
Cannot open browser infected with WSE Rocket/Greener PC/AppCloudupdater and others



Hello,

 

My daughter downloaded something called Movie Maker Packages. NOT the Windows/microsoft Movie Maker. Now we have several programs we can't remove and we cannot open the browser on that PC. The programs listed that will not allow us to uninstall are:

 

WSE Rocket

Windows Movie Maker Packages

AppClooudUpdater

MyPC Backup

Greener Web

Also listed is a Norton Security Scan, but we don't have Norton.

 

We are running Malware Bytes Pro and Windows Defender and using Windows 8 and Chrome browser.

 

I ran a Hijack this log, but unable to post it since we can't use the browser on that computer. The Hijack This log said we were denied access to the hosts file and lists an 2 R0 entries, an F2 entry, and several 04 entries.

 

Any advice would be greatly appreciated!


Hello,

 

P2P/Piracy Warning:

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

 

Download Farbar Recovery Scan Tool and save it to your desktop.

 

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.


Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

 

Kevin...


Thanks so much for your reply. We tried downloading the Farbar Recovery Scan Tool, but it would not run. It gives an error message that says "Farbar Recovery Scan Tool has stopped working. A problem caused the program to stop working correctly. Windows will close the program and notify you if a solution is available." Any suggestions?


Please download RogueKiller and save it to your desktop from the following link: http://www.bleepingcomputer.com/download/roguekiller/

 


Quit all running programs.
For Windows XP, double-click to start.
For Vista or Windows 7/8, right-click on the program and select Run as Administrator to start, and when prompted allow it to run.
Read and accept the EULA (End User License Agreement).
Click Scan to scan the system.
When the scan completes, close the program. Don't Fix anything!
Post back the report which should be located on your desktop.

 

Kevin...


Thanks so much for your help. When I downloaded it I did not see an option to run as administrator, but I ran it anyway. This is what the report says:

 

RogueKiller V9.0.2.0 [Jun  3 2014] by Adlice Software
 
Operating System : Windows 8.1 (6.3.9200 ) 64 bits version
Started in : Normal mode
User : Zachary [Admin rights]
Mode : Scan -- Date : 06/13/2014  22:34:59
 
¤¤¤ Bad processes : 0 ¤¤¤
 
¤¤¤ Registry Entries : 8 ¤¤¤
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskMgr : 0  -> FOUND
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0  -> FOUND
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskMgr : 0  -> FOUND
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0  -> FOUND
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> FOUND
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> FOUND
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> FOUND
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> FOUND
 
¤¤¤ Scheduled tasks : 4 ¤¤¤
[suspicious.Path] AppCloudUpdater.job -- C:\Users\Zachary\AppData\Roaming\APPCLO~1\UPDATE~1\UPDATE~1.EXE (/Check) -> FOUND
[suspicious.Path] Rocket Updater.job -- C:\Users\Zachary\AppData\Roaming\ROCKET~1\UPDATE~1\UPDATE~1.EXE (/Check) -> FOUND
[suspicious.Path] \\AppCloudUpdater -- C:\Users\Zachary\AppData\Roaming\APPCLO~1\UPDATE~1\UPDATE~1.EXE (/Check) -> FOUND
[suspicious.Path] \\Rocket Updater -- C:\Users\Zachary\AppData\Roaming\ROCKET~1\UPDATE~1\UPDATE~1.EXE (/Check) -> FOUND
 
¤¤¤ Files : 0 ¤¤¤
 
¤¤¤ HOSTS File : 0 ¤¤¤
 
¤¤¤ Antirootkit : 0 ¤¤¤
 
¤¤¤ Web browsers : 1 ¤¤¤
[PUP][CHROME:Addon] Default : Amazon 1Button App for Chrome [pbjikboenpfhbbejgkoklgkhjpfogcam] -> FOUND
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST1000LM014-1EJ164 +++++
--- User ---
[MBR] fd9c45f893067b4140b808bdc8664c76
[bSP] f5d2fdebf049248a4e68d20ee572f3c3 : Unknown MBR Code
Partition table:
0 - [XXXXXX] UNKNOWN (0x0) [VISIBLE] Offset (sectors): 1 | Size: 2097151 MB
User = LL1 ... OK
User = LL2 ... OK
 
+++++ PhysicalDrive1: SD Card +++++
--- User ---
[MBR] fe4be206df91af37a17024a0dcbb4245
[bSP] 2a312c3a68583d38e22ec1469c9d3248 : Unknown MBR Code
Partition table:
0 - [ACTIVE] FAT16 (0x4) [VISIBLE] Offset (sectors): 95 | Size: 120 MB
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )
 
 
============================================
RKreport_SCN_06132014_223135.log
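The RogueKiller report above groups its findings into four indicator classes: policy values under Policies\System (PUM.Policies), hidden desktop icon flags (PUM.DesktopIcons), scheduled tasks whose action runs from AppData\Roaming (suspicious.Path), and a browser add-on. The script below is an added example, not part of this thread and not from the Malwarebytes helper or from RogueKiller; it is a read-only PowerShell audit of the same indicator classes plus the two things the HijackThis log mentioned (O4 Run entries and the unreadable hosts file). It assumes an elevated PowerShell prompt on Windows 8 or later, where Get-ScheduledTask exists. Two points worth knowing when reading such a report: RogueKiller flags the DisableTaskMgr and DisableRegistryTools values when they merely exist, and only a non-zero value actually blocks Task Manager or regedit (the log shows 0 for both); and the two CLSIDs under HideDesktopIcons are the Computer icon and the user's files folder, settings a user can legitimately change, which is why they are labelled PUM rather than malware.

```powershell
# Added example, not from the thread or from the helper's instructions: a read-only
# PowerShell audit of the indicator classes RogueKiller reported above.
# Run from an elevated PowerShell prompt on Windows 8 or later. It changes nothing.

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding {
    param([string]$Category, [string]$Location, [string]$Detail)
    $script:findings.Add([pscustomobject]@{
        Category = $Category; Location = $Location; Detail = $Detail
    })
}

# 1. Policies\System restrictions. RogueKiller reports PUM.Policies when the value merely
#    exists; only a non-zero value actually blocks Task Manager or regedit. The log above
#    showed 0 for both, so nothing was being enforced there. The Wow6432Node key is the
#    32-bit (X86) view on a 64-bit system.
$policyKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)
foreach ($key in $policyKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in 'DisableTaskMgr', 'DisableRegistryTools') {
        $value = $props.$name
        if ($null -ne $value) {
            $state = if ($value -ne 0) { 'ENFORCED' } else { 'present, not enforced' }
            Add-Finding 'Policies' "$key\$name" "$value ($state)"
        }
    }
}

# 2. Hidden desktop icons (PUM.DesktopIcons). {20D04FE0-...} is the Computer icon and
#    {59031a47-...} is the user's files folder; a value of 1 hides the icon. Legitimate
#    user settings live here too, which is why RogueKiller labels them PUM, not malware.
$iconSubKey = 'Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel'
foreach ($hive in 'HKLM:', 'HKCU:') {
    $key = "$hive\$iconSubKey"
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        if ($item.GetValue($name) -eq 1) { Add-Finding 'DesktopIcons' "$key\$name" 'hidden' }
    }
}

# 3. Scheduled tasks whose action runs from a user profile (the suspicious.Path entries).
#    Legitimate software rarely schedules updaters out of AppData\Roaming.
$profilePattern = '\\AppData\\(Roaming|Local)\\'
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        if ($action.Execute -and $action.Execute -match $profilePattern) {
            Add-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName)" `
                "$($action.Execute) $($action.Arguments)".Trim()
        }
    }
}
# Legacy .job files (the AppCloudUpdater.job / Rocket Updater.job entries) sit on disk here.
Get-ChildItem -Path "$env:windir\Tasks" -Filter '*.job' -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'LegacyJob' $_.FullName "modified $($_.LastWriteTime)" }

# 4. Run keys launching from a user profile (what HijackThis lists as O4 entries).
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $cmd = [string]$item.GetValue($name)
        if ($cmd -match $profilePattern) { Add-Finding 'RunKey' "$key\$name" $cmd }
    }
}

# 5. The hosts file. HijackThis reported access denied to it, so record whether it can be
#    read at all, who owns it, and any active (non-comment) mappings it contains.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
try {
    $acl = Get-Acl -Path $hostsPath -ErrorAction Stop
    $attrs = (Get-Item -Path $hostsPath -Force -ErrorAction Stop).Attributes
    Add-Finding 'HostsFile' $hostsPath "owner $($acl.Owner); attributes $attrs"
    Get-Content -Path $hostsPath -ErrorAction Stop |
        Where-Object { $_ -notmatch '^\s*(#|$)' } |
        ForEach-Object { Add-Finding 'HostsEntry' $hostsPath $_.Trim() }
} catch {
    Add-Finding 'HostsFile' $hostsPath "unreadable: $($_.Exception.Message)"
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings | Format-Table -AutoSize -Wrap }
```

The script only reads; it deliberately does not delete tasks or registry values, matching the helper's "Don't Fix anything!" instruction, because the same locations hold legitimate settings and a removal decision belongs with the full log in front of whoever is assisting. A scheduled task or Run entry that points into a user profile is the strongest signal in this list; the policy and icon values need the surrounding context before they mean anything.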

RogueKiller has flagged suspicious entries; run the following, please:

 

Download OTL from any of the following links and save to your desktop.

 

http://itxassociates.com/OT-Tools/OTL.com

http://oldtimer.geekstogo.com/OTL.exe

http://www.itxassociates.com/OT-Tools/OTL.scr

 

Double click the OTL icon to start the tool. (Note: If you are running on Vista or Windows 7/8 accept UAC alert)

 


When the window appears, underneath Output at the top, make sure Standard output is selected.
Select Scan all users
Change Drivers to All
Under the Extra Registry section, check Use SafeList
In the lower right corner, checkmark "LOP Check" and checkmark "Purity Check".
Close out all browsers and turn off Security.
Click Run Scan and let the program run uninterrupted.
When the scan is complete, two text files will be created on your Desktop.
OTL.Txt <- this one will be opened
Extras.txt <- this one will be minimized

 

Kevin


Hi Kevin, I ran this and see the two reports, but it won't allow me to post them -- I get an error message that the post is too long. Should I try putting the report in multiple posts, or are there only certain sections you need to see? Thank you very much.


Root Admin, 2 weeks later:

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
