No idea what I'm doing or how to read my scan results. Help?

Here's my scan log. What are my next steps? Thanks in advance.


Malwarebytes Anti-Malware



Database version: v2013.08.03.05


Windows Vista Service Pack 2 x64 NTFS

Internet Explorer 9.0.8112.16421

Shoegazer :: SHOEGAZER-PC [administrator]


8/3/2013 11:09:49 AM

MBAM-log-2013-08-03 (12-36-31).txt


Scan type: Full scan (C:\|)

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 468946

Time elapsed: 1 hour(s), 26 minute(s), 28 second(s)


Memory Processes Detected: 2

C:\Users\Shoegazer\AppData\Roaming\WinRAR\hkcmd.exe (Heuristics.Shuriken) -> 3244 -> No action taken.

C:\Users\Shoegazer\AppData\Local\Temp\hscvikffis\cxxqnqqrkqk.exe (Heuristics.Shuriken) -> 5236 -> No action taken.


Memory Modules Detected: 0

(No malicious items detected)


Registry Keys Detected: 0

(No malicious items detected)


Registry Values Detected: 1

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Keyboard Inf. (Heuristics.Shuriken) -> Data: C:\Users\Shoegazer\AppData\Roaming\WinRAR\hkcmd.exe -> No action taken.


Registry Data Items Detected: 1

HKCU\SOFTWARE\Microsoft\Internet Explorer\Main|Start Page (PUP.Optional.Conduit) -> Bad: (http://search.conduit.com?SearchSource=10&CUI=UN25421739872257645&UM=2&ctid=CT3299568) Good: (http://www.google.com) -> No action taken.


Folders Detected: 0

(No malicious items detected)


Files Detected: 10

C:\Users\Shoegazer\AppData\Roaming\WinRAR\hkcmd.exe (Heuristics.Shuriken) -> No action taken.

C:\Users\Shoegazer\AppData\Local\Temp\hscvikffis\cxxqnqqrkqk.exe (Heuristics.Shuriken) -> No action taken.

C:\Users\Shoegazer\AppData\Local\Temp\ToolbarHelper.exe (PUP.Optional.Conduit.A) -> No action taken.

C:\Users\Shoegazer\AppData\Local\Temp\ct3299568\ctbe.exe (PUP.Optional.Conduit.A) -> No action taken.

C:\Users\Shoegazer\AppData\Local\Temp\ct3299568\ieLogic.exe (PUP.Optional.Conduit.A) -> No action taken.

C:\Users\Shoegazer\AppData\Local\Temp\ct3299568\statisticsStub.exe (PUP.Optional.Conduit.A) -> No action taken.

C:\Users\Shoegazer\AppData\Local\Temp\pghqsaunbskwbpkj\ljpbwoewwxug.exe (Heuristics.Shuriken) -> No action taken.

C:\Users\Shoegazer\AppData\Roaming\AccurateRip\hkcmd.exe (Heuristics.Shuriken) -> No action taken.

C:\Users\Shoegazer\AppData\Roaming\Adobe\hkcmd.exe (Heuristics.Shuriken) -> No action taken.

C:\Users\Shoegazer\AppData\Roaming\OpenCandy\F883B10D1FD84A83BB6CB62B84A97EBF\mconduitinstaller.exe (PUP.Optional.Conduit.A) -> No action taken.




I kept receiving a program error for 'hkcmd.exe' so I ran a full scan with MBAM and got those results.


I googled 'Heuristics.Shuriken' and 'PUP.Optional.Conduit.A' and received a bunch of sites and forum posts with complicated instructions involving RogueKiller, etc. The logs for those problems seemed dissimilar to my own, so I didn't know what to do.


RogueKiller is a good place to start:

Please download and run RogueKiller 32 Bit to your desktop.

RogueKiller 64 Bit <---use this one for 64 bit systems

Quit all running programs.

For Windows XP, double-click to start.

For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

(please don't put logs in code or quotes)



RogueKiller V8.6.4 _x64_ [Jul 29 2013] by Tigzy

mail : tigzyRK<at>gmail<dot>com


Operating System : Windows Vista (6.0.6002 Service Pack 2) 64 bits version

Started in : Normal mode

User : Shoegazer [Admin rights]

Mode : Scan -- Date : 08/03/2013 14:38:05

| ARK || FAK || MBR |


¤¤¤ Bad processes : 0 ¤¤¤


¤¤¤ Registry Entries : 4 ¤¤¤

[HJ POL] HKLM\[...]\System : EnableLUA (0) -> FOUND

[HJ POL] HKLM\[...]\Wow6432Node\[...]\System : EnableLUA (0) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND


¤¤¤ Scheduled tasks : 0 ¤¤¤


¤¤¤ Startup Entries : 0 ¤¤¤


¤¤¤ Web browsers : 0 ¤¤¤


¤¤¤ Particular Files / Folders: ¤¤¤


¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤


¤¤¤ External Hives: ¤¤¤


¤¤¤ Infection :  ¤¤¤


¤¤¤ HOSTS File: ¤¤¤

--> %SystemRoot%\System32\drivers\etc\hosts       localhost

::1             localhost



¤¤¤ MBR Check: ¤¤¤


+++++ PhysicalDrive0: ST375052 8AS SCSI Disk Device +++++

--- User ---

[MBR] 427e00a2a3cb63d9cd10f86a25f31d1b

[bSP] cbe1a3892920c024e3e7b9efc684338e : MBR Code unknown

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 701204 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 1436066415 | Size: 14198 Mo

User = LL1 ... OK!

Error reading LL2 MBR!


+++++ PhysicalDrive1: ST375052 8AS SCSI Disk Device +++++

Error reading User MBR!

User = LL1 ... OK!

Error reading LL2 MBR!


Finished : << RKreport[0]_S_08032013_143805.txt >>


That looks OK.....Next:

Please download AdwCleaner from here and save it on your Desktop.

AdwCleaner is a reliable removal tool for Adware, Foistware, toolbars and potentially unwanted programs.

AdwCleaner is a tool that deletes :

· Adwares (software ads)

· PUP/LPI (Potentially Undesirable Program)

· Toolbars

· Hijacker (Hijack of the browser's homepage)

It works with a Search and Deletion method. It can be easily uninstalled using the "Uninstall" mode.

  • Right-click on adwcleaner.exe and select Run As Administrator (for XP just double click) to launch the application.
  • Now click on the Search tab.
  • Please post the contents of the log-file created in your next post.
Note: The log can also be located at C:\ >> AdwCleaner[XX].txt >> XX <-- Denotes the number of times the application has been run, so in this case it should be something like R1.


Please look over what was found......especially any folders, we're going to permanently delete it all in the next step....if there's something you may want to keep...please let me know and I'll explain why it shouldn't be on your system.

If you see AVG Secure Search being targeted for deletion, Here's Why and Here. You can always Reinstall it.

Please note that Antivir Webguard uses ASK Toolbar as part of its web security. If you remove ASK by using AdwCleaner, Antivir Webguard will no longer work properly. Therefore, if you use this program please use the instructions below to access the options screen where you should enable /DisableAskDetection before using AdwCleaner.

You can click on the question mark (?) in the upper left corner of the program and then click on Options. You will then be presented with a dialog where you can disable various detections. These options are described below:

/DisableAskDetection - This option disables Ask Toolbar detection.



I don't see anything I want to keep.


# AdwCleaner v2.306 - Logfile created 08/03/2013 at 15:36:30

# Updated 19/07/2013 by Xplode

# Operating system : Windows Vista Home Premium Service Pack 2 (64 bits)

# User : Shoegazer - SHOEGAZER-PC

# Boot Mode : Normal

# Running from : C:\Users\Shoegazer\Desktop\adwcleaner.exe

# Option [search]



***** [services] *****



***** [Files / Folders] *****


File Found : C:\END

File Found : C:\Users\Shoegazer\AppData\Roaming\Mozilla\Firefox\Profiles\krm7eab7.default\searchplugins\Conduit.xml

Folder Found : C:\Program Files (x86)\Conduit

Folder Found : C:\Users\SHOEGA~1\AppData\Local\Temp\CT3299568

Folder Found : C:\Users\Shoegazer\AppData\Local\Conduit

Folder Found : C:\Users\Shoegazer\AppData\LocalLow\Conduit

Folder Found : C:\Users\Shoegazer\AppData\Roaming\Mozilla\Firefox\Profiles\krm7eab7.default\CT3299568

Folder Found : C:\Users\Shoegazer\AppData\Roaming\Mozilla\Firefox\Profiles\krm7eab7.default\extensions\{77beece6-3997-403a-92fa-0055bfcf88e5}

Folder Found : C:\Users\Shoegazer\AppData\Roaming\OpenCandy


***** [Registry] *****


Key Found : HKCU\Software\AppDataLow\Software\Conduit

Key Found : HKCU\Software\AppDataLow\Software\ConduitSearchScopes

Key Found : HKCU\Software\AppDataLow\Software\SmartBar

Key Found : HKCU\Software\Conduit

Key Found : HKCU\Software\Softonic

Key Found : HKLM\Software\Conduit

Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}


***** [internet Browsers] *****


-\\ Internet Explorer v9.0.8112.16496


[OK] Registry is clean.


-\\ Mozilla Firefox v18.0.1 (en-US)


File : C:\Users\Shoegazer\AppData\Roaming\Mozilla\Firefox\Profiles\krm7eab7.default\prefs.js


Found : user_pref("CT3299568.FF19Solved", "true");

Found : user_pref("CT3299568.UserID", "UN33640493412220023");

Found : user_pref("CT3299568.addressUrlXPETakeover", "true");

Found : user_pref("CT3299568.autoDisableScopes", -1);

Found : user_pref("CT3299568.browser.search.defaultthis.engineName", "true");

Found : user_pref("CT3299568.defaultSearchXPETakeover", "true");

Found : user_pref("CT3299568.fullUserID", "UN33640493412220023.IN.20130706133902");

Found : user_pref("CT3299568.installDate", "06/07/2013 13:39:02");

Found : user_pref("CT3299568.installSessionId", "{0C0ADF2E-4777-44C8-8C1F-8C3EEFE60BFE}");

Found : user_pref("CT3299568.installSp", "TRUE");

Found : user_pref("CT3299568.installerVersion", "");

Found : user_pref("CT3299568.keyword", "true");

Found : user_pref("CT3299568.originalHomepage", "about:home");

Found : user_pref("CT3299568.originalSearchAddressUrl", "");

Found : user_pref("CT3299568.originalSearchEngine", "");

Found : user_pref("CT3299568.searchRevert", "false");

Found : user_pref("CT3299568.searchUserMode", "2");

Found : user_pref("CT3299568.smartbar.homepage", "true");

Found : user_pref("CT3299568.startPageXPETakeover", "true");

Found : user_pref("CT3299568.versionFromInstaller", "");

Found : user_pref("Smartbar.SearchFromAddressBarSavedUrl", "");

Found : user_pref("browser.search.defaultthis.engineName", "entrusted11 Customized Web Search");

Found : user_pref("browser.search.selectedEngine", "entrusted11 Customized Web Search");

Found : user_pref("smartbar.addressBarOwnerCTID", "CT3299568");

Found : user_pref("smartbar.defaultSearchOwnerCTID", "CT3299568");

Found : user_pref("smartbar.homePageOwnerCTID", "CT3299568");

Found : user_pref("smartbar.machineId", "RGN+EG+9+Q7APAG2GDUUU80SRQLIUZBJ+3JW9GPVJCPFBUV7LSOJGBLQIU7USFGD3P4[...]


-\\ Google Chrome v28.0.1500.95


File : C:\Users\Shoegazer\AppData\Local\Google\Chrome\User Data\Default\Preferences





AdwCleaner[R1].txt - [4558 octets] - [03/08/2013 15:36:30]


########## EOF - C:\AdwCleaner[R1].txt - [4618 octets] ##########


Some adware found....let's clear it out.....

  • Please re-run AdwCleaner
  • Click on Delete button.
  • Your computer will be rebooted automatically. A text file will open after the restart. Please post the content of that logfile in your reply.
Note: You can find the logfile at C:\AdwCleaner[sn].txt as well - n is the order number.


Open up Malwarebytes > Settings Tab > Scanner Settings > Under action for PUP > Select Show in Results List and Check for removal.

Please Update and run a Quick Scan with Malwarebytes Anti-Malware, post the report.

Make sure that everything is checked, and click Remove Selected.

Please let me know how the computer is running now, MrC


Seems fine. Thanks for your time and assistance.


Malwarebytes Anti-Malware
Database version: v2013.08.03.05
Windows Vista Service Pack 2 x64 NTFS
Internet Explorer 9.0.8112.16421
Shoegazer :: SHOEGAZER-PC [administrator]
8/3/2013 5:21:37 PM
mbam-log-2013-08-03 (17-21-37).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 245517
Time elapsed: 5 minute(s), 37 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)


Let's check your computer's security before you go, and we have a little cleanup to do also:

Download Security Check by screen317 from HERE or HERE.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • If you get "Unsupported operating system. Aborting now", just reboot and try again.
  • A Notepad document should open automatically called checkup.txt.
  • Please Post the contents of that document.
  • Do Not Attach It!!!

Results of screen317's Security Check version 0.99.71  

 Windows Vista Service Pack 2 x64 (UAC is disabled!)  

 Internet Explorer 9  

 Internet Explorer 8  

``````````````Antivirus/Firewall Check:`````````````` 

 Windows Firewall Enabled!  

Microsoft Security Essentials   

 Antivirus up to date!  

`````````Anti-malware/Other Utilities Check:````````` 

 Malwarebytes Anti-Malware version  

 JavaFX 2.1.1    

 Java 7 Update 25  

 Adobe Flash Player 11.7.700.224  

 Adobe Reader 10.1.7 Adobe Reader out of Date!  

 Mozilla Firefox 18.0.1 Firefox out of Date!  

 Google Chrome 28.0.1500.72  

 Google Chrome 28.0.1500.95  

````````Process Check: objlist.exe by Laurent````````  

 Microsoft Security Essentials MSMpEng.exe 

 Microsoft Security Essentials msseces.exe 

`````````````````System Health check````````````````` 

 Total Fragmentation on Drive C: 0 % 

````````````````````End of Log`````````````````````` 

Outdated programs on the system are vulnerable to malware.
Please update or uninstall them:


Adobe Reader 10.1.7 Adobe Reader out of Date! <---please check for an update if available or uninstall and download and install Foxit Reader which is less vulnerable to malware and much better than Adobe. Don't install any toolbars that may come with it (ASK Toolbar).



Mozilla Firefox 18.0.1 Firefox out of Date! <---please check for an update if available


Google Chrome 28.0.1500.72 <-----OLD
Google Chrome 28.0.1500.95 <-----OK

You have old versions of Google Chrome on the system.
Please download and run OldChromeRemover.
@Windows Vista/Windows 7-8 users must use “Run As Administrator.”


A little clean up to do....

Please Uninstall ComboFix: (if you used it)

Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /


Then hit enter.
This will uninstall ComboFix, delete its related folders and files, hide file extensions, hide the system/hidden files, clear the System Restore cache and create a new Restore point.

(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall or download and run the uninstaller)


If you used DeFogger to disable your CD Emulation drivers, please re-enable them.


Please download OTC to your desktop.

Double-click OTC to run it. (Vista and up users, please right click on OTC and select "Run as an Administrator")
Click on the CleanUp! button and follow the prompts.
(If you get a warning from your firewall or other security programs regarding OTC attempting to contact the Internet, please allow the connection.)
You will be asked to reboot the machine to finish the Cleanup process, choose Yes.
After the reboot all the tools we used should be gone.
Note: Some more recently created tools may not yet be removed by OTC. Feel free to manually delete any tools it leaves behind.

Any other programs or logs you can manually delete.
IE: RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST, MBAR, etc....AdwCleaner > just run the program and click uninstall.


Any questions...please post back.

If you think I've helped you, please leave a comment > click on my avatar picture > click Profile Feed.

Take a look at My Preventive Maintenance to avoid being infected again. (may be down right now)
Cached version:

Good Luck and Thanks for using the forum, MrC


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


This topic is now closed to further replies.