DMR_72

[TylerDoom]

Hello. I was trying to rename folders in my Steam directory tonight, and it would not allow me to do so. It kept saying this program is in use by another program. I tried different folders and they all said the same thing. (this was after a fresh boot, and also a reboot as well)

  So I ran Malwarebytes, and it found a few things containing the name "DMR_72"

After malwarebytes requested to reset in order to remove these items, the system froze in the reset screen.

This PC has Win 10 Home 64-bit. I wondering what this might be, and how serious it is, and mainly, how to get rid of it. Also thank you in advance for your time and assistance.

Here are my logs:

# AdwCleaner v6.045 - Logfile created 07/04/2017 at 03:04:19
# Updated on 28/03/2017 by Malwarebytes
# Database : 2017-04-06.1 [Server]
# Operating System : Windows 10 Home  (X64)
# Username : Ty - DESKTOP-3MSCKH3
# Running from : C:\Users\Ty\Downloads\adwcleaner_6.045.exe
# Mode: Scan
# Support : https://www.malwarebytes.com/support



***** [ Services ] *****

No malicious services found.


***** [ Folders ] *****

Folder Found:  C:\ProgramData\7123ed67-e5b9-4e86-8b46-0c748f950470
Folder Found:  C:\ProgramData\cb15a1f9-9e36-4b79-94b6-0a2851eb4b09


***** [ Files ] *****

No malicious files found.


***** [ DLL ] *****

No malicious DLLs found.


***** [ WMI ] *****

No malicious keys found.


***** [ Shortcuts ] *****

No infected shortcut found.


***** [ Scheduled Tasks ] *****

No malicious task found.


***** [ Registry ] *****

No malicious registry entries found.


***** [ Web browsers ] *****

No malicious Firefox based browser items found.
Chrome pref Found:  [C:\Users\Ty\AppData\Local\Google\Chrome\User Data\Default\Web data] - ask.com
Chrome pref Found:  [C:\Users\Ty\AppData\Local\Google\Chrome\User Data\Default\Web data] - aol.com

*************************

C:\AdwCleaner\AdwCleaner[S0].txt - [1250 Bytes] - [07/04/2017 03:04:19]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [1323 Bytes] ##########

_______________________________________ _______________________________________ ____



Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 4/7/17
Scan Time: 2:24 AM
Logfile: Report.txt
Administrator: Yes

-Software Information-
Version: 3.0.6.1469
Components Version: 1.0.75
Update Package Version: 1.0.1678
License: Trial

-System Information-
OS: Windows 10
CPU: x64
File System: NTFS
User: DESKTOP-3MSCKH3\Ty

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 354857
Time Elapsed: 3 min, 8 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 4
Adware.ChinAd, C:\Users\Ty\AppData\Local\Temp\DMR\Downloads\3676090eded622c6bec547ed78bdf6d1\c37ff6dd7df8841c70cfbd03737e777f, Quarantined, [1044], [375557],1.0.1678
Adware.ChinAd, C:\Users\Ty\AppData\Local\Temp\DMR\Downloads\3676090eded622c6bec547ed78bdf6d1, Quarantined, [1044], [375557],1.0.1678
Adware.ChinAd, C:\Users\Ty\AppData\Local\Temp\DMR\Downloads, Quarantined, [1044], [375557],1.0.1678
Adware.ChinAd, C:\USERS\TY\APPDATA\LOCAL\TEMP\DMR, Quarantined, [1044], [375557],1.0.1678

File: 3
PUP.Optional.DownloadSponsor, C:\USERS\TY\APPDATA\LOCAL\TEMP\DMR\DMR_72.EXE, Quarantined, [467], [369859],1.0.1678
Adware.ChinAd, C:\USERS\TY\APPDATA\LOCAL\TEMP\DMR\PMFOBQRXILDMQXYX.DAT, Quarantined, [1044], [375557],1.0.1678
Adware.ChinAd, C:\Users\Ty\AppData\Local\Temp\DMR\Downloads\3676090eded622c6bec547ed78bdf6d1\c37ff6dd7df8841c70cfbd03737e777f\qbittorrent_3.3.10_setup.exe, Quarantined, [1044], [375557],1.0.1678

Physical Sector: 0
(No malicious items detected)


(end)


_______________________________________ _______________________________________ ____


 Results of screen317's Security Check version 1.014 --- 12/23/15 
   x64 (UAC is enabled) 
 Internet Explorer 11 
``````````````Antivirus/Firewall Check:``````````````[/u]
 Windows Firewall Enabled! 
Windows Defender   
 WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````[/u]
 Google Chrome (57.0.2987.133)
 Google Chrome (SetupMetrics...)
````````Process Check: objlist.exe by Laurent````````[/u] 
 Windows Defender MSMpEng.exe
 Malwarebytes Anti-Malware mbamservice.exe 
 Malwarebytes Anti-Malware mbamtray.exe 
 Windows Defender MSASCuiL.exe   
 Windows Defender MpCmdRun.exe   
`````````````````System Health check`````````````````[/u]
 Total Fragmentation on Drive C:  %
````````````````````End of Log``````````````````````[/u]

[SuperDave]

Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
*************************************************************************

this was after a fresh boot, and also a reboot as well)

What does this mean?
**********************************************
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and Download and Execute files

Read this article: Danger: Remote Access Trojans.

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay and forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one! If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach.

I would counsel you to disconnect this PC from the Internet immediately.

Though the Trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall?

We can attempt to clean this machine but i can't guarantee that it will be 100% secure afterwards.

Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post

[TylerDoom]

Hello again superdave. Pardon my typing, as it's done on a phone atm. What I meant about the folders "being in use after reboot", was that as soon I started the computer, I tried to rename the folders and they did that. No programs of mine were running or using the folders.

  Now what I hope I can do is, save my computer. It's still under warranty,  if that helps. Also, I will do anything I can. Is it possible to get a new HD and do a clean install of windows while saving my windows key? If not, I will do what you feel is best in order for me to save this pc. Its only a few months old and it's my main machine and was bought with my tax refund. I hope I can save this pc.

  The pc still functions normally, can access Internet, and run things fine. I have disconnected it from Internet access, as well as shut it off. I have changed passwords to all accounts I used on that pc as well. I await your advice, and thank you ahead of time for anything you can do to help me.

[TylerDoom]

Also, I checked with the Dell site. There is a recovery image available for my specific model.

[SuperDave]

Is it possible to get a new HD and do a clean install of windows while saving my windows key? If not, I will do what you feel is best in order for me to save this pc. Its only a few months old and it's my main machine and was bought with my tax refund. I hope I can save this pc.

You just have to save your important data to memory sticks or CD/DVD's and run the Recovery.If you buy another hard drive you won't be able to run the Recovery.

[TylerDoom]

Ok, another question. Will a Dell recover to factory settings clear out my HD the same way?

[SuperDave]

Ok, another question. Will a Dell recover to factory settings clear out my HD the same way?

Yes, it will be just the first day you had your computer.

[TylerDoom]

OK, the pc has been restored with the factory image. Now is there anything I can do to check if there is anything still on the pc?

[SuperDave]

You can run these scans although they will most likely come up empty.
*************************************************************************
Please download AdwareCleaner onto your Desktop. AdwCleaner

Before starting AdwCleaner, close all open programs and internet browsers, then double-click on the AdwCleaner icon.



If Windows prompts you as to whether or not you wish to run AdwCleaner, please allow it to run.
When the AdwCleaner program will open, click on the Scan button as shown below.



AdwCleaner will now start to search for malicious files that may be installed on your computer.
To remove the files that were detected in the previous step, please click on the Clean button.



AdwCleaner will now prompt you to save any open files or data as the program will need to reboot the computer. Please do so and then click on the OK button. AdwCleaner will now delete all detected adware from your computer. When it is done it will display an alert that explains what PUPs (Potentially Unwanted Programs) and Adware are. Please read through this information and then press the OK button. You will now be presented with an alert that states AdwCleaner needs to reboot your computer.
Please click on the OK button to allow AdwCleaner reboot your computer.A log will be produced. Please copy and paste this log in your next reply.
*********************************************
Please download Malwarebytes Anti-Malware from here.
Double Click mbam-setup.exe to install the application.

• It should update automatically if the computer is connected to the internet.
• Click on Threat Scan and click on Scan Now.
  
• The scan may take some time to finish,so please be patient.
• When the scan is complete make sure all the infections have "quarantine" selected in the Action box.
  
• Click on "Apply actions" You may be asked to Restart your computer to completely remove the infections.
  
• When disinfection is completed you can click on "Copy to Clipboard".
  
• Paste the log in you next reply (CTRL+ V)

*************************************************
Please download Junkware Removal Tool to your desktop.

•Warning! Once the scan is complete JRT will shut down your browser with NO warning.

•Shut down your protection software now to avoid potential conflicts.

•Temporarily disable your Antivirus and any Antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

•Run the tool by double-clicking it. If you are using Windows Vista or Windows 7, right-click JRT and select Run as Administrator

•The tool will open and start scanning your system.

•Please be patient as this can take a while to complete depending on your system's specifications.

•On completion, a log (JRT.txt) is saved to your desktop and will automatically open.

•Copy and Paste the JRT.txt log into your next message.
**********************************************************
Download Security Check by screen317 from the following link and save it to your desktop.

Security Check

* Double-click Security Check.bat
* Follow the on-screen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt
* Post the contents of that document in your next reply.

Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.

[TylerDoom]

Back with the logs. AdwCleaner found some "Folders", and JRT found 2 things that are related to what seems to be Dell Software.

                                            Logs:

# AdwCleaner v6.045 - Logfile created 11/04/2017 at 18:41:12
# Updated on 28/03/2017 by Malwarebytes
# Database : 2017-04-11.1 [Server]
# Operating System : Windows 10 Home  (X64)
# Username : *censored* PC - DESKTOP-KNV7U1H
# Running from : C:\Users\*censored* PC\Downloads\AdwCleaner.exe
# Mode: Scan
# Support : https://www.malwarebytes.com/support



***** [ Services ] *****

No malicious services found.


***** [ Folders ] *****

Folder Found:  C:\ProgramData\9f70d2dc-e051-4b88-8c71-6ef42ac2ae65
Folder Found:  C:\ProgramData\e8a202e5-f4d0-4957-a384-7a8711596b28
Folder Found:  C:\ProgramData\f00245c4-9bed-4f80-bbdd-e6dac3a84f59


***** [ Files ] *****

No malicious files found.


***** [ DLL ] *****

No malicious DLLs found.


***** [ WMI ] *****

No malicious keys found.


***** [ Shortcuts ] *****

No infected shortcut found.


***** [ Scheduled Tasks ] *****

No malicious task found.


***** [ Registry ] *****

No malicious registry entries found.


***** [ Web browsers ] *****

No malicious Firefox based browser items found.
No malicious Chromium based browser items found.

*************************

C:\AdwCleaner\AdwCleaner[S0].txt - [1172 Bytes] - [11/04/2017 18:41:12]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [1245 Bytes] ##########
_______________________________________ _______________________________________ ______


Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 4/11/2017
Scan Time: 6:46 PM
Logfile: Mbam.txt
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2017.04.11.09
Rootkit Database: v2017.04.02.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 10
CPU: x64
File System: NTFS
User: *censored* PC

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 256882
Time Elapsed: 5 min, 12 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)


_______________________________________ _______________________________________ _____


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.1.3 (04.10.2017)
Operating System: Windows 10 Home x64
Ran by *censored* PC (Administrator) on Tue 04/11/2017 at 18:52:38.79
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




File System: 2

Successfully deleted: C:\WINDOWS\system32\Tasks\PCDEventLauncherTask (Task)
Successfully deleted: C:\WINDOWS\system32\Tasks\PCDoctorBackgroundMonitorTask (Task)



Registry: 0





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Tue 04/11/2017 at 18:53:35.81
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
_______________________________________ _______________________________________ __________________



 Results of screen317's Security Check version 1.014 --- 12/23/15 
   x64 (UAC is enabled) 
 Internet Explorer 11 
``````````````Antivirus/Firewall Check:``````````````[/u]
 Windows Firewall Enabled! 
Windows Defender   
 WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````[/u]
 Google Chrome (57.0.2987.133)
 Google Chrome (SetupMetrics...)
````````Process Check: objlist.exe by Laurent````````[/u] 
 Windows Defender MSMpEng.exe
 Windows Defender MpCmdRun.exe   
 Windows Defender msascuil.exe   
`````````````````System Health check`````````````````[/u]
 Total Fragmentation on Drive C:  %
````````````````````End of Log``````````````````````[/u]

[SuperDave]

I would say that you're good to go. Is there anything else?

[TylerDoom]

Seems all is well, Thank you so much for your help SuperDave. I really appreciate what you do here. Hopefully I won't be back. ;p

[SuperDave]

Click Start> Computer> right click the C Drive and choose Properties> enter
Click Disk Cleanup from there.



Click OK on the Disk Cleanup Screen.
Click Yes on the Confirmation screen.



This runs the Disk Cleanup utility along with other selections if you have chosen any. (if you had a lot System Restore points, you will see a significant change in the free space in C drive)
***************************************
This step will remove all cleaning tools we used, it'll reset restore points (so you won't get reinfected by accidentally using some older restore point) and it'll make some other minor adjustments...
This is a very crucial step so make sure you don't skip it.
Download DelFix by Xplode to your desktop. Delfix will delete all the used tools and logfiles.

Double-click Delfix.exe to start the tool.
Make sure the following items are checked:

• Activate UAC (optional; some users prefer to keep it off)
• Remove disinfection tools
• Create Registry backup
• Purge System Restore Points
• Re-set system settings

Now click "Run" and wait patiently.
Once finished a logfile will be created. You don't have to attach it to your next reply.
********************************************
I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.
Safe Surfing!

[TylerDoom]

I did both of those steps. Anything else SuperDave?

[SuperDave]

You're welcome. We are done unless you have something else. I will lock this thread. If you need it re-opened, please send me a pm.