
New Adware (can't find anything about it)


  • This topic is locked
21 replies to this topic

#1 negzersqu (Members, 11 posts)

Posted 04 April 2018 - 02:27 PM

Okay, let me just start out by saying, I think I may have discovered a new virus.
The story starts out like this: I was online searching for a program that would allow me to play WMD files on my computer so I didn't have to buy the $15 Windows 10 media player for viewing DVDs that I was only going to use once or twice. Illegal? I have no clue. My search led me to a semi-sketchy site for a file called CodecPack. The file was called CodecPack.z and contained a file called CodecPack.exe. Windows Defender immediately picked up on this, but most of the time, in my case, Defender is wrong about it being a Trojan. It was not wrong this time. I looked at the readme file and it said to disable my antivirus, so I did. Like an idiot. Before I knew it my computer was freaking out, with 100% CPU usage and about 20 or so applications in my startup and task manager tabs called Abu.exe and Courthouse.exe. I disabled all of the startup apps, closed as many as I could (they kept reopening themselves; I had thought that maybe they were latching onto a system app or disguising themselves as a system app so you wouldn't close it) and immediately put all of my faith into Malwarebytes. Turns out this virus was a lot bigger than I expected.
Now before I get into just what the virus did and what it is currently doing, I should let you know that my System Information and added screenshots are below in case you want to see what kind of virus this is (and the loop bat file I used, just in case you'd want to see it for whatever reason).
It started out as normal adware, playing audio ads through random apps, but Malwarebytes quickly got rid of it. What it couldn't get rid of, no matter how hard I tried, was Abu and Courthouses. So first things first I went into Resource Monitor to see where the apps are coming from on the system, and to close as many of the duplicates at once as I could. I used the elevated CMD prompt to see what the apps were called so I could use the taskkill command to kill them all. I then created a batch file to automatically close these apps every 10 seconds, just so I could use my computer (at this point the system was grinding to a halt and I couldn't do anything) until I could find what app it was disguising itself as so I could delete it. In Resource Monitor it said the apps were coming from C:\$Bitmaps\, \$Mft\, \$LogFile\ and \$Extend\ in the Disk tab of the resource monitor (screenshot below). Now I figured out that these were NTFS file system files, so I couldn't access them unless I had System level authentication. The next thing I did was as much research as I could. I looked for courthouses.exe (this confused Google and it thought I was talking about actual courthouses, so I put it in quotes and nothing came up) and Abu.exe, but both yielded little to no results, and when they did, they were no help. Now, after I couldn't find anything I decided to try to scan it a couple more times to see if it could find anything else, and in my opinion this is the most confusing and interesting part of this whole journey.
I first tried scanning with Defender and, get this: it disabled my antivirus (screenshot below). It was disabled when I opened it up, and when I tried to restart it, it gave me the most vague error message possible. Note that it was working perfectly fine before this. Then, the antivirus started messing with Malwarebytes. At this point, I was completely disconnected from my network, so it wouldn't spread. I don't know if it affected the scans, but I had just updated it this morning, so I doubt it. Around my third or fourth scan with Malwarebytes, it was still detecting viruses. Whether they were the same as the ones before, I don't know, but I would assume they were because of this one little fact: the virus was messing with it so it wouldn't quarantine the files. When I finished scanning, I downloaded the log file for the scan, and saw that the log said it DIDN'T do a heuristic analysis, and DIDN'T scan for rootkits, although I had them both selected. It seemed to gloss over the rootkit section of the scan, but it sure as hell did the heuristic analysis, as it took a considerable amount of time. And finally the cherry on top of the old log file: it said it found NO viruses, when before in the menu it said it found 12. This was about my third scan, however my next scan (the one I took screenshots of) recognized the files in the log and said I did scan for rootkits, however it said I didn't do the heuristic analysis. However, it didn't prompt me for a restart like it usually does, so that means it probably isn't detecting Abu and Courthouses. Either I could be an idiot and this is what a log is supposed to look like, or the virus is messing with my antivirus, but either way, whether it be a backup of a select few of my user files and a complete OS reinstall or some other method, this virus is getting off of my computer.
Thanks for reading my hellish story, and hope you can help.


#2 JSntgRvr (Master Surgeon General, Malware Response Team, 11,227 posts, Puerto Rico)

Posted 04 April 2018 - 03:20 PM

Hi

Welcome :)

I'll be helping you with your computer.

Please read this post completely before beginning. If there's anything that you do not understand, please don't hesitate to ask before proceeding.

Please take note of the guidelines for this fix:
  • Please note that I am a volunteer. I do have a family, a career, and other endeavors that may prevent immediate responses that meet your schedule. Do note that the differences in time zones could present a problem as well. Your patience and understanding will be greatly appreciated.
  • First of all, the procedures we are about to perform are specific to your problem and should only be used on this specific computer.
  • Do not make any changes to your computer that include installing/uninstalling programs, deleting files, modifying the registry, nor running scanners or tools of any kind unless specifically requested by me.
  • Please read ALL instructions carefully and perform the steps fully and in the order they are written.
  • If things appear to be better, let me know. Just because the symptoms no longer exist as before, does not mean that you are clean.
  • Continue to read and follow my instructions until I tell you that your machine is clean.
  • If you have any questions at all, please do not hesitate to ask before performing the task that I ask of you, and please wait for my reply before you proceed.
  • Scanning with programs and reading the logs do take a fair amount of time. Again, your patience will be necessary. :)
Let's begin... :)
  • Highlight the entire content of the quote box below.

Start::
C:\Users\adam\AppData\Local\abu.exe
C:\Users\adam\AppData\Local\Courthouses.exe
FF Plugin HKU\S-1-5-21-1752756485-4272382108-162662000-1002: @unity3d.com/UnityPlayer,version=1.0 -> C:\Users\adam\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll [2015-08-28] (Unity Technologies ApS)
2018-04-04 09:55 - 2018-04-04 09:55 - 000386427 _____ (AccessDigital ) C:\Users\adam\AppData\Local\Temp\access.exe
2018-03-22 22:05 - 2015-03-05 08:54 - 002212008 _____ (Adobe Systems Incorporated) C:\Users\adam\AppData\Local\Temp\AdobeApplicationManager.exe
2018-04-04 09:51 - 2018-04-04 09:51 - 000024576 _____ (Stennett) C:\Users\adam\AppData\Local\Temp\capi.exe
2018-04-04 09:51 - 2018-04-04 09:51 - 001793312 _____ () C:\Users\adam\AppData\Local\Temp\gimi.exe
2018-04-04 09:51 - 2018-04-04 09:51 - 002369536 _____ () C:\Users\adam\AppData\Local\Temp\MediaPlayer.exe
CustomCLSID: HKU\S-1-5-21-1752756485-4272382108-162662000-1002_Classes\CLSID\{DEE03C2B-0C0C-41A9-9877-FD4B4D7B6EA3}\InprocServer32 -> C:\Users\adam\AppData\Local\Roblox\Versions\version-7b8ced67462c404f\RobloxProxy64.dll => No File
Task: {58BAF61D-E398-4117-8CDE-9AE0B452E8BA} - System32\Tasks\matthews_scorecards => C:\Users\adam\AppData\Local\abu.exe [2018-04-04] ()
Task: {5A9F0C84-2BA5-4288-9A2B-B90514B80110} - System32\Tasks\tsbotany aghast infantsbotany aghast infants => C:\Users\adam\AppData\Local\Courthouses.exe [2018-04-04] ()
Task: {90950BE8-B25C-4131-A499-21AB90E010C6} - System32\Tasks\tsmatthews_scorecardsmatthews_scorecards => C:\Users\adam\AppData\Local\abu.exe [2018-04-04] ()
Task: {CB39B0C4-F5B2-437F-AE46-3428BBC44394} - System32\Tasks\botany aghast infants => C:\Users\adam\AppData\Local\Courthouses.exe [2018-04-04] ()
2018-04-04 09:06 - 2018-04-04 09:06 - 000013312 _____ () C:\Users\adam\AppData\Local\abu.exe
2018-04-04 09:06 - 2018-04-04 09:06 - 000013312 _____ () C:\Users\adam\AppData\Local\Courthouses.exe
Path: file:_C:\Users\adam\AppData\Local\Temp\Rar$EXa0.821\CodecPack.exe
Path: file:_C:\Users\adam\AppData\Local\Temp\insifucan.exe
FirewallRules: [{2A8AD012-5EF9-416A-A4AB-75913AEA9864}] => (Allow) LPort=82
FirewallRules: [{4C32DD0F-0DD4-4FB5-8598-F1AD1F8B6065}] => (Allow) LPort=1900
FirewallRules: [{75201C39-E953-425B-A585-ED8DAA504F8E}] => (Allow) LPort=2869
Task: {799772A9-71EB-4FB8-8661-F3E4C4569E99} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION
ShortcutTarget: fenn.lnk -> C:\Program Files (x86)\Beirne\Courthouses.exe (No File)
C:\Program Files (x86)\Beirne
ShortcutTarget: fennfenn.lnk -> C:\Program Files (x86)\clamping\abu.exe (No File)
C:\Program Files (x86)\clamping
ShortcutTarget: McAfee Security Scan Plus.lnk -> C:\Program Files (x86)\McAfee Security Scan\3.11.266\SSScheduler.exe (No File)
FF Plugin HKU\S-1-5-21-1752756485-4272382108-162662000-1002: @nsroblox.roblox.com/launcher -> C:\Users\adam\AppData\Local\Roblox\Versions\version-7b8ced67462c404f\\NPRobloxProxy.dll [No File]
FF Plugin HKU\S-1-5-21-1752756485-4272382108-162662000-1002: @nsroblox.roblox.com/launcher64 -> C:\Users\adam\AppData\Local\Roblox\Versions\version-7b8ced67462c404f\\NPRobloxProxy64.dll [No File]
CustomCLSID: HKU\S-1-5-21-1752756485-4272382108-162662000-1002_Classes\CLSID\{DEE03C2B-0C0C-41A9-9877-FD4B4D7B6EA3}\InprocServer32 -> C:\Users\adam\AppData\Local\Roblox\Versions\version-7b8ced67462c404f\RobloxProxy64.dll => No File
ContextMenuHandlers2-x32: [AlcoholShellEx] -> {32020A01-506E-484D-A2A8-BE3CF17601C3} => C:\Program Files (x86)\Alcohol Soft\Alcohol 52\AxShlex.dll -> No File
ContextMenuHandlers2-x32: [AlcoholShellEx64] -> {AF67B665-D752-424E-9A03-C7C218F2844F} => C:\Program Files (x86)\Alcohol Soft\Alcohol 52\AxShlEx64.dll -> No File
Task: {799772A9-71EB-4FB8-8661-F3E4C4569E99} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION
2018-04-04 09:55 - 2018-04-04 09:55 - 000386427 _____ (AccessDigital ) C:\Users\adam\AppData\Local\Temp\access.exe
2018-03-22 22:05 - 2015-03-05 08:54 - 002212008 _____ (Adobe Systems Incorporated) C:\Users\adam\AppData\Local\Temp\AdobeApplicationManager.exe
2018-04-04 09:51 - 2018-04-04 09:51 - 000024576 _____ (Stennett) C:\Users\adam\AppData\Local\Temp\capi.exe
2018-04-04 09:51 - 2018-04-04 09:51 - 001793312 _____ () C:\Users\adam\AppData\Local\Temp\gimi.exe
2018-04-04 09:51 - 2018-04-04 09:51 - 002369536 _____ () C:\Users\adam\AppData\Local\Temp\MediaPlayer.exe
C:\Users\adam\AppData\Local\Temp\Rar$EXa0.821
C:\Users\adam\AppData\Local\Temp\insifucan.exe
HOSTS:
Removeproxy:
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset C:\resettcpip.txt
CMD: FOR /F "usebackq delims==" %i IN (`wevtutil el`) DO wevtutil cl "%i"
CMD: Bitsadmin /Reset /Allusers
EMPTYTEMP:
Reboot:
End::

  • Right click on the highlighted text and select Copy.
  • Start FRST (FRST64) with Administrator privileges
  • Press the Fix button. FRST will process the lines copied above from the clipboard.
  • When finished, a log file (Fixlog.txt) will pop up and be saved in the same location the tool was run from.
Please copy and paste its contents in your next reply.

Download AdwCleaner from here. Save the file to the desktop.

NOTE: If you are using IE 8 or above you may get a warning that stops the program from downloading. Just click on the warning and allow the download to complete.

Close all open windows and browsers.
  • XP users: Double click the AdwCleaner icon to start the program.
  • Vista/7/8/10 users: Right click the AdwCleaner icon on the desktop, click Run as administrator and accept the UAC prompt to run AdwCleaner.
  • Click the Scan button and wait for the scan to finish.
  • After the scan has finished, the window may or may not show what it found; above it, in the progress bar, you will see: Pending. Uncheck any elements you don't want to remove.
  • Click the Clean button.
  • Everything checked will be moved to Quarantine.
  • When the program has finished cleaning, a report appears. It will then ask to reboot; allow this.
  • On reboot a log will be produced. Please copy/paste that in your next reply. This report is also saved to C:\AdwCleaner\AdwCleaner[C0].txt

No request for help through private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 negzersqu (Topic Starter, 11 posts)

Posted 04 April 2018 - 03:42 PM

Hi, thanks for your time!

Below I've attached the .txt log files for both.

The problem seems to have been fixed, now I just have to change my default search engine.

I'll keep you updated if anything else happens.

Again, thanks!


#4 negzersqu (Topic Starter, 11 posts)

Posted 04 April 2018 - 05:33 PM

I stand corrected. The malware is still there, in the form of just the Courthouses.exe this time. Abu.exe is still on the computer (still in the startup apps tab of task manager) but does not run when the computer starts up. Still getting annoying ads played through the hozmkgzq.exe program. Is there anything else I can do?



#5 JSntgRvr (Master Surgeon General, Malware Response Team, 11,227 posts, Puerto Rico)

Posted 04 April 2018 - 06:10 PM

Please rerun FRST and post new logs.



#6 negzersqu (Topic Starter, 11 posts)

Posted 04 April 2018 - 06:15 PM

Here you go

Attached Files

  • Attached File: FRST.txt (60.65KB)


#7 JSntgRvr (Master Surgeon General, Malware Response Team, 11,227 posts, Puerto Rico)

Posted 04 April 2018 - 06:46 PM

  • Highlight the entire content of the quote box below.

Start::  
2018-04-04 18:28 - 2018-04-04 09:06 - 000013312 _____ C:\Users\adam\AppData\Local\Courthouses.exe
2018-04-04 18:28 - 2018-04-04 09:06 - 000013312 _____ () C:\Users\adam\AppData\Local\Courthouses.exe
C:\Program Files (x86)\Beirne
C:\Program Files (x86)\clamping
HKLM\...\Run: [flagged] => "C:\Program Files (x86)\Beirne\Courthouses.exe" ozmk
HKLM\...\Run: [flaggedflagged] => "C:\Program Files (x86)\Charter\Courthouses.exe" ozmk
C:\Program Files (x86)\Charter
HKLM-x32\...\Run: [molitor] => "C:\Program Files (x86)\Beirne\Courthouses.exe" ozmk
HKLM-x32\...\Run: [molitormolitor] => "C:\Program Files (x86)\Charter\Courthouses.exe" ozmk
HKU\S-1-5-21-1752756485-4272382108-162662000-1002\...\Run: [fairplay] => "C:\Program Files (x86)\Beirne\Courthouses.exe" ozmk
HKU\S-1-5-21-1752756485-4272382108-162662000-1002\...\Run: [fairplayfairplay] => "C:\Program Files (x86)\Charter\Courthouses.exe" ozmk
HKU\S-1-5-21-1752756485-4272382108-162662000-1002\...\Run: [futher] => "C:\Program Files (x86)\Beirne\Courthouses.exe" ozmk
HKU\S-1-5-21-1752756485-4272382108-162662000-1002\...\Run: [futherfuther] => "C:\Program Files (x86)\Charter\Courthouses.exe" ozmk
HKU\S-1-5-21-1752756485-4272382108-162662000-1002\...\Run: [themis] => "C:\Program Files (x86)\Beirne\Courthouses.exe" ozmk
2018-04-04 18:28 - 2018-04-04 09:06 - 000013312 _____ C:\Users\adam\AppData\Local\Courthouses.exe
2018-04-04 18:28 - 2018-04-04 09:06 - 000013312 _____ () C:\Users\adam\AppData\Local\Courthouses.exe
HKLM\...\Run: [flaggedfuther] => "C:\Program Files (x86)\clamping\abu.exe" ozmk
HKLM-x32\...\Run: [molitorfairplay] => "C:\Program Files (x86)\clamping\abu.exe" ozmk
HKU\S-1-5-21-1752756485-4272382108-162662000-1002\...\Run: [fairplaymolitor] => "C:\Program Files (x86)\clamping\abu.exe" ozmk
HKU\S-1-5-21-1752756485-4272382108-162662000-1002\...\Run: [futherflagged] => "C:\Program Files (x86)\clamping\abu.exe" ozmk
ShortcutTarget: fennfenn.lnk -> C:\Program Files (x86)\clamping\abu.exe (No File)
Unlock: "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{58BAF61D-E398-4117-8CDE-9AE0B452E8BA}"
Unlock: "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\matthews_scorecards"
Unlock: "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5A9F0C84-2BA5-4288-9A2B-B90514B80110}"
Unlock: "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\tsbotany aghast infantsbotany aghast infants"
Unlock: "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{90950BE8-B25C-4131-A499-21AB90E010C6}"
Unlock: "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\tsmatthews_scorecardsmatthews_scorecards"
Unlock: "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CB39B0C4-F5B2-437F-AE46-3428BBC44394}"
Unlock: "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\botany aghast infants"
Unlock: "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{799772A9-71EB-4FB8-8661-F3E4C4569E99}"
Unlock: "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UNP\RunCampaignManager"
Unlock: "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{799772A9-71EB-4FB8-8661-F3E4C4569E99}"
Unlock: "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UNP\RunCampaignManager"
Reg: Reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{58BAF61D-E398-4117-8CDE-9AE0B452E8BA}" /f
Reg: Reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\matthews_scorecards" /f
Reg: Reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5A9F0C84-2BA5-4288-9A2B-B90514B80110}" /f
Reg: Reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\tsbotany aghast infantsbotany aghast infants" /f
Reg: Reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{90950BE8-B25C-4131-A499-21AB90E010C6}" /f
Reg: Reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\tsmatthews_scorecardsmatthews_scorecards" /f
Reg: Reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CB39B0C4-F5B2-437F-AE46-3428BBC44394}" /f
Reg: Reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\botany aghast infants" /f
Reg: Reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{799772A9-71EB-4FB8-8661-F3E4C4569E99}" /f
Reg: Reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UNP\RunCampaignManager" /f
Reg: Reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{799772A9-71EB-4FB8-8661-F3E4C4569E99}" /f
Reg: Reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UNP\RunCampaignManager" /f
Reboot:
End::

  • Right click on the highlighted text and select Copy.
  • Start FRST (FRST64) with Administrator privileges
  • Press the Fix button. FRST will process the lines copied above from the clipboard.
  • When finished, a log file (Fixlog.txt) will pop up and be saved in the same location the tool was run from.

Please copy and paste its contents in your next reply.
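The Task and Run entries in the FRST fixes above (posts #2 and #7) share three tell-tale traits: the same executable is registered by several autostart entries, entry names come in pairs where one is the other repeated (optionally with a "ts" prefix, e.g. "flagged" / "flaggedflagged", "shoddy" / "tsshoddyshoddy"), and one file name sits in several folders. The following Python script is an added example, not part of this thread or of FRST: it parses FRST-style listing lines and flags entries on those traits. The sample input is constructed from entries quoted above plus two constructed benign Microsoft entries as controls.

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample in FRST listing format. The first seven lines mirror
# entries quoted in this thread; the last two are constructed benign controls.
SAMPLE = r"""
Task: {58BAF61D-E398-4117-8CDE-9AE0B452E8BA} - System32\Tasks\matthews_scorecards => C:\Users\adam\AppData\Local\abu.exe [2018-04-04] ()
Task: {90950BE8-B25C-4131-A499-21AB90E010C6} - System32\Tasks\tsmatthews_scorecardsmatthews_scorecards => C:\Users\adam\AppData\Local\abu.exe [2018-04-04] ()
Task: {5A9F0C84-2BA5-4288-9A2B-B90514B80110} - System32\Tasks\tsbotany aghast infantsbotany aghast infants => C:\Users\adam\AppData\Local\Courthouses.exe [2018-04-04] ()
Task: {CB39B0C4-F5B2-437F-AE46-3428BBC44394} - System32\Tasks\botany aghast infants => C:\Users\adam\AppData\Local\Courthouses.exe [2018-04-04] ()
HKLM\...\Run: [flagged] => "C:\Program Files (x86)\Beirne\Courthouses.exe" ozmk
HKLM\...\Run: [flaggedflagged] => "C:\Program Files (x86)\Charter\Courthouses.exe" ozmk
HKU\S-1-5-21-1752756485-4272382108-162662000-1002\...\Run: [fairplay] => "C:\Program Files (x86)\Beirne\Courthouses.exe" ozmk
HKLM\...\Run: [SecurityHealth] => C:\Windows\System32\SecurityHealthSystray.exe
Task: {00000000-0000-0000-0000-000000000000} - \Microsoft\Windows\Defrag\ScheduledDefrag => C:\Windows\System32\defrag.exe
"""

TASK_RE = re.compile(r"^Task: \{[0-9A-Fa-f-]+\} - (?P<name>.+?) => (?P<rest>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HK\S*?)\\\.\.\.\\Run: \[(?P<name>[^\]]+)\] => (?P<rest>.*)$")
# First drive-letter path ending in .exe/.dll, with or without surrounding quotes.
PATH_RE = re.compile(r'"?(?P<path>[A-Za-z]:\\[^"\[\]]*?\.(?:exe|dll))"?', re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)


def _halves_equal(s):
    half, odd = divmod(len(s), 2)
    return half > 0 and odd == 0 and s[:half] == s[half:]


def is_doubled(name):
    """True for names of the form X+X or 'ts'+X+X, the pairing pattern the
    thread's Task and Run entries follow ('flaggedflagged', 'tsshoddyshoddy')."""
    candidates = [name]
    if name.lower().startswith("ts"):
        candidates.append(name[2:])
    return any(_halves_equal(c) for c in candidates)


def parse_entries(text):
    """Extract kind, entry name and target path from FRST 'Task:' and '...\\Run:' lines."""
    entries = []
    for line in text.splitlines():
        if line.startswith("Task:"):
            m, kind = TASK_RE.match(line), "Task"
        else:
            m, kind = RUN_RE.match(line), "Run"
        if not m:
            continue
        # Task names are paths under System32\Tasks; keep only the leaf name.
        name = m.group("name").rsplit("\\", 1)[-1] if kind == "Task" else m.group("name")
        p = PATH_RE.search(m.group("rest"))
        if not p:
            continue
        entries.append({"kind": kind, "name": name, "target": p.group("path"), "reasons": []})
    return entries


def flag_entries(entries):
    """Attach reasons to each autostart entry and return only the flagged ones."""
    by_path = defaultdict(list)      # lower-cased full target path -> entries pointing at it
    dirs_by_file = defaultdict(set)  # lower-cased file name -> folders it was seen in
    for e in entries:
        folder, fname = ntpath.split(e["target"].lower())
        by_path[e["target"].lower()].append(e)
        dirs_by_file[fname].add(folder)
    for e in entries:
        fname = ntpath.basename(e["target"].lower())
        if is_doubled(e["name"]):
            e["reasons"].append("doubled entry name")
        if USER_WRITABLE_RE.match(e["target"]):
            e["reasons"].append("target in user-writable AppData")
        n_autostarts = len(by_path[e["target"].lower()])
        if n_autostarts > 1:
            e["reasons"].append("%d autostarts for the same file" % n_autostarts)
        if len(dirs_by_file[fname]) > 1:
            e["reasons"].append("%s present in %d folders" % (fname, len(dirs_by_file[fname])))
    return [e for e in entries if e["reasons"]]


def flagged_names(text):
    """Sorted entry names that trip at least one heuristic."""
    return sorted(e["name"] for e in flag_entries(parse_entries(text)))


if __name__ == "__main__":
    for e in flag_entries(parse_entries(SAMPLE)):
        print("%-4s %-45s -> %s" % (e["kind"], e["name"], e["target"]))
        print("     " + "; ".join(e["reasons"]))
```

The two Microsoft control entries pass untouched, while every abu.exe / Courthouses.exe entry is flagged on at least one trait; a real run would feed the script the Task and Run sections of an actual FRST.txt.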
 



#8 negzersqu (Topic Starter, 11 posts)

Posted 04 April 2018 - 06:50 PM

Alright, I ran it. Here's the results.


#9 JSntgRvr (Master Surgeon General, Malware Response Team, 11,227 posts, Puerto Rico)

Posted 04 April 2018 - 06:51 PM

Also run RogueKiller:

RogueKiller

  • Download the right version of RogueKiller for your Windows version (32 or 64-bit)
  • Once done, move the executable file to your Desktop, right-click on it and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Click on the Start Scan button in the right panel, which will bring you to another tab, and click on it again (this time it'll be in the bottom right corner)
  • Wait for the scan to complete
  • On completion, the results will be displayed
  • Check every single entry (threat found), and click on the Remove Selected button
  • On completion, the results will be displayed. Click on the Open Report button in the bottom left corner, followed by the Open TXT button (also in the bottom left corner)
  • This will open the report in Notepad. Copy/paste its content in your next reply


#10 negzersqu (Topic Starter, 11 posts)

Posted 05 April 2018 - 06:04 AM

alright, done.


#11 JSntgRvr (Master Surgeon General, Malware Response Team, 11,227 posts, Puerto Rico)

Posted 05 April 2018 - 09:16 AM

You posted the scan report. Did you remove those entries?

 

Run FRST once again.

 

  • Make sure that under Optional Scans, there is a checkmark on Addition.txt.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it to your reply.
  • The tool will also produce another log (Addition.txt). Please attach this to your reply.



#12 negzersqu (Topic Starter, 11 posts)

Posted 05 April 2018 - 07:39 PM

Yes, I deleted the entities when prompted. Here's the updated FRST log and the Addition.txt file. I should also mention that in the Startup menu Courthouses and Abu are no longer recognized and now show as unknown programs. Screenshot included.


#13 JSntgRvr (Master Surgeon General, Malware Response Team, 11,227 posts, Puerto Rico)

Posted 05 April 2018 - 08:26 PM

Those are part of the MSCONFIG/Task Manager disabled items. Let's remove most of these.

  • Highlight the entire content of the quote box below.

Start::  
2018-04-04 20:01 - 2018-04-04 09:06 - 000013312 _____ C:\Users\adam\AppData\Local\Courthouses.exe
C:\Users\adam\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fenn*.lnk
Task: {00B96B3B-6FFA-454F-A789-33900A813270} - System32\Tasks\tsseverally_bokseverally_bok => C:\Program Files (x86)\Charter\Courthouses.exe
Task: {40D74B96-C67E-4512-96D6-F58309B17D28} - System32\Tasks\tsshoddyshoddy => C:\Program Files (x86)\Beirne\Courthouses.exe
Task: {5F464174-F0F0-4C88-954D-FDE25DB84692} - System32\Tasks\severally_bok => C:\Program Files (x86)\Charter\Courthouses.exe
Task: {B24FE584-6470-4B2F-8D51-0C8E6FAE8422} - System32\Tasks\shoddy => C:\Program Files (x86)\Beirne\Courthouses.exe
Task: {0494AE05-A5F2-487D-AA1D-91BDA9A4E427} - System32\Tasks\tscaren-subgroupcaren-subgroup => C:\Program Files (x86)\clamping\abu.exe
Task: {E633514C-BD55-4E2B-9AC1-89CFE93233FD} - System32\Tasks\caren-subgroup => C:\Program Files (x86)\clamping\abu.exe
Task: {F34297C7-F3C0-4916-A9E4-5943CD78F633} - System32\Tasks\tsmyopic galleriemyopic gallerie => C:\Program Files (x86)\Charter\abu.exe
Task: {FD058FF3-1844-44EA-A0F3-676755EA9FE6} - System32\Tasks\myopic gallerie => C:\Program Files (x86)\Charter\abu.exe
2018-03-22 22:05 - 2018-03-30 19:31 - 000000034 _____ () C:\Users\adam\AppData\Roaming\AdobeWLCMCache.dat
2017-06-08 22:17 - 2017-06-08 22:17 - 000001167 _____ () C:\Users\adam\AppData\Roaming\trace_FilterInstaller.txt
2017-06-08 22:17 - 2017-06-08 22:17 - 000000000 _____ () C:\Users\adam\AppData\Roaming\trace_FilterInstaller.txt-CRT.txt
2017-06-29 11:46 - 2017-06-29 11:46 - 000000044 _____ () C:\Users\adam\AppData\Roaming\WB.CFG
2018-04-04 20:01 - 2018-04-04 09:06 - 000013312 _____ () C:\Users\adam\AppData\Local\Courthouses.exe
2018-03-28 21:17 - 2018-03-28 21:17 - 000002971 _____ () C:\Users\adam\AppData\Local\recently-used.xbel
2017-02-27 00:01 - 2018-04-04 14:47 - 000007600 _____ () C:\Users\adam\AppData\Local\Resmon.ResmonCfg
C:\WINDOWS\b87911013
C:\WINDOWS\steroid.exe
C:\WINDOWS\System32\Tasks\severally_bok
C:\WINDOWS\System32\Tasks\myopic gallerie
C:\WINDOWS\System32\Tasks\caren-subgroup
C:\WINDOWS\System32\Tasks\arched
C:\WINDOWS\System32\Tasks\shoddy
C:\WINDOWS\System32\Tasks\tsseverally_bokseverally_bok
C:\WINDOWS\System32\Tasks\tsmyopic galleriemyopic gallerie
C:\WINDOWS\System32\Tasks\tscaren-subgroupcaren-subgroup
C:\WINDOWS\System32\Tasks\tsarchedarched
C:\WINDOWS\System32\Tasks\tsshoddyshoddy
Reg: Reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\StartupFolder /v "McAfee Security Scan Plus.lnk" /f
Reg: Reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v "SecurityHealth" /f
Reg: Reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v "SynTPEnh" /f
Reg: Reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v "RTHDVCPL" /f
Reg: Reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v "NvBackend" /f
Reg: Reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v "ShadowPlay" /f
Reg: Reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v "Wondershare Helper Compact.exe" /f
Reg: Reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v "iTunesHelper" /f
Reg: Reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v "WindowsDefender" /f
Reg: Reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v "AdobeAAMUpdater-1.0" /f
Reg: Reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v "flaggedflagged" /f
Reg: Reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v "flaggedfuther" /f
Reg: Reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v "flagged" /f
Reg: Reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32 /v "RzWizard" /f
Reg: Reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32 /v "Razer Synapse" /f
Reg: Reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32 /v "QuickTime Task" /f
Reg: Reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32 /v "SunJavaUpdateSched" /f
Reg: Reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32 /v "Wondershare Helper Compact.exe" /f
Reg: Reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32 /v "Live Update" /f
Reg: Reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32 /v "Adobe Reader Speed Launcher" /f
Reg: Reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32 /v "GammingApp" /f
Reg: Reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32 /v "Dropbox" /f
Reg: Reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32 /v "molitormolitor" /f
Reg: Reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32 /v "molitorfairplay" /f
Reg: Reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32 /v "molitor" /f
Reg: Reg delete HKU\S-1-5-21-1752756485-4272382108-162662000-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\StartupFolder /v "Steam.lnk" /f
Reg: Reg delete HKU\S-1-5-21-1752756485-4272382108-162662000-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\StartupFolder /v "Zenimax_Launcher.lnk" /f
Reg: Reg delete HKU\S-1-5-21-1752756485-4272382108-162662000-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\StartupFolder /v "fennfenn.lnk" /f
Reg: Reg delete HKU\S-1-5-21-1752756485-4272382108-162662000-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\StartupFolder /v "fenn.lnk" /f
Reg: Reg delete HKU\S-1-5-21-1752756485-4272382108-162662000-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v "OneDrive" /f
Reg: Reg delete HKU\S-1-5-21-1752756485-4272382108-162662000-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v "GoogleDriveSync" /f
Reg: Reg delete HKU\S-1-5-21-1752756485-4272382108-162662000-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v "Skype" /f
Reg: Reg delete HKU\S-1-5-21-1752756485-4272382108-162662000-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v "Spotify" /f
Reg: Reg delete HKU\S-1-5-21-1752756485-4272382108-162662000-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v "Spotify Web Helper" /f
Reg: Reg delete HKU\S-1-5-21-1752756485-4272382108-162662000-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v "Steam" /f
Reg: Reg delete HKU\S-1-5-21-1752756485-4272382108-162662000-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v "Gyazo" /f
Reg: Reg delete HKU\S-1-5-21-1752756485-4272382108-162662000-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v "AlcoholAutomount" /f
Reg: Reg delete HKU\S-1-5-21-1752756485-4272382108-162662000-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v "iCloudServices" /f
Reg: Reg delete HKU\S-1-5-21-1752756485-4272382108-162662000-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v "Discord" /f
Reg: Reg delete HKU\S-1-5-21-1752756485-4272382108-162662000-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v "NetLimiter" /f
Reg: Reg delete HKU\S-1-5-21-1752756485-4272382108-162662000-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v "iFunBox" /f
Reg: Reg delete HKU\S-1-5-21-1752756485-4272382108-162662000-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v "SuperF4" /f
Reg: Reg delete HKU\S-1-5-21-1752756485-4272382108-162662000-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v "GoogleChromeAutoLaunch_78333027A490755E982386F08F70094B" /f
Reg: Reg delete HKU\S-1-5-21-1752756485-4272382108-162662000-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v "Chromium" /f
Reg: Reg delete HKU\S-1-5-21-1752756485-4272382108-162662000-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v "Vivaldi Update Notifier" /f
Reg: Reg delete HKU\S-1-5-21-1752756485-4272382108-162662000-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v "SandboxieControl" /f
Reg: Reg delete HKU\S-1-5-21-1752756485-4272382108-162662000-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v "Speech Recognition" /f
Reg: Reg delete HKU\S-1-5-21-1752756485-4272382108-162662000-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v "BitTorrent" /f
Reg: Reg delete HKU\S-1-5-21-1752756485-4272382108-162662000-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v "uTorrent" /f
Reg: Reg delete HKU\S-1-5-21-1752756485-4272382108-162662000-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v "themis" /f
Reg: Reg delete HKU\S-1-5-21-1752756485-4272382108-162662000-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v "futherfuther" /f
Reg: Reg delete HKU\S-1-5-21-1752756485-4272382108-162662000-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v "futherflagged" /f
Reg: Reg delete HKU\S-1-5-21-1752756485-4272382108-162662000-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v "futher" /f
Reg: Reg delete HKU\S-1-5-21-1752756485-4272382108-162662000-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v "fairplayfairplay" /f
Reg: Reg delete HKU\S-1-5-21-1752756485-4272382108-162662000-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v "fairplaymolitor" /f
Reg: Reg delete HKU\S-1-5-21-1752756485-4272382108-162662000-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v "fairplay" /f
End:::

  • Right click on the highlighted text and select Copy.
  • Start FRST (FRST64) with Administrator privileges
  • Press the Fix button. FRST will process the lines copied above from the clipboard.
  • When finished, a log file (Fixlog.txt) will pop up and be saved in the same location the tool was run from.

Please copy and paste its contents in your next reply.
Run FRST once again.

  • Make sure that under Optional Scans, there is a checkmark on Addition.txt.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also produce another log (Addition.txt). Please attach this to your reply.

Edited by JSntgRvr, 05 April 2018 - 08:34 PM.
Modified Fix

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
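The fix above deletes values under Explorer\StartupApproved\Run, Run32 and StartupFolder. Those keys do not launch anything themselves; they only record whether each startup item is switched on or off in Task Manager's Startup tab, so an unfamiliar name there (futher, fairplay, themis, molitor and the like) is a pointer to a Run-key or Startup-folder entry that also needs attention, not the persistence itself. The following PowerShell is an added example, not code from the thread or from FRST, that enumerates those keys for the current user and the machine and decodes the state byte (0x02 enabled, 0x03 disabled, with a FILETIME of when it was disabled) so the entries can be reviewed before anything is deleted:

```powershell
# Added example (not part of the thread): enumerate Windows startup items whose
# enable/disable state is tracked under Explorer\StartupApproved and decode it.
# Run from an elevated PowerShell to read the HKLM entries as well as HKCU.
# Value data is REG_BINARY: byte 0 is 0x02 (enabled) or 0x03 (disabled);
# when disabled, bytes 4..11 hold a FILETIME recording when it was turned off.

function Get-StartupApprovedState {
    [CmdletBinding()]
    param()

    $subKeys = 'Run', 'Run32', 'StartupFolder'
    $hives = @(
        @{ Name = 'HKLM'; Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved' },
        @{ Name = 'HKCU'; Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved' }
    )

    foreach ($hive in $hives) {
        foreach ($sub in $subKeys) {
            $keyPath = Join-Path $hive.Path $sub
            if (-not (Test-Path -LiteralPath $keyPath)) { continue }
            $key = Get-Item -LiteralPath $keyPath

            foreach ($name in $key.GetValueNames()) {
                $raw = $key.GetValue($name)
                # Skip anything that is not the expected binary blob.
                if ($raw -isnot [byte[]] -or $raw.Length -lt 1) { continue }

                $state = switch ($raw[0]) {
                    2       { 'Enabled' }
                    3       { 'Disabled' }
                    default { 'Unknown (0x{0:X2})' -f $raw[0] }
                }

                $disabledAt = $null
                if ($raw[0] -eq 3 -and $raw.Length -ge 12) {
                    $fileTime = [BitConverter]::ToInt64($raw, 4)
                    if ($fileTime -gt 0) { $disabledAt = [DateTime]::FromFileTimeUtc($fileTime) }
                }

                [pscustomobject]@{
                    Hive       = $hive.Name
                    Key        = $sub
                    Name       = $name
                    State      = $state
                    DisabledAt = $disabledAt
                }
            }
        }
    }
}

# Usage: list everything, then only the items Windows will still launch at logon.
Get-StartupApprovedState | Format-Table -AutoSize
Get-StartupApprovedState | Where-Object { $_.State -eq 'Enabled' }
```

Reviewing this output next to the corresponding Run keys and the Startup folder shows which entries a startup-approval toggle actually refers to; deleting the StartupApproved value alone, as the fix does for the unfamiliar names, resets the toggle but leaves any matching Run-key value or .lnk in place, which is why the helper pairs these lines with the rest of the fix and asks for fresh FRST.txt and Addition.txt logs afterwards.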


#14 negzersqu

negzersqu
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:24 AM

Posted 05 April 2018 - 08:29 PM

Ok, done. Should also mention Courthouses is still here. Very tame, I only have to close out of it once and it stays closed (may have relied on Abu, which is no longer on the system).

Attached Files



#15 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,227 posts
  • ONLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:10:24 AM

Posted 05 April 2018 - 08:38 PM

I am sorry. I modified the fix above. Please run it again and post new logs.


Edited by JSntgRvr, 05 April 2018 - 08:38 PM.





