
Hi!

Welcome to Malwarebytes' Support Forums! I am Blackbird and I will help you remove any malware that might be present on your computer.

An important WARNING to all individuals reading this topic:
All advice in this topic was given specifically for this user and this computer!! Performing instructions given by me in this topic on other computers may harm your computer's infrastructure and can cause serious damage to them!!
Please don't perform the steps given by me or other Helpers in this topic when you are not the original Topic Starter, but start your own topic with a question for help. You will get help from a trained and qualified Helper to clean up your computer from any present malware when you do so.


General rules:
  • From now on, don't use this computer anymore to access your bank account or any other serious business you have to log in for, until I've told you your computer is clean from malware.
  • Be patient waiting for my answer. I'm doing the best I can to answer logs as soon as possible, but I'm handling multiple topics at the same time. Please feel free to remind me of your topic by sending a link to it by private message if I haven't gotten back to you after 24 hours.
  • Don't change anything on your computer in the period I'm helping you, except when I tell you to do so. So don't add/remove any software (programs, drivers, etc.) and don't change any hardware. If you really need to change something that can't wait, please inform me directly, by posting it in this topic or - if private - send me a private message containing an explanation of the changes made by you. This gives me the possibility to give you good advice.


Rules about advice from me:
  • The Helpers active on this board first got a full training in removing malware and providing support to people who got infected. They were also trained to resolve any problems caused by malware infections. Please use the programs I provide to you only when under supervision of a trained Helper, because using these programs without supervision can cause damage to your computer.
  • It's possible that your virus scanner, anti-spyware program or any other malware protection program or policy tries to block one or more of the programs provided by us. If that is the case, please always allow those programs to run and/or allow the provided changes to be made. If needed to run our tools properly, temporarily disable your anti-malware programs.
  • Always Save tools provided by me to your Desktop, unless I give you other instructions. Don't ever run tools directly from the internet, because this can stop them from working properly. Also never save tools to any other locations than your Desktop.
  • If you have any problems while following my instructions, stop there and tell me the exact nature of the issue.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • You can check here if you're not sure if your computer is 32-bit or 64-bit.



Rules about posting results:

  • Always copy/paste the logfiles in your replies completely. If a logfile doesn't fit into one post, please add the logfile as an attachment instead. If this still won't work, please inform me.
  • Never change something in the logfiles!! Include them in your posts as they were provided by the tools. This way I'll get a clear view on your system's situation. If you change the logfiles, it will take more time to clean up your computer.
  • Don't post logs using CODE, QUOTE or FONT tags. Just post them as direct text.


Things I want you to do before performing the steps below:
  • Please enable your system to show hidden files: How to see hidden files in Windows.
  • Make sure you're subscribed to this topic. Click on the Follow This Topic button at the top right of this page, make sure that the Receive Notification box is checked and that it is set to Instantly.
  • Even though we do the best we can to help you, removing malware includes risks. Therefore I advise you to back up all of your important files to a CD/DVD, external drive or flash drive. For instructions/help, take a look here.



-------------------------------------------------------------------------------------------------------------------------------------------------------
Thanks in advance for keeping the above rules in mind. :)
Maybe they look like unnecessary rules, but practice teaches us they are needed to help.

Now, let's continue with the steps you need to do:
-------------------------------------------------------------------------------------------------------------------------------------------------------

1. We need to temporarily disable any cd-emulators active on your computer, as they can impede the interpretation of logfiles provided by our tools.

  • Download Defogger and save it to your Desktop.
  • Right-click Defogger.exe and select Run as Administrator.
  • When the program has opened, click the Disable button.
  • When Defogger asks for a confirmation, click Yes.
  • Wait until you get the "Finished" message. Click OK.
  • When Defogger asks you to restart the system, please allow the program to do so immediately.


  • If an error occurred while using Defogger, look for a file called "defogger_disable.txt", which should be located on your Desktop. Post the contents of this file into your next reply.
  • You can enable the cd-emulator software again by running Defogger again and clicking the "Re-enable" button. Only do this once I have told you your computer is clean again.


2. Download AdwCleaner and save it to your Desktop.
  • Close all open windows.
  • Right-click AdwCleaner.exe and select Run as Administrator.
  • Click the Scan button.
  • When the scan has finished, please click the Report button and save the logfile that opens to the Desktop.
  • Post the contents of this logfile into your next reply.



3. Download Malwarebytes' Anti-Malware and save it to your Desktop.
If you already have Malwarebytes' Anti-Malware installed on your computer, please go to step 3-A.



3-A. Start Malwarebytes' Anti-Malware.

  • On the Dashboard tab, click the Update Now button, to update the definitions to the latest version.
  • Then click the Scan tab. Select Custom Scan and click the Start Scan button.
  • In the window that appears, check the box next to Scan for Rootkits. Also, select all drives, except for CD/DVD-drives. After you have done this, click Start Scan.
  • Follow the instructions given by Malwarebytes' Anti-Malware.
  • If any items were found during the scan process, Malwarebytes' Anti-Malware will ask you what you want to do with those items. Please quarantine all items.
  • It's possible the program asks you for permission to restart the computer. If so, please allow MBAM to do so immediately.
  • Save the logfile in txt-format and copy/paste it in your next reply.
  • Note: If you can't find the logfile, look at the "History" tab. Select the most recent logfile (you can see the creation date in the log's title).


4. Please read and perform the steps described on this page: I'm infected - What do I do now?.
Post the logfile from Farbar Recovery Scan Tool into your next reply.

5. Download GMER Rootkit Scanner and save it to your Desktop.
NOTE: Windows 8 users can skip this step. GMER Rootkit Scanner isn't compatible with Windows 8. Don't run it.
  • Right-click the GMER executable file (whose name will contain 8 digits/characters) and select Run as Administrator.
  • If GMER warns you about possible rootkit activity and asks you to scan for rootkits, DON'T allow GMER to do so.
  • Under "Files", put a checkmark next to Quick Scan.
  • Remove the checkmark next to Show all.
  • Now, click the Scan button.
  • Note: This scan often provides False Positives in the scan results. Never fix anything found by GMER, unless I instructed you to do so!
  • When the scan has finished, click Save and save the log to your Desktop.
  • Post GMER's logfile into your next reply.



6. Please provide me a detailed description of any computer problems you're facing, together with the logfiles mentioned in steps 1 - 6.

Good luck! :)


Hi Blackbird,

Thanks for your reply.

I did steps 1-6 and attached the logs in this reply.

 

My computer's problem is that CPU and memory can easily go up to 100% without any running program.

I checked the Task Manager. There are some dllhst3g.exe *32, dvdupgrad.exe ... processes running with a lot of memory and CPU.

Please help me to check the logs.

 

Thanks

 

Tom

GMER.log

FRST.txt

Addition.txt

scanHistoryLog.txt

AdwCleanerS1.txt

defogger_disable.log


Hi,

 

There's a lot to do. :)

 

From now on, please include logfiles by using copy/paste instead of adding them as attachments. Only add as an attachment when a logfile is too big to fit in one reply. Thanks in advance.

 

1. Just a question: Do you know this program?: C:\Program Files (x86)\Baofeng. Please tell me in your next reply.

 

2. Download RKill and save it to your Desktop.

  • Right-click RKill.exe and select Run as Administrator.
  • If a Windows Security prompt shows up, please allow the program to start.
  • The program will start immediately with its tasks. When the program has finished, a logfile will appear.
    Please copy the contents of this logfile in your next reply.

 

3. Start NotePad.

  • Paste the following text into the NotePad file:

      Windows Registry Editor 4.00

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "BaiduYunGuanjia"=-
      [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
      "BaiduYunGuanjia"=-

  • Go to File > Save as...
  • At "File type" choose All files
  • In the "File name" field, type: fix.reg
  • Save it to your Desktop.
  • Double-click fix.reg and allow Windows to 'add the changes to the Windows registry'.
  • Tell me in your next reply if this was done successfully.

 

4. Download fixlist.txt and make sure you save it in the same directory as FRST.exe or FRST64.exe.

 

5. Start Farbar Recovery Scan Tool by right-clicking it and selecting Run as Administrator.

  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called fixlog.txt. Please include this logfile in your next reply.

 

6. Please go to VirusTotal
Upload this file: C:\Users\Joe\Downloads\Attachments_201511.zip
Please upload the results of the scan - when finished - in a txt-file as an attachment in your next reply.
Also do this with the following files:

  • C:\Users\Joe\Downloads\Lady Riva    .480.mp4
  • C:\Users\Joe\Downloads\RUBBER SISTERS.720 (1).mp4
  • C:\Users\Joe\Downloads\Holiday.rar

 
7. Delete fixlist.txt from your computer.
 
8. Please go to VirusTotal
Upload this file: C:\Users\Joe\Downloads\Attachments_201511.zip
Please upload the results of the scan - when finished - in a txt-file as an attachment in your next reply.
Also do this with the following files:
  • C:\Users\Joe\Downloads\Lady Riva    .480.mp4
  • C:\Users\Joe\Downloads\RUBBER SISTERS.720 (1).mp4
  • C:\Users\Joe\Downloads\Holiday.rar




-- Step 9 below is OPTIONAL. It might improve your system's speed. The entries that will be disabled by this step are NOT malware related!

9. Please press the Windows Key + R.

  • In the window that appears, type: msconfig and press the ENTER key.
  • MsConfig will open. Now navigate to the StartUp tab.
  • If you want, you can disable these entries by removing the checkmark on the left:
    • Adobe ARM
    • ASUSPRP
    • BrStsMon00
    • ControlCenter4
    • Google Update
    • IndexSearch
    • ISUSPM
    • PaperPort PTD
    • PDF5 Registry Controller
    • PDFHook
    • PPort12reminder

  • Click Apply and click OK to exit MsConfig.
  • When it asks for a restart, please allow.

 

10. Start Malwarebytes' Anti-Malware.

  • On the Dashboard tab, click the Update Now button, to update the definitions to the latest version.
  • Then click the Scan tab. Select Custom Scan and click the Start Scan button.
  • In the window that appears, check the box next to Scan for Rootkits. Also, select all drives, except for CD/DVD-drives. After you have done this, click Start Scan.
  • Follow the instructions given by Malwarebytes' Anti-Malware.
  • If any items were found during the scan process, Malwarebytes' Anti-Malware will ask you what you want to do with those items. Please quarantine all items.
  • It's possible the program asks you for permission to restart the computer. If so, please allow MBAM to do so immediately.
  • Save the logfile in txt-format and copy/paste it in your next reply.
  • Note: If you can't find the logfile, look at the "History" tab. Select the most recent logfile (you can see the creation date in the log's title).

 
11. Please perform a new scan with Farbar Recovery Scan Tool.
Post the results into your next reply.
 
12. Please tell me what problems you're still facing and also please post the logfiles/answers from/to:
  • the question in step 1
  • RKill
  • Farbar Recovery Scan Tool fixlist.txt
  • the results from the several files at VirusTotal
  • Farbar Recovery Scan Tool - New scan
  • Malwarebytes' Anti-Malware scan

fixlist.txt


Hi Blackbird,

Thanks for your reply.

1. This is just an empty directory. I just deleted it.

2. The log is

Rkill 2.6.9 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2015 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 01/02/2015 06:36:12 PM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * Windows Defender Disabled

   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001

Checking Windows Service Integrity:

 * Windows Defender (WinDefend) is not Running.
   Startup Type set to: Manual

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * No issues found.

Program finished at: 01/02/2015 06:36:27 PM
Execution time: 0 hours(s), 0 minute(s), and 15 seconds(s)

 

3. I got the following error:

Cannot import fix.reg: The specified file is not a registry script. You can only import binary registry files from within the register editor.

 

4. fixlog.txt has:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 02-01-2015
Ran by Joe at 2015-01-02 18:41:29 Run:1
Running from C:\Users\Joe\Downloads
Loaded Profile: Joe (Available profiles: Joe)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
CustomCLSID: HKU\S-1-5-21-2428412701-502081269-2646495071-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf> (the data entry has 251 more characters). <==== Poweliks?
2014-03-10 01:11 - 2014-01-07 20:22 - 00907264 _____ () C:\Windows\PCCleanupContextMenu\x64\ContextMenuHandler.dll
2014-11-09 19:04 - 2014-11-09 19:04 - 00254920 _____ () C:\Users\Joe\AppData\Roaming\baidu\BaiduYunGuanjia\YunShellExt64.dll
HKU\S-1-5-21-2428412701-502081269-2646495071-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf> (the data entry has 243 more characters). <==== Poweliks!
ShellIconOverlayIdentifiers: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  No File
ShellIconOverlayIdentifiers: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  No File
ShellIconOverlayIdentifiers: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  No File
FF Plugin-x32: @baidu.com/YunWebDetectPlugin -> C:\Users\Joe\AppData\Roaming\baidu\BaiduYunGuanjia\npYunWebDetect.dll (Baidu.com, Inc.)
S3 BaiduYunUtility; C:\Users\Joe\AppData\Roaming\baidu\BaiduYunGuanjia\YunUtilityService.exe [86984 2014-11-09] ()
2015-01-02 15:03 - 2009-07-14 00:08 - 00000006 ____H () C:\windows\Tasks\SA.DAT
2014-12-30 15:17 - 2014-11-27 13:15 - 00000000 ____D () C:\Users\Joe\AppData\Roaming\BaiduYunGuanjia
C:\Users\Joe\AppData\Roaming\baidu
C:\Windows\PCCleanupContextMenu
C:\Users\Joe\AppData\Local\Temp\Quarantine.exe
*****************

"HKU\S-1-5-21-2428412701-502081269-2646495071-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" => Key Deleted Successfully.
C:\Windows\PCCleanupContextMenu\x64\ContextMenuHandler.dll => Moved successfully.
C:\Users\Joe\AppData\Roaming\baidu\BaiduYunGuanjia\YunShellExt64.dll => Moved successfully.
HKU\S-1-5-21-2428412701-502081269-2646495071-1000\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 => Key not found.
HKU\S-1-5-21-2428412701-502081269-2646495071-1000\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5} => Key not found.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive1" => Key deleted successfully.
HKCR\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A} => Key not found.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive2" => Key deleted successfully.
HKCR\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => Key not found.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive3" => Key deleted successfully.
HKCR\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524} => Key not found.
"HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive1" => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A} => Key not found.
"HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive2" => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => Key not found.
"HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive3" => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524} => Key not found.
"HKLM\Software\Wow6432Node\MozillaPlugins\@baidu.com/YunWebDetectPlugin" => Key deleted successfully.
C:\Users\Joe\AppData\Roaming\baidu\BaiduYunGuanjia\npYunWebDetect.dll => Moved successfully.
BaiduYunUtility => Service deleted successfully.
C:\windows\Tasks\SA.DAT => Moved successfully.
C:\Users\Joe\AppData\Roaming\BaiduYunGuanjia => Moved successfully.
C:\Users\Joe\AppData\Roaming\baidu => Moved successfully.
C:\Windows\PCCleanupContextMenu => Moved successfully.
C:\Users\Joe\AppData\Local\Temp\Quarantine.exe => Moved successfully.

==== End of Fixlog 18:41:31 ====

6 and 8:

No virus found.

 

I will keep checking my computer status after this fixing procedure.

 

Thanks and Best Regards.

 

Tom

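The CustomCLSID line in the fixlog above is the one worth understanding: a COM LocalServer32 value that launches rundll32.exe with a javascript: URL and mshtml's RunHTMLApplication export instead of pointing at a program file, so the script runs from the registry alone. As an added triage example (not code from the thread, FRST or Malwarebytes), the Python below scans FRST-style log lines for that pattern and shifts the eval() argument back by one character code, which is the obfuscation the quoted entry uses; the sample log text is copied from the fixlist quoted above, and FRST truncates the data, so only a prefix decodes.

```python
"""Triage FRST log lines for Poweliks-style CLSID LocalServer32 persistence.

Added example for this thread (not Farbar's or Malwarebytes' code). A healthy
LocalServer32 value names an executable; here it names rundll32.exe with a
javascript: URL, and the eval() text is obfuscated by adding 1 to each
character code. Shifting back by 1 recovers readable script for the analyst.
"""
import re

# Two lines copied from the fixlist quoted in the thread; the first is the
# suspect entry, the second an ordinary service line that must not be flagged.
SAMPLE_LOG = r"""
CustomCLSID: HKU\S-1-5-21-2428412701-502081269-2646495071-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf> (the data entry has 251 more characters). <==== Poweliks?
S3 BaiduYunUtility; C:\Users\Joe\AppData\Roaming\baidu\BaiduYunGuanjia\YunUtilityService.exe [86984 2014-11-09] ()
"""

# A CLSID\{guid}\localserver32 key whose data runs rundll32 with a javascript: URL.
SUSPECT_RE = re.compile(
    r'(?P<key>HK\S*\\CLSID\\\{(?P<clsid>[0-9A-Fa-f-]{36})\}\\localserver32)'
    r'.*?rundll32\.exe\s+javascript:', re.IGNORECASE)
# The obfuscated eval() argument contains no whitespace; FRST's own
# "(the data entry has N more characters)" note follows after a space.
EVAL_RE = re.compile(r'eval\("([^"\s]*)')


def shift_decode(s, shift=1):
    """Undo the character-code offset used in the sample: chr(code - shift)."""
    return "".join(chr(ord(c) - shift) for c in s)


def triage(log_text):
    """Return one finding dict per suspect line: clsid, key, reason, decoded text."""
    findings = []
    for line in log_text.splitlines():
        m = SUSPECT_RE.search(line)
        if not m:
            continue
        e = EVAL_RE.search(line)
        findings.append({
            "clsid": m.group("clsid").upper(),
            "key": m.group("key"),
            "reason": "rundll32 javascript: URL in LocalServer32 (script persisted in the registry, no file on disk)",
            "decoded_eval_prefix": shift_decode(e.group(1)) if e else "",
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["clsid"], "->", f["decoded_eval_prefix"])
```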

Hi,

 

Right-click the fix.reg file and select Edit.

Replace the "Windows Registry Editor 4.00" line by: REGEDIT4

Save and close the window.

Double-click fix.reg and add the changes to the registry.

 

Tell me if you succeeded to add to the registry this time. Also please tell me if you still got problems with your PC.

 

Good luck. :)

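Why the first import attempt failed, as an added example (not code from the thread or from Malwarebytes): regedit accepts only the headers REGEDIT4 and Windows Registry Editor Version 5.00, so a file whose first line reads "Windows Registry Editor 4.00" is rejected as "not a registry script". This Python script checks the header the way regedit does and dry-runs the fix, showing that each "BaiduYunGuanjia"=- line deletes that value from the named Run key; the sample .reg text is constructed here with the corrected header.

```python
"""Check a .reg script's header and dry-run it (added example, not from the thread).

regedit accepts exactly two headers. REGEDIT4 files are ANSI text, which is
what Notepad on Windows 7 writes by default; "Version 5.00" files are normally
UTF-16, which is why REGEDIT4 is the safe choice for a hand-written fix.
"""
import re

VALID_HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")

# Constructed sample: the fix posted in the thread, with the corrected header.
SAMPLE_FIX_REG = """REGEDIT4

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"BaiduYunGuanjia"=-
[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]
"BaiduYunGuanjia"=-
"""

KEY_RE = re.compile(r'^\[(-?)([^\]]+)\]$')            # [key] creates, [-key] deletes
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')  # "name"=data


def check_header(text):
    """Return None if the first line is a header regedit accepts, else an error string."""
    lines = text.lstrip("\ufeff").splitlines()
    first = lines[0].strip() if lines else ""
    if first in VALID_HEADERS:
        return None
    return "first line %r is not a registry script header; use REGEDIT4" % first


def parse_reg(text):
    """Dry-run a .reg script into (action, key, value_name, data) tuples.

    action is 'create_key', 'delete_key', 'set_value' or 'delete_value'.
    Raises ValueError for a bad header, because regedit refuses such a file.
    """
    err = check_header(text)
    if err:
        raise ValueError(err)
    ops, key = [], None
    for raw in text.lstrip("\ufeff").splitlines()[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = KEY_RE.match(line)
        if m:
            minus, key = m.groups()
            ops.append(("delete_key" if minus else "create_key", key, None, None))
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            name, data = m.group(1).replace('\\"', '"'), m.group(2).strip()
            # "Name"=- tells regedit to delete the value; anything else sets it.
            if data == "-":
                ops.append(("delete_value", key, name, None))
            else:
                ops.append(("set_value", key, name, data))
    return ops


def explain(text):
    """One readable line per operation, for reviewing a fix before importing it."""
    return ["%s %s%s" % (a, k, "\\" + n if n else "") for a, k, n, _ in parse_reg(text)]
```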

  • Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

