Driverpack-17 malicious code, wasn't cleared up by MB

[Jan_a]

Hi, I've installed new system and I'm struggling with drivers, so I was stupid and  downloaded a program named DriverPack Solution 17 ,because someone on forum advised it (and because I was so stupid). After some time I realised that program isn't very helpfull and it has problems installing any driver, so I went to Google for solutions and I found that this program is malicious.  Then I just deleted an exe file ( this program didnt have any instalation process, so I thought it's just one-file-program).

And some time later after I rebooted computer prior to installing one driver, something unexpected and shocking happened:

Firstly at the start appeared cmd.exe window with 3 second countdown. I ignored it, because I thought it's a part of driver instalation process. But 5 minutes later window with Driverpack-17 icon appeared out of nowhere and it was in the middle of installation ! It was installing some fishy distribution of Microsoft Visual C++ Redistributable - fishy, because there was a lot of strings in arabic or hindu and lots of strange characters passing in the log of installation (I regret I didn't make a screenshot,because you can't image something more virus-like). There was no way to stop it, to cancel the process, killing it by Process Manager didnt work. And at the end when it finished massage in German popped up !

 

TL;DR

I freaked out and restored system to the last restore point (just before the reboot). I installed Malwarebyte and it deleted C:\Users\user\AppData\Roaming\DPRsu\ and many register entries.

However it didn't remove everything. Everytime I start the system then that litte cmd.exe shows up, acompanied with error massage that "C:\Users\user\AppData\Roaming\DPRsu\PROGRAMS\DotNet.exe" cannot be found...

I've checked details in Process Explorer and it seems that cmd.exe is started by svchost with parameters:

/c start /min cmd /c bitsadmin /complete drp_bits_job && timeout 3 && start "" "C:\Users\User\AppData\Roaming\DRPsu\PROGRAMS\DotNet.exe"  

 

Does it mean my svchost is infected? Malwarebyte didn't even detect that issues. How to stop that script from executing at the start of system ? Is it still dangerous or it's just a leftover?

 

 

[nasdaq]

Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please download Malwarebytes Anti-Malware from here
 

• Right-click on the MBAM icon and select Run as administrator to run the tool.
• Click Yes to accept any security warnings that may appear.
• Once the MBAM dashboard opens, on the right detail pane click on the word "Current" under the Scan Status to update the tool database.
• On the left menu pane click the Settings tab, and then select the Protection tab on the top.
• Under the Scan Options, turn on the button Scan for rootkits and Scan within archives.
• Click the Scan tab on the right detail pane, select Threat Scan and click the Start Scan button
• Note: The scan may take some time to finish, so please be patient.
• If potential threats are detected, ensure to check mark all the listed items, and click the Quarantine Selected button.
• While still on the Scan tab, click the View Report button, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
• The log can also be viewed by clicking the log to select it, then clicking the View Report button.
  

Please post the log for my review.

Note: If asked to restart the computer, please do so immediately.
===

Please download AdwCleaner by Malwarebytes your Desktop.

• Close all open programs and internet browsers.
• Double click on AdwCleaner.exe to run the tool.
• Click the Scan button and wait for the process to complete.
• Click the LogFile button and the report will open in Notepad.
  

IMPORTANT

• If you click the Clean button all items listed in the report will be removed.
  

If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.

• Close all open programs and internet browsers.
• Double click on AdwCleaner.exe to run the tool.
• Click the Scan button and wait for the process to complete.
• Check off the element(s) you wish to keep.
• Click on the Clean button follow the prompts.
• A log file will automatically open after the scan has finished.
• Please post the content of that log file with your next answer.
• You can find the log file at C:\AdwCleanerCx.txt (x is a number).
  

===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section in the bottom of the topic Click the "more reply Options" button.

Attach the file.
Select the "Choose a File" navigate to the location of the File.
Click the file you wish to Attach.
Click Attach this file.
Click the Add reply button.
===

Please post the logs  for my review.

Let me know what problems persists.

Wait for further instructions

[nasdaq]

Are you still with us?

[AdvancedSetup]

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Thanks