersky.com/faq/?q...
If TDSS doesn't run, use FixTDSS
http://www.symantec.com/content/en/...
Download FixTDSS and save it to your Desktop.
Double click on the FixTDSS.exe icon to run it.
Click the "I Accept" button, then the "Proceed" button to begin
The tool will restart your computer automatically - click OK to allow it to do so
The tool will begin its scan on reboot > click "run" to begin
It will report if an infected MBR is found > click the "repair" button
If you do not specify a full pathname, TDSSKiller will save the log in the same folder that the executable resides in.


#20
March 3, 2014 at 16:22:18

I ran it. Did not restart. The report is lengthy and won't copy. Found no threats or objects to quarantine.


New question. Do I need to start a new one on a Start A Discussion? - What if we give up.... Husband wants to install a newly purchased Win 8.1 Pro after reformatting. But he can't figure out how to change the BIOS boot sequence so he can use a DVD to boot it to install the new version...
He went to the BIOS, clicked on the Boot tab, clicked on Boot Option #1 - it gave a string "Windows Boot Manager (PO: ST1000LM024 HN-M101MBB)"
Other choice is Add New Boot Option - but it wants a path, in the manner of "fsx:\path\filename.efi"



#21
March 3, 2014 at 16:33:02

"Do I need to start a new one on a Start A Discussion?"
No, it's Ok here Beth.

I am just going to google your model & see if I can get a SS ( screenshot ) of your bios.



#22
March 3, 2014 at 16:41:45

If the model number is correct, looks like that is a model bought outside of your area.

Can you take photos of the 1st bios page & then the Boot page & upload them to a site of your choosing. Give us the links please.



#23
March 3, 2014 at 17:06:19

Here are the A550 model numbers listed by Asus.
http://support.asus.com/Search.aspx...


#24
March 3, 2014 at 17:20:22

Sorry, John, if I posted it wrong - it's a Q550LF...
This should be a link to a photobucket site with photos.
http://s1300.photobucket.com/user/B...


#25
March 3, 2014 at 18:15:52

Good SS, thanks.

"gave a string "Windows Boot Manager (PO: ST1000LM024 HN-M101MBB)""

Can you right click on the drive in Computer or My Computer ( Step 4 ) & try the different names for the drive that are listed.
http://www.wikihow.com/Get-to-My-Co...


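The "Add New Boot Option" prompt in the firmware wants the path of an EFI loader on a filesystem the firmware can see, in the "fsx:\path\filename.efi" form quoted above. For removable media the UEFI specification fixes that path at \EFI\BOOT\BOOTX64.EFI on x64, which is where a Windows 8.1 install DVD keeps its loader, and a firmware with Secure Boot enabled will refuse a loader that is not signed by a trusted authority. The following is an added example, not code from the thread, that checks those two things from inside Windows before rebooting into the firmware: whether the inserted media has the loader at the default path and how it is signed, and whether this machine booted UEFI with Secure Boot on. It assumes the Storage and SecureBoot modules shipped with Windows 8 and later and an elevated shell; the `bcdedit` call at the end is the stock Windows command.

```powershell
# Added example (not from the thread): verify UEFI install media and firmware
# state before changing the firmware boot order.
# Assumption: x64 media, so the default loader is \EFI\BOOT\BOOTX64.EFI.

function Get-UefiMediaReport {
    Get-Volume |
        Where-Object { $_.DriveLetter -and $_.DriveType -in 'CD-ROM', 'Removable' } |
        ForEach-Object {
            $root    = "$($_.DriveLetter):\"
            $loader  = Join-Path $root 'EFI\BOOT\BOOTX64.EFI'
            $present = Test-Path -LiteralPath $loader
            $sigStatus = 'n/a'
            $signer    = ''
            if ($present) {
                # .efi loaders are PE images, so Authenticode verification applies.
                $sig = Get-AuthenticodeSignature -FilePath $loader
                $sigStatus = $sig.Status
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            }
            [pscustomobject]@{
                Drive      = $root
                Type       = $_.DriveType
                FileSystem = $_.FileSystem
                Loader     = '\EFI\BOOT\BOOTX64.EFI'
                Present    = $present
                SigStatus  = $sigStatus
                Signer     = $signer
            }
        }
}

function Get-FirmwareState {
    # PEFirmwareType: 1 = legacy BIOS boot, 2 = UEFI boot (set by the boot loader).
    $fwType = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control' -Name PEFirmwareType).PEFirmwareType
    $secureBoot = try { Confirm-SecureBootUEFI } catch { 'unsupported (legacy BIOS or no UEFI variable access)' }
    [pscustomobject]@{
        FirmwareType = if ($fwType -eq 2) { 'UEFI' } elseif ($fwType -eq 1) { 'BIOS' } else { "unknown ($fwType)" }
        SecureBoot   = $secureBoot
    }
}

Get-UefiMediaReport | Format-Table -AutoSize
Get-FirmwareState

# Firmware boot entries as Windows sees them (the {fwbootmgr} display order):
bcdedit /enum firmware
```

If the loader is present and its signature status is Valid, the DVD will boot on a Secure Boot system and the firmware's boot menu should offer the optical drive as a UEFI entry without typing a path by hand; if Secure Boot is reported on and the loader is unsigned or NotTrusted, the option is to use properly signed media rather than to disable Secure Boot.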

#26
March 3, 2014 at 21:36:52

Thank you. Thank you. Thank you. For all your help and handholding!!!! Husband finally beat it into shape and made it take the new Win 8.1 disk from scratch.
Yay! Hurrah! G'Day Mate!


#27
March 4, 2014 at 00:33:49

Nice work Beth & hubby.


#28
March 4, 2014 at 08:49:05

Nice conclusion - congratulations to all.

Always pop back and let us know the outcome - thanks

