
In Progress Is my Ursnif infection cleaned?

Discussion in 'Virus & Other Malware Removal' started by Scudstorm, Jul 13, 2019.

Thread Status:
Not open for further replies.
  1. Scudstorm

    Scudstorm Thread Starter

    Joined:
    Jun 24, 2010
    Messages:
    78
    Hi, I got infected by Ursnif yesterday on Windows 10 Home x64. The malware was activated by me carelessly double-clicking on a suspicious file (the file type was shortcut, so I thought it was harmless). Windows Defender picked it up right away (both the Trojan itself, which somehow got into C:\Windows, and the scheduled task it made) and quarantined them.

    Since then I have performed a full scan with Windows Defender and a local scan of C:\ with Microsoft Safety Scanner. No threats found.

    Is there anything more I should be doing to make sure it's completely gone? As it's a keylogger, I'm quite a bit more anxious about this malware than the ol' regular virus that would, at worst, make me do a full reinstall. I haven't touched banking/payment sites since, but I'd like to get my peace of mind back.

    Thanks!


    Tech Support Guy System Info Utility version 1.0.0.4
    OS Version: Microsoft Windows 10 Home, 64 bit
    Processor: Intel(R) Core(TM) i7 CPU 950 @ 3.07GHz, Intel64 Family 6 Model 26 Stepping 5
    Processor Count: 8
    RAM: 16382 Mb
    Graphics Card: NVIDIA GeForce GTX 960, -2048 Mb
    Hard Drives: C: 110 GB (60 GB Free); D: 310 GB (108 GB Free); E: 310 GB (28 GB Free); F: 310 GB (22 GB Free); G: 310 GB (134 GB Free); H: 310 GB (71 GB Free); I: 310 GB (59 GB Free); L: 465 GB (167 GB Free);
    Motherboard: Gigabyte Technology Co., Ltd., X58-USB3
    Antivirus: Windows Defender, Enabled and Updated
     
    Last edited: Jul 13, 2019
  2. iMacg3

    iMacg3 Malware Specialist

    Joined:
    Nov 3, 2018
    Messages:
    558
    Hi Scudstorm, Welcome to the Tech Support Guy malware removal forum.

    I am iMacg3 and will be helping you with your computer problems.

    Please keep the following information in mind before we begin:
    • Back up any important data before we continue.
      • Back up any important data on your computer to external media. I will not knowingly suggest any steps that will damage your computer; however, malware infections are often unpredictable and it may be necessary to reformat and reinstall your operating system depending on the infection.
    • Do not run any fixes or tools on your system unless I request that you do so.
      • Running additional tools on your system can interfere with the clean-up process, or cause issues such as false positives.
    • Please read all instructions carefully, and complete them in the order listed.
      • Items that are especially important will be highlighted in bold or red.
    • If your computer seems to start working normally, please don't abandon the topic.
      • Even if your system is behaving normally, there may still be some malware remnants left over. Additionally, malware can re-infect the computer if some remnants are left. Therefore, please complete all requested steps to make sure any malware is successfully eradicated from your PC.
    • If you have pirated or illegal software on your computer, uninstall it now before proceeding.
      • Using pirated/cracked software is an easy way to infect your computer - almost as easy as intentionally downloading malware. Therefore, please remove any, if present, before we begin the clean-up.
    • If you have questions at any time during the cleanup, feel free to ask.

    ---------------------------------------------------
    Farbar Recovery Scan Tool (FRST)

    Download Farbar Recovery Scan Tool - 64 bit and save it to your desktop.

    • Right-click FRST64.exe then click "Run as administrator"
    • When the tool opens, click Yes to the disclaimer.
    • Press the Scan button.
    • When finished, it will produce logs called FRST.txt and Addition.txt in the same directory the tool was run from.
    • Please copy and paste the logs in your next reply.

    ---------------------------------------------------

    In your next reply, please include:
    • FRST.txt
    • Addition.txt
     
  3. Scudstorm

    Scudstorm Thread Starter

    Joined:
    Jun 24, 2010
    Messages:
    78
    Hi, thanks for helping!

    First Chrome tried to prevent me from downloading FRST64 (because it's uncommon), now Windows Defender SmartScreen is preventing me from running it (because it's unrecognized and unsigned).

    Should I proceed? Do I have the right file? I'm a bit jumpy right now.
     
  4. iMacg3

    iMacg3 Malware Specialist

    Joined:
    Nov 3, 2018
    Messages:
    558
    Hi Scudstorm,

    Those detections are false positives - FRST is safe when downloaded from the provided link.

    Let me know if you have any issues downloading/running the program.
     
  5. Scudstorm

    Scudstorm Thread Starter

    Joined:
    Jun 24, 2010
    Messages:
    78
    Here they are:
     

    Attached Files:

  6. iMacg3

    iMacg3 Malware Specialist

    Joined:
    Nov 3, 2018
    Messages:
    558
    Hi Scudstorm,

    Do you use the Chrome extension Flash Video Downloader?

    Do you recognize this file?

    ---------------------------------------------------
    Going over your logs I noticed that you have qBittorrent installed.
    • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
    • They are a security risk which can make your computer susceptible to a wide variety of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
    • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
    • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.
    It is pretty much certain that if you continue to use P2P programs, you will get infected again.
    I would recommend that you uninstall qBittorrent, however that choice is up to you. If you choose to remove these programs, you can do so via Start > Settings icon > Apps.
    If you wish to keep it, please do not use it until your computer is cleaned.

    ---------------------------------------------------
    Farbar Recovery Scan Tool - Fix

    • Highlight the contents of the below code box and press Ctrl + C on your keyboard:
      Code:
      Start::
      SystemRestore: On
      CreateRestorePoint:
      EmptyTemp:
      CloseProcesses:
      HKLM-x32\...\Run: [system_jconsole.jar] => C:\Program Files (x86)\Java\jre1.8.0_201\bin\javaw.exe -jar "C:\ProgramData\Comms\jconsole.jar" <==== ATTENTION
      HKU\S-1-5-21-2136537115-418046712-1330794144-1001\...\MountPoints2: {4016163e-104b-11e9-b664-1c6f653fdd64} - "J:\autorun.exe" 
      Unlock: C:\ProgramData\{96FD8796-515A-4917-A0CB-7D978F8426AF}
      2019-07-12 23:08 - 2019-07-12 23:09 - 000000000 __SHD C:\ProgramData\{96FD8796-515A-4917-A0CB-7D978F8426AF}
      2019-06-17 11:36 - 2019-01-09 17:19 - 000000000 ____D C:\ProgramData\boost_interprocess
      FirewallRules: [UDP Query User{9F1AE5DB-02A0-442E-8807-969211A20528}L:\program files (x86)\league of legends\rads\projects\league_client\releases\0.0.0.194\deploy\leagueclient.exe] => (Allow) L:\program files (x86)\league of legends\rads\projects\league_client\releases\0.0.0.194\deploy\leagueclient.exe No File
      FirewallRules: [TCP Query User{BC3A4F74-A67C-4FCE-900E-3C28EAEF2C8C}L:\program files (x86)\league of legends\rads\projects\league_client\releases\0.0.0.194\deploy\leagueclient.exe] => (Allow) L:\program files (x86)\league of legends\rads\projects\league_client\releases\0.0.0.194\deploy\leagueclient.exe No File
      FirewallRules: [UDP Query User{D918CE69-823F-497F-A60A-88EF6D69B0C4}L:\program files (x86)\league of legends\rads\projects\league_client\releases\0.0.0.193\deploy\leagueclient.exe] => (Allow) L:\program files (x86)\league of legends\rads\projects\league_client\releases\0.0.0.193\deploy\leagueclient.exe No File
      FirewallRules: [TCP Query User{CFFBEEA5-256F-4C62-9E1A-8F6FA666F8DE}L:\program files (x86)\league of legends\rads\projects\league_client\releases\0.0.0.193\deploy\leagueclient.exe] => (Allow) L:\program files (x86)\league of legends\rads\projects\league_client\releases\0.0.0.193\deploy\leagueclient.exe No File
      FirewallRules: [{4D978224-DF40-4E88-8B87-0587D8FE17AE}] => (Block) D:\program files\starcraft ii\versions\base72282\sc2_x64.exe No File
      FirewallRules: [{AC24B30B-A191-4D69-9DE9-2A6BA51878AE}] => (Block) D:\program files\starcraft ii\versions\base72282\sc2_x64.exe No File
      FirewallRules: [UDP Query User{EE28A865-9C64-4ED6-89EA-66168B45F97F}D:\program files\starcraft ii\versions\base72282\sc2_x64.exe] => (Allow) D:\program files\starcraft ii\versions\base72282\sc2_x64.exe No File
      FirewallRules: [TCP Query User{D5F516CE-2E74-4A75-9B52-4F5493FD750C}D:\program files\starcraft ii\versions\base72282\sc2_x64.exe] => (Allow) D:\program files\starcraft ii\versions\base72282\sc2_x64.exe No File
      FirewallRules: [{A76CF196-119C-4C95-BFC6-A3394ECCDF7C}] => (Block) L:\program files (x86)\league of legends\rads\projects\league_client\releases\0.0.0.192\deploy\leagueclient.exe No File
      FirewallRules: [{70C4BD16-FE1A-42F1-974F-FA802D93A4AA}] => (Block) L:\program files (x86)\league of legends\rads\projects\league_client\releases\0.0.0.192\deploy\leagueclient.exe No File
      FirewallRules: [UDP Query User{50109FDB-582A-46EA-BCB5-48BC16332ED8}L:\program files (x86)\league of legends\rads\projects\league_client\releases\0.0.0.192\deploy\leagueclient.exe] => (Allow) L:\program files (x86)\league of legends\rads\projects\league_client\releases\0.0.0.192\deploy\leagueclient.exe No File
      FirewallRules: [TCP Query User{B9712A18-4B31-40DC-A2CC-6BBF4E68B185}L:\program files (x86)\league of legends\rads\projects\league_client\releases\0.0.0.192\deploy\leagueclient.exe] => (Allow) L:\program files (x86)\league of legends\rads\projects\league_client\releases\0.0.0.192\deploy\leagueclient.exe No File
      FirewallRules: [{F6D535C9-FB4F-4E7D-8304-698A59C3AC45}] => (Block) D:\program files\heroes of the storm\versions\base72649\heroesofthestorm_x64.exe No File
      FirewallRules: [{5DCEF37C-3F05-46A7-9BD3-9B4F76F98559}] => (Block) D:\program files\heroes of the storm\versions\base72649\heroesofthestorm_x64.exe No File
      FirewallRules: [UDP Query User{7C942C3E-6239-4FD3-85BA-7F44D77EEA2A}D:\program files\heroes of the storm\versions\base72649\heroesofthestorm_x64.exe] => (Allow) D:\program files\heroes of the storm\versions\base72649\heroesofthestorm_x64.exe No File
      FirewallRules: [TCP Query User{825874CF-741F-46B7-A4DC-7AF917665657}D:\program files\heroes of the storm\versions\base72649\heroesofthestorm_x64.exe] => (Allow) D:\program files\heroes of the storm\versions\base72649\heroesofthestorm_x64.exe No File
      FirewallRules: [{8C30E6F1-8984-490F-A35F-70B52C2CED63}] => (Block) L:\program files (x86)\league of legends\rads\projects\league_client\releases\0.0.0.191\deploy\leagueclient.exe No File
      FirewallRules: [{C98A5B34-7EE0-46BF-9D74-D1743A2FBA5E}] => (Block) L:\program files (x86)\league of legends\rads\projects\league_client\releases\0.0.0.191\deploy\leagueclient.exe No File
      FirewallRules: [UDP Query User{3AFDA52E-8DB5-4AE8-B39F-1B0D9394E1A1}L:\program files (x86)\league of legends\rads\projects\league_client\releases\0.0.0.191\deploy\leagueclient.exe] => (Allow) L:\program files (x86)\league of legends\rads\projects\league_client\releases\0.0.0.191\deploy\leagueclient.exe No File
      FirewallRules: [TCP Query User{4BBA83B6-00CF-40C8-A23B-1361BE66CCE8}L:\program files (x86)\league of legends\rads\projects\league_client\releases\0.0.0.191\deploy\leagueclient.exe] => (Allow) L:\program files (x86)\league of legends\rads\projects\league_client\releases\0.0.0.191\deploy\leagueclient.exe No File
      FirewallRules: [{610549B6-E5DA-48E2-A0A2-B6C1B9B72A16}] => (Block) L:\program files (x86)\league of legends\rads\projects\league_client\releases\0.0.0.190\deploy\leagueclient.exe No File
      FirewallRules: [{59A96CDD-0BAD-4480-84C0-56E3A816F59F}] => (Block) L:\program files (x86)\league of legends\rads\projects\league_client\releases\0.0.0.190\deploy\leagueclient.exe No File
      FirewallRules: [UDP Query User{F0A0B2DC-0F1E-4B7C-967C-EC20121C9A54}L:\program files (x86)\league of legends\rads\projects\league_client\releases\0.0.0.190\deploy\leagueclient.exe] => (Allow) L:\program files (x86)\league of legends\rads\projects\league_client\releases\0.0.0.190\deploy\leagueclient.exe No File
      FirewallRules: [TCP Query User{76424F8A-CEAD-4E53-80F1-EA5C9FB12DEA}L:\program files (x86)\league of legends\rads\projects\league_client\releases\0.0.0.190\deploy\leagueclient.exe] => (Allow) L:\program files (x86)\league of legends\rads\projects\league_client\releases\0.0.0.190\deploy\leagueclient.exe No File
      FirewallRules: [{B20ED863-BB0A-408D-B643-DB5A82D2DE7E}] => (Block) L:\program files (x86)\league of legends\rads\projects\league_client\releases\0.0.0.189\deploy\leagueclient.exe No File
      FirewallRules: [{F0E0CC38-6816-473B-AECB-D61AAB5DA911}] => (Block) L:\program files (x86)\league of legends\rads\projects\league_client\releases\0.0.0.189\deploy\leagueclient.exe No File
      FirewallRules: [UDP Query User{08AACE60-9A47-44A9-8818-15F1DFF57E64}L:\program files (x86)\league of legends\rads\projects\league_client\releases\0.0.0.189\deploy\leagueclient.exe] => (Allow) L:\program files (x86)\league of legends\rads\projects\league_client\releases\0.0.0.189\deploy\leagueclient.exe No File
      FirewallRules: [TCP Query User{33C7185E-22C5-4595-8929-3D883F1DBDD7}L:\program files (x86)\league of legends\rads\projects\league_client\releases\0.0.0.189\deploy\leagueclient.exe] => (Allow) L:\program files (x86)\league of legends\rads\projects\league_client\releases\0.0.0.189\deploy\leagueclient.exe No File
      FirewallRules: [{2D04452A-44C2-429C-A636-389237C61D33}] => (Block) D:\program files\heroes of the storm\versions\base72481\heroesofthestorm_x64.exe No File
      FirewallRules: [{1D47DDDE-9D33-430C-9EE7-2A6D4F10DC14}] => (Block) D:\program files\heroes of the storm\versions\base72481\heroesofthestorm_x64.exe No File
      FirewallRules: [UDP Query User{A34D3E17-4FC7-41CF-B669-3A27DDB69887}D:\program files\heroes of the storm\versions\base72481\heroesofthestorm_x64.exe] => (Allow) D:\program files\heroes of the storm\versions\base72481\heroesofthestorm_x64.exe No File
      FirewallRules: [TCP Query User{5C75AF27-4D56-4E4A-9E95-84A7EAF0F735}D:\program files\heroes of the storm\versions\base72481\heroesofthestorm_x64.exe] => (Allow) D:\program files\heroes of the storm\versions\base72481\heroesofthestorm_x64.exe No File
      FirewallRules: [{8933A175-1824-45C0-8673-C3BF205CF7C2}] => (Block) L:\program files (x86)\league of legends\rads\projects\league_client\releases\0.0.0.188\deploy\leagueclient.exe No File
      FirewallRules: [{DCFA7A47-13A0-4D49-81D3-054762A1FAC0}] => (Block) L:\program files (x86)\league of legends\rads\projects\league_client\releases\0.0.0.188\deploy\leagueclient.exe No File
      FirewallRules: [UDP Query User{499730D1-F10E-47ED-B436-847FC2E1DABF}L:\program files (x86)\league of legends\rads\projects\league_client\releases\0.0.0.188\deploy\leagueclient.exe] => (Allow) L:\program files (x86)\league of legends\rads\projects\league_client\releases\0.0.0.188\deploy\leagueclient.exe No File
      FirewallRules: [TCP Query User{4615D1A1-4DFD-4545-B1B0-6DF088237848}L:\program files (x86)\league of legends\rads\projects\league_client\releases\0.0.0.188\deploy\leagueclient.exe] => (Allow) L:\program files (x86)\league of legends\rads\projects\league_client\releases\0.0.0.188\deploy\leagueclient.exe No File
      FirewallRules: [{3AEC0EDF-E375-4F0E-8139-DABA2E51B400}] => (Block) D:\program files\heroes of the storm\versions\base72307\heroesofthestorm_x64.exe No File
      FirewallRules: [{2403A5AE-9164-4039-B115-6D80D10CB3FD}] => (Block) D:\program files\heroes of the storm\versions\base72307\heroesofthestorm_x64.exe No File
      FirewallRules: [UDP Query User{D2F7C947-AA33-4C54-A5CC-9B76DA666FED}D:\program files\heroes of the storm\versions\base72307\heroesofthestorm_x64.exe] => (Allow) D:\program files\heroes of the storm\versions\base72307\heroesofthestorm_x64.exe No File
      FirewallRules: [TCP Query User{64D64743-3FC4-499B-B106-655368010D65}D:\program files\heroes of the storm\versions\base72307\heroesofthestorm_x64.exe] => (Allow) D:\program files\heroes of the storm\versions\base72307\heroesofthestorm_x64.exe No File
      FirewallRules: [UDP Query User{5931CC17-783A-45C5-B7F9-CAEA40B49190}L:\program files (x86)\league of legends\rads\projects\league_client\releases\0.0.0.187\deploy\leagueclient.exe] => (Allow) L:\program files (x86)\league of legends\rads\projects\league_client\releases\0.0.0.187\deploy\leagueclient.exe No File
      FirewallRules: [TCP Query User{C7DC81F7-FA87-4B93-9C69-27966BC7B1CD}L:\program files (x86)\league of legends\rads\projects\league_client\releases\0.0.0.187\deploy\leagueclient.exe] => (Allow) L:\program files (x86)\league of legends\rads\projects\league_client\releases\0.0.0.187\deploy\leagueclient.exe No File
      FirewallRules: [UDP Query User{A8705E14-17E3-4E90-9ED7-6ADED1924626}L:\program files (x86)\league of legends\rads\projects\league_client\releases\0.0.0.186\deploy\leagueclient.exe] => (Allow) L:\program files (x86)\league of legends\rads\projects\league_client\releases\0.0.0.186\deploy\leagueclient.exe No File
      FirewallRules: [TCP Query User{E45FAFB2-E914-4794-866C-917824D25DF4}L:\program files (x86)\league of legends\rads\projects\league_client\releases\0.0.0.186\deploy\leagueclient.exe] => (Allow) L:\program files (x86)\league of legends\rads\projects\league_client\releases\0.0.0.186\deploy\leagueclient.exe No File
      FirewallRules: [{6AD97F68-348D-4ED5-85D8-FFEEE9493F14}] => (Block) L:\program files (x86)\league of legends\rads\projects\league_client\releases\0.0.0.184\deploy\leagueclient.exe No File
      FirewallRules: [{CD188065-BA0F-40BB-9095-B293110F78B6}] => (Block) L:\program files (x86)\league of legends\rads\projects\league_client\releases\0.0.0.184\deploy\leagueclient.exe No File
      FirewallRules: [UDP Query User{15632BB5-7ADD-4C26-9F41-1FCC1088EC79}L:\program files (x86)\league of legends\rads\projects\league_client\releases\0.0.0.184\deploy\leagueclient.exe] => (Allow) L:\program files (x86)\league of legends\rads\projects\league_client\releases\0.0.0.184\deploy\leagueclient.exe No File
      FirewallRules: [TCP Query User{B1CEA59B-E7B6-43DA-B008-C89DC8939B8E}L:\program files (x86)\league of legends\rads\projects\league_client\releases\0.0.0.184\deploy\leagueclient.exe] => (Allow) L:\program files (x86)\league of legends\rads\projects\league_client\releases\0.0.0.184\deploy\leagueclient.exe No File
      FirewallRules: [{22501B55-AE3E-4EA9-8106-8ACDDD405C5F}] => (Block) H:\program files\league of legends\rads\projects\league_client\releases\0.0.0.184\deploy\leagueclient.exe No File
      FirewallRules: [{47805308-4078-4FF2-978F-79D7E31E7AC1}] => (Block) H:\program files\league of legends\rads\projects\league_client\releases\0.0.0.184\deploy\leagueclient.exe No File
      FirewallRules: [UDP Query User{F969632E-0849-4626-A53C-889CFB47E463}H:\program files\league of legends\rads\projects\league_client\releases\0.0.0.184\deploy\leagueclient.exe] => (Allow) H:\program files\league of legends\rads\projects\league_client\releases\0.0.0.184\deploy\leagueclient.exe No File
      FirewallRules: [TCP Query User{A70BA8B5-4EF8-4F75-98E0-E76BABBA73C8}H:\program files\league of legends\rads\projects\league_client\releases\0.0.0.184\deploy\leagueclient.exe] => (Allow) H:\program files\league of legends\rads\projects\league_client\releases\0.0.0.184\deploy\leagueclient.exe No File
      FirewallRules: [{F70DADD3-87B5-4177-8E95-32AD34D0FFB7}] => (Block) H:\program files\league of legends\rads\projects\league_client\releases\0.0.0.172\deploy\leagueclient.exe No File
      FirewallRules: [{FB08E988-E92E-41E3-A8CB-6B0931F5E3B1}] => (Block) H:\program files\league of legends\rads\projects\league_client\releases\0.0.0.172\deploy\leagueclient.exe No File
      FirewallRules: [UDP Query User{64C078E4-5B49-4C1F-823F-1D4CFDAC52A8}H:\program files\league of legends\rads\projects\league_client\releases\0.0.0.172\deploy\leagueclient.exe] => (Allow) H:\program files\league of legends\rads\projects\league_client\releases\0.0.0.172\deploy\leagueclient.exe No File
      FirewallRules: [TCP Query User{A0D77D0B-5F3D-4CA7-9D8C-4B66851576F4}H:\program files\league of legends\rads\projects\league_client\releases\0.0.0.172\deploy\leagueclient.exe] => (Allow) H:\program files\league of legends\rads\projects\league_client\releases\0.0.0.172\deploy\leagueclient.exe No File
      FirewallRules: [{4C870B08-2599-4291-AD49-15F028482F10}] => (Allow) E:\Program Files\Steam\bin\cef\cef.win7\steamwebhelper.exe No File
      FirewallRules: [{CE826C7B-655A-41F8-894F-9CD1E6C28C07}] => (Allow) E:\Program Files\Steam\bin\cef\cef.win7\steamwebhelper.exe No File
      FirewallRules: [TCP Query User{91AFE4D9-761C-458E-B676-E614ECEADAB8}D:\program files\heroes of the storm\versions\base73016\heroesofthestorm_x64.exe] => (Allow) D:\program files\heroes of the storm\versions\base73016\heroesofthestorm_x64.exe No File
      FirewallRules: [UDP Query User{9129C092-56A0-435F-8526-E4D786FE4F09}D:\program files\heroes of the storm\versions\base73016\heroesofthestorm_x64.exe] => (Allow) D:\program files\heroes of the storm\versions\base73016\heroesofthestorm_x64.exe No File
      FirewallRules: [TCP Query User{BBE6F3CC-FF4E-44AA-AB80-B23D92B3A3B4}L:\program files (x86)\league of legends\rads\projects\league_client\releases\0.0.0.195\deploy\leagueclient.exe] => (Allow) L:\program files (x86)\league of legends\rads\projects\league_client\releases\0.0.0.195\deploy\leagueclient.exe No File
      FirewallRules: [UDP Query User{EF0CB55F-4603-4B6A-AFD7-FCA489636989}L:\program files (x86)\league of legends\rads\projects\league_client\releases\0.0.0.195\deploy\leagueclient.exe] => (Allow) L:\program files (x86)\league of legends\rads\projects\league_client\releases\0.0.0.195\deploy\leagueclient.exe No File
      FirewallRules: [{C338BE84-4A67-4388-B640-8F67550AA4D2}] => (Block) L:\program files (x86)\league of legends\rads\projects\league_client\releases\0.0.0.195\deploy\leagueclient.exe No File
      FirewallRules: [{41D66050-E3E3-4CDE-BA54-746EDB588545}] => (Block) L:\program files (x86)\league of legends\rads\projects\league_client\releases\0.0.0.195\deploy\leagueclient.exe No File
      FirewallRules: [TCP Query User{47FED4CB-CA0C-4772-8D53-32145FEEBBBB}L:\program files (x86)\league of legends\rads\projects\league_client\releases\0.0.0.196\deploy\leagueclient.exe] => (Allow) L:\program files (x86)\league of legends\rads\projects\league_client\releases\0.0.0.196\deploy\leagueclient.exe No File
      FirewallRules: [UDP Query User{F74CDC4F-0C90-442D-8E41-DADED5EF49D8}L:\program files (x86)\league of legends\rads\projects\league_client\releases\0.0.0.196\deploy\leagueclient.exe] => (Allow) L:\program files (x86)\league of legends\rads\projects\league_client\releases\0.0.0.196\deploy\leagueclient.exe No File
      FirewallRules: [{9CC4BEA6-CAC7-4C75-B9EB-24FF4CCE791C}] => (Block) L:\program files (x86)\league of legends\rads\projects\league_client\releases\0.0.0.196\deploy\leagueclient.exe No File
      FirewallRules: [{00D40F55-8C52-4A82-82AD-3D01CAFF9F59}] => (Block) L:\program files (x86)\league of legends\rads\projects\league_client\releases\0.0.0.196\deploy\leagueclient.exe No File
      FirewallRules: [TCP Query User{F9920A12-C35F-4294-B000-A29C6E11AF11}D:\program files\starcraft ii\versions\base73286\sc2_x64.exe] => (Allow) D:\program files\starcraft ii\versions\base73286\sc2_x64.exe No File
      FirewallRules: [UDP Query User{AD59B438-D3D7-4377-91E5-7CC1C4F2B64F}D:\program files\starcraft ii\versions\base73286\sc2_x64.exe] => (Allow) D:\program files\starcraft ii\versions\base73286\sc2_x64.exe No File
      FirewallRules: [{88D54AFE-F638-416F-889F-DCFF7C4912AA}] => (Block) D:\program files\starcraft ii\versions\base73286\sc2_x64.exe No File
      FirewallRules: [{B04BE49E-7CF2-4128-A64D-EAE609B4A37B}] => (Block) D:\program files\starcraft ii\versions\base73286\sc2_x64.exe No File
      FirewallRules: [TCP Query User{C56BE35A-EB90-40F6-BFD1-10B63DF745BF}L:\program files (x86)\league of legends\rads\projects\league_client\releases\0.0.0.197\deploy\leagueclient.exe] => (Allow) L:\program files (x86)\league of legends\rads\projects\league_client\releases\0.0.0.197\deploy\leagueclient.exe No File
      FirewallRules: [UDP Query User{473EF3AC-6763-4B6D-96FD-4E81A176E007}L:\program files (x86)\league of legends\rads\projects\league_client\releases\0.0.0.197\deploy\leagueclient.exe] => (Allow) L:\program files (x86)\league of legends\rads\projects\league_client\releases\0.0.0.197\deploy\leagueclient.exe No File
      FirewallRules: [{0DA8BA0E-AC05-4265-8424-8A4A2F8165B1}] => (Block) L:\program files (x86)\league of legends\rads\projects\league_client\releases\0.0.0.197\deploy\leagueclient.exe No File
      FirewallRules: [{D6B08014-89A0-4FF8-B855-EBCA55363087}] => (Block) L:\program files (x86)\league of legends\rads\projects\league_client\releases\0.0.0.197\deploy\leagueclient.exe No File
      FirewallRules: [TCP Query User{B3691AC2-78AA-4104-8E8E-44513C84531B}D:\program files\heroes of the storm\versions\base73493\heroesofthestorm_x64.exe] => (Allow) D:\program files\heroes of the storm\versions\base73493\heroesofthestorm_x64.exe No File
      FirewallRules: [UDP Query User{B8BB553A-F02F-42B9-9997-0EF5A411CB37}D:\program files\heroes of the storm\versions\base73493\heroesofthestorm_x64.exe] => (Allow) D:\program files\heroes of the storm\versions\base73493\heroesofthestorm_x64.exe No File
      FirewallRules: [{49602B54-A7DE-43A8-BC44-778E52591A5B}] => (Block) D:\program files\heroes of the storm\versions\base73493\heroesofthestorm_x64.exe No File
      FirewallRules: [{67961267-9E63-4B7D-AAA0-62681F2DD94F}] => (Block) D:\program files\heroes of the storm\versions\base73493\heroesofthestorm_x64.exe No File
      FirewallRules: [TCP Query User{DA5E7B36-4300-42F9-AE40-7AD714A3F42F}L:\program files (x86)\league of legends\rads\projects\league_client\releases\0.0.0.198\deploy\leagueclient.exe] => (Allow) L:\program files (x86)\league of legends\rads\projects\league_client\releases\0.0.0.198\deploy\leagueclient.exe No File
      FirewallRules: [UDP Query User{4203FECC-AE03-48AE-85A6-001103F38E6A}L:\program files (x86)\league of legends\rads\projects\league_client\releases\0.0.0.198\deploy\leagueclient.exe] => (Allow) L:\program files (x86)\league of legends\rads\projects\league_client\releases\0.0.0.198\deploy\leagueclient.exe No File
      FirewallRules: [TCP Query User{8D4B3552-8A0F-4CD8-AC8C-4B5BC6B2EA62}D:\program files\heroes of the storm\versions\base73662\heroesofthestorm_x64.exe] => (Allow) D:\program files\heroes of the storm\versions\base73662\heroesofthestorm_x64.exe No File
      FirewallRules: [UDP Query User{1A074933-7227-470D-A121-E7A638414858}D:\program files\heroes of the storm\versions\base73662\heroesofthestorm_x64.exe] => (Allow) D:\program files\heroes of the storm\versions\base73662\heroesofthestorm_x64.exe No File
      FirewallRules: [TCP Query User{965101A5-EF76-48D6-B8D7-E6F7C39A98D4}L:\program files (x86)\league of legends\rads\projects\league_client\releases\0.0.0.199\deploy\leagueclient.exe] => (Allow) L:\program files (x86)\league of legends\rads\projects\league_client\releases\0.0.0.199\deploy\leagueclient.exe No File
      FirewallRules: [UDP Query User{54933BC3-D49D-43C6-8DAF-934BDA7C6FD5}L:\program files (x86)\league of legends\rads\projects\league_client\releases\0.0.0.199\deploy\leagueclient.exe] => (Allow) L:\program files (x86)\league of legends\rads\projects\league_client\releases\0.0.0.199\deploy\leagueclient.exe No File
      FirewallRules: [TCP Query User{FAFBAF13-9066-4CAD-B834-7A859C43EDB7}L:\program files (x86)\league of legends\rads\projects\league_client\releases\0.0.0.200\deploy\leagueclient.exe] => (Allow) L:\program files (x86)\league of legends\rads\projects\league_client\releases\0.0.0.200\deploy\leagueclient.exe No File
      FirewallRules: [UDP Query User{B4189F60-3CF7-467F-A3A2-2E00274D843A}L:\program files (x86)\league of legends\rads\projects\league_client\releases\0.0.0.200\deploy\leagueclient.exe] => (Allow) L:\program files (x86)\league of legends\rads\projects\league_client\releases\0.0.0.200\deploy\leagueclient.exe No File
      FirewallRules: [TCP Query User{DDBD5129-2B7F-4BE9-821A-354B11A64524}D:\program files\heroes of the storm\versions\base74238\heroesofthestorm_x64.exe] => (Allow) D:\program files\heroes of the storm\versions\base74238\heroesofthestorm_x64.exe No File
      FirewallRules: [UDP Query User{AD38BDBC-E49A-4766-BCF0-3A67B72A2A75}D:\program files\heroes of the storm\versions\base74238\heroesofthestorm_x64.exe] => (Allow) D:\program files\heroes of the storm\versions\base74238\heroesofthestorm_x64.exe No File
      FirewallRules: [TCP Query User{0D424C4C-8B4B-4B9E-906D-8A1CCDEC4840}D:\program files\heroes of the storm\versions\base74739\heroesofthestorm_x64.exe] => (Allow) D:\program files\heroes of the storm\versions\base74739\heroesofthestorm_x64.exe No File
      FirewallRules: [UDP Query User{77D8B302-3176-4B7C-889B-D1A186D44385}D:\program files\heroes of the storm\versions\base74739\heroesofthestorm_x64.exe] => (Allow) D:\program files\heroes of the storm\versions\base74739\heroesofthestorm_x64.exe No File
      FirewallRules: [TCP Query User{CDB5DAC4-FBF1-43B4-A252-2509BD50018F}L:\program files (x86)\the elder scrolls v skyrim special edition\server\server.exe] => (Allow) L:\program files (x86)\the elder scrolls v skyrim special edition\server\server.exe No File
      FirewallRules: [UDP Query User{2112D68F-C4AA-4275-9F76-6FCC78B5B795}L:\program files (x86)\the elder scrolls v skyrim special edition\server\server.exe] => (Allow) L:\program files (x86)\the elder scrolls v skyrim special edition\server\server.exe No File
      C:\ProgramData\Comms
      Folder: C:\Users\Nai\AppData\Roaming\Tera_Awesomium
      VirusTotal: C:\Users\Nai\AppData\Roaming\NoxSrv\NoxSrv.exe;C:\Users\Nai\AppData\Local\D23C00.tmp
      CMD: Bitsadmin /Reset /Allusers
      End::
    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
    • Double-click FRST.exe/FRST64.exe to run it.
    • Press the Fix button just once and wait.
    • Restart the computer if prompted.
    • When the fix is complete FRST will generate a log in the same location it was run from (Fixlog.txt)
    • Please copy and paste its contents into your reply.

    ---------------------------------------------------
    AdwCleaner

    Download AdwCleaner and save it to your desktop.
    • Right-click on the AdwCleaner icon and select Run as Administrator
    • Accept the EULA (I agree), then click on Scan.
    • When the scan is complete, click View Scan Log File. (Don't click the Clean and Repair button yet)
    • The scan log will open in Notepad.
    • Copy and paste its contents into your next reply.
    • Note: The log is also saved to C:\AdwCleaner\Logs\AdwCleaner[Sxx].txt

    ---------------------------------------------------

    In your next reply, please include:
    • Fixlog.txt
    • AdwCleaner[Sxx].txt
    • Let me know how the computer is doing.
     
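    The FRST fixlist above removes firewall rules whose target executable is gone ("No File") and resets all users' BITS jobs. As an added example that is not part of the thread or of FRST, the PowerShell below audits a Windows 10 machine for those same two artifact classes before anything is removed; it assumes the built-in NetSecurity and BitsTransfer modules and an elevated prompt.

```powershell
# Added example, not from the thread or FRST. Reports firewall rules whose
# program no longer exists on disk (what FRST lists as "No File") and the
# BITS jobs that "Bitsadmin /Reset /Allusers" would clear. Report only.
function Get-OrphanedFirewallRule {
    [CmdletBinding()]
    param()
    foreach ($rule in Get-NetFirewallRule -ErrorAction SilentlyContinue) {
        $filter  = $rule | Get-NetFirewallApplicationFilter -ErrorAction SilentlyContinue
        $program = $filter.Program
        # Rules scoped to "Any" or "System" have no file to check.
        if (-not $program -or $program -in @('Any', 'System')) { continue }
        # Rule paths may contain %SystemRoot%, %ProgramFiles% and so on.
        $path = [Environment]::ExpandEnvironmentVariables($program)
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
            [PSCustomObject]@{
                Name         = $rule.Name
                Direction    = $rule.Direction
                Action       = $rule.Action
                Enabled      = $rule.Enabled
                Program      = $program
                # "Query User" rules were created by the inbound-connection prompt
                # rather than by an installer, like the game rules in the fixlist.
                UserPrompted = $rule.Name -like '*Query User*'
            }
        }
    }
}

function Get-AllUserBitsJob {
    # Requires elevation; lists every user's BITS jobs, including any a
    # downloader left behind, so they can be reviewed before a reset.
    Get-BitsTransfer -AllUsers -ErrorAction SilentlyContinue |
        Select-Object JobId, DisplayName, JobState, OwnerAccount, TransferType
}

Get-OrphanedFirewallRule | Format-Table -AutoSize
Get-AllUserBitsJob       | Format-Table -AutoSize
```

To remove a confirmed orphan, pipe its Name to Remove-NetFirewallRule; the functions themselves change nothing.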
  7. Scudstorm

    Scudstorm Thread Starter

    Joined:
    Jun 24, 2010
    Messages:
    78
    I do use Flash Video Downloader (very sparingly); it's not an add-on that weaseled itself into my system.

    I don't recognize that 7z file, shall I delete it?

    My computer never had any symptoms of infection (both pre- and post-Ursnif), besides the Ursnif detection by Windows Defender, so I can't really say much on how the computer is doing.

    One thing that I did notice after the FRST fix is that my Google Chrome no longer has the option to start a new Incognito window by right-clicking it on the taskbar (i.e. jumplist option is gone). I vaguely remember having this issue when I first installed Windows on this computer and forgot how I fixed it (it may have been a full reinstall as I had to do it for some other reason).
     


    Last edited: Jul 16, 2019
  8. iMacg3

    iMacg3 Malware Specialist

    Joined:
    Nov 3, 2018
    Messages:
    558
    Hi Scudstorm,

    Yes, please delete the .7z file.

    ---------------------------------------------------
    AdwCleaner - Clean

    • Double-click the AdwCleaner icon to run it.
    • Press the Scan button.
    • When the scan is complete, ensure that all the listed items are checked and click Clean and Repair.
    • Select Clean & Restart Now. AdwCleaner will restart the computer to complete the cleaning process.
    • After the restart, an AdwCleaner window will open. Select View Log File.
    • The scan log will open in Notepad.
    • Copy and paste its contents into your next reply.
    • Note: The log is also saved to C:\AdwCleaner\Logs\AdwCleaner[Cxx].txt

    ---------------------------------------------------
    FRST scan
    • Double-click FRST.exe/FRST64.exe to run it.
    • Press the Scan button.
    • When finished, it will produce logs called FRST.txt and Addition.txt in the same directory the tool was run from.
    • Please copy and paste the logs in your next reply.

    ---------------------------------------------------

    In your next reply, please include:
    • AdwCleaner[Cxx].txt
    • FRST.txt
    • Addition.txt
     
  9. Scudstorm

    Scudstorm Thread Starter

    Joined:
    Jun 24, 2010
    Messages:
    78
    Rectification: I did have an infection symptom in the form of Win Erx03 on my Internet Explorer. This was both before the Ursnif (for quite some time... I didn't think it was on my end and thought it was careless ad selection by MS as the redirects only occurred on MSN's webpages), and after all the cleanup we just did.

    I run IE without any protection (no uBlock Origin is available for it and AdBlock Plus was freaking out using my PC's resources), not because I like the browser but because some work requires me to use it.

    I have reset my IE settings as per this guide: http://www.myantispyware.com/2018/11/23/how-to-remove-win-erx03-pop-up-error-virus-removal-guide/ and so far it hasn't crept back up. I will keep watching the situation.
     


  10. iMacg3

    iMacg3 Malware Specialist

    Joined:
    Nov 3, 2018
    Messages:
    558
    Hi Scudstorm,

    ---------------------------------------------------
    ESET Online Scanner

    Download ESET Online Scanner and save it to your desktop.
    • Right-click on esetonlinescanner_enu.exe and select Run as Administrator.
    • When the tool opens, click Get Started.
    • Read and accept the license agreement.
    • At the Welcome to ESET Online Scanner window, click Get Started.
    • Select whether you would like to send anonymous data to ESET.
    • Note: if you see the "Welcome Back to ESET Online Scanner" screen, click Computer Scan > Full Scan.
    • Click on the Full Scan option.
    • Select Enable ESET to detect and remove potentially unwanted applications, then click Start scan.
    • ESET will now begin scanning your computer. This may take some time.
    • When the scan is finished and if threats have been detected, select Save scan log. Save it to your desktop as eset.txt. Click on Continue.
    • ESET Online Scanner may ask if you'd like to turn on the Periodic Scan feature. Click on Continue.
    • On the next screen, you can leave feedback about the program if you wish. Check the box for Delete application data on closing. If you left feedback, click Submit and continue. If not, Close without feedback.
    • Open the scan log on your desktop (eset.txt) and copy and paste its contents into your next reply.

    ---------------------------------------------------

    In your next reply, please include:
    • eset.txt
     
  11. Scudstorm

    Scudstorm Thread Starter

    Joined:
    Jun 24, 2010
    Messages:
    78
    Think it may have been a bit overzealous with my game mods/cheats (though those are admittedly potentially unsafe) :)

    EDIT

    Just after the scan and this post, IE showed up with Win Erx03 again... If it's of any relevance, this is right after IE prompted me to enable Windows Defender SmartScreen Filter and I said yes. Maybe it was actually malware in disguise?

    I'm only mildly concerned with Win Erx03, however; it's Ursnif that scares me. Do you think Ursnif is gone by this point?
     


    Last edited: Jul 17, 2019
  12. iMacg3

    iMacg3 Malware Specialist

    Joined:
    Nov 3, 2018
    Messages:
    558
    Hi Scudstorm,

    Your logs are clear of malware. Please do this...

    ---------------------------------------------------
    Reset Internet Explorer

    Note: This step will remove personal customizations from Internet Explorer.
    • Press the Windows key + R.
    • Type inetcpl.cpl in the Run box and press Enter.
    • Select the Advanced tab.
    • Under Reset Internet Explorer settings, click Reset.
    • Check the Delete personal settings box and click OK.
    • Once complete click Close.

    ---------------------------------------------------

    In your next reply, please include:
    • Let me know how the computer is doing.
     
  13. Scudstorm

    Scudstorm Thread Starter

    Joined:
    Jun 24, 2010
    Messages:
    78
    I have run 1 day symptom-free (although I don't use IE much).

    Then this morning, IE prompted me again to turn on SmartScreen Filter, and Win Erx03 came back almost right away. This is consistent with my last experience trying to fix the issue (both the fix and the timing of the Filter vs the symptom creeping back were identical).

    I now suspect a direct link between the two. I use IE 11 and the webpages that redirected to Win Erx03 were news pages of the MSN homepage.
     
  14. iMacg3

    iMacg3 Malware Specialist

    Joined:
    Nov 3, 2018
    Messages:
    558
    Hi Scudstorm,

    Can you post a screenshot of the SmartScreen Filter window? Instructions to do so can be found here.
     