
Got infected with msiexec / powershell d2buh1bf1g584w.cloudfront.net fliparray


  • This topic is locked
5 replies to this topic

#1 Marco1607

Marco1607

  • Members
  • 6 posts

Posted 13 May 2017 - 06:05 AM

Hi

Some days ago I got infected with TORTUX malware. After that I ran a Malwarebytes scan and HitmanPro also.

After all this I also changed my hosts file with MVPS hosts, but I still got this

(msiexec d2buh1bf1g584w.cloudfront.net as well as in powershell with fliparray.info and other sites related to malware removal)

in my PC and I'm not able to get rid of this.

Malwarebytes is showing it as a threat and is blocking it while I am on the internet (happens 8-10 times a day). I'm attaching the picture for clear info. Please help me with this and how to remove it from my PC.

I have RogueKiller's scan results in reportrogue.txt as well as Farbar's scan results (Frst.txt and Addition.txt). I noticed they were suggested for other users (with success) so I just followed the instructions since the issue is practically the same as the one I have. I can send directly to the responder upon reply.

Thanks in advance

Attached Files





#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,933 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 14 May 2017 - 08:28 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please post the RogueKiller, FRST.txt and Addition.txt logs for my review.

Wait for further instructions.

#3 Marco1607

Marco1607
  • Topic Starter

  • Members
  • 6 posts

Posted 14 May 2017 - 11:25 AM

Hi Nasdaq

See attached,

Just for your information I also did an adwcleaner log which I am also including.

Kind regards

Marco

Attached Files



#4 nasdaq

nasdaq

  • Malware Response Team
  • 38,933 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 14 May 2017 - 12:49 PM

Please run the RogueKiller tool and delete everything that was found.

==


Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM-x32\...\Run: [] => [X]
ShellExecuteHooks: No Name - {6507AF1C-3084-11E7-AEE2-64006A5CFC23} -  -> No File
ShellExecuteHooks: No Name - {6DE8549C-316B-11E7-A1E9-64006A5CFC23} -  -> No File
GroupPolicy: Restriction - Chrome <======= ATTENTION
GroupPolicyScripts: Restriction <======= ATTENTION
HKU\S-1-5-21-2372369708-4087653311-89185977-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0410&m=aspire_5736z&r=27360415f315l04c4z1h5v47324218
SearchScopes: HKU\S-1-5-21-2372369708-4087653311-89185977-1001 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
Toolbar: HKU\S-1-5-21-2372369708-4087653311-89185977-1001 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
FF HKLM-x32\...\Firefox\Extensions: [{ABDE892B-13A8-4d1b-88E6-365A6E755758}] - C:\ProgramData\RealNetworks\RealDownloader\BrowserPlugins\Firefox\Ext => not found
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\golliver.xml [2015-04-13]
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.xdp -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [No File]
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.xfdf -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll [No File]
FF Plugin-x32: @videolan.org/vlc,version=2.2.0 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [No File]
CHR HomePage: ChromeDefaultData -> hxxp://www.initialpage123.com/?z=651145524b12a48278740d0g1z3t4z7c7gdz9tfc3m&from=amz&uid=SamsungXSSDX850XEVOX250GB_S2R6NX0J276636P&type=hp
CHR StartupUrls: ChromeDefaultData -> "hxxp://www.initialpage123.com/?z=651145524b12a48278740d0g1z3t4z7c7gdz9tfc3m&from=amz&uid=SamsungXSSDX850XEVOX250GB_S2R6NX0J276636P&type=hp"
CHR Profile: C:\Users\Marco\AppData\Local\Google\Chrome\User Data\ChromeDefaultData [2017-05-10] <==== ATTENTION
CHR Extension: (Pagamenti Chrome Web Store) - C:\Users\Marco\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-05-09]
CHR Extension: (Chrome Media Router) - C:\Users\Marco\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-05-09]
CHR Extension: (Golliver) - C:\Users\Marco\AppData\Local\Google\Chrome\User Data\ChromeDefaultData2\Extensions\bollbfeakabenkobaocgakdibphdnanj [2017-05-09]
CHR Extension: (Pagamenti Chrome Web Store) - C:\Users\Marco\AppData\Local\Google\Chrome\User Data\ChromeDefaultData2\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-11-16]
CHR Extension: (Pagamenti Chrome Web Store) - C:\Users\Marco\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-03-26]
CHR Extension: (Chrome Media Router) - C:\Users\Marco\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-05-05]
CHR HKLM-x32\...\Chrome\Extension: [bollbfeakabenkobaocgakdibphdnanj] - hxxp://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [npdicihegicnhaangkdmcgbjceoemeoo] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [peefembmkccmkodbcpgilfjgkligpbba] - hxxps://clients2.google.com/service/update2/crx
U3 idsvc; no ImagePath
CustomCLSID: HKU\S-1-5-21-2372369708-4087653311-89185977-1001_Classes\CLSID\{0E270DAA-1BE6-48F2-AC49-A8F89265890D}\InprocServer32 -> %%systemroot%%\system32\shell32.dll => No File
Task: {209F9DC0-E251-4E2C-B313-214A6F9DB967} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {22F7F75C-9D65-4253-94BA-AAB0C0744D46} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {4097BF35-715A-49B9-AFC2-6054057DAC26} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION
Task: {64DE6B81-8418-4443-B078-61FB94ED8FCB} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {675D0687-4CF7-4E00-8D1A-62FF4664BFEA} - System32\Tasks\{C0C79C45-7C6D-41A6-8783-51D1A015E3AB} => Firefox.exe hxxp://www.skype.com/go/downloading?source=lightinstaller&amp;ver=7.16.0.102&amp;LastError=404
Task: {7B055353-AADA-4E40-B256-6562067CB8A3} - \Nizercultsteverty -> No File <==== ATTENTION
Task: {87D058C8-EB9A-4D4B-86B2-DF2FFDFB144B} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {BFE93B72-5E35-4C27-9FA2-8990D0254C27} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {C3077F1D-F3BE-45DB-9791-27DE259630C9} - System32\Tasks\oACRkRYe7O => C:\Program Files (x86)\gp467Q7v2Y\updengine.exe  <==== ATTENTION
Task: {C344B485-0600-417E-92B3-1ACBAB499EA5} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {C39ADA49-4806-4AA4-B880-B916373727E8} - System32\Tasks\{F0FF5C2E-9965-4C62-A270-6BE5447F1277} => Firefox.exe hxxp://ui.skype.com/ui/0/7.8.0.102/it/go/help.faq.installer?source=lightinstaller&amp;LastError=1618
Task: {C94C5157-DC9D-4CA9-BCE3-763E16677ED8} - System32\Tasks\Lerfopervather Host => C:\Program Files (x86)\Jiricultclerroly\nahit.exe
Task: {CF30C97D-DD5C-46C9-96FC-B1B893D901AB} - System32\Tasks\{C8344029-488C-1EC2-D158-9126E28C8F75} => Regsvr32.exe /s /n /i:"/rt" "C:\PROGRA~3\317d9c67\2f90197a.dll" <==== ATTENTION
Task: {D6E65A8E-6EFD-4550-B819-2D1C35908160} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {D931F323-2BA9-42F6-BE48-DC6394BCB186} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {DAA5B0EC-DFDF-4B93-87C0-85185D911AA2} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {E2C33F91-BCE1-4660-8485-ED50E6F6E038} - System32\Tasks\Quzose Host => C:\Program Files (x86)\Kerberpharejoge\ghlisp.exe
Task: {E98F39D0-22D1-4D95-BB9D-227CA07D588C} - System32\Tasks\AutoKMS => C:\Windows\AutoKMS\AutoKMS.exe
Task: {F2864426-D6C8-4A29-87EF-C2E5C01EBE13} - System32\Tasks\{55969A4F-4185-41C6-A76C-C6EC974CB42E} => Firefox.exe hxxp://www.skype.com/go/downloading?source=lightinstaller&amp;ver=7.16.0.102&amp;LastError=404
Task: {F3FCB0AB-3069-4BD7-BFB6-6ECD938B071A} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
AlternateDataStreams: C:\ProgramData\Temp:1AAB2E68 [183]
AlternateDataStreams: C:\ProgramData\Temp:B755D674 [134]
C:\Program Files (x86)\gp467Q7v2Y
C:\Program Files (x86)\Jiricultclerroly
C:\Program Files (x86)\Kerberpharejoge
C:\Windows\AutoKMS

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
---

Reset the browsers that you use and have been compromised.

How To:
https://www.howtogeek.com/171924/how-to-reset-your-web-browser-to-its-default-settings/
===

Please let me know what problem persists with this computer.
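
The fixlist above targets four kinds of persistence artifact: scheduled tasks whose action is an executable in a randomly named "Program Files (x86)" folder (updengine.exe, nahit.exe, ghlisp.exe), regsvr32 loading a DLL out of ProgramData, or a task file that no longer exists; alternate data streams attached to C:\ProgramData\Temp; Chrome policy and per-machine extension registry entries; and a local Group Policy script restriction. The following PowerShell audit is an added example, not part of nasdaq's instructions and not code from FRST; it enumerates those same locations read-only so a responder can confirm what remains after the fix has run. It assumes an elevated Windows PowerShell 5.1 (or newer) session on Windows 8.1 or later, where Get-ScheduledTask exists; the path lists, the LOLBin regex and the "unsigned outside System32" heuristic are choices made for this example.

```powershell
# Read-only audit of the persistence locations the FRST fixlist above cleans.
# Added example (not from the thread or from FRST). Assumes elevated Windows PowerShell 5.1+
# on Windows 8.1+ (Get-ScheduledTask). It reports only; nothing is deleted or modified.

function Get-TaskFindings {
    # Tasks whose action is a LOLBin with a payload in a data directory, a missing binary,
    # a bare browser launch of a URL, or an unsigned binary outside System32/SysWOW64.
    $findings = @()
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # COM-handler actions have no Execute
            $exe       = [Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"'))
            $argString = [string]$action.Arguments
            $image     = [IO.Path]::GetFileName($exe)
            $reason    = $null

            if ($image -match '^(regsvr32|rundll32|mshta|wscript|cscript|powershell)(\.exe)?$' -and
                $argString -match 'PROGRA~3|ProgramData|AppData|\\Temp\\') {
                $reason = 'LOLBin launched with a payload from a data directory'
            } elseif ($exe -notmatch '\\') {
                # bare image name (e.g. Firefox.exe) resolved through PATH
                if ($argString -match 'https?://') { $reason = 'Task opens a URL in a browser' }
            } elseif (-not (Test-Path -LiteralPath $exe)) {
                $reason = 'Executable missing (orphaned task)'
            } elseif ($exe -notmatch '^[A-Za-z]:\\Windows\\(System32|SysWOW64)\\' -and
                      (Get-AuthenticodeSignature -LiteralPath $exe).Status -ne 'Valid') {
                $reason = 'Unsigned executable outside System32/SysWOW64'
            }

            if ($reason) {
                $findings += [pscustomobject]@{
                    Type   = 'Task'
                    Item   = $task.TaskPath + $task.TaskName
                    Detail = ("$exe $argString").Trim()
                    Reason = $reason
                }
            }
        }
    }
    $findings
}

function Get-AdsFindings {
    # Alternate data streams such as ProgramData\Temp:1AAB2E68 in the fixlist. Windows
    # PowerShell 5.1 enumerates streams on files only; PowerShell 7 covers directories too.
    param([string[]]$Roots = @($env:ProgramData, "$env:ProgramData\Temp"))
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        $items = @(Get-Item -LiteralPath $root -Force) +
                 @(Get-ChildItem -LiteralPath $root -Force -ErrorAction SilentlyContinue)
        foreach ($item in $items) {
            Get-Item -LiteralPath $item.FullName -Force -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    [pscustomobject]@{ Type = 'ADS'; Item = "$($_.FileName):$($_.Stream)"
                                       Detail = "$($_.Length) bytes"; Reason = 'Alternate data stream present' }
                }
        }
    }
}

function Get-ChromeRegistryFindings {
    # Chrome policy keys ("GroupPolicy: Restriction - Chrome") and the per-machine extension
    # install keys behind the "CHR HKLM-x32\...\Chrome\Extension" lines.
    $keys = @('HKLM:\SOFTWARE\Policies\Google\Chrome',
              'HKLM:\SOFTWARE\Google\Chrome\Extensions',
              'HKLM:\SOFTWARE\Wow6432Node\Google\Chrome\Extensions')
    foreach ($key in $keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        foreach ($sub in @(Get-Item -LiteralPath $key) + @(Get-ChildItem -LiteralPath $key -Recurse)) {
            $values = $sub.GetValueNames() | ForEach-Object { "$_=$($sub.GetValue($_))" }
            if (-not $values) { continue }
            [pscustomobject]@{ Type = 'Registry'; Item = $sub.Name; Detail = ($values -join '; ')
                               Reason = 'Chrome policy or extension entry set outside the browser' }
        }
    }
}

function Get-GpScriptFindings {
    # Local GPO script definitions ("GroupPolicyScripts: Restriction" in the FRST log).
    foreach ($ini in @("$env:windir\System32\GroupPolicy\Machine\Scripts\scripts.ini",
                       "$env:windir\System32\GroupPolicy\User\Scripts\scripts.ini")) {
        if (Test-Path -LiteralPath $ini) {
            [pscustomobject]@{ Type = 'GPScript'; Item = $ini
                               Detail = ((Get-Content -LiteralPath $ini -Force) -join ' ')
                               Reason = 'Local Group Policy startup/logon script configured' }
        }
    }
}

$report = @(Get-TaskFindings) + @(Get-AdsFindings) + @(Get-ChromeRegistryFindings) + @(Get-GpScriptFindings)
$report | Sort-Object Type, Item | Format-Table -AutoSize -Wrap
```

Run it once before the fix to see the same entries FRST lists, and again after the Fixlog is produced: a clean second run (no Task, ADS, Registry or GPScript rows) is the confirmation that the scheduled tasks, streams and policy keys were actually removed rather than just the pop-ups stopping. The "unsigned outside System32" rule will also surface legitimate unsigned software, so treat its rows as leads to check, not verdicts.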

#5 Marco1607

Marco1607
  • Topic Starter

  • Members
  • 6 posts

Posted 14 May 2017 - 03:25 PM

Great I'm not getting that pop up now. I think it got fixed.

I ran Rogue Killer scan and deleted the files you have mentioned above.

I did Farbar fix also. Attached is the result..

Thank you so much for the help.

Marco

Attached Files



#6 nasdaq

nasdaq

  • Malware Response Team
  • 38,933 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 15 May 2017 - 09:28 AM

Glad we could help.

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/


https://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
Simple and easy ways to keep your computer safe and secure on the Internet.
===
