gx1990 Posted June 24, 2015 ID:971599 Share Posted June 24, 2015 ive ran malwatebytes a few times but i keep getting the same files poping up, it find them then asks for me to restart my computer. Version: 2.01.6.1022Malware Database: v2015.06.24.04Rootkit Database: v2015.06.22.01Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AUPDATE.EXESecurity.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AUPDATE.EXE|Debugger Any suggestions? Link to post Share on other sites More sharing options...
kevinf80 Posted June 24, 2015 ID:971606 Share Posted June 24, 2015 Hello and welcome to Malwarebytes.org P2P/Piracy Warning: If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here. Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy. Next, Change the download folder setting in the default Browser so all tools we may use are saved to the Desktop: Google Chrome - Click the "Customize and control Google Chrome" button in the upper right-corner of the browser. Choose Settings. at the bottom of the screen click the"Show advanced settings..." link. Scroll down to find the Downloads section and click the Change... button. Select your desktop and click OK. Mozilla Firefox - Click the "Open Menu" button in the upper right-corner of the browser. Choose Options. In the downloads section, click the Browse button, click on the Desktop folder and the click the "Select Folder" button. Click OK to get out of the Options menu. Internet Explorer - Click the Tools menu in the upper right-corner of the browser. Select View downloads. Select the Options link in the lower left of the window. Click Browse and select the Desktop and then choose the Select Folder button. Click OK to get out of the download options screen and then click Close to get out of the View Downloads screen.NOTE: IE8 Does not support changing download locations in this manner. You will need to download the tool(s) to the default folder, usually Downloads, then copy them to the desktop. Next, Follow the instructions in the following link to show hidden files: http://www.bleepingcomputer.com/tutorials/how-to-see-hidden-files-in-windows/ Next, Please open Malwarebytes Anti-Malware. On the Settings tab > Detection and Protection sub tab, Detection Options, tick the box "Scan for rootkits". Under Non-Malware Protection sub tab Change PUP and PUM entries to Treat detections as Malware Click on the Scan tab, then click on Scan Now >> . If an update is available, click the Update Now button. A Threat Scan will begin. With some infections, you may or may not see this message box. 'Could not load DDA driver' Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions. When the scan is complete, click Apply Actions. Wait for the prompt to restart the computer to appear, then click on Yes. After the restart once you are back at your desktop, open MBAM once more. To get the log from Malwarebytes do the following: Click on the History tab > Application Logs. Double click on the scan log which shows the Date and time of the scan just performed. Click Export > From export you have three options: Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your replyText file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to replyXML file (*.xml) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply Recommend you use "Copy to Clipboard, then Right click to your reply > select "Paste" that will copy the log to your reply… If Malwarebytes is not installed follow these instructions first: Download Malwarebytes Anti-Malware to your desktop.Double-click mbam-setup and follow the prompts to install the program.At the end, be sure a checkmark is placed next to the following: Launch Malwarebytes Anti-MalwareA 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.Click Finish. Follow the instructions above.... Next, Download Farbar Recovery Scan Tool and save it to your desktop. Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version. If your security alerts to FRST either accept the alert or disable your security and allow FRST to run... Double-click to run it. When the tool opens click Yes to disclaimer.Press Scan button.It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply. Next, Please download RogueKiller and save it to your desktop from the following link: http://www.bleepingcomputer.com/download/roguekiller/ Quit all running programs.For Windows XP, double-click to start.For Vista,Windows 7/8, Right-click on the program and select Run as Administrator to start and when prompted allow it to run.Read and accept the EULA (End User Licene Agreement)Click Scan to scan the system.When the scan completes select "Report", log will open. Close the program > Don't Fix anything!Post back the report which should also be located here: C:\Programdata\RogueKiller\Logs <-------- W7/8C:\Documents and Settings\All Users\Application Data\RogueKiller\Logs <------XP Let me see those logs in your reply.... Thank you, Kevin... Link to post Share on other sites More sharing options...
gx1990 Posted June 25, 2015 Author ID:971618 Share Posted June 25, 2015 Malwarebytes Anti-Malwarewww.malwarebytes.orgScan Date: 6/24/2015Scan Time: 7:38:49 PMLogfile:Administrator: YesVersion: 2.01.6.1022Malware Database: v2015.06.24.05Rootkit Database: v2015.06.22.01License: FreeMalware Protection: DisabledMalicious Website Protection: DisabledSelf-protection: DisabledOS: Windows 7 Service Pack 1CPU: x86File System: NTFSUser: HP1Scan Type: Threat ScanResult: CompletedObjects Scanned: 368425Time Elapsed: 28 min, 44 secMemory: EnabledStartup: EnabledFilesystem: EnabledArchives: EnabledRootkits: EnabledDeep Rootkit Scan: EnabledHeuristics: EnabledPUP: EnabledPUM: EnabledProcesses: 0(No malicious items detected)Modules: 0(No malicious items detected)Registry Keys: 1Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AUPDATE.EXE, Quarantined, [ee971f9fdcae280ed9f91ea36f95f907],Registry Values: 1Security.Hijack, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\AUPDATE.EXE|Debugger, C:\Program Files\IObit\Advanced SystemCare 8\AutoReactivator.exe, Quarantined, [ee971f9fdcae280ed9f91ea36f95f907]Registry Data: 0(No malicious items detected)Folders: 0(No malicious items detected)Files: 0(No malicious items detected)Physical Sectors: 0(No malicious items detected)(end) i said i couldnt get into the documents and settings but i saved the report to the desktop.FRST.txtAddition.txtRKreport_SCN_06242015_202942.log Link to post Share on other sites More sharing options...
kevinf80 Posted June 25, 2015 ID:971720 Share Posted June 25, 2015 Thanks for those logs, continue as follows please: Please download DeFogger to your desktop.Double click DeFogger to run the tool. The application window will appear Click the Disable button to disable your CD Emulation drivers Click Yes to continue A 'Finished!' message will appear Click OK DeFogger will now ask to reboot the machine - click OKIMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.Do not re-enable these drivers until otherwise instructed. Next, Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into.NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.Run FRST and press the Fix button just once and wait.The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply. Next, Download AdwCleaner by Xplode onto your Desktop. Double click on Adwcleaner.exe to run the tool. Click on Scan Once the scan is done, click on the Clean button. <<<--- Ensure this option is completed You will get a prompt asking to close all programs. Click OK. Click OK again to reboot your computer. A text file will open after the restart. Please post the content of that logfile in your reply. You can also find the logfile at C:\AdwCleaner[sn].txt. Where n in the scan reference numberNext, Please download Junkware Removal Tool to your desktop.Shut down your protection software now to avoid potential conflicts. (re-enable when done)Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".The tool will open and start scanning your system.Please be patient as this can take a while to complete depending on your system's specifications.On completion, a log (JRT.txt) is saved to your desktop and will automatically open.Post the contents of JRT.txt into your next message.Next,Download Microsoft's " Malicious Software Removal Tool" and save direct to the desktopEnsure to get the correct version for your system.... 32 Bit version:https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en64 Bit version:https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=585D2BDE-367F-495E-94E7-6349F4EFFC74&displaylang=en Right click on the Tool, select “Run as Administrator” the tool will expand to the options WindowIn the "Scan Type" window, select Quick ScanPerform a scan and Click Finish when the scan is done. Retrieve the MSRT log as follows, and post it in your next reply: 1) Select the Windows key and R key together to open the "Run" function2) Type or Copy/Paste the following command to the "Run Line" and Press Enter: notepad c:\windows\debug\mrt.log Next, Uninstall all programs related to IOBit or Advanced System Care. <<---- Please complete that step..... Next, Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan" Select scan, when done post the two logs.... Let me see those logs in your next reply.... Thank you, Kevin.... Fixlist.txt Link to post Share on other sites More sharing options...
gx1990 Posted June 25, 2015 Author ID:971784 Share Posted June 25, 2015 i could get rid of everything except IObit Apps Toolbal, i believe that is one of the malware on my computer.Fixlog.txtFRST.txtAddition.txtJRT.txtmrt.log Link to post Share on other sites More sharing options...
gx1990 Posted June 25, 2015 Author ID:971796 Share Posted June 25, 2015 also are the items that are actually from iobit bad? Link to post Share on other sites More sharing options...
kevinf80 Posted June 25, 2015 ID:971811 Share Posted June 25, 2015 You`ve ran FRST fix twice and posted the second run log, hence all entries show as not found. I guess is safe to assume they were removed with the first run.... You have not included the log from AdwCleaner, did you run that scan? I never recommend or advise anyone to use any program related to IOBit, there is historical evidence that IOBit is not trustworthy... make up yout own mind.. The company behind IOBit products was found to be stealing malwarebytes database, although that was back to 2009. They have also been suspected of repeating that action with other security software.Personally I would not trust installing any software from a company that resorts to stealing someone's technology to sell their product. If helping anyone I always prefer all software related to IOBit or Advanced System care is removed.Please see the following links and make up your own mind if you want to keep this on your system. IOBit Steals Malwarebytes' Intellectual PropertyIOBit's Denial of Theft UnconvincingIOBit Theft ConclusionIObit: Trusting Your Antivirus VendorMalwarebytes: IObit Stole Our Signatures DatabaseIObit accused of stealing from Malwarebyteshttp://shanegowland.com/opinions/2012/iobit-is-a-sucky-company/Next,Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into.NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.Run FRST and press the Fix button just once and wait.The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply.Next,Use GeekUninstaller to remove the following programs (instructions follow)nternet Explorer Toolbar 4.7 by SweetPacksIObit Apps Toolbar v7.6Download GeekUninstaller from here: http://www.geekuninstaller.com/download (Choose free version) Save Geek.zip to your Desktop. (Visit the Home page at that link for necessary information)Extract Geek Uninstaller and save to your Desktop. There is no need to install, the executable is portable and can also be run from a USB if required.Run the tool, the main GUI will populate with installed programs list,Left click on Program name to highlight that entry.Select Action from the Menu bar, then Uninstall from there follow the prompts.If Uninstall fails open the "Action" menu one more time and use "Force Removal" optionNext, Scan with ESET Online ScannerThis step can only be done using Internet Explorer, Google Chrome or Mozilla Firefox.Temporary disable your AntiVirus and AntiSpyware protection - instructions here.Please visit ESET Online Scanner website.Click there Run ESET Online Scanner.If using Internet Explorer:Accept the Terms of Use and click Start. Allow the running of add-on.If using Mozilla Firefox or Google Chrome:Download esetsmartinstaller_enu.exe that you'll be given link to. Double click esetsmartinstaller_enu.exe. Allow the Terms of Use and click Start.To perform the scan:Make sure that Remove found threats is unchecked. Scan archives is checked. In Advanced Settings: Scan for potentially unwanted applications, Scan for potentially unsafe applications and Enable Anti-Stealth technology are checked. Under “Enable Stealth Technology select “Change” select any extra drives in that window. Click Start The program will begin to download it's virus database. The speed may vary depending on your Internet connection. When completed, the program will begin to scan. This may take several hours. Please, be patient. Do not do anything on your machine as it may interrupt the scan. When the scan is done, click Finish. A logfile will be created at C:\Program Files (x86)\ESET\ESET Online Scanner. Open it using Notepad.Please include this logfile in your next reply.Don't forget to re-enable protection software!Let me see those logs, also give an update on any remaining issues or concerns...Thank you,Kevin.. Fixlist.txt Link to post Share on other sites More sharing options...
gx1990 Posted June 25, 2015 Author ID:971817 Share Posted June 25, 2015 yes i think they were removed, i did another scan with mab and they wernt there this time, there were 2 files giving me trouble that one that i showed you IObit Apps Toolbal, and another one that i think was removed in one of the things u told me to run, the IObit Apps Toolbal program is still on there tho. and sry about all that the mix up, starting to get a little confused as to which files are which, but this i think is the results of the scan, i always thought iobits malware fighter was inferior to your guy's anyway, but do u have any suggestions about the advanced system care?AdwCleanerS0.txt Link to post Share on other sites More sharing options...
kevinf80 Posted June 25, 2015 ID:971834 Share Posted June 25, 2015 Let me see the logs from reply #7, also give an update on issues/concerns after that... Link to post Share on other sites More sharing options...
gx1990 Posted June 25, 2015 Author ID:971877 Share Posted June 25, 2015 guessing the log.txt is the one i wanted, also do you know any replacements for driver updater, or something similar to advanced system care? if they are as bad as u say they are i dont really wanna use their stuff unless i have too. and ya i was able to get rid of the IObit Apps Toolbar v7.6 by force uninstalling.Fixlog.txtlog.txt Link to post Share on other sites More sharing options...
gx1990 Posted June 25, 2015 Author ID:971879 Share Posted June 25, 2015 and should i just delete all the stuff u had be download? Link to post Share on other sites More sharing options...
kevinf80 Posted June 25, 2015 ID:971886 Share Posted June 25, 2015 One more program to uninstall with GeekUninstaller, WinZip the rest of ESET log entries are ok.... Next, To clean up tools etc: Download "Delfix by Xplode" and save it to your desktop. Or use the following if first link is down: "Delfix link mirror" Double Click to start the program. If you are using Vista or higher, please right-click and choose run as administrator Make Sure the following items are checked: Remove disinfection tools Purge System Restore <--- this will remove all previous restore points and create a fresh point relative to system status at present. Reset system settings Now click on "Run" and wait patiently until the tool has completed. The tool will create a log when it has completed. We don't need you to post this. Any remnant files/logs from tools we have used can be deleted… Next, To re-enable your Emulation drivers, double click DeFogger to run the tool. The application window will appear Click the Re-enable button to re-enable your CD Emulation drivers Click Yes to continue A 'Finished!' message will appear Click OK DeFogger will now ask to reboot the machine - click OKIMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.Your Emulation drivers are now re-enabled. Next, Read the following link to fully understand PC security and best practices, you may find it useful.... http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/#entry2316629 Next, Regarding drivers, I use nothing special, either they come in with Windows updates or I use Manf. website for Video cards, hardware etc. Regarding Advanced System Care, is related to IOBit so I never recommend or trust any software from that company, it just has a very bad history. End of day is your choice what you trust and what you use.... If no remaining issues or concerns are we ok to close out? Thank you, Kevin... Link to post Share on other sites More sharing options...
gx1990 Posted June 26, 2015 Author ID:971903 Share Posted June 26, 2015 yep, nothing on MAB now, thank you for your help. Link to post Share on other sites More sharing options...
kevinf80 Posted June 26, 2015 ID:972000 Share Posted June 26, 2015 Excellent... will close out shortly Take care and surf safe, Kevin... Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted June 30, 2015 Root Admin ID:972993 Share Posted June 30, 2015 Glad we could help. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks! Link to post Share on other sites More sharing options...
Recommended Posts