
HRUPPROG.DIE.NOW malware



Hello guys,
So, today I was on my PC and wanted to get to a file that was in my User folder:
u1xlmxf.png
I got into the folder and wanted to access the file named after myself (Nuno Pinto), and I could, but next to that file there was another one named "Nuno":
T6IVCoE.png
I didn't remember creating it, but it was there after all, so I took a look:
R3G1qje.png
I've never seen these files in my life, but from that DIE.NOW I knew it wasn't good. Because I'm really stupid, I opened the .txt file to see what was inside, and it simply said "100"; I don't know if I triggered a trap or something by doing that.
Next to the files there's the time they were created. I don't actually remember what I did that day at that hour, but since about that day I've had some really annoying lag on my PC, so that's the problem I guess... I also got the idea of doing a system restore to before that date, but I'd prefer to get some opinions and help from someone who knows more than I do...
I've already followed the steps advised in this post. Malwarebytes did nothing, and I've run dds.scr and created those two .txt files. I'll wait for a response from someone before posting them. Thanks for the help guys.


  • Root Admin

Please post the files from the DDS scan.

Then follow the directions below.

Please download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder as mbar-log.txt and system-log.txt

  • Root Admin

Please post the MBAR log once it's ready and then uninstall ALL versions of Java, as your log shows an older, exploited version is installed:

Java 7 Update 11
Java Auto Updater

Also, please run this before we continue much further.

Backup the Registry:

Modifying the Registry can create unforeseen problems, so it is always wise to create a backup before doing so.

  • Please download ERUNT from one of the following links: Link1 | Link2 | Link3
  • ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.
  • Double click on erunt-setup.exe to Install ERUNT by following the prompts.
  • Start ERUNT either by double clicking on the desktop icon or choosing to start the program at the end of the setup process.
  • Choose a location for the backup.
    • Note: the default location is C:\Windows\ERDNT which is acceptable.
  • Make sure that at least the first two check boxes are selected.
  • Click on OK
  • Then click on YES to create the folder.

Note: if it is necessary to restore the registry, open the backup folder and start ERDNT.exe

  • Root Admin

Please visit this webpage for instructions on downloading and running ComboFix: How to use ComboFix

Please make sure you disable your security applications before running ComboFix.

Once Combofix has completed it will produce and open a log file. Please attach that log file to your next reply.

If needed the file can be located here: C:\combofix.txt

NOTE: If you receive the message "illegal operation has been attempted on a registry key that has been marked for deletion", just reboot the computer.


  • Root Admin

Great that seems to have cleared a lot of junk - please run the following steps now.

STEP 01

Please download AdwCleaner by Xplode to your desktop.

  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • If prompted by the User Account Control click Yes to allow it to run.
  • Under Actions click on the Delete button.
  • Click OK on all prompts.
  • You will be prompted to restart your computer. A text file will open after the restart.
  • Please post the entire contents of that logfile to your next reply.
  • You can find the logfile at C:\AdwCleaner[s1].txt where the number in brackets indicates how often it was run.

STEP 02

Please download Junkware Removal Tool to your desktop.


  • Shutdown your antivirus to avoid any conflicts.
  • Right click over JRT.exe and select Run as administrator on Windows Vista or Windows 7, double-click on XP.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next reply message
  • When completed make sure to re-enable your antivirus


STEP 03

Please go here to run the online antivirus scanner from ESET.


  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats', then click Export to text file...
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.


Ok, the results of AdwCleaner are:


# AdwCleaner v2.303 - Logfile created 06/21/2013 at 22:31:12
# Updated 08/06/2013 by Xplode
# Operating system : Windows 7 Professional Service Pack 1 (64 bits)
# User : Nuno Pinto - NUNOPINTO-PC
# Boot Mode : Normal
# Running from : C:\Users\Nuno Pinto\Desktop\anti-malware\AdwCleaner.exe
# Option [Delete]


***** [services] *****


***** [Files / Folders] *****

Folder Deleted : C:\Users\Nuno Pinto\AppData\Local\SwvUpdater

***** [Registry] *****

Key Deleted : HKCU\Software\ilivid
Key Deleted : HKCU\Software\InstallCore
Key Deleted : HKCU\Software\Softonic
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}
Key Deleted : HKLM\SOFTWARE\Classes\Applications\ilividsetup.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\BundleSweetIMSetup_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\BundleSweetIMSetup_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\iLividSetup_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\iLividSetup_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SweetIM_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SweetIM_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SweetPacksUpdateManager_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SweetPacksUpdateManager_RASMANCS
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{EEE6C360-6118-11DC-9C72-001320C79847}

***** [internet Browsers] *****

-\\ Internet Explorer v10.0.9200.16611



-\\ Mozilla Firefox v21.0 (pt-PT)

File : C:\Users\Nuno Pinto\AppData\Roaming\Mozilla\Firefox\Profiles\5xvsvik5.default-1357515228540\prefs.js

[OK] File is clean.

-\\ Google Chrome v27.0.1453.116

File : C:\Users\Nuno Pinto\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[s1].txt - [2078 octets] - [21/06/2013 22:31:12]

########## EOF - C:\AdwCleaner[s1].txt - [2138 octets] ##########

Junkware Removal Tool:


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 4.9.4 (05.06.2013:1)
OS: Windows 7 Professional x64
Ran by Nuno Pinto on 21-06-2013 at 22:37:55,81
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\sweetim
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\sweetim



~~~ Files



~~~ Folders

Successfully deleted: [Folder] "C:\Windows\syswow64\ai_recyclebin"



~~~ FireFox

Successfully deleted: [File] "C:\Users\Nuno Pinto\AppData\Roaming\mozilla\firefox\profiles\5xvsvik5.default-1357515228540\extensions\jid0-irAmugmQgdURBSCIFZAcjR8ZQMg@jetpack.xpi"
Successfully deleted: [Folder] C:\Users\Nuno Pinto\AppData\Roaming\mozilla\firefox\profiles\5xvsvik5.default-1357515228540\extensions\jid0-2qiv5fkuGh0lTr6izdBsmkrqs5c@jetpack
Emptied folder: C:\Users\Nuno Pinto\AppData\Roaming\mozilla\firefox\profiles\5xvsvik5.default-1357515228540\minidumps [598 files]



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 21-06-2013 at 22:40:59,78
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

And finally, the ESET scanner:


C:\Program Files (x86)\Cheat Engine 6.2\cheatengine-i386.exe    a variant of Win32/HackTool.CheatEngine.AB application
C:\Program Files (x86)\Cheat Engine 6.2\standalonephase1.dat    a variant of Win32/HackTool.CheatEngine.AF application
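The AdwCleaner and JRT logs above use two different line formats for the same kind of information (what was deleted, and where). The script below is an added example, not code from this thread or from either tool's authors: it parses constructed sample lines modelled on those formats into structured findings, normalizes the long registry hive names JRT prints to the short form AdwCleaner uses so the same key reported by both tools compares equal, and summarizes what was removed by tool, object kind and action. The sample log, the placeholder username EXAMPLE and the profile name are constructed, and the regular expressions are assumptions derived from the lines posted above rather than a published specification of either log format.

```python
import re
from collections import Counter

# Constructed sample lines in the two log formats posted in this thread
# (AdwCleaner and JRT). These are not the poster's logs: the username and
# the Firefox profile name are placeholders.
SAMPLE_LOG = r"""
***** [Files / Folders] *****
Folder Deleted : C:\Users\EXAMPLE\AppData\Local\SwvUpdater
***** [Registry] *****
Key Deleted : HKCU\Software\InstallCore
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SweetIM_RASAPI32
~~~ Registry Keys
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\sweetim
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\sweetim
~~~ Folders
Successfully deleted: [Folder] "C:\Windows\syswow64\ai_recyclebin"
~~~ FireFox
Successfully deleted: [Folder] C:\Users\EXAMPLE\AppData\Roaming\mozilla\firefox\profiles\x.default\extensions\jid0-EXAMPLE@jetpack
Emptied folder: C:\Users\EXAMPLE\AppData\Roaming\mozilla\firefox\profiles\x.default\minidumps [598 files]
"""

# AdwCleaner style: "<Folder|File|Key|Value> <Deleted|Found> : <target>"
ADW_RE = re.compile(r"^(?P<obj>Folder|File|Key|Value) (?P<action>Deleted|Found) : (?P<target>.+)$")
# JRT style: 'Successfully deleted: [<object type>] <target>' (target may be quoted)
JRT_RE = re.compile(r'^Successfully deleted: \[(?P<obj>[^\]]+)\] "?(?P<target>.+?)"?$')
# JRT style: 'Emptied folder: <path> [<n> files]'
JRT_EMPTY_RE = re.compile(r"^Emptied folder: (?P<target>.+) \[(?P<count>\d+) files\]$")

# Long hive names (as JRT prints them) mapped to the short form AdwCleaner uses,
# so the same key reported by both tools compares equal.
HIVES = {
    "HKEY_CURRENT_USER": "HKCU",
    "HKEY_LOCAL_MACHINE": "HKLM",
    "HKEY_CLASSES_ROOT": "HKCR",
    "HKEY_USERS": "HKU",
}


def normalize_registry_key(key: str) -> str:
    """Rewrite the hive prefix of a registry path to its short form."""
    hive, sep, rest = key.partition("\\")
    return HIVES.get(hive.upper(), hive.upper()) + sep + rest


def parse_line(line: str):
    """Return a finding dict for one log line, or None for headers and blank lines."""
    line = line.strip()
    m = ADW_RE.match(line)
    if m:
        kind = "registry" if m["obj"] in ("Key", "Value") else "filesystem"
        target = normalize_registry_key(m["target"]) if kind == "registry" else m["target"]
        return {"tool": "adwcleaner", "kind": kind, "action": m["action"].lower(), "target": target}
    m = JRT_RE.match(line)
    if m:
        kind = "registry" if m["obj"].startswith("Registry") else "filesystem"
        target = normalize_registry_key(m["target"]) if kind == "registry" else m["target"]
        return {"tool": "jrt", "kind": kind, "action": "deleted", "target": target}
    m = JRT_EMPTY_RE.match(line)
    if m:
        return {"tool": "jrt", "kind": "filesystem", "action": "emptied",
                "target": m["target"], "count": int(m["count"])}
    return None


def parse_log(text: str):
    """Parse a whole log (either format, or both concatenated) into findings."""
    return [f for f in (parse_line(ln) for ln in text.splitlines()) if f]


def summarize(findings):
    """Count findings per (tool, kind, action)."""
    return Counter((f["tool"], f["kind"], f["action"]) for f in findings)


def registry_keys(findings):
    """Sorted, de-duplicated registry targets across both tools (case-insensitive order)."""
    return sorted({f["target"] for f in findings if f["kind"] == "registry"}, key=str.lower)


if __name__ == "__main__":
    findings = parse_log(SAMPLE_LOG)
    for key, n in sorted(summarize(findings).items()):
        print(key, n)
    print("registry targets:", *registry_keys(findings), sep="\n  ")
```

To apply it to a real log, pass the file's contents to parse_log; the registry_keys output is the list worth keeping with the case notes, since those keys are what a follow-up scan should confirm stayed gone.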

  • Root Admin

I'm going to be away most of the night but I'll check back on you either later tonight or tomorrow.

So how is the computer running now, and are there still any signs of an infection or issue related to malware?

Let me get one more new DDS scan and logs for review.

Next, download Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


The computer is definitely faster, but it's too soon to say if the freezes are fixed. Another thing I find odd is that even after all this, the actual files that made me post this in the first place are still there, next to a new file named AppData.

And my anti-virus is identifying Security Check as a UDS:DangerousObject.Multi.Generic; I don't know if that's supposed to happen.

dds.txt

attach.txt


  • 2 weeks later...
  • Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
