Autoit infection via Skype?
redsky1531 (Member, 21 posts)
Malekal_morte- (Moderator, Security Contributor, 178136 posts)
Hello,
I am turning to your expertise to find a solution to my problem.
On a friend's PC, there is a run script window to open AutoIt files; this window, which has the AutoIt 3 logo, executes automatically at each startup.
Suspecting a malware or virus infection, I run the antivirus "Avira." Some elements are detected, and I delete them; I run a scan again, and everything is clean, but the window still opens.
I go through AdwCleaner, which detects certain registry elements; I do a clean, but it doesn't solve the window problem.
From these two scans, a folder named "skypee" comes up, which contains AutoIt 3 and a source file deleted by Avira.
I run MBAM, but it refuses to execute; the program closes as soon as it opens ("it doesn't run even in minimal startup or safe mode").
Lastly, I run an FRST scan and turn to you for more precision, hoping to find a solution.
Thank you in advance for your help.
https://pjjoint.malekal.com/files.php?id=FRST_20160910_n9d12f8b7u6
https://pjjoint.malekal.com/files.php?id=20160910_n7x13p13d11g9
https://pjjoint.malekal.com/files.php?id=20160910_q9f9m7f14s13
Configuration: Windows 7 / Chrome 53.0.2785.101
6 answers
Do not use a USB key for now.
Here is the correction to be made with FRST. You can refer to this explanatory note with screenshots.
Open Notepad: Windows key + R,
In the "Run" field, type notepad and OK.
Copy/Paste the following into it:
CreateRestorePoint:
CloseProcesses:
HKU\S-1-5-21-3033668385-1626477122-1689226782-1000\...\Run: [AdopeFlash] => C:\Google\AutoIt3.exe [750320 2012-01-29] (AutoIt Team)
2016-09-10 13:32 - 2015-05-28 12:28 - 00000000 _RSHD C:\Skypee
2016-09-10 13:32 - 2015-05-28 12:27 - 00000000 _RSHD C:\Google
2016-09-09 20:25 - 2016-09-09 20:25 - 0000000 _____ () C:\Users\user\AppData\Local\{B7EFE336-9603-4F6E-8F4D-A343D057642E}
Hosts:
EmptyTemp:
RemoveProxy:
Reboot:
Once the text is pasted in Notepad,
File menu then "Save As",
On the left, go to Desktop,
In the bottom field, enter the file name: fixlist.txt
Click on "Save", it will create fixlist.txt on the Desktop.
Restart FRST and click on the "Fix" button
A restart may be necessary (not mandatory)
A text file will appear, copy/paste the contents here in a new message.
Restart the computer.
--
Please press any key to continue the disinfection...
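For readers triaging an FRST log like the one above, here is an added example (not code from the thread, from FRST, or from the moderator) that parses the two line shapes this fixlist contains, Run-key entries and directory entries, and flags the same patterns the fix targeted: the AutoIt interpreter autostarted from an unusual folder, a vendor-lookalike value name such as AdopeFlash, and system+hidden folders at the drive root. The sample lines are constructed; the regexes and the reading of the attribute letters are my assumptions about FRST's output format.

```python
import re

# Constructed sample in the layout FRST uses. The AutoIt Run entry and the two _RSHD
# directory entries mirror this thread's fixlist; the benign lines are made up for contrast.
SAMPLE_FRST_LINES = r"""
HKLM\...\Run: [Avira] => C:\Program Files\Avira\AntiVir Desktop\avgnt.exe [1234567 2016-08-01] (Avira Operations GmbH)
HKU\S-1-5-21-3033668385-1626477122-1689226782-1000\...\Run: [AdopeFlash] => C:\Google\AutoIt3.exe [750320 2012-01-29] (AutoIt Team)
2016-09-10 13:32 - 2015-05-28 12:28 - 00000000 _RSHD C:\Skypee
2016-09-10 13:32 - 2015-05-28 12:27 - 00000000 _RSHD C:\Google
2016-09-10 13:40 - 2016-09-10 13:40 - 00000000 ____D C:\Program Files\Malwarebytes
"""

# Run-key line: <hive>\...\Run: [<value name>] => <path> [<size> <date>] (<signer>)
RUN_RE = re.compile(r"^(?P<hive>HK\S+)\\Run: \[(?P<name>[^\]]+)\] => (?P<path>[^\[]+?) \[")
# Directory line: <created> - <modified> - <size> <attributes> <path>
# Attribute letters (assumption from FRST output): R read-only, S system, H hidden, D directory.
DIR_RE = re.compile(r"^\S+ \S+ - \S+ \S+ - \d+ (?P<attrs>_[A-Z_]{4}) (?P<path>.+)$")

TRUSTED_PARENTS = ("c:\\program files", "c:\\windows")   # covers "Program Files (x86)" too
LOOKALIKE_WORDS = ("adobe", "adope", "flash", "google", "skype", "java", "update")


def triage(text):
    """Return (line, reason) pairs from an FRST log that deserve a second look."""
    findings = []
    for line in text.strip().splitlines():
        m = RUN_RE.match(line)
        if m:
            name, path = m.group("name"), m.group("path").strip()
            low = path.lower()
            # A scripting interpreter registered as a Run value is classic persistence.
            if low.endswith("autoit3.exe") and not low.startswith(TRUSTED_PARENTS):
                folder = path.rsplit("\\", 1)[0]
                findings.append((line, f"AutoIt interpreter autostarted from {folder}"))
            # Misspelt vendor names try to blend in with legitimate autostart entries.
            if any(w in name.lower() for w in LOOKALIKE_WORDS) and not low.startswith(TRUSTED_PARENTS):
                findings.append((line, f"vendor-lookalike Run value '{name}' outside Program Files/Windows"))
            continue
        m = DIR_RE.match(line)
        if m and "S" in m.group("attrs") and "H" in m.group("attrs"):
            path = m.group("path")
            if path.count("\\") == 1:  # directly under the drive root, e.g. C:\Skypee
                findings.append((line, f"system+hidden folder at drive root: {path}"))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_FRST_LINES):
        print(f"{reason}\n    {line}")
```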
Thank you for your response and your help.
As for the USB key, I used one ("my disinfection key with adwcl") which I formatted after the scan, and now it no longer opens ??!
After applying the fixlist and restarting, the AutoIt window no longer appears at startup, but MBAM still does not launch, which leads me to think that Skypee was not the cause.
Anyway, here is the content of the fix log:
Results of Farbar Recovery Scan Tool (x86) Version: 31-08-2016
Executed by user (10-09-2016 21:52:24) Run:1
Executed from C:\Users\user\Desktop
Loaded profiles: user (Available profiles: user)
Boot mode: Normal
==============================================
fixlist content:
CreateRestorePoint:
CloseProcesses:
HKU\S-1-5-21-3033668385-1626477122-1689226782-1000\...\Run: [AdopeFlash] => C:\Google\AutoIt3.exe [750320 2012-01-29] (AutoIt Team)
2016-09-10 13:32 - 2015-05-28 12:28 - 00000000 _RSHD C:\Skypee
2016-09-10 13:32 - 2015-05-28 12:27 - 00000000 _RSHD C:\Google
2016-09-09 20:25 - 2016-09-09 20:25 - 0000000 _____ () C:\Users\user\AppData\Local\{B7EFE336-9603-4F6E-8F4D-A343D057642E}
Hosts:
EmptyTemp:
RemoveProxy:
Reboot:
The restore point was successfully created.
Processes closed successfully.
HKU\S-1-5-21-3033668385-1626477122-1689226782-1000\Software\Microsoft\Windows\CurrentVersion\Run\\AdopeFlash => value successfully deleted
C:\Skypee => moved successfully
C:\Google => moved successfully
C:\Users\user\AppData\Local\{B7EFE336-9603-4F6E-8F4D-A343D057642E} => moved successfully
"C:\Windows\System32\Drivers\etc\hosts" => Unable to move.
Unable to restore Hosts.
========= RemoveProxy: =========
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value successfully deleted
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value successfully deleted
HKU\S-1-5-21-3033668385-1626477122-1689226782-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value successfully deleted
HKU\S-1-5-21-3033668385-1626477122-1689226782-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value successfully deleted
========= End of RemoveProxy: =========
=========== EmptyTemp: ==========
BITS transfer queue => 8388608 B
DOMStoree, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 27211233 B
Java, Flash, Steam htmlcache => 0 B
Windows/system/drivers => 232674873 B
Edge => 0 B
Chrome => 217798596 B
Firefox => 0 B
Opera => 0 B
Temp, IE cache, history, cookies, recent:
Default => 0 B
Public => 0 B
ProgramData => 0 B
systemprofile => 166340 B
LocalService => 66775 B
NetworkService => 67785 B
user => 711337352 B
RecycleBin => 0 B
EmptyTemp: => 1.1 GB of temporary data deleted.
================================
The system had to restart.
End of Fixlog 21:53:33
A big thank you by the way.
Kind regards
After several unsuccessful launches of MBAM Chameleon, I did an MBAM clean and reinstalled the free version.
It works, and after scanning, several vulnerabilities were found and fixed; here is the result in a txt file:
https://pjjoint.malekal.com/files.php?id=20160911_y8d5w5y15k10
Hoping this will put an end to this ordeal
Thank you again for taking your time