Downloaded OCCT from TechAdvisor then my antivirus detected viruses


10 replies to this topic

#1 Vultrio (Members, 33 posts)

Posted 07 August 2017 - 02:54 PM

Hello, I have little to no knowledge when it comes to viruses and stuff, so let me explain.

I recently got my new gaming computer Saturday and I wanted all the programs my old one had. The last program was OCCT, which I use to check my core temperatures, so a friend of mine said TechAdvisor was a safe place. I downloaded it from there, blindly letting it through, and boom, my Comodo detected problems.

 

Comodo detected two malware incursions:
One was called Malware[at]#3orm6gfquetum in
C:\Users\John\AppData\Local\Temp\D55821098924051.dat

The other was ApplicUnwnt[at]#20kefu0jrzjud in
C:\VTRoot\HarddiskVolume2\Users\John\AppData\Local\{C06DF631-E4C5-9A89-895D-BF61AD3543F9}\uninst.exe

VirusScope also blocked a malware called Generic.Infector.2 in the file
C:\Users\Johns\Downloads\OCCT_4.5.0.exe

 

I also ran Malwarebytes just in case and it came up with 3 PUPs in HKU\S: PUP.Optional.InstallCore and PUP.Optional.Productsetup as registry keys, and a PUP.Optional.ProductSetup as a registry value.

 

I was further worried due to the fact that I allowed a DMGR1.25_010D0G1V1E1R1T1Q2X1L1B1F1C1.25.exe access to my PC, after which OCCT requested access to install.

 

Afterwards I performed a quick scan with Comodo & Malwarebytes twice, scanned with AdwCleaner and TDSSKiller, then used CCleaner to clean up. Restarted in safe mode and quick scanned with Malwarebytes. Recently turned my PC on and scanned again.

 

I've not noticed anything different with my PC other than a random Avast desktop icon I deleted. Since I use Comodo I sent them the same message in their forums, but so far have received nothing from my private messages or topic.

 

Later on, still worried (still am honestly), I performed a custom scan with Malwarebytes of my C: drive, during which Comodo caught this piece:

TrojWare.VBS.Agent.DY[at]434468824 located at C:\VTRoot\HarddiskVolume2\Users\Johns\AppData\Roaming\Lomepibinute

 

and of course more alarm bells sounded. Near the end of the night before bed it was suggested to me to use HitmanPro, which I did, and found this:

 

C:\Users\Johns\AppData\Local\Temp\DMGR1.25\DMGR1.25_0I0D0G1V1E1R1T1Q2X1L1B1F1C1.25.exe

which I was worried about earlier and 

C:\Users\Johns\AppData\Local\Temp\tmp10957888\figetero.exe

plus here's the data on them:
 C:\Users\Johns\AppData\Local\Temp\DMGR1.25\DMGR1.25_0I0D0G1V1E1R1T1Q2X1L1B1F1C1.25.exe -> Quarantined
      Size . . . . . . . : 1,313,917 bytes
      Age  . . . . . . . : 0.3 days (2017-08-06 16:23:24)
      Entropy  . . . . . : 8.0
      SHA-256  . . . . . : 6BD5AE5579A230E6B87BA99E84CB8943137AEB88BA1C0B3328B128E98F0839A3
      Product  . . . . . : Fuhu                                                        
      Publisher  . . . . : Lafami                                                      
      Description  . . . : Fuhu Setup                                                  
      Version  . . . . . : 3.7.2.4
      LanguageID . . . . : 0
    > HitmanPro  . . . . : Malware
      Fuzzy  . . . . . . : 110.0
      Forensic Cluster
         -2.8s C:\Users\Johns\AppData\Local\Temp\tmp10957888\
         -0.8s C:\Users\Johns\Downloads\OCCTPT4.5.0.exe
          0.0s C:\Users\Johns\AppData\Local\Temp\DMGR1.25\DMGR1.25_0I0D0G1V1E1R1T1Q2X1L1B1F1C1.25.exe
          0.1s C:\Users\Johns\AppData\Local\Temp\tmp10957888\figetero.exe
          0.2s C:\Users\Johns\AppData\Local\Temp\DMGR1.25\

   C:\Users\Johns\AppData\Local\Temp\tmp10957888\figetero.exe -> Quarantined
      Size . . . . . . . : 285,696 bytes
      Age  . . . . . . . : 0.3 days (2017-08-06 16:23:24)
      Entropy  . . . . . : 7.9
      SHA-256  . . . . . : BD9935078CC9B243B4A210BDF2FE966D05760B8C41F0F9838EEC63228396E2DF
      Product  . . . . . : Cuco Hecotege
      Publisher  . . . . : Sofapiku Software
      Description
      Version  . . . . . : 3.5.49.55
      Copyright  . . . . : Sofapiku Software
      LanguageID . . . . : 1033
    > Kaspersky  . . . . : not-a-virus:HEUR:AdWare.Win32.Generic
      Fuzzy  . . . . . . : 110.0
      Forensic Cluster
         -2.9s C:\Users\Johns\AppData\Local\Temp\tmp10957888\
         -0.9s C:\Users\Johns\Downloads\OCCTPT4.5.0.exe
         -0.1s C:\Users\Johns\AppData\Local\Temp\DMGR1.25\DMGR1.25_0I0D0G1V1E1R1T1Q2X1L1B1F1C1.25.exe
          0.0s C:\Users\Johns\AppData\Local\Temp\tmp10957888\figetero.exe
          0.2s C:\Users\Johns\AppData\Local\Temp\DMGR1.25\

 

Followed by a final custom scan from Malwarebytes which included Rootkits.

 

It's been a day and I've still heard nothing from Comodo's forums. I've scanned again with Comodo and Malwarebytes and still not noticed anything wrong. However, I need help and advice as my knowledge and capability on this is limited and my worrying is keeping me from gaming. I have since deleted OCCT and wish I had never downloaded it.

 

So if anyone can tell me if I'm safe, what this information means or if I need to do more I'd really appreciate it.
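The HitmanPro output above gives three things a practitioner can act on without any AV product: the SHA-256 of each quarantined file, its byte entropy (8.0 and 7.9, i.e. packed or encrypted payloads), and a "Forensic Cluster" showing that the dropper, figetero.exe and the downloaded OCCTPT4.5.0.exe were all created within about three seconds of each other. The following is an added example, not code from the post or from HitmanPro: it hashes a file and checks it against the two SHA-256 values quoted above, computes Shannon entropy, and rebuilds a HitmanPro-style cluster from file timestamps. The 7.5 entropy threshold, the sample files, the absolute timestamps and the unrelated notepad.exe entry are all constructed assumptions.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter
from datetime import datetime, timedelta

# SHA-256 values exactly as HitmanPro reported them in the post above; any other
# entry in this table would be an assumption.
KNOWN_BAD_SHA256 = {
    "6bd5ae5579a230e6b87ba99e84cb8943137aeb88ba1c0b3328b128e98f0839a3":
        "DMGR1.25 dropper (HitmanPro: Malware)",
    "bd9935078cc9b243b4a210bdf2fe966d05760b8c41f0f9838eec63228396e2df":
        "figetero.exe (Kaspersky: not-a-virus:HEUR:AdWare.Win32.Generic)",
}


def sha256_file(path, chunk=1 << 20):
    """Streamed SHA-256 so large installers are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def shannon_entropy(data):
    """Bits per byte: 0.0 for a constant file, 8.0 for uniformly distributed bytes
    (what a packed or encrypted payload looks like; HitmanPro printed 8.0 above)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def assess(path, entropy_threshold=7.5):
    """Flag a file if its hash is a known-bad IOC or its entropy suggests packing.
    The 7.5 threshold is a working assumption, not a published cut-off."""
    digest = sha256_file(path)
    with open(path, "rb") as f:
        ent = shannon_entropy(f.read())
    flags = []
    if digest in KNOWN_BAD_SHA256:
        flags.append("known-bad: " + KNOWN_BAD_SHA256[digest])
    if ent >= entropy_threshold:
        flags.append(f"high entropy {ent:.2f}: packed/encrypted payload, inspect before running")
    return {"sha256": digest, "entropy": round(ent, 2), "flags": flags}


def forensic_cluster(events, anchor, window=timedelta(seconds=3)):
    """Files created within `window` of the anchor file, with offsets in seconds,
    in the style of HitmanPro's 'Forensic Cluster'. `events` maps path -> datetime."""
    t0 = events[anchor]
    hits = [(p, t) for p, t in events.items() if abs(t - t0) <= window]
    hits.sort(key=lambda pt: pt[1])
    return [(round((t - t0).total_seconds(), 1), p) for p, t in hits]


def demo_assess():
    """Constructed sample files (not the files from the post): one with every byte
    value equally frequent (entropy exactly 8.0) and one plain repetitive file."""
    with tempfile.TemporaryDirectory() as d:
        packed = os.path.join(d, "sample_setup.exe")
        plain = os.path.join(d, "readme.txt")
        with open(packed, "wb") as f:
            f.write(bytes(range(256)) * 16)
        with open(plain, "wb") as f:
            f.write(b"A" * 4096)
        return assess(packed), assess(plain)


# Timeline modelled on the offsets HitmanPro printed for the DMGR1.25 dropper;
# the absolute times and the unrelated notepad.exe entry are constructed here.
DROPPER = r"C:\Users\Johns\AppData\Local\Temp\DMGR1.25\DMGR1.25_0I0D0G1V1E1R1T1Q2X1L1B1F1C1.25.exe"
_T0 = datetime(2017, 8, 6, 16, 23, 24)
SAMPLE_EVENTS = {
    r"C:\Users\Johns\AppData\Local\Temp\tmp10957888": _T0 - timedelta(seconds=2.8),
    r"C:\Users\Johns\Downloads\OCCTPT4.5.0.exe": _T0 - timedelta(seconds=0.8),
    DROPPER: _T0,
    r"C:\Users\Johns\AppData\Local\Temp\tmp10957888\figetero.exe": _T0 + timedelta(seconds=0.1),
    r"C:\Users\Johns\AppData\Local\Temp\DMGR1.25": _T0 + timedelta(seconds=0.2),
    r"C:\Windows\System32\notepad.exe": _T0 - timedelta(days=30),  # outside the window
}


def demo_cluster():
    return forensic_cluster(SAMPLE_EVENTS, DROPPER)


if __name__ == "__main__":
    for result in demo_assess():
        print(result)
    for offset, path in demo_cluster():
        print(f"{offset:+5.1f}s  {path}")
```

On a real machine you would feed `assess()` the downloaded installer before running it, and `forensic_cluster()` a dict built from `os.stat(p).st_ctime` over `%TEMP%` and `Downloads`; the download sitting 0.8 s before the dropper is what ties the bundled "DMGR" installer to the OCCT package rather than to anything else on the PC.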




#2 buddy215 (Moderator, 13,496 posts, West Tennessee)

Posted 07 August 2017 - 03:44 PM

Once you get the adware/ malware off the computer then check out SpeedFan - Access temperature sensor in your computer

It's a program that I've used in Windows and liked it.

 

Suggest you uninstall HitmanPro.

 

Download Malwarebytes Anti-Rootkit (MBAR) to your desktop.

  • Warning! Malwarebytes Anti-Rootkit needs to be run from an account with administrator rights.
  • Double click on downloaded file. OK self extracting prompt.
  • MBAR will start. Click "Next" to continue.
  • Click in the following screen "Update" to obtain the latest malware definitions.
  • Once the update is complete select "Next" and click "Scan".
  • When the scan is finished and no malware has been found select "Exit".
  • If malware was detected, make sure to check all the items and click "Cleanup". Reboot your computer.
  • Open the MBAR folder located on your Desktop and paste the content of the following files in your next reply:
  • "mbar-log-{date} (xx-xx-xx).txt"

 

  • Download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 Vultrio (Topic Starter, Members, 33 posts)

Posted 07 August 2017 - 03:57 PM

When you say shut down my protective software what do you mean by that?



#4 buddy215 (Moderator, 13,496 posts, West Tennessee)

Posted 07 August 2017 - 04:05 PM

Yes...it is recommended that you shut down Comodo if it is running in the background. Be sure to restart it once JRT's scan is completed and you have rebooted, if JRT requires it.



#5 Vultrio (Topic Starter, Members, 33 posts)

Posted 07 August 2017 - 04:11 PM

OK, stupid question: how do I turn Comodo off? I'm really new at this and Junkware is waiting.



#6 Vultrio (Topic Starter, Members, 33 posts)

Posted 07 August 2017 - 04:22 PM

I figured it out. Here are the results from MBAR:

 

Malwarebytes Anti-Rootkit BETA 1.9.3.1001
www.malwarebytes.org
 
Database version:
  main:    v2017.08.07.09
  rootkit: v2017.08.02.01
 
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.18738
Johns :: JOHNS-PC [administrator]
 
07/08/2017 21:59:00
mbar-log-2017-08-07 (21-59-00).txt
 
Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled: 
Objects scanned: 242722
Time elapsed: 6 minute(s), 9 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 0
(No malicious items detected)
 
Physical Sectors Detected: 0
(No malicious items detected)
 
(end)
 
 
and the Junkware tool:
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.1.4 (07.09.2017)
Operating System: Windows 7 Professional x64 
Ran by Johns (Administrator) on 07/08/2017 at 22:15:25.43
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
File System: 24 
 
Successfully deleted: C:\Users\Johns\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0PS72R2M (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Johns\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2TR4K98O (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Johns\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\51DW2IAH (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Johns\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\62AXOPQ5 (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Johns\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\639UGL7M (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Johns\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FZG8CKJ5 (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Johns\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I6ML7F3I (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Johns\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LIXMVQOA (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Johns\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MK1TZOBF (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Johns\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OFWY04NS (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Johns\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U2I1HVYH (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Johns\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WWQSMZ57 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0PS72R2M (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2TR4K98O (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\51DW2IAH (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\62AXOPQ5 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\639UGL7M (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FZG8CKJ5 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I6ML7F3I (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LIXMVQOA (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MK1TZOBF (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OFWY04NS (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\U2I1HVYH (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WWQSMZ57 (Temporary Internet Files Folder) 
 
 
 
Registry: 0 
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 07/08/2017 at 22:17:39.83
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
So what does this mean exactly? Also, when I disabled Comodo's antivirus I was wondering: what's the difference between On Access and Stateful?

Just curious. Also, wouldn't turning off the antivirus be dangerous?



#7 buddy215 (Moderator, 13,496 posts, West Tennessee)

Posted 07 August 2017 - 04:26 PM

No...turning off security programs temporarily is not dangerous. Just be sure to reactivate it.

 

Nothing was found. Are you experiencing any unusual ad activity or maybe slowness?

 

I am not familiar with Comodo settings. Are you using the free version? If so, it likely installed adware.



#8 Vultrio (Topic Starter, Members, 33 posts)

Posted 07 August 2017 - 04:31 PM

I've not noticed anything out of the ordinary, then again I've only had this computer for 3 days, and I am well aware of Comodo's love of installing crap I don't want: GeekBuddy, Comodo Dragon, etc. Still, it's got a good firewall. My computer seems fine. Nothing out of the unusual other than that massive 184-item Windows Update the other night, but that's probably a side effect of the fact that my dad failed to even properly install the service pack.

 

Does it look like I am in the clear buddy215?



#9 buddy215 (Moderator, 13,496 posts, West Tennessee)

Posted 07 August 2017 - 04:51 PM

Yes...I think you are good to go.

 

You can block third-party cookies from installing. Those are the ad/tracking cookies. Once you have blocked them from installing, use CCleaner to remove the existing ones.

How to disable third-party cookies in all major web browsers

 

 

If you don't have an ad blocker installed I suggest using Adblock Plus. Once installed, click on the ABP icon at the top of your browser and choose Filter Preferences. Then UNcheck the box next to "Allow some non-intrusive advertisements".

Adblock Plus - Chrome Web Store   Adblock Plus :: Add-ons for Firefox   Adblock Plus for Edge browser   Adblock Plus for IE



#10 Vultrio (Topic Starter, Members, 33 posts)

Posted 07 August 2017 - 05:03 PM

OK, I did not know you could block those cookies. Now they are blocked, CCleaner has done its job, and I already use an ad blocker.

 

While I'm sure my problem was not as serious as some others you've tackled I'd like to personally thank you and this site for helping me and providing a great service.

You're awesome, keep up the good work.

 

Is there any other advice you can give me before I head off to bed?



#11 buddy215 (Moderator, 13,496 posts, West Tennessee)

Posted 07 August 2017 - 05:13 PM

Nope...sweet dreams and don't let the bedbugs bite..:)   You're welcome...happy surfin'

