I just accidentally ran malware on my real system, not in VMware. About 8 files, I think. Without any antivirus, unfortunately.
I need to have a check because this is really new malware and MBAM is maybe not detecting everything.
Logs are attached, except for aswMBR.
So, wait, why did you have malware on your system, and without an active antivirus?
I was playing around with malware in a VM and accidentally had the folder on the Desktop open, and I ran it there.
Avast is off because the system would lag really badly when it's on; it is also installed and running in the VM, by the way.
I killed all memory processes as soon as I noticed; only one broken Autorun was set, so nothing too major.
Steven Winderlich, post 3:
I was playing around with malware in a VM and accidentally had the folder on the Desktop open, and I ran it there.
Avast is off because the system would lag really badly when it's on; it is also installed and running in the VM, by the way.
I killed all memory processes as soon as I noticed; only one broken Autorun was set, so nothing too major.
Oh OK, makes sense. But I still wouldn't suggest mucking about with malware in a VM unless you know what you are doing. And I still don't see why Avast would slow down the system unless you have less than 1 GB of RAM. Anyway, hopefully one of the malware experts will be here to help you.
It should be mostly off; I want to make sure that I got everything.
I have 6 gigs of RAM here; I don't know why it is lagging so badly then.
Hello Steven,
You have an IFEO blacklist:
O27:64bit: - HKLM IFEO\converter.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2014\TUAutoReactivator64.exe (TuneUp Software)
O27:64bit: - HKLM IFEO\creative cloud.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2014\TUAutoReactivator64.exe (TuneUp Software)
O27:64bit: - HKLM IFEO\databasecompare.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2014\TUAutoReactivator64.exe (TuneUp Software)
O27:64bit: - HKLM IFEO\excel.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2014\TUAutoReactivator64.exe (TuneUp Software)
O27:64bit: - HKLM IFEO\infopath.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2014\TUAutoReactivator64.exe (TuneUp Software)
O27:64bit: - HKLM IFEO\lync.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2014\TUAutoReactivator64.exe (TuneUp Software)
O27:64bit: - HKLM IFEO\misc.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2014\TUAutoReactivator64.exe (TuneUp Software)
O27:64bit: - HKLM IFEO\msaccess.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2014\TUAutoReactivator64.exe (TuneUp Software)
O27:64bit: - HKLM IFEO\msoev.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2014\TUAutoReactivator64.exe (TuneUp Software)
O27:64bit: - HKLM IFEO\msotd.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2014\TUAutoReactivator64.exe (TuneUp Software)
O27:64bit: - HKLM IFEO\msoxmled.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2014\TUAutoReactivator64.exe (TuneUp Software)
O27:64bit: - HKLM IFEO\mspub.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2014\TUAutoReactivator64.exe (TuneUp Software)
O27:64bit: - HKLM IFEO\mydriveconnect.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2014\TUAutoReactivator64.exe (TuneUp Software)
O27:64bit: - HKLM IFEO\ocpubmgr.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2014\TUAutoReactivator64.exe (TuneUp Software)
O27:64bit: - HKLM IFEO\onenote.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2014\TUAutoReactivator64.exe (TuneUp Software)
O27:64bit: - HKLM IFEO\outlook.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2014\TUAutoReactivator64.exe (TuneUp Software)
O27:64bit: - HKLM IFEO\photoshop.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2014\TUAutoReactivator64.exe (TuneUp Software)
O27:64bit: - HKLM IFEO\powerpnt.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2014\TUAutoReactivator64.exe (TuneUp Software)
O27:64bit: - HKLM IFEO\quicktimeplayer.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2014\TUAutoReactivator64.exe (TuneUp Software)
O27:64bit: - HKLM IFEO\spreadsheetcompare.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2014\TUAutoReactivator64.exe (TuneUp Software)
O27:64bit: - HKLM IFEO\teamviewer.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2014\TUAutoReactivator64.exe (TuneUp Software)
O27:64bit: - HKLM IFEO\unchecky.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2014\TUAutoReactivator64.exe (TuneUp Software)
O27:64bit: - HKLM IFEO\uninstall mydriveconnect.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2014\TUAutoReactivator64.exe (TuneUp Software)
O27:64bit: - HKLM IFEO\uninstall.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2014\TUAutoReactivator64.exe (TuneUp Software)
O27:64bit: - HKLM IFEO\winword.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2014\TUAutoReactivator64.exe (TuneUp Software)
O27 - HKLM IFEO\converter.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2014\TUAutoReactivator64.exe (TuneUp Software)
O27 - HKLM IFEO\creative cloud.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2014\TUAutoReactivator64.exe (TuneUp Software)
O27 - HKLM IFEO\databasecompare.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2014\TUAutoReactivator64.exe (TuneUp Software)
O27 - HKLM IFEO\excel.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2014\TUAutoReactivator64.exe (TuneUp Software)
O27 - HKLM IFEO\infopath.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2014\TUAutoReactivator64.exe (TuneUp Software)
O27 - HKLM IFEO\lync.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2014\TUAutoReactivator64.exe (TuneUp Software)
O27 - HKLM IFEO\misc.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2014\TUAutoReactivator64.exe (TuneUp Software)
O27 - HKLM IFEO\msaccess.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2014\TUAutoReactivator64.exe (TuneUp Software)
O27 - HKLM IFEO\msoev.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2014\TUAutoReactivator64.exe (TuneUp Software)
O27 - HKLM IFEO\msotd.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2014\TUAutoReactivator64.exe (TuneUp Software)
O27 - HKLM IFEO\msoxmled.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2014\TUAutoReactivator64.exe (TuneUp Software)
O27 - HKLM IFEO\mspub.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2014\TUAutoReactivator64.exe (TuneUp Software)
O27 - HKLM IFEO\mydriveconnect.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2014\TUAutoReactivator64.exe (TuneUp Software)
O27 - HKLM IFEO\ocpubmgr.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2014\TUAutoReactivator64.exe (TuneUp Software)
O27 - HKLM IFEO\onenote.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2014\TUAutoReactivator64.exe (TuneUp Software)
O27 - HKLM IFEO\outlook.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2014\TUAutoReactivator64.exe (TuneUp Software)
O27 - HKLM IFEO\photoshop.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2014\TUAutoReactivator64.exe (TuneUp Software)
O27 - HKLM IFEO\powerpnt.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2014\TUAutoReactivator64.exe (TuneUp Software)
O27 - HKLM IFEO\quicktimeplayer.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2014\TUAutoReactivator64.exe (TuneUp Software)
O27 - HKLM IFEO\spreadsheetcompare.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2014\TUAutoReactivator64.exe (TuneUp Software)
O27 - HKLM IFEO\teamviewer.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2014\TUAutoReactivator64.exe (TuneUp Software)
O27 - HKLM IFEO\unchecky.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2014\TUAutoReactivator64.exe (TuneUp Software)
O27 - HKLM IFEO\uninstall mydriveconnect.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2014\TUAutoReactivator64.exe (TuneUp Software)
O27 - HKLM IFEO\uninstall.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2014\TUAutoReactivator64.exe (TuneUp Software)
O27 - HKLM IFEO\winword.exe: Debugger - C:\Program Files (x86)\TuneUp Utilities 2014\TUAutoReactivator64.exe (TuneUp Software)
Not Normal : [2014.05.19 19:57:38 | 000,000,000 | RHSD | C] -- C:\Users\Steven Winderlich\ddujzn885gz (Read, Hidden, System and Directory)
TECHNIC!! [2014.04.20 15:11:22 | 002,346,942 | ---- | C] () -- C:\TechnicLauncher.exe
You may or may not have ZA.
Are you aware of what DarkKomet is? Backdoor.DarkKomet, C:\Program Files (x86)\update3.exe, In Quarantäne, [0af60bf509f740c02412037a9a675ca4],
You also appear to have a VBS infection (removable media?), which would go along with this report looking for mounted drives. Trojan.Agent.AIVB, C:\Users\Steven Winderlich\ddujzn885gz\91983.vbs, In Quarantäne, [3fc12fd1e7193ac62653ff9a9d65936d],
O33 - MountPoints2{0046c9e9-5ec0-11e3-bea1-74e5437c955c}\Shell - "" = AutoRun
O33 - MountPoints2{0046c9e9-5ec0-11e3-bea1-74e5437c955c}\Shell\AutoRun\command - "" = "E:\AutoRun.exe"
O33 - MountPoints2{0046caa3-5ec0-11e3-bea1-74e5437c955c}\Shell - "" = AutoRun
O33 - MountPoints2{0046caa3-5ec0-11e3-bea1-74e5437c955c}\Shell\AutoRun\command - "" = "E:\AutoRun.exe"
Regardless, did you PM a remover? Or should I?
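Added here as an editor's example, not code from the thread or from OTL, MBAM or FRST: a read-only PowerShell audit that enumerates the same two persistence points the O27 and O33 lines above come from, the IFEO Debugger values (native and WOW6432Node views, which I assume are what OTL reports as the O27:64bit and O27 entries) and the per-user MountPoints2 AutoRun commands, so each one can be matched against known software such as TuneUp before anything is removed. The registry paths are the standard Windows ones; the "Exists" column and the 32/64-bit labelling are my own additions.

```powershell
# Added example, not from the thread. Read-only audit of the two persistence
# points shown in the OTL log above: IFEO "Debugger" redirections (O27) and
# MountPoints2 AutoRun commands (O33). Nothing is modified.

$ifeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    # WOW6432Node view, assumed to correspond to the non-64bit O27 lines in OTL
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)
$mountPoints = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'

function Get-IfeoDebugger {
    # Each IFEO subkey is an image name; a Debugger value makes Windows start
    # that program (with the image as its argument) instead of the image itself.
    foreach ($root in $ifeoRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
            $dbg = (Get-ItemProperty -LiteralPath $key.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
            if (-not $dbg) { continue }
            # Strip quotes/arguments to check that the debugger binary still exists;
            # a dangling Debugger value silently breaks the target application.
            $exe = $dbg.Trim('"')
            if ($exe -match '^(.+?\.exe)') { $exe = $Matches[1] }
            [pscustomobject]@{
                Image    = $key.PSChildName
                Debugger = $dbg
                Exists   = Test-Path -LiteralPath $exe
                View     = if ($root -like '*WOW6432Node*') { '32-bit' } else { '64-bit' }
            }
        }
    }
}

function Get-MountPointAutoRun {
    # MountPoints2 caches per-volume shell verbs; an AutoRun\command that points
    # at a removable drive (E:\AutoRun.exe above) is the classic USB-worm trace.
    if (-not (Test-Path -LiteralPath $mountPoints)) { return }
    foreach ($vol in Get-ChildItem -LiteralPath $mountPoints -ErrorAction SilentlyContinue) {
        $cmdKey = $vol.PSPath + '\Shell\AutoRun\command'
        if (-not (Test-Path -LiteralPath $cmdKey)) { continue }
        [pscustomobject]@{
            Volume  = $vol.PSChildName
            Command = (Get-ItemProperty -LiteralPath $cmdKey -ErrorAction SilentlyContinue).'(default)'
        }
    }
}

Get-IfeoDebugger | Sort-Object Debugger | Format-Table -AutoSize
Get-MountPointAutoRun | Format-Table -AutoSize
```

Run it from an elevated PowerShell on the affected machine and compare the Debugger and Command columns with the O27/O33 lines; an entry whose debugger is not a known optimiser or debugger, or whose target file no longer exists, is the one to look at first.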
You can PM a remover if you want, please. That DarkKomet is from the malware I ran; it wasn't there before. The VBS should also be the malware I ran. I cannot tell if the VBS junk was there before, but I don't think so. I only used an external hard drive before I ran the malware. It hasn't been connected since then.
Hi,
Please download Farbar Recovery Scan Tool and save it to your desktop.
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system; that will be the right version.
- Double-click to run it. When the tool opens, click Yes to the disclaimer.
- Press the Scan button.
- It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply.
- The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
Thank you, Twin! Also, Steven, change your passwords from a clean computer (school, work). For any online banking, call them and notify them that your passwords have potentially been hacked.
Will do this when I'm back home. I'm at school now.
Have you used some kind of software to set extension policy restrictions?
Download attached fixlist.txt to your Desktop.
NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.
Run FRST/FRST64, press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you about an outdated version, please download and run the updated version.
PC seems clean to me; how is the computer now?