
Infected with worms and/or trojan


9 replies to this topic

#1 troubledcomputer (Members, 36 posts)

Posted 20 November 2015 - 06:47 AM

Hi,

I recently purchased a new laptop PC (Asus Transformer Book Flip). I think it is infected with a virus or malware, which I think came from the external HDD which I used in my friend's laptop that is heavily infected by a virus.

I would appreciate it very much if you can help me.

Thanks

Attached Files



#2 shelf life (Malware Response Team, 2,651 posts)

Posted 23 November 2015 - 05:33 PM

hi,

At a glance I don't see anything that looks bad. Is an updated Defender, Malwarebytes and Superantispyware coming up clean? Looks like you have also done some online scans. What are the signs you're seeing on your machine that could be malware?

You can find the file below, then go to one of the websites listed, browse for the file on your machine, then upload the file using the send/submit file button.

Once the scan is done you can copy/paste the URL in your reply.

File:

C:\Windows\AutoKMS

Scanner:

https://virusscan.jotti.org/

https://www.virustotal.com/


How Can I Reduce My Risk to Malware?


#3 troubledcomputer (Topic Starter, 36 posts)

Posted 23 November 2015 - 09:16 PM

Hi,

Yes, I did some online scans already, but the ESET online scan did not push through because the downloading of files for ESET always stops. So I tried Bitdefender.

I suspected some malware because when I tried to transfer files from C: to D: some files or folders remained in C: even when all had been moved already to D:. I tried to open the files and folders that remained in C: but those files can't be opened. Also, I saw a lot of desktop.ini and #RECYCLEBIN folders in every folder or file.

I don't know for sure if the above observations are signs of malware or virus infections.

Below is the URL of the online scan:

https://virusscan.jotti.org/en-US/filescanjob/j5oc6hw00k

Thanks.



#4 shelf life (Malware Response Team, 2,651 posts)

Posted 24 November 2015 - 06:30 PM

Getting a better look at the logs today.

You don't see an AutoKMS.exe? You uploaded a .ini file.

Can you go here: C:\Windows\system32\{A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat

Copy the .bat file to your desktop. Once it's on your desktop, right click on it and change the extension to .txt

Next, copy/paste the txt in your reply.

You can also go here: C:\ProgramData and delete the files listed below:

C:\ProgramData\DP45977C.lfl
C:\ProgramData\RefreshReg.vbs
C:\ProgramData\SetStretch.cmd
C:\ProgramData\SetStretch.exe
C:\ProgramData\SetStretch.VBS




#5 troubledcomputer (Topic Starter, 36 posts)

Posted 25 November 2015 - 02:44 AM

Hi,

There is no AutoKMS.exe, only an .ini file.

Also, there is no Program Data folder in C:, only Program Files and Program Files (x86). I looked into the said folders and saw no files you listed above.

Below is the text of the .txt file you instructed:

@echo off
start igfxEM.exe /RegServerPerUser
start igfxEM.exe
start igfxHK.exe
start igfxTray.exe
attrib +R +H +S +A *.cui
del /Q {A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat

Thanks
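Renaming the .bat to .txt, as shelf life asked, is the simplest way to read a script without the risk of double-clicking it. As an added example, not code from the thread or from any tool it names, the following Python script does the same read-only inspection programmatically: it lists what a batch file would launch, which attributes it would set and what it would delete, flags the two things a triager looks at first (hiding files with +H/+S, and a script that deletes itself), and never executes anything. The sample batch text is the one quoted in the post above, embedded as a string; `inspect_batch`, `triage_notes` and the result keys are this example's own names.

```python
"""Read-only triage of a Windows batch script.

Added example, not code from the thread. The sample script is the
{A6D608F0-...}.bat content quoted above, embedded as a string so the
example runs offline; inspect_batch() and its result keys are assumptions
of this example, not part of any tool named in the thread.
"""

# Constructed sample: the batch file content quoted in the thread.
SAMPLE_BATCH = r"""@echo off
start igfxEM.exe /RegServerPerUser
start igfxEM.exe
start igfxHK.exe
start igfxTray.exe
attrib +R +H +S +A *.cui
del /Q {A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat
"""


def inspect_batch(text, own_name=None):
    """Summarise what a batch script would do without running it.

    Returns a dict with the programs it launches, attribute changes,
    delete targets, and two flags a triager cares about: whether it hides
    files (+H or +S) and whether it deletes itself (own_name, if given).
    """
    findings = {
        "launches": [],
        "attrib_changes": [],
        "deletes": [],
        "hides_files": False,
        "self_deletes": False,
    }
    for raw in text.splitlines():
        line = raw.strip().lstrip("@")          # a leading "@" only suppresses echo
        if not line or line.lower().startswith("rem ") or line.startswith("::"):
            continue                            # comment lines
        tokens = line.split()
        cmd = tokens[0].lower()
        if cmd in ("start", "call"):
            # skip switches (/b, /wait, ...) and a quoted window title ("")
            args = [t for t in tokens[1:] if not t.startswith(("/", '"'))]
            if args:
                findings["launches"].append(args[0])
        elif cmd == "attrib":
            findings["attrib_changes"].append(" ".join(tokens[1:]))
            flags = {t.upper() for t in tokens[1:] if t.startswith("+")}
            if flags & {"+H", "+S"}:
                findings["hides_files"] = True
        elif cmd in ("del", "erase"):
            targets = [t for t in tokens[1:] if not t.startswith("/")]
            findings["deletes"].extend(targets)
            if own_name and any(t.lower() == own_name.lower() for t in targets):
                findings["self_deletes"] = True
    return findings


def triage_notes(findings):
    """Plain-language observations derived from inspect_batch() output."""
    notes = []
    if findings["hides_files"]:
        notes.append("sets hidden/system attributes on files")
    if findings["self_deletes"]:
        notes.append("deletes its own script file after running")
    for exe in sorted(set(findings["launches"])):
        notes.append(f"launches {exe}")
    return notes


if __name__ == "__main__":
    result = inspect_batch(SAMPLE_BATCH,
                           own_name="{A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat")
    for note in triage_notes(result):
        print("-", note)
```

The tokeniser is deliberately simple (whitespace-separated, no handling of quoted paths with spaces or of `%VAR%` expansion), which is enough for a driver-installer stub like this one; for anything longer, the point is the same: read what a script does before deciding whether it is benign, and let a reviewer see the hide-and-self-delete pattern at a glance rather than hunting for it.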


#6 shelf life (Malware Response Team, 2,651 posts)

Posted 25 November 2015 - 09:58 AM

Ok. Looks safe enough. You can delete the .txt file off your desktop.

We will use FRST to remove some items.

Copy/paste what's below into Notepad. Save it as fixlist.txt in the same location you have FRST located.

Start FRST like before, except this time click on the Fix button once. The machine may reboot to finish. Upon reboot you will find a fixlog.txt in the same location you have FRST. Please post the fixlog.txt in your reply.

2014-08-29 19:08 - 2014-08-29 19:08 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
2014-08-29 19:23 - 2014-03-26 09:11 - 0000137 _____ () C:\ProgramData\RefreshReg.vbs
2014-05-24 10:27 - 2014-03-27 04:50 - 0000124 _____ () C:\ProgramData\SetStretch.cmd
2014-05-24 10:27 - 2009-07-22 18:04 - 0024576 _____ () C:\ProgramData\SetStretch.exe
2014-05-24 10:27 - 2012-09-07 19:37 - 0000103 _____ () C:\ProgramData\SetStretch.VBS
C:\ProgramData\RefreshReg.vbs
EmptyTemp:




#7 troubledcomputer (Topic Starter, 36 posts)

Posted 25 November 2015 - 08:34 PM

Hi,

Below is the text of Fixlog.txt:

Fix result of Farbar Recovery Scan Tool (x64) Version:25-11-2015 02
Ran by RCL (2015-11-26 09:27:31) Run:1
Running from C:\Users\RCL\Downloads
Loaded Profiles: RCL (Available Profiles: RCL)
Boot Mode: Normal
==============================================

fixlist content:
*****************
2014-08-29 19:08 - 2014-08-29 19:08 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
2014-08-29 19:23 - 2014-03-26 09:11 - 0000137 _____ () C:\ProgramData\RefreshReg.vbs
2014-05-24 10:27 - 2014-03-27 04:50 - 0000124 _____ () C:\ProgramData\SetStretch.cmd
2014-05-24 10:27 - 2009-07-22 18:04 - 0024576 _____ () C:\ProgramData\SetStretch.exe
2014-05-24 10:27 - 2012-09-07 19:37 - 0000103 _____ () C:\ProgramData\SetStretch.VBS
C:\ProgramData\RefreshReg.vbs
EmptyTemp:
*****************

C:\ProgramData\DP45977C.lfl => moved successfully
C:\ProgramData\RefreshReg.vbs => moved successfully
C:\ProgramData\SetStretch.cmd => moved successfully
C:\ProgramData\SetStretch.exe => moved successfully
C:\ProgramData\SetStretch.VBS => moved successfully
"C:\ProgramData\RefreshReg.vbs" => not found.
EmptyTemp: => 244.8 MB temporary data Removed.


The system needed a reboot.

==== End of Fixlog 09:27:37 ====

Perhaps I was just being paranoid because the external HDD I used seems to be infected.

Thanks.
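The fixlist/Fixlog pair above is worth reading closely. Each listing line carries the file's creation time, last-modified time, size, FRST's attribute column (the H in ____H marks the zero-byte .lfl as hidden), the file's company string, and the path; the fixlist carried C:\ProgramData\RefreshReg.vbs twice, so FRST moved it on the first entry and reported "not found" on the second. (C:\ProgramData is hidden by default in Explorer, which is why the fix could act on files there even though the folder did not show up when browsing.) As an added example, not part of the thread or of FRST, here is a Python parser that splits those listing lines into their fields and reconciles a fixlist against the resulting Fixlog, warning about exactly that kind of duplicate and about any requested path that produced no result. The sample texts are constructed from the lines quoted above; the function and field names are this example's own.

```python
"""Parse FRST fixlist lines and reconcile them against a Fixlog.

Added example, not code from the thread or from FRST. The field layout
assumed for a directory-listing line is the one visible in the thread:
  <created> - <modified> - <size> <attribute flags> (<company>) <path>
The sample texts below are constructed from the lines quoted above.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

LISTING_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[A-Z_]+) \((?P<company>[^)]*)\) (?P<path>.+)$"
)
# Fixlog result lines, e.g.   C:\X\y.vbs => moved successfully
#                             "C:\X\y.vbs" => not found.
RESULT_RE = re.compile(r'^"?(?P<path>[A-Za-z]:\\[^"]+?)"? => (?P<result>.+?)\.?$')

# Constructed samples: the fixlist and the Fixlog result block from the thread.
FIXLIST = r"""2014-08-29 19:08 - 2014-08-29 19:08 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
2014-08-29 19:23 - 2014-03-26 09:11 - 0000137 _____ () C:\ProgramData\RefreshReg.vbs
2014-05-24 10:27 - 2014-03-27 04:50 - 0000124 _____ () C:\ProgramData\SetStretch.cmd
2014-05-24 10:27 - 2009-07-22 18:04 - 0024576 _____ () C:\ProgramData\SetStretch.exe
2014-05-24 10:27 - 2012-09-07 19:37 - 0000103 _____ () C:\ProgramData\SetStretch.VBS
C:\ProgramData\RefreshReg.vbs
EmptyTemp:
"""
FIXLOG = r"""C:\ProgramData\DP45977C.lfl => moved successfully
C:\ProgramData\RefreshReg.vbs => moved successfully
C:\ProgramData\SetStretch.cmd => moved successfully
C:\ProgramData\SetStretch.exe => moved successfully
C:\ProgramData\SetStretch.VBS => moved successfully
"C:\ProgramData\RefreshReg.vbs" => not found.
EmptyTemp: => 244.8 MB temporary data Removed.
"""


@dataclass
class FixEntry:
    path: str
    size: Optional[int]   # None for a bare-path entry
    attrs: str            # FRST flag column, e.g. "____H" (H = hidden)
    hidden: bool


def parse_fixlist(text: str) -> List[FixEntry]:
    """Turn fixlist lines into FixEntry records; blank lines and directives
    such as 'EmptyTemp:' are skipped, bare paths become size-less entries."""
    entries: List[FixEntry] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.endswith(":"):
            continue
        m = LISTING_RE.match(line)
        if m:
            attrs = m.group("attrs")
            entries.append(FixEntry(m.group("path"), int(m.group("size")), attrs, "H" in attrs))
        else:
            entries.append(FixEntry(line, None, "", False))
    return entries


def parse_fixlog(text: str) -> Dict[str, List[str]]:
    """Map each path in the Fixlog (lower-cased, Windows paths are case-insensitive)
    to its result strings in order, so a path acted on twice keeps both outcomes."""
    results: Dict[str, List[str]] = {}
    for line in text.splitlines():
        m = RESULT_RE.match(line.strip())
        if m:
            results.setdefault(m.group("path").lower(), []).append(m.group("result"))
    return results


def reconcile(fixlist_text: str, fixlog_text: str) -> Tuple[Dict[str, List[str]], List[str]]:
    """Pair every fixlist path with its Fixlog outcome(s); return (report, warnings).
    Warnings cover duplicate fixlist entries (the second pass yields 'not found')
    and requested paths that produced no result line at all."""
    results = parse_fixlog(fixlog_text)
    report: Dict[str, List[str]] = {}
    warnings: List[str] = []
    seen = set()
    for e in parse_fixlist(fixlist_text):
        key = e.path.lower()
        if key in seen:
            warnings.append(f"duplicate fixlist entry: {e.path}")
        seen.add(key)
        outcome = results.get(key)
        if outcome is None:
            warnings.append(f"no Fixlog result for: {e.path}")
            outcome = []
        report[e.path] = outcome
    return report, warnings


if __name__ == "__main__":
    rep, warns = reconcile(FIXLIST, FIXLOG)
    for path, outcome in rep.items():
        print(f"{path}: {', '.join(outcome) or 'no result'}")
    for w in warns:
        print("WARNING:", w)
```

Run as-is it prints one line per requested path plus the duplicate-entry warning; point `reconcile` at a real fixlist.txt and Fixlog.txt pair to check that every path you asked FRST to move actually was, which is the check worth doing before telling a user the cleanup is complete.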


#8 shelf life (Malware Response Team, 2,651 posts)

Posted 26 November 2015 - 09:10 AM

Other than what we used FRST to remove, I really don't see anything else. Attaching a malware-infected HD to a computer is a concern. It's possible malware could transfer.




#9 troubledcomputer (Topic Starter, 36 posts)

Posted 27 November 2015 - 01:09 AM

Hi,

Thank you very much for your help. I really hope there's nothing unwanted in my PC.

I hope also that no malware transferred from my external HD to my PC.

Again, thank you.



#10 shelf life (Malware Response Team, 2,651 posts)

Posted 27 November 2015 - 05:02 PM

No problem, you're welcome. You can delete the FRST icon and its logs as well as the FRST folder located in your root drive: C:/

