Windows Script Host error and blocked outbound connections

[sfxes]

I was previous infected with a Trojan, which I was able to remove using Malwarebytes. However, after that I kept getting "Website blocked" popups from Malwarebytes that all show the same IP (173.33.7.199). Also, each time I restart my laptop, I get a Windows Script Host error. I was wondering how I might go about fixing these issues? Malwarebytes threat scan no longer shows any problems. I ran a scan with FRST64 (attached logs)

 

FRST.txt

Addition.txt

[TwinHeadedEagle]

Hello and

Do you still have this file on your system?

 

C:\Users\dawn\AppData\Roaming\smoti2\smoti2.vbs

[sfxes]

Hi 

Yes, the file is still there.

[TwinHeadedEagle]

Can you scan it on VirusTotal?

https://virustotal.com/

Then copy the download link and paste it here.

[sfxes]

Do you mean this link? 

https://virustotal.com/en/file/e22a6e1218add0cb14ff24e21b1d9ba026fbcb0eebef7f4da6e99a437a24551f/analysis/1500027957/

[TwinHeadedEagle]

Yes. There is a detection for this file, I don't know what is the problem. When you scan with MalwareBytes, are you getting any detection?

[sfxes]

Nope, I'm not - Malwarebytes doesn't detect anything on my entire computer.

[TwinHeadedEagle]

Can you export previous MalwareBytes scan logs and upload them here?

[sfxes]

Here are two of them, one before and one after dealing with what was detected in the first scan. 

mb_scan_1.txt

mb_scan_2.txt

[TwinHeadedEagle]

Thank you.

Let's continue with removal.

 

Fix with AdwCleaner

Please download AdwCleaner by Xplode and save the file to your Desktop.

• Right-click on icon and select Run as Administrator to start the tool.
• Accept the Terms of use.
• Wait until the database is updated.
• Click Scan.
• When finished, please click Clean.
• Your PC should reboot now.
• After reboot, logfile will be opened. Copy its content into your next reply.

Note: Reports will be saved in your system partition, usually at C:\Adwcleaner

 

Scan with Farbar Recovery Scan Tool

Please re-run Farbar Recovery Scan Tool to give me a fresh look at your system.

• Right-click on icon and select Run as Administrator to start the tool.
  (XP users click run after receipt of Windows Security Warning - Open File).
• Make sure that Addition.txt option is checked. option is checked.

  

• Press Scan button and wait.
  

• The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.
  

Please attach report into your next reply.

[sfxes]

Just FYI, I ended up deleting the smoti2 folder in system32 yesterday just to see what would happen. So I ran adwcleaner and FRST after I deleted that folder. 

FRST.txt

Addition.txt

[TwinHeadedEagle]

Please uninstall the following software:

DragonBoost (HKU\S-1-5-21-696593026-2107197769-1213877881-1000\...\119) (Version:  - ) <==== ATTENTION
ICBCChromeExtension (HKLM-x32\...\{ECDCDC1B-3B15-4664-AC51-56438284DD40}) (Version: 1.0.9.0 - ICBC) <==== ATTENTION
ICBCNewChromeExtension (HKLM-x32\...\{04C0D9B6-9B21-45AC-8EB1-A6F547A9DFCF}) (Version: 1.0.3.0 - ICBC) <==== ATTENTION
Popcorn Time (HKLM-x32\...\Popcorn Time_is1) (Version: 5.6.1.0 - Popcorn Time) <==== ATTENTION
英雄联盟 (HKLM-x32\...\英雄联盟) (Version:  - Tencent)
 

 

Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.

Running it on another one may cause damage and render the system unstable.

Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

• Right-click on icon and select Run as Administrator to start the tool.
  (XP users click run after receipt of Windows Security Warning - Open File).
• Press the Fix button just once and wait.
• If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
• When finishes FRST will generate a log on the Desktop, called Fixlog.txt.
  

Please attach it to your reply.

fixlist.txt

[sfxes]

DragonBoost  << I can't find this anywhere on my laptop, so I have no idea how to uninstall this. 

And I know these are safe software.. should I still uninstall them? I would have to reinstall them in the future even if I do uninstall them now. 
ICBCChromeExtension (HKLM-x32\...\{ECDCDC1B-3B15-4664-AC51-56438284DD40}) (Version: 1.0.9.0 - ICBC) <==== ATTENTION
ICBCNewChromeExtension (HKLM-x32\...\{04C0D9B6-9B21-45AC-8EB1-A6F547A9DFCF}) (Version: 1.0.3.0 - ICBC) <==== ATTENTION
英雄联盟 (HKLM-x32\...\英雄联盟) (Version:  - Tencent)

I've removed the other one.

Edited July 17, 2017 by sfxes

[TwinHeadedEagle]

Did you install Tencent software?

[sfxes]

Yes, I did. I know that there is no problem with it. However, malware removal tools keep flagging it and messing up the software, and then I have to repair/reinstall the software.. 

[TwinHeadedEagle]

Yes, Tencent is known to be distributed along with other potentially unwanted software e.g. Browser Hijackers, BitCoinMiners, Adware etc. so it is flagged by many tools.

How is your computer behaving now?

[sfxes]

It seems to behave normally/like before, as far as I can tell. 

[TwinHeadedEagle]

Glad to hear that. You were infected with BitCoin Miner and that .vbs file was there to start it and download again if it is deleted.

[sfxes]

I see, thank you for the help!