Solved Trojan.MSIL.Crypt.dowu

decay (New Member, thread author)
May 25, 2017
Russia
Hello citizens =) I launched an infected file accidentally. I was like 99% sure that it was an infected one, but my hand didn't act by my will. Fu hand :<

So. I had already launched Task Manager, so I almost immediately found and terminated one suspicious process.

It was steamerrorreporter.exe, located in %AppData%\Local\Temp

Then I downloaded, installed and ran Malwarebytes and started a scan (rootkits included).

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 5/16/17
Scan Time: 4:33 AM
Log File:
Administrator: Yes

-Software Information-
Version: 3.1.2.1733
Components Version: 1.0.122
Update Package Version: 1.0.1947
License: Trial

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Decadance\Decay

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 299038
Threats Detected: 77
Threats Quarantined: 21
Time Elapsed: 4 min, 25 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

-Scan Details-
Process: 1
Trojan.Agent, C:\PROGRAMDATA\WinDefender.exe, Quarantined, [24], [224889],1.0.1947

Module: 1
Trojan.Agent, C:\PROGRAMDATA\WinDefender.exe, Quarantined, [24], [224889],1.0.1947

Registry Key: 20
PUP.Optional.AuslogicsBoostSpeed, HKLM\SOFTWARE\WOW6432NODE\AUSLOGICS\BoostSpeed, No Action By User, [1697], [341837],1.0.1947
PUP.Optional.AuslogicsDiskDefrag, HKLM\SOFTWARE\CLASSES\CLSID\{278029E0-2347-4254-A65E-204AC55E2508}, No Action By User, [1954], [380634],1.0.1947
PUP.Optional.AuslogicsDiskDefrag, HKLM\SOFTWARE\CLASSES\CLSID\{278029E0-2347-4254-A65E-204AC55E2508}\InprocServer32, No Action By User, [1954], [380634],1.0.1947
PUP.Optional.AuslogicsDiskDefrag, HKLM\SOFTWARE\CLASSES\TYPELIB\{FE9301D5-9266-4A2F-8767-85482115CAB0}, No Action By User, [1954], [380634],1.0.1947
PUP.Optional.AuslogicsDiskDefrag, HKLM\SOFTWARE\CLASSES\INTERFACE\{DCC049B0-CA04-4E58-B4C8-CE62AC6F5096}, No Action By User, [1954], [380634],1.0.1947
PUP.Optional.AuslogicsDiskDefrag, HKLM\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{DCC049B0-CA04-4E58-B4C8-CE62AC6F5096}, No Action By User, [1954], [380634],1.0.1947
PUP.Optional.AuslogicsDiskDefrag, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{DCC049B0-CA04-4E58-B4C8-CE62AC6F5096}, No Action By User, [1954], [380634],1.0.1947
PUP.Optional.AuslogicsDiskDefrag, HKLM\SOFTWARE\WOW6432NODE\CLASSES\TYPELIB\{FE9301D5-9266-4A2F-8767-85482115CAB0}, No Action By User, [1954], [380634],1.0.1947
PUP.Optional.AuslogicsDiskDefrag, HKLM\SOFTWARE\CLASSES\WOW6432NODE\TYPELIB\{FE9301D5-9266-4A2F-8767-85482115CAB0}, No Action By User, [1954], [380634],1.0.1947
PUP.Optional.AuslogicsDiskDefrag, HKLM\SOFTWARE\CLASSES\APPID\{278029E0-2347-4254-A65E-204AC55E2508}, No Action By User, [1954], [380634],1.0.1947
PUP.Optional.AuslogicsDiskDefrag, HKLM\SOFTWARE\WOW6432NODE\CLASSES\APPID\{278029E0-2347-4254-A65E-204AC55E2508}, No Action By User, [1954], [380634],1.0.1947
PUP.Optional.AuslogicsDiskDefrag, HKLM\SOFTWARE\CLASSES\WOW6432NODE\APPID\{278029E0-2347-4254-A65E-204AC55E2508}, No Action By User, [1954], [380634],1.0.1947
PUP.Optional.AuslogicsDiskDefrag, HKLM\SOFTWARE\CLASSES\DISKDOCTORCHECKER.DISKCHECKER, No Action By User, [1954], [380634],1.0.1947
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\RSTRUI.EXE, Quarantined, [676], [249729],1.0.1947
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\RSTRUI.EXE, Quarantined, [676], [249729],1.0.1947
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSCONFIG.EXE, Quarantined, [676], [249460],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{56DB5FD1-9CD7-439D-8AC9-0305D3AB4EB5}, Quarantined, [1697], [383082],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{7216871F-869E-437C-B9BF-2A13F2DCE63F}_is1, Quarantined, [1697], [341838],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\AUSLOGICS\BoostSpeed, Quarantined, [1697], [383076],1.0.1947
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSCONFIG.EXE, Quarantined, [676], [249460],1.0.1947

Registry Value: 7
PUM.Optional.LowRiskFileTypes, HKU\S-1-5-21-2757016799-914875450-2991146613-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\ASSOCIATIONS|LOWRISKFILETYPES, Quarantined, [15326], [251589],1.0.1947
PUP.Optional.AuslogicsDiskDefrag, HKLM\SOFTWARE\CLASSES\DISKDOCTORCHECKER.DISKCHECKER|, No Action By User, [1954], [380634],1.0.1947
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\RSTRUI.EXE|DEBUGGER, Quarantined, [676], [249729],1.0.1947
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\RSTRUI.EXE|DEBUGGER, Quarantined, [676], [249729],1.0.1947
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSCONFIG.EXE|DEBUGGER, Quarantined, [676], [249460],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{56DB5FD1-9CD7-439D-8AC9-0305D3AB4EB5}|PATH, Quarantined, [1697], [383082],1.0.1947
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSCONFIG.EXE|DEBUGGER, Quarantined, [676], [249460],1.0.1947

Registry Data: 3
PUM.Optional.DisableCMDPrompt, HKU\S-1-5-21-2757016799-914875450-2991146613-1000\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SYSTEM|DISABLECMD, Replaced, [16390], [293304],1.0.1947
PUM.Optional.DisableTaskMgr, HKU\S-1-5-21-2757016799-914875450-2991146613-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM|DISABLETASKMGR, Replaced, [16401], [293320],1.0.1947
PUM.Optional.DisableRegistryTools, HKU\S-1-5-21-2757016799-914875450-2991146613-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM|DISABLEREGISTRYTOOLS, No Action By User, [16393], [293310],1.0.1947

Data Stream: 0
(No malicious items detected)

Folder: 11
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\RescueHidden\BoostSpeed, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\Rescue\Tweak Manager, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\Rescue\BoostSpeed, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\IgnoredLists, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\RescueHidden, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\Rescue, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\Logs, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\PROGRAMDATA\Auslogics\BoostSpeed, No Action By User, [1697], [341833],1.0.1947
Trojan.StolenData, C:\USERS\DECAY\APPDATA\ROAMING\IMMINENT\LOGS, Quarantined, [1075], [250104],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\WINDOWS\SYSTEM32\TASKS\AUSLOGICS\BOOSTSPEED, Quarantined, [1697], [341836],1.0.1947

File: 34
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\IgnoredLists\SvcMgr_User.igl, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\IgnoredLists\TRE_User.igl, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\Logs\BoostSpeedLogic.log, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\Logs\InternetOptimizerStatistics.log, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\Logs\TweakManagerStatistics.log, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\Rescue\BoostSpeed\170515003242014.rsc, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\Rescue\BoostSpeed\170515003307306.rsc, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\Rescue\BoostSpeed\170515003325217.rsc, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\Rescue\BoostSpeed\170515003332343.rsc, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\Rescue\BoostSpeed\170515003340691.rsc, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\Rescue\BoostSpeed\170515003346103.rsc, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\Rescue\BoostSpeed\170515003400159.rsc, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\Rescue\BoostSpeed\170515003415581.rsc, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\Rescue\BoostSpeed\170515003638295.rsc, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\Rescue\BoostSpeed\170515150307762.rsc, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\Rescue\BoostSpeed\170515150307843.rsc, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\Rescue\BoostSpeed\170515150307855.rsc, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\Rescue\BoostSpeed\170515150308262.rsc, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\Rescue\BoostSpeed\170515150308345.rsc, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\Rescue\BoostSpeed\170515150308358.rsc, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\Rescue\Tweak Manager\170515004218204.rsc, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\Rescue\Tweak Manager\170515004232426.rsc, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\Rescue\Tweak Manager\170515004457456.rsc, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\Rescue\Tweak Manager\170515004545084.rsc, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\Rescue\Tweak Manager\170515004610312.rsc, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\Rescue\Tweak Manager\170515004750443.rsc, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\Rescue\Tweak Manager\170515004810616.rsc, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\Rescue\Tweak Manager\170515015129591.rsc, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\RescueHidden\BoostSpeed\170515150234855.rsc, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\StatDB.json, No Action By User, [1697], [341833],1.0.1947
Trojan.StolenData, C:\USERS\DECAY\APPDATA\ROAMING\IMMINENT\LOGS\16-05-2017, Quarantined, [1075], [250104],1.0.1947
Trojan.Agent, C:\PROGRAMDATA\WinDefender.exe, Removal Failed, [24], [224889],1.0.1947
PUP.Optional.AuslogicsDiskDefrag, D:\SOFT\AUSLOGICSBOOSTSPEED\DISKDOCTORCHECKER.X64.DLL, No Action By User, [1954], [380634],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\Windows\System32\Tasks\Auslogics\BoostSpeed\Scan and Repair, Quarantined, [1697], [341836],1.0.1947

Physical Sector: 0
(No malicious items detected)


(end)

It found C:\PROGRAMDATA\WinDefender.exe, which was launched; idk how I missed this one.

And we found the %APPDATA%\ROAMING\IMMINENT directory =) Also I found BrTf1LX.exe in %temp%.

Also I found out that my Task Manager/msconfig/regedit etc. were disabled ))) Malwarebytes fixed it, so never mind.

What I did next: quarantined these files, rebooted, launched a full scan again and... and found WinDefender.exe in the old place <: It wasn't running according to Task Manager, but I was unable to delete it, so I decided that Malwarebytes had blocked it (idk), so I went to sleep.

The next day I quarantined and removed it. Then... Since I knew the exact time I started all of this, I decided to find all freshly created/modified files.

So I started a search via Total Commander. I found a Windows task that launches WinDefender.exe and checked when it last ran.

It was 17:02, so I started another chaotic search through C:\

I found this (attached screenshot: 79b49622d342f7c859ae636bd39a021e.png)

These folders look suspicious to me because of their date, 11/05/2017. I installed Windows two days ago, on 14/05, wtf!

I also did some Google research and found this article: TSPY_HEYE.C - Threat Encyclopedia - Trend Micro USA

Some familiar files there: BrTf1LX.exe (not .ink), Imminent\Geo.dat, Logs\...

And I did step #3 (removed the msvideo thread from the registry).

I tried to track its actions in a VBox environment, but it seems it has VBox/sandbox detection, so it does nothing <:

I'm afraid that there are some leftovers. I'm waiting for any help. Thanks.

Attachments: FRST.txt, Addition.txt

malwr.com analysis report

Also I scanned with TDSSKiller and RogueKiller.

This looks suspicious:

R2 wuauserv; C:\Windows\system32\wuaueng2.dll [2651136 2017-05-11] (Microsoft Corporation) [File not signed]

Can you scan it on VirusTotal?
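A triage script I would run after this kind of cleanup to re-check the persistence points the Malwarebytes log and the FRST line above show: the IFEO Debugger values on rstrui.exe/msconfig.exe, the DisableTaskMgr/DisableRegistryTools/DisableCMD policies, the task that launches WinDefender.exe, and the signature status plus SHA-256 of wuaueng2.dll for a VirusTotal hash lookup. It is added here as an example and is not from the thread or from any tool named in it; it assumes PowerShell 2.0 or later on an English-language Windows 7, because it reads the schtasks CSV column names.

```powershell
# Added triage script; not from the thread or from Malwarebytes/FRST. Assumes PowerShell 2.0+
# on an English Windows 7 (the schtasks CSV column names are localized on other languages).
# Paths come from the Malwarebytes log and the FRST line quoted in the thread.
$ifeoRoots = @('HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
               'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options')

# 1. IFEO hijack: a Debugger value under <exe> makes Windows start that path instead of the exe.
foreach ($root in $ifeoRoots) {
    foreach ($exe in 'rstrui.exe', 'msconfig.exe', 'taskmgr.exe', 'regedit.exe') {
        $key = Join-Path $root $exe
        if (Test-Path $key) {
            $dbg = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).Debugger
            if ($dbg) { "IFEO hijack: $key  Debugger = $dbg" }
        }
    }
}

# 2. Policies the log shows were set to lock the user out of Task Manager, regedit and cmd.
$policies = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools' },
    @{ Path = 'HKCU:\Software\Policies\Microsoft\Windows\System';                Name = 'DisableCMD' }
)
foreach ($p in $policies) {
    $v = (Get-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue).($p.Name)
    if ($v) { "Lockout policy still set: $($p.Path)\$($p.Name) = $v" }
}

# 3. Scheduled tasks whose action points at the dropped binary (the poster found one by hand).
schtasks /query /fo CSV /v | ConvertFrom-Csv |
    Where-Object { $_.'Task To Run' -match 'WinDefender\.exe' } |
    ForEach-Object { "Task: $($_.TaskName)  runs $($_.'Task To Run')  last run $($_.'Last Run Time')" }

# 4. Signature status and SHA-256 of the files in question, so they can be looked up on
#    VirusTotal by hash without uploading anything.
foreach ($f in 'C:\Windows\system32\wuaueng2.dll', 'C:\ProgramData\WinDefender.exe') {
    if (Test-Path $f) {
        $status = (Get-AuthenticodeSignature -FilePath $f).Status
        $bytes  = [IO.File]::ReadAllBytes($f)
        $sha256 = ([BitConverter]::ToString([Security.Cryptography.SHA256]::Create().ComputeHash($bytes))) -replace '-', ''
        "$f  signature=$status  sha256=$sha256"
    }
}
```

Run it from an elevated PowerShell prompt; on a 64-bit system use the 64-bit PowerShell so that the System32 path is not redirected to SysWOW64.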