
Removing traces of Bitcoin miner



I just scanned my brother's computer with Malwarebytes and found a whole lot of Bitcoin mining processes. I quarantined them all, but I would really like to delete all traces of it and make sure the PC is clear of any sort of viruses. Here is the MBAM log:

 

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 04/05/2014
Scan Time: 16:50:56
Logfile: 
Administrator: Yes
 
Version: 2.00.1.1004
Malware Database: v2014.05.04.03
Rootkit Database: v2014.03.27.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Chameleon: Disabled
 
OS: Windows 8.1
CPU: x64
File System: NTFS
User: user
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 295923
Time Elapsed: 24 min, 49 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Shuriken: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 4
PUP.Optional.Cgminer, C:\Users\user\AppData\Local\Temp\sBGi7BwmrLJ.exe, 4460, Delete-on-Reboot, [bca70746a7d424124a149ea26e935ea2]
PUP.Optional.Cgminer, C:\Users\user\AppData\Local\Temp\m5IKzFKXe09.exe, 4792, Delete-on-Reboot, [e67da6a7d7a4ae885905b18f9f6211ef]
PUP.Optional.Cgminer, C:\Users\user\AppData\Local\Temp\RarSFX19\klp10svc.exe, 8188, Delete-on-Reboot, [9ac94c011f5c51e5e17df24e08f97e82]
PUP.Optional.Cgminer, C:\Users\user\AppData\Local\Temp\RarSFX18\klp10svc.exe, 8020, Delete-on-Reboot, [66fd6ae3f289bf77c49a68d8dc25649c]
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 15
PUP.Optional.QuickShare.A, HKLM\SOFTWARE\CLASSES\CLSID\{31AD400D-1B06-4E33-A59A-90C2C140CBA0}, Quarantined, [f46f3c1196e57db9ca914d079072da26], 
PUP.Optional.QuickShare.A, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{31AD400D-1B06-4E33-A59A-90C2C140CBA0}, Quarantined, [f46f3c1196e57db9ca914d079072da26], 
PUP.Optional.BrowseFox.A, HKLM\SOFTWARE\CLASSES\CLSID\{4AA46D49-459F-4358-B4D1-169048547C23}, Quarantined, [580b450815661b1b4ca0a5af907216ea], 
PUP.Optional.Datamngr.A, HKLM\SOFTWARE\CLASSES\CLSID\{A40DC6C5-79D0-4ca8-A185-8FF989AF1115}, Quarantined, [e38057f6daa174c2f2bbe96c1be71ee2], 
PUP.Optional.Datamngr.A, HKLM\SOFTWARE\CLASSES\CLSID\{CC1AC828-BB47-4361-AFB5-96EEE259DD87}, Quarantined, [fa690f3e19625ed8c7e773e2b1517f81], 
PUP.Optional.OutBrowse, HKLM\SOFTWARE\CLASSES\INTERFACE\{3408AC0D-510E-4808-8F7B-6B70B1F88534}, Quarantined, [72f150fd8af1b2843b108a96d32f9e62], 
PUP.Optional.OutBrowse, HKLM\SOFTWARE\CLASSES\TypeLib\{DCABB943-792E-44C4-9029-ECBEE6265AF9}, Quarantined, [6ff487c66b10f541f754ba6620e28f71], 
PUP.Optional.Amonetize.A, HKLM\SOFTWARE\CLASSES\TYPELIB\{363BB65D-1747-4826-B445-1DA6244E2037}, Quarantined, [60034706afccc1752d662a184eb22fd1], 
PUP.Optional.Amonetize.A, HKLM\SOFTWARE\CLASSES\INTERFACE\{9EDC0C90-2B5B-4512-953E-35767BAD5C67}, Quarantined, [60034706afccc1752d662a184eb22fd1], 
PUP.Optional.Amonetize.A, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{9EDC0C90-2B5B-4512-953E-35767BAD5C67}, Quarantined, [60034706afccc1752d662a184eb22fd1], 
PUP.Optional.Amonetize.A, HKLM\SOFTWARE\WOW6432NODE\CLASSES\TYPELIB\{363BB65D-1747-4826-B445-1DA6244E2037}, Quarantined, [60034706afccc1752d662a184eb22fd1], 
PUP.Optional.MusicToolBar.A, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{6fcaba44-a441-481f-895e-bddfd81a6cc2}, Quarantined, [c99a91bc81fa3afc521c5be1df25bc44], 
PUP.Optional.MusicToolBar.A, HKLM\SOFTWARE\CLASSES\CLSID\{6FCABA44-A441-481F-895E-BDDFD81A6CC2}, Quarantined, [c99a91bc81fa3afc521c5be1df25bc44], 
PUP.Optional.MusicToolBar.A, HKU\S-1-5-21-1375052093-4268391962-1033398323-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{6FCABA44-A441-481F-895E-BDDFD81A6CC2}, Quarantined, [c99a91bc81fa3afc521c5be1df25bc44], 
PUP.Optional.MusicToolBar.A, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\PREAPPROVED\{6FCABA44-A441-481F-895E-BDDFD81A6CC2}, Quarantined, [c99a91bc81fa3afc521c5be1df25bc44], 
 
Registry Values: 1
PUP.Optional.MusicToolBar.A, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\TOOLBAR|{6FCABA44-A441-481F-895E-BDDFD81A6CC2}, Music Toolbar (Dist. by Bandoo Media, Inc.), Quarantined, [c99a91bc81fa3afc521c5be1df25bc44]
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 15
PUP.Optional.Cgminer, C:\Users\user\AppData\Local\Temp\sBGi7BwmrLJ.exe, Delete-on-Reboot, [bca70746a7d424124a149ea26e935ea2], 
PUP.Optional.Cgminer, C:\Users\user\AppData\Local\Temp\m5IKzFKXe09.exe, Delete-on-Reboot, [e67da6a7d7a4ae885905b18f9f6211ef], 
PUP.Optional.Cgminer, C:\Users\user\AppData\Local\Temp\RarSFX19\klp10svc.exe, Quarantined, [9ac94c011f5c51e5e17df24e08f97e82], 
PUP.Optional.Cgminer, C:\Users\user\AppData\Local\Temp\RarSFX18\klp10svc.exe, Quarantined, [66fd6ae3f289bf77c49a68d8dc25649c], 
PUP.Optional.Cgminer, C:\Users\user\AppData\Local\Temp\w1qT7f5eqCe.exe, Quarantined, [b1b271dc1764241277e752eeed141de3], 
PUP.Optional.Cgminer, C:\Users\user\AppData\Local\Temp\lG6etMNYfZZ.exe, Quarantined, [abb874d9adcef54147171a2625dca858], 
PUP.Optional.Cgminer, C:\Users\user\AppData\Local\Temp\lvMOVB3wN1S.exe, Quarantined, [78ebd974cfacd0669fbf76caaf5207f9], 
PUP.Optional.Cgminer, C:\Users\user\AppData\Local\Temp\AuVZOXilPNL.exe, Quarantined, [2241450808730333f16d023e986948b8], 
PUP.Optional.Cgminer, C:\Users\user\AppData\Local\Temp\oLntYjPWLJo.exe, Quarantined, [90d3bc91a3d8a5911f3fec54c041768a], 
PUP.Optional.Cgminer, C:\Users\user\AppData\Local\Temp\38VzDw0FcJg.exe, Quarantined, [273c61ec196286b0d28c241cde23966a], 
PUP.Optional.Cgminer, C:\Users\user\AppData\Local\Temp\RarSFX14\klp10svc.exe, Quarantined, [f3706ae39be010267de1f24ee21f728e], 
PUP.Optional.Cgminer, C:\Users\user\AppData\Local\Temp\RarSFX15\klp10svc.exe, Quarantined, [baa959f4ec8f80b63b23f54ba85920e0], 
PUP.Optional.Cgminer, C:\Users\user\AppData\Local\Temp\RarSFX16\klp10svc.exe, Quarantined, [b0b3d07dc7b49b9bbda197a9c83940c0], 
PUP.Optional.Cgminer, C:\Users\user\AppData\Local\Temp\RarSFX17\klp10svc.exe, Quarantined, [6cf764e90c6f42f42f2ff24eec15639d], 
PUP.Optional.Amonetize.A, C:\Users\user\AppData\Local\41\a18467.exe, Quarantined, [60034706afccc1752d662a184eb22fd1], 
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)
 
FRST.txt was run after Malwarebytes had cleaned them up, and has been attached because it is too long to be posted here.
 
 
Ran MBAM once again after FRST, the malware refuses to go away!
 
Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 04/05/2014
Scan Time: 20:26:52
Logfile: scabn2.txt
Administrator: Yes
 
Version: 2.00.1.1004
Malware Database: v2014.05.04.03
Rootkit Database: v2014.03.27.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Chameleon: Disabled
 
OS: Windows 8.1
CPU: x64
File System: NTFS
User: user
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 296369
Time Elapsed: 13 min, 13 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Shuriken: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 4
PUP.Optional.Cgminer, C:\Users\user\AppData\Local\Temp\DaqLV5nhLkq.exe, 3864, Delete-on-Reboot, [5e052d203f3c91a5362870d0ad54cc34]
PUP.Optional.Cgminer, C:\Users\user\AppData\Local\Temp\tzUYHc5OCRt.exe, 5644, Delete-on-Reboot, [fc678ac3b5c61026203eed5337caa759]
PUP.Optional.Cgminer, C:\Users\user\AppData\Local\Temp\RarSFX21\klp10svc.exe, 1772, Delete-on-Reboot, [f56ee16c97e47abc9bc3bb8507fa2cd4]
PUP.Optional.Cgminer, C:\Users\user\AppData\Local\Temp\RarSFX20\klp10svc.exe, 1980, Delete-on-Reboot, [70f37ad32a51fa3c8bd3e8586a97857b]
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 6
PUP.Optional.Cgminer, C:\Users\user\AppData\Local\Temp\DaqLV5nhLkq.exe, Delete-on-Reboot, [5e052d203f3c91a5362870d0ad54cc34], 
PUP.Optional.Cgminer, C:\Users\user\AppData\Local\Temp\tzUYHc5OCRt.exe, Delete-on-Reboot, [fc678ac3b5c61026203eed5337caa759], 
PUP.Optional.Cgminer, C:\Users\user\AppData\Local\Temp\RarSFX21\klp10svc.exe, Quarantined, [f56ee16c97e47abc9bc3bb8507fa2cd4], 
PUP.Optional.Cgminer, C:\Users\user\AppData\Local\Temp\RarSFX20\klp10svc.exe, Quarantined, [70f37ad32a51fa3c8bd3e8586a97857b], 
PUP.Optional.Cgminer, C:\Users\user\AppData\Local\Temp\8gj2Me81k2u.exe, Quarantined, [3132ee5f7a018bab68f637097f8220e0], 
PUP.Optional.Cgminer, C:\Users\user\AppData\Local\Temp\RhvWSv21g0V.exe, Quarantined, [b4af3d103744cf67fd617ac60af7738d], 
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)

  • Root Admin

Please read the following and post back the logs when ready.

General P2P/Piracy Warning:

If you're using peer-to-peer software such as uTorrent, BitTorrent or similar, you must either fully uninstall it or completely disable it from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

Before we proceed further, please read all of the following instructions carefully.

If there is anything that you do not understand kindly ask before proceeding.

If needed please print out these instructions.

  • Please do not post logs using CODE, QUOTE, or FONT tags. Just paste them as direct text.
  • If the log is too large then you can use attachments by clicking on the More Reply Options button.
  • Please enable your system to show hidden files: How to see hidden files in Windows
  • Make sure you're subscribed to this topic:
    • Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly
  • Removing malware can be unpredictable. It is unlikely, but things can go very wrong! Please make sure you back up all files that cannot be replaced if something were to happen. You can copy them to a CD/DVD, external drive or a pen drive.
  • Please don't run any other scans, download, install or uninstall any programs unless requested by me while I'm working with you.
  • The removal of malware is not instantaneous, please be patient. Often we are also on a different Time Zone.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, Stop there and tell me the exact nature of the issue.
  • You can check here if you're not sure if your computer is 32-bit or 64-bit
  • Please disable your antivirus while running any requested scanners so that they do not interfere with the scanners.
  • When we are done, I'll give you instructions on how to cleanup all the tools and logs
  • Please stick with me until I give you the "all clear" and Please don't waste my time by leaving before that.
  • Your topic will be closed if you haven't replied within 3 days
  • (If I have not responded within 24 hours, please send me a Private Message as a reminder)
STEP 0

RKill is a program that was developed at BleepingComputer.com that attempts to terminate known malware processes so that your normal security software can then run and clean your computer of infections.

When RKill runs it will kill malware processes and then remove incorrect executable associations and fix policies that stop us from using certain tools. When finished it will display a log file that shows the processes that were terminated while the program was running.

As RKill only terminates a program's running process, and does not delete any files, after running it you should not reboot your computer, as any malware processes that are configured to start automatically will just be started again. Instead, after running RKill you should immediately scan your computer using the requested scans I've included.

Please download Rkill by Grinler from one of the links below and save it to your desktop.

Link 1

Link 2

  • On Windows XP double-click on the Rkill desktop icon to run the tool.
  • On Windows Vista/Windows 7 or 8, right-click on the Rkill desktop icon and select Run As Administrator
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.
  • Do not reboot the computer, you will need to run the application again.
STEP 01

Backup the Registry:

Modifying the Registry can create unforeseen problems, so it is always wise to create a backup before doing so.

  • Please download ERUNT from one of the following links: Link1 | Link2 | Link3
  • ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.
  • Double click on erunt-setup.exe to Install ERUNT by following the prompts.
  • NOTE: Do not choose to allow ERUNT to add an Entry to the Startup folder. Click NO.
  • Start ERUNT either by double clicking on the desktop icon or choosing to start the program at the end of the setup process.
  • Choose a location for the backup.
    • Note: the default location is C:\Windows\ERDNT which is acceptable.
  • Make sure that at least the first two check boxes are selected.
  • Click on OK
  • Then click on YES to create the folder.
  • Note: if it is necessary to restore the registry, open the backup folder and start ERDNT.exe
STEP 02

Please run a Threat Scan with MBAM. If you're unable to run or complete the scan as shown below please see the following: MBAM Clean Removal Process 2x

When reinstalling the program please try the latest beta version.

Right click and choose "Run as administrator" to open Malwarebytes Anti-Malware and from the Dashboard please Check for Updates by clicking the Update Now... link

Open up Malwarebytes > Settings > Detection and Protection > Enable Scan for rootkit and Under Non Malware Protection set both PUP and PUM to Treat detections as malware.

Click on the SCAN button and run a Threat Scan with Malwarebytes Anti-Malware by clicking the Scan Now>> button.

Once completed please click on the History > Application Logs and find your scan log and open it and then click on the "copy to clipboard" button and post back the results on your next reply.

STEP 03

Please download RogueKiller and save it to your desktop.

You can check here if you're not sure if your computer is 32-bit or 64-bit

  • RogueKiller 32-bit | RogueKiller 64-bit
  • Quit all running programs.
  • For Windows XP, double-click to start.
  • For Vista,Windows 7/8, Right-click on the program and select Run as Administrator to start and when prompted allow it to run.
  • Read and accept the EULA (End User License Agreement)
  • Click Scan to scan the system.
  • When the scan completes Close the program > Don't Fix anything!
  • Don't run any other options, they're not all bad!!
  • Post back the report which should be located on your desktop.
Thank you
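The steps above rely on GUI tools, and RogueKiller's report will list the categories it checks (Run keys, IFEO Debugger values, scheduled tasks, Startup folder shortcuts and policy values) without showing how they are read. The script below is an added example written for this page, not part of the thread and not RogueKiller's or Malwarebytes' own code. It is a read-only enumeration of those same autostart and policy locations, so a practitioner can reproduce and review the findings on a Windows 8.1 or later machine from an elevated PowerShell prompt before anything is "fixed". The path heuristic (`$suspiciousPath`), the `Add-Finding` helper and the CSV output location are my own choices; the script modifies nothing.

```powershell
# Added example, not from the original thread: read-only triage of the autostart
# locations RogueKiller reports on. Run elevated on Windows 8.1+ (PowerShell 3+).
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Kind, [string]$Location, [string]$Value) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Location = $Location; Value = $Value })
}

# Heuristic (assumption): user-writable drop locations and script launchers.
# Anything auto-starting from here deserves a look; a dropper in C:\Windows
# (like the DAODx.exe in this thread) will NOT match and must be reviewed by hand.
$suspiciousPath = '(?i)\\AppData\\Local\\Temp\\|\\AppData\\Roaming\\|\\ProgramData\\|\.vbs\b'

# 1. Run keys (64-bit, 32-bit view, and current user).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip PSPath/PSParentPath/... noise
        if ("$($p.Value)" -match $suspiciousPath) { Add-Finding 'RUN' "$key : $($p.Name)" $p.Value }
    }
}

# 2. Image File Execution Options: a Debugger value makes Windows launch that
#    program instead of the named executable. Pointing it at tasklist.exe
#    (as in this thread) silently prevents the target from ever running.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem -Path $ifeo | ForEach-Object {
    $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { Add-Finding 'IFEO' $_.PSChildName $dbg }
}

# 3. Scheduled tasks whose action runs from a user-writable path or via a script host.
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)".Trim()
        if ($cmd -match $suspiciousPath -or $a.Execute -match '(?i)wscript|cscript') {
            Add-Finding 'TASK' "$($task.TaskPath)$($task.TaskName)" $cmd
        }
    }
}

# 4. Startup folder shortcuts: resolve each .lnk to its real target.
$shell = New-Object -ComObject WScript.Shell
$startupDirs = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))
foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
        $lnk    = $shell.CreateShortcut($_.FullName)
        $target = "$($lnk.TargetPath) $($lnk.Arguments)".Trim()
        if ($target -match $suspiciousPath -or $lnk.TargetPath -notmatch '^(?i)[a-z]:\\(Program Files|Windows)') {
            Add-Finding 'STARTUP' $_.FullName $target
        }
    }
}

# 5. Policy values (RogueKiller's [HJ POL][PUM] class). A home system normally has
#    none of these under HKCU at all, so their mere presence is worth reporting;
#    EnableLUA is only honoured under HKLM, where 0 means UAC is off.
$hkcuPol = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
foreach ($name in 'DisableTaskMgr', 'DisableRegistryTools', 'EnableLUA') {
    $v = (Get-ItemProperty -Path $hkcuPol -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -ne $v) { Add-Finding 'POLICY' "$hkcuPol : $name" $v }
}
$lua = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
        -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
if ($lua -eq 0) { Add-Finding 'POLICY' 'HKLM ... \Policies\System : EnableLUA' $lua }

# Report on screen and keep a copy next to the other logs (path is an assumption).
$findings | Format-Table -AutoSize -Wrap
$findings | Export-Csv -Path "$env:USERPROFILE\Desktop\autostart-triage.csv" -NoTypeInformation
```

Keep the output with the RogueKiller report rather than acting on it: the helper's instruction to fix nothing applies here too, and the CSV gives a before/after record once the cleanup script has been run. Legitimate IFEO entries exist (debuggers and some vendor tools register them), so treat the IFEO list as a review queue, not a verdict.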

uTorrent uninstalled; the others I am not so sure about.

 

STEP 0 - DONE!

 

Here is the log for Rkill

 

Rkill 2.6.5 by Lawrence Abrams (Grinler)
Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
 
Program started at: 05/06/2014 06:46:58 PM in x64 mode.
Windows Version: Windows 8.1 
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 * C:\Windows\DAODx.exe (PID: 1664) [WD-HEUR]
 * C:\Users\user\AppData\Roaming\Systems Cache\IdleServ.exe (PID: 3804) [UP-HEUR]
 * C:\Users\user\AppData\Roaming\Systems Cache\IdleServ.exe (PID: 4144) [UP-HEUR]
 * C:\Users\user\AppData\Local\Temp\RarSFX27\SystemWhileIdle.exe (PID: 4432) [UP-HEUR]
 * C:\Users\user\AppData\Local\Temp\78asOTgh5S3.exe (PID: 4624) [UP-HEUR]
 * C:\Users\user\AppData\Local\Temp\RarSFX29\SystemWhileIdle.exe (PID: 4116) [UP-HEUR]
 
6 proccesses terminated!
 
Checking Registry for malware related settings:
 
 * No issues found in the Registry.
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
 
Performing miscellaneous checks:
 
 * No issues found.
 
Checking Windows Service Integrity: 
 
 * MsKeyboardFilter [Missing Service]
 * CSC [Missing Service]
 * E1G60 [Missing Service]
 * HdAudAddService [Missing Service]
 * kbldfltr [Missing Service]
 * storvsp [Missing Service]
 * Vid [Missing Service]
 * vmbusr [Missing Service]
 * vpcivsp [Missing Service]
 
Searching for Missing Digital Signatures: 
 
 * No issues found.
 
Checking HOSTS File: 
 
 * No issues found.
 
Program finished at: 05/06/2014 06:48:38 PM
Execution time: 0 hours(s), 1 minute(s), and 40 seconds(s)
STEP 01 - DONE!
 
STEP 02 - DONE! But I am having trouble with the MBAM UI: it always freezes and wants me to close and relaunch the software before anything can be done. I also noticed that dgen.exe uses up the CPU.
 
Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 06/05/2014
Scan Time: 19:19:28
Logfile: 
Administrator: Yes
 
Version: 2.00.1.1004
Malware Database: v2014.05.06.04
Rootkit Database: v2014.03.27.01
License: Trial
Malware Protection: Disabled
Malicious Website Protection: Disabled
Chameleon: Disabled
 
OS: Windows 8.1
CPU: x64
File System: NTFS
User: user
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 297222
Time Elapsed: 20 min, 37 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Shuriken: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 11
PUP.Optional.Cgminer, C:\Users\user\AppData\Local\Temp\Nmh9QhQJO3l.exe, Quarantined, [7a861ae667998e72afed4cf4ed140af6], 
PUP.Optional.Cgminer, C:\Users\user\AppData\Local\Temp\78asOTgh5S3.exe, Quarantined, [2dd31ce4a55bae525d3f1a2615ecc33d], 
PUP.Optional.Cgminer, C:\Users\user\AppData\Local\Temp\gmfgcIprUN9.exe, Quarantined, [c7393fc123dd837d5c4094acaf523cc4], 
PUP.Optional.Cgminer, C:\Users\user\AppData\Local\Temp\GygjIthMK7W.exe, Quarantined, [4ab69b65da26b8484c505be515ec28d8], 
PUP.Optional.Cgminer, C:\Users\user\AppData\Local\Temp\H9WeyGCJb5t.exe, Quarantined, [60a0ef11db25758b3a62b38d30d134cc], 
PUP.Optional.Cgminer, C:\Users\user\AppData\Local\Temp\iCFzlBL6lv9.exe, Quarantined, [42bebb450af6847cd9c3c878857c8878], 
PUP.Optional.Cgminer, C:\Users\user\AppData\Local\Temp\uNvqayO2qOn.exe, Quarantined, [22de51afd729a15fa9f31927b54c9d63], 
PUP.Optional.Cgminer, C:\Users\user\AppData\Local\Temp\VED725qM7UD.exe, Quarantined, [f709728eba462bd5d5c70f313ec32bd5], 
PUP.Optional.Cgminer, C:\Users\user\AppData\Local\Temp\Q7AegZ6cD1x.exe, Quarantined, [a15fbf41f20e59a717854ef2de233cc4], 
PUP.Optional.Cgminer, C:\Users\user\AppData\Local\Temp\BgCxQbXbZCv.exe, Quarantined, [53ad827e4ab60cf49dff48f824ddf20e], 
PUP.Optional.Cgminer, C:\Users\user\AppData\Local\Temp\a8RE9pxJCeU.exe, Quarantined, [09f708f8f80828d82973dc64857c867a], 
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)

 

STEP 03 - DONE! Logs:

 

RogueKiller V8.8.15 _x64_ [Mar 27 2014] by Adlice Software
 
Operating System : Windows 8.1 (6.3.9200 ) 64 bits version
Started in : Normal mode
User : user [Admin rights]
Mode : Scan -- Date : 05/06/2014 19:24:04
| ARK || FAK || MBR |
 
¤¤¤ Bad processes : 0 ¤¤¤
 
¤¤¤ Registry Entries : 33 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : System Idle (C:\Users\user\AppData\Roaming\Systems Cache\IdleServ.exe [-]) -> FOUND
[RUN][SUSP PATH] HKCU\[...]\Run : CrashHandle (C:\Users\user\AppData\Local\Temp\RarSFX28\SystemWhileIdle.exe [x]) -> FOUND
[RUN][SUSP PATH] HKLM\[...]\Run : System Idle (C:\Users\user\AppData\Roaming\Systems Cache\IdleServ.exe [-]) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-1375052093-4268391962-1033398323-1001\[...]\Run : System Idle (C:\Users\user\AppData\Roaming\Systems Cache\IdleServ.exe [-]) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-1375052093-4268391962-1033398323-1001\[...]\Run : CrashHandle (C:\Users\user\AppData\Local\Temp\RarSFX28\SystemWhileIdle.exe [x]) -> FOUND
[IFEO] HKLM\[...]\bitguard.exe : Debugger (tasklist.exe [-]) -> FOUND
[IFEO] HKLM\[...]\bprotect.exe : Debugger (tasklist.exe [-]) -> FOUND
[IFEO] HKLM\[...]\bpsvc.exe : Debugger (tasklist.exe [-]) -> FOUND
[IFEO] HKLM\[...]\browserdefender.exe : Debugger (tasklist.exe [-]) -> FOUND
[IFEO] HKLM\[...]\browserprotect.exe : Debugger (tasklist.exe [-]) -> FOUND
[IFEO] HKLM\[...]\browsersafeguard.exe : Debugger (tasklist.exe [-]) -> FOUND
[IFEO] HKLM\[...]\dprotectsvc.exe : Debugger (tasklist.exe [-]) -> FOUND
[IFEO] HKLM\[...]\jumpflip : Debugger (tasklist.exe [-]) -> FOUND
[IFEO] HKLM\[...]\protectedsearch.exe : Debugger (tasklist.exe [-]) -> FOUND
[IFEO] HKLM\[...]\searchinstaller.exe : Debugger (tasklist.exe [-]) -> FOUND
[IFEO] HKLM\[...]\searchprotection.exe : Debugger (tasklist.exe [-]) -> FOUND
[IFEO] HKLM\[...]\searchprotector.exe : Debugger (tasklist.exe [-]) -> FOUND
[IFEO] HKLM\[...]\searchsettings.exe : Debugger (tasklist.exe [-]) -> FOUND
[IFEO] HKLM\[...]\searchsettings64.exe : Debugger (tasklist.exe [-]) -> FOUND
[IFEO] HKLM\[...]\snapdo.exe : Debugger (tasklist.exe [-]) -> FOUND
[IFEO] HKLM\[...]\stinst32.exe : Debugger (tasklist.exe [-]) -> FOUND
[IFEO] HKLM\[...]\stinst64.exe : Debugger (tasklist.exe [-]) -> FOUND
[IFEO] HKLM\[...]\umbrella.exe : Debugger (tasklist.exe [-]) -> FOUND
[IFEO] HKLM\[...]\utiljumpflip.exe : Debugger (tasklist.exe [-]) -> FOUND
[IFEO] HKLM\[...]\volaro : Debugger (tasklist.exe [-]) -> FOUND
[IFEO] HKLM\[...]\vonteera : Debugger (tasklist.exe [-]) -> FOUND
[IFEO] HKLM\[...]\websteroids.exe : Debugger (tasklist.exe [-]) -> FOUND
[IFEO] HKLM\[...]\websteroidsservice.exe : Debugger (tasklist.exe [-]) -> FOUND
[HJ POL][PUM] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND
[HJ POL][PUM] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ POL][PUM] HKCU\[...]\System : EnableLUA (0) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
 
¤¤¤ Scheduled tasks : 5 ¤¤¤
[V1][ROGUE ST] Upd Inst-S-5153193369.job : c:\programdata\superbapp\upd inst\Upd Inst.exe - /schedule /profile "c:\programdata\superbapp\upd inst\5153193369.ini" [x][-] -> FOUND
[V1][ROGUE ST] WS.Booster-S-667284051.job : c:\programdata\hostit\ws.booster\WS.Booster.exe - /schedule /profile "c:\programdata\hostit\ws.booster\667284051.ini" [x][-] -> FOUND
[V2][ROGUE ST] 4628 : wscript.exe - C:\Users\user\AppData\Local\Temp\launchie.vbs //B -> FOUND
[V2][SUSP PATH] PileFile logon : C:\Users\user\AppData\Local\Temp\{Steam Wallet Hack 2014}Download_8E4C\{Steam_Wallet_Hack_2014}_Downloader.exe [x] -> FOUND
[V2][SUSP PATH] RunDAOD : C:\Windows\DAODx.exe [-] -> FOUND
 
¤¤¤ Startup Entries : 1 ¤¤¤
[user][ROGUE ST] start.lnk : C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk @C:\Users\user\bmmqu\70124.vbs [-][-] -> FOUND
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ Browser Addons : 0 ¤¤¤
 
¤¤¤ Particular Files / Folders: ¤¤¤
 
¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤
[Address] EAT @explorer.exe (AsyncGetClassBits) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x185070B0)
[Address] EAT @explorer.exe (AsyncInstallDistributionUnit) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x18507210)
[Address] EAT @explorer.exe (BindAsyncMoniker) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x184F1F90)
[Address] EAT @explorer.exe (CDLGetLongPathNameA) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x185078D0)
[Address] EAT @explorer.exe (CDLGetLongPathNameW) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x185078E8)
[Address] EAT @explorer.exe (CORPolicyProvider) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x184F1674)
[Address] EAT @explorer.exe (CoGetClassObjectFromURL) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x185073FC)
[Address] EAT @explorer.exe (CoInstall) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x18507460)
[Address] EAT @explorer.exe (CoInternetCanonicalizeIUri) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x184B5660)
[Address] EAT @explorer.exe (CoInternetCombineIUri) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x184B80A0)
[Address] EAT @explorer.exe (CoInternetCombineUrl) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x184A46A4)
[Address] EAT @explorer.exe (CoInternetCombineUrlEx) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x184A43C0)
[Address] EAT @explorer.exe (CoInternetCompareUrl) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x184F5280)
[Address] EAT @explorer.exe (CoInternetCreateSecurityManager) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x18471EE0)
[Address] EAT @explorer.exe (CoInternetCreateZoneManager) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x18480810)
[Address] EAT @explorer.exe (CoInternetFeatureSettingsChanged) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x18530284)
[Address] EAT @explorer.exe (CoInternetGetProtocolFlags) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x184F537C)
[Address] EAT @explorer.exe (CoInternetGetSecurityUrl) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x184F53D0)
[Address] EAT @explorer.exe (CoInternetGetSecurityUrlEx) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x184B9CD0)
[Address] EAT @explorer.exe (CoInternetGetSession) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x18472460)
[Address] EAT @explorer.exe (CoInternetIsFeatureEnabled) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x184B8DC0)
[Address] EAT @explorer.exe (CoInternetIsFeatureEnabledForIUri) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x184B51B8)
[Address] EAT @explorer.exe (CoInternetIsFeatureEnabledForUrl) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x184B1820)
[Address] EAT @explorer.exe (CoInternetIsFeatureZoneElevationEnabled) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x184F586C)
[Address] EAT @explorer.exe (CoInternetParseIUri) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x184A56A8)
[Address] EAT @explorer.exe (CoInternetParseUrl) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x18481490)
[Address] EAT @explorer.exe (CoInternetQueryInfo) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x184B7C50)
[Address] EAT @explorer.exe (CoInternetSetFeatureEnabled) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x184F5AF4)
[Address] EAT @explorer.exe (CompareSecurityIds) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x1848D1A4)
[Address] EAT @explorer.exe (CompatFlagsFromClsid) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x184B4044)
[Address] EAT @explorer.exe (CopyBindInfo) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x18503020)
[Address] EAT @explorer.exe (CopyStgMedium) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x1847BA0C)
[Address] EAT @explorer.exe (CreateAsyncBindCtx) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x184C86C0)
[Address] EAT @explorer.exe (CreateAsyncBindCtxEx) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x184B3D14)
[Address] EAT @explorer.exe (CreateFormatEnumerator) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x184968E0)
[Address] EAT @explorer.exe (CreateIUriBuilder) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x18473660)
[Address] EAT @explorer.exe (CreateURLMoniker) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x184CCCF4)
[Address] EAT @explorer.exe (CreateURLMonikerEx) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x184778D0)
[Address] EAT @explorer.exe (CreateURLMonikerEx2) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x184B40F0)
[Address] EAT @explorer.exe (CreateUri) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x184716F0)
[Address] EAT @explorer.exe (CreateUriFromMultiByteString) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x184F1EE4)
[Address] EAT @explorer.exe (CreateUriPriv) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x184F1EF8)
[Address] EAT @explorer.exe (CreateUriWithFragment) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x184F1F40)
[Address] EAT @explorer.exe (DllCanUnloadNow) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x18471600)
[Address] EAT @explorer.exe (DllGetClassObject) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x184BAB3C)
[Address] EAT @explorer.exe (DllInstall) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x184F2458)
[Address] EAT @explorer.exe (DllRegisterServer) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x184F2464)
[Address] EAT @explorer.exe (DllRegisterServerEx) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x184CE070)
[Address] EAT @explorer.exe (DllUnregisterServer) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x184F2470)
[Address] EAT @explorer.exe (Extract) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x18507F74)
[Address] EAT @explorer.exe (FaultInIEFeature) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x18508FE8)
[Address] EAT @explorer.exe (FileBearsMarkOfTheWeb) : MrmCoreR.dll -> HOOKED (C:\WINDOWS\system32\urlmon.dll @ 0x184A6B60)
 
¤¤¤ External Hives: ¤¤¤
 
¤¤¤ Infection :  ¤¤¤
 
¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts
 
¤¤¤ MBR Check: ¤¤¤
 
+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) ST500DM0 02-1BD142 SATA Disk Device +++++
--- User ---
[MBR] 41bd6bb869f4ad0c0f5f70a8d6370e12
[bSP] 93658ce8b919d1b3c513c145d70de0aa : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 350 MB
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 718848 | Size: 99649 MB
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 204800000 | Size: 376939 MB
User = LL1 ... OK!
User = LL2 ... OK!
 
Finished : << RKreport[0]_S_05062014_192404.txt >>

  • Root Admin

Please go ahead and run through the following steps and post back the logs when ready.
 
STEP 04
Please download Junkware Removal Tool to your desktop.

  • Shutdown your antivirus to avoid any conflicts.
  • Right-click JRT.exe and select Run as administrator on Windows Vista or Windows 7; on XP, double-click it.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next reply message.
  • When completed, make sure to re-enable your antivirus.

STEP 05
Let's clean out any adware now (this will require a reboot, so save all your work):

Please download AdwCleaner by Xplode and save to your Desktop.

  • Double click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users right-click and select Run As Administrator
  • Click on the Scan button.
  • AdwCleaner will begin... be patient, as the scan may take some time to complete.
  • When it's done you'll see: Pending: Please uncheck elements you don't want removed.
  • Now click on the Report button... a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • Look over the log especially under Files/Folders for any program you want to save.
  • If there's a program you may want to save, just uncheck it from AdwCleaner.
  • If you're not sure, post the log for review. (all items found are adware/spyware/foistware)
  • If you're ready to clean it all up, click the Clean button.
  • After rebooting, a logfile report (AdwCleaner[s0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.
  • Items that are deleted are moved to the Quarantine Folder: C:\AdwCleaner\Quarantine
  • To restore an item that has been deleted, go to Tools > Quarantine Manager > check what you want restored > now click on Restore.

STEP 06

Please go here to run the online antivirus scanner from ESET.

  • Turn off the real-time scanner of any existing antivirus program while performing the online scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install.
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click 'List of found threats', then click Export to text file.
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.

STEP 07
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure whether your computer is 32-bit or 64-bit.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.

Step 04 - Done!

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.4 (04.06.2014:1)
OS: Windows 8.1 x64
Ran by user on 07/05/2014 at 20:51:52.01
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
~~~ Services
 
 
 
~~~ Registry Values
 
Successfully deleted: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{ae07101b-46d4-4a98-af68-0333ea26e113}
Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-21-1375052093-4268391962-1033398323-1001\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL\\Default
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\searchURL\\Default
 
 
 
~~~ Registry Keys
 
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{FB684D26-01F4-4D9D-87CB-F486BEBA56DC}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\defaulttab
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\smartbar
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\defaulttab
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\iesmartbar.bandobjectattribute
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\iesmartbar.dockingpanel
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\iesmartbar.iesmartbar
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\iesmartbar.iesmartbarbandobject
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\iesmartbar.smartbardisplaystate
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\iesmartbar.smartbarmenuform
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\updater.amiupd
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Classes\updater.amiupd.1
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\smartbar_rasapi32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\smartbar_rasmancs
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\nation toolbar
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2102}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2102}
 
 
 
~~~ Files
 
Successfully deleted: [File] "C:\Users\user\appdata\local\google\chrome\user data\default\local storage\http_app.mam.conduit.com_0.localstorage"
Successfully deleted: [File] "C:\Users\user\appdata\local\google\chrome\user data\default\local storage\http_app.mam.conduit.com_0.localstorage-journal"
Successfully deleted: [File] "C:\Users\user\appdata\local\google\chrome\user data\default\local storage\http_storage.conduit.com_0.localstorage"
 
 
 
~~~ Folders
 
Successfully deleted: [Folder] "C:\ProgramData\boost_interprocess"
Successfully deleted: [Folder] "C:\Users\user\AppData\Roaming\defaulttab"
Successfully deleted: [Folder] "C:\Users\user\appdata\locallow\conduit"
Successfully deleted: [Folder] "C:\Users\user\appdata\locallow\sitefinder"
Successfully deleted: [Folder] "C:\Users\user\appdata\locallow\smartbar"
Failed to delete: [Folder] "C:\Program Files (x86)\mobogenie"
Successfully deleted: [Folder] "C:\Program Files (x86)\similarsites"
Successfully deleted: [Folder] "C:\Program Files (x86)\surftastic"
Successfully deleted: [Folder] "C:\Program Files (x86)\your product"
Successfully deleted: [Folder] "C:\Users\user\AppData\Roaming\microsoft\windows\start menu\programs\mobogenie"
 
 
 
~~~ Chrome
 
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Google\Chrome\Extensions\kdidombaedgpfiiedeimiebkmbilgmlc
 
 
 
~~~ Event Viewer Logs were cleared
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 07/05/2014 at 20:56:10.17
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
Step 05 - Done!
 
 
# AdwCleaner v3.207 - Report created 07/05/2014 at 21:01:37
# Updated 05/05/2014 by Xplode
# Operating System : Windows 8.1  (64 bits)
# Username : user - ADMIN
# Running from : C:\Users\user\Downloads\AdwCleaner.exe
# Option : Clean
 
***** [ Services ] *****
 
[#] Service Deleted : 1a34a8e0
 
***** [ Files / Folders ] *****
 
Folder Deleted : C:\ProgramData\SuperbApp
Folder Deleted : C:\ProgramData\WinterSoft
Folder Deleted : C:\Program Files (x86)\jZip
Folder Deleted : C:\Program Files (x86)\Mobogenie
Folder Deleted : C:\Program Files (x86)\Music Toolbar
Folder Deleted : C:\Program Files (x86)\Nation Toolbar
Folder Deleted : C:\users\user\AppData\Local\41
Folder Deleted : C:\users\user\AppData\Local\genienext
Folder Deleted : C:\users\user\AppData\Local\jZip
Folder Deleted : C:\users\user\AppData\Local\Mobogenie
Folder Deleted : C:\users\user\AppData\Local\NativeMessaging
Folder Deleted : C:\users\user\AppData\Local\torch
Folder Deleted : C:\users\user\AppData\Local\WhiteListing
Folder Deleted : C:\users\user\AppData\Roaming\Oxy
Folder Deleted : C:\users\user\Documents\Mobogenie
Folder Deleted : C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\lpmfcgjjpaapfhpadmgodkaibnebnlnc
Folder Deleted : C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\lpmfcgjjpaapfhpadmgodkaibnebnlnc
Folder Deleted : C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\lpmfcgjjpaapfhpadmgodkaibnebnlnc
Folder Deleted : C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgohhalecmoicdpmcfejjpoiinemgnol
File Deleted : C:\users\user\daemonprocess.txt
File Deleted : C:\users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\jZip.lnk
File Deleted : C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_storage.conduit.com_0.localstorage-journal
File Deleted : C:\WINDOWS\System32\Tasks\PileFile logon
File Deleted : C:\WINDOWS\System32\Tasks\PileFile reminder
File Deleted : C:\WINDOWS\Tasks\Upd Inst-S-5153193369.job
File Deleted : C:\WINDOWS\System32\Tasks\Upd Inst-S-5153193369
 
***** [ Shortcuts ] *****
 
Shortcut Disinfected : C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Search.lnk
 
***** [ Registry ] *****
 
Key Deleted : HKLM\SOFTWARE\Classes\jZip.file
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitguard.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bprotect.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\browserdefender.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\browserprotect.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Mobogenie.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\MobogenieAdd
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AppPath\jZip.exe
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [mobilegeni daemon]
Value Deleted : HKLM\SYSTEM\ControlSet001\Control\Session Manager\AppCertDlls [x64]
Value Deleted : HKLM\SYSTEM\ControlSet001\Control\Session Manager\AppCertDlls [x86]
Key Deleted : HKCU\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\S-667284051
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5F189DF5-2D05-472B-9091-84D9848AE48B}{1a34a8e0}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5F189DF5-2D05-472B-9091-84D9848AE48B}{e9f32388}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{56561B2A-FB5D-363A-9631-4C03D6054209}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{A717364F-69F3-3A24-ADD5-3901A57F880E}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AE07101B-46D4-4A98-AF68-0333EA26E113}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{CCB08265-B35D-30B2-A6AF-6986CA957358}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{CD92622E-49B9-33B7-98D1-EC51049457D7}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E041E037-FA4B-364A-B440-7A1051EA0301}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE07101B-46D4-4A98-AF68-0333EA26E113}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{AE07101B-46D4-4A98-AF68-0333EA26E113}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3614D305-2DBB-4991-9297-750DD60FFC73}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{56561B2A-FB5D-363A-9631-4C03D6054209}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{A717364F-69F3-3A24-ADD5-3901A57F880E}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{AE07101B-46D4-4A98-AF68-0333EA26E113}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{CCB08265-B35D-30B2-A6AF-6986CA957358}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{CD92622E-49B9-33B7-98D1-EC51049457D7}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{E041E037-FA4B-364A-B440-7A1051EA0301}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{1B730ACF-26A3-447B-9994-14AEE0EB72CC}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{1F8EDE97-36D5-422A-B8F0-9406E2D87C60}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}
Value Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{AE07101B-46D4-4A98-AF68-0333EA26E113}]
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2102}
Key Deleted : HKCU\Software\APNDTX
Key Deleted : HKCU\Software\Escolade
Key Deleted : HKCU\Software\jZip
Key Deleted : HKCU\Software\Nation Toolbar
Key Deleted : HKLM\Software\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}
Key Deleted : HKLM\Software\{5F189DF5-2D05-472B-9091-84D9848AE48B}
Key Deleted : HKLM\Software\jZip
Key Deleted : HKLM\Software\Nation Toolbar
Key Deleted : HKLM\Software\Upd Inst
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\jZip
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mobogenie
Key Deleted : [x64] HKLM\SOFTWARE\Tarma Installer
Data Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows [AppInit_DLLs] - C:\PROGRA~2\ASSIST~2.DLL
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bpsvc.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\browsersafeguard.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dprotectsvc.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jumpflip
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\protectedsearch.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\searchinstaller.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\searchprotection.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\searchprotector.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\searchsettings.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\searchsettings64.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\snapdo.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\stinst32.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\stinst64.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\umbrella.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utiljumpflip.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\volaro
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vonteera
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\websteroids.exe
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\websteroidsservice.exe
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v11.0.9600.17037
 
 
-\\ Google Chrome v33.0.1750.154
 
[ File : C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\preferences ]
 
Deleted [Extension] : dgohhalecmoicdpmcfejjpoiinemgnol
Deleted [Extension] : lpmfcgjjpaapfhpadmgodkaibnebnlnc
Deleted [Extension] : ndibdjnfmopecpmkdieinmbadjfpblof
 
*************************
 
AdwCleaner[R0].txt - [9826 octets] - [07/05/2014 20:58:44]
AdwCleaner[s0].txt - [9326 octets] - [07/05/2014 21:01:37]
 
########## EOF - C:\AdwCleaner\AdwCleaner[s0].txt - [9386 octets] ##########
 

Step 06 - Done! Stopped the scan when it was scanning my D drive though, because it took too long, but here is the log:

 

C:\AdwCleaner\Quarantine\C\Program Files (x86)\jZip\Helper.dll.vir a variant of Win32/Toolbar.SearchSuite.P potentially unwanted application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\jZip\Uninstall.exe.vir a variant of Win32/Toolbar.SearchSuite.J potentially unwanted application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Mobogenie\DaemonProcess.exe.vir a variant of Win32/Mobogenie.A potentially unwanted application
C:\AdwCleaner\Quarantine\C\users\user\AppData\Local\Mobogenie\Version\OldVersion\Mobogenie\DaemonProcess.exe.vir a variant of Win32/Mobogenie.A potentially unwanted application
C:\AdwCleaner\Quarantine\C\users\user\AppData\Local\Mobogenie\Version\OldVersion\Mobogenie\Mobogenie.exe.vir a variant of Win32/Mobogenie.A potentially unwanted application
C:\AdwCleaner\Quarantine\C\users\user\AppData\Local\Mobogenie\Version\OldVersion\Mobogenie\nengine.dll.vir Win32/NextLive.A potentially unwanted application
C:\AdwCleaner\Quarantine\C\users\user\AppData\Local\Mobogenie\Version\OldVersion\Mobogenie\New_UpdateMoboGenie.exe.vir a variant of Win32/Mobogenie.A potentially unwanted application
C:\Program Files (x86)\Assistant_x64.dll a variant of Win64/SProtector.B potentially unwanted application
C:\Program Files (x86)\Cheat Engine 6.2\cheatengine-i386.exe a variant of Win32/HackTool.CheatEngine.AB potentially unsafe application
C:\Program Files (x86)\Cheat Engine 6.2\standalonephase1.dat a variant of Win32/HackTool.CheatEngine.AF potentially unsafe application
C:\Program Files (x86)\Cheat Engine 6.3\cheatengine-i386.exe a variant of Win32/HackTool.CheatEngine.AB potentially unsafe application
C:\Program Files (x86)\Cheat Engine 6.3\standalonephase1.dat a variant of Win32/HackTool.CheatEngine.AF potentially unsafe application
C:\Program Files (x86)\FromDocToPDF_65EI\Installr\1.bin\65EIPlug.dll Win32/Toolbar.MyWebSearch potentially unwanted application
C:\Program Files (x86)\FromDocToPDF_65EI\Installr\1.bin\65EZSETP.dll a variant of Win32/Toolbar.MyWebSearch.Q potentially unwanted application
C:\Program Files (x86)\FromDocToPDF_65EI\Installr\1.bin\NP65EISb.dll Win32/Toolbar.MyWebSearch potentially unwanted application
C:\Program Files (x86)\GS Supporter\Assistant_x64.dll a variant of Win64/SProtector.B potentially unwanted application
C:\Program Files (x86)\Minecraft\steam_api.dll a variant of Win32/Packed.VMProtect.ABD trojan
C:\Program Files (x86)\Minecraft\steam_api64.dll a variant of Win32/Packed.VMProtect.ABD trojan
C:\Program Files (x86)\PCData\cstart.bat BAT/CoinMiner.EY trojan
C:\Program Files (x86)\PCData\dgen.exe a variant of Win64/BitCoinMiner.U potentially unsafe application
C:\Program Files (x86)\PCData\nstart.bat BAT/CoinMiner.EY trojan
C:\Program Files (x86)\PCData\StartHelp.exe BAT/CoinMiner.EY trojan
C:\Program Files (x86)\R.G. Mechanics\Goat Simulator\Binaries\Win32\steam_api.dll a variant of Win32/HackTool.Crack.BL potentially unsafe application
C:\ProgramData\InstallMate\{00589B44-430B-4164-A38F-0B29DBBBB9B2}\Custom.dll Win32/InstalleRex.M potentially unwanted application
C:\ProgramData\InstallMate\{4EF49C61-DF86-4257-A0BC-97A49517BE97}\Custom.dll Win32/InstalleRex.M potentially unwanted application
C:\Users\All Users\InstallMate\{00589B44-430B-4164-A38F-0B29DBBBB9B2}\Custom.dll Win32/InstalleRex.M potentially unwanted application
C:\Users\All Users\InstallMate\{4EF49C61-DF86-4257-A0BC-97A49517BE97}\Custom.dll Win32/InstalleRex.M potentially unwanted application
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\180FMTN5\ShoppinHelper_Setup[1].exe a variant of Win32/Toolbar.Linkury.E potentially unwanted application
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GJF8D6KH\agup[1].exe Win32/TrojanDownloader.Agent.AFD trojan
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GJF8D6KH\DefaultTabSetup[1].exe a variant of Win32/Toolbar.DefaultTab.B potentially unwanted application
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GSBFSSE9\tpq[1].exe a variant of Win32/SProtector.H potentially unwanted application
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\X8G4EGGI\Mobogenie_Setup_INT[1].exe Win32/Mobogenie.B potentially unwanted application
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Low\IE\E5XNMWMY\ie[2].js JS/Kryptik.I trojan
C:\Users\user\AppData\Local\Temp\DWLos23gyIi.exe a variant of Win32/BitCoinMiner.AF potentially unsafe application
C:\Users\user\AppData\Local\Temp\glknKopmOaM.exe a variant of Win32/BitCoinMiner.AF potentially unsafe application
C:\Users\user\AppData\Local\Temp\i2a6ZrkphUa.exe a variant of Win32/BitCoinMiner.AF potentially unsafe application
C:\Users\user\AppData\Local\Temp\tmp1916.exe a variant of Win32/Amonetize.AN potentially unwanted application
C:\Users\user\AppData\Local\Temp\tmp26D0.exe a variant of Win32/Amonetize.AN potentially unwanted application
C:\Users\user\AppData\Local\Temp\tmp29B5.exe a variant of Win32/Amonetize.AN potentially unwanted application
C:\Users\user\AppData\Local\Temp\tmp374F.exe a variant of Win32/Amonetize.AN potentially unwanted application
C:\Users\user\AppData\Local\Temp\tmp5849.exe a variant of Win32/Amonetize.AN potentially unwanted application
C:\Users\user\AppData\Local\Temp\tmp62E8.exe a variant of Win32/Amonetize.AN potentially unwanted application
C:\Users\user\AppData\Local\Temp\tmp6452.exe a variant of Win32/Amonetize.AN potentially unwanted application
C:\Users\user\AppData\Local\Temp\tmp665.exe a variant of Win32/Amonetize.AN potentially unwanted application
C:\Users\user\AppData\Local\Temp\tmp7AFF.exe a variant of Win32/Amonetize.AN potentially unwanted application
C:\Users\user\AppData\Local\Temp\tmp8336.exe a variant of Win32/Amonetize.AN potentially unwanted application
C:\Users\user\AppData\Local\Temp\tmp8556.exe a variant of Win32/Amonetize.AN potentially unwanted application
C:\Users\user\AppData\Local\Temp\tmp871A.exe a variant of Win32/Amonetize.AN potentially unwanted application
C:\Users\user\AppData\Local\Temp\tmp8E52.exe a variant of Win32/Amonetize.AN potentially unwanted application
C:\Users\user\AppData\Local\Temp\tmp92DC.exe a variant of Win32/Amonetize.AN potentially unwanted application
C:\Users\user\AppData\Local\Temp\tmp930E.exe a variant of Win32/Amonetize.AN potentially unwanted application
C:\Users\user\AppData\Local\Temp\tmp937E.exe a variant of Win32/Amonetize.AN potentially unwanted application
C:\Users\user\AppData\Local\Temp\tmp9B50.exe a variant of Win32/Amonetize.AN potentially unwanted application
C:\Users\user\AppData\Local\Temp\tmpA433.exe a variant of Win32/Amonetize.AN potentially unwanted application
C:\Users\user\AppData\Local\Temp\tmpAAD1.exe a variant of Win32/Amonetize.AN potentially unwanted application
C:\Users\user\AppData\Local\Temp\tmpAC96.exe a variant of Win32/Amonetize.AN potentially unwanted application
C:\Users\user\AppData\Local\Temp\tmpAD06.exe a variant of Win32/Amonetize.AN potentially unwanted application
C:\Users\user\AppData\Local\Temp\tmpBD59.exe a variant of Win32/Amonetize.AN potentially unwanted application
C:\Users\user\AppData\Local\Temp\tmpBE0D.exe a variant of Win32/Amonetize.AN potentially unwanted application
C:\Users\user\AppData\Local\Temp\tmpC315.exe a variant of Win32/Amonetize.AN potentially unwanted application
C:\Users\user\AppData\Local\Temp\tmpCB8F.exe a variant of Win32/Amonetize.AN potentially unwanted application
C:\Users\user\AppData\Local\Temp\tmpD52A.exe a variant of Win32/Amonetize.AN potentially unwanted application
C:\Users\user\AppData\Local\Temp\tmpDEF5.exe a variant of Win32/Amonetize.AN potentially unwanted application
C:\Users\user\AppData\Local\Temp\tmpE1F9.exe a variant of Win32/Amonetize.AN potentially unwanted application
C:\Users\user\AppData\Local\Temp\tmpE277.exe a variant of Win32/Amonetize.AN potentially unwanted application
C:\Users\user\AppData\Local\Temp\tmpE9BE.exe a variant of Win32/Amonetize.AN potentially unwanted application
C:\Users\user\AppData\Local\Temp\tmpF531.exe a variant of Win32/Amonetize.AN potentially unwanted application
C:\Users\user\AppData\Local\Temp\UF3QYJfpWTm.exe a variant of Win32/BitCoinMiner.AF potentially unsafe application
C:\Users\user\AppData\Local\Temp\xUzwlUi3LhU.exe a variant of Win32/BitCoinMiner.AF potentially unsafe application
C:\Users\user\AppData\Local\Temp\Download_10A2\{Steam_Wallet_Hack_2014}_Downloader.exe a variant of Win32/BundleInstaller.D potentially unwanted application
C:\Users\user\AppData\Local\Temp\Download_352A\{Steam_Wallet_Hack_2014}_Downloader.exe a variant of Win32/BundleInstaller.D potentially unwanted application
C:\Users\user\AppData\Local\Temp\Download_4541\{Steam_Wallet_Hack_2014}_Downloader.exe a variant of Win32/BundleInstaller.D potentially unwanted application
C:\Users\user\AppData\Local\Temp\Download_4AE9\{Steam_Wallet_Hack_2014}_Downloader.exe a variant of Win32/BundleInstaller.D potentially unwanted application
C:\Users\user\AppData\Local\Temp\Download_594E\{Steam_Wallet_Hack_2014}_Downloader.exe a variant of Win32/BundleInstaller.D potentially unwanted application
C:\Users\user\AppData\Local\Temp\Download_5A6F\{Steam_Wallet_Hack_2014}_Downloader.exe a variant of Win32/BundleInstaller.D potentially unwanted application
C:\Users\user\AppData\Local\Temp\Download_6514\{Steam_Wallet_Hack_2014}_Downloader.exe a variant of Win32/BundleInstaller.D potentially unwanted application
C:\Users\user\AppData\Local\Temp\Download_700A\{Steam_Wallet_Hack_2014}_Downloader.exe a variant of Win32/BundleInstaller.D potentially unwanted application
C:\Users\user\AppData\Local\Temp\Download_7E1F\{Steam_Wallet_Hack_2014}_Downloader.exe a variant of Win32/BundleInstaller.D potentially unwanted application
C:\Users\user\AppData\Local\Temp\Download_7F82\{Steam_Wallet_Hack_2014}_Downloader.exe a variant of Win32/BundleInstaller.D potentially unwanted application
C:\Users\user\AppData\Local\Temp\Download_A539\{Steam_Wallet_Hack_2014}_Downloader.exe a variant of Win32/BundleInstaller.D potentially unwanted application
C:\Users\user\AppData\Local\Temp\Download_A850\{Steam_Wallet_Hack_2014}_Downloader.exe a variant of Win32/BundleInstaller.D potentially unwanted application
C:\Users\user\AppData\Local\Temp\Download_C389\{Steam_Wallet_Hack_2014}_Downloader.exe a variant of Win32/BundleInstaller.D potentially unwanted application
C:\Users\user\AppData\Local\Temp\Download_E7EF\{Steam_Wallet_Hack_2014}_Downloader.exe a variant of Win32/BundleInstaller.D potentially unwanted application
C:\Users\user\AppData\Local\Temp\Download_F734\{Steam_Wallet_Hack_2014}_Downloader.exe a variant of Win32/BundleInstaller.D potentially unwanted application
C:\Users\user\AppData\Local\Temp\RarSFX16\klp11svc.exe a variant of Win32/BitCoinMiner.W potentially unsafe application
C:\Users\user\AppData\Local\Temp\RarSFX17\klp11svc.exe a variant of Win32/BitCoinMiner.W potentially unsafe application
C:\Users\user\AppData\Local\Temp\RarSFX18\klp11svc.exe a variant of Win32/BitCoinMiner.W potentially unsafe application
C:\Users\user\AppData\Local\Temp\RarSFX19\klp11svc.exe a variant of Win32/BitCoinMiner.W potentially unsafe application
C:\Users\user\AppData\Local\Temp\RarSFX20\klp11svc.exe a variant of Win32/BitCoinMiner.W potentially unsafe application
C:\Users\user\AppData\Local\Temp\RarSFX21\klp11svc.exe a variant of Win32/BitCoinMiner.W potentially unsafe application
C:\Users\user\AppData\Local\Temp\RarSFX22\klp11svc.exe a variant of Win32/BitCoinMiner.W potentially unsafe application
C:\Users\user\AppData\Local\Temp\RarSFX23\klp11svc.exe a variant of Win32/BitCoinMiner.W potentially unsafe application
C:\Users\user\AppData\Local\Temp\RarSFX24\klp11svc.exe a variant of Win32/BitCoinMiner.W potentially unsafe application
C:\Users\user\AppData\Local\Temp\RarSFX25\klp11svc.exe a variant of Win32/BitCoinMiner.W potentially unsafe application
C:\Users\user\AppData\Local\Temp\RarSFX26\klp11svc.exe a variant of Win32/BitCoinMiner.W potentially unsafe application
C:\Users\user\AppData\Local\Temp\RarSFX27\klp11svc.exe a variant of Win32/BitCoinMiner.W potentially unsafe application
C:\Users\user\AppData\Local\Temp\RarSFX28\klp10svc.exe a variant of Win32/BitCoinMiner.AF potentially unsafe application
C:\Users\user\AppData\Local\Temp\RarSFX28\klp11svc.exe a variant of Win32/BitCoinMiner.W potentially unsafe application
C:\Users\user\AppData\Local\Temp\RarSFX29\klp11svc.exe a variant of Win32/BitCoinMiner.W potentially unsafe application
C:\Users\user\AppData\Local\Temp\RarSFX30\klp10svc.exe a variant of Win32/BitCoinMiner.AF potentially unsafe application
C:\Users\user\AppData\Local\Temp\RarSFX30\klp11svc.exe a variant of Win32/BitCoinMiner.W potentially unsafe application
C:\Users\user\AppData\Local\Temp\RarSFX31\klp11svc.exe a variant of Win32/BitCoinMiner.W potentially unsafe application
C:\Users\user\AppData\Local\Temp\RarSFX32\klp11svc.exe a variant of Win32/BitCoinMiner.W potentially unsafe application
C:\Users\user\AppData\Local\Temp\RarSFX33\klp11svc.exe a variant of Win32/BitCoinMiner.W potentially unsafe application
C:\Users\user\AppData\Local\Temp\{Steam Wallet Hack 2014}Download_CA1C\{Steam_Wallet_Hack_2014}_Downloader.exe a variant of Win32/BundleInstaller.D potentially unwanted application
C:\Users\user\AppData\LocalLow\FromDocToPDF_65EI\Installr\Cache\030165F2.exe a variant of Win32/Toolbar.MyWebSearch.R potentially unwanted application
C:\Users\user\AppData\Roaming\tdd.exe a variant of MSIL/Agent.JU trojan
C:\Users\user\AppData\Roaming\wrk.exe a variant of MSIL/Agent.JU trojan
C:\Users\user\bmmqu\70124.vbs VBS/Runner.NBV trojan
C:\Users\user\Downloads\Tarding Hack - beta.exe multiple threats
 
Step 07 - Done! The post is too long, so the file is attached.
 

  • Root Admin

Wow... this box certainly has a lot of junk malware and other stuff on it. Let me have you do the following, please.

 

Please run TFC by OldTimer to clear temporary files:

  • Download TFC from here and save it to your desktop.
  • http://oldtimer.geekstogo.com/TFC.exe
  • Close any open programs and Internet browsers.
  • Double click TFC.exe to run it on XP (for Vista and Windows 7 right click and choose "Run as administrator") and once it opens click on the Start button on the lower left of the program to allow it to begin cleaning.
  • Please be patient as clearing out temp files may take a while.
  • Once it completes you may be prompted to restart your computer, please do so.
  • Once it's finished you may delete TFC.exe from your desktop or save it for later use for the cleaning of temporary files.

 

 

Once that's done please run this

 

Please visit this webpage and read the ComboFix User's Guide:

  • Once you've read the article and are ready to use the program you can download it directly from the link below.
  • Important! - Please make sure you save ComboFix to your desktop and do not run it from your browser.
  • Direct download link for: ComboFix.exe
  • Please make sure you disable your security applications before running ComboFix.
  • Once ComboFix has completed it will produce and open a log file. Please be patient as it can take some time to load.
  • Please attach that log file to your next reply.
  • If needed the file can be located here:  C:\combofix.txt
  • NOTE: If you receive the message "illegal operation has been attempted on a registry key that has been marked for deletion", just reboot the computer.

 

 


Yep, loads of malware. This is what happens when you let a 10-year-old use a PC unsupervised.

 

TFC by Oldtimer - Done!

 

No logs? It deleted around 3 GB of files, though.

 

Combofix

 

Got this error while trying to launch ComboFix.

 

HJB2z5v.png

 

Googled around and found out this program is not compatible with Windows 8.1. Any other solutions?

 

Oh, dgen.exe is still running on the computer, hogging 99% of the CPU; I had to terminate it manually. UPDATE: Uninstalled the "PCData" software, which removed dgen.exe.


Let me get a fresh FRST scan; also, please check the box to include the Addition file again.

 

Alright, here are some fresh new logs; sorry, they are too long to be copy-pasted here...

 

FRST.txt, Addition.txt

 

Oh, when I boot up the computer this pops up on the screen; I'm not too sure where the program is located so that I can uninstall it..

 

yFF02QT.png


  • Root Admin

Please download the attached fixlist.txt file and save it to the Desktop.
NOTE: It's important that both files, FRST or FRST64 and fixlist.txt, are in the same location, or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.
 

fixlist.txt


Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 10-05-2014

Ran by user at 2014-05-11 00:25:38 Run:1

Running from C:\Users\user\Desktop

Boot Mode: Normal

==============================================

 

Content of fixlist:

*****************

Task: {3993AF5B-B3D7-40BC-B9D6-DAE1464C9D8E} - \Upd Inst-S-5153193369 No Task File <==== ATTENTION

Task: {4E6A6D0D-53EA-4A7A-90C8-FC9B8BB04282} - System32\Tasks\WS.Booster-S-667284051 => c:\programdata\hostit\ws.booster\WS.Booster.exe

Task: {5E2431BA-E1D7-4123-993C-0FE0AB2BF585} - System32\Tasks\0 => Iexplore.exe  <==== ATTENTION

Task: {6E7EB8EC-32B3-4573-A71C-633AB04940C5} - \PileFile logon No Task File <==== ATTENTION

Task: {725C9621-E9C2-4884-A87A-F217CFA75775} - System32\Tasks\4628 => Wscript.exe C:\Users\user\AppData\Local\Temp\launchie.vbs //B <==== ATTENTION

Task: {BBFF87C7-C06B-4E13-A682-5C1BCC659944} - \PileFile reminder No Task File <==== ATTENTION

Task: {FA653ADE-8C41-47BF-B1D4-6A9ADF1609B4} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2013-06-26] (Google Inc.)

Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

Task: C:\WINDOWS\Tasks\WS.Booster-S-667284051.job => c:\programdata\hostit\ws.booster\WS.Booster.exe

HKLM-x32\...\Run: [sunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)

HKU\S-1-5-21-1375052093-4268391962-1033398323-1001\...\Run: [CrashHandle] => C:\Users\user\AppData\Local\Temp\RarSFX3\SystemWhileIdle.exe [233984 2014-05-03] () <===== ATTENTION

HKU\S-1-5-21-1375052093-4268391962-1033398323-1001\...\MountPoints2: {3867d810-4370-11e2-be6f-50465d598758} - "F:\setup.exe" 

HKU\S-1-5-21-1375052093-4268391962-1033398323-1001\...\MountPoints2: {a321c301-5660-11e3-824f-806e6f6e6963} - "E:\Autorun.exe" 

HKU\S-1-5-21-1375052093-4268391962-1033398323-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [CrashHandle] => C:\Users\user\AppData\Local\Temp\RarSFX3\SystemWhileIdle.exe [233984 2014-05-03] () <===== ATTENTION

HKU\S-1-5-21-1375052093-4268391962-1033398323-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\MountPoints2: {3867d810-4370-11e2-be6f-50465d598758} - "F:\setup.exe" 

HKU\S-1-5-21-1375052093-4268391962-1033398323-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\MountPoints2: {a321c301-5660-11e3-824f-806e6f6e6963} - "E:\Autorun.exe" 

Startup: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk

C:\Users\user\bmmqu\70124.vbs

GroupPolicyUsers\S-1-5-21-1375052093-4268391962-1033398323-1001\User: Group Policy restriction detected <======= ATTENTION

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://t.uk.msn.com/

URLSearchHook: HKLM-x32 - Default Value = {CCC7B151-1D8C-11E3-B2AD-F3EF3D58318D}

BHO: DownSave - {EA628000-51FF-433D-2A22-304225D916C7} - C:\ProgramData\DownSave\379ByqtSBz.x64.dll No File

BHO-x32: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll (Oracle Corporation)

BHO-x32: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)

FF Plugin-x32: @java.com/DTPlugin,version=10.55.2 - C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)

FF Plugin-x32: @java.com/JavaPlugin,version=10.55.2 - C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)

CHR Plugin: (Java Platform SE 7 U21) - C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)

CHR Extension: (No Name) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgohhalecmoicdpmcfejjpoiinemgnol [2014-04-04]

CHR Extension: (No Name) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\lpmfcgjjpaapfhpadmgodkaibnebnlnc [2014-03-08]

CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION

S2 e9f32388; "C:\WINDOWS\system32\rundll32.exe" "c:\progra~2\gssupp~1\AssistantSvc.dll",service

S3 getbus; \??\C:\Users\user\AppData\Local\Temp\getbus.sys [X]

S3 xhunter1; \??\C:\WINDOWS\xhunter1.sys [X]

*****************

 

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{3993AF5B-B3D7-40BC-B9D6-DAE1464C9D8E} => Key deleted successfully.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3993AF5B-B3D7-40BC-B9D6-DAE1464C9D8E} => Key deleted successfully.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Upd Inst-S-5153193369 => Key deleted successfully.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{4E6A6D0D-53EA-4A7A-90C8-FC9B8BB04282} => Key deleted successfully.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4E6A6D0D-53EA-4A7A-90C8-FC9B8BB04282} => Key deleted successfully.

C:\Windows\System32\Tasks\WS.Booster-S-667284051 => Moved successfully.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\WS.Booster-S-667284051 => Key deleted successfully.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{5E2431BA-E1D7-4123-993C-0FE0AB2BF585} => Key deleted successfully.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5E2431BA-E1D7-4123-993C-0FE0AB2BF585} => Key deleted successfully.

C:\Windows\System32\Tasks\0 => Moved successfully.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\0 => Key deleted successfully.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{6E7EB8EC-32B3-4573-A71C-633AB04940C5} => Key deleted successfully.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6E7EB8EC-32B3-4573-A71C-633AB04940C5} => Key deleted successfully.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\PileFile logon => Key deleted successfully.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{725C9621-E9C2-4884-A87A-F217CFA75775} => Key deleted successfully.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{725C9621-E9C2-4884-A87A-F217CFA75775} => Key deleted successfully.

C:\Windows\System32\Tasks\4628 => Moved successfully.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\4628 => Key deleted successfully.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{BBFF87C7-C06B-4E13-A682-5C1BCC659944} => Key deleted successfully.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{BBFF87C7-C06B-4E13-A682-5C1BCC659944} => Key deleted successfully.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\PileFile reminder => Key deleted successfully.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{FA653ADE-8C41-47BF-B1D4-6A9ADF1609B4} => Key deleted successfully.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{FA653ADE-8C41-47BF-B1D4-6A9ADF1609B4} => Key deleted successfully.

C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore => Moved successfully.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\GoogleUpdateTaskMachineCore => Key deleted successfully.

C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job => Moved successfully.

C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job => Moved successfully.

C:\WINDOWS\Tasks\WS.Booster-S-667284051.job => Moved successfully.

HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\SunJavaUpdateSched => Value deleted successfully.

HKU\S-1-5-21-1375052093-4268391962-1033398323-1001\Software\Microsoft\Windows\CurrentVersion\Run\\CrashHandle => Value deleted successfully.

HKU\S-1-5-21-1375052093-4268391962-1033398323-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3867d810-4370-11e2-be6f-50465d598758} => Key deleted successfully.

HKCR\CLSID\{3867d810-4370-11e2-be6f-50465d598758} => Key not found.

HKU\S-1-5-21-1375052093-4268391962-1033398323-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a321c301-5660-11e3-824f-806e6f6e6963} => Key deleted successfully.

HKCR\CLSID\{a321c301-5660-11e3-824f-806e6f6e6963} => Key not found.

HKU\S-1-5-21-1375052093-4268391962-1033398323-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Windows\CurrentVersion\Run\\CrashHandle => Value not found.

HKU\S-1-5-21-1375052093-4268391962-1033398323-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\MountPoints2: {3867d810-4370-11e2-be6f-50465d598758} => Key not found.

HKCR\CLSID\{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\MountPoints2: {3867d810-4370-11e2-be6f-50465d598758} => Key not found.

HKU\S-1-5-21-1375052093-4268391962-1033398323-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\MountPoints2: {a321c301-5660-11e3-824f-806e6f6e6963} => Key not found.

HKCR\CLSID\{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\MountPoints2: {a321c301-5660-11e3-824f-806e6f6e6963} => Key not found.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk => Moved successfully.

C:\Users\user\bmmqu\70124.vbs => Moved successfully.

C:\WINDOWS\system32\GroupPolicyUsers\S-1-5-21-1375052093-4268391962-1033398323-1001\User => Moved successfully.

C:\WINDOWS\system32\GroupPolicy\GPT.ini => Moved successfully.

HKCU\Software\Microsoft\Internet Explorer\Main\\Start Page Redirect Cache => Value deleted successfully.

HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\URLSearchHooks\\ => Value deleted successfully.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EA628000-51FF-433D-2A22-304225D916C7} => Key deleted successfully.

HKCR\CLSID\{EA628000-51FF-433D-2A22-304225D916C7} => Key deleted successfully.

HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} => Key deleted successfully.

HKCR\Wow6432Node\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} => Key deleted successfully.

HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9} => Key deleted successfully.

HKCR\Wow6432Node\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9} => Key deleted successfully.

HKLM\Software\Wow6432Node\MozillaPlugins\@java.com/DTPlugin,version=10.55.2 => Key deleted successfully.

C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll => Moved successfully.

HKLM\Software\Wow6432Node\MozillaPlugins\@java.com/JavaPlugin,version=10.55.2 => Key deleted successfully.

C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll => Moved successfully.

C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll not found.

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\dgohhalecmoicdpmcfejjpoiinemgnol directory not found.

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\lpmfcgjjpaapfhpadmgodkaibnebnlnc directory not found.

HKLM\SOFTWARE\Policies\Google => Key deleted successfully.

e9f32388 => Service deleted successfully.

getbus => Service deleted successfully.

xhunter1 => Service deleted successfully.

 

 

The system needed a reboot. 

 

==== End of Fixlog ====

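The fixlist above is a list of autostart entries in the format FRST prints. The following is an added example, neither FRST's own code nor the helper's script: it parses lines of that shape and flags the same traits the helper marked ATTENTION (launch points under a Temp folder, tasks with no task file, services whose image is gone, a hidden Wscript launch, binaries with no publisher name, MountPoints2 autorun hooks). The sample lines are copied from the fixlist in this thread; the names `Entry`, `parse_line` and `triage` are my own.

```python
"""Triage of autostart entries in the FRST fixlist format.

Added example for this thread; it is neither FRST's own code nor anything the
helper posted. It parses the line shapes used in the fixlist above (Task:,
...\Run:, MountPoints2:, Startup:, S2/S3 services, bare file paths) and reports
the traits the helper marked "<==== ATTENTION". Other line shapes are skipped.
"""
import re
from dataclasses import dataclass

TEMP_MARKER = "\\appdata\\local\\temp\\"
SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsf")
# Tail after "=>": 'target [size date] (Vendor) <==== ATTENTION'; only the target is
# mandatory. vendor == "" means FRST printed "()" (no company name in the binary).
TAIL_RE = re.compile(r"(?P<target>.*?)(?:\s+\[\d[^\]]*\])?(?:\s*\((?P<vendor>[^()]*)\))?"
                     r"\s*(?:<=+\s*ATTENTION)?\s*$")
TASK_RE = re.compile(r"^Task: (?:\{[0-9A-Fa-f-]+\} - )?(?P<name>.+?)(?:\s+No Task File.*)?$")
RUN_RE = re.compile(r"\\Run: \[(?P<name>[^\]]+)\]")
MOUNT_RE = re.compile(r'MountPoints2: \{(?P<name>[^}]+)\} - "(?P<target>.+)"')
SERVICE_RE = re.compile(r"^S[0-4] (?P<name>[^;]+); (?P<target>.+)$")

# Constructed sample: a subset of the fixlist lines posted in this thread.
SAMPLE_FIXLIST = r"""
Task: {3993AF5B-B3D7-40BC-B9D6-DAE1464C9D8E} - \Upd Inst-S-5153193369 No Task File <==== ATTENTION
Task: {5E2431BA-E1D7-4123-993C-0FE0AB2BF585} - System32\Tasks\0 => Iexplore.exe  <==== ATTENTION
Task: {725C9621-E9C2-4884-A87A-F217CFA75775} - System32\Tasks\4628 => Wscript.exe C:\Users\user\AppData\Local\Temp\launchie.vbs //B <==== ATTENTION
Task: {FA653ADE-8C41-47BF-B1D4-6A9ADF1609B4} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2013-06-26] (Google Inc.)
HKLM-x32\...\Run: [sunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [254336 2013-07-02] (Oracle Corporation)
HKU\S-1-5-21-1375052093-4268391962-1033398323-1001\...\Run: [CrashHandle] => C:\Users\user\AppData\Local\Temp\RarSFX3\SystemWhileIdle.exe [233984 2014-05-03] () <===== ATTENTION
HKU\S-1-5-21-1375052093-4268391962-1033398323-1001\...\MountPoints2: {3867d810-4370-11e2-be6f-50465d598758} - "F:\setup.exe"
Startup: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.lnk
C:\Users\user\bmmqu\70124.vbs
S2 e9f32388; "C:\WINDOWS\system32\rundll32.exe" "c:\progra~2\gssupp~1\AssistantSvc.dll",service
S3 getbus; \??\C:\Users\user\AppData\Local\Temp\getbus.sys [X]
"""


@dataclass(frozen=True)
class Entry:
    kind: str       # task | run | mountpoint | startup | file | service
    name: str
    target: object  # str command/file the entry launches, or None if none was printed
    reasons: tuple  # empty tuple means nothing suspicious was seen


def _reasons(kind, target, vendor, raw):
    low = (target or "").lower()
    out = []
    if "no task file" in raw.lower():
        out.append("scheduled task registered but its task file is missing")
    if raw.endswith("[X]"):
        out.append("service registered but its image file is missing")
    if TEMP_MARKER in low:
        out.append("launches from the user's Temp folder")
    if re.search(r"\b[wc]script\.exe\b", low) and "//b" in low:
        out.append("script host started in batch (hidden) mode")
    if low.endswith(SCRIPT_EXT) and "\\users\\" in low:
        out.append("script file inside a user profile")
    if vendor == "":
        out.append("binary carries no publisher name")
    if kind == "task" and target and not re.match(r"^[a-z]:\\", low):
        out.append("task command has no full path")
    if kind == "mountpoint":
        out.append("removable-media autorun handler in MountPoints2")
    if kind == "startup" and low.endswith(".lnk"):
        out.append("Startup-folder shortcut; its target must be resolved separately")
    if kind == "service" and "rundll32" in low:
        out.append("service runs a DLL through rundll32.exe")
    return tuple(out)


def parse_line(line):
    """Return an Entry for a recognised fixlist line, None for anything else."""
    raw = line.strip()
    head, sep, tail = raw.partition(" => ")
    target = vendor = None
    if sep:
        m = TAIL_RE.match(tail)
        target, vendor = m.group("target"), m.group("vendor")
    if head.startswith("Task: "):
        kind, name = "task", TASK_RE.match(head).group("name")
    elif (m := RUN_RE.search(head)):
        kind, name = "run", m.group("name")
    elif (m := MOUNT_RE.search(raw)):
        kind, name, target = "mountpoint", m.group("name"), m.group("target")
    elif raw.startswith("Startup: "):
        kind, name, target = "startup", raw[9:], raw[9:]
    elif (m := SERVICE_RE.match(raw)):
        kind, name = "service", m.group("name")
        target = re.sub(r"\s*\[X\]$", "", m.group("target")).replace("\\??\\", "")
    elif re.match(r"^[A-Za-z]:\\", raw):
        kind, name, target = "file", raw.rsplit("\\", 1)[-1], raw
    else:
        return None
    return Entry(kind, name, target, _reasons(kind, target, vendor, raw))


def triage(text):
    """Parse every recognised line; entries with non-empty reasons deserve a look."""
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


if __name__ == "__main__":
    for e in triage(SAMPLE_FIXLIST):
        print("ATTENTION" if e.reasons else "ok", e.kind, e.name, *e.reasons, sep="  ")
```

On the sample, only the Google Update task and the Java updater Run entry come back clean; every other line carries at least one reason, matching the helper's ATTENTION marks.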

  • Root Admin

Please go into Control Panel, Add/Remove and uninstall ALL versions of Java. Then run the following.
 
Please download JavaRa-1.16 and save it to your computer.

  • Double click to open the zip file and then select all and choose Copy.
  • Create a new folder on your Desktop named RemoveJava and paste the files into this new folder.
  • Quit all browsers and other running applications.
  • Right-click on JavaRa.exe in RemoveJava folder and choose Run as administrator to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location and post it in your next reply.

 

Then restart the computer and run the following after the restart.
 
Please download Security Check by screen317 from HERE or HERE.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • If you get "Unsupported operating system. Aborting now", just reboot and try again.
  • A Notepad document should open automatically called checkup.txt.
  • Please Post the contents of that document.
  • Do Not Attach It!!!

All versions of Java - uninstall done!

 

JavaRa 

 

JavaRa 1.16 Removal Log.
 
Report follows after line.
 
------------------------------------
 
The JavaRa removal process was started on Wed May 14 16:42:18 2014
 
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-ABCDEFFDCBA}. The error returned was 124.
 
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0001-ABCDEFFDCBA}. The error returned was 124.
 
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0002-ABCDEFFDCBA}. The error returned was 124.
 
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0003-ABCDEFFDCBA}. The error returned was 124.
 
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0004-ABCDEFFDCBA}. The error returned was 124.
 
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0005-ABCDEFFDCBA}. The error returned was 124.
 
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0006-ABCDEFFDCBA}. The error returned was 124.
 
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0007-ABCDEFFDCBA}. The error returned was 124.
 
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0008-ABCDEFFDCBA}. The error returned was 124.
 
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0009-ABCDEFFDCBA}. The error returned was 124.
 
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0010-ABCDEFFDCBA}. The error returned was 124.
 
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0011-ABCDEFFDCBA}. The error returned was 124.
 
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0012-ABCDEFFDCBA}. The error returned was 124.
 
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0013-ABCDEFFDCBA}. The error returned was 124.
 
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0014-ABCDEFFDCBA}. The error returned was 124.
 
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0015-ABCDEFFDCBA}. The error returned was 124.
 
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0016-ABCDEFFDCBA}. The error returned was 124.
 
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0017-ABCDEFFDCBA}. The error returned was 124.
 
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0018-ABCDEFFDCBA}. The error returned was 124.
 
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0019-ABCDEFFDCBA}. The error returned was 124.
 
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0020-ABCDEFFDCBA}. The error returned was 124.
 
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0021-ABCDEFFDCBA}. The error returned was 124.
 
There was an error removing C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0022-ABCDEFFDCBA}. The error returned was 124.
 
Found and removed: SOFTWARE\Classes\CLSID\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
 
Found and removed: SOFTWARE\Classes\CLSID\{5852F5ED-8BF4-11D4-A245-0080C6F74284}
 
Found and removed: SOFTWARE\Classes\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
 
Found and removed: SOFTWARE\Classes\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9}
 
Found and removed: SOFTWARE\Classes\Interface\{5852F5EC-8BF4-11D4-A245-0080C6F74284}
 
Found and removed: SOFTWARE\Classes\MIME\Database\Content Type\application/java-deployment-toolkit
 
Found and removed: SOFTWARE\Classes\TypeLib\{5852F5E0-8BF4-11D4-A245-0080C6F74284}
 
Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
 
Found and removed: SOFTWARE\JavaSoft
 
Found and removed: SOFTWARE\JreMetrics
 
Found and removed: SOFTWARE\MozillaPlugins
 
------------------------------------
 
Finished reporting.
 
 

 

Security Check
 
 Results of screen317's Security Check version 0.99.83  
   x64 (UAC is enabled)  
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:`````````````` 
 Windows Firewall Enabled!  
Windows Defender   
 WMI entry may not exist for antivirus; attempting automatic update. 
`````````Anti-malware/Other Utilities Check:````````` 
  Adobe Flash Player 11.5.502.146 Flash Player out of Date!  
 Google Chrome 33.0.1750.154  
 Google Chrome 34.0.1847.131  
````````Process Check: objlist.exe by Laurent````````  
 Windows Defender MSMpEng.exe 
 Malwarebytes Anti-Malware mbamscheduler.exe   
 Windows Defender MpCmdRun.exe   
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C:  % 
````````````````````End of Log`````````````````````` 
 
 
Malwarebytes' scheduled scan seemed to detect something, but I didn't do anything; awaiting further instructions from you..
 

Yes, the taskbar would occasionally freeze up, and so does Malwarebytes..

 

This would pop up when the computer is booted up.

 

9BusOwx.png

 

 

This one also pops up often..

 

mQSlaIn.png

 

Today's MBAM activity log

 

Malwarebytes Anti-Malware
www.malwarebytes.org
 
 
Update, 14/05/2014 15:56:15, SYSTEM, ADMIN, Scheduler, Malware Database, 2014.5.12.2, 2014.5.14.2, 
Protection, 14/05/2014 15:56:19, SYSTEM, ADMIN, Protection, Refresh, Starting, 
Protection, 14/05/2014 15:56:19, SYSTEM, ADMIN, Protection, Malicious Website Protection, Stopping, 
Protection, 14/05/2014 15:56:19, SYSTEM, ADMIN, Protection, Malicious Website Protection, Stopped, 
Protection, 14/05/2014 15:56:33, SYSTEM, ADMIN, Protection, Refresh, Success, 
Protection, 14/05/2014 15:56:33, SYSTEM, ADMIN, Protection, Malicious Website Protection, Starting, 
Protection, 14/05/2014 15:56:34, SYSTEM, ADMIN, Protection, Malicious Website Protection, Started, 
Protection, 14/05/2014 17:13:11, SYSTEM, ADMIN, Protection, Malware Protection, Starting, 
Protection, 14/05/2014 17:13:11, SYSTEM, ADMIN, Protection, Malware Protection, Started, 
Protection, 14/05/2014 17:13:11, SYSTEM, ADMIN, Protection, Malicious Website Protection, Starting, 
Protection, 14/05/2014 17:13:11, SYSTEM, ADMIN, Protection, Malicious Website Protection, Started, 
Detection, 14/05/2014 17:16:34, user, ADMIN, Protection, Malware Protection, File, PUP.Optional.Cgminer, C:\Users\user\AppData\Local\Temp\RarSFX9\klp10svc.exe, Quarantine, [82c84d04e09bca6c0157ea58ba474fb1]
Detection, 14/05/2014 17:16:34, user, ADMIN, Protection, Malware Protection, File, PUP.Optional.Cgminer, C:\Users\user\AppData\Local\Temp\RarSFX10\klp10svc.exe, Quarantine, [7cce460beb9071c5c692172ba9584eb2]
Detection, 14/05/2014 17:44:16, SYSTEM, ADMIN, Protection, Malicious Website Protection, IP, 217.23.9.122, yuq.me, 52232, Outbound, C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, 
Detection, 14/05/2014 17:44:16, SYSTEM, ADMIN, Protection, Malicious Website Protection, IP, 217.23.9.122, yuq.me, 52232, Outbound, C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, 
Detection, 14/05/2014 17:44:38, SYSTEM, ADMIN, Protection, Malicious Website Protection, IP, 217.23.9.122, yuq.me, 52270, Outbound, C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, 
Detection, 14/05/2014 17:44:38, SYSTEM, ADMIN, Protection, Malicious Website Protection, IP, 217.23.9.122, yuq.me, 52271, Outbound, C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, 
Detection, 14/05/2014 17:44:38, SYSTEM, ADMIN, Protection, Malicious Website Protection, IP, 217.23.9.122, yuq.me, 52273, Outbound, C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, 
Detection, 14/05/2014 17:46:00, SYSTEM, ADMIN, Protection, Malicious Website Protection, IP, 217.23.9.122, yuq.me, 52389, Outbound, C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, 
Detection, 14/05/2014 17:46:22, SYSTEM, ADMIN, Protection, Malicious Website Protection, IP, 217.23.9.122, yuq.me, 52441, Outbound, C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, 
Protection, 14/05/2014 18:51:17, SYSTEM, ADMIN, Protection, Malware Protection, Starting, 
Protection, 14/05/2014 18:51:17, SYSTEM, ADMIN, Protection, Malware Protection, Started, 
Protection, 14/05/2014 18:51:17, SYSTEM, ADMIN, Protection, Malicious Website Protection, Starting, 
Protection, 14/05/2014 18:51:18, SYSTEM, ADMIN, Protection, Malicious Website Protection, Started, 
Detection, 14/05/2014 18:51:29, user, ADMIN, Protection, Malware Protection, File, PUP.Optional.Cgminer, C:\Users\user\AppData\Local\Temp\RarSFX13\klp10svc.exe, Quarantine, [400aa4ad1c5f73c3d97fb88a33ceea16]
Update, 14/05/2014 18:51:31, SYSTEM, ADMIN, Scheduler, Malware Database, 2014.5.14.2, 2014.5.14.3, 
Protection, 14/05/2014 18:51:35, SYSTEM, ADMIN, Protection, Refresh, Starting, 
Protection, 14/05/2014 18:51:35, SYSTEM, ADMIN, Protection, Malicious Website Protection, Stopping, 
Protection, 14/05/2014 18:51:35, SYSTEM, ADMIN, Protection, Malicious Website Protection, Stopped, 
Protection, 14/05/2014 18:51:39, SYSTEM, ADMIN, Protection, Refresh, Success, 
Protection, 14/05/2014 18:51:39, SYSTEM, ADMIN, Protection, Malicious Website Protection, Starting, 
Protection, 14/05/2014 18:51:39, SYSTEM, ADMIN, Protection, Malicious Website Protection, Started, 
Protection, 14/05/2014 20:40:27, SYSTEM, ADMIN, Protection, Malicious Website Protection, Stopping, 
Protection, 14/05/2014 20:40:28, SYSTEM, ADMIN, Protection, Malicious Website Protection, Stopped, 
Protection, 14/05/2014 20:40:28, SYSTEM, ADMIN, Protection, Malware Protection, Stopping, 
Protection, 14/05/2014 20:42:45, SYSTEM, ADMIN, Protection, Malware Protection, Stopped, 
Protection, 14/05/2014 20:42:56, SYSTEM, ADMIN, Protection, Malware Protection, Starting, 
Protection, 14/05/2014 20:42:56, SYSTEM, ADMIN, Protection, Malware Protection, Started, 
Protection, 14/05/2014 20:42:56, SYSTEM, ADMIN, Protection, Malicious Website Protection, Starting, 
Protection, 14/05/2014 20:42:57, SYSTEM, ADMIN, Protection, Malicious Website Protection, Started, 
 
(end)
 
 
Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 14/05/2014
Scan Time: 21:21:17
Logfile: 
Administrator: Yes
 
Version: 2.00.1.1004
Malware Database: v2014.05.14.03
Rootkit Database: v2014.03.27.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Chameleon: Disabled
 
OS: Windows 8.1
CPU: x64
File System: NTFS
User: user
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 303666
Time Elapsed: 39 min, 57 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Disabled
Rootkits: Disabled
Shuriken: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 5
PUP.Optional.Cgminer, C:\Users\user\AppData\Local\Temp\RarSFX12\klp10svc.exe, Quarantined, [252697bac3b80a2c3d24f052a75ae51b], 
PUP.Optional.Cgminer, C:\Users\user\AppData\Local\Temp\RarSFX4\klp10svc.exe, Quarantined, [6dde71e084f796a0273a63df728fb34d], 
PUP.Optional.Cgminer, C:\Users\user\AppData\Local\Temp\RarSFX5\klp10svc.exe, Quarantined, [e06b66eb4734c274e57c21213cc56b95], 
PUP.Optional.Superfish.A, C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_www.superfish.com_0.localstorage, Quarantined, [aba05ef3314a61d589c77b041ce67a86], 
PUP.Optional.Superfish.A, C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_www.superfish.com_0.localstorage-journal, Quarantined, [3b106be6d4a790a6143c95ead92954ac], 
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)
 
Computer has been rebooted after the scan.

  • Root Admin

Please download and run the following.

 

Create an Autoruns Log:

  • Please download Sysinternals Autoruns from here.
  • Save Autoruns.exe to your desktop and double-click it to run it.
  • Once it starts, please press the Esc key on your keyboard.
  • Now that scanning is stopped, click on the Options button at the top of the program and select Verify Code Signatures
  • Once that's done press the F5 key on your keyboard, this will start the scan again, this time let it finish.
  • When it's finished, please click on the File button at the top of the program and select Save and save the Autoruns.arn file to your desktop and close Autoruns.
  • Right click on the Autoruns.arn file on your desktop and hover your mouse over Send To and select Compressed (zipped) Folder
  • Attach the Autoruns.zip folder you just created to your next reply


  • Root Admin

Please review the following link that shows how to run an elevated admin command prompt to run some tasks.
How to Open an Elevated Command Prompt in Windows 8

Once you have an elevated admin command prompt open please type the following exactly and press the Enter key after each line. If you get an error let me know.
 

REG DELETE "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run" /v "InstallValidator.exe.FA87EC44_C38F_4148_93A1_FF4A64A2B707" /f
REG DELETE "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run" /v "System Idle" /f
REG DELETE "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /v "Java(tm) Plug-In 2 SSV Helper" /f
REG DELETE "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /v "Java(tm) Plug-In SSV Helper" /f

After that then run the following and restart the computer and post back the log.

 

Please download the attached fixlist.txt file and save it to the Desktop.
NOTE: It's important that both files, FRST or FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.
 

fixlist.txt


1st step done

 

fp2UAnO.png

 

Computer has been rebooted.

 

2nd step

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 17-05-2014
Ran by user at 2014-05-17 20:04:39 Run:2
Running from C:\Users\user\Desktop
Boot Mode: Normal
==============================================
 
Content of fixlist:
*****************
c:\program files (x86)\common files\java
c:\program files (x86)\java
c:\users\user\appdata\local\temp\rarsfx16
c:\users\user\appdata\local\temp\rarsfx16\systemwhileidle.exe
 
 
 
*****************
 
c:\program files (x86)\common files\java => Moved successfully.
c:\program files (x86)\java => Moved successfully.
c:\users\user\appdata\local\temp\rarsfx16 => Moved successfully.
"c:\users\user\appdata\local\temp\rarsfx16\systemwhileidle.exe" => File/Directory not found.
 
==== End of Fixlog ====
 
It didn't require a reboot. Launched Task Manager; unwanted processes are still running.
 
EvxEGad.png
 
XJEx0hS.png
 
Noticed that most of these processes are running from c:\users\user\appdata\local\temp\. SystemWhileIdle.exe has its own folders like rarsfx17 and so on..
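The MBAM activity log posted earlier ("Detection, ..." lines) and the scan report's "Files:" entries are plain comma-separated records, and the observation in the post above that the same klp10svc.exe keeps turning up in fresh RarSFXnn folders under Temp is exactly the kind of pattern worth pulling out of those logs mechanically. The following Python is an added example written for this thread; it is not a Malwarebytes tool and was not posted by any participant. It parses a constructed sample made of a few lines in the same shape as the logs above, counts detections per threat name, lists files under AppData\Local\Temp, lists blocked outbound connections with the process responsible, and flags file names that were detected in more than one Temp sub-folder. The function and class names (`parse_line`, `triage`, `respawn_suspects`, `FileDetection`, `NetworkDetection`) are the example's own.

```python
"""Triage helper for Malwarebytes Anti-Malware 2.x log lines.

Added example for this thread; not a Malwarebytes tool and not posted by
anyone in the thread. It assumes the two comma-separated layouts seen in
the posted logs: activity-log "Detection, ..." lines and scan-report item
lines of the form "<threat>, <path>, <action>, [<32-hex id>],".
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: a handful of lines in the same shape as the logs
# posted in the thread (not the complete logs).
SAMPLE_LOG = r"""
Protection, 14/05/2014 17:13:11, SYSTEM, ADMIN, Protection, Malware Protection, Started, 
Detection, 14/05/2014 17:16:34, user, ADMIN, Protection, Malware Protection, File, PUP.Optional.Cgminer, C:\Users\user\AppData\Local\Temp\RarSFX9\klp10svc.exe, Quarantine, [82c84d04e09bca6c0157ea58ba474fb1]
Detection, 14/05/2014 17:44:16, SYSTEM, ADMIN, Protection, Malicious Website Protection, IP, 217.23.9.122, yuq.me, 52232, Outbound, C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, 
Files: 2
PUP.Optional.Cgminer, C:\Users\user\AppData\Local\Temp\RarSFX12\klp10svc.exe, Quarantined, [252697bac3b80a2c3d24f052a75ae51b], 
PUP.Optional.Superfish.A, C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_www.superfish.com_0.localstorage, Quarantined, [aba05ef3314a61d589c77b041ce67a86], 
"""


@dataclass
class FileDetection:
    threat: str
    path: str
    action: str
    hash_id: str                      # bracketed 32-hex id MBAM attaches to each item
    timestamp: Optional[str] = None   # only activity-log lines carry one


@dataclass
class NetworkDetection:
    timestamp: str
    ip: str
    domain: str
    port: int
    direction: str
    process: str


TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
HASH_RE = re.compile(r"^\[[0-9a-f]{32}\]$")


def _fields(line: str) -> List[str]:
    # MBAM separates fields with ", " and ends most lines with a dangling ",";
    # the paths in these logs contain no commas, which this split assumes.
    fields = [f.strip() for f in line.split(",")]
    while fields and fields[-1] == "":
        fields.pop()
    return fields


def parse_line(line: str):
    """Return a FileDetection, a NetworkDetection, or None for other lines."""
    f = _fields(line)
    if not f:
        return None
    if f[0] == "Detection" and len(f) >= 11:
        if f[6] == "File":
            return FileDetection(threat=f[7], path=f[8], action=f[9],
                                 hash_id=f[10], timestamp=f[1])
        if f[6] == "IP" and len(f) >= 12:
            return NetworkDetection(timestamp=f[1], ip=f[7], domain=f[8],
                                    port=int(f[9]), direction=f[10], process=f[11])
        return None
    # Scan-report item: threat, path, action, [id]
    if len(f) == 4 and HASH_RE.match(f[3]):
        return FileDetection(threat=f[0], path=f[1], action=f[2], hash_id=f[3])
    return None


def parse_log(text: str) -> Tuple[List[FileDetection], List[NetworkDetection]]:
    files, nets = [], []
    for line in text.splitlines():
        rec = parse_line(line)
        if isinstance(rec, FileDetection):
            files.append(rec)
        elif isinstance(rec, NetworkDetection):
            nets.append(rec)
    return files, nets


def respawn_suspects(files: List[FileDetection]) -> Dict[str, List[str]]:
    """File names detected in more than one Temp sub-folder (RarSFX9, RarSFX12, ...).

    A name that keeps reappearing after quarantine means something is still
    dropping it, so the persistence entry, not only the file, has to be found.
    """
    dirs_by_name: Dict[str, set] = {}
    for d in files:
        if TEMP_RE.search(d.path):
            folder, name = d.path.rsplit("\\", 1)
            dirs_by_name.setdefault(name.lower(), set()).add(folder)
    return {n: sorted(ds) for n, ds in dirs_by_name.items() if len(ds) > 1}


def triage(text: str) -> dict:
    files, nets = parse_log(text)
    return {
        "threats": Counter(d.threat for d in files),
        "temp_paths": sorted(d.path for d in files if TEMP_RE.search(d.path)),
        "outbound": sorted({(n.domain, n.ip, n.process.rsplit("\\", 1)[-1])
                            for n in nets if n.direction == "Outbound"}),
        "respawn": respawn_suspects(files),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Feed it a saved MBAM log instead of the constructed sample and the "respawn" entry is the line to read first: a file name that comes back in a new RarSFX folder after each quarantine is why the replies in this thread move on to the Run-key entries and an Autoruns log rather than deleting the files yet again.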

  • Root Admin

Run the following please. Make sure you right click and choose "Run as administrator" and temporarily disable your antivirus.

 

Please Run TFC by OldTimer to clear temporary files:

  • Download TFC from here and save it to your desktop.
  • http://oldtimer.geekstogo.com/TFC.exe
  • Close any open programs and Internet browsers.
  • Double click TFC.exe to run it on XP (for Vista and Windows 7 right click and choose "Run as administrator") and once it opens click on the Start button on the lower left of the program to allow it to begin cleaning.
  • Please be patient as clearing out temp files may take a while.
  • Once it completes you may be prompted to restart your computer, please do so.
  • Once it's finished you may delete TFC.exe from your desktop or save it for later use for the cleaning of temporary files.

 

Then run the FRST fix again but this time go ahead and restart the computer even if not asked and run the FRST and check for ADDITIONS and post back new logs after the restart.


Using the same fixlist.txt as posted by you in the previous post?


This topic is now closed to further replies.