infected with dropper.msil?


3 replies to this topic

#1 Exterial


Posted 05 December 2016 - 02:36 AM

I'm not sure if I am infected with a virus, but it's likely I am.
So yesterday, I downloaded this:

http://s000.tinyupload.com/?file_id=00729452047374619658

Google Chrome blocked the download, but I told it to keep the file.
When I opened the zip and extracted the file, the file disappeared; I couldn't find it anywhere on the desktop.
A few seconds later Avira popped up saying it had been put in quarantine. When I checked what the file was, Avira said that it's a "dropper.msil".
I googled it and it seems pretty serious, so I deleted the zip from my PC.
Everything seemed fine until I restarted my PC. Like usual, for a while there was just a black screen with my mouse; however, there was one other thing there.
For some reason cmd was turned on, and the scary part was that its name was the name of the program that was inside the zip. The cmd had no text whatsoever in it, but in less than a second a few lines of text showed up and then instantly disappeared. It happened so fast, and because I didn't expect it, I didn't get to see anything it said.
I googled a bit and what I got from it is that usually when something like that happens it means that your PC is probably infected.
So here I am now asking for help.
PS: I uninstalled Avira because its "on demand" scans were taking 50% of my CPU, but now that I think about it, it was probably a bad idea to uninstall it, so I'm installing it back again at the moment.
 
 
 
 
Mod Edit.
Moved to Am I Infected from Windows 8.

Link deactivated
NickAu


Edited by NickAu, 05 December 2016 - 03:05 AM.
Add mod edit



#2 TsVk!


Posted 05 December 2016 - 05:28 AM

Hi,

The file is

https://virustotal.com/en/file/7eae6268dee9ebc5e6172ba03b95a3358ae13cc06ed7ed2834dcc5c623d6946f/analysis/1480933260/

But unless you double-clicked it, it did not infect you.

We can check for other malware while you're here if you like.

Please download AdwCleaner and save it to your Desktop.

  • Right click and "Run as Administrator"
  • Click on the Scan button.
  • After the scan has finished, click Clean and OK the reboot
  • When complete, your machine will restart and a log file will appear
  • A copy of all log files is saved in the C:\AdwCleaner folder, which was created when running the tool.

 

Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Right click and "Run as Administrator".
  • The tool will open and start scanning your system.
  • On completion a log will open; note the saved JRT.txt on your desktop to copy into your reply

Please download and install Malwarebytes Anti-Malware.

  • Run the program. 
  • Click Scan Now.
  • If threats are detected, click Remove Selected. If you are prompted to reboot, click Yes.
  • Upon completion of the scan (or after the reboot), click the HISTORY tab.
  • Click Application Logs, followed by the first Scan Log.
  • Click Export, followed by Copy to Clipboard. Paste the log in your next reply.

Please download Farbar Service Scanner and run it.

  • Please check all of the boxes then click Scan
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log into your reply.

Please include in your reply

  • ADWCleaner log
  • JRT log
  • MBAM log
  • FSS log
  • how your machine is running now

John



#3 Exterial


Posted 05 December 2016 - 06:45 AM

I did all the things you've asked, and for the most part everything worked out well, except for AdwCleaner. For some reason, when I clicked on Clean after the scan, the program went unresponsive and I couldn't do anything. I couldn't even turn my PC off; I had to hard reset it, which is kinda bad since AdwCleaner said I had 70 threats. My PC seems to be running the same as always; I haven't noticed any differences so far. I don't know how to post files here, so I will just post the logs in text form.

FSS:
 
Farbar Service Scanner Version: 27-01-2016
Ran by lukas (administrator) on 05-12-2016 at 11:53:04
Running from "C:\Users\lukas\Desktop"
Microsoft Windows 8.1  (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.

Windows Firewall:
=============

Firewall Disabled Policy:
==================

System Restore:
============
System Restore Policy:
========================

Action Center:
============

Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is set to Demand. The default start type is Auto.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.

Windows Autoupdate Disabled Policy:
============================

Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend: ""%ProgramFiles%\Windows Defender\MsMpEng.exe"".

Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1

Other Services:
==============

File Check:
========
C:\Windows\System32\nsisvc.dll => File is digitally signed
C:\Windows\System32\drivers\nsiproxy.sys => File is digitally signed
C:\Windows\System32\dhcpcore.dll => File is digitally signed
C:\Windows\System32\drivers\afd.sys => File is digitally signed
C:\Windows\System32\drivers\tdx.sys => File is digitally signed
C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\System32\dnsrslvr.dll => File is digitally signed
C:\Windows\System32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\System32\mpssvc.dll => File is digitally signed
C:\Windows\System32\bfe.dll => File is digitally signed
C:\Windows\System32\drivers\mpsdrv.sys => File is digitally signed
C:\Windows\System32\wscsvc.dll => File is digitally signed
C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\System32\wuaueng.dll => File is digitally signed
C:\Windows\System32\qmgr.dll => File is digitally signed
C:\Windows\System32\es.dll => File is digitally signed
C:\Windows\System32\cryptsvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MsMpEng.exe => File is digitally signed
C:\Windows\System32\ipnathlp.dll => File is digitally signed
C:\Windows\System32\iphlpsvc.dll => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed

**** End of log ****

 

JRT:

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.9 (09.30.2016)
Operating System: Windows 8.1 x64 
Ran by lukas (Administrator) on 05/12/2016 at 11:46:00.29
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
File System: 8 
 
Successfully deleted: C:\end (File) 
Successfully deleted: C:\ProgramData\mntemp (File) 
Successfully deleted: C:\Users\lukas\AppData\Local\{0F376500-DFBE-47DE-A1F0-B86761A82BF2} (Empty Folder)
Successfully deleted: C:\Users\lukas\AppData\Local\drivertoolkit (Folder) 
Successfully deleted: C:\users\Public\Documents\downloaded installers (Folder) 
Successfully deleted: C:\WINDOWS\system32\drivers\swdumon.sys (File) 
Successfully deleted: C:\WINDOWS\system32\Tasks\Avira System Speedup Tray (Task)
Successfully deleted: C:\Program Files (x86)\drivertoolkit (Folder) 
 
Deleted the following from C:\Users\lukas\AppData\Roaming\Mozilla\Firefox\Profiles\ky0h48pt.default\prefs.js
user_pref(browser.search.searchengine.hp, hxxp://www.trotux.com/?z=608161b3ed47d7bc585765eg7z4m4mdb4cdzdb3o5z&from=icb&uid=WDCXWD10EZEX-60ZF5A0_WD-WMC1S336585865858&type=hp
user_pref(browser.search.searchengine.sp, hxxp://www.trotux.com/search/?from=icb&q={searchTerms}&type=sp&uid=WDCXWD10EZEX-60ZF5A0_WD-WMC1S336585865858&z=608161b3ed47d7bc585
user_pref(browser.search.searchengine.uid, WDCXWD10EZEX-60ZF5A0_WD-WMC1S336585865858);
user_pref(browser.search.searchengine.url, hxxp://www.trotux.com/search/?from=icb&q={searchTerms}&type=sp&uid=WDCXWD10EZEX-60ZF5A0_WD-WMC1S336585865858&z=608161b3ed47d7bc58
user_pref(browser.urlbar.suggest.searches, true);
 
 
 
Registry: 3 
 
Successfully deleted: HKLM\SYSTEM\CurrentControlSet\services\SWDUMon (Registry Key) 
Successfully deleted: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{4B95EF14-5441-419F-A42E-4DD2039B8486} (Registry Key)
Successfully deleted: HKLM\Software\Microsoft\Internet Explorer\SearchScopes\{4B95EF14-5441-419F-A42E-4DD2039B8486} (Registry Key)
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 05/12/2016 at 11:51:16.21
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
malwarebytes:
 
Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 05/12/2016
Scan Time: 11:52
Logfile: 
Administrator: Yes
 
Version: 2.2.1.1043
Malware Database: v2016.12.05.04
Rootkit Database: v2016.11.20.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled
 
OS: Windows 8.1
CPU: x64
File System: NTFS
User: lukas
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 350551
Time Elapsed: 20 min, 13 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Warn
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 10
PUP.Optional.NeoBar, HKLM\SOFTWARE\CLASSES\CLSID\{FF20459C-DA6E-41A7-80BC-8F4FEFD9C575}, No Action By User, [0fa96c77b1e9f34356871a3d6d95a957], 
PUP.Optional.NeoBar, HKLM\SOFTWARE\WOW6432NODE\CLASSES\CLSID\{FF20459C-DA6E-41A7-80BC-8F4FEFD9C575}, No Action By User, [0fa96c77b1e9f34356871a3d6d95a957], 
PUP.Optional.NeoBar, HKLM\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{FF20459C-DA6E-41A7-80BC-8F4FEFD9C575}, No Action By User, [0fa96c77b1e9f34356871a3d6d95a957], 
PUP.Optional.NeoBar, HKU\S-1-5-21-2599425825-2813226405-3453375949-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{FF20459C-DA6E-41A7-80BC-8F4FEFD9C575}, No Action By User, [0fa96c77b1e9f34356871a3d6d95a957], 
PUP.Optional.NeoBar, HKU\S-1-5-21-2599425825-2813226405-3453375949-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{FF20459C-DA6E-41A7-80BC-8F4FEFD9C575}, No Action By User, [0fa96c77b1e9f34356871a3d6d95a957], 
PUP.Optional.WinZipDriverUpdater, HKLM\SOFTWARE\NICO MAK COMPUTING\WinZip Driver Updater, No Action By User, [4177c71cd5c5a294ccc32a718779fa06], 
PUP.Optional.Trotux, HKLM\SOFTWARE\WOW6432NODE\trotuxSoftware, No Action By User, [a810687bc5d590a6f9c100f43dc49e62], 
PUP.Optional.Elex, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\Tibeingshadaing, No Action By User, [01b707dc9cfedb5b13964959748c30d0], 
PUP.Optional.DriverAgentPlus, HKU\S-1-5-21-2599425825-2813226405-3453375949-1001\SOFTWARE\ESUPPORT.COM\DriverAgent, No Action By User, [00b8776c801a74c21635bcc120e308f8], 
PUP.Optional.Tuto4PC, HKU\S-1-5-21-2599425825-2813226405-3453375949-1001\SOFTWARE\MICROSOFT\wewewe, No Action By User, [3b7d9251425804328c7ed9b035cb827e], 
 
Registry Values: 1
PUP.Optional.Privoxy, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Secured Net, "C:\WINDOWS\myfirstpc_020716\netsafe.exe", No Action By User, [d5e3edf65248ba7ce8206dade81809f7]
 
Registry Data: 0
(No malicious items detected)
 
Folders: 3
PUP.Optional.Elex.SHHKRST, C:\Users\lukas\AppData\Roaming\charagh, No Action By User, [ffb96b7815853cfa872ef0b2649c9d63], 
PUP.Optional.DriverAgentPlus, C:\Users\lukas\AppData\Roaming\DriverAgentPlus, No Action By User, [5761c1223961eb4bb508354e9d656799], 
PUP.Optional.Privoxy, C:\Windows\myfirstpc_020716, No Action By User, [546416cd7d1de353473934e7a15fcd33], 
 
Files: 43
PUP.Optional.Elex, C:\Program Files (x86)\ClockworkMod\dc30e1.dll, No Action By User, [9a1e6281f3a750e672b0145838c89a66], 
PUP.Optional.BundleInstaller, C:\Users\lukas\Downloads\Installer (1).exe, No Action By User, [5266d40fb0eaf343909f0365f20edc24], 
PUP.Optional.InstallMonster, C:\Users\lukas\Downloads\Microsoft Office 2016 pro Crack Full version Free Download.rar, No Action By User, [ac0cf4effb9ff5410931d0af1fe1659b], 
PUP.Optional.InstallMonster, C:\Users\lukas\Downloads\Microsoft Office 2016 Professional Free Download _Crack_.rar, No Action By User, [84344a991882092d2d0db6c94eb210f0], 
PUP.Optional.InstallMonster, C:\Users\lukas\Downloads\Microsoft_Office_2016_Professional_Plus_32_exe.rar, No Action By User, [7c3cce150496fd3912282d52c739e61a], 
PUP.Optional.BundleInstaller, C:\ProgramData\Avira\Antivirus\TEMP\AVSCAN-20161205-120313-CD035657\AVSCAN-20161205-120518-E5A4D2F0, No Action By User, [892f3da64c4e7db9210e08606b9521df], 
PUP.Optional.Privoxy, C:\Windows\myfirstpc_020716\netsafe.exe, No Action By User, [d5e3edf65248ba7ce8206dade81809f7], 
PUP.Optional.DriverAgentPlus, C:\Users\lukas\AppData\Roaming\DriverAgentPlus\DriverAgentPlus.downloads, No Action By User, [5761c1223961eb4bb508354e9d656799], 
PUP.Optional.DriverAgentPlus, C:\Users\lukas\AppData\Roaming\DriverAgentPlus\DriverAgentPlus.history, No Action By User, [5761c1223961eb4bb508354e9d656799], 
PUP.Optional.DriverAgentPlus, C:\Users\lukas\AppData\Roaming\DriverAgentPlus\DriverAgentPlus.settings, No Action By User, [5761c1223961eb4bb508354e9d656799], 
PUP.Optional.DriverAgentPlus, C:\Users\lukas\AppData\Roaming\DriverAgentPlus\scandata.bin, No Action By User, [5761c1223961eb4bb508354e9d656799], 
PUP.Optional.DriverAgentPlus, C:\Users\lukas\AppData\Roaming\DriverAgentPlus\sysinfo.bin, No Action By User, [5761c1223961eb4bb508354e9d656799], 
PUP.Optional.Amonetize, C:\Users\lukas\AppData\Local\Temp\amipixel.cfg, No Action By User, [e7d1e7fcedad8caa690a00de20e3a759], 
PUP.Optional.Trotux, C:\Users\lukas\AppData\Roaming\Mozilla\Firefox\Profiles\ky0h48pt.default\searchplugins\chxwl7c3.xml, No Action By User, [ad0ba63defabb086ef2a09d646bdee12], 
PUP.Optional.Trotux, C:\Users\lukas\AppData\Roaming\Mozilla\Firefox\Profiles\ky0h48pt.default\prefs.js, Good: (), Bad: (user_pref("browser.newtab.url", "http://www.trotux.com/?z=608161b3ed47d7bc585765eg7z4m4mdb4cdzdb3o5z&from=icb&uid=WDCXWD10EZEX-60ZF5A0_WD-WMC1S336585865858&type=hp");), No Action By User,[c4f4b52e8d0d4ceafd2609d67b88d828]
PUP.Optional.Trotux, C:\Users\lukas\AppData\Roaming\Mozilla\Firefox\Profiles\ky0h48pt.default\prefs.js, Good: (), Bad: (zilla.org\":{\"version\":\"1.0\",\"type\":\"extension\",\"descriptor\":\"C:\\\\Users\\\\lukas\\\\AppData\\\\Roaming\\\\Mozilla\\\\Firefox\\\\Profiles\\\\ky0h48pt.default\\\\features\\\\{16fac417-85a9-48b3-92b1-910427125ade}\\\\websensehelper@mozilla.org.xpi\",\"multiprocessCompatible\":false,\"runInSafeM), No Action By User,[42767172237760d6ce55a639c63d837d]
PUP.Optional.Trotux, C:\Users\lukas\AppData\Roaming\Profiles\Arajuchkerory.default\prefs.js, Good: (), Bad: (user_pref("browser.newtab.url", "http://www.trotux.com/?z=608161b3ed47d7bc585765eg7z4m4mdb4cdzdb3o5z&from=icb&uid=WDCXWD10EZEX-60ZF5A0_WD-WMC1S336585865858&type=hp");), No Action By User,[03b55f84009a90a6718ae8514fb132ce]
PUP.Optional.Trotux, C:\Users\lukas\AppData\Roaming\Profiles\Arajuchkerory.default\prefs.js, Good: (), Bad: (
user_pref("app.update.lastUpdateTime.search-engine-upda), No Action By User,[7e3a12d15149ed4920dbb48550b09e62]
PUP.Optional.Trotux, C:\Users\lukas\AppData\Roaming\Profiles\Arajuchkerory.default\prefs.js, Good: (), Bad: (s file.
 *
 * If you make changes to this file while the application is running,
 * the changes will be overwritten when the application exits.
 *
 * To make a manual change), No Action By User,[f1c7b231d9c1c670708b71c8e31dbf41]
PUP.Optional.Trotux, C:\Users\lukas\AppData\Roaming\Profiles\Arajuchkerory.default\prefs.js, Good: (), Bad: ( is running,
 * the changes will be overwritten when the application exits.
 *
 * To make a manual change to preferences, you can visit the URL about:config
 */
 
user_pref("accessibility.typeahea), No Action By User,[635541a23961da5c6299b5845ca47f81]
PUP.Optional.Trotux, C:\Users\lukas\AppData\Roaming\Profiles\Arajuchkerory.default\prefs.js, Good: (), Bad: (ferences, you can visit the URL about:config
 */
 
user_pref("accessibility.typeaheadfind", true);
user_pref("app.update.auto", false);
user_pref("app.update.enabled", false);
user_pref("app.update), No Action By User,[e3d5bf24fc9ee05629d20336e8187c84]
PUP.Optional.Trotux, C:\Users\lukas\AppData\Roaming\Profiles\Arajuchkerory.default\prefs.js, Good: (), Bad: (anges will be overwritten when the application exits.), No Action By User,[358363803763d165f00b2f0a6d93e11f]
PUP.Optional.Trotux, C:\Users\lukas\AppData\Roaming\Profiles\Arajuchkerory.default\prefs.js, Good: (), Bad: (lity.typeaheadfind", true);
user_pref("app.update.auto", false);
user_pref("app.update.enabled", false);
user_pref("app.update.lastUpdateTime.addon-background-update-tim), No Action By User,[8a2e974c7a2012248e6d7dbcca3626da]
PUP.Optional.Trotux, C:\Users\lukas\AppData\Roaming\Profiles\Arajuchkerory.default\searchplugins\chxwl7c3.xml, No Action By User, [6c4c667dfb9f9b9b8efb7f8b679921df], 
PUP.Optional.Privoxy, C:\Windows\myfirstpc_020716\config.txt, No Action By User, [546416cd7d1de353473934e7a15fcd33], 
PUP.Optional.Privoxy, C:\Windows\myfirstpc_020716\default.action, No Action By User, [546416cd7d1de353473934e7a15fcd33], 
PUP.Optional.Privoxy, C:\Windows\myfirstpc_020716\default.filter, No Action By User, [546416cd7d1de353473934e7a15fcd33], 
PUP.Optional.Privoxy, C:\Windows\myfirstpc_020716\Interop.SHDocVw.dll, No Action By User, [546416cd7d1de353473934e7a15fcd33], 
PUP.Optional.Privoxy, C:\Windows\myfirstpc_020716\mgwz.dll, No Action By User, [546416cd7d1de353473934e7a15fcd33], 
PUP.Optional.Privoxy, C:\Windows\myfirstpc_020716\netsafe.exe.config, No Action By User, [546416cd7d1de353473934e7a15fcd33], 
PUP.Optional.Privoxy, C:\Windows\myfirstpc_020716\oxy.exe, No Action By User, [546416cd7d1de353473934e7a15fcd33], 
PUP.Optional.Privoxy, C:\Windows\myfirstpc_020716\oxy.log, No Action By User, [546416cd7d1de353473934e7a15fcd33], 
PUP.Optional.Privoxy, C:\Windows\myfirstpc_020716\tbconfig.xml, No Action By User, [546416cd7d1de353473934e7a15fcd33], 
PUP.Optional.Privoxy, C:\Windows\myfirstpc_020716\tbinfo.xml, No Action By User, [546416cd7d1de353473934e7a15fcd33], 
PUP.Optional.Privoxy, C:\Windows\myfirstpc_020716\tblog.log, No Action By User, [546416cd7d1de353473934e7a15fcd33], 
PUP.Optional.Privoxy, C:\Windows\myfirstpc_020716\Trackerbird.Tracker.dll, No Action By User, [546416cd7d1de353473934e7a15fcd33], 
PUP.Optional.Privoxy, C:\Windows\myfirstpc_020716\Trackerbird.Tracker.xml, No Action By User, [546416cd7d1de353473934e7a15fcd33], 
PUP.Optional.Privoxy, C:\Windows\myfirstpc_020716\Trackerbird.x64.dll, No Action By User, [546416cd7d1de353473934e7a15fcd33], 
PUP.Optional.Privoxy, C:\Windows\myfirstpc_020716\Trackerbird.x86.dll, No Action By User, [546416cd7d1de353473934e7a15fcd33], 
PUP.Optional.AdServer, C:\Windows\ie.vbs, No Action By User, [c0f81ec5a2f864d2eba665b628d802fe], 
RiskWare.Tool.CK, C:\Users\lukas\Downloads\ezzHotFix.rar, Quarantined, [ae0aa241386279bdd8de2bfe51afcb35], 
Trojan.Agent.MSIL, C:\Users\lukas\Downloads\Sid-Meiers-Civilization-VI.zip, Quarantined, [c4f452917624c5717ccb554a26da53ad], 
Trojan.Dropper.Script, C:\Windows\taskmgr.exe, Quarantined, [4672f5ee3c5e999d229ff1cf30d141bf], 
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)

 

adwcleaner

 

# AdwCleaner v6.040 - Logfile created 05/12/2016 at 12:19:03
# Updated on 02/12/2016 by Malwarebytes
# Database : 2016-12-04.1 [Local]
# Operating System : Windows 8.1  (X64)
# Username : lukas - MYFIRSTPC
# Running from : C:\Users\lukas\Desktop\antivirus\AdwCleaner (1).exe
# Mode: Scan
 
 
 
***** [ Services ] *****
 
Service Found:  Updater
Service Found:  swdumon
Service Found:  UCBrowserSvc
Service Found:  UCGuard
 
 
***** [ Folders ] *****
 
Folder Found:  C:\Users\lukas\AppData\Roaming\DriverAgentPlus
Folder Found:  C:\Users\lukas\AppData\Roaming\Mozilla\Firefox\naweriweentcofise
 
 
***** [ Files ] *****
 
File Found:  C:\WINDOWS\SysNative\drivers\ucguard.sys
File Found:  C:\WINDOWS\ie.vbs
File Found:  C:\Users\lukas\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Local Storage\chrome-extension_efgoofhfkmknpnbeimpgoipcmghncipc_0.localstorage
File Found:  C:\Users\lukas\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Local Storage\chrome-extension_efgoofhfkmknpnbeimpgoipcmghncipc_0.localstorage-journal
 
 
***** [ DLL ] *****
 
No malicious DLLs found.
 
 
***** [ WMI ] *****
 
No malicious keys found.
 
 
***** [ Shortcuts ] *****
 
No infected shortcut found.
 
 
***** [ Scheduled Tasks ] *****
 
Task Found:  UCBrowserUpdaterCore
 
 
***** [ Registry ] *****
 
Key Found:  HKLM\SOFTWARE\Classes\UCHTML
Key Found:  HKLM\SOFTWARE\Classes\UCHTML.AssocFile.CRX
Key Found:  HKLM\SOFTWARE\Classes\UCHTML.AssocFile.HTM
Key Found:  HKLM\SOFTWARE\Classes\UCHTML.AssocFile.HTML
Key Found:  HKLM\SOFTWARE\Classes\UCHTML.AssocFile.MHT
Key Found:  HKLM\SOFTWARE\Classes\UCHTML.AssocFile.SHTM
Key Found:  HKLM\SOFTWARE\Classes\UCHTML.AssocFile.SHTML
Key Found:  HKLM\SOFTWARE\Classes\UCHTML.AssocFile.WEBP
Key Found:  HKLM\SOFTWARE\Classes\UCHTML.AssocFile.XHT
Key Found:  HKLM\SOFTWARE\Classes\UCHTML.AssocFile.XHTML
Key Found:  [x64] HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\services\UCBrowserSvc
Key Found:  HKLM\SOFTWARE\Classes\CLSID\{6E993643-8FBC-44FE-BC85-D318495C4D96}
Key Found:  HKLM\SOFTWARE\Classes\CLSID\{FF20459C-DA6E-41A7-80BC-8F4FEFD9C575}
Key Found:  HKLM\SOFTWARE\Classes\CLSID\{95E84BD3-3604-4AAC-B2CA-D9AC3E55B64B}
Key Found:  HKLM\SOFTWARE\Classes\CLSID\{D42C3A49-ABAF-464B-BBCE-991C3DD395E8}
Key Found:  HKLM\SOFTWARE\Classes\Interface\{BF8946CD-EEBE-436B-8282-B19A021C9EFE}
Key Found:  HKLM\SOFTWARE\Classes\TypeLib\{38DD0B4A-E4E0-4A57-99EE-DCCB185B4728}
Key Found:  HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FF20459C-DA6E-41A7-80BC-8F4FEFD9C575}
Key Found:  HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{95E84BD3-3604-4AAC-B2CA-D9AC3E55B64B}
Key Found:  HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{FF20459C-DA6E-41A7-80BC-8F4FEFD9C575}
Key Found:  HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{95E84BD3-3604-4AAC-B2CA-D9AC3E55B64B}
Key Found:  HKU\.DEFAULT\Software\ompndb
Key Found:  HKU\.DEFAULT\Software\jhdbca
Key Found:  HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\ompndb
Key Found:  HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\jhdbca
Key Found:  HKU\S-1-5-21-2599425825-2813226405-3453375949-1001\Software\DriverToolkit
Key Found:  HKU\S-1-5-21-2599425825-2813226405-3453375949-1001\Software\eSupport.com
Key Found:  HKU\S-1-5-21-2599425825-2813226405-3453375949-1001\Software\UCBrowser
Key Found:  HKU\S-1-5-21-2599425825-2813226405-3453375949-1001\Software\UCBrowserPID
Key Found:  HKU\S-1-5-21-2599425825-2813226405-3453375949-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\DriverToolkit
Key Found:  HKU\S-1-5-21-2599425825-2813226405-3453375949-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\eSupport.com
Key Found:  HKU\S-1-5-21-2599425825-2813226405-3453375949-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\UCBrowser
Key Found:  HKU\S-1-5-21-2599425825-2813226405-3453375949-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\UCBrowserPID
Key Found:  HKU\S-1-5-18\Software\ompndb
Key Found:  HKU\S-1-5-18\Software\jhdbca
Key Found:  HKCU\Software\DriverToolkit
Key Found:  HKCU\Software\eSupport.com
Key Found:  HKCU\Software\UCBrowser
Key Found:  HKCU\Software\UCBrowserPID
Key Found:  HKLM\SOFTWARE\UCBrowser
Key Found:  HKLM\SOFTWARE\UCBrowserPID
Key Found:  HKLM\SOFTWARE\trotuxSoftware
Key Found:  HKLM\SOFTWARE\ompndb
Key Found:  HKLM\SOFTWARE\jhdbca
Key Found:  [x64] HKCU\Software\DriverToolkit
Key Found:  [x64] HKCU\Software\eSupport.com
Key Found:  [x64] HKCU\Software\UCBrowser
Key Found:  [x64] HKCU\Software\UCBrowserPID
Key Found:  [x64] HKLM\SOFTWARE\Nico Mak Computing\WinZip Driver Updater
Key Found:  [x64] HKLM\SOFTWARE\ompndb
Key Found:  [x64] HKLM\SOFTWARE\jhdbca
Value Found:  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [Secured Net]
Value Found:  [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32 [Secured Net]
Value Found:  [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32 [BestCleaner]
Key Found:  HKLM\SOFTWARE\Clients\StartMenuInternet\UCBrowser
Key Found:  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\UCBrowser.exe
Value Found:  HKLM\SOFTWARE\RegisteredApplications [UCBrowser]
Key Found:  HKLM\SOFTWARE\Microsoft\MediaPlayer\ShimInclusionList\UCBrowser.exe
 
 
***** [ Web browsers ] *****
 
No malicious Firefox based browser items found.
Chrome pref Found:  [C:\Users\lukas\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Secure Preferences] - hxxp://www.trotux.com/?z=608161b3ed47d7bc585765eg7z4m4mdb4cdzdb3o5z&from=icb&uid=WDCXWD10EZEX-60ZF5A0_WD-WM
Chrome pref Found:  [C:\Users\lukas\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Secure Preferences ] - hxxp://www.trotux.com/?z=608161b3ed47d7bc585765eg7z4m4mdb4cdzdb3o5z&from=icb&uid=WDCXWD10EZEX-60ZF5A0_WD-W
 
*************************
 
C:\AdwCleaner\AdwCleaner[S0].txt - [5447 Bytes] - [05/12/2016 11:55:32]
C:\AdwCleaner\AdwCleaner[S1].txt - [6009 Bytes] - [05/12/2016 12:19:03]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [6082 Bytes] ##########

Edited by Exterial, 05 December 2016 - 06:46 AM.
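The Malwarebytes log above is what a helper reads to decide whether a case stays in "Am I Infected" or goes to the malware-removal forum; as an added example (not code from BleepingComputer, Malwarebytes or this thread), this Python script parses that log format, joins entries whose "Bad: (...)" blob wrapped across lines, and separates what was quarantined from what is still on the machine because no action was taken. The escalation rules (malware families, Run-key persistence, services, files under C:\Windows) are the author's assumption, not a Malwarebytes classification, and the sample input is a constructed excerpt of the log above with section counts reduced to match.

```python
"""Triage helper for the Malwarebytes Anti-Malware 2.x log format pasted above.
Added example; not code from BleepingComputer, Malwarebytes or this thread."""
import re
from collections import Counter
from dataclasses import dataclass

# Entry: <family>, <object>[, more fields], <action>, [<32 hex>]; wrapped "Bad: (...)" blobs are joined.
START_RE = re.compile(r"^[A-Za-z]+\.[A-Za-z0-9_.]+,\s")
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+):\s*\d+\s*$")
HASH_END_RE = re.compile(r"\[[0-9a-f]{32}\],?\s*$")
ENTRY_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.]+),\s*(?P<target>.+?),\s*"
    r"(?P<action>No Action By User|Quarantined|Deleted|Delete-on-reboot)"
    r",\s*\[[0-9a-f]{32}\]"
)
# Assumed list of families that are malware proper rather than adware/PUP.
SEVERE_PREFIXES = ("Trojan.", "RiskWare.", "Backdoor.", "Ransom.", "Rootkit.")


@dataclass(frozen=True)
class Detection:
    section: str   # "Registry Keys", "Registry Values", "Files", ...
    name: str      # e.g. "Trojan.Dropper.Script"
    target: str    # registry path, file path, or "key|value, data"
    action: str    # "No Action By User" means it is still on the machine


def parse_mbam_log(text: str) -> list:
    """Return every detection entry in the log, in order of appearance."""
    detections, section, pending = [], "?", ""
    for raw in text.splitlines():
        line = raw.strip()
        if pending:                        # continuation of a wrapped entry
            pending += " " + line
        elif SECTION_RE.match(line):
            section = SECTION_RE.match(line)["section"]
            continue
        elif START_RE.match(line):
            pending = line
        else:
            continue                       # header, blank, "(No malicious items ...)"
        if HASH_END_RE.search(pending):    # the trailing hash closes the entry
            m = ENTRY_RE.match(pending)
            if m:
                detections.append(Detection(section, m["name"], m["target"], m["action"]))
            pending = ""
    return detections


def needs_escalation(d: Detection) -> bool:
    """Entries a first-line helper hands to the malware-removal forum: malware
    families, Run-key persistence, services, or files under C:\\Windows."""
    t = d.target.lower()
    return (d.name.startswith(SEVERE_PREFIXES) or "\\run|" in t
            or "\\services\\" in t or t.startswith("c:\\windows\\"))


def triage(detections: list) -> dict:
    """Summarise the scan the way a helper reads it."""
    escalate = [d for d in detections if needs_escalation(d)]
    return {
        "by_action": dict(Counter(d.action for d in detections)),
        "escalate": escalate,
        # Flagged AND untouched: the user clicked nothing, so these still run.
        "outstanding": [d for d in escalate if d.action == "No Action By User"],
        "persistence": [d for d in detections if d.section == "Registry Values"],
    }


# Constructed excerpt of the log above (section counts reduced to match).
SAMPLE_LOG = r"""Registry Keys: 2
PUP.Optional.NeoBar, HKLM\SOFTWARE\CLASSES\CLSID\{FF20459C-DA6E-41A7-80BC-8F4FEFD9C575}, No Action By User, [0fa96c77b1e9f34356871a3d6d95a957],
PUP.Optional.Elex, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\Tibeingshadaing, No Action By User, [01b707dc9cfedb5b13964959748c30d0],
Registry Values: 1
PUP.Optional.Privoxy, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Secured Net, "C:\WINDOWS\myfirstpc_020716\netsafe.exe", No Action By User, [d5e3edf65248ba7ce8206dade81809f7]
Registry Data: 0
(No malicious items detected)
Files: 5
PUP.Optional.Trotux, C:\Users\lukas\AppData\Roaming\Profiles\Arajuchkerory.default\prefs.js, Good: (), Bad: (
user_pref("app.update.lastUpdateTime.search-engine-upda), No Action By User,[7e3a12d15149ed4920dbb48550b09e62]
PUP.Optional.AdServer, C:\Windows\ie.vbs, No Action By User, [c0f81ec5a2f864d2eba665b628d802fe],
RiskWare.Tool.CK, C:\Users\lukas\Downloads\ezzHotFix.rar, Quarantined, [ae0aa241386279bdd8de2bfe51afcb35],
Trojan.Agent.MSIL, C:\Users\lukas\Downloads\Sid-Meiers-Civilization-VI.zip, Quarantined, [c4f452917624c5717ccb554a26da53ad],
Trojan.Dropper.Script, C:\Windows\taskmgr.exe, Quarantined, [4672f5ec3c5e999d229ff1cf30d141bf],
"""
```

Run `triage(parse_mbam_log(SAMPLE_LOG))` to see that the three quarantined items are gone but the Run-key entry, the service key and C:\Windows\ie.vbs are still outstanding, which is the situation John's last reply refers to.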


#4 TsVk!


Posted 05 December 2016 - 05:24 PM

Hi Exterial,

Unfortunately some of the infections you have will require more advanced removal than what we do here in the "Am I Infected" forum.

Please refer to this guide and create a new topic in our malware removal forum.

John





