Question Lnk file malware?

berseker_96

Honorable
Nov 18, 2018
30
0
10,530
Every time I start my computer, avast detects an infected file, bill.lnk, located in C:\Desktop-DD7435Q. The file is not showing on the desktop or in the explorer. I always click on remove it, but it appears again and again when restarting.

Following the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\lnk, I've seen that I think I should see a subkey named "UserChoice", which I don't have.
The threat is an "Au3Runner-A" according to Avast. I'm looking into that but I can't find the meaning of it anywhere.

I also found these two files on recent files, but they do not appear on the desktop, where they should be. I can't delete them.
View: https://imgur.com/GTJs0xB
View: https://imgur.com/6FYM6DJ
View: https://imgur.com/3VyIafd


How do I completely delete it? Or is it not harmful?
 
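A shortcut that comes back after every reboot is being re-created by something that runs at logon, so the useful check is to see what the .lnk actually points to and which autostart mechanisms reference it. The script below is an added example (not from this thread, not Avast or HitmanPro code); it resolves the target, arguments and working directory of the reported shortcut and of every .lnk in the per-user and all-users Startup folders and on the Desktop, then lists the Run/RunOnce keys, scheduled-task actions that launch a .lnk or something under a user profile, and the FileExts\.lnk key from the post (the full key name has a leading dot). The suspect path is taken from the post; everything else is a generic inspection with no assumptions about what Au3Runner-A is.

```powershell
# Added example, not from the thread. Read-only inspection of a recurring .lnk
# and the usual logon-time launch points. Run from an elevated PowerShell prompt.

$suspect = 'C:\Desktop-DD7435Q\bill.lnk'   # path as reported in the post
$shell   = New-Object -ComObject WScript.Shell

function Get-ShortcutInfo {
    param([Parameter(Mandatory)][string]$Path)
    # Resolve what the shortcut runs instead of trusting its name or icon
    $lnk = $shell.CreateShortcut($Path)
    $attrs = (Get-Item -LiteralPath $Path -Force).Attributes
    [pscustomobject]@{
        Shortcut   = $Path
        Target     = $lnk.TargetPath
        Arguments  = $lnk.Arguments
        WorkingDir = $lnk.WorkingDirectory
        Hidden     = [bool]($attrs -band [IO.FileAttributes]::Hidden)
        Modified   = (Get-Item -LiteralPath $Path -Force).LastWriteTime
    }
}

if (Test-Path -LiteralPath $suspect) {
    Write-Host "== Reported shortcut =="
    Get-ShortcutInfo -Path $suspect | Format-List
}

# Folders where a shortcut dropped per logon is normally launched from.
# -Force includes hidden files, which is how a .lnk can exist without showing on the Desktop.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup'),
    [Environment]::GetFolderPath('Desktop')
)
Write-Host "== Shortcuts in Startup / Desktop folders =="
foreach ($dir in $startupDirs) {
    Get-ChildItem -LiteralPath $dir -Filter *.lnk -Force -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ShortcutInfo -Path $_.FullName } | Format-List
}

# Run / RunOnce keys: anything listed here executes at logon.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
Write-Host "== Run / RunOnce entries =="
foreach ($k in $runKeys) {
    if (Test-Path $k) {
        Get-ItemProperty -Path $k |
            Select-Object * -ExcludeProperty PS* | Format-List
    }
}

# Scheduled tasks whose action launches a .lnk or something under a user profile
# (writable locations are where a re-created shortcut usually lives).
Write-Host "== Scheduled tasks launching a .lnk or a user-profile path =="
Get-ScheduledTask | Where-Object {
    $_.Actions.Execute -match '\.lnk$|\\Users\\|AppData'
} | Select-Object TaskName, TaskPath,
        @{ n = 'Execute';   e = { $_.Actions.Execute } },
        @{ n = 'Arguments'; e = { $_.Actions.Arguments } } | Format-List

# The FileExts key from the post. A UserChoice subkey here would mean the default
# handler for shortcuts has been changed; its absence is the normal state.
$fileExts = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.lnk'
Write-Host "== $fileExts =="
Get-ChildItem -Path $fileExts -ErrorAction SilentlyContinue | Format-List
```

Read the Target and Arguments columns first: a shortcut whose target is a script interpreter or an executable under AppData, Temp or another user-writable folder, launched from Startup or a Run key, is what keeps re-creating the file Avast flags, and that launcher entry is what needs to go, not just the .lnk.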

berseker_96

Hey Man,

To find and remove the malware can I ask the following;

download HitmanPro and run a scan, Please either post logs below or PM me and I can assist further :)

https://www.hitmanpro.com/en-us.aspx

Hi, thanks for the reply first of all. I ran the program and this is the log I got:

Code:
HitmanPro 3.8.15.306
www.hitmanpro.com

   Computer name . . . . : DESKTOP-DD7435Q
   Windows . . . . . . . : 10.0.0.17763.X64/12
   User name . . . . . . : DESKTOP-DD7435Q\Juanfran
   UAC . . . . . . . . . : Enabled
   License . . . . . . . : Trial (31 days left)

   Scan date . . . . . . : 2019-09-01 17:28:27
   Scan mode . . . . . . : Normal
   Scan duration . . . . : 7m 0s
   Disk access mode  . . : Direct disk access (SRB)
   Cloud . . . . . . . . : Internet
   Reboot  . . . . . . . : Yes

   Threats . . . . . . . : 0
   Traces  . . . . . . . : 42

   Objects scanned . . . : 2.483.557
   Files scanned . . . . : 99.459
   Remnants scanned  . . : 831.302 files / 1.552.796 keys

Potential Unwanted Programs _________________________________________________

   HKLM\SOFTWARE\Classes\Software.OneClickProcessLauncherMachine.1.0\ (BoxoreOU) -> Deleted
   HKLM\SOFTWARE\Classes\Software.OneClickProcessLauncherMachine\ (BoxoreOU) -> Deleted
   HKU\S-1-5-21-3911303513-809247871-279957351-1001\Software\ProductSetup\1I1T1Q1S\ (TreasureTrack) -> Deleted

Cookies _____________________________________________________________________

   C:\Users\NitroPC\AppData\Local\Google\Chrome\User Data\Default\Cookies:addthis.com
   C:\Users\NitroPC\AppData\Local\Google\Chrome\User Data\Default\Cookies:adnxs.com
   C:\Users\NitroPC\AppData\Local\Google\Chrome\User Data\Default\Cookies:adobe.tt.omtrdc.net
   C:\Users\NitroPC\AppData\Local\Google\Chrome\User Data\Default\Cookies:adsrvr.org
   C:\Users\NitroPC\AppData\Local\Google\Chrome\User Data\Default\Cookies:adsymptotic.com
   C:\Users\NitroPC\AppData\Local\Google\Chrome\User Data\Default\Cookies:advertising.com
   C:\Users\NitroPC\AppData\Local\Google\Chrome\User Data\Default\Cookies:agkn.com
   C:\Users\NitroPC\AppData\Local\Google\Chrome\User Data\Default\Cookies:bidswitch.net
   C:\Users\NitroPC\AppData\Local\Google\Chrome\User Data\Default\Cookies:bluekai.com
   C:\Users\NitroPC\AppData\Local\Google\Chrome\User Data\Default\Cookies:casalemedia.com
   C:\Users\NitroPC\AppData\Local\Google\Chrome\User Data\Default\Cookies:demdex.net
   C:\Users\NitroPC\AppData\Local\Google\Chrome\User Data\Default\Cookies:dpm.demdex.net
   C:\Users\NitroPC\AppData\Local\Google\Chrome\User Data\Default\Cookies:everesttech.net
   C:\Users\NitroPC\AppData\Local\Google\Chrome\User Data\Default\Cookies:krxd.net
   C:\Users\NitroPC\AppData\Local\Google\Chrome\User Data\Default\Cookies:lijit.com
   C:\Users\NitroPC\AppData\Local\Google\Chrome\User Data\Default\Cookies:mathtag.com
   C:\Users\NitroPC\AppData\Local\Google\Chrome\User Data\Default\Cookies:mmstat.com
   C:\Users\NitroPC\AppData\Local\Google\Chrome\User Data\Default\Cookies:openx.net
   C:\Users\NitroPC\AppData\Local\Google\Chrome\User Data\Default\Cookies:pubmatic.com
   C:\Users\NitroPC\AppData\Local\Google\Chrome\User Data\Default\Cookies:rlcdn.com
   C:\Users\NitroPC\AppData\Local\Google\Chrome\User Data\Default\Cookies:rubiconproject.com
   C:\Users\NitroPC\AppData\Local\Google\Chrome\User Data\Default\Cookies:scorecardresearch.com
   C:\Users\NitroPC\AppData\Local\Google\Chrome\User Data\Default\Cookies:skimresources.com
   C:\Users\NitroPC\AppData\Local\Google\Chrome\User Data\Default\Cookies:w55c.net
   C:\Users\NitroPC\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\0Z3OQE18\ad.wease[1].xml
   C:\Users\NitroPC\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\0Z3OQE18\ads.pubmatic[1].xml
   C:\Users\NitroPC\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\0Z3OQE18\cdn.w55c[1].xml
   C:\Users\NitroPC\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\0Z3OQE18\widgets.outbrain[1].xml
   C:\Users\NitroPC\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\QQTY53OG\cdn.krxd[1].xml
   C:\Users\NitroPC\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\QQTY53OG\connexity[1].xml
   C:\Users\NitroPC\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\QQTY53OG\ib.adnxs[1].xml
   C:\Users\NitroPC\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\TL10BMAC\ads.pubmatic[1].xml
   C:\Users\NitroPC\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\TL10BMAC\cdn.flashtalking[1].xml
   C:\Users\NitroPC\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\TL10BMAC\connexity[1].xml
   C:\Users\NitroPC\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\TL10BMAC\secure-ds.serving-sys[1].xml
   C:\Users\NitroPC\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\TL10BMAC\widgets.outbrain[1].xml
   C:\Users\NitroPC\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\YW2E3GHN\a8230037.cdn.optimizely[1].xml
   C:\Users\NitroPC\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\YW2E3GHN\ams1-ib.adnxs[1].xml
   C:\Users\NitroPC\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\YW2E3GHN\secure-assets.rubiconproject[1].xml
 

berseker_96

Okay, so after running that and deleting some of the infected files, avast hasn't detected that lnk again after restarting multiple times. I'll keep watching, but this found / deleted something that other programs have not.