Files appear in startup folder

2 replies to this topic

#1 Frano35

  • Members
  • 2 posts

Posted 14 April 2017 - 07:25 AM

Hello,

I have Win7 x64 and from nowhere this file appeared in the Startup folder: "14df0115cfe9e68fdd76f4747911e2e2". Its size is 200KB and I can't delete it. So is it a virus or some temporary file?


Edited by hamluis, 14 April 2017 - 03:16 PM.
Moved from Win 7 to Am I Infected - Hamluis.



#2 Phemus

  • Members
  • 11 posts
  • Gender:Male

Posted 14 April 2017 - 02:43 PM

Hello,

Download Malwarebytes Antimalware from here: http://www.malwarebytes.org/mbam.php

Download the free version from the link above. Do a full scan. If viruses keep appearing even after you delete them: sometimes Trojans, viruses, malware, etc. stop you from installing and/or updating programs to remove them.
If that happens, reboot into Safe Mode with Networking (from the F8 list of Startup Options), and install, update and scan from there...

If it's still there, it'd be a registry entry, but it seems suspicious to me.

#3 Frano35
  • Topic Starter

  • Members
  • 2 posts

Posted 15 April 2017 - 07:21 AM

Thank you for the reply. I already ran ComboFix and found out that the program caused it. But the problem was I couldn't run ComboFix normally because the PC rebooted automatically, so I had to do it in Safe Mode, and all went well. Here is the log file.

ComboFix 17-04-05.01 - Frano35 4.04.2017.  16:34:30.2.2 - x64 MINIMAL
Microsoft Windows 7 Ultimate   6.1.7601.1.1250.387.1033.18.4095.3161 [GMT 2:00]
Running from: c:\users\Frano35\Downloads\ComboFix.exe
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Frano35\AppData\Roaming\System.exe
.
.
(((((((((((((((((((((((((   Files Created from 2017-03-14 to 2017-04-14  )))))))))))))))))))))))))))))))
.
.
2017-04-14 14:40 . 2017-04-14 14:40    --------    d-----w-    c:\users\Default\AppData\Local\temp
2017-04-14 14:25 . 2017-04-12 12:49    44032    ---ha-w-    C:\Java update.exe
2017-04-14 12:18 . 2017-04-14 12:18    --------    d-----w-    c:\program files\Common Files\ATI Technologies
2017-04-14 12:12 . 2017-04-14 12:19    --------    d-----w-    c:\program files\AMD
2017-04-14 12:11 . 2017-04-14 12:16    --------    d-----w-    C:\AMD
2017-04-11 14:46 . 2007-10-12 13:14    5081608    ----a-w-    c:\windows\system32\d3dx9_36.dll
2017-04-10 16:43 . 2017-04-10 17:17    --------    d-----w-    c:\program files (x86)\nLite
2017-04-09 14:16 . 2017-04-09 14:19    --------    d-----w-    c:\program files (x86)\VideoLAN
2017-04-08 13:31 . 2013-01-13 19:53    187392    ----a-w-    c:\windows\SysWow64\UIAnimation.dll
2017-04-08 13:31 . 2013-01-13 19:24    221184    ----a-w-    c:\windows\system32\UIAnimation.dll
2017-04-08 13:31 . 2013-01-04 06:11    2284544    ----a-w-    c:\windows\SysWow64\msmpeg2vdec.dll
2017-04-08 13:31 . 2013-01-04 06:11    2776576    ----a-w-    c:\windows\system32\msmpeg2vdec.dll
2017-04-08 13:31 . 2013-01-13 19:02    417792    ----a-w-    c:\windows\SysWow64\WMPhoto.dll
2017-04-08 13:31 . 2013-01-13 18:32    465920    ----a-w-    c:\windows\system32\WMPhoto.dll
2017-04-05 16:33 . 2017-04-05 16:33    --------    d-----w-    c:\program files\DIFX
2017-04-05 16:32 . 2017-04-05 16:32    --------    d---a-w-    C:\adb
2017-04-05 16:24 . 2017-04-05 16:41    --------    d-----w-    c:\programdata\SP_FT_Logs
2017-04-05 15:35 . 2017-04-05 15:36    --------    d-----w-    c:\program files\GIMP 2
2017-04-05 15:30 . 2017-04-05 15:30    --------    d-----w-    c:\program files (x86)\GPU-Z
2017-04-04 15:05 . 2017-04-04 15:05    --------    d-----w-    c:\users\Public\Thunder Network
2017-04-04 15:05 . 2017-04-04 15:05    --------    d-----w-    c:\programdata\Thunder Network
2017-04-04 15:03 . 2017-04-05 16:46    --------    d-----w-    C:\KOPLAYER
2017-04-04 12:38 . 2010-02-19 12:00    1533512    ----a-w-    c:\windows\system32\wudfupdate_01007.dll
2017-04-03 17:41 . 2017-04-03 17:41    --------    d-----w-    c:\program files\MPC-HC
2017-04-03 15:29 . 2017-04-03 15:29    --------    d-----w-    c:\windows\Migration
2017-04-03 15:17 . 2017-04-03 15:17    --------    d-----w-    c:\program files (x86)\Investintech.com Inc
2017-04-03 15:17 . 2017-04-03 15:17    --------    d-----w-    c:\program files (x86)\Common Files\SlimPDFReader
2017-04-02 18:23 . 2017-04-02 18:24    --------    d-----w-    c:\program files (x86)\A
2017-04-02 18:07 . 2017-04-02 18:07    --------    d-----w-    c:\program files (x86)\Microsoft Works
2017-04-02 18:07 . 2017-04-03 15:29    --------    d-----w-    c:\program files (x86)\Microsoft.NET
2017-04-02 18:07 . 2017-04-02 18:07    --------    d-----w-    c:\windows\PCHEALTH
2017-04-02 18:06 . 2017-04-02 18:06    --------    d-----w-    c:\program files\Microsoft Office
2017-04-02 18:05 . 2017-04-02 18:05    --------    d-----w-    c:\program files (x86)\Microsoft Visual Studio 8
2017-04-02 18:04 . 2017-04-02 18:04    --------    d-----r-    C:\MSOCache
2017-04-02 17:43 . 2017-04-02 18:08    --------    d-----w-    c:\programdata\Microsoft Help
2017-04-02 17:41 . 2017-04-02 17:41    --------    d-----w-    c:\program files (x86)\WinCDEmu
2017-04-02 15:30 . 2017-04-05 12:15    --------    d-----w-    c:\program files (x86)\Sony Ericsson
2017-04-02 15:26 . 2017-04-02 15:26    --------    d-----w-    c:\program files (x86)\Common Files\Java
2017-04-02 15:26 . 2017-04-02 15:26    472808    ----a-w-    c:\windows\SysWow64\deployJava1.dll
2017-04-02 15:26 . 2017-04-02 15:26    --------    d-----w-    c:\program files (x86)\Java
2017-04-02 15:23 . 2017-04-02 15:31    --------    d-----w-    C:\Flashtool
2017-03-31 14:20 . 2017-03-31 14:20    --------    d-----w-    c:\program files (x86)\Notepad++
2017-03-31 14:14 . 2017-03-31 14:14    --------    d-----w-    c:\program files\Nem's Tools
2017-03-31 14:14 . 2017-04-01 18:18    --------    d-----w-    c:\program files (x86)\VTFEdit
2017-03-31 13:53 . 2011-11-08 08:18    1998168    ----a-w-    c:\windows\SysWow64\D3DX9_43.dll
2017-03-31 13:53 . 2011-11-08 08:18    470880    ----a-w-    c:\windows\SysWow64\d3dx10_43.dll
2017-03-31 13:53 . 2011-11-08 08:18    248672    ----a-w-    c:\windows\SysWow64\d3dx11_43.dll
2017-03-31 13:53 . 2011-11-08 08:18    2106216    ----a-w-    c:\windows\SysWow64\D3DCompiler_43.dll
2017-03-31 13:53 . 2017-03-31 13:53    --------    d-----w-    c:\programdata\IObit
2017-03-31 13:53 . 2017-03-31 13:53    --------    d-----w-    c:\program files (x86)\IObit
2017-03-31 13:50 . 2017-04-14 12:18    --------    d-sh--w-    c:\windows\Installer
2017-03-31 13:46 . 2012-08-27 15:39    107912    ----a-w-    c:\windows\system32\drivers\nusb3hub.sys
2017-03-31 13:46 . 2012-08-27 15:42    227208    ----a-w-    c:\windows\system32\drivers\nusb3xhc.sys
2017-03-31 13:45 . 2017-04-02 19:32    --------    d-----w-    c:\program files\Light
2017-03-31 13:43 . 2011-12-26 05:38    81920    ----a-w-    c:\windows\system32\nusb3co3.dll
2017-03-31 13:41 . 2017-03-31 13:41    0    ----a-w-    c:\windows\ativpsrm.bin
2017-03-31 05:14 . 2017-03-30 19:20    --------    d-----w-    c:\windows\Panther
2017-03-31 05:13 . 2017-03-31 05:13    --------    d-----w-    C:\Boot
2017-03-30 19:29 . 2003-06-12 21:25    7062    ----a-w-    c:\windows\SysWow64\audiopid.vxd
2017-03-30 19:26 . 2017-03-30 19:26    --------    d-----w-    c:\program files (x86)\Common Files\Creative
2017-03-30 19:26 . 2017-03-30 19:26    --------    d--h--w-    c:\program files (x86)\Creative Installation Information
2017-03-30 19:26 . 2017-03-30 19:26    --------    d-----w-    c:\program files (x86)\Common Files\Creative Labs Shared
2017-03-30 19:24 . 2011-12-06 03:09    59392    ----a-w-    c:\windows\system32\atiedu64.dll
2017-03-30 19:24 . 2017-03-30 19:25    --------    d-----w-    c:\windows\SysWow64\Data
2017-03-30 19:24 . 2017-03-30 19:25    --------    d-----w-    c:\windows\system32\Data
2017-03-30 19:24 . 2010-05-06 00:19    12288    ----a-w-    c:\windows\system32\INRES.DLL
2017-03-30 19:24 . 2010-05-05 22:56    11776    ----a-w-    c:\windows\SysWow64\INRES.DLL
2017-03-30 19:24 . 2016-02-26 21:00    13408208    ----a-w-    c:\windows\system32\atidxx64.dll
2017-03-30 19:24 . 2016-02-26 21:00    1506000    ----a-w-    c:\windows\system32\aticfx64.dll
2017-03-30 19:24 . 2011-12-06 03:09    43520    ----a-w-    c:\windows\SysWow64\ati2edxx.dll
2017-03-30 19:24 . 2009-05-18 12:34    22691984    ----a-w-    c:\windows\SysWow64\AppSetup.exe
2017-03-30 19:24 . 2017-03-30 19:29    --------    d--h--w-    c:\program files (x86)\InstallShield Installation Information
2017-03-30 19:24 . 2017-03-30 19:24    --------    d-----w-    c:\program files (x86)\Common Files\InstallShield
2017-03-30 19:24 . 2011-12-06 02:18    58880    ----a-w-    c:\windows\system32\coinst.dll
2017-03-30 19:24 . 2011-12-06 03:12    466944    ----a-w-    c:\windows\system32\ATIDEMGX.dll
2017-03-30 19:22 . 2013-12-01 13:10    257624    ----a-w-    c:\windows\system32\unrar64.dll
2017-03-30 19:22 . 2013-12-01 13:10    218200    ----a-w-    c:\windows\SysWow64\unrar.dll
2017-03-30 19:22 . 2017-03-30 19:22    --------    d-----w-    c:\program files (x86)\K-Lite Codec Pack
2017-03-30 19:22 . 2017-04-14 14:24    --------    d-----w-    C:\Fraps
2017-03-30 19:20 . 2017-04-05 15:37    --------    d-----w-    c:\users\Frano35
2017-03-30 19:20 . 2017-03-30 19:20    --------    d-----w-    C:\Recovery
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-21 1475584]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"CTxfiHlp"="CTXFIHLP.EXE" [2010-05-05 25600]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe;c:\windows\SYSNATIVE\atiesrxx.exe [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe;c:\program files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [x]
R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\System32\drivers\CT20XUT.SYS;c:\windows\SYSNATIVE\drivers\CT20XUT.SYS [x]
R3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.SYS;c:\windows\SYSNATIVE\drivers\CT20XUT.SYS [x]
R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\System32\drivers\CTEXFIFX.SYS;c:\windows\SYSNATIVE\drivers\CTEXFIFX.SYS [x]
R3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.SYS;c:\windows\SYSNATIVE\drivers\CTEXFIFX.SYS [x]
R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\System32\drivers\CTHWIUT.SYS;c:\windows\SYSNATIVE\drivers\CTHWIUT.SYS [x]
R3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.SYS;c:\windows\SYSNATIVE\drivers\CTHWIUT.SYS [x]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys;c:\windows\SYSNATIVE\drivers\dmvsc.sys [x]
R3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\DRIVERS\ggflt.sys;c:\windows\SYSNATIVE\DRIVERS\ggflt.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys;c:\windows\SYSNATIVE\drivers\synth3dvsc.sys [x]
R3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys;c:\windows\SYSNATIVE\drivers\terminpt.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys;c:\windows\SYSNATIVE\drivers\TsUsbGD.sys [x]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys;c:\windows\SYSNATIVE\drivers\tsusbhub.sys [x]
R3 TTDrv;TianTian Support Driver;c:\koplayer\vbox\TTDrv.sys;c:\koplayer\vbox\TTDrv.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys;c:\windows\SYSNATIVE\drivers\rdvgkmd.sys [x]
R3 WinRing0_1_2_0;WinRing0_1_2_0;c:\program files (x86)\IObit\Game Booster 3\Driver\WinRing0x64.sys;c:\program files (x86)\IObit\Game Booster 3\Driver\WinRing0x64.sys [x]
S3 BazisVirtualCDBus;WinCDEmu Virtual Bus Driver;c:\windows\system32\DRIVERS\BazisVirtualCDBus.sys;c:\windows\SYSNATIVE\DRIVERS\BazisVirtualCDBus.sys [x]
S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys;c:\windows\SYSNATIVE\DRIVERS\nusb3hub.sys [x]
S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys;c:\windows\SYSNATIVE\DRIVERS\nusb3xhc.sys [x]
.
.
.
--------- X64 Entries -----------
.
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKLM-Run-14df0115cfe9e68fdd76f4747911e2e2 - c:\users\Frano35\AppData\Local\Temp\System.exe
Wow6432Node-HKLM-Run-Windows Update - c:\users\Frano35\AppData\Roaming\System.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2017-04-14  16:41:21
ComboFix-quarantined-files.txt  2017-04-14 14:41
.
Pre-Run: 22.042.624.000 bytes free
Post-Run: 21.590.839.296 bytes free
.
- - End Of File - - 8A6B22B0BD6A479BFB19B5746621191F
A36C5E4F47E84449FF07ED3517B43A31
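The ORPHANS REMOVED section of the log above ties the original question together: two HKLM Run values, one named with the same 32-hex string as the file in the Startup folder ("14df0115cfe9e68fdd76f4747911e2e2") and one named "Windows Update", both pointed at a System.exe under the user's Temp and Roaming folders, while the Reg Loading Points show EnableLUA=0 (UAC switched off). The following PowerShell script is an added example and is not part of the thread or of ComboFix: it walks the same autostart locations on a live Windows 7 x64 machine and reports entries that share those traits. The key list, the heuristics, the function names and the "editor" labels are this editor's assumptions; it assumes PowerShell 3.0 or later, run elevated from the 64-bit host.

```powershell
# Added example (not from the thread or from ComboFix): walk the autostart
# locations ComboFix reported on above (HKLM/HKCU Run keys incl. Wow6432Node,
# plus both Startup folders) and flag entries that share the traits of the
# removed orphans. Heuristics are the editor's assumptions, not a vendor rule set.
# Assumes PowerShell 3.0+ run elevated from the 64-bit host (a 32-bit host is
# redirected away from the native HKLM Run key). Reports only; deletes nothing.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$startupDirs = @([Environment]::GetFolderPath('Startup'),        # per-user Startup folder
                 [Environment]::GetFolderPath('CommonStartup'))  # all-users Startup folder
# Locations a standard user can write to; legitimate autostarts rarely live here.
$userWritable = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

function Get-TargetPath {
    # Extract the executable path from a Run-key command line, quoted or not.
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
        return $cmd.Trim('"')
    }
    if (Test-Path -LiteralPath $cmd) { return $cmd }   # unquoted path that contains spaces
    return ($cmd -split '\s+')[0]
}

function Get-Sha256 {
    # Get-FileHash needs PowerShell 4.0+, so hash through .NET instead.
    param([string]$Path)
    $sha = [Security.Cryptography.SHA256]::Create()
    try { ([BitConverter]::ToString($sha.ComputeHash([IO.File]::ReadAllBytes($Path)))) -replace '-', '' }
    finally { $sha.Dispose() }
}

function Get-SuspicionReasons {
    param([string]$Name, [string]$Target, [IO.FileInfo]$File)
    $reasons = @()
    if ($Name -match '^[0-9a-fA-F]{32}$') { $reasons += 'name is a bare 32-hex string, not a product name' }
    if ($File) {
        if ($File.Extension -ne '.lnk') { $reasons += 'file dropped directly in Startup (installers normally place a .lnk)' }
        if ([int]($File.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) { $reasons += 'file is hidden' }
    }
    if (-not $Target) { return $reasons }
    foreach ($dir in $userWritable) {
        if ($Target.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) { $reasons += "target is under user-writable $dir"; break }
    }
    $inSystemRoot = $Target.StartsWith($env:SystemRoot, [StringComparison]::OrdinalIgnoreCase)
    if ((Split-Path -Leaf $Target) -match '^(system|svchost|csrss|winlogon|lsass|explorer)\.exe$' -and -not $inSystemRoot) {
        $reasons += "file name mimics a Windows binary but sits outside $env:SystemRoot"
    }
    if (-not [IO.Path]::IsPathRooted($Target)) {
        $reasons += 'bare file name, resolved through the search path at logon (check which copy wins)'
    } elseif (-not (Test-Path -LiteralPath $Target)) {
        $reasons += 'target missing on disk (orphaned entry)'
    }
    return $reasons
}

$entries = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    foreach ($p in (Get-ItemProperty -LiteralPath $key).PSObject.Properties) {
        if (@('PSPath','PSParentPath','PSChildName','PSDrive','PSProvider') -contains $p.Name) { continue }
        $target = Get-TargetPath -CommandLine ([string]$p.Value)
        $entries += [pscustomobject]@{ Location = $key; Name = $p.Name; Target = $target
            Reasons = (Get-SuspicionReasons -Name $p.Name -Target $target) -join '; ' }
    }
}
$shell = New-Object -ComObject WScript.Shell
foreach ($dir in $startupDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    foreach ($f in Get-ChildItem -LiteralPath $dir -Force | Where-Object { -not $_.PSIsContainer -and $_.Name -ne 'desktop.ini' }) {
        # A .lnk runs its target; anything else in the folder runs as itself.
        $target = if ($f.Extension -eq '.lnk') { $shell.CreateShortcut($f.FullName).TargetPath } else { $f.FullName }
        $entries += [pscustomobject]@{ Location = $dir; Name = $f.Name; Target = $target
            Reasons = (Get-SuspicionReasons -Name $f.BaseName -Target $target -File $f) -join '; ' }
    }
}
$entries | Sort-Object Location, Name | Format-Table Location, Name, Target, Reasons -AutoSize -Wrap | Out-Host
$entries | Where-Object { $_.Reasons -and $_.Target -and [IO.Path]::IsPathRooted($_.Target) -and (Test-Path -LiteralPath $_.Target) } |
    ForEach-Object { 'SHA256 {0}  {1}' -f (Get-Sha256 $_.Target), $_.Target }
# ComboFix logged EnableLUA=0: with UAC off every process already runs with full
# admin rights, so a dropped file needs no elevation to persist machine-wide.
$pol = Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
if ($pol -and $pol.EnableLUA -eq 0) { Write-Warning 'UAC is disabled (EnableLUA=0); re-enable it once the machine is clean.' }
```

The script only reports. Every flagged entry that still exists on disk is printed with its SHA-256 so the file can be looked up or submitted before anything is removed; a value whose target is a bare file name (the log's "CTxfiHlp"="CTXFIHLP.EXE" is one) is listed separately, because which copy of that name runs depends on the search path rather than on a fixed location. The two orphan entries ComboFix removed would have been flagged on three counts each: a user-writable target directory, a Windows-sounding file name (System.exe) outside %SystemRoot%, and, for the first, a value name that is just 32 hex digits.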