SVC miner, trojan

Hi, I recently removed a bunch of bad stuff via MBAM, MBR, MSE, etc. and I'm trying to see if I'm still at risk/clean everything completely.

Here's the dds.txt:

to BleepingComputer.

Hi there,

my name is Jo and I will help you with your computer problems.

• Read and follow the instructions in the sequence they are posted.
• print or copy & save instructions.
• back up all your private data / music / important files on another (external) drive before using our tools.
• Do not install / uninstall any applications, unless otherwise instructed.
• Use only that tools you have been instructed to use.
• Copy and Paste the log files inside your post, unless otherwise instructed.
• Ask for clarification, if you have any questions.
• Stay with this topic til you get the all clean post.
• My first language is not english. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

***

• Save it to your Desktop.
• Close your security software to avoid potential conflicts.
• Double click RGSA.exe
• Click OK on the copyright-disclaimer
• When finished, a Notepad window will open with the results of the scan.
• The log named SALog.txt can also be found on the Desktop or in the same folder from where the tool is run if installed elsewhere.
• Please copy and paste the contents of that log in this topic.
• Note:

***

• Be sure to print out and follow the instructions provided on that same page.
• Caution: This is a beta version so please be sure to read the disclaimer and back up all your data before using.
• Double click on downloaded file. OK self extracting prompt.
• MBAR will start. Click in the introduction screen "next" to continue.
• Click in the following screen "Update" to obtain the latest malware definitions.
• Once the update is complete select "Next" and click "Scan".

• 'Could not load protection driver'. Click 'OK'.
• 'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.

• If malware is found - do not press the Clean up button, please go to the MBAR folder and then copy/paste the contents of the MBAR-log-***.txt file to your next reply.
• If there is no malware found, please let me know as well.

***

Please download AdwCleaner by Xplode and save to your Desktop.

• Click on the Scan button.
• AdwCleaner will begin...be patient as the scan may take some time to complete.
• After the scan has finished, click on the Logfile button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
• The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it.
  If you see an entry you want to keep, let me know about it.
• Copy and paste the contents of that logfile in your next reply.
• A copy of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.

***

• Right-click FRST then click "Run as administrator" (XP users: click run after receipt of Windows Security Warning - Open File).
• When the tool opens, click Yes to disclaimer.
• Press the Scan button.
• When finished, it will produce a log called FRST.txt in the same directory the tool was run from.
• Please copy and paste the log in your next reply.

Edited by rm540, 05 July 2017 - 03:16 PM.

Edited by rm540, 05 July 2017 - 03:19 PM.

• Scan your system for malware
• If malware is found, click on the Cleanup button to remove any threats and reboot if prompted to do so.
• Wait while the system shuts down and the cleanup process is performed.
• then please go to the MBAR folder and then copy/paste the contents of the MBAR-log-***.txt file to your next reply.
• If there is no malware found, please let me know as well.

***

• Click on the Scan button.
• AdwCleaner will begin...be patient as the scan may take some time to complete.
• After the scan has finished, click on the Clean button.
• Press OK when asked to close all programs and follow the onscreen prompts.
• Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
• After rebooting, a logfile report (AdwCleaner[C#].txt) will open automatically (where the largest value of # represents the most recent report).
• Copy and paste the contents of that logfile in your next reply.
• A copy of that logfile will also be saved in the C:\AdwCleaner folder.

***

• JRT will begin to backup your registry and start scanning your system.
• Please be patient as this can take a while to complete depending on your system's specifications.
• On completion, the log JRT.txt is saved on your desktop and will automatically open.

***

***

• Right-click FRST / FSRT64 then click "Run as administrator" (XP users: click run after receipt of Windows Security Warning - Open File).
• When the tool opens, click Yes to disclaimer.
• Put a check into the boxes next to Addition.txt and Shortcut.txt. Then press the Scan button.
• When finished, it will produce logs called FRST.txt, Shortcut.txt and Addition.txt in the same directory the tool was run from.
• Please copy and paste both logs in your next reply.

I'm not sure why  C:\Users\editor\Desktop\Dig Deep is being flagged, I don't see anything other than video files and video editing project files. I have hidden files turned on. Mbar didn't find anything.

I manually discovered the culprit of at least some of the unauthorized remote access. I'm not sure how this user got there, if it's safe to delete, etc.

C:\Users\Default.AVID4\Desktop\

C:\Users\Default.AVID4\Desktop\RDP Admin Restore

C:\Users\Default.AVID4\Desktop\RDP Admin Restore\02_disable_NLA.reg

C:\Users\Default.AVID4\Desktop\RDP Admin Restore\reset_p.bat

C:\Users\Default.AVID4\Desktop\RDP Admin Restore\Your ID.txt

C:\Users\Default.AVID4\Desktop\RDP Watcher

C:\Users\Default.AVID4\Desktop\RDP Watcher\disable_UI0Detect.bat

C:\Users\Default.AVID4\Desktop\RDP Watcher\disable_win_Firewall.bat

C:\Users\Default.AVID4\Desktop\RDP Watcher\Your ID.txt

C:\Users\Default.AVID4\Desktop\UniversalTermsrvPatch_20090425

C:\Users\Default.AVID4\Desktop\UniversalTermsrvPatch_20090425\Readme.txt

C:\Users\Default.AVID4\Desktop\UniversalTermsrvPatch_20090425\vista.reg

C:\Users\Default.AVID4\Desktop\UniversalTermsrvPatch_20090425\xp.reg

C:\Users\Default.AVID4\Desktop\GoogleChromePortable_57.0.2987.133_online.paf.exe

I read the contents of each file and reversed most of the changes. Unfortunately these files are not malware alone, and are therefore not detected, but obviously they have enabled remote execution of code by enabling unrestricted terminal service access. I'm hoping the hardware firewall will block this in the future, but how can I be sure? 

reset_p.bat I don't know how to prevent - I will PM the full code if you like. It essentially can give the remote user admin privs - I believe it's the first step into compromising further. 

The main part of the code gives the remote user admin privileges through a .vbs script and deletes evidence of doing so. This second part enables sticky keys to enable an exploit, but I'm not sure what to do about this as I couldn't find these registry entries:

REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /t REG_SZ /d "C:\Windows\PreInstall\uddi.exe"

Actually, at least some of the suspicious programs were detected by another scanner, unfortunately I've been running a lot of them so I don't remember which one generated this log file "SCK.txt". It was possibly esetonlinescanner.

Here are the contents of that log:

I'm not sure why  C:\Users\editor\Desktop\Dig Deep is being flagged, I don't see anything other than video files and video editing project files. I have hidden files turned on. Mbar didn't find anything.
 
I manually discovered the culprit of at least some of the unauthorized remote access. I'm not sure how this user got there, if it's safe to delete, etc.
 
C:\Users\Default.AVID4\Desktop\
C:\Users\Default.AVID4\Desktop\RDP Admin Restore
C:\Users\Default.AVID4\Desktop\RDP Admin Restore\02_disable_NLA.reg
C:\Users\Default.AVID4\Desktop\RDP Admin Restore\reset_p.bat
C:\Users\Default.AVID4\Desktop\RDP Admin Restore\Your ID.txt
C:\Users\Default.AVID4\Desktop\RDP Watcher
C:\Users\Default.AVID4\Desktop\RDP Watcher\disable_UI0Detect.bat
C:\Users\Default.AVID4\Desktop\RDP Watcher\disable_win_Firewall.bat
C:\Users\Default.AVID4\Desktop\RDP Watcher\Your ID.txt
C:\Users\Default.AVID4\Desktop\UniversalTermsrvPatch_20090425
C:\Users\Default.AVID4\Desktop\UniversalTermsrvPatch_20090425\Readme.txt
C:\Users\Default.AVID4\Desktop\UniversalTermsrvPatch_20090425\vista.reg
C:\Users\Default.AVID4\Desktop\UniversalTermsrvPatch_20090425\xp.reg
C:\Users\Default.AVID4\Desktop\GoogleChromePortable_57.0.2987.133_online.paf.exe
 
 
I read the contents of each file and reversed most of the changes. Unfortunately these files are not malware alone, and are therefore not detected, but obviously they have enabled remote execution of code by enabling unrestricted terminal service access. I'm hoping the hardware firewall will block this in the future, but how can I be sure? 
 
reset_p.bat I don't know how to prevent - I will PM the full code if you like. It essentially can give the remote user admin privs - I believe it's the first step into compromising further. 
 
The main part of the code gives the remote user admin privileges through a .vbs script and deletes evidence of doing so. This second part enables sticky keys to enable an exploit, but I'm not sure what to do about this as I couldn't find these registry entries:
 
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /t REG_SZ /d "C:\Windows\PreInstall\uddi.exe"

Start
CreateRestorePoint:
CloseProcesses:
HKU\S-1-5-21-3225783554-34173836-2973484787-1001\...\Run: [AdobeBridge] => [X]
GroupPolicy: Restriction <==== ATTENTION
GroupPolicy\User: Restriction <==== ATTENTION
GroupPolicyScripts: Restriction <==== ATTENTION
GroupPolicyScripts\User: Restriction <==== ATTENTION
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-3225783554-34173836-2973484787-500 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=CMDTDF&pc=CMDTDF&src=IE-SearchBox
FF HKLM-x32\...\Firefox\Extensions: [ISAllmytube@iSkysoft.com] - C:\ProgramData\iSkysoft\iTube Studio\ISAllmytube@iSkysoft.com
FF Extension: (iSkysoft iTube Studio) - C:\ProgramData\iSkysoft\iTube Studio\ISAllmytube@iSkysoft.com [2015-11-24] [not signed]
CHR Extension: (Chrome Media Router) - C:\Users\editor\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-06-28]
S4 TermService; %ProgramFiles%\RDP Wrapper\rdpwrap.dll [X]
2017-07-05 12:17 - 2017-07-05 12:17 - 00528106 _____ C:\Users\editor\Downloads\Silent Runners.vbs
CustomCLSID: HKU\S-1-5-21-3225783554-34173836-2973484787-1001_Classes\CLSID\{073CB204-6B29-46FC-AB98-451F1D068741}\InprocServer32 -> C:\Program Files\Autodesk\3ds Max 2018\Inventor Server\Bin\TestServer.dll => No File
CustomCLSID: HKU\S-1-5-21-3225783554-34173836-2973484787-1001_Classes\CLSID\{8C23B656-4E6E-4B45-9920-9617168D39A3}\InprocServer32 -> C:\Program Files\Autodesk\3ds Max 2018\Inventor Server\Bin\TestServer.dll => No File
CustomCLSID: HKU\S-1-5-21-3225783554-34173836-2973484787-1001_Classes\CLSID\{E5B0515D-48D2-4F04-906D-0192ED65A2DD}\InprocServer32 -> C:\Program Files\Autodesk\3ds Max 2018\Inventor Server\Bin\TestServer.dll => No File
ContextMenuHandlers01: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} =>  -> No File
ContextMenuHandlers04: [MSSE] -> {0365FE2C-F183-4091-AC82-BFC39FB75C49} =>  -> No File
ContextMenuHandlers06: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} =>  -> No File
AlternateDataStreams: C:\ProgramData\Microsoft:0LzQmy2yLXIkuOxWrd [1910]
AlternateDataStreams: C:\ProgramData\Microsoft:kcBk6PcxHyvHjtR8 [2314]
AlternateDataStreams: C:\ProgramData\Microsoft:lIp54pnOEvBhOzqQjZpz2nn [2310]
AlternateDataStreams: C:\ProgramData\Microsoft:Ocomea4gZtY3lSOUf5iphCE [2038]
AlternateDataStreams: C:\ProgramData\Microsoft:v3g4yepAVzDTtez7meXIUiueJ [1956]
AlternateDataStreams: C:\ProgramData\Microsoft:Xm9UIZv3H4zTt7eqpuDLw7zIg [2260]
AlternateDataStreams: C:\ProgramData\PACE:B90686C2DDD4C048 [217]
AlternateDataStreams: C:\Users\editor\Cookies:EOqXQzoQSm4Yr9HXggRR4KKY [1930]
AlternateDataStreams: C:\Users\editor\Downloads\PICKUPS1.avb:BINSTATE_RSRC [131074]
AlternateDataStreams: C:\Users\editor\Downloads\TrueLife_FullScreenCredits_CreditCrunch.avb:BINSTATE_RSRC [131074]
AlternateDataStreams: C:\Users\editor\AppData\Local\Temporary Internet Files:KXXPwIqcZrAoHR5V6MIVZYrg [2354]
End

Edited by rm540, 06 July 2017 - 11:57 AM.

Also, I'm not certain that the users IUSR_Servs and Default.AVID4 (where I found the remote exploits) were created by the malware, but I did not create them. Can I still delete them? Their C:\Users folders were created at the exact same time, but only IUSR_Servs is listed in the "User Profiles" section of system properties. 

Edited by rm540, 06 July 2017 - 12:04 PM.

• rkill.exe
• rkill.com
• rkill.scr
• WiNlOgOn.exe
• uSeRiNiT.exe

---

• Double-click mb3-setup-1878.1878-3.4.5.2467.exe and follow the prompts to install the program.
• At the end, be sure a checkmark is placed next to the following:
  • Launch Malwarebytes Anti-Malware
  • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
• Click Finish.
• On the Dashboard, click the 'Update Now >>' link
• After the update completes, click the 'Scan Now >>' button.
• Or, on the Dashboard, click the Scan Now >> button.
• If an update is available, click the Update Now button.
• A Threat Scan will begin.
• When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
• In most cases, a restart will be required.
• Wait for the prompt to restart the computer to appear, then click on Yes.

• After the restart once you are back at your desktop, open MBAM once more.
• Click on the History tab > Application Logs.
• Double click on the scan log which shows the Date and time of the scan just performed.
• Click 'Export'.
• Click 'Text file (*.txt)'
• In the Save File dialog box which appears, click on Desktop.
• In the File name: box type a name for your scan log.
• A message box named 'File Saved' should appear stating "Your file has been successfully exported".
• Click Ok
• Attach that saved log to your next reply.

• After the restart once you are back at your desktop, open MBAM once more.
• Click on the History tab > Application Logs.
• Double click on the scan log which shows the Date and time of the scan just performed.
• Click 'Copy to Clipboard'
• Paste the contents of the clipboard into your reply.

---

• Click here to download Emsisoft Emergency Kit. The download will automatically start after a moment.
• Save EmsisoftEmergencyKit.exe to your Desktop.
• Double click on EmsisoftEmergencyKit.exe (Windows Vista/7/8 users: Accept UAC warning if it is enabled). A screen like this will appear:
  
• Leave everything as it is, then click Extract. This will unpack Emsisoft Emergency Kit to the EEK folder located in the root drive (usually C:\).
• Once the extraction is done, an icon will appear on your Desktop. Double click it to start Emsisoft Emergency Kit.
• Wait for Emsisoft Emergency Kit to finish loading signatures. A screen like this should appear:
  
• Choose Yes, then wait for EEK to finish updating.
• Choose Malware Scan under the Scan button. When EEK asks to activate PUP detection, choose Yes.
• Wait for the scan to finish.
  
• If EEK detects something, all detected items will be displayed. Place a checkmark before everything, then choose Quarantine Selected.
• If Emsisoft Emergency Kit asks to reboot, please do so immediately.
• The scan log is located in Logs -> Scan Logs. Click on the entry of the latest scan, choose Export and save the report on your Desktop.
  
• Please Copy and Paste the contents of the scan log in your next reply.

***

***

Edited by rm540, 06 July 2017 - 03:12 PM.