Infected Windows 10 - win32/Detrahere!reg


Defender says it removes it, but it still pops up every so often. Ran the toolset and it removed 80+; upon running it a 2nd time there were still a few not removed. Ran ADW 3 times and have removed everything, and the last scan was clean. FRST and Zemana were run also; logs attached. Please, if anyone can help assist with this removal. Thank you!!!

 

 

Attachments:
2018.10.01-20.14.42-i0-t92-d6.txt
Addition.txt
Capture.PNG
FRST.txt
MalwareScan_20181001.txt
Rkill.txt
AdwCleaner[C00].txt
AdwCleaner[C01].txt
AdwCleaner[C02].txt
AdwCleaner[S00].txt
AdwCleaner[S01].txt
AdwCleaner[S02].txt
AdwCleaner[S03].txt


AdvancedSetup (Root Admin):

Hi @onphiya

For Trend removal, please follow the directions from here.

https://esupport.trendmicro.com/en-us/home/pages/technical-support/1105809.aspx

If that does not take care of it we can remove things via WMI but this tool should take care of it for you.

I'll review the other logs and get back to you shortly. If you want, grab that and remove Trend.

Thanks, Ron

 



Yeah, I already tried that and it still shows in the toolkit. I thought it was something different than what I had already run.


AdvancedSetup (Root Admin):

Remove Trend Micro WMI Registration

  1. Click on the Start menu.
  2. Select Run...
  3. Type wbemtest and click OK.
  4. Click Connect.
  5. Type (or copy/paste) root/SecurityCenter in the NameSpace box.
  6. Click Connect.
  7. Click on Query.
  8. Type in (or copy/paste) SELECT * FROM AntiVirusProduct and click on Apply.

 

If there is more than one result, it means there is more than one antivirus program installed.

Double-click on each result to view the properties for that antivirus product.

Identify the product(s) installed and DELETE any records for Trend Micro.

[Attachment: Delete_AV_From_WMI.gif]

 

 

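The wbemtest lookup and delete above, done from an elevated PowerShell prompt, as an added example that is not part of this thread; it also checks root/SecurityCenter2, the namespace Windows Vista and later use for third-party product registrations. $VendorPattern is an assumption you set to the vendor you have already uninstalled, and -WhatIf keeps the run read-only until you remove it.

```powershell
# Added example, not from the thread: enumerate Security Center antivirus
# registrations and remove a stale one by vendor name (elevated PowerShell).
# Assumption: $VendorPattern names a product that is already uninstalled.
$VendorPattern = 'Trend Micro'
$Namespaces    = @('root/SecurityCenter', 'root/SecurityCenter2')  # XP-era and Vista+ namespaces

function Get-AvRegistration {
    foreach ($ns in $Namespaces) {
        $products = Get-CimInstance -Namespace $ns -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
        foreach ($p in $products) {
            $exe = $p.pathToSignedProductExe
            # Defender reports a URI here ("windowsdefender://"), so only test real file paths
            $exists = $null
            if ($exe -and $exe -notmatch '^[a-z]+://') {
                $exists = Test-Path -LiteralPath ([Environment]::ExpandEnvironmentVariables($exe))
            }
            [pscustomobject]@{
                Namespace    = $ns
                DisplayName  = $p.displayName
                InstanceGuid = $p.instanceGuid
                ProductExe   = $exe
                ExeOnDisk    = $exists     # $false here usually means a leftover registration
            }
        }
    }
}

$all = Get-AvRegistration
$all | Format-Table -AutoSize     # review every record first, as the wbemtest step does

# Select the record(s) to delete by product name, the same way you would in wbemtest.
$stale = $all | Where-Object { $_.DisplayName -match $VendorPattern }

foreach ($s in $stale) {
    Write-Host "Would remove $($s.DisplayName) ($($s.InstanceGuid)) from $($s.Namespace)"
    Get-CimInstance -Namespace $s.Namespace -ClassName AntiVirusProduct |
        Where-Object { $_.instanceGuid -eq $s.InstanceGuid } |
        Remove-CimInstance -WhatIf    # drop -WhatIf once the entry is confirmed stale
}
```

After removal, re-run the enumeration to confirm that only the products actually installed (for this machine, Defender) remain registered.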

AdvancedSetup (Root Admin):

Okay, here is a quick list of items found and recommendations. It does not currently address removal of Trend Micro from WMI. Let me check if we have another updated tool for that or if we'll need to manually remove from Registry.

 

 


Dropbox entry is old. I would recommend removal. Install latest Dropbox installer if needed
Task: {8CE50D50-0927-484E-B520-2987A4568D82} - System32\Tasks\DropboxOEM => C:\Program Files (x86)\Dropbox\DropboxOEM\DropboxOEM.exe [2016-11-30] (DropboxOEM)

Not sure what this entry is for. Google only shows a few entries, which often may indicate a bad entry. You can search the Registry for that entry and see if you can find more information, or check the Task for more details and disable or delete it if not something good.
Task: {A42CF396-7532-4A1E-8EC7-7356BD8A73DE} - \{7412B369-A85F-AD64-92DE-54C6521775E7} -> No File <==== ATTENTION

Not sure what this is. Rarely do any computers nowadays need any special commands on startup. I'd look at the vbs code with notepad and see what it's doing and remove if not needed.
Task: {AD911676-2F35-466D-A991-AE8255B18E43} - System32\Tasks\Dell Cleanup => c:\windows\system32\oem\startmenufix.vbs [2016-09-14] ()

Again, update Dropbox or remove
Task: C:\WINDOWS\Tasks\DropboxUpdateTaskMachineCore.job => C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
Task: C:\WINDOWS\Tasks\DropboxUpdateTaskMachineUA.job => C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe


Very unlikely this is needed. I would look and verify and if not needed remove
Task: C:\WINDOWS\Tasks\RunDLC.job => cmd c sc start Dell Help SupportWORKGROUP DESKTOP UFBO0ED


Not sure what this is for. I've seen a lot of logs and I've never seen an entry for Yahoo like this. Please verify what it's doing and that it's not a security risk.
Task: C:\WINDOWS\Tasks\Secured Yahoo Powered fimif.job => Wscript.exe  C:\ProgramData\{6B15AE76-E157-24B0-6791-BAF2FDD3313C}\mira.txt <==== ATTENTION


A batch file to control Google Chrome looks odd. Please verify and remove if invalid.
Shortcut: C:\Users\pannee\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Gооglе Сhrоmе.lnk -> C:\Users\pannee\AppData\Local\Google\Chrome\Application\chrome.bat (No File)


Del the ADS (we can have FRST remove this and the Tasks for us if you want, just let me know)
AlternateDataStreams: C:\ProgramData\Reprise:wupeogjxldtlfudivq`qsp`26hfm [0]

Remove the trusts in IE
IE trusted site: HKU\.DEFAULT\...\trendmicro.com -> hxxps://pwm.trendmicro.com
IE trusted site: HKU\S-1-5-21-626017937-3662907746-2311047881-1001\...\trendmicro.com -> hxxps://pwm.trendmicro.com


I do not recommend the use of MSCONFIG to control startup items. It is a diagnostic tool. When used as a startup manager it cannot be used for diagnostics.


There appears to be a possible disk, cable, controller, etc. issue for one of the hard drives.
System errors:
=============
Error: (10/01/2018 08:07:05 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR1.


Windows Defender is detecting and causing an issue with our Toolset. I'll report this to our team. In the meantime you can temporarily disable Defender while cleaning. Then re-enable it.


The computer is also running Zemana AntiMalware. I'm not aware of any conflict but wanted to bring it to your attention in case it may be interfering.

Though a service restart is normal it's not normally done in this manner. I was not able to find a valid entry on Microsoft for that switch either. I would recommend removing this entry
HKU\S-1-5-18\...\RunOnce: [Application Restart #0] => C:\Program Files\internet explorer\iexplore.exe -restart /WERRESTART <==== ATTENTION


These 2 service entries are listed as files not found. That could be due to a locked file or could be that the drivers were removed but the service was never removed. I would recommend you try to validate these drivers and if not being used anymore remove the service.
S2 RNDBWM; "C:\Program Files\Rivet Networks\SmartByte\RNDBWMService.exe" [X]
S2 SmartByte Network Service x64; "C:\Program Files\Rivet Networks\SmartByte\SmartByteNetworkService.exe" [X]

 

Let me know what you think and if you want, I can write a FRST script to remove or fix most of this for you.

Ron

 

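A triage pass over FRST-style log lines of the kind reviewed above, as an added example that is not from this thread or from FRST itself; the sample entries are constructed copies of the ones discussed, and the rules (missing target, script host given a non-script file, non-ASCII letters in a shortcut name, shortcut pointing at a batch file, alternate data stream) are my own labels for review, not FRST's.

```powershell
# Added example, not from the thread: a triage pass over FRST-style log lines.
# The sample entries below are constructed copies of the ones discussed above;
# the function only labels entries for review and removes nothing.
$SampleLines = @'
Task: {A42CF396-7532-4A1E-8EC7-7356BD8A73DE} - \{7412B369-A85F-AD64-92DE-54C6521775E7} -> No File <==== ATTENTION
Task: C:\WINDOWS\Tasks\Secured Yahoo Powered fimif.job => Wscript.exe  C:\ProgramData\{6B15AE76-E157-24B0-6791-BAF2FDD3313C}\mira.txt <==== ATTENTION
Shortcut: C:\Users\pannee\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Gооglе Сhrоmе.lnk -> C:\Users\pannee\AppData\Local\Google\Chrome\Application\chrome.bat (No File)
AlternateDataStreams: C:\ProgramData\Reprise:wupeogjxldtlfudivq`qsp`26hfm [0]
Task: C:\WINDOWS\Tasks\DropboxUpdateTaskMachineCore.job => C:\Program Files (x86)\Dropbox\Update\DropboxUpdate.exe
'@ -split "`r?`n"

function Get-FrstTriage {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        $findings = @()
        # FRST's own marker for entries it considers worth a look
        if ($line -match '<==== ATTENTION') { $findings += 'flagged by FRST' }
        # A task or shortcut whose target is gone: orphaned leftover or something hiding
        if ($line -match 'No File') { $findings += 'target file missing' }
        # Script hosts are normally given .vbs/.js; a .txt or similar is a disguise
        if ($line -match '\b(wscript|cscript|mshta)\.exe\s+.*\.(txt|dat|jpg|png|tmp)\b') {
            $findings += 'script host launching a file with a non-script extension'
        }
        # Shortcut names carrying non-ASCII letters that look like a known product
        if ($line -match '\.lnk\s*->' -and $line -match '[^\x00-\x7F]') {
            $findings += 'non-ASCII characters in shortcut name (possible homoglyph)'
        }
        # A product shortcut should point at its .exe, not a batch or script file
        if ($line -match '\.lnk\s*->.*\.(bat|cmd|vbs|js)\b') {
            $findings += 'shortcut runs a script instead of the product executable'
        }
        # Alternate data streams are invisible in Explorer and need a look
        if ($line -match '^AlternateDataStreams:') { $findings += 'alternate data stream present' }
        [pscustomobject]@{ Entry = $line; Findings = $findings }
    }
}

# Only entries with at least one finding are shown; the Dropbox updater line gets none.
Get-FrstTriage -Lines $SampleLines |
    Where-Object { $_.Findings.Count -gt 0 } |
    Format-List
```

Save the script as UTF-8 with a BOM so that Windows PowerShell 5.1 reads the Cyrillic letters in the sample shortcut name correctly.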


If you could create a fix list for FRST. I just loaded Zemana to run another scan to get the log; I saw from searching in the forum that was what was stated in some replies to have, so I was just trying to save time. I can remove it. Basically I want to get this removed and have Defender and MWB and that's it. Still new to the FRST bit and how things are removed and what needs to be removed, in the OS or PE environment, to get these badly infested ones removed. But I will uninstall Dropbox right now and wait for any other suggestions to run the fix you put together.


AdvancedSetup (Root Admin):

Please download the attached fixlist.txt file and save it to the Desktop.
NOTE: It's important that both files, FRST or FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

fixlist.txt

 

 

Thanks, Ron

 



Okay, thanks... Running it now. Upon restart, do you want me to run another FRST and send the logs?


AdvancedSetup (Root Admin):

Looks pretty good so far. Please run the following and we'll see if anything else comes up.

 

Please run the following steps and post back the logs as an attachment when ready.

STEP 01

  • If you're already running Malwarebytes 3 then open Malwarebytes and check for updates. Then click on the Scan tab and select Threat Scan and click on Start Scan button.
  • If you don't have Malwarebytes 3 installed yet please download it from here and install it.
  • Once installed then open Malwarebytes and check for updates. Then click on the Scan tab and select Threat Scan and click on Start Scan button.
  • Once the scan is completed click on the Export Summary button and save the file as a Text file to your desktop or other location you can find, and attach that log on your next reply.
  • If Malwarebytes won't run then please skip to the next step and let me know on your next reply.

STEP 02

Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Right-click on the program and select Run as Administrator to start the tool.
  • Accept the Terms of use.
  • Wait until the database is updated.
  • Click Scan Now.
  • When finished, please click Clean & Repair.
  • Your PC should reboot now if any items were found.
  • After reboot, a log file will be opened. Copy its content into your next reply.

 

RESTART THE COMPUTER Before running Step 3

STEP 03
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before, you need to place a check mark here.
  • Please attach the Addition.txt log to your reply as well.

 

Thanks

Ron

 


I have the toolset; will that work?



AdvancedSetup (Root Admin):

Try this please

Please download the attached fixlist.txt file and save it to the Desktop.
NOTE: It's important that both files, FRST or FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

fixlist.txt

 


This topic is now closed to further replies.