Remove PUP application from DVD Drive (F:) CDROM


  1. Posts : 60
    Windows 10 32-bit x 64 processor
       #1

    Hello:

    I wanted to download a manual from a website, but when I tried to open the folder my DVD Drive F: CDROM had it as an application (.exe) showing a description of the properties in the image included below. I do not have anything in this (external) drive (CD/DVD) for it to exist there, nor did I want to save it. I scanned it with Avast before doing anything, and it came up as a PUP. How do I properly remove this .exe application from my computer? What will it do, possibly, to my F Drive sitting there?

    I feel like an idiot, which is why I come to you before I end up being an idiot for trying to remove this .exe from my Drive F:

    Properties:
    Type of file: Application (.exe)

    [Attached image: screenhunter_01-aug.-03-22.46.gif]

    You always helped me in SevenForums and trust only you for valid solutions. Thank you for your help!
    Last edited by myrnsterMash; 04 Aug 2016 at 12:59. Reason: Clarity


  2. Posts : 2,935
    Windows 10 Home x64
       #2

    I don't understand one thing: cd/dvd media are usually not writeable. You should upload that executable file to VirusTotal - Free Online Virus, Malware and URL Scanner


  3. Posts : 16,325
    W10Prox64
       #3

    myrnsterMash said:
    Hello:

    I wanted to download a manual from a website, but when I tried to open the folder my DVD Drive F: CDROM had it as an application (.exe) showing a description of the properties in the image included below. I do not have anything in this (external) drive (CD/DVD) for it to exist there, nor did I want to save it. I scanned it with Avast before doing anything, and it came up as a PUP. How do I properly remove this .exe application from my computer? What will it do, possibly, to my F Drive sitting there?

    I feel like an idiot, which is why I come to you before I end up being an idiot for trying to remove this .exe from my Drive F:

    Properties:
    Type of file: Application (.exe)

    [Attached image: screenhunter_01-aug.-03-22.46.gif]

    You always helped me in SevenForums and trust only you for valid solutions. Thank you for your help!
    That is strange. Have you tried right-clicking the optical drive in Explorer and selecting EJECT? When Avast flagged it as a PUP, were you able to have it quarantined then?

    If you're unable to do these things, please try running RKILL to disable whatever it is first, and then try to eject, or quarantine.


  4. Posts : 16,325
    W10Prox64
       #4

    Here's something I found on it.
    Pokemon_Soul_Silver_Randomizer_Download_downloader.exe Details. Is this file safe? Check the directory


    Malware scan of holy.exe (Systexploitation Microsoft Windows) 36b7abd44fdf7f48ad10f4c618560d380f8af290 - herdProtect

    https://www.virustotal.com/en/file/a...is/1458232948/

    In the comments tab on VirusTotal, it says this:
    Deepviz analysis

    result: #malware
    accuracy: 100.0%
    10 matched behavioural rules:
    Gathers system data
    Steals local browser data
    Binds network port
    ...
    More info at Deepviz - Analyze

    #dridex dropped by this https://www.virustotal.com/en/file/2...0bda/analysis/


    I think, if you have Malwarebytes Antimalware on the system (free version is fine), you should be able to get rid of it that way. Just be sure to go into settings and check the box to scan for rootkits, then do a complete scan of your system drive, as well as your optical drive.

    ----------------------
    Reading a little more on the executable Holy.exe makes me ask - what format was that document in that you downloaded? Word/Excel/RTF? If it was any of these, the chances are high that there was a malicious macro or embedded OLE Object which was executed. This may be the beginning of the Dridex Banking Trojan. I hope that's not the case for you.
    Last edited by simrick; 05 Aug 2016 at 20:32.


  5. Posts : 60
    Windows 10 32-bit x 64 processor
    Thread Starter
       #5

    Hello:
    Thank you both for responding! I really do appreciate it. I did try right-clicking, and the "eject" option does not come up, only "mount" or "burn disc." Avast cannot do anything, meaning "repair," "quarantine," or "delete"; instead an "error" displays prompting me to run the Malwarebytes Anti-Malware scan. Thankfully, or so I thought, it was then quarantined. After restarting my laptop I decided to look for any evidence of its presence, and it is now in my C: Drive under Downloads, as an .iso file or Disc Image.

    What is your best suggestion? As of now, it does not cause any problems I can notice, but I want it gone. Should I run Malwarebytes again to, hopefully, resolve it, or is it pushing my luck?
    [Attached image: screenhunter_02-aug.-06-22.16.gif]
    Last edited by myrnsterMash; 07 Aug 2016 at 22:35. Reason: Insert image


  6. Posts : 16,325
    W10Prox64
       #6

    Please try running RKILL to disable any malicious activity on the system first, and then try to delete that ISO. If successful, go into your recycle bin and also delete it from there.

    Also, please answer my question: what format was that document in that you downloaded? Word/Excel/RTF? If it was any of these, the chances are high that there was a malicious macro or embedded OLE Object which was executed. This may be the beginning of the Dridex Banking Trojan. I hope that's not the case for you.

    I am inclined to have you run ADWCleaner now, after RKILL and deleting that ISO.
    Please post both logs - RKILL and ADWCleaner for us.


  7. Posts : 60
    Windows 10 32-bit x 64 processor
    Thread Starter
       #7

    Hi!

    Here is the RKill log, first:

    Rkill 2.8.4 by Lawrence Abrams (Grinler)
    BleepingComputer.com - News, Reviews, and Technical Support
    Copyright 2008-2016 BleepingComputer.com
    More Information about Rkill can be found at this link:
    RKill - What it does and What it Doesnt - A brief introduction to the program - Anti-Virus, Anti-Malware, and Privacy Software

    Program started at: 08/07/2016 10:37:00 PM in x86 mode.
    Windows Version: Windows 10 Home

    Checking for Windows services to stop:

    * No malware services found to stop.

    Checking for processes to terminate:

    * No malware processes found to kill.

    Checking Registry for malware related settings:

    * No issues found in the Registry.

    Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

    Performing miscellaneous checks:

    * Windows Defender Disabled

    [HKLM\SOFTWARE\Microsoft\Windows Defender]
    "DisableAntiSpyware" = dword:00000001

    Checking Windows Service Integrity:

    * b06bdrv [Missing Service]
    * ebdrv [Missing Service]
    * iaLPSSi_GPIO [Missing Service]
    * iaLPSSi_I2C [Missing Service]
    * ibbus [Missing Service]
    * ksthunk [Missing Service]
    * mlx4_bus [Missing Service]
    * ndfltr [Missing Service]
    * PerfHost [Missing Service]
    * vpci [Missing Service]
    * WinMad [Missing Service]
    * WinVerbs [Missing Service]

    * NetTcpPortSharing => %systemroot%\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe [Incorrect ImagePath]

    * PrintNotify => C:\WINDOWS\system32\spool\drivers\W32X86\3\PrintConfig.dll [Incorrect ServiceDLL]

    Searching for Missing Digital Signatures:

    * No issues found.

    Checking HOSTS File:

    * No issues found.

    Program finished at: 08/07/2016 10:40:35 PM
    Execution time: 0 hours(s), 3 minute(s), and 35 seconds(s)


  8. Posts : 3,502
    Win_8.1-Pro, Win_10.1607-Pro, Mint_17.3
       #8

    Just a thought:

    If Macro protection is on in MSO, then myrnsterMash should know if she answered the allow prompt. I think it's on by default.

    The ISO was mounted and became the F: drive (original post)??
    A This PC window or Disk Management would have helped. It still might be useful to have something showing the F: drive, although if the ISO was mounted first as F: and then the ext optical drive was connected as another letter, myrnsterMash might have mis-diagnosed the issue (habit expecting F: to be the ext OD, and a mounted ISO looking like an OD).

    The ISO in Downloads should be deleted.

    Yes, run RKill, AdwCleaner (always download a fresh version), and Full scan Malwarebytes (settings>rootkits =yes) AND Full scan Avast

    Please post the logs ... I see that you already ran RKill ... 3 more tools
    Make sure all virus definitions and AV programs/tools are up-to-date


  9. Posts : 16,325
    W10Prox64
       #9

    Full scan in Avast, yes, but it will require you to set it up to scan archives, as not all archives are selected by default. I just went through this with a malicious attachment on a machine, which was caught by Windows Defender, but NOT by Avast with default settings. It was a ZIP file containing malicious JavaScript waiting to execute; a Trojan downloader which would bring in encryption malware and data-stealing software, and a possible DDoS botnet. The zip file was named task_0000880355.zip and the file inside it was named task_0000880355.doc.js. I don't believe there would be any user interaction needed to get that thing to execute.

    But it appears the OP was having difficulty with Avast in trying to get rid of it in the first place.

    p.s. RKILL log looks okay.
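The ZIP-with-script attachment described in the post above, as an added detection example that is not part of the thread: it lists archive members that would run directly on double-click, flags double extensions such as .doc.js, and shows the name Explorer would display with "Hide extensions for known file types" on. The archive, its member names and both extension lists are constructed for the example, not taken from the real attachment.

```python
import io
import zipfile

# Extensions Windows runs directly when double-clicked (script hosts, PE
# executables, shell commands). Assumed list for this example, not exhaustive.
EXECUTABLE_EXT = {"js", "jse", "vbs", "vbe", "wsf", "wsh", "hta", "exe", "scr",
                  "com", "pif", "bat", "cmd", "ps1", "lnk"}
# Benign-looking extensions that get placed in front of the real one.
DECOY_EXT = {"doc", "docx", "xls", "xlsx", "pdf", "txt", "rtf", "jpg", "png", "zip"}


def explorer_display_name(name):
    """Name as shown with 'Hide extensions for known file types' enabled:
    the last extension is dropped, so task.doc.js is displayed as task.doc.
    Assumption: every extension in the two sets above counts as 'known'."""
    base = name.rsplit("/", 1)[-1]
    if "." not in base:
        return base
    stem, ext = base.rsplit(".", 1)
    return stem if ext.lower() in EXECUTABLE_EXT | DECOY_EXT else base


def suspicious_entries(zip_bytes):
    """Return (member name, displayed name, reason) for each archive member
    that is directly executable, noting when it hides behind a decoy extension."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            parts = info.filename.rsplit("/", 1)[-1].lower().split(".")
            last = parts[-1] if len(parts) > 1 else ""
            if last not in EXECUTABLE_EXT:
                continue
            reason = f"executable/script member (.{last})"
            if len(parts) > 2 and parts[-2] in DECOY_EXT:
                reason = f"double extension: looks like .{parts[-2]}, runs as .{last}"
            findings.append((info.filename, explorer_display_name(info.filename), reason))
    return findings


def build_sample_archive():
    """Constructed sample mirroring the attachment described in the thread: a zip
    whose payload is a JavaScript file named like a Word document. The script body
    is a placeholder comment, not a real downloader."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("task_0000880355.doc.js", "// placeholder body for the example\n")
        zf.writestr("readme.txt", "harmless text member, should not be flagged\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, shown, why in suspicious_entries(build_sample_archive()):
        print(f"{name} (Explorer shows {shown!r}): {why}")
```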


  10. Posts : 60
    Windows 10 32-bit x 64 processor
    Thread Starter
       #10

    Hello, again:

    Here is the AdwCleaner log (after deleting the .iso in my Downloads and the Recycle Bin). I have to ask if I am to "Clean" all of these items listed, because I am pretty sure it is all preexistent to this "holy.exe/.iso" crap. I have no problem in cleaning out unnecessary junk, especially if the pros outweigh the cons significantly, or there are no cons associated with "cleaning." I fear it could affect programs using some of the same applications.

    To answer your question regarding the download format, it was not specified (yes, I know...stooopid). The link is labeled with the manual I wanted to open (i.e. 1964 Chevy SS), with no extension. I knew it before clicking on that link not to do it, but....... I am hoping by not furthering my stupidity in opening it saved me, but too early to tell, I am guessing. I am including the url for the download here:

    http://us1.springfile.org/how_to_rem...downloader.exe

    What do you know...an .exe file! Ugh... if I had seen this description I would never have considered it. I went to my browser's downloads log (showing the shortened description), right-clicked it, and was given the option to report it. When I clicked it, it opened the Microsoft page showing the full url. There you have it. Thanks again sooooo much! Could you please let me know anything you find out about this? Do not forget to tell me whether I should "Clean" what ADW Cleaner suggested. You are the Best!


    # AdwCleaner v5.201 - Logfile created 07/08/2016 at 22:49:55
    # Updated 30/06/2016 by ToolsLib
    # Database : 2016-08-07.1 [Server]
    # Operating system : Windows 10 Home (X86)
    # Username : MyrnaZ - MYRNAZ-HP
    # Running from : C:\Users\MyrnaZ\Downloads\adwcleaner_5.201.exe
    # Option : Scan
    # Support : ToolsLib - Forum: Ask for help or share your experience.

    ***** [ Services ] *****

    Service Found : YahooAUService

    ***** [ Folders ] *****

    Folder Found : C:\Users\Public\Documents\Speedbit
    Folder Found : C:\Program Files\DAP
    Folder Found : C:\Users\MyrnaZ\AppData\LocalLow\Yahoo!\Companion

    ***** [ Files ] *****


    ***** [ DLL ] *****


    ***** [ WMI ] *****


    ***** [ Shortcuts ] *****


    ***** [ Scheduled tasks ] *****


    ***** [ Registry ] *****

    Key Found : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{7D2B3E1D-D096-4594-9D8F-A6667F12E0AC}
    Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\bopakagnckmlgajfccecajhnimjiiedh
    Key Found : HKLM\SOFTWARE\Classes\AniGIFCtrl.AniGIF
    Key Found : HKLM\SOFTWARE\Classes\AniGIFPpg.AniGIFPpg
    Key Found : HKLM\SOFTWARE\Classes\AniGIFPpg.AniGIFPpg.1
    Key Found : HKLM\SOFTWARE\Classes\AniGIFPpg2.AniGIFPpg2
    Key Found : HKLM\SOFTWARE\Classes\AniGIFPpg2.AniGIFPpg2.1
    Key Found : HKLM\SOFTWARE\Classes\protector_dll.Protector
    Key Found : HKLM\SOFTWARE\Classes\protector_dll.Protector.1
    Key Found : HKLM\SOFTWARE\Classes\protector_dll.ProtectorBho
    Key Found : HKLM\SOFTWARE\Classes\protector_dll.ProtectorBho.1
    Key Found : HKLM\SOFTWARE\Classes\protector_dll.ProtectorLib
    Key Found : HKLM\SOFTWARE\Classes\protector_dll.ProtectorLib.1
    Key Found : HKLM\SOFTWARE\Classes\Sample.BrowserHandler
    Key Found : HKLM\SOFTWARE\Classes\Sample.BrowserHandler.1
    Key Found : HKLM\SOFTWARE\Classes\Sample.YTBPartnerSample
    Key Found : HKLM\SOFTWARE\Classes\Sample.YTBPartnerSample.1
    Key Found : HKLM\SOFTWARE\Classes\YBrowserToolbar.YBrowserToolbar
    Key Found : HKLM\SOFTWARE\Classes\YBrowserToolbar.YBrowserToolbar.1
    Key Found : HKLM\SOFTWARE\Classes\AppID\{7375D127-3955-4654-8E7D-1949A7A9C902}
    Key Found : HKLM\SOFTWARE\Classes\CLSID\{058F0E48-61CA-4964-9FBA-1978A1BB060D}
    Key Found : HKLM\SOFTWARE\Classes\CLSID\{18F33C35-8EF2-40D7-8BA4-932B0121B472}
    Key Found : HKLM\SOFTWARE\Classes\CLSID\{61AB12E1-A5FF-11D1-B2E9-444553540000}
    Key Found : HKLM\SOFTWARE\Classes\CLSID\{82351441-9094-11D1-A24B-00A0C932C7DF}
    Key Found : HKLM\SOFTWARE\Classes\CLSID\{6DC82D15-92F2-11D1-A255-00A0C932C7DF}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{371AD4A5-1520-4AA2-A8A4-F9AD3BAC6957}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{7F124846-5453-4BB8-A41D-E11481FFC9DF}
    Key Found : HKLM\SOFTWARE\Classes\Interface\{8FD65019-BF09-45DA-AD81-E95AE911F1FD}
    Key Found : HKLM\SOFTWARE\Classes\TypeLib\{82351433-9094-11D1-A24B-00A0C932C7DF}
    Key Found : HKLM\SOFTWARE\Classes\TypeLib\{F6C2BABA-9E4C-425F-9AEC-24AB8F2B640D}
    Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
    Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
    Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
    Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
    Key Found : HKCU\Software\Softonic
    Key Found : HKCU\Software\SpeedBit
    Key Found : HKCU\Software\Yahoo\Companion
    Key Found : HKCU\Software\Yahoo\YFriendsBar
    Key Found : HKCU\Software\YahooPartnerToolbar
    Key Found : HKCU\Software\AppDataLow\Software\Yahoo\Companion
    Key Found : HKLM\SOFTWARE\SpeedBit
    Key Found : HKLM\SOFTWARE\Yahoo\Companion
    Key Found : HKU\.DEFAULT\Software\SpeedBit
    Key Found : HKU\S-1-5-21-2048041476-2006749296-819459500-1005\Software\Softonic
    Key Found : HKU\S-1-5-21-2048041476-2006749296-819459500-1005\Software\SpeedBit
    Key Found : HKU\S-1-5-21-2048041476-2006749296-819459500-1005\Software\Yahoo\Companion
    Key Found : HKU\S-1-5-21-2048041476-2006749296-819459500-1005\Software\Yahoo\YFriendsBar
    Key Found : HKU\S-1-5-21-2048041476-2006749296-819459500-1005\Software\YahooPartnerToolbar
    Key Found : HKU\S-1-5-21-2048041476-2006749296-819459500-1005\Software\AppDataLow\Software\Yahoo\Companion
    Key Found : HKCU\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2048041476-2006749296-819459500-1005\Software\SpeedBit
    Key Found : HKU\S-1-5-18\Software\SpeedBit
    Value Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes [DoNotAskAgain]
    Value Found : HKU\S-1-5-21-2048041476-2006749296-819459500-1005\Software\Microsoft\Internet Explorer\SearchScopes [DoNotAskAgain]
    Key Found : HKCU\Software\Microsoft\Internet Explorer\DOMStorage\speedbit.com
    Key Found : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\akamaihd.net
    Key Found : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\azlyrics.com
    Key Found : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\speedbit.com
    Key Found : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\AZLyrics - Song Lyrics from A to Z

    ***** [ Web browsers ] *****

    [C:\Users\MyrnaZ\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Found : aol.com
    [C:\Users\MyrnaZ\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Found : ask.com

    *************************

    C:\AdwCleaner\AdwCleaner[S1].txt - [5410 bytes] - [07/08/2016 22:49:55]

    ########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [5483 bytes] ##########


Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd