Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Got affected with (msiexec d2buh1bf1g584w.cloudfront.net)


  • This topic is locked This topic is locked
5 replies to this topic

#1 VishnuVardhanUppara

VishnuVardhanUppara

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:India
  • Local time:03:32 PM

Posted 08 April 2017 - 11:47 AM

hello

some days before my system got affected with TORTUX malware.After that I ran malware bytes scan and HitmanPro also.

After all these I changed my host file also with MVPS hosts but i still got this 

(msiexec d2buh1bf1g584w.cloudfront.net)

in my pc and i'm not able to get rid of this.

MalwareBytes is showing it as a threat and is blocking it whenever I try to access the internet. i'm attaching the picture for clear info. Help me with this and how to remove it from my pc.

Attached File  malware1.jpg   42.19KB   0 downloads



BC AdBot (Login to Remove)

 


#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,238 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:02 AM

Posted 09 April 2017 - 08:29 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

--RogueKiller--
  • Download & SAVE to your Desktop Download RogueKiller
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator"
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a Windows opens to explain what [PUM's] are, read about it.
  • Click the RoguKiller icon on your taksbar to return to the report.
  • Click open the Report
  • Click Export TXT button
  • Save the file as ReportRogue.txt
  • Click the Remove button to delete the items in RED
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next.
=======

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section in the bottom of the topic Click the "more reply Options" button.
attachlogs.png

Attach the file.
Select the "Choose a File" navigate to the location of the File.
Click the file you wish to Attach.

Click the Add reply button.
===

Please post the logs.

Wait for further instructions.

#3 VishnuVardhanUppara

VishnuVardhanUppara
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:India
  • Local time:03:32 PM

Posted 09 April 2017 - 12:54 PM

Thank you for the reply. I have done the process you told.

RogueKiller result Attached File  ReportRogue.txt   7.48KB   3 downloads

 

Farbar result..Attached File  FRST.txt   44.81KB   2 downloads   Attached File  Addition.txt   38.23KB   2 downloads

 



#4 nasdaq

nasdaq

  • Malware Response Team
  • 40,238 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:02 AM

Posted 10 April 2017 - 07:44 AM

Please run the RogueKiller tool and remove these entries.
 

[Suspicious.Path] (X64) HKEY_CLASSES_ROOT\CLSID\{7261E794-12E8-11E7-A249-64006A5CFC23} (C:\Users\dell\AppData\Roaming\Fioseprerlerk\Stertiyghpagh.dll) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks | {7261E794-12E8-11E7-A249-64006A5CFC23} : (C:\Users\dell\AppData\Roaming\Fioseprerlerk\Stertiyghpagh.dll) [x] -> Found
[PUP.HackTool|Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\KMSEmulator ("C:\ProgramData\KMSAutoS\bin\KMSSS.exe" -Port 1688 -PWin RandomKMSPID -PO14 RandomKMSPID -PO15 RandomKMSPID -AI 43200 -RI 43200 KillProcessOnPort -Log -IP) -> Found
[PUP.HackTool|VT.not-a-virus:RiskTool.Win32.HackKMS.f] \AutoKMS -- C:\Windows\AutoKMS\AutoKMS.exe -> Found
[Suspicious.Path] \Video Rush -- C:\Windows\system32\rundll32.exe ("C:\Users\dell\AppData\Local\Video Rush\xBin\VideoRush.dll",#3) -> Found
[PUP.HackTool][Folder] C:\ProgramData\KMSAutoS -> Found
[PUP.HackTool][Folder] C:\Windows\AutoKMS -> Found
[PUP.HackTool][Folder] C:\ProgramData\KMSAutoS -> Found

===

Remove this program in bold via the Control Panel > Programs > Programs and Features.
UmmyVideoDownloader (HKLM-x32\...\{E028DBDA-EEE7-48A0-ADF7-D250589A02C5}_is1) (Version: 1.7.2.8 - ) <==== ATTENTION
<<<>>>

Press the windows key Windows_Logo_key.gif+ r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and and click the OK key.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKU\S-1-5-21-582850833-256922532-1231204083-1001\...\Run: [AdobeBridge] => [X]
ShellExecuteHooks: No Name - {7261E794-12E8-11E7-A249-64006A5CFC23} - C:\Users\dell\AppData\Roaming\Fioseprerlerk\Stertiyghpagh.dll -> No File
SearchScopes: HKU\S-1-5-21-582850833-256922532-1231204083-1001 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = hxxp://www.google.com/search?q={sear
CHR Extension: (Chrome Web Store Payments) - C:\Users\dell\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-03-30]
CHR Extension: (Chrome Media Router) - C:\Users\dell\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-03-30]
S2 KMSEmulator; "C:\ProgramData\KMSAutoS\bin\KMSSS.exe" -Port 1688 -PWin RandomKMSPID -PO14 RandomKMSPID -PO15 RandomKMSPID -AI 43200 -RI 43200 KillProcessOnPort -Log -IP [X]
S3 MozillaMaintenance; "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe" [X]
CustomCLSID: HKU\S-1-5-21-582850833-256922532-1231204083-1001_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}\InprocServer32 -> C:\Users\dell\AppData\Local\Google\Update\1.3.27.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-582850833-256922532-1231204083-1001_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E}\InprocServer32 -> C:\Users\dell\AppData\Local\Google\Update\1.3.28.1\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-582850833-256922532-1231204083-1001_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98}\InprocServer32 -> C:\Users\dell\AppData\Local\Google\Update\1.3.28.13\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-582850833-256922532-1231204083-1001_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Users\dell\AppData\Local\Google\Update\1.3.24.15\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-582850833-256922532-1231204083-1001_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}\InprocServer32 -> C:\Users\dell\AppData\Local\Google\Update\1.3.26.9\psuser_64.dll => No File
Task: {3E34EA90-F8B2-4572-A528-E89F99C5DE7F} - \Buhukhjoly -> No File <==== ATTENTION
Task: {9025D3CD-F11B-4C88-94E6-9F9207FBA4E1} - System32\Tasks\Cogespghoqik Reports => C:\Program Files (x86)\Serentarepisp\xgriqaty.exe
Task: {B6938C0C-41FA-4E4E-AC88-A72D48EFE6D6} - System32\Tasks\Video Rush => Rundll32.exe "C:\Users\dell\AppData\Local\Video Rush\xBin\VideoRush.dll",#3 <==== ATTENTION
Shortcut: C:\Users\dell\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\UmmyVideoDownloader\Help\???????.lnk -> C:\Users\dell\AppData\Local\UmmyVideoDownloader\1.7.2.8\help\Ummy_rus.pdf () <===== Cyrillic
C:\Program Files (x86)\Serentarepisp
C:\Users\dell\AppData\Local\Video Rush
C:\Users\dell\AppData\Local\UmmyVideoDownloader

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as Java update!
Important read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882

If still present after these updates remove these old version(s) via the Control Panel > Programs > Programs and Features.
Java 8 Update 51 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F86418051F0}) (Version: 8.0.510 - Oracle Corporation)
Java 8 Update 51 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218051F0}) (Version: 8.0.510 - Oracle Corporation)
Java 8 Update 74 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218074F0}) (Version: 8.0.740.2 - Oracle Corporation)
Java SE Development Kit 8 Update 51 (64-bit) (HKLM\...\{64A3A4F4-B792-11D6-A78A-00B0D0180510}) (Version: 8.0.510.16 - Oracle Corporation)
Java SE Development Kit 8 Update 74 (HKLM-x32\...\{32A3A4F4-B792-11D6-A78A-00B0D0180740}) (Version: 8.0.740.2 - Oracle Corporation)
===

Please let me know what problem persists with this computer.

#5 VishnuVardhanUppara

VishnuVardhanUppara
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:India
  • Local time:03:32 PM

Posted 10 April 2017 - 10:54 AM

Great I'm not getting that pop up now. I think it got fixed.

I ran Rogue Killer scan and deleted the files you have mentioned above.

I did Farbar fix also. Here is the result..Attached File  Fixlog.txt   6.92KB   1 downloads.

Thank you for the help.

                                     -VISHNU

 



#6 nasdaq

nasdaq

  • Malware Response Team
  • 40,238 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:02 AM

Posted 11 April 2017 - 07:57 AM

If all is well.

To learn more about how to protect yourself while on the internet read this little guide best security practices keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/


https://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
Simple and easy ways to keep your computer safe and secure on the Internet.
===




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users