Some sort of malware (Mail.ru) is being downloaded using cmds


This topic is locked
18 replies to this topic

#1 Computa

  • Members
  • 8 posts

Posted 13 January 2018 - 04:45 PM

I recently downloaded some malware by accident. It was 'Mail.ru', but using Malwarebytes and Avast I removed it quickly.

 

Every 3 hours or so a command prompt opens and tries to download malware or a virus, but Malwarebytes stops it before damage is done.

 

Is there any way to stop this?


Edited by hamluis, 13 January 2018 - 06:10 PM.
Moved from MRL to Am I Infected...moved back - Hamluis.



#2 satchfan

  • Malware Response Team
  • 2,668 posts
  • Gender: Female
  • Location: Devon, UK

Posted 13 January 2018 - 05:29 PM

Hello Computa and welcome to the Bleeping Computer forum.

My name is Satchfan and I would be glad to help you with your computer problem.

Please read the following guidelines which will help to make cleaning your machine easier:

  • please follow all instructions in the order posted
  • please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear
  • all logs/reports, etc. must be posted in Notepad. Please ensure that word wrap is unchecked. In Notepad click Format, uncheck Word wrap if it is checked
  • if you don't understand something, please don't hesitate to ask for clarification before proceeding
  • the fixes are specific to your problem and should only be used for this issue on this machine.
  • please reply within 3 days. If you do not reply within this period I will post a reminder but topics with no reply in 4 days will be closed!

IMPORTANT:

Please DO NOT install/uninstall any programs unless asked to.
Please DO NOT run any scans other than those requested

===================================================

Note: Please run these in the order given in the instructions.

===================================================

Download and run AdwCleaner

Download AdwCleaner from here and save it to your desktop.

  • run AdwCleaner by clicking on Scan
  • when it has finished, leave everything that was found checked, (ticked), then click on Clean
  • if it asks to reboot, allow the reboot
  • on reboot a log will be produced; please attach the content of the log to your next reply.

===================================================

Run RogueKiller

IMPORTANT: Please remove any usb or external drives from the computer before you run this scan!

Close all running programs.


Download RogueKiller to your desktop

  • close all running programs
  • for Windows Vista/Seven, right click -> run as administrator, for XP simply double-click on RogueKiller.exe
  • when the pre-scan is finished, click on Scan
  • click on Report and copy/paste the content in your next post
  • NOTE: DO NOT attempt to remove anything that the scan detects - not everything that is reported is necessarily bad

If the program is blocked, continue to try it several times. If it still doesn’t work, (it could happen), rename it to winlogon.exe.

Please post the contents of the RKreport.txt in your next reply.

===================================================

Run Farbar Recovery Scan Tool

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • press Scan button
  • it will produce a log called Frst.txt in the same directory the tool is run from
  • please copy and paste log back here.
  • the first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the Frst.txt into your reply.

Logs to include with next post:

AdwCleaner log
RKreport.txt
Frst.txt
Addition.txt


Thanks

Satchfan

 


My help is always free of charge. If you are happy with the help provided, if you wish you can make a donation to buy me a beer.


#3 Computa

  • Topic Starter
  • Members
  • 8 posts

Posted 14 January 2018 - 07:59 AM

Here are the files you asked for.

Attached Files



#4 satchfan

  • Malware Response Team
  • 2,668 posts
  • Gender: Female
  • Location: Devon, UK

Posted 14 January 2018 - 09:54 AM

Run RogueKiller

IMPORTANT: Do not reboot your computer if at all possible otherwise the malware will reactivate and you will have to run RogueKiller again

  • close all programs
  • double-click RogueKiller.exe - Windows 7/8/10: right-click the program and select 'Run as Administrator'
  • after it has completed its pre-scan, click on Scan
  • when the scan is finished press the Delete button and post the log it produces.

Please then run it again and send the new log.

 

===================================================

Run AdwCleaner

Unfortunately you didn’t follow the instructions to ‘clean’ what was found.

  • run AdwCleaner by clicking on Scan
  • when it has finished, leave everything that was found checked, (ticked), then click on Clean
  • if it asks to reboot, allow the reboot
  • on reboot a log will be produced; please attach the content of the log to your next reply.

===================================================

Please run FRST again and make sure there is a checkmark next to ‘Addition.txt’ before you hit Scan.

Logs to include with next post:

RogueKiller log
AdwCleaner log
New Frst.txt
New Addition.txt


Thanks

Satchfan

 




#5 Computa

  • Topic Starter
  • Members
  • 8 posts

Posted 14 January 2018 - 01:12 PM

Yes, I notice that my problem isn't fixed. You said I shouldn't reboot after using RogueKiller, but AdwCleaner is asking to reboot. What should I do?



#6 satchfan

  • Malware Response Team
  • 2,668 posts
  • Gender: Female
  • Location: Devon, UK

Posted 14 January 2018 - 02:03 PM

Reboot.




#7 Computa

  • Topic Starter
  • Members
  • 8 posts

Posted 15 January 2018 - 02:41 PM

Here are the files.

Attached Files


Edited by Computa, 15 January 2018 - 02:42 PM.


#8 satchfan

  • Malware Response Team
  • 2,668 posts
  • Gender: Female
  • Location: Devon, UK

Posted 15 January 2018 - 05:57 PM

You need to move Farbar Recovery Scan Tool to your desktop otherwise fixes will not work.

  • go to your Downloads folder and locate Farbar Recovery Scan Tool
  • right click and select Cut
  • go to an empty spot on your desktop, right click and select Paste

Farbar Recovery Scan Tool should now be on your desktop.

================================================

Run Farbar Recovery Scan Tool

  • right-click FRST/FRST64 and select ‘Run as administrator’
  • highlight the contents of the code box below, then press Ctrl+C:
Start::
CloseProcesses:
HKLM Group Policy restriction on software: %systemroot%\system32\mrt.exe <==== ATTENTION
ShortcutTarget: IMVU.lnk -> C:\Users\pc\AppData\Roaming\IMVUClient\IMVUQualityAgent.exe (No File)
GroupPolicy: Restriction <==== ATTENTION
GroupPolicy\User: Restriction <==== ATTENTION
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-2131063633-297832682-1597634716-1000 -> DefaultScope {FFEBBF0A-C22C-4172-89FF-45215A135AC7} URL =
CHR Extension: (Chrome Web Store Payments) - C:\Users\pc\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-12-31]
CHR Extension: (Chrome Media Router) - C:\Users\pc\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-12-31]
2017-12-31 13:33 - 2018-01-15 18:52 - 000003534 _____ C:\WINDOWS\System32\Tasks\lAUbo
2017-12-31 13:33 - 2018-01-15 17:30 - 000003348 _____ C:\WINDOWS\System32\Tasks\VYyAeuERK
2017-12-31 13:33 - 2017-12-31 13:33 - 000000001 _____ C:\Users\pc\AppData\Local\WMI.ini
2017-12-31 13:33 - 2017-03-18 20:59 - 000000975 _____ C:\Program Files (x86)\EyOWXgMLzFYK
2017-12-31 13:33 - 2017-03-18 20:59 - 000000950 _____ C:\Users\pc\AppData\Roaming\FQXa
2017-12-31 13:33 - 2017-03-18 20:59 - 000000065 _____ C:\Users\pc\yIUNIofa
2017-12-31 13:33 - 2017-03-18 20:59 - 000000062 _____ C:\WINDOWS\LXseZ
2017-12-31 13:33 - 2017-03-18 20:58 - 000174592 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\kTMwIEu.exe
2017-12-31 13:31 - 2018-01-15 18:53 - 000000000 ____D C:\Users\pc\AppData\Local\CrashDumps
2017-03-18 20:59 - 2017-03-18 20:59 - 000000065 _____ () C:\Users\pc\yIUNIofa.bat
2017-12-31 13:33 - 2017-03-18 20:59 - 000000975 _____ () C:\Program Files (x86)\EyOWXgMLzFYK
2017-03-18 20:59 - 2017-03-18 20:59 - 000000975 _____ () C:\Program Files (x86)\EyOWXgMLzFYK.bat
2017-11-20 23:31 - 2018-01-03 16:51 - 000000132 _____ () C:\Users\pc\AppData\Roaming\Adobe PNG Format CS6 Prefs
2017-12-31 13:33 - 2017-03-18 20:59 - 000000950 _____ () C:\Users\pc\AppData\Roaming\FQXa
2017-03-18 20:59 - 2017-03-18 20:59 - 000000950 _____ () C:\Users\pc\AppData\Roaming\FQXa.bat
2017-12-31 13:33 - 2017-12-31 13:33 - 000000001 _____ () C:\Users\pc\AppData\Local\WMI.ini
2017-06-15 06:02 - 2017-06-15 06:02 - 000007915 _____ () C:\Users\pc\AppData\Local\Temp\142926197.exe
2017-06-15 06:02 - 2017-06-15 06:02 - 000007915 _____ () C:\Users\pc\AppData\Local\Temp\14805959.exe
2017-02-14 10:34 - 2017-02-14 10:34 - 000004039 _____ () C:\Users\pc\AppData\Local\Temp\153518773.exe
2017-06-15 06:02 - 2017-06-15 06:02 - 000007915 _____ () C:\Users\pc\AppData\Local\Temp\1583013793.exe
2017-06-15 06:02 - 2017-06-15 06:02 - 000007915 _____ () C:\Users\pc\AppData\Local\Temp\1679324730.exe
2017-06-15 06:02 - 2017-06-15 06:02 - 000007915 _____ () C:\Users\pc\AppData\Local\Temp\1738622319.exe
2017-06-15 06:02 - 2017-06-15 06:02 - 000007915 _____ () C:\Users\pc\AppData\Local\Temp\197653609.exe
2017-06-15 06:02 - 2017-06-15 06:02 - 000007915 _____ () C:\Users\pc\AppData\Local\Temp\3233521596.exe
2017-06-15 06:02 - 2017-06-15 06:02 - 000007915 _____ () C:\Users\pc\AppData\Local\Temp\392816358.exe
2018-01-14 11:24 - 2017-09-28 12:08 - 001930840 _____ (Microsoft Corporation)
Task: {1FFF72DB-EE66-4D26-B801-5AAA6D3D702D} - System32\Tasks\VYyAeuERK => C:\Users\pc\yIUNIofa.bat [2017-03-18] () <==== ATTENTION
Task: {A577D129-F83C-4209-81AC-03CA0AF06AC8} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2017-12-31] (Google Inc.)
Task: {BBAD37A1-896D-46B1-840B-E47180E7E326} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2017-12-31] (Google Inc.)
Task: {EF27C07A-B1CB-4ECA-BD69-B74309D6BB28} - System32\Tasks\lAUbo => C:\WINDOWS\LXseZ.bat [2017-03-18] () <==== ATTENTION
C:\WINDOWS\LXseZ.bat
EmptyTemp:
End::

NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

  • in the FRST window, press the ‘Fix’ button once and wait
  • please reboot the computer if requested
  • it will create a log on your desktop, (Fixlog.txt); please post it to your reply.

Satchfan

 


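The fix script in the post above removes two scheduled tasks (lAUbo and VYyAeuERK) whose actions are .bat files dropped loose in C:\WINDOWS and in the user's profile, which fits the reported symptom of a command prompt appearing on a schedule, and it clears a group-policy software restriction on %systemroot%\system32\mrt.exe, Microsoft's Malicious Software Removal Tool. The Python script below is an added example, not part of this thread and not FRST's own code: it parses FRST-style "Task:" and "Group Policy restriction" lines and flags the patterns a responder looks for in such a log (a script interpreter as the task action, an action in a user-writable directory or directly in C:\Windows, a blank publisher, and any software restriction policy). The heuristics, the Finding structure and the thresholds are my assumptions; the sample input is copied from the fix script above, with the two Google Update tasks kept as negative controls.

```python
"""Triage FRST-style log lines for scheduled-task persistence and policy tampering."""
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Interpreter-driven file types: a task that launches one of these has no binary of its
# own to sign, so a blank publisher is expected, and the logic lives in an editable file.
SCRIPT_EXTENSIONS = {".bat", ".cmd", ".vbs", ".js", ".jse", ".wsf", ".ps1", ".hta"}

# Locations a non-admin user can write to (lower-cased, backslash-terminated prefixes).
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# FRST task line, e.g.
#   Task: {GUID} - System32\Tasks\NAME => C:\path\file.bat [2017-03-18] (Publisher) <==== ATTENTION
TASK_RE = re.compile(
    r"^Task:\s*\{(?P<guid>[0-9A-Fa-f-]+)\}\s*-\s*System32\\Tasks\\(?P<name>\S+)\s*=>\s*"
    r"(?P<target>.+?)\s*\[(?P<date>\d{4}-\d{2}-\d{2})\]\s*\((?P<publisher>[^)]*)\)"
)

# FRST group-policy software restriction line, e.g.
#   HKLM Group Policy restriction on software: %systemroot%\system32\mrt.exe <==== ATTENTION
RESTRICTION_RE = re.compile(
    r"^HKLM Group Policy restriction on software:\s*(?P<target>.+?)(?:\s*<====.*)?$"
)


@dataclass
class Finding:
    kind: str            # "task" or "policy_restriction" (assumed labels)
    name: str            # task name, or the restricted program's file name
    target: str          # full path exactly as logged
    reasons: list = field(default_factory=list)


def task_reasons(target: str, publisher: str) -> list:
    """Return the heuristic red flags for one scheduled-task action (empty if none)."""
    path = PureWindowsPath(target)
    reasons = []
    if path.suffix.lower() in SCRIPT_EXTENSIONS:
        reasons.append("action is a script run through an interpreter")
    if target.lower().startswith(USER_WRITABLE_PREFIXES):
        reasons.append("action lives in a user-writable directory")
    if str(path.parent).lower() == "c:\\windows":
        # Legitimate tasks point into System32 or Program Files, not loose files in C:\Windows.
        reasons.append("action dropped directly into C:\\Windows")
    if not publisher.strip():
        reasons.append("no publisher (unsigned)")
    return reasons


def triage(frst_lines) -> list:
    """Scan FRST log lines; return Findings for suspicious tasks and any software restrictions."""
    findings = []
    for raw in frst_lines:
        line = raw.strip()
        task = TASK_RE.match(line)
        if task:
            reasons = task_reasons(task["target"], task["publisher"])
            if reasons:
                findings.append(Finding("task", task["name"], task["target"], reasons))
            continue
        restriction = RESTRICTION_RE.match(line)
        if restriction:
            # Software restriction policies are rare on home machines; malware sets them to
            # stop removal tools from starting (mrt.exe is the Malicious Software Removal Tool).
            findings.append(Finding(
                "policy_restriction",
                PureWindowsPath(restriction["target"]).name,
                restriction["target"],
                ["group policy blocks this program from running"],
            ))
    return findings


# Sample input: lines copied from the FRST fix script in this thread, plus the two
# legitimate Google Update tasks from the same script as negative controls.
SAMPLE_LINES = [
    r"HKLM Group Policy restriction on software: %systemroot%\system32\mrt.exe <==== ATTENTION",
    r"Task: {1FFF72DB-EE66-4D26-B801-5AAA6D3D702D} - System32\Tasks\VYyAeuERK => C:\Users\pc\yIUNIofa.bat [2017-03-18] () <==== ATTENTION",
    r"Task: {A577D129-F83C-4209-81AC-03CA0AF06AC8} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2017-12-31] (Google Inc.)",
    r"Task: {BBAD37A1-896D-46B1-840B-E47180E7E326} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2017-12-31] (Google Inc.)",
    r"Task: {EF27C07A-B1CB-4ECA-BD69-B74309D6BB28} - System32\Tasks\lAUbo => C:\WINDOWS\LXseZ.bat [2017-03-18] () <==== ATTENTION",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f.kind}] {f.name} -> {f.target}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run against the sample, the two Google tasks produce no reasons and are dropped, while both .bat-backed tasks and the mrt.exe restriction are reported. Feed it a full FRST.txt and the same three heuristics surface the majority of user-level task persistence without needing the file names, which, as the random-looking names here show, are not something to match on.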


#9 Computa

  • Topic Starter
  • Members
  • 8 posts

Posted 16 January 2018 - 10:29 AM

The fix log is attached

Attached Files


Edited by Computa, 16 January 2018 - 10:29 AM.


#10 satchfan

  • Malware Response Team
  • 2,668 posts
  • Gender: Female
  • Location: Devon, UK

Posted 16 January 2018 - 11:24 AM

Please run FRST again and make sure there is a checkmark next to ‘Addition.txt’ before you hit Scan.

Logs to include with next post:

New Frst.txt
New Addition.txt


Can you tell me if there are any remaining problems?

Satchfan




#11 satchfan

  • Malware Response Team
  • 2,668 posts
  • Gender: Female
  • Location: Devon, UK

Posted 19 January 2018 - 10:30 AM

It has been several days since I asked you to send new logs.

Please let me know if you no longer need help.

Satchfan




#12 Computa

  • Topic Starter
  • Members
  • 8 posts

Posted 20 January 2018 - 12:37 PM

Sorry, I was away. Here are the attached files.

Attached Files



#13 satchfan

  • Malware Response Team
  • 2,668 posts
  • Gender: Female
  • Location: Devon, UK

Posted 20 January 2018 - 05:13 PM

Can you tell me if there are any remaining problems?

 
I'll look at your logs and reply tomorrow but I'd like a reply to my question.




#14 satchfan

  • Malware Response Team
  • 2,668 posts
  • Gender: Female
  • Location: Devon, UK

Posted 21 January 2018 - 05:41 AM

P2P - I see you have P2P software, (uTorrent), installed on your machine.

We are not here to pass judgment on file-sharing as a concept but we will warn you that engaging in this activity will always make your computer very susceptible to infection and re-infection.

If your computer is infected, it almost certainly contributed to your current situation.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are more often than not, infected. Those who write malware use P2P file-sharing as a major vehicle to spread their wares.

Please see this topic for more information:

P2P File Sharing Risks.

I would strongly recommend that you uninstall it now. You can do so via Control Panel, Programs, and then Programs and Features.

Should you decide to keep it, please don’t use it until we have finished up here.

===================================================
 

Again, you need to move Farbar Recovery Scan Tool to your desktop otherwise fixes will not work.

  • go to your Downloads folder and locate Farbar Recovery Scan Tool
  • right click and select Cut
  • go to an empty spot on your desktop, right click and select Paste

Farbar Recovery Scan Tool should now be on your desktop.

================================================

Run Farbar Recovery Scan Tool

  • right-click FRST/FRST64 and select ‘Run as administrator’
  • highlight the contents of the code box below, then press Ctrl+C:
Start::
CloseProcesses:
Startup: C:\Users\pc\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMVU.lnk [2017-11-03]
ShortcutTarget: IMVU.lnk -> C:\Users\pc\AppData\Roaming\IMVUClient\IMVUQualityAgent.exe (No File)
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
CHR Extension: (Chrome Web Store Payments) - C:\Users\pc\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-12-31]
CHR Extension: (Chrome Media Router) - C:\Users\pc\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-12-31]
CHR HKLM-x32\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [ligncphnohhjkgekjkghahajihclailj] - hxxps://clients2.google.com/service/update2/crx
2017-12-28 21:34 - 2018-01-14 18:46 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Lavasoft
EmptyTemp:
End::

NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

  • in the FRST window, press the ‘Fix’ button once and wait
  • please reboot the computer if requested
  • it will create a log on your desktop, (Fixlog.txt); please post it to your reply.

================================================

Run Emsisoft Emergency Kit

Please download Emsisoft Emergency Kit and save it to your desktop. Double click on the EmsisoftEmergencyKit file you downloaded to extract its contents and create a shortcut on the desktop. Leave all settings as they are and click the Extract button at the bottom. A folder named EEK will be created in the root of the drive (usually c:\).

  • after extraction, double-click on the new Start Emsisoft Emergency Kit icon on your desktop
  • the first time you launch it, Emsisoft Emergency Kit will recommend that you allow it to download updates: click Yes so that it downloads the latest database updates
  • when the update is complete, click Malware Scan. When asked if you want the scanner to scan for Potentially Unwanted Programs, click Yes. Emsisoft Emergency Kit will start scanning
  • when the scan has completed click Quarantine selected objects. Note, this option is only available if malicious objects were detected during the scan
  • when the threats have been quarantined, click the View report button in the lower-right corner and the scan log will open in Notepad
  • please save the Notepad log on your desktop and post the contents in your next reply
  • when you close Emsisoft Emergency Kit it will give you an option to sign up for a newsletter. This is optional, and is not necessary for the malware removal process.

Logs to include with next post:

Fixlog.txt
Emsisoft log

 

Can you tell me if there are any remaining problems?

Satchfan


Edited by satchfan, 21 January 2018 - 06:00 AM.



#15 Computa

  • Topic Starter
  • Members
  • 8 posts

Posted 21 January 2018 - 01:17 PM

I am having no problems with my PC; the cmd windows don't open and download files.

Attached Files





