Avast WEBforum

Other => Viruses and worms => Topic started by: REDACTED on October 22, 2016, 12:45:58 PM

Title: Infected PC
Post by: REDACTED on October 22, 2016, 12:45:58 PM
Hi, so I suspect my PC is infected via flash drive, but the said flash drive has been scanned (no threats found) and then reformatted. I added new files into it; see the attached picture. I also did an earlier scan with Avast with default parameters, but no threats were found, and with Malwarebytes, but the problem still persists. As of posting, I am running a smart scan with the parameters in the 2nd pic. (http://i65.tinypic.com/fjnkzo.png)
(http://i64.tinypic.com/1zdprpz.png)
Title: Re: Infected PC
Post by: Eddy on October 22, 2016, 12:49:00 PM
https://forum.avast.com/index.php?topic=53253.0
Title: Re: Infected PC
Post by: REDACTED on October 22, 2016, 01:10:12 PM
Here are the logs so far, based on the link that was provided.
Title: Re: Infected PC
Post by: dbrisendine on October 23, 2016, 08:57:59 AM

(https://sites.google.com/site/cannedfixes/farbar-recovery-scan-tool/FRST.gif) Fix with Farbar Recovery Scan Tool
(https://sites.google.com/site/cannedfixes/home/hosted-images-formatting/icon_exclaim.gif) This fix was created for this user for use on that particular machine. (https://sites.google.com/site/cannedfixes/home/hosted-images-formatting/icon_exclaim.gif)
(https://sites.google.com/site/cannedfixes/home/hosted-images-formatting/icon_exclaim.gif) Running it on another one may cause damage and render the system unstable. (https://sites.google.com/site/cannedfixes/home/hosted-images-formatting/icon_exclaim.gif)
Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

Please attach it to your reply.

How is the system running now?
Title: Re: Infected PC
Post by: REDACTED on October 23, 2016, 03:20:38 PM
How can I tell if the system is running okay now?
The only instance where I could tell that my computer was infected is by inserting a flash drive (aside from that, no threats are being detected), but I'm not sure if the flash drives I have are clean. (I reformatted them all because the first pic happened; I plugged them in again, added files, then the same thing happened.)

If I use McShield and plug in my flash drives right now, will my PC be safe?
Title: Re: Infected PC
Post by: Eddy on October 23, 2016, 03:31:55 PM
There is a reason why the instructions say to install McShield ;)
Title: Re: Infected PC
Post by: REDACTED on October 23, 2016, 03:50:34 PM
So McShield said no malware was detected, but the flash drive's content is still the same as in the first pic (the flash drive opened automatically. :( )

Edit:
So I tried to be brave and opened the flash drive again after the scan was made, and now it has a "drive" folder in it.
(http://i65.tinypic.com/idatkp.png)
(http://i65.tinypic.com/2uonjug.png)
Title: Re: Infected PC
Post by: dbrisendine on October 23, 2016, 11:45:15 PM
Please start FRST, which should be on your desktop, by right clicking on it and selecting "Run as Administrator". Once it finishes loading and tells you it is ready to run, click the Scan button and wait for the log to open. This time it should only make a FRST.txt file; please attach that here for my review.
Title: Re: Infected PC
Post by: REDACTED on October 24, 2016, 08:13:22 AM
Here's the log.
Title: Re: Infected PC
Post by: REDACTED on October 24, 2016, 08:44:44 AM
So I inserted another flash drive just to check and used McShield.
Malware was detected the first time. It was a .exe setup copied from the PC days before. I deleted it and then ejected the drive.
Inserted it again; McShield detected another .exe setup as malicious, and I proceeded to delete that one too.
Inserted it a 3rd time; the same thing happened.
There are at least 4 installers copied onto the flash drive.
Here's the log.

Meanwhile, Avast and Malwarebytes detected nothing.
Title: Re: Infected PC
Post by: Pondus on October 24, 2016, 09:03:28 AM
Because of some forum issue, MCShield logs look like Chinese when attached, so this log must be copied and pasted.

Title: Re: Infected PC
Post by: REDACTED on October 24, 2016, 09:08:45 AM
>>> MCShield AllScans.txt <<<

-----------------------------

MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

>>> v 3.0.5.28 / DB: 2016.2.21.1 / Windows 8.1 <<<

10/23/2016 9:45:02 PM > Drive C: - scan started (no label ~931 GB, NTFS HDD )...

=> The drive is clean.

10/23/2016 9:45:07 PM > Drive D: - scan started (no label ~unknown size, FAT HDD )...

=> The drive is clean.

MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

>>> v 3.0.5.28 / DB: 2016.2.21.1 / Windows 8.1 <<<

10/23/2016 9:46:01 PM > Drive H: - scan started (LAME ~7703 MB, FAT32 flash drive )...

=> The drive is clean.

MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

>>> v 3.0.5.28 / DB: 2016.2.21.1 / Windows 8.1 <<<

10/23/2016 9:49:52 PM > Drive H: - scan started (LAME ~7703 MB, FAT32 flash drive )...

=> The drive is clean.

MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

>>> v 3.0.5.28 / DB: 2016.2.21.1 / Windows 8.1 <<<

10/24/2016 2:07:58 PM > Drive C: - scan started (no label ~931 GB, NTFS HDD )...

=> The drive is clean.

10/24/2016 2:07:59 PM > Drive D: - scan started (no label ~unknown size, FAT HDD )...

=> The drive is clean.

MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

>>> v 3.0.5.28 / DB: 2016.2.21.1 / Windows 8.1 <<<

10/24/2016 2:19:26 PM > Drive H: - scan started (LAME ~7703 MB, FAT32 flash drive )...

=> The drive is clean.

MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

>>> v 3.0.5.28 / DB: 2016.2.21.1 / Windows 8.1 <<<

10/24/2016 2:24:01 PM > Drive H: - scan started (LAME ~7703 MB, FAT32 flash drive )...

=> The drive is clean.

MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

>>> v 3.0.5.28 / DB: 2016.2.21.1 / Windows 8.1 <<<

10/24/2016 2:27:20 PM > Drive E: - scan started (no label ~7664 MB, FAT32 flash drive )...

>>> E:\spekwin32_install_en_1.72.2.exe - Malware > Deleted. (16.10.24. 14.28 spekwin32_install_en_1.72.2.exe.297375; MD5: 7005d281cb518583fc988d0e915317ff)

>>> E:\Everything Research\spekwin32_install_en_1.72.2.exe - Malware > Deleted. (16.10.24. 14.28 spekwin32_install_en_1.72.2.exe.997474; MD5: 7005d281cb518583fc988d0e915317ff)

=> Malicious files   : 2/2 deleted.

____________________________________________

::::: Scan duration: (Interactive mode) ::::
____________________________________________

MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

>>> v 3.0.5.28 / DB: 2016.2.21.1 / Windows 8.1 <<<

10/24/2016 2:29:21 PM > Drive H: - scan started (LAME ~7703 MB, FAT32 flash drive )...

=> The drive is clean.

MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

>>> v 3.0.5.28 / DB: 2016.2.21.1 / Windows 8.1 <<<

10/24/2016 2:29:49 PM > Drive E: - scan started (no label ~7664 MB, FAT32 flash drive )...

>>> E:\IRPalSetup.exe - Malware > Deleted. (16.10.24. 14.30 IRPalSetup.exe.292187; MD5: 4c9dde5a6ca5753b7d54c553384edbc9)

>>> E:\Everything Research\IRPalSetup.exe - Malware > Deleted. (16.10.24. 14.30 IRPalSetup.exe.318367; MD5: 4c9dde5a6ca5753b7d54c553384edbc9)

=> Malicious files   : 2/2 deleted.

____________________________________________

::::: Scan duration: (Interactive mode) ::::
____________________________________________

MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

>>> v 3.0.5.28 / DB: 2016.2.21.1 / Windows 8.1 <<<

10/24/2016 2:32:53 PM > Drive E: - scan started (no label ~7664 MB, FAT32 flash drive )...

>>> E:\Everything Research\Origin2016Sr2No_H\setup.exe - Malware > Deleted. (16.10.24. 14.33 setup.exe.313427; MD5: bfef7d0d6e8047265ca91d573aae677c)

>>> E:\Everything Research\Research\setup.exe - Malware > Deleted. (16.10.24. 14.33 setup.exe.857536; MD5: bfef7d0d6e8047265ca91d573aae677c)

>>> E:\Origin2016Sr2No_H\setup.exe - Malware > Deleted. (16.10.24. 14.33 setup.exe.929220; MD5: bfef7d0d6e8047265ca91d573aae677c)

>>> E:\Research\setup.exe - Malware > Deleted. (16.10.24. 14.33 setup.exe.271618; MD5: bfef7d0d6e8047265ca91d573aae677c)

=> Malicious files   : 4/4 deleted.

____________________________________________

::::: Scan duration: (Interactive mode) ::::
____________________________________________


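A small parser for the AllScans.txt layout pasted above, added here as an example and not part of the original thread or of MCShield itself: it splits the log into per-drive scans, pulls out each detection's path, action and MD5, and flags a scan whose "Malicious files" summary does not match its detection lines. The embedded sample is a constructed excerpt using lines copied from the posted log.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt in the AllScans.txt layout above (paths and MD5 copied from the posted log).
SAMPLE_LOG = r"""MCShield ::Anti-Malware Tool:: http://www.mcshield.net/
>>> v 3.0.5.28 / DB: 2016.2.21.1 / Windows 8.1 <<<
10/24/2016 2:27:20 PM > Drive E: - scan started (no label ~7664 MB, FAT32 flash drive )...
>>> E:\spekwin32_install_en_1.72.2.exe - Malware > Deleted. (16.10.24. 14.28 spekwin32_install_en_1.72.2.exe.297375; MD5: 7005d281cb518583fc988d0e915317ff)
>>> E:\Everything Research\spekwin32_install_en_1.72.2.exe - Malware > Deleted. (16.10.24. 14.28 spekwin32_install_en_1.72.2.exe.997474; MD5: 7005d281cb518583fc988d0e915317ff)
=> Malicious files   : 2/2 deleted.
10/24/2016 2:29:21 PM > Drive H: - scan started (LAME ~7703 MB, FAT32 flash drive )...
=> The drive is clean.
"""

SCAN_RE = re.compile(r"^(\d+/\d+/\d+ \d+:\d+:\d+ [AP]M) > Drive ([A-Z]:) - scan started \((.*)\)\.\.\.$")
DETECT_RE = re.compile(r"^>>> (.+?) - Malware > (\w+)\. \(.*MD5: ([0-9a-fA-F]{32})\)$")
SUMMARY_RE = re.compile(r"^=> Malicious files\s*: (\d+)/(\d+) deleted\.$")

@dataclass
class DriveScan:
    started: str
    drive: str
    detections: list = field(default_factory=list)  # (path, action, md5) per detection line
    reported: tuple = None  # (deleted, total) from the "Malicious files" summary line
    clean: bool = False

def parse_allscans(text):
    """Split AllScans.txt into per-drive scans; banner and version lines are skipped."""
    scans, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        if m := SCAN_RE.match(line):
            cur = DriveScan(m.group(1), m.group(2))
            scans.append(cur)
        elif cur is None:
            continue  # nothing before the first scan header belongs to a drive
        elif m := DETECT_RE.match(line):
            cur.detections.append((m.group(1), m.group(2), m.group(3).lower()))
        elif m := SUMMARY_RE.match(line):
            cur.reported = (int(m.group(1)), int(m.group(2)))
        elif line == "=> The drive is clean.":
            cur.clean = True
    return scans

def unique_hashes(scans):
    """Distinct MD5s to look up or block; repeats mean one file was copied into several folders."""
    return sorted({md5 for s in scans for _, _, md5 in s.detections})

def inconsistent(scans):
    """Scans whose summary disagrees with their detection lines (truncated or edited logs)."""
    return [s for s in scans if (s.clean and s.detections) or (s.reported and s.reported[1] != len(s.detections))]
```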
Title: Re: Infected PC
Post by: dbrisendine on October 24, 2016, 09:17:59 AM
Speckwin32 and/or Origin 2016 is infected (as are most in-demand files that are downloaded with / from uTorrent). Either the files that were downloaded were already infected, or there are some infectors attached to the file(s). The hash from the files deleted by MCShield leads to Origin2016 (https://www.virustotal.com/en/file/38c7ca5ec86d167a345ccea822f8c89a51fe96f947675246cc06fdee5ad17736/analysis/).

Your call, but I would remove those programs or get legitimate copies of them. If they are legal and legitimate then you may have to contact their respective support channels to get non-malware copies (it has been known for files to have been tampered with by hackers without the respective companies being aware of the fact).
Title: Re: Infected PC
Post by: REDACTED on October 24, 2016, 09:34:39 AM
They are legitimate copies. I have downloaded them straight from their respective websites. Origin is a 30 day trial version since I don't want to purchase programs that I won't really be using that much. I was in direct contact with the developer of speckwin32, who gave me a non-commercial full version of the program.
Both programs are also currently installed on my PC.
I copied their setups to my flash drive to avoid the hassle of redownloading them to my laptop (the possibility of my laptop being infected is high).
My theory is that my PC must have already been infected when I copied those files. I started suspecting the infection when a third flash drive was inserted last Saturday and all the files in it were ruined; aside from that, I had no idea. I just thought my drive was broken since Malwarebytes detected nothing.

I have already removed them from the drive. Do I have to remove them from my PC, or are they fine now after the fix?
Also, will you take a look at my laptop? If I don't check it and it is indeed infected, then I'm risking a repeat infection. I will post logs in a bit.
Title: Re: Infected PC
Post by: Eddy on October 24, 2016, 09:43:54 AM
Please copy/paste the content of that batch file here.
Let's see what it is supposed to do.
Title: Re: Infected PC
Post by: REDACTED on October 24, 2016, 09:45:52 AM
Which batch file?
Title: Re: Infected PC
Post by: Eddy on October 24, 2016, 09:47:39 AM
The one on the usb stick.
Title: Re: Infected PC
Post by: dbrisendine on October 24, 2016, 09:54:43 AM
Usually we ask for separate threads for each system, but since this seems to be a related infection please post the laptop files here, but add "laptop" to the log names (you may have to do a Save as ... in Notepad).

And the contents of that batch file on the USB drive would be very informative.
Title: Re: Infected PC
Post by: REDACTED on October 24, 2016, 10:17:57 AM
I can't seem to find any batch files (.bat, .cmd, .btm) in it, or I may have no idea what to look for.
Title: Re: Infected PC
Post by: Eddy on October 24, 2016, 10:38:18 AM
It does show in your images.
Could be you need to enable "show hidden files and folders".
Title: Re: Infected PC
Post by: REDACTED on October 24, 2016, 10:50:44 AM
Ah, I see.
It no longer shows on my PC, but I inserted a drive into my laptop and it's back.

(http://i63.tinypic.com/wk0602.png)

Quote
cd Drive
start wscript "776\pdsxhav.js"
exit

That's the content.

Also, I can't seem to install Malwarebytes on my laptop.
(http://i67.tinypic.com/2gwuu86.png)

Edit:

I can't install anything. Even Farbar won't run. It opens for a second then closes again. I made sure to run as admin (and there are no other users on this laptop).

(http://i63.tinypic.com/2d6o07c.png)

(http://i66.tinypic.com/124g4ts.png)
Title: Re: Infected PC
Post by: REDACTED on October 24, 2016, 11:44:55 AM
Here's another one from the third USB stick.

Quote
cd Drive
start wscript "838\mhbne.js"
exit

(http://i65.tinypic.com/wc01fb.png)

Both folders contain a JS file that looks like gibberish to me.
Here's one of them.

(http://i67.tinypic.com/1127sq9.png)

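A defender-side check for the launcher pattern shown in the two quoted batch files (a `cd` into a folder, then `start wscript` on a .js inside a numbered subfolder), added here as an example and not part of the original thread or any tool mentioned in it. It walks a mounted stick, parses every .bat/.cmd for that shape, and reports which script each launcher points at and whether that script is present; the sample stick it builds is a constructed replica of the layout in the screenshots, with an assumed launcher name (open.bat) and an inert placeholder in place of the real .js.

```python
import os
import re
import tempfile
from pathlib import Path

# Launcher shape from the sticks in this thread: "cd <folder>" then "start wscript" on a .js inside it.
CD_RE = re.compile(r'^\s*cd\s+"?([^"\r\n]+?)"?\s*$', re.I)
WSCRIPT_RE = re.compile(
    r'^\s*start\s+(?:""\s+)?(?:wscript|cscript)(?:\.exe)?\s+"?([^"\r\n]+?\.(?:js|jse|vbs|vbe|wsf))"?', re.I)
BATCH_EXT = {".bat", ".cmd"}

def launcher_targets(batch_text, batch_dir):
    """Return the script paths a batch file would hand to wscript, following its cd lines."""
    cwd = Path(batch_dir)
    targets = []
    for line in batch_text.splitlines():
        m = CD_RE.match(line)
        if m:
            cwd = cwd / m.group(1).strip()  # the launcher changes into the hidden folder first
            continue
        m = WSCRIPT_RE.match(line)
        if m:
            targets.append(cwd / m.group(1).replace("\\", os.sep))
    return targets

def scan_removable_root(root):
    """Walk a mounted stick and report each batch launcher with the script it points at."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in BATCH_EXT:
            continue
        for target in launcher_targets(path.read_text(errors="replace"), path.parent):
            findings.append({"launcher": str(path.relative_to(root)),
                             "script": str(target), "present": target.is_file()})
    return findings

def build_sample_stick():
    """Constructed replica of the layout in the screenshots; the .js body is inert filler."""
    root = Path(tempfile.mkdtemp(prefix="stick_"))
    (root / "Drive" / "776").mkdir(parents=True)
    (root / "Drive" / "776" / "pdsxhav.js").write_text("// constructed placeholder, not the real script\n")
    (root / "Drive" / "notes.docx").write_text("user document moved into the folder")
    # launcher file name is assumed; the thread shows its contents, not its name
    (root / "open.bat").write_text('cd Drive\r\nstart wscript "776\\pdsxhav.js"\r\nexit\r\n')
    return root

if __name__ == "__main__":
    for hit in scan_removable_root(build_sample_stick()):
        print(hit)
```

Any launcher whose referenced script is missing still deserves attention: it means the .js was already removed while the hidden launcher and folder were left behind.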
Title: Re: Infected PC
Post by: Eddy on October 24, 2016, 04:09:55 PM
The batch file + JavaScript are the culprit.
https://www.virustotal.com/en/file/cf4e4ff772986a87ccce3162e8e120003a21a33832173ba8c4650f2fe5735bc0/analysis/1477318103/
Title: Re: Infected PC
Post by: REDACTED on October 25, 2016, 05:09:47 AM
McShield doesn't detect those as malicious when I inserted the stick back into the PC to clean it.
Title: Re: Infected PC
Post by: Eddy on October 25, 2016, 09:08:28 AM
Disable the automatic showing/opening of removable media.
Attach the usb stick and format it right away.
Title: Re: Infected PC
Post by: REDACTED on October 25, 2016, 10:34:38 AM
How do I fix my laptop then?
Title: Re: Infected PC
Post by: Eddy on October 25, 2016, 10:38:15 AM
Same way as you did with the pc.
Provide the log files and let one of the listed malware removers help you.
Title: Re: Infected PC
Post by: REDACTED on October 25, 2016, 11:20:47 AM
I can't install anything on it. I've provided screenshots of the dialogue boxes that pop up whenever I try to run the installers.
Title: Re: Infected PC
Post by: Eddy on October 25, 2016, 11:43:29 AM
Use a live cd/dvd/usb stick and run the tools from there, something like
https://forum.avast.com/index.php?topic=53253.0 > "If you cannot Boot the computer"
Title: Re: Infected PC
Post by: REDACTED on October 29, 2016, 07:25:14 AM
I also cannot run OTLPENet.exe. It opens abruptly then closes.
Title: Re: Infected PC
Post by: dbrisendine on October 29, 2016, 10:54:57 AM
If you have access to a clean system and USB stick (drive) then you can do the following:

Download the following three programmes to your desktop:

1. Rufus (http://rufus.akeo.ie/)

For 64bit systems
2. Windows 8.1 64bit RC - sent link to you in PM; not to be shared, your use only
3. Farbar Recovery Scan Tool x64 (http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/)

Insert the USB stick, then run Rufus
(https://dl.dropbox.com/u/73555776/RufusISO.JPG)

Select the ISO file on the desktop via the ISO icon.

Press Start Burn.

Then copy FRST to the same USB
(http://dl.dropbox.com/u/73555776/frstwintoboot.JPG)

Insert the USB into the sick computer and start the computer, first ensuring that the system is set to boot from USB.
Note: If you are not sure how to do that, follow the instructions Here (http://lifehacker.com/5991848/how-to-boot-from-a-cd-or-usb-drive-on-any-pc)

Windows 8 screen shots

When you reboot you will see this.

Select the language on this screen and keyboard on the next
(https://dl.dropbox.com/u/73555776/select%20language8.JPG)

Select the Troubleshoot option
(https://dl.dropbox.com/u/73555776/Select%20option8.JPG)

Select Advanced option
(https://dl.dropbox.com/u/73555776/advanced8.JPG)

Select Command prompt
(https://dl.dropbox.com/u/73555776/command%208.JPG)

At the command prompt type the following:
(https://dl.dropbox.com/u/73555776/notepad.JPG)

The notepad opens. Under the File menu select Open.
Select "Computer" and find your flash drive letter, then close the notepad.
In the command window type e:\frst64.exe and press Enter.
Note: Replace letter e with the drive letter of your flash drive.
The tool will start to run.
When the tool opens click Yes to the disclaimer.
(https://dl.dropboxusercontent.com/u/73555776/frst.JPG)
Press the Scan button.
It will make a log (FRST.txt) on the flash drive. Please copy and attach / paste it to your reply.
Title: Re: Infected PC
Post by: REDACTED on November 18, 2016, 06:17:20 AM
Sorry, it took me a while.
Title: Re: Infected PC
Post by: dbrisendine on November 18, 2016, 09:12:38 AM
That's OK; I seem to be able to stay busy elsewhere...  Anyway, run this Fixlist, post the Fixlog.txt file and tell me how your system is running now.  Thanks.


(https://sites.google.com/site/cannedfixes/farbar-recovery-scan-tool/FRST.gif) Fix with Farbar Recovery Scan Tool
(https://sites.google.com/site/cannedfixes/home/hosted-images-formatting/icon_exclaim.gif) This fix was created for this user for use on that particular machine. (https://sites.google.com/site/cannedfixes/home/hosted-images-formatting/icon_exclaim.gif)
(https://sites.google.com/site/cannedfixes/home/hosted-images-formatting/icon_exclaim.gif) Running it on another one may cause damage and render the system unstable. (https://sites.google.com/site/cannedfixes/home/hosted-images-formatting/icon_exclaim.gif)
Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

Please attach it to your reply.