Trojan.MSIL.Crypt.dowu
decay said:

Hello citizens =) I've launched an infected file accidentally. I was like 99% sure that it's an infected one, but my hand wasn't acting by my will. Fu hand :<

So. I had already launched Task Manager, so I almost immediately found and terminated one suspicious process.

It was steamerrorreporter.exe (https://www.virustotal.com/en/file/13d11a439a52db9d2b5c023937228879fb37e74ebd6e75209e164ee17a77f11c/analysis/) located in %AppData%\Local\Temp

Then I downloaded, installed and ran Malwarebytes and started a scan (rootkits included).

[SPOILER="log"]
Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 5/16/17
Scan Time: 4:33 AM
Log File:
Administrator: Yes

-Software Information-
Version: 3.1.2.1733
Components Version: 1.0.122
Update Package Version: 1.0.1947
License: Trial

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Decadance\Decay

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 299038
Threats Detected: 77
Threats Quarantined: 21
Time Elapsed: 4 min, 25 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

-Scan Details-
Process: 1
Trojan.Agent, C:\PROGRAMDATA\WinDefender.exe, Quarantined, [24], [224889],1.0.1947

Module: 1
Trojan.Agent, C:\PROGRAMDATA\WinDefender.exe, Quarantined, [24], [224889],1.0.1947

Registry Key: 20
PUP.Optional.AuslogicsBoostSpeed, HKLM\SOFTWARE\WOW6432NODE\AUSLOGICS\BoostSpeed, No Action By User, [1697], [341837],1.0.1947
PUP.Optional.AuslogicsDiskDefrag, HKLM\SOFTWARE\CLASSES\CLSID\{278029E0-2347-4254-A65E-204AC55E2508}, No Action By User, [1954], [380634],1.0.1947
PUP.Optional.AuslogicsDiskDefrag, HKLM\SOFTWARE\CLASSES\CLSID\{278029E0-2347-4254-A65E-204AC55E2508}\InprocServer32, No Action By User, [1954], [380634],1.0.1947
PUP.Optional.AuslogicsDiskDefrag, HKLM\SOFTWARE\CLASSES\TYPELIB\{FE9301D5-9266-4A2F-8767-85482115CAB0}, No Action By User, [1954], [380634],1.0.1947
PUP.Optional.AuslogicsDiskDefrag, HKLM\SOFTWARE\CLASSES\INTERFACE\{DCC049B0-CA04-4E58-B4C8-CE62AC6F5096}, No Action By User, [1954], [380634],1.0.1947
PUP.Optional.AuslogicsDiskDefrag, HKLM\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{DCC049B0-CA04-4E58-B4C8-CE62AC6F5096}, No Action By User, [1954], [380634],1.0.1947
PUP.Optional.AuslogicsDiskDefrag, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{DCC049B0-CA04-4E58-B4C8-CE62AC6F5096}, No Action By User, [1954], [380634],1.0.1947
PUP.Optional.AuslogicsDiskDefrag, HKLM\SOFTWARE\WOW6432NODE\CLASSES\TYPELIB\{FE9301D5-9266-4A2F-8767-85482115CAB0}, No Action By User, [1954], [380634],1.0.1947
PUP.Optional.AuslogicsDiskDefrag, HKLM\SOFTWARE\CLASSES\WOW6432NODE\TYPELIB\{FE9301D5-9266-4A2F-8767-85482115CAB0}, No Action By User, [1954], [380634],1.0.1947
PUP.Optional.AuslogicsDiskDefrag, HKLM\SOFTWARE\CLASSES\APPID\{278029E0-2347-4254-A65E-204AC55E2508}, No Action By User, [1954], [380634],1.0.1947
PUP.Optional.AuslogicsDiskDefrag, HKLM\SOFTWARE\WOW6432NODE\CLASSES\APPID\{278029E0-2347-4254-A65E-204AC55E2508}, No Action By User, [1954], [380634],1.0.1947
PUP.Optional.AuslogicsDiskDefrag, HKLM\SOFTWARE\CLASSES\WOW6432NODE\APPID\{278029E0-2347-4254-A65E-204AC55E2508}, No Action By User, [1954], [380634],1.0.1947
PUP.Optional.AuslogicsDiskDefrag, HKLM\SOFTWARE\CLASSES\DISKDOCTORCHECKER.DISKCHECKER, No Action By User, [1954], [380634],1.0.1947
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\RSTRUI.EXE, Quarantined, [676], [249729],1.0.1947
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\RSTRUI.EXE, Quarantined, [676], [249729],1.0.1947
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSCONFIG.EXE, Quarantined, [676], [249460],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{56DB5FD1-9CD7-439D-8AC9-0305D3AB4EB5}, Quarantined, [1697], [383082],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{7216871F-869E-437C-B9BF-2A13F2DCE63F}_is1, Quarantined, [1697], [341838],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\AUSLOGICS\BoostSpeed, Quarantined, [1697], [383076],1.0.1947
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSCONFIG.EXE, Quarantined, [676], [249460],1.0.1947

Registry Value: 7
PUM.Optional.LowRiskFileTypes, HKU\S-1-5-21-2757016799-914875450-2991146613-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\ASSOCIATIONS|LOWRISKFILETYPES, Quarantined, [15326], [251589],1.0.1947
PUP.Optional.AuslogicsDiskDefrag, HKLM\SOFTWARE\CLASSES\DISKDOCTORCHECKER.DISKCHECKER|, No Action By User, [1954], [380634],1.0.1947
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\RSTRUI.EXE|DEBUGGER, Quarantined, [676], [249729],1.0.1947
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\RSTRUI.EXE|DEBUGGER, Quarantined, [676], [249729],1.0.1947
RiskWare.IFEOHijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSCONFIG.EXE|DEBUGGER, Quarantined, [676], [249460],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{56DB5FD1-9CD7-439D-8AC9-0305D3AB4EB5}|PATH, Quarantined, [1697], [383082],1.0.1947
RiskWare.IFEOHijack, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSCONFIG.EXE|DEBUGGER, Quarantined, [676], [249460],1.0.1947

Registry Data: 3
PUM.Optional.DisableCMDPrompt, HKU\S-1-5-21-2757016799-914875450-2991146613-1000\SOFTWARE\POLICIES\MICROSOFT\WINDOWS\SYSTEM|DISABLECMD, Replaced, [16390], [293304],1.0.1947
PUM.Optional.DisableTaskMgr, HKU\S-1-5-21-2757016799-914875450-2991146613-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM|DISABLETASKMGR, Replaced, [16401], [293320],1.0.1947
PUM.Optional.DisableRegistryTools, HKU\S-1-5-21-2757016799-914875450-2991146613-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM|DISABLEREGISTRYTOOLS, No Action By User, [16393], [293310],1.0.1947

Data Stream: 0
(No malicious items detected)

Folder: 11
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\RescueHidden\BoostSpeed, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\Rescue\Tweak Manager, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\Rescue\BoostSpeed, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\IgnoredLists, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\RescueHidden, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\Rescue, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\Logs, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\PROGRAMDATA\Auslogics\BoostSpeed, No Action By User, [1697], [341833],1.0.1947
Trojan.StolenData, C:\USERS\DECAY\APPDATA\ROAMING\IMMINENT\LOGS, Quarantined, [1075], [250104],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\WINDOWS\SYSTEM32\TASKS\AUSLOGICS\BOOSTSPEED, Quarantined, [1697], [341836],1.0.1947

File: 34
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\IgnoredLists\SvcMgr_User.igl, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\IgnoredLists\TRE_User.igl, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\Logs\BoostSpeedLogic.log, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\Logs\InternetOptimizerStatistics.log, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\Logs\TweakManagerStatistics.log, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\Rescue\BoostSpeed\170515003242014.rsc, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\Rescue\BoostSpeed\170515003307306.rsc, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\Rescue\BoostSpeed\170515003325217.rsc, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\Rescue\BoostSpeed\170515003332343.rsc, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\Rescue\BoostSpeed\170515003340691.rsc, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\Rescue\BoostSpeed\170515003346103.rsc, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\Rescue\BoostSpeed\170515003400159.rsc, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\Rescue\BoostSpeed\170515003415581.rsc, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\Rescue\BoostSpeed\170515003638295.rsc, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\Rescue\BoostSpeed\170515150307762.rsc, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\Rescue\BoostSpeed\170515150307843.rsc, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\Rescue\BoostSpeed\170515150307855.rsc, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\Rescue\BoostSpeed\170515150308262.rsc, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\Rescue\BoostSpeed\170515150308345.rsc, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\Rescue\BoostSpeed\170515150308358.rsc, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\Rescue\Tweak Manager\170515004218204.rsc, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\Rescue\Tweak Manager\170515004232426.rsc, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\Rescue\Tweak Manager\170515004457456.rsc, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\Rescue\Tweak Manager\170515004545084.rsc, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\Rescue\Tweak Manager\170515004610312.rsc, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\Rescue\Tweak Manager\170515004750443.rsc, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\Rescue\Tweak Manager\170515004810616.rsc, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\Rescue\Tweak Manager\170515015129591.rsc, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\RescueHidden\BoostSpeed\170515150234855.rsc, No Action By User, [1697], [341833],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\ProgramData\Auslogics\BoostSpeed\9.x\StatDB.json, No Action By User, [1697], [341833],1.0.1947
Trojan.StolenData, C:\USERS\DECAY\APPDATA\ROAMING\IMMINENT\LOGS\16-05-2017, Quarantined, [1075], [250104],1.0.1947
Trojan.Agent, C:\PROGRAMDATA\WinDefender.exe, Removal Failed, [24], [224889],1.0.1947
PUP.Optional.AuslogicsDiskDefrag, D:\SOFT\AUSLOGICSBOOSTSPEED\DISKDOCTORCHECKER.X64.DLL, No Action By User, [1954], [380634],1.0.1947
PUP.Optional.AuslogicsBoostSpeed, C:\Windows\System32\Tasks\Auslogics\BoostSpeed\Scan and Repair, Quarantined, [1697], [341836],1.0.1947

Physical Sector: 0
(No malicious items detected)


(end)
[/SPOILER]

It found C:\PROGRAMDATA\WinDefender.exe that was launched, idk how I missed this one.

And we found the %APPDATA%\ROAMING\IMMINENT directory =) Also I found BrTf1LX.exe in %temp%.

Also I found out that my task manager/msconfig/regedit etc. were disabled ))) Malwarebytes fixed it, so never mind.

What I did next: quarantined these files, did a reboot, launched a full scan again and... and found WinDefender.exe at the old place <: It wasn't running according to taskm, but I was unable to delete it, so I decided that Malwarebytes blocked it (idk), so I went to sleep.

The next day I quarantined and removed it. Then... Since I did know the exact time I started all of this, I decided to find all freshly created/modified files.

So I started a search via Total Commander. I found a Windows task that launches WinDefender.exe, and checked when it last ran.

It was 17:02, so I started another chaotic search through C:\

I found this
[SPOILER="shot"]
http://speedcap.net/sharing/files/79/b4/79b49622d342f7c859ae636bd39a021e.png
[/SPOILER]

These folders look suspicious to me because of their date, 11/05/2017. I did install Windows two days ago, on 14/05, wtf!

I also did some Google research and found this article: TSPY_HEYE.C - Threat Encyclopedia - Trend Micro USA (https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/tspy_heye.c)

Some familiar files there: BrTf1LX.exe (not .ink), Imminent\Geo.dat, Logs\...

And I did step #3 (removed the msvideo thread from the registry).

I tried to track its actions in a VBOX environment, but it seems it has vbox/sandbox detection, so it does nothing <:

I'm afraid that there are some leftovers. I'm waiting for any help. Thanks.

FRST.txt (https://pastebin.com/6uYdXSCU) Addition.txt (https://pastebin.com/AyCwWPat)

malwr.com analysis report (https://malwr.com/analysis/ZTExNzk0NDM4NjhhNGZlOGEyYjE0NzQ0MGMwNmUyZTM/)

Also I scanned with TDSSKiller and roguekiller.
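A read-only PowerShell audit, added here as an example and not part of decay's post, that re-checks the three mechanisms the Malwarebytes log above reports: IFEO Debugger entries (the RiskWare.IFEOHijack hits on RSTRUI.EXE and MSCONFIG.EXE), the per-user policy values that disabled Task Manager, regedit and cmd.exe (the PUM.Optional.Disable* lines), and scheduled tasks whose action runs from ProgramData, AppData or Temp (the task that kept relaunching C:\ProgramData\WinDefender.exe). The registry paths are the ones in the log; the choice of policy values, the user-writable path pattern and the PowerShell 3.0+ / elevated-console requirement are my assumptions.

```powershell
# Read-only audit of the artifacts the Malwarebytes log above reports.
# Added example, not code from the original post. Assumes PowerShell 3.0+
# in an elevated console; it only reports and changes nothing.

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding($Type, $Where, $Value) {
    $findings.Add([PSCustomObject]@{ Type = $Type; Where = $Where; Value = $Value })
}

# 1. IFEO "Debugger" hijack. A Debugger value under
#    Image File Execution Options\<program>.exe makes Windows start the named
#    debugger whenever <program>.exe is launched, which is how rstrui.exe and
#    msconfig.exe ended up unusable in the log above. Developer tools set
#    this legitimately, so each hit is something to verify, not auto-delete.
$ifeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)
foreach ($root in $ifeoRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    foreach ($key in Get-ChildItem -LiteralPath $root) {
        $dbg = (Get-ItemProperty -LiteralPath $key.PSPath).Debugger
        if ($dbg) { Add-Finding 'IFEO Debugger' "$root\$($key.PSChildName)" $dbg }
    }
}

# 2. Policy values the log reports as PUM.Optional.*. A non-zero DWORD here
#    is what turned off Task Manager, regedit and cmd.exe for the user (the
#    HKU\S-1-5-21-...-1000 hive in the log is the logged-on user's HKCU).
#    LowRiskFileTypes is a string: extensions listed there skip the
#    "open file" security warning.
$policyChecks = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools' },
    @{ Key = 'HKCU:\Software\Policies\Microsoft\Windows\System'; Name = 'DisableCMD' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Associations'; Name = 'LowRiskFileTypes' }
)
foreach ($c in $policyChecks) {
    if (-not (Test-Path -LiteralPath $c.Key)) { continue }
    $v = (Get-ItemProperty -LiteralPath $c.Key).($c.Name)
    if ($null -ne $v -and "$v" -ne '0' -and "$v" -ne '') {
        Add-Finding 'Policy' "$($c.Key)\$($c.Name)" $v
    }
}

# 3. Scheduled tasks whose action lives in a user-writable location, like the
#    task that relaunched C:\ProgramData\WinDefender.exe after each reboot.
#    schtasks /V /FO CSV repeats its header row once per task folder, so those
#    rows are skipped before matching. (Assumed pattern; widen it as needed.)
$userWritable = '(?i)\\(ProgramData|AppData|Temp)\\'
$tasks = schtasks.exe /Query /FO CSV /V 2>$null | ConvertFrom-Csv
foreach ($t in $tasks) {
    if ($t.TaskName -eq 'TaskName') { continue }
    if ($t.'Task To Run' -match $userWritable) {
        Add-Finding 'Scheduled task' $t.TaskName $t.'Task To Run'
    }
}

if ($findings.Count -eq 0) {
    'No IFEO debuggers, tool-disabling policies or suspicious task actions found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Run it before and after cleanup: a hit that reappears after a reboot, as WinDefender.exe did here, points at a persistence mechanism that has not been removed yet.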