redgt00

Posts posted by redgt00

  1. My PC was recently infected with a nasty rootkit virus. After trying everything I could find online to no avail, I came across these forums and decided to create my own thread to try and get some help. Aura was extremely patient and helpful in the removal of the malware that was on my system. The step by step instructions were very easy to follow and made getting rid of the virus a breeze (at least on my end ;) )

    It's really great to see a community like this with dedicated members who are more than willing to help those unfortunate enough to become infected with malware.

    Thanks again Aura, for all your help! Keep up the good work :)

  2. # AdwCleaner 7.0.1.0 - Logfile created on Tue Aug 15 13:49:11 2017
    # Updated on 2017/05/08 by Malwarebytes 
    # Running on Windows 10 Pro (X64)
    # Mode: clean
    # Support: https://www.malwarebytes.com/support

    ***** [ Services ] *****

    Deleted: AdAppMgrSvc


    ***** [ Folders ] *****

    No malicious folders deleted.

    ***** [ Files ] *****

    No malicious files deleted.

    ***** [ DLL ] *****

    No malicious DLLs cleaned.

    ***** [ WMI ] *****

    No malicious WMI cleaned.

    ***** [ Shortcuts ] *****

    No malicious shortcuts cleaned.

    ***** [ Tasks ] *****

    No malicious tasks deleted.

    ***** [ Registry ] *****

    Deleted: [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\cmptch.com
    Deleted: [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\static.cmptch.com
    Deleted: [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\cmptch.com
    Deleted: [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\static.cmptch.com


    ***** [ Firefox (and derivatives) ] *****

    No malicious Firefox entries deleted.

    ***** [ Chromium (and derivatives) ] *****

    No malicious Chromium entries deleted.

    *************************

    ::Tracing keys deleted
    ::Winsock settings cleared
    ::Additional Actions: 0

    *************************

    C:/AdwCleaner/AdwCleaner[S0].txt - [3085 B] - [2014/8/28 14:26:2]
    C:/AdwCleaner/AdwCleaner[S1].txt - [918 B] - [2014/8/28 18:56:25]
    C:/AdwCleaner/AdwCleaner[S2].txt - [1252 B] - [2014/8/28 19:56:54]
    C:/AdwCleaner/AdwCleaner[S3].txt - [2021 B] - [2017/8/15 13:48:46]


    ########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt ##########

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Junkware Removal Tool (JRT) by Malwarebytes
    Version: 8.1.4 (07.09.2017)
    Operating System: Windows 10 Pro x64 
    Ran by Michael (Administrator) on Tue 08/15/2017 at  9:52:02.52
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


    File System: 4 

    Successfully deleted: C:\Users\Michael\AppData\Local\{B5F70934-5E12-42d2-882D-62D42EA1FA67} (Empty Folder)
    Successfully deleted: C:\WINDOWS\system32\Tasks\update-sys (Task)
    Successfully deleted: C:\WINDOWS\Tasks\update-S-1-5-21-1747559312-1166520656-3094945707-1158.job (Task) 
    Successfully deleted: C:\WINDOWS\Tasks\update-sys.job (Task) 

    Registry: 1 

    Successfully deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\GoogleChromeAutoLaunch_1D7305B07635F8E0A4CF4B02D1C53C4D (Registry Value) 


    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Scan was completed on Tue 08/15/2017 at  9:53:08.28
    End of JRT log
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  3. I think this was the first scan I did. I didn't export right away when I first ran it. Malwarebytes quarantined a bunch of items though. I restarted, then deleted them.

    Malwarebytes
    www.malwarebytes.com

    -Log Details-
    Scan Date: 8/15/17
    Scan Time: 9:32 AM
    Log File: 
    Administrator: Yes

    -Software Information-
    Version: 3.1.2.1733
    Components Version: 1.0.160
    Update Package Version: 1.0.2591
    License: Free

    -System Information-
    OS: Windows 10 (Build 15063.540)
    CPU: x64
    File System: NTFS
    User: MICHAEL\Michael

    -Scan Summary-
    Scan Type: Threat Scan
    Result: Completed
    Objects Scanned: 429438
    Threats Detected: 48
    Threats Quarantined: 48
    Time Elapsed: 0 min, 52 sec

    -Scan Options-
    Memory: Enabled
    Startup: Enabled
    Filesystem: Enabled
    Archives: Enabled
    Rootkits: Disabled
    Heuristics: Enabled
    PUP: Enabled
    PUM: Enabled

    -Scan Details-
    Process: 0
    (No malicious items detected)

    Module: 0
    (No malicious items detected)

    Registry Key: 20
    RiskWare.HeuristicsReservedWordExploit, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\EXPLORER.EXE, Quarantined, [14314], [293543],1.0.2591
    RiskWare.HeuristicsReservedWordExploit, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\EXPLORER.EXE, Quarantined, [14314], [293543],1.0.2591
    Adware.DotDo.DotPrx, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\NLASVC\PARAMETERS\INTERNET\MANUALPROXIES, Quarantined, [8184], [-1],0.0.0
    Adware.DotDo.DotPrx, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\12120012, Quarantined, [8184], [397745],1.0.2591
    Adware.DotDo.DotPrx, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\36556502, Quarantined, [8184], [397745],1.0.2591
    Adware.DotDo.DotPrx, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\38266672, Quarantined, [8184], [397745],1.0.2591
    Adware.Agent.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\k36556502, Quarantined, [1396], [402167],1.0.2591
    Adware.DotDo.DotPrx, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\ts1212001212120012, Quarantined, [8184], [409656],1.0.2591
    Adware.DotDo.DotPrx, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\ts3655650236556502, Quarantined, [8184], [409656],1.0.2591
    Adware.DotDo.DotPrx, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\ts3826667238266672, Quarantined, [8184], [409656],1.0.2591
    Adware.DotDo.DotPrx, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\tsk36556502k36556502, Quarantined, [8184], [397782],1.0.2591
    Adware.RunBooster, HKLM\SOFTWARE\RunBooster, Quarantined, [1849], [368690],1.0.2591
    Adware.DotDo.DotPrx, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{1A70C4B9-BA14-4F76-A67E-707419B1BF3A}, Quarantined, [8184], [409657],1.0.2591
    Adware.DotDo.DotPrx, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{442E8B2C-0659-460E-9FEE-878276FEE26D}, Quarantined, [8184], [397783],1.0.2591
    Adware.DotDo.DotPrx, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{5F461F21-99F7-4B51-AFA2-7FF3F62ACB01}, Quarantined, [8184], [409657],1.0.2591
    Adware.Agent.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{BEBCFF10-860C-47E8-9E6F-A717CDA4589E}, Quarantined, [1396], [402166],1.0.2591
    Adware.DotDo.DotPrx, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{CC4BF669-D840-44BC-B0B8-7BC9694DBD4A}, Quarantined, [8184], [407483],1.0.2591
    Adware.DotDo.DotPrx, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{E632E518-04C1-4CD3-BD7A-C6D6A3B054AA}, Quarantined, [8184], [407483],1.0.2591
    Adware.DotDo.DotPrx, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{E7291D11-282E-42FE-BA03-4F92A9E6203D}, Quarantined, [8184], [407483],1.0.2591
    Adware.DotDo.DotPrx, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{F422851C-75B0-4A6F-B906-D128A3C1F85F}, Quarantined, [8184], [409657],1.0.2591

    Registry Value: 12
    Adware.DotDo.DotPrx, HKU\S-1-5-18\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYENABLE, Quarantined, [8184], [-1],0.0.0
    Adware.DotDo.DotPrx, HKU\S-1-5-21-1747559312-1166520656-3094945707-1158\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYENABLE, Quarantined, [8184], [-1],0.0.0
    Adware.DotDo.DotPrx, HKU\S-1-5-21-1747559312-1166520656-3094945707-1158\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYOVERRIDE, Quarantined, [8184], [-1],0.0.0
    Adware.DotDo.DotPrx, HKU\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYENABLE, Quarantined, [8184], [-1],0.0.0
    Adware.DotDo.DotPrx, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{1A70C4B9-BA14-4F76-A67E-707419B1BF3A}|PATH, Quarantined, [8184], [409657],1.0.2591
    Adware.DotDo.DotPrx, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{442E8B2C-0659-460E-9FEE-878276FEE26D}|PATH, Quarantined, [8184], [397783],1.0.2591
    Adware.DotDo.DotPrx, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{5F461F21-99F7-4B51-AFA2-7FF3F62ACB01}|PATH, Quarantined, [8184], [409657],1.0.2591
    Adware.Agent.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{BEBCFF10-860C-47E8-9E6F-A717CDA4589E}|PATH, Quarantined, [1396], [402166],1.0.2591
    Adware.DotDo.DotPrx, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{CC4BF669-D840-44BC-B0B8-7BC9694DBD4A}|PATH, Quarantined, [8184], [407483],1.0.2591
    Adware.DotDo.DotPrx, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{E632E518-04C1-4CD3-BD7A-C6D6A3B054AA}|PATH, Quarantined, [8184], [407483],1.0.2591
    Adware.DotDo.DotPrx, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{E7291D11-282E-42FE-BA03-4F92A9E6203D}|PATH, Quarantined, [8184], [407483],1.0.2591
    Adware.DotDo.DotPrx, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{F422851C-75B0-4A6F-B906-D128A3C1F85F}|PATH, Quarantined, [8184], [409657],1.0.2591

    Registry Data: 0
    (No malicious items detected)

    Data Stream: 0
    (No malicious items detected)

    Folder: 0
    (No malicious items detected)

    File: 16
    HackTool.FilePatch, C:\$RECYCLE.BIN\S-1-5-21-1747559312-1166520656-3094945707-1158\$R2H4TMJ.EXE, Quarantined, [7440], [281135],1.0.2591
    RiskWare.HeuristicsReservedWordExploit, C:\USERS\MICHAEL\DESKTOP\EXPLORER.EXE, Quarantined, [14314], [293543],1.0.2591
    Adware.Yelloader, C:\USERS\MICHAEL\APPDATA\LOCAL\TEMP\1502733990\S5-20170325.ZIP, Quarantined, [1351], [425787],1.0.2591
    Trojan.Clicker, C:\USERS\MICHAEL\APPDATA\LOCAL\TEMP\1502733990\S5M_INSTALL_325.ZIP, Quarantined, [21], [387412],1.0.2591
    Adware.Yelloader, C:\USERS\MICHAEL\APPDATA\LOCAL\TEMP\460303562\IC-0.E1E2FB11073BA.EXE, Quarantined, [1351], [421829],1.0.2591
    Adware.Yelloader, C:\USERS\MICHAEL\APPDATA\LOCAL\TEMP\1502733990\S5-20170325.EXE, Quarantined, [1351], [425787],1.0.2591
    Adware.Yelloader, C:\USERS\MICHAEL\APPDATA\LOCAL\TEMP\460064906\IC-0.AE6FEC9CD148D.EXE, Quarantined, [1351], [421829],1.0.2591
    Trojan.Clicker, C:\USERS\MICHAEL\APPDATA\LOCAL\TEMP\1502733990\S5M_INSTALL_325.EXE, Quarantined, [21], [387412],1.0.2591
    Adware.DotDo.DotPrx, C:\WINDOWS\SYSTEM32\TASKS\12120012, Quarantined, [8184], [410000],1.0.2591
    Adware.DotDo.DotPrx, C:\WINDOWS\SYSTEM32\TASKS\36556502, Quarantined, [8184], [410000],1.0.2591
    Adware.DotDo.DotPrx, C:\WINDOWS\SYSTEM32\TASKS\38266672, Quarantined, [8184], [410000],1.0.2591
    Adware.DotDo.DotPrx, C:\WINDOWS\SYSTEM32\TASKS\ts1212001212120012, Quarantined, [8184], [409999],1.0.2591
    Adware.DotDo.DotPrx, C:\WINDOWS\SYSTEM32\TASKS\ts3655650236556502, Quarantined, [8184], [409999],1.0.2591
    Adware.DotDo.DotPrx, C:\WINDOWS\SYSTEM32\TASKS\ts3826667238266672, Quarantined, [8184], [409999],1.0.2591
    Adware.DotDo.DotPrx, C:\WINDOWS\SYSTEM32\TASKS\tsk36556502k36556502, Quarantined, [8184], [397781],1.0.2591
    Adware.Agent.Generic, C:\WINDOWS\SYSTEM32\TASKS\k36556502, Quarantined, [1396], [402165],1.0.2591

    Physical Sector: 0
    (No malicious items detected)


    (end)

  4. I'm just not having any luck with it :/

    I'm gonna head home and will bring the 8GB stick back to the office in the morning. Let me know what the next step is when you get a chance. I could maybe create the recovery media at home so it's ready to go when I get to work.

    I've read a lot of posts and it seems that it's gotten harder and harder to get rid of.

    I really do appreciate you taking the time to help me out here.

  5. Microsoft Windows [Version 10.0.15063]
    (c) 2017 Microsoft Corporation. All rights reserved.

    C:\WINDOWS\system32>bcdedit

    Windows Boot Manager
    --------------------
    identifier              {bootmgr}
    device                  partition=\Device\HarddiskVolume2
    description             Windows Boot Manager
    locale                  en-US
    inherit                 {globalsettings}
    default                 {current}
    resumeobject            {6cae4a1a-767d-11e7-8356-a4a36db125b3}
    displayorder            {current}
    toolsdisplayorder       {memdiag}
    timeout                 0
    displaybootmenu         Yes

    Windows Boot Loader
    -------------------
    identifier              {current}
    device                  partition=C:
    path                    \WINDOWS\system32\winload.exe
    description             Windows 10
    locale                  en-US
    inherit                 {bootloadersettings}
    recoverysequence        {9674cd71-767d-11e7-8356-a4a36db125b3}
    displaymessageoverride  Recovery
    recoveryenabled         Yes
    allowedinmemorysettings 0x15000075
    osdevice                partition=C:
    systemroot              \WINDOWS
    resumeobject            {6cae4a1a-767d-11e7-8356-a4a36db125b3}
    nx                      OptIn
    bootmenupolicy          Standard

    C:\WINDOWS\system32>

  6. Fix result of Farbar Recovery Scan Tool (x64) Version: 12-08-2017
    Ran by Michael (14-08-2017 19:51:26) Run:2
    Running from C:\Users\Michael\Desktop
    Loaded Profiles: Michael (Available Profiles: Michael)
    Boot Mode: Normal
    ==============================================

    fixlist content:
    *****************
    CMD: bcdedit.exe /set {bootmgr} displaybootmenu yes
    CMD: bcdedit.exe /set {default} recoveryenabled yes
    *****************


    ========= bcdedit.exe /set {bootmgr} displaybootmenu yes =========

    The operation completed successfully.

    ========= End of CMD: =========


    ========= bcdedit.exe /set {default} recoveryenabled yes =========

    The operation completed successfully.

    ========= End of CMD: =========


    ==== End of Fixlog 19:51:26 ====
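
Added example, not part of redgt00's posts and not code from Malwarebytes, AdwCleaner, JRT or FRST: a PowerShell check to run from an elevated prompt on the cleaned machine. It re-inspects the persistence points the logs in posts 2 and 3 list (the Image File Execution Options Debugger keys for explorer.exe, the ProxyEnable/ProxyOverride values in every loaded user hive and the NlaSvc ManualProxies key, the digit-named, ts/k-prefixed and update-sys scheduled tasks plus the legacy .job files JRT removed, and the GoogleChromeAutoLaunch_ Run value), then parses bcdedit /enum to confirm the displaybootmenu and recoveryenabled settings that the FRST fix in post 6 set. The task-name regex and the AppData/Temp path heuristic are assumptions derived from the names in those logs, not Malwarebytes' detection logic; Get-BcdEntries is a helper written for this example and assumes English-language bcdedit output.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Re-checks the persistence points named in
# the AdwCleaner, JRT and Malwarebytes logs above and the two BCD settings the
# FRST fix restored. Name patterns below are assumptions derived from those logs.

$findings = [System.Collections.Generic.List[string]]::new()

# 1. IFEO: a Debugger value under explorer.exe (native or WOW6432Node) makes the
#    named binary run instead of the real shell; the MB log flagged both keys.
$ifeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)
foreach ($root in $ifeoRoots) {
    if (-not (Test-Path $root)) { continue }
    foreach ($sub in Get-ChildItem $root) {
        $dbg = (Get-ItemProperty $sub.PSPath -ErrorAction SilentlyContinue).Debugger
        if ($dbg) { $findings.Add("IFEO Debugger for $($sub.PSChildName): $dbg") }
    }
}

# 2. Proxy hijack: the DotDo entries set ProxyEnable in every loaded hive
#    (including S-1-5-18 and .DEFAULT) and populated NlaSvc ManualProxies.
foreach ($hive in Get-ChildItem 'Registry::HKEY_USERS') {
    $sid = $hive.PSChildName
    if ($sid -like '*_Classes') { continue }
    $p = Get-ItemProperty "Registry::HKEY_USERS\$sid\Software\Microsoft\Windows\CurrentVersion\Internet Settings" -ErrorAction SilentlyContinue
    if ($p -and ($p.ProxyEnable -eq 1 -or $p.AutoConfigURL)) {
        $findings.Add("Proxy in ${sid}: ProxyServer='$($p.ProxyServer)' AutoConfigURL='$($p.AutoConfigURL)' Override='$($p.ProxyOverride)'")
    }
}
$manual = Get-Item 'HKLM:\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet\ManualProxies' -ErrorAction SilentlyContinue
if ($manual -and $manual.ValueCount -gt 0) {
    # Listed for review only; a populated key is not proof of infection by itself.
    $findings.Add("NlaSvc ManualProxies has values: $($manual.GetValueNames() -join ', ')")
}

# 3. Scheduled tasks: the logs show tasks named with bare digits, ts<digits>,
#    k<digits>, tsk<digits> and update-sys / update-<SID>; JRT also removed .job files.
$taskPattern = '^(\d{6,}|ts\d+|k\d+|tsk\d+|update-)'   # assumption: from the logged names
foreach ($t in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    $exe = @($t.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
    if ($t.TaskName -match $taskPattern -or $exe -match '\\AppData\\|\\Temp\\') {
        $findings.Add("Task $($t.TaskPath)$($t.TaskName) -> $exe")
    }
}
foreach ($job in Get-ChildItem "$env:SystemRoot\Tasks" -Filter *.job -ErrorAction SilentlyContinue) {
    $findings.Add("Legacy task file present: $($job.FullName)")
}

# 4. Run keys: JRT removed an HKCU Run value named GoogleChromeAutoLaunch_<hex>.
$runKeys = @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run')
foreach ($k in $runKeys) {
    $key = Get-Item $k -ErrorAction SilentlyContinue
    if (-not $key) { continue }
    foreach ($name in $key.GetValueNames()) {
        $data = [string]$key.GetValue($name)
        if ($name -like 'GoogleChromeAutoLaunch_*' -or $data -match '\\AppData\\Local\\Temp\\') {
            $findings.Add("Run value '$name' in ${k}: $data")
        }
    }
}

# 5. BCD: parse `bcdedit /enum` text (assumption: en-US output) into one
#    hashtable per entry and confirm the two settings the FRST fix applied.
function Get-BcdEntries {
    $entries = [System.Collections.Generic.List[hashtable]]::new()
    $cur = $null
    foreach ($line in (bcdedit /enum)) {
        if ($line -match '^-{5,}\s*$' -or $line -notmatch '\S') { continue }   # separators, blanks
        if ($line -match '^(\S+)\s{2,}(.+)$') {
            if ($cur) { $cur[$matches[1]] = $matches[2].Trim() }            # "key   value"
        } else {
            $cur = @{ section = $line.Trim() }                              # e.g. Windows Boot Loader
            $entries.Add($cur)
        }
    }
    return $entries
}
foreach ($e in Get-BcdEntries) {
    if ($e.identifier -eq '{bootmgr}' -and $e.displaybootmenu -ne 'Yes') {
        $findings.Add('Boot manager: displaybootmenu is not Yes (boot/recovery menu hidden)')
    }
    if ($e.path -match 'winload' -and $e.recoveryenabled -ne 'Yes') {
        $findings.Add("Loader $($e.identifier): recoveryenabled is not Yes")
    }
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings | ForEach-Object { "[!] $_" } }
```

Save it as a .ps1 and run it from an elevated PowerShell window after the cleanup tools have finished and the machine has rebooted. Every line it prints is something to look at, not a verdict: the HKEY_USERS loop only sees profiles that are currently loaded, legitimate software can run tasks from AppData, and a populated ManualProxies key or a missing displaybootmenu entry is only a problem if you did not put it there yourself.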
