CMD activity after mail.ru browser hijacker...

Hi there. o/

Try as I might, I can’t completely remove a mail.ru infection. I’ve cleared the browser hijacker as far as I know, as I no longer get any new-tab pop-ups etc., however I’m getting some cmd activity often. I run Malwarebytes, remove the infected items and scan again to be sure; within a few hours Malwarebytes will pick up the same infected items.

I appreciate any help, thanks in advance.

Attached mbam.txt, FRST.txt, Addition.txt and cmd_activity.jpg, thanks again.

  • Open Notepad (click Start button → type notepad.exe → press Enter)
  • Copy text from code block below and paste it into Notepad
C:\$AV_ASW
2017-12-07 02:05 - 2017-09-29 13:42 - 000000070 _____ () D:\Users\LCARTER\AppData\Local\BDLeYKo
2017-09-29 13:42 - 2017-09-29 13:42 - 000000070 _____ () D:\Users\LCARTER\AppData\Local\BDLeYKo.bat
2017-12-07 02:05 - 2017-09-29 13:42 - 000000071 _____ () D:\Users\LCARTER\AppData\Local\eOaaQIxlTj
2017-09-29 13:42 - 2017-09-29 13:42 - 000000071 _____ () D:\Users\LCARTER\AppData\Local\eOaaQIxlTj.bat
2017-12-07 02:05 - 2017-09-29 13:42 - 000001155 _____ () D:\Users\LCARTER\AppData\Local\ODBrYWkWn
2017-09-29 13:42 - 2017-09-29 13:42 - 000001155 _____ () D:\Users\LCARTER\AppData\Local\ODBrYWkWn.bat
2017-11-25 22:05 - 2017-11-26 22:08 - 000007606 _____ () D:\Users\LCARTER\AppData\Local\Resmon.ResmonCfg
2017-12-07 02:05 - 2017-12-07 02:05 - 000000001 _____ () D:\Users\LCARTER\AppData\Local\WMI.ini
2017-12-07 02:05 - 2017-09-29 13:42 - 000001146 _____ () D:\Users\LCARTER\AppData\Local\ZvOkFBDPXc
2017-09-29 13:42 - 2017-09-29 13:42 - 000001146 _____ () D:\Users\LCARTER\AppData\Local\ZvOkFBDPXc.bat
Task: {4951A69A-D70E-4367-B03E-B4AF509091E3} - System32\Tasks\ChCsSZWr => D:\Users\LCARTER\AppData\Local\BDLeYKo.bat [2017-09-29] () <==== ATTENTION
Task: {4962C29A-5F42-4851-BA4E-197A089C25E4} - System32\Tasks\ZqCQrfBW => D:\Users\LCARTER\AppData\Local\eOaaQIxlTj.bat [2017-09-29] () <==== ATTENTION
EmptyTemp:
  • Go to File → Save As
  • Make sure that UTF-8 is selected as Encoding (left side of Save button)
  • Save it as fixlist.txt on Desktop
  • Open again FRST and click on button Fix
  • Wait until FRST finishes
  • fixlog.txt should be generated and opened. Attach it to your post and wait for further instructions.
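As an added illustration (not part of this thread and not FRST's own tooling), here is a small Python triage script for the persistence pattern visible in the log above: scheduled tasks with random names that launch .bat files from AppData\Local, recorded with no publisher, sitting next to extensionless copies of the same size. The log text it parses is a constructed sample modelled on the shape of the entries quoted above; the "Example Vendor" tasks and their all-zero GUIDs are invented placeholders used only to show what is not flagged.

```python
"""Triage helper for FRST logs: flag scheduled tasks that launch scripts
from user-writable paths, and find extensionless twins of .bat files.
Added example, not FRST's or the forum's own code."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# "Task: {GUID} - System32\Tasks\Name => target [date] (publisher) ..."
TASK_RE = re.compile(
    r"^Task: \{(?P<guid>[0-9A-Fa-f-]+)\} - (?P<name>.+?) => "
    r"(?P<target>.+?) \[(?P<date>[\d-]+)\] \((?P<publisher>[^)]*)\)"
)
# "modified - created - size attrs (company) path" as in the "One month" file lists
FILE_RE = re.compile(
    r"^(?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d) - (?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) - "
    r"(?P<size>\d+) (?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<path>.+)$"
)

SCRIPT_EXTS = (".bat", ".cmd", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".ps1", ".hta")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")

# Constructed sample log: first lines mirror the thread's entries, the
# "Example Vendor" tasks and zero GUIDs are placeholders, not real software.
SAMPLE_LOG = r"""
2017-12-07 02:05 - 2017-09-29 13:42 - 000000070 _____ () D:\Users\LCARTER\AppData\Local\BDLeYKo
2017-09-29 13:42 - 2017-09-29 13:42 - 000000070 _____ () D:\Users\LCARTER\AppData\Local\BDLeYKo.bat
2017-11-25 22:05 - 2017-11-26 22:08 - 000007606 _____ () D:\Users\LCARTER\AppData\Local\Resmon.ResmonCfg
2017-12-07 02:05 - 2017-12-07 02:05 - 000000001 _____ () D:\Users\LCARTER\AppData\Local\WMI.ini
Task: {4951A69A-D70E-4367-B03E-B4AF509091E3} - System32\Tasks\ChCsSZWr => D:\Users\LCARTER\AppData\Local\BDLeYKo.bat [2017-09-29] () <==== ATTENTION
Task: {00000000-0000-0000-0000-000000000001} - System32\Tasks\ExampleUpdater => C:\Program Files (x86)\Example Vendor\Update\updater.exe [2017-08-01] (Example Vendor Inc.)
Task: {00000000-0000-0000-0000-000000000002} - System32\Tasks\ExampleSigned => C:\Program Files\Example\run.bat [2017-11-20] (Example Vendor Inc.)
"""


def parse_tasks(log_text: str) -> List[Dict[str, str]]:
    """Extract 'Task:' lines into dicts with guid, name, target, date, publisher."""
    return [m.groupdict() for line in log_text.splitlines() if (m := TASK_RE.match(line))]


def suspicion_reasons(task: Dict[str, str]) -> List[str]:
    """Return the heuristics a task trips; an empty list means 'looks benign'."""
    target = task["target"].lower()
    reasons = []
    if target.endswith(SCRIPT_EXTS):
        reasons.append("launches a script file")
    if any(marker in target for marker in USER_WRITABLE):
        reasons.append("target lives in a user-writable path")
    if not task["publisher"].strip():
        reasons.append("no publisher recorded")
    return reasons


def triage_tasks(log_text: str, min_reasons: int = 2) -> List[Tuple[str, str, List[str]]]:
    """Tasks tripping at least min_reasons heuristics, as (task name, target, reasons).
    A signed vendor .bat in Program Files trips one heuristic only and is not returned."""
    hits = []
    for task in parse_tasks(log_text):
        reasons = suspicion_reasons(task)
        if len(reasons) >= min_reasons:
            hits.append((task["name"], task["target"], reasons))
    return hits


def find_script_twins(log_text: str) -> List[Tuple[str, str, int]]:
    """Find a script file and an extensionless file with the same stem and byte size,
    the ...\\BDLeYKo.bat / ...\\BDLeYKo pairing seen in the thread's log."""
    sizes: Dict[str, Dict[str, int]] = defaultdict(dict)  # stem (lowercase) -> ext -> size
    stems: Dict[str, str] = {}                             # stem (lowercase) -> original case
    for line in log_text.splitlines():
        m = FILE_RE.match(line)
        if not m:
            continue
        path, lower = m.group("path"), m.group("path").lower()
        stem, ext = path, ""
        for candidate in SCRIPT_EXTS:
            if lower.endswith(candidate):
                stem, ext = path[: -len(candidate)], candidate
                break
        sizes[stem.lower()][ext] = int(m.group("size"))
        stems[stem.lower()] = stem
    twins = []
    for key, by_ext in sizes.items():
        bare_size = by_ext.get("")
        for ext, size in by_ext.items():
            if ext and bare_size == size:
                twins.append((stems[key] + ext, stems[key], size))
    return sorted(twins)


if __name__ == "__main__":
    for name, target, reasons in triage_tasks(SAMPLE_LOG):
        print(f"{name} -> {target}: {', '.join(reasons)}")
    for script, bare, size in find_script_twins(SAMPLE_LOG):
        print(f"twin: {script} and {bare} are both {size} bytes")
```

Run it against the real FRST.txt and Addition.txt concatenated, and it lists the task names to put in a fixlist and the extensionless twins that would otherwise be missed because nothing references them directly.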

Thanks for the reply.

Attached the Fixlog.txt, I had to reboot after.

Do you still have the problems you explained?

Not yet, I’ll report back at this topic if it happens again.

Thank you muchly for your time and assistance, was brilliant.

Seems to be gone.

No cmd activity and malwarebytes, zemana and avast haven’t picked anything up yet where they were doing so periodically.

Thanks again for your time, really thankful.

The following will implement some post-cleanup procedures:

=> Please download DelFix by Xplode to your Desktop.
Run the tool and check the following boxes:
  • Remove disinfection tools
  • Create registry backup
  • Purge System Restore
Click the Run button and wait a few seconds for the program to complete its work.
At this point all the tools we used here should be gone. The tool will create a report for you (C:\DelFix.txt).

The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix.
The tool deletes old system restore points and creates a fresh system restore point after cleaning.