PC with .bat kapersky internet security 2017 malware

Dear All,

Need assistance here

I had my working laptop cleared of the above virus last week. Here is my desktop, meant for gaming (mainly), which I observed was also infected by the same virus earlier.

I am attaching all the required info (based on the earlier thread). My MCShield log will be in the next post.

Thank you in advance. Do let me know if there is anything further that I need to do.

MCShield AllScans.txt <<<


MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

v 3.0.5.28 / DB: 2016.2.21.1 / Windows 7 <<<

14/12/2017 4:39:51 PM > Drive C: - scan started (no label ~98 GB, NTFS HDD )…

=> The drive is clean.

14/12/2017 4:39:51 PM > Drive D: - scan started (no label ~135 GB, NTFS HDD )…

=> The drive is clean.

MCShield ::Anti-Malware Tool:: http://www.mcshield.net/

v 3.0.5.28 / DB: 2016.2.21.1 / Windows 7 <<<

14/12/2017 4:42:32 PM > Drive F: - scan started (MAXXTEC 4GB ~3856 MB, FAT32 flash drive )…

=> The drive is clean.

  • Open Notepad (click Start button → type notepad.exe → press Enter)
  • Copy text from code block below and paste it into Notepad
Startup: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorers.lnk [2017-12-14]
ShortcutTarget: explorers.lnk -> C:\Users\user\AppData\Roaming\Kaspersky Internet Security 2017\explorers.exe ()
Startup: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spoolsvc.lnk [2017-11-28]
ShortcutTarget: spoolsvc.lnk -> C:\Users\user\AppData\Roaming\Kaspersky Internet Security 2017\spoolsvc.exe ()
Startup: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk [2017-12-14]
ShortcutTarget: svhost.lnk -> C:\Users\user\AppData\Roaming\Kaspersky Internet Security 2017\svhost.exe (No File)
HKU\S-1-5-21-1693882959-51571087-3292842602-1000\...\MountPoints2: {9dd7f51f-e1e9-11e6-8626-806e6f6e6963} - E:\DriverPackSolution.exe
HKU\S-1-5-21-1693882959-51571087-3292842602-1000\...\MountPoints2: {a9ecb3fc-701a-11e7-8bb6-025f65373537} - V:\setup.exe
GroupPolicy: Restriction <==== ATTENTION
GroupPolicy\User: Restriction <==== ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
CHR HKLM\...\Chrome\Extension: [bkfajajhmehapdgmgjejilcbjmhmebkl] - hxxps://clients2.google.com/service/update2/crx
CHR HKU\S-1-5-21-1693882959-51571087-3292842602-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [bkfajajhmehapdgmgjejilcbjmhmebkl] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [bkfajajhmehapdgmgjejilcbjmhmebkl] - hxxps://clients2.google.com/service/update2/crx
2017-07-19 21:53 - 2017-07-19 21:53 - 000057584 _____ () C:\Users\user\AppData\Roaming\DMGR_0A1Q2W1F1C1I1Q0D0L0MtJ1V0A0V0A0S0T.txt
2017-12-03 14:49 - 2017-12-03 15:00 - 000000046 _____ () C:\Users\user\AppData\Roaming\MCVi2UserDetail.ini
2017-09-15 18:37 - 2017-09-15 18:37 - 000586752 _____ () C:\Users\user\AppData\Roaming\Mehari.exe
2017-07-31 07:22 - 2017-12-10 17:03 - 000000309 _____ () C:\Users\user\AppData\Roaming\WB.CFG
2017-12-13 16:50 - 2017-12-13 16:50 - 000000052 _____ () C:\Users\user\AppData\Local\HvpjdXLztn
C:\Windows\Tasks\{3855BD4D-4B69-8F16-7222-7D5DCE82C2D8}.job
C:\Windows\Tasks\{514DEFDF-9272-5F5C-B8CC-24FBB766E55D}.job
Task: {69150B8F-AFDF-46FF-8424-D16A05146AD9} - \ByteFence -> No File <==== ATTENTION
Task: {92922A99-583E-4A10-AB89-F88AA1866302} - System32\Tasks\Secured Yahoo Powered coris => C:\Windows\system32\wscript.exe "C:\ProgramData\{87C842AB-0D8A-C86D-8B4C-562F110EDDE1}\lofa.txt" "68747470733a2f2f6464756b6d716c2e636f6d" "433a5c50726f6772616d446174615c7b38374338343241422d304438412d433836442d384234432d3536324631313045444445317d5c64696c697361" "433a5c50726f6772616d446174615c7b38374338343241422d304438412d433836442d (the data entry has 84 more characters). <==== ATTENTION
Task: {B5691D2D-42BF-465D-99E7-71B30CF06346} - System32\Tasks\{514DEFDF-9272-5F5C-B8CC-24FBB766E55D} => C:\Program Files (x86)\Common Files\brick\synctask.exe [2013-04-22] () <==== ATTENTION
Task: C:\Windows\Tasks\{3855BD4D-4B69-8F16-7222-7D5DCE82C2D8}.job => C:\Users\user\AppData\Local\MANGAN~1\updtask.exe <==== ATTENTION
Task: C:\Windows\Tasks\{514DEFDF-9272-5F5C-B8CC-24FBB766E55D}.job => C:\PROGRA~2\COMMON~1\brick\synctask.exe <==== ATTENTION
VirusTotal: C:\ProgramData\{87C842AB-0D8A-C86D-8B4C-562F110EDDE1}\lofa.txt;C:\Program Files (x86)\Common Files\brick\synctask.exe;C:\Users\user\AppData\Local\MANGAN~1\updtask.exe;C:\Users\user\AppData\Roaming\Mehari.exe
C:\Users\user\AppData\Roaming\Kaspersky Internet Security 2017
C:\ProgramData\{87C842AB-0D8A-C86D-8B4C-562F110EDDE1}
C:\Program Files (x86)\Common Files\brick
C:\Users\user\AppData\Local\MANGAN~1
EmptyTemp:
  • Go to File → Save As
  • Make sure that UTF-8 is selected as Encoding (left side of Save button)
  • Save it as fixlist.txt on Desktop
  • Open FRST again and click on the Fix button
  • Wait until FRST finishes
  • fixlog.txt should be generated and opened. Attach it to your post and wait for further instructions.
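An added triage helper, written for this thread and not part of FRST or the original posts: it reads FRST-style ShortcutTarget and Task lines, flags startup shortcuts whose targets sit in user-writable folders or imitate Windows binary names (as the svhost, explorers and spoolsvc entries in the fixlist above do), and decodes the hex-encoded arguments handed to wscript.exe in a scheduled task. The log lines are constructed samples with placeholder values, not copied from the user's log.

```python
import re

# Constructed FRST-style sample lines (assumption: same field layout as the
# ShortcutTarget / Task lines shown in the fixlist above; values are placeholders).
SAMPLE_LOG = r"""
Startup: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk [2017-12-14]
ShortcutTarget: svhost.lnk -> C:\Users\user\AppData\Roaming\Kaspersky Internet Security 2017\svhost.exe (No File)
Startup: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk [2017-01-01]
ShortcutTarget: OneDrive.lnk -> C:\Program Files\Microsoft OneDrive\OneDrive.exe (Microsoft Corporation)
Task: {00000000-0000-0000-0000-000000000000} - System32\Tasks\Example => C:\Windows\system32\wscript.exe "C:\ProgramData\{PLACEHOLDER}\lofa.txt" "68747470733a2f2f6578616d706c652e696e76616c6964" "433a5c50726f6772616d446174615c737461676532"
"""

USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\users\\public\\", "\\temp\\")
# Filenames one character away from a legitimate Windows binary.
LOOKALIKES = {"svhost.exe": "svchost.exe", "explorers.exe": "explorer.exe",
              "spoolsvc.exe": "spoolsv.exe"}
SHORTCUT_RE = re.compile(r"^ShortcutTarget: (?P<lnk>\S+) -> (?P<target>.+?) \((?P<info>[^)]*)\)$")
TASK_RE = re.compile(r"wscript\.exe\s+(?P<args>.+)$", re.IGNORECASE)
HEX_ARG_RE = re.compile(r'"([0-9a-fA-F]{8,})"')  # quoted arguments that are pure hex

def triage_shortcut(line):
    """Return (lnk name, target, reasons) for a ShortcutTarget line, or None."""
    m = SHORTCUT_RE.match(line.strip())
    if not m:
        return None
    target = m.group("target")
    exe = target.lower().rsplit("\\", 1)[-1]
    reasons = []
    if any(p in target.lower() for p in USER_WRITABLE):
        reasons.append("target lives in a user-writable directory")
    if exe in LOOKALIKES:
        reasons.append("name mimics %s" % LOOKALIKES[exe])
    if m.group("info") == "No File":
        reasons.append("shortcut is orphaned (target missing on disk)")
    return m.group("lnk"), target, reasons

def decode_hex_args(line):
    """Decode hex-encoded quoted arguments passed to wscript.exe in a Task line."""
    m = TASK_RE.search(line)
    if not m:
        return []
    return [bytes.fromhex(h).decode("ascii", errors="replace")
            for h in HEX_ARG_RE.findall(m.group("args"))]

def triage_log(text):
    """Flag suspicious startup shortcuts and expose encoded task arguments."""
    hits = [triage_shortcut(ln) for ln in text.splitlines()]
    return {"shortcuts": [h for h in hits if h and h[2]],
            "task_args": [a for ln in text.splitlines() for a in decode_hex_args(ln)]}
```

Run `triage_log(SAMPLE_LOG)`: the OneDrive shortcut passes, the svhost shortcut is flagged for all three reasons, and the two hex arguments decode to a URL and a staging path.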

Sass Drake,

Done as instructed.

Here goes.

What is now system status?

Apologies for the delay in replying. I have been outstation.

It works fine already, Sass Drake. Thanks for the assistance from you and your team.

The following will implement some post-cleanup procedures:

=> Please download DelFix by Xplode to your Desktop.
Run the tool and check the following boxes:
  • Remove disinfection tools
  • Create registry backup
  • Purge System Restore
Click the Run button and wait a few seconds for the programme to complete its work.
At this point all the tools we used here should be gone. The tool will create a report for you (C:\DelFix.txt).

The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix.
The tool deletes old system restore points and creates a fresh system restore point after cleaning.