
Android8888

Trusted Advisors
  • Posts: 713
Everything posted by Android8888

  1. Hello StaS. Please read the content of the topic "I'm infected - What do I do now?", perform the scans and attach the requested logs for review. We need to see those logs in order to help you. Thank you. Rui
  2. Hello starsKT. My screen name is Android8888 but if you wish you can call me Rui which is my real name. I will be helping you with your malware issues. Please ask questions if anything is unclear. I suggest printing out each set of instructions or copy them to a Notepad file and reading the entire post before proceeding. It will make following them easier.

     Please read the instructions carefully and follow the directions in the order listed. Please DO NOT run any tools on your own otherwise you can worsen the situation rather than solve it. Make sure to run all tools from the computer's Desktop and with Administrator privileges (i.e. right-click the tool icon and select Run as administrator). Please run one scan at a time. Once started the malware removal process has to be completed in order to ensure the success of the clean-up. Even if your computer appears to be running better after performing a first set of instructions, it may still be infected as some infections are difficult to remove and can leave remnants on the System. Please consider it clean and safe only when I declare it free of malware. With that being said let's start.

     Your System Restore is disabled. System Restore is an essential protection feature to your system in case you need to recover the system to a prior date. Please read the instructions on this link How to Enable System Restore in Windows 7 and enable it.

     Your Windows Firewall is disabled. The Windows Firewall is designed to keep your computer safe from outsiders by preventing any program from entering or exiting your computer via the Internet. Please read the instructions on this link How to Enable the Windows 7 Firewall and enable it.

     I noticed that you have Torrent installed. Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a wide variety of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. It is pretty much certain that if you continue to use P2P programs, you will get infected again. I would recommend that you uninstall Torrent, however that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Programs and Features. If you wish to keep it, please do not use it until your computer is cleaned.

     Next,
     • Open the Chrome browser;
     • Type chrome://extensions in the address bar and press Enter;
     • Click the trash can icon by the extensions below to completely remove them;
       BetterTTV
       Speed Dial 2
       Новая вкладка
     • A confirmation dialog appears, click Remove.

     Next, follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.
     • Download the attached fixlist.txt file, and save it on your Desktop (or wherever your FRST64.exe executable is located); DO NOT open or modify that file!
     • Right-click on the FRST executable and select Run as Administrator;
     • Click on the Fix button;
       Credits: Aura
     • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad;
     • Please attach the Fixlog.txt in your next reply;

     Next,
     • Open Malwarebytes;
     • On the left pane select Settings;
     • Select the Protection tab;
     • Scroll down to Scan Options and ensure Scan for Rootkits is on and leave all other settings to default.
     • Go back to DashBoard and select the blue Scan Now tab;
       Note: The scan may take some time to finish, so please be patient.
     • When the scan completes if potential threats are detected, ensure to checkmark all the listed items, and click the Quarantine Selected button.
     • While still on the Scan tab, click the View Report button, and in the window that opens click the Export button, select Text file (*.txt), give it a name and save it to your Desktop. The log can also be viewed by clicking the log to select it, then clicking the View Report button.
     • Please attach the log in your next reply.

     Next,
     • Download AdwCleaner and move it to your computer Desktop;
     • Right-click on AdwCleaner.exe and select Run as Administrator;
     • Accept the EULA (I accept), then click on Scan;
     • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Clean button;
     • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it;
     • After the restart, a log will open when logging in. Please attach that log in your next reply.

     After performing all the steps above please attach the following logs in your reply:
       Fixlog.txt
       Malwarebytes log.
       AdwCleaner clean log.

     How is the computer running at this point? Are you still having signs of CoinHive? Thank you. Rui
     fixlist.txt
  3. Hello aperfectmjk. Please read the instructions in this topic "I'm infected - What do I do now?" and attach the requested logs. We need to see those logs in order to help you. Thank you. Android8888
  4. You're most welcome. Come back whenever you need. If you run into more difficulty, we will certainly do what we can to help. Regards, Rui
  5. Okay Andyjig, I will keep this thread open for a couple of days and then, if nothing suspicious happens, we can close the topic. Please keep me posted. Rui
  6. You're welcome Andyjig! Okay, I don't see anything suspicious in the logs. Are there any questions, or is that all? Rui
  7. Hello Vicente. Yes, some infections, including rootkits, usually compromise the system and can cause damage that is difficult to repair. Are there any questions, or is that all? Rui
  8. Hello Andyjig. My screen name is Android8888 but if you wish you can call me Rui which is my real name. I will be helping you with your malware issues. Please ask questions if anything is unclear. Please read the instructions carefully and follow the directions in the order listed.

     Now, download Malwarebytes Anti-Rootkit BETA and save it to your computer Desktop.
     • Right-click on the icon and select Run as administrator to start the extraction of the program;
     • Click Yes to accept the security warning that may appear;
     • Click OK to extract it to your Desktop (MBAR will be launched shortly after the extraction);
     • Click on Next, and then on the Update button to let it update its database. Once the database has been successfully updated, click on Next;
     • Make sure all the checkboxes are checked, then click on the Scan button, and let it complete its scan (this can take a while);
     • Once the scan is done, if threats are found, make sure that every item is checked, and click on the Cleanup button (a reboot might be required);
     • After that (and the reboot, if one was required), go back in the mbar folder and look for a text file called mbar-log-TODAY'S-DATE.txt;
     • Please attach that log in your next reply for my review.

     Thank you. Rui
  9. Hello Vicente. I see in your logs signs of a rootkit infection. Please proceed with the instructions below.

     Download Malwarebytes Anti-Rootkit BETA and save it to your computer Desktop.
     • Right-click on the icon and select Run as administrator to start the extraction of the program;
     • Click Yes to accept the security warning that may appear;
     • Click OK to extract it to your Desktop (MBAR will be launched shortly after the extraction);
     • Click on Next, and then on the Update button to let it update its database. Once the database has been successfully updated, click on Next;
     • Make sure all the checkboxes are checked, then click on the Scan button, and let it complete its scan (this can take a while);
     • Once the scan is done, if threats are found, make sure that every item is checked, and click on the Cleanup button (a reboot might be required);
     • After that (and the reboot, if one was required), go back in the mbar folder and look for a text file called mbar-log-TODAY'S-DATE.txt;
     • Please attach that log in your next reply for my review.

     How is the system behaving at this point? Thank you. Rui
  10. Hello Vicente. I'll review your logs as soon as possible and I'll get in touch later. Thank you for your understanding. Rui
  11. Hi Elyzabeth. You're very welcome! I'm glad to hear that you were able to deal with the problem on your own. Yes, you thought and did well. Chromium is an open-source Web browser project started by Google but that does not mean that it could not be infected. Now I suggest that you run the following scans to check if the system is completely clean.

     • Open Malwarebytes;
     • On the left pane select Settings;
     • Select the Protection tab;
     • Scroll down to Scan Options and ensure Scan for Rootkits and Scan within Archives are both on and leave all other settings to default.
     • Go back to DashBoard and select the blue Scan Now tab;
       Note: The scan may take some time to finish, so please be patient.
     • When the scan completes if potential threats are detected, ensure to checkmark all the listed items, and click the Quarantine Selected button.
     • While still on the Scan tab, click the View Report button, and in the window that opens click the Export button, select Text file (*.txt), give it a name and save it to your Desktop. The log can also be viewed by clicking the log to select it, then clicking the View Report button.
     • Please attach the log in your next reply.

     Please check for leftovers of infection by running ESET Online Scanner. Please note that this is a very thorough scan so it can take several hours to complete but it's worth it.
     • Click on this link to open ESET Online Scanner in a new window.
     • Click on the Scan Now button to download the esetonlinescanner_enu.exe file and save it to your computer Desktop.
     • Close all your programs and browsers and disconnect any USB flash drives from the computer.
     • Please disable your antivirus program to avoid potential conflicts, improve the performance and speed up the scan.
     • Double click on esetonlinescanner_enu.exe to start ESET Online Scanner. It will open a window with the Terms of Use. Click the Accept button.
     • Under Computer scan settings, check mark Enable detection of potentially unwanted applications.
     • Then click Advanced settings and check mark the following options:
       Enable detection of potentially unsafe applications
       Clean threats automatically
     • Click the Scan button. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
     • When the scan completes, click List Threats.
     • Click Export, and save the file to your Desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
     • Click the Back button.
     • Click the Finish button.
       Note: If nothing is found, it will not produce a log.
     • Please re-enable your antivirus program.

     Please attach the Malwarebytes log and post the contents of ESET log (if it produced one). How is the system running at this point? Any issues or concerns? Thank you. Rui
  12. Hello KathyD174. If you still need help, please read this topic https://forums.malwarebytes.com/topic/9573-im-infected-what-do-i-do-now/ and post the requested logs for my review. We need to see those logs in order to help you. Thank you for your understanding. Android8888
  13. Hi Elyzabeth, Could you please re-run FRST and post a new set of logs for my review. Thank you. Rui
  14. Hello waawaaaa. My screen name is Android8888 but if you wish you can call me Rui which is my real name. I will be helping you with your malware issues. Please ask questions if anything is unclear. I suggest printing out each set of instructions or copy them to a Notepad file and reading the entire post before proceeding. It will make following them easier.

     I noticed that you have qBittorrent installed. Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a wide variety of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. It is pretty much certain that if you continue to use P2P programs, you will get infected again. I would recommend that you uninstall qBittorrent, however that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Programs and Features. If you wish to keep it, please do not use it until your computer is cleaned.

     You also have two programs with malicious purposes installed on your system. I'll ask you to uninstall them since uninstalling such programs before running malware removal tools will ensure a better clean-up.
       KMSpico
       Driver Support
     If you have an issue when uninstalling a program, please let me know.

     Please remove the following extension from Chrome:
     • In Google Chrome, enter chrome://extensions in the address bar and press on Enter
     • In the Extensions page, uninstall these (by clicking on the little garbage can icon on their right)
       BetterTTV
     • If you don't see the extension listed, it means that it's installed as an App. So enter chrome://apps in the address bar and press on Enter
     • From the Apps page, look for the app, right-click on it and select Remove from Chrome

     Please read here and remove the following Firefox extension:
       McAfee WebAdvisor

     Next,
     • Open Malwarebytes;
     • On the left pane select Settings;
     • Select the Protection tab;
     • Scroll down to Scan Options and ensure Scan for Rootkits and Scan within Archives are both on and leave all other settings to default.
     • Go back to DashBoard and select the blue Scan Now tab;
       Note: The scan may take some time to finish, so please be patient.
     • When the scan completes if potential threats are detected, ensure to checkmark all the listed items, and click the Quarantine Selected button.
     • While still on the Scan tab, click the View Report button, and in the window that opens click the Export button, select Text file (*.txt), give it a name and save it to your Desktop. The log can also be viewed by clicking the log to select it, then clicking the View Report button.
     • Please attach the log in your next reply.

     Next,
     • Download Malwarebytes AdwCleaner and move it to your Desktop.
     • Right-click on AdwCleaner.exe and select Run as Administrator.
     • Accept the EULA (I accept), then click on Scan.
     • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Clean button. This will kill all the active processes.
     • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it.
     • After the restart, a log will open when logging in. Please attach that log in your next reply.

     Next, follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.
     • Download the attached fixlist.txt file, and save it on your Desktop (or wherever your FRST64.exe executable is located); DO NOT open or modify that file!
     • Right-click on the FRST executable and select Run as Administrator;
     • Click on the Fix button;
       Credits: Aura
     • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad;
     • Please attach the Fixlog.txt in your next reply;

     In your next reply please attach the following logs:
       Malwarebytes log.
       AdwCleaner clean log.
       Fixlog.txt

     Please let me know in detail what issues or concerns you are still experiencing with the computer. Rui
     fixlist.txt
  15. Hello guys, Malwarebytes Anti-Bundleware is blocking this website: https://clubedohardware.com.br/ It is the Brazilian tech and malware removal website. Virus Total reports this https://www.virustotal.com/#/url/f7ff264c2a1b239a38122c2919e5d35b4f51ca127a0a39f4865957f42c04b8d9/detection The website is bundled with many advertisements but not necessarily malicious, I think... Isn't it a False Positive? Thank you. Rui
  16. Hello Elyzabeth. My screen name is Android8888 but if you wish you can call me Rui which is my real name. I will be helping you with your malware issues. Please ask questions if anything is unclear. I suggest printing out each set of instructions or copy them to a Notepad file and reading the entire post before proceeding. It will make following them easier.

     Going over your logs I noticed that you have Torrent installed. Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a wide variety of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. It is pretty much certain that if you continue to use P2P programs, you will get infected again. I would recommend that you uninstall Torrent, however that choice is up to you. If you wish to keep it, please do not use it until your computer is cleaned.

     Next, please remove the following program:
       Popcorn Time

     Next, follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.
     • Download the attached fixlist.txt file, and save it on your Desktop (or wherever your FRST64.exe executable is located); DO NOT open or modify that file!
     • Right-click on the FRST executable and select Run as Administrator;
     • Click on the Fix button;
       Credits: Aura
     • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad;
     • Please attach the Fixlog.txt in your next reply;

     Next,
     • Download Malwarebytes AdwCleaner and move it to your computer Desktop.
     • Right-click on AdwCleaner.exe and select Run as Administrator to start the tool.
     • Accept the EULA (I accept), then click on Scan.
     • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Clean button. This will kill all the active processes.
     • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it.
     • After the restart, a log will open when logging in. Please attach that log in your next reply.

     Next, please download Zemana Antimalware Portable and save it to your computer Desktop.
     • Right-click on the icon and select Run as administrator to install the program.
     • Click Yes to accept the User Account Control security warning that may appear.
     • Wait a few seconds until the update of database signature is complete.
     • Without changing any options, click the Scan button to begin.
     • After the short scan is finished, if threats are detected click Next to remove them.
       Note: If restart is required to finish the cleaning process, you should click Reboot. If reboot isn't required, please re-boot your computer manually.
     • Click on the Back button.
     • On the top right corner click on Reports icon (the one with three bars) and double click on the latest report.
     • Now click File > Save As, then choose your computer's Desktop and click the Save button.
     • Please attach the saved report in your next reply.

     In your next reply please attach the following logs:
       Fixlog.txt
       AdwCleaner clean log.
       Zemana log.

     How is the computer running at this point? Any detections of "coinhive"? Rui
     fixlist.txt
  17. Excellent! Now, let's just cleanup the tools we used by running DelFix. Follow the instructions below to download and execute DelFix.
     • Download DelFix and move the executable to your Desktop;
     • Right-click on DelFix.exe and select Run as Administrator;
     • Check the following options:
       Activate UAC (this option will activate the User Account Control feature).
       Remove disinfection tools (this option will remove the tools used in the cleaning process).
       Create registry backup (this option will create a backup from the Windows Registry).
       Purge system restore (this option will remove all previous and possibly infected restore points, and will create a new and clean restore point of your system).
       Reset system settings (this option will reset any system settings back to default that were changed either by us during cleansing or by malware infection).
     • Once the options mentioned above are checked, click on Run;
     • After DelFix is done running, a log will open. I don't need to see the log. You can close and delete it.

     Please keep your programs up to date. This applies to most of the programs and all your Internet Browsers in particular. Vulnerabilities in the programs are often exploited in order to install malware on your PC. Run a program like Personal Software Inspector (PSI) or FileHippo Update Checker to see what programs need to be updated.

     To help keep malware off your system below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please consider using these ideas to help secure your computer.
     • Keep your Windows Operating System up-to-date.
     • Keep your Antivirus program up-to-date.
     • Please note: Many installers offer third-party downloads that are installed automatically when you do not uncheck certain checkboxes. While most of the time not being malicious you usually do not want these on your computer. Be careful during the installation process and you will avoid seeing tons of new unwanted toolbars in your favorite web browser.
     • Keep Malwarebytes Anti-Malware (MBAM) updated and perform a regular scan to your system as it will make it harder for malware to reside on your computer. A tutorial on using MBAM can be found here and a complete guide here. Please Note: Only the paid for version has real time capabilities. Please go here and scroll down to find a comparison list of the two versions.
     • Please keep these programs up-to-date and run them whenever you suspect a problem to prevent malware problems. A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall and scanning anti-spyware program at a time.
     • Note that there are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure.
     • A similar category of programs is now called "scareware." Scareware programs are active infections that will pop-up on your computer and tell you that you are infected. If you look closely, it will usually have a name that looks like it might be legitimate, but it is NOT one of the programs you installed. It tells you to click and install it right away. If you click on any part of it, including the 'X' to close it, you may actually help it infect your computer further. Keeping protection updated and running resident protection can help prevent these infections. If it happens anyway, get offline as quickly as you can. Pull the internet connection cable or shut down the computer if you have to. Contact someone to help by using another computer if possible. These programs are also sometimes called 'rogues', but they are different than the older version of rogues mentioned above.
     • Another of the most feared threats at the moment is a Ransomware infection. A Ransomware infection is a program that ransoms the data or functionality of your computer until you perform an action. This action is typically to pay a ransom in the form of Bitcoins or another payment method. I advise you to read more info on this terrible threat here and here.
     • Be careful with flash drives, as they can spread infections. See this post on USB/flash drive safety.
     • Stay away from P2P software; even with a clean P2P program, their networks are often riddled with malware.
     • Don't click on attachments or links in e-mail, and read your e-mail in text-only mode for the highest safety.
     • Don't click on links received in instant message programs.
     • A HOSTS file will prevent Internet Explorer from communicating with sites known to be associated with adware or spyware. A good regularly updated HOSTS file is MVPS HOSTS File, available here.

     For much more useful and complete information, please read the following links to fully understand PC Security and Best Practices:
       So how did I get infected in the first place
       Answers to common security questions - Best Practices

     Hopefully these steps will help to keep you error and malware free. If you run into more difficulty, we will certainly do what we can to help. Happy surfing and stay safe. Android8888
  18. Hello GuyboR and thank you for the logs. Zemana found some adware items, quarantined them all and repaired a suspicious browser setting. All the other logs you provided are clean. This is a normal behavior of RogueKiller, so nothing to worry about.

     Now let's perform one last scan with ESET Online Scanner to check for leftovers of infection. This is a very thorough scan and may take several hours to complete but it's worth it.
     • Click on this link to open ESET Online Scanner in a new window.
     • Click on the Scan Now button to download the esetonlinescanner_enu.exe file. Save it to your Desktop.
     • Close all your programs and browsers and disconnect any USB flash drives from the computer.
     • Please disable your antivirus program to avoid potential conflicts, improve the performance and speed up the scan.
     • Double click on esetonlinescanner_enu.exe to start ESET Online Scanner. It will open a window with the Terms of Use.
     • Check mark Download latest version of ESET Online Scanner and click the Accept button.
     • Click Yes to accept any security warnings that may appear.
     • Under Computer scan settings, check mark Enable detection of potentially unwanted applications.
     • Then click Advanced settings and check mark the following options:
       Enable detection of potentially unsafe applications
       Clean threats automatically
     • Click the Scan button. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
     • When the scan completes, click List Threats.
     • Click Export, and save the file to your Desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
     • Click the Back button.
     • Click the Finish button.
       Note: If nothing is found, it will not produce a log.
     • Please re-enable your antivirus program and post the results of ESET (if it produced a log).

     How is the computer behaving at this point? Android8888
  19. Hello GuyboR. Sorry for the delay in responding. You did well in deleting the content in Recycle Bin. It belongs to ZeroAccess rootkit which is a nasty infection. It could be only remnants, however. Let's check it out further. Please proceed with the following tools in the order listed:

     Re-run RogueKiller and delete only the following entries:

     Under Registry tab:
     [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{2CFA3E4F-E0F9-4FE4-9662-DBAD168621F5}C:\users\guy\appdata\local\temp\joi40f6.tmp\join.me.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\users\guy\appdata\local\temp\joi40f6.tmp\join.me.exe|Name=join.me.exe|Desc=join.me.exe|Defer=User| [x] -> Found
     [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{16FA61DC-F70A-45EC-8D91-6AE3BDF0349B}C:\users\guy\appdata\local\temp\joi40f6.tmp\join.me.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\users\guy\appdata\local\temp\joi40f6.tmp\join.me.exe|Name=join.me.exe|Desc=join.me.exe|Defer=User| [x] -> Found
     [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{61F71B31-4D04-449E-AE2E-E0126EEC44E5}C:\users\guy\appdata\local\temp\joib612.tmp\join.me.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\users\guy\appdata\local\temp\joib612.tmp\join.me.exe|Name=join.me.exe|Desc=join.me.exe|Defer=User| [x] -> Found
     [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{A59C3065-14D2-4189-9B85-48DD0E477D2D}C:\users\guy\appdata\local\temp\joib612.tmp\join.me.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\users\guy\appdata\local\temp\joib612.tmp\join.me.exe|Name=join.me.exe|Desc=join.me.exe|Defer=User| [x] -> Found
     [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{08521074-D96F-45FC-933C-37272748B41F}C:\users\guy\appdata\local\temp\joi88ae.tmp\join.me.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\users\guy\appdata\local\temp\joi88ae.tmp\join.me.exe|Name=join.me.exe|Desc=join.me.exe|Defer=User| [x] -> Found
     [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{540FA811-02A4-4555-8AEC-93BF6C91E7CE}C:\users\guy\appdata\local\temp\joi88ae.tmp\join.me.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\users\guy\appdata\local\temp\joi88ae.tmp\join.me.exe|Name=join.me.exe|Desc=join.me.exe|Defer=User| [x] -> Found
     [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{A9E81469-8007-4471-86F4-F17F0CC44833}C:\users\guy\appdata\local\temp\joi62b0.tmp\join.me.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\users\guy\appdata\local\temp\joi62b0.tmp\join.me.exe|Name=join.me.exe|Desc=join.me.exe|Defer=User| [x] -> Found
     [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{E9662792-406E-43BF-B3A0-2891F568F6FF}C:\users\guy\appdata\local\temp\joi62b0.tmp\join.me.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\users\guy\appdata\local\temp\joi62b0.tmp\join.me.exe|Name=join.me.exe|Desc=join.me.exe|Defer=User| [x] -> Found
     [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{0C93CAC0-6C6B-4C0E-889A-C60AD57EA193}C:\users\guy.robertsons\appdata\local\temp\joi27ba.tmp\join.me.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Domain|App=C:\users\guy.robertsons\appdata\local\temp\joi27ba.tmp\join.me.exe|Name=join.me.exe|Desc=join.me.exe|Defer=User| [x] -> Found
     [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{AB1D279D-9239-4092-AFF8-5CB77AED4FE5}C:\users\guy.robertsons\appdata\local\temp\joi27ba.tmp\join.me.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Domain|App=C:\users\guy.robertsons\appdata\local\temp\joi27ba.tmp\join.me.exe|Name=join.me.exe|Desc=join.me.exe|Defer=User| [x] -> Found
     [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{9BF6EDC4-3D8F-411C-AA27-A20A29EE109D}C:\users\guy.robertsons\appdata\local\temp\joi77cc.tmp\join.me.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Domain|App=C:\users\guy.robertsons\appdata\local\temp\joi77cc.tmp\join.me.exe|Name=join.me.exe|Desc=join.me.exe|Defer=User| [x] -> Found
     [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{916119F0-F3BB-4AAA-BE9D-7B4758093BAA}C:\users\guy.robertsons\appdata\local\temp\joi77cc.tmp\join.me.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Domain|App=C:\users\guy.robertsons\appdata\local\temp\joi77cc.tmp\join.me.exe|Name=join.me.exe|Desc=join.me.exe|Defer=User| [x] -> Found
     [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{F231E009-2676-40A7-B5CF-6045C44B7C99}C:\users\guy.robertsons\appdata\local\cloudstation\cloudstation.app\bin\cloud-drive-connect.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Domain|Profile=Private|App=C:\users\guy.robertsons\appdata\local\cloudstation\cloudstation.app\bin\cloud-drive-connect.exe|Name=cloud-drive-connect.exe|Desc=cloud-drive-connect.exe|Defer=User| [x] -> Found
     [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{7226CC87-8C1C-4BBF-BA3C-4676CB2BD922}C:\users\guy.robertsons\appdata\local\cloudstation\cloudstation.app\bin\cloud-drive-connect.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Domain|Profile=Private|App=C:\users\guy.robertsons\appdata\local\cloudstation\cloudstation.app\bin\cloud-drive-connect.exe|Name=cloud-drive-connect.exe|Desc=cloud-drive-connect.exe|Defer=User| [x] -> Found
     [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{2A52B58D-F842-4F09-82D0-053839095D49}C:\users\guy.robertsons\appdata\local\cloudstation\cloudstation.app\bin\cloud-drive-ui.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Domain|Profile=Private|App=C:\users\guy.robertsons\appdata\local\cloudstation\cloudstation.app\bin\cloud-drive-ui.exe|Name=cloud-drive-ui.exe|Desc=cloud-drive-ui.exe|Defer=User| [x] -> Found
     [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{EE2954BB-E6EF-4689-B5F2-425C03363A42}C:\users\guy.robertsons\appdata\local\cloudstation\cloudstation.app\bin\cloud-drive-ui.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Domain|Profile=Private|App=C:\users\guy.robertsons\appdata\local\cloudstation\cloudstation.app\bin\cloud-drive-ui.exe|Name=cloud-drive-ui.exe|Desc=cloud-drive-ui.exe|Defer=User| [x] -> Found

     Under Files tab:
     [Root.ZeroAccess][Folder] C:\$RECYCLE.BIN\S-1-5-21-4193440681-3632957503-4194435524-1135\$RN8M0LT\COMP\NOC\L -> Found
[Root.ZeroAccess][Folder] C:\$RECYCLE.BIN\S-1-5-21-4193440681-3632957503-4194435524-1135\$RN8M0LT\COMP\SPC\L -> Found
[Root.ZeroAccess][Folder] C:\$RECYCLE.BIN\S-1-5-21-4193440681-3632957503-4194435524-1135\$RSGMENG\NOC\L -> Found
[Root.ZeroAccess][Folder] C:\$RECYCLE.BIN\S-1-5-21-4193440681-3632957503-4194435524-1135\$RSGMENG\SPC\L -> Found

Under Web browsers tab:
[PUP.Gen0][Chrome:Addon] Default : DuckDuckGo for Chrome [bpphkkgodbfncbcpgopijlfakfgmclao] -> Found
[PUP.Gen0][Chrome:Addon] Default : DuckDuckGo Home Page [ljkalbbbffedallekgkdheknngopfhif] -> Found
[PUM.HomePage][Chrome:Config] Default [SecurePrefs] : homepage [chrome://apps/] -> Found
[PUM.HomePage][Chrome:Config] Default [SecurePrefs] : session.startup_urls [https://www.google.com/calendar/render?tab=wc|https://docs.google.com/spreadsheet/ccc?key=0ApxUrBu01OlCdEs4MmdrdzlFZ0tMbWZyNHlmLWEtR0E#gid=0|chrome://apps/|http://www.robertsonmfg.com/ctc/site/index#/home] -> Found

Next, download TDSSKiller from BleepingComputer, then move the executable file to your Desktop:
Right-click on tdsskiller.exe and select Run as Administrator;
Accept the End User Licence Agreement (EULA) and the KSN Statement;
Once the application is done initializing, click on the Change parameters button;
In addition to the currently checked boxes, check these two as well: Verify file digital signature; Detect TDLFS file system;
Once done, click on Ok, then click on Start scan;
After the scan is complete, click on the Report button in the top right corner;
A report window will open with the scan log. Copy and paste it in your next reply.

Next, please download Zemana AntiMalware Portable and save it to your computer's Desktop:
Right-click on the icon and select Run as administrator to install the program. Click Yes to accept the User Account Control security warning that may appear.
Wait a few seconds until the update of the signature database is complete.
Without changing any options, click the Scan button to begin.
After the short scan is finished, if threats are detected click Next to remove them.
Note: If a restart is required to finish the cleaning process, you should click Reboot. If a reboot isn't required, please reboot your computer manually.
Click on the Back button.
In the top right corner click on the Reports icon (the one with three bars) and double-click on the latest report.
Now click File > Save As, then choose your computer's Desktop and click the Save button.
Please attach the saved report in your next reply.

To summarize, please attach the RogueKiller log (RKlog.txt) and the Zemana log, and post the entire content of the TDSSKiller log.

Thank you.
Android8888
  20. Hello GuyboR.

Okay, leave FRST for now. Please re-run Malwarebytes and AdwCleaner one more time:

Open Malwarebytes;
On the left pane select Settings;
Select the Protection tab;
Scroll down to Scan Options and ensure Scan for Rootkits and Scan within Archives are both on, and leave all other settings at their defaults.
Go back to the Dashboard and select the blue Scan Now tab;
Note: The scan may take some time to finish, so please be patient.
When the scan completes, if potential threats are detected, make sure to check mark all the listed items and click the Quarantine Selected button.
While still on the Scan tab, click the View Report button, and in the window that opens click the Export button, select Text file (*.txt), give it a name and save it to your Desktop. The log can also be viewed by clicking the log to select it, then clicking the View Report button.
Please attach the log in your next reply.

Next,
Right-click on AdwCleaner.exe and select Run as Administrator.
Accept the UAC warning, then click on Scan.
Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Clean button. This will kill all the active processes.
Once the cleaning process is complete, AdwCleaner will ask to restart your computer; do it.
After the restart, a log will open when logging in. Please attach that log in your next reply.

Next,
Please download RogueKiller_portable64.exe by Tigzy and save it to your computer's Desktop.
Now close all programs and Internet browsers and disconnect any USB or external drives from the computer before you run this scan!
Right-click on the file RogueKiller_portable64.exe and select Run as administrator to start the tool. Click Yes to accept the User Account Control security warning that may appear.
Once the tool is open, click the Scan tab and then click the Start Scan button.
Wait until the scan has finished.
Note: This scan may take some time to complete.
Warning: DO NOT remove any entry it found. They are not all bad and need to be carefully analyzed.
Once finished, the results will be displayed. Click on the Open Report button. It will open a new window.
Click Export TXT to export the report as a text file, give a name to the file such as RKlog.txt and save it to your computer's Desktop.
Close RogueKiller.
Please attach the RKlog.txt to your next reply.

To summarize, please attach the following logs:
Malwarebytes log.
AdwCleaner clean log.
RogueKiller log (RKlog.txt).

Please let me know in detail how the computer is behaving at this point.

Thank you.
Android8888
  21. You're welcome!

Okay, stay safe out there and come back whenever you need.

Kind Regards,
Android8888
  22. Excellent! Your machine appears to be clean and free of malware.

Now, run a program like Personal Software Inspector (PSI) or FileHippo Update Checker to see what programs need to be updated.

To help keep malware off your system, below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please consider using these ideas to help secure your computer.

Keep your Windows Operating System up-to-date.

Keep your Antivirus program up-to-date.

Please note: Many installers offer third-party downloads that are installed automatically when you do not uncheck certain checkboxes. While most of the time they are not malicious, you usually do not want these on your computer. Be careful during the installation process and you will avoid seeing tons of new unwanted toolbars in your favorite web browser.

Keep Malwarebytes updated and perform regular scans of your system, as it will make it harder for malware to reside on your computer. A tutorial on using MBAM can be found here and a complete guide here. Please Note: Only the paid-for version has real-time capabilities. Please go here and scroll down to find a comparison list of the two versions.

A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type, since they can conflict and become less effective. That means only one antivirus, firewall and scanning anti-spyware program with real-time protection at a time.

Note that there are a lot of rogue programs out there that want to scare you into giving them your money, and some malware actually claims to be a security program. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure.

A similar category of programs is now called "scareware." Scareware programs are active infections that will pop up on your computer and tell you that you are infected. If you look closely, it will usually have a name that looks like it might be legitimate, but it is NOT one of the programs you installed. It tells you to click and install it right away. If you click on any part of it, including the 'X' to close it, you may actually help it infect your computer further. Keeping protection updated and running resident protection can help prevent these infections. If it happens anyway, get offline as quickly as you can. Pull the internet connection cable or shut down the computer if you have to. Contact someone to help by using another computer if possible. These programs are also sometimes called 'rogues', but they are different from the older version of rogues mentioned above.

Another much-feared threat at the moment is infection by ransomware. A ransomware infection is a program that ransoms the data or functionality of your computer until you perform an action. This action is typically to pay a ransom in the form of Bitcoins or another payment method. I advise you to read more info on this terrible threat here and here.

Please keep your programs up to date. This applies to most programs and to all your Internet browsers in particular. Vulnerabilities in the programs are often exploited in order to install malware on your PC.

Be careful with flash drives, as they can spread infections. See this post on USB/flash drive safety.

Stay away from P2P software; even with a clean P2P program, their networks are often riddled with malware.

Don't click on attachments or links in e-mail, and read your e-mail in text-only mode for the highest safety.

Don't click on links received in instant message programs.

A HOSTS file will prevent Internet Explorer from communicating with sites known to be associated with adware or spyware. A good, regularly updated HOSTS file is the MVPS HOSTS File, available here.

For much more useful and complete information, please read the following links to fully understand PC Security and Best Practices:
So how did I get infected in the first place?
Answers to common security questions - Best Practices

Hopefully these steps will help to keep you error and malware free. If you run into more difficulty, we will certainly do what we can to help.

Are there any questions or concerns before we close this thread?

Android8888
  23. FRST was developed and optimized to run from the computer's Desktop and should be run with Administrator privileges.

No, there is no need to close any processes. The script will do that in the first place.

Now delete the old fixlist.txt file and download the attached one. Re-run FRST, click the Fix button and see how it goes. Did it complete the fix, or does it stop with the same error?

fixlist.txt
  24. Hello.

Not for now.

Okay, the FRST script ran well.

The RogueKiller log:

These entries are legit. They belong to the Lenovo web site.
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-1697640862-2283178921-85191061-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://lenovo15.msn.com/?pc=LCTE -> Gevonden
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-1697640862-2283178921-85191061-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://lenovo15.msn.com/?pc=LCTE -> Gevonden
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-1697640862-2283178921-85191061-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://lenovo15.msn.com/?pc=LCTE -> Gevonden
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-1697640862-2283178921-85191061-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://lenovo15.msn.com/?pc=LCTE -> Gevonden

The IP address 84.116.46.22 in the following entries is owned by Liberty Global Operations B.V., located in the Netherlands, which I presume is your ISP (Internet Service Provider). If you know them, they are legitimate.
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 84.116.46.23 84.116.46.22 ([Netherlands][-]) -> Gevonden
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{43d9ef7c-053a-4e4f-8065-c7ca4ee5f294} | DhcpNameServer : 84.116.46.23 84.116.46.22 ([Netherlands][-]) -> Gevonden
Check here: https://db-ip.com/84.116.46.22

Now, please scan your computer with ESET Online Scanner to ensure that your computer is clean.
Click on this link to open ESET Online Scanner in a new window.
Click on the Scan Now button to download the esetonlinescanner_enu.exe file. Save it to your Desktop.
Close all your programs and browsers and disconnect any USB flash drives from the computer.
Please disable your antivirus program to avoid potential conflicts, improve the performance and speed up the scan.
Double-click on esetonlinescanner_enu.exe to start ESET Online Scanner. It will open a window with the Terms of Use.
Check mark Download latest version of ESET Online Scanner and click the Accept button.
Click Yes to accept any security warnings that may appear.
Under Computer scan settings, check mark Enable detection of potentially unwanted applications. Then click Advanced settings and check mark the following options:
Enable detection of potentially unsafe applications
Clean threats automatically
Click the Scan button.
ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
When the scan completes, click List Threats.
Click Export, and save the file to your Desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
Click the Back button.
Click the Finish button.
Note: If nothing is found, it will not produce a log.
Please re-enable your antivirus program.
Please post the contents of the ESET log (if it produced one).

Android8888
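The triage applied in posts 19 and 24 above (ZeroAccess folders under $RECYCLE.BIN are removed; PUM.HomePage hits pointing at a known OEM default page and PUM.Dns hits pointing at the user's own ISP are benign; everything else is analysed by hand) written up as a small RogueKiller log parser. This is an added Python example, not code from the posts or from RogueKiller; KNOWN_DEFAULT_PAGES and EXPECTED_RESOLVERS are assumed per-case allowlists, and the 198.51.100.7 sample line is constructed.

```python
import re

# Sample built from the RogueKiller entries quoted in the posts above plus one
# constructed PUM.Dns line (198.51.100.7) for the "unexpected resolver" case.
# The scanner localizes the status word ("Found", "Gevonden"), so only " -> " is parsed.
SAMPLE_LOG = r"""
[Root.ZeroAccess][Folder] C:\$RECYCLE.BIN\S-1-5-21-4193440681-3632957503-4194435524-1135\$RN8M0LT\COMP\NOC\L -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-1697640862-2283178921-85191061-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://lenovo15.msn.com/?pc=LCTE -> Gevonden
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 84.116.46.23 84.116.46.22 ([Netherlands][-]) -> Gevonden
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 198.51.100.7 ([-][-]) -> Gevonden
"""

# Assumed per-case allowlists: post 24 states the Lenovo/MSN start page and the
# 84.116.46.x resolvers (Liberty Global, the user's ISP) are legitimate.
KNOWN_DEFAULT_PAGES = {"lenovo15.msn.com"}
EXPECTED_RESOLVERS = {"84.116.46.22", "84.116.46.23"}

TAGS_RE = re.compile(r"^((?:\[[^\]]+\])+)\s*(.*)$")   # leading [Category][Type] tags
HOST_RE = re.compile(r"https?://([^/\s\]|]+)")        # host part of any URL in the value
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def triage(category, body):
    """Map one hit to (verdict, reason) using the rules applied in the posts above."""
    if category == "Root.ZeroAccess":
        return "remove", "ZeroAccess rootkit residue (folders under $RECYCLE.BIN)"
    if category == "PUM.HomePage":
        hosts = {h.lower() for h in HOST_RE.findall(body)}
        if hosts and hosts <= KNOWN_DEFAULT_PAGES:
            return "benign", "start page is a known OEM default"
        return "review", "start page not on the known-default list"
    if category == "PUM.Dns":
        servers = set(IPV4_RE.findall(body))
        if servers and servers <= EXPECTED_RESOLVERS:
            return "benign", "resolvers belong to the user's ISP"
        return "review", "unexpected DNS resolver; confirm ownership before acting"
    return "review", "no rule for this category; analyse by hand"


def parse_line(line):
    """Return (category, body, status, verdict, reason), or None for non-result lines."""
    line = line.strip()
    if " -> " not in line:
        return None
    body, _, status = line.rpartition(" -> ")
    m = TAGS_RE.match(body)
    if not m:
        return None
    category = re.findall(r"\[([^\]]+)\]", m.group(1))[0]
    verdict, reason = triage(category, m.group(2))
    return category, m.group(2), status, verdict, reason


def triage_log(text):
    """Parse every result line of a RogueKiller report and attach a verdict."""
    return [f for f in map(parse_line, text.splitlines()) if f]


if __name__ == "__main__":
    for category, _body, status, verdict, reason in triage_log(SAMPLE_LOG):
        print(f"{verdict:6} {category:16} {status:8} {reason}")
```

Anything marked "review" still needs a human look, exactly as the RogueKiller warning in post 20 says; the verdicts only encode what the helper explained for this one machine.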