I'm infected with Utrack


Hello Quickflash123, welcome to Malwarebytes' Malware Removal forum!
 
My name is Adam. I will be assisting you with your malware-related problems.
If you would allow me to call you by your first name I would prefer that.
 
General P2P/Piracy Notice: 
 

If you are using Peer to Peer (P2P) filesharing software such as uTorrent, BitTorrent or similar you must either fully uninstall or completely disable the programme(s) from running whilst receiving assistance at this forum. 
Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.
If you have illegal/cracked/keygen or similar software on the computer, please remove/uninstall the software now and read the policy on Piracy. Failure to do so will also result in your topic being closed.

 
======================================================
 
Please read through the points below to ensure this process moves as quickly and efficiently as possible.

  • Ensure you read through my instructions thoroughly, and carry out each step in the order specified.
  • Please do not run any tools or take any steps other than those I provide for you. Independent efforts may make matters worse, and will affect my ability to provide the best set of instructions for you.
  • Please backup important files before proceeding with my instructions. Malware removal can be unpredictable at times.   
  • If you come across any issues whilst following my instructions, please stop and inform me of the issue in as much detail as possible. Please do not hesitate to ask before proceeding.
  • Topics are locked if no response is made after 4 days. Please inform me if you require additional time to complete my instructions.
  • I will notify you when I believe your computer is free of malware. Please bear in mind, absence of symptoms does not necessarily correlate to absence of malware, so please wait until the "All Clean". 

======================================================
 
Please carry out the instructions below:
 
STEP 1
Malwarebytes Anti-Malware (MBAM)

  • Open Malwarebytes Anti-Malware and click Update Now.
  • Once updated, click the Settings tab, followed by Detection and Protection and tick Scan for rootkits.
  • Click the Scan tab, ensure Threat Scan is selected and click Start Scan.
  • Note: You may see the following message, "Could not load DDA driver". Click Yes, allow your PC to reboot and continue afterwards. 
  • If threats are detected, click Remove Selected. If you are prompted to reboot, click Yes.
  • Upon completion of the scan (or after the reboot), click the History tab.
  • Click Application Logs and double-click the Scan Log.
  • Click Copy to Clipboard and paste the log in your next reply. 
     

STEP 2
Junkware Removal Tool (JRT)

  • Please download Junkware Removal Tool and save the file to your Desktop.
  • Temporarily disable your anti-virus software. For instructions, please refer to the following link.
  • Right-Click JRT.exe and select Run as administrator to run the programme.
  • Follow the prompts and allow the scan to run uninterrupted. 
  • Upon completion, a log (JRT.txt) will open on your desktop.
  • Re-enable your anti-virus software.
  • Copy the contents of JRT.txt and paste in your next reply.
     

STEP 3
AdwCleaner

  • Please download AdwCleaner and save the file to your Desktop.
  • Right-Click AdwCleaner.exe and select Run as administrator to run the programme.
  • Follow the prompts.
  • Click Scan.
  • Upon completion, click Logfile. A log (AdwCleaner[s1].txt) will open. Briefly check the log for anything you know to be legitimate.
  • Ensure anything you know to be legitimate does not have a checkmark under the corresponding tab, and click Cleaning.
  • Follow the prompts and allow your computer to reboot.
  • After the reboot, a log (AdwCleaner[C1].txt) will open. Copy the contents of the log and paste in your next reply.

-- File and folder backups are made for items removed using this tool. Should a legitimate file or folder be removed (otherwise known as a 'false-positive'), simple steps can be taken to restore the item. Please do not overly concern yourself with the contents of AdwCleaner[s1].txt.
 
======================================================

STEP 4
Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

  • MBAM log
  • JRT.txt
  • AdwCleaner[C1].txt

Thanks for helping! You can call me Charlie.

 

MBAM log:

Malwarebytes Anti-Malware

www.malwarebytes.org
 
Scan Date: 02/03/2016
Scan Time: 19:24
Logfile: 
Administrator: Yes
 
Version: 2.2.0.1024
Malware Database: v2016.03.02.04
Rootkit Database: v2016.02.27.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
 
OS: Windows 8.1
CPU: x64
File System: NTFS
User: Santa
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 377402
Time Elapsed: 3 hr, 0 min, 57 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 5
PUP.Optional.PricePeep, C:\Users\Santa\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_static.pricepeep00.pricepeep.net_0.localstorage, Quarantined, [99634042c5d490a6627086893aca3dc3], 
PUP.Optional.PricePeep, C:\Users\Santa\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_static.pricepeep00.pricepeep.net_0.localstorage-journal, Quarantined, [29d381011a7f191d1cb6ff10b153c33d], 
PUP.Optional.CrossRider, C:\Users\Santa\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_d19tqk5t6qcjac.cloudfront.net_0.localstorage, Quarantined, [9567a9d97326de582052adc193715ea2], 
PUP.Optional.CrossRider, C:\Users\Santa\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_d19tqk5t6qcjac.cloudfront.net_0.localstorage-journal, Quarantined, [b04c6e1450493ff77bf7e5891fe51be5], 
PUP.Optional.Amonetize, C:\Users\Santa\AppData\Local\Temp\amipixel.cfg, Quarantined, [9d5ff38f3267a492e107cd614eb726da], 
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)  
 
JRT log:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.3 (02.09.2016)
Operating System: Windows 8.1 x64 
Ran by Santa (Administrator) on 02/03/2016 at 18:57:54.38
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
File System: 1 
 
Successfully deleted: C:\Users\Santa\AppData\Roaming\3909 (Folder) 
 
 
 
Registry: 1 
 
Successfully deleted: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{42851317-120C-4246-B0BA-570232EEE93F} (Registry Key)
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 02/03/2016 at 19:13:31.48
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
 
AdwCleaner log:

# AdwCleaner v5.030 - Logfile created 19/01/2016 at 17:56:44
# Updated 17/01/2016 by Xplode
# Database : 2016-01-17.3 [server]
# Operating system : Windows 8.1  (x64)
# Username : Santa - BONSAI
# Running from : C:\Users\Santa\Desktop\adwcleaner_5.030.exe
# Option : Cleaning
 
***** [ Services ] *****
 
 
***** [ Folders ] *****
 
[-] Folder Deleted : C:\Program Files (x86)\app_setup
[-] Folder Deleted : C:\Program Files (x86)\BearShare Applications
[-] Folder Deleted : C:\Program Files (x86)\MyPCBU
[-] Folder Deleted : C:\Program Files (x86)\webget
[-] Folder Deleted : C:\Program Files (x86)\YourFileDownloaderUpdater
[-] Folder Deleted : C:\Program Files (x86)\Priceless
[-] Folder Deleted : C:\Program Files (x86)\Re-Markable Corp
[-] Folder Deleted : C:\Program Files (x86)\Re-Markable-soft
[!] Folder Not Deleted : C:\Program Files (x86)\YourFileDownloaderUpdater
[-] Folder Deleted : C:\ProgramData\apn
[-] Folder Deleted : C:\ProgramData\ParetoLogic
[-] Folder Deleted : C:\ProgramData\savernet
[-] Folder Deleted : C:\ProgramData\speedypc software
[-] Folder Deleted : C:\ProgramData\LuckyeShoPper
[-] Folder Deleted : C:\ProgramData\ShoPpErMiaster
[-] Folder Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\mipony
[-] Folder Deleted : C:\Users\Santa\AppData\Local\SearchProtect
[-] Folder Deleted : C:\Users\Santa\AppData\Local\Temp\apn
[-] Folder Deleted : C:\Users\Santa\AppData\Local\Temp\Iminent
[-] Folder Deleted : C:\Users\Santa\AppData\Roaming\Advanced System Protector
[-] Folder Deleted : C:\Users\Santa\AppData\Roaming\DigitalSites
[-] Folder Deleted : C:\Users\Santa\AppData\Roaming\DownloadManager
[-] Folder Deleted : C:\Users\Santa\AppData\Roaming\DriverCure
[-] Folder Deleted : C:\Users\Santa\AppData\Roaming\mipony
[-] Folder Deleted : C:\Users\Santa\AppData\Roaming\ParetoLogic
[-] Folder Deleted : C:\Users\Santa\AppData\Roaming\speedypc software
[-] Folder Deleted : C:\Users\Santa\AppData\Roaming\Systweak
[-] Folder Deleted : C:\Users\Santa\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Wajam
[#] Folder Deleted : C:\Windows\SysNative\Tasks\Advanced System Protector
[-] Folder Deleted : C:\Windows\SysWOW64\config\systemprofile\AppData\Local\SafeGuard
 
***** [ Files ] *****
 
[-] File Deleted : C:\Users\Santa\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_ehhlaekjfiiojlddgndcnefflngfmhen_0.localstorage
[-] File Deleted : C:\Users\Santa\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_igdhbblpcellaljokkpfhcjlagemhgjl_0.localstorage
[-] File Deleted : C:\Users\Santa\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_jdkokpcldhneihjdhigfjmoeojkdcbmg_0.localstorage
[-] File Deleted : C:\Users\Santa\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_www.superfish.com_0.localstorage
[-] File Deleted : C:\Users\Santa\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_www.superfish.com_0.localstorage-journal
[-] File Deleted : C:\Users\Santa\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_help.ask.com_0.localstorage
[-] File Deleted : C:\Users\Santa\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_help.ask.com_0.localstorage-journal
[-] File Deleted : C:\Users\Santa\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_st.chatango.com_0.localstorage
[-] File Deleted : C:\Users\Santa\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_st.chatango.com_0.localstorage-journal
[-] File Deleted : C:\Users\Santa\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_static.re-markit00.re-markit.co_0.localstorage
[-] File Deleted : C:\Users\Santa\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_static.re-markit00.re-markit.co_0.localstorage-journal
[-] File Deleted : C:\Users\Santa\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_undeaddies.dl.tb.ask.com_0.localstorage
[-] File Deleted : C:\Users\Santa\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_undeaddies.dl.tb.ask.com_0.localstorage-journal
[-] File Deleted : C:\Users\Santa\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.search.ask.com_0.localstorage
[-] File Deleted : C:\Users\Santa\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.search.ask.com_0.localstorage-journal
[-] File Deleted : C:\Users\Santa\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.superfish.com_0.localstorage
[-] File Deleted : C:\Users\Santa\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.superfish.com_0.localstorage-journal
[-] File Deleted : C:\Users\Santa\AppData\Roaming\Bubble Dock.boostrap.log
[-] File Deleted : C:\Users\Santa\AppData\Roaming\WindApp.boostrap.log
[-] File Deleted : C:\Windows\SysNative\roboot64.exe
 
***** [ DLLs ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Scheduled tasks ] *****
 
[-] Task Deleted : Advanced System Protector
[-] Task Deleted : Digital Sites
[-] Task Deleted : Update Service YourFileDownloader
[-] Task Deleted : amiupdaterExi
[-] Task Deleted : Re-Markable Update
[-] Task Deleted : Update Service YourFileDownloader
 
***** [ Registry ] *****
 
[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\{4D6A5312-AB4D-41AA-8BED-0E019B87CA11}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{26B19FA4-E8A1-4A1B-A163-1A1E46F830DD}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{D879A501-50A7-BEFC-A4C5-32DC6E0CB208}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{261FBF1D-F3B3-2401-2C58-EBC0463C1629}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{813A22E0-3E2B-4188-9BDA-ECA9878B8D48}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{5303FD57-3FDC-F100-A43E-6459D364952A}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{DCABB943-792E-44C4-9029-ECBEE6265AF9}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{E9C229F3-0EB5-31EB-1B8D-AA31E4DFC617}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{84FF7BD6-B47F-46F8-9130-01B2696B36CB}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{261FBF1D-F3B3-2401-2C58-EBC0463C1629}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{261FBF1D-F3B3-2401-2C58-EBC0463C1629}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{261FBF1D-F3B3-2401-2C58-EBC0463C1629}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68B81CCD-A80C-4060-8947-5AE69ED01199}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E6B969FB-6D33-48D2-9061-8BBD4899EB08}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{813A22E0-3E2B-4188-9BDA-ECA9878B8D48}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{EAF749DC-CD87-4B04-B22A-D4AC3FBCB2BC}
[-] Key Deleted : HKCU\Software\1ClickDownload
[-] Key Deleted : HKCU\Software\dsiteproducts
[-] Key Deleted : HKCU\Software\InstallCore
[-] Key Deleted : HKCU\Software\Nosibay
[-] Key Deleted : HKCU\Software\ParetoLogic
[-] Key Deleted : HKCU\Software\SafeGuardApp
[-] Key Deleted : HKCU\Software\Softonic
[-] Key Deleted : HKCU\Software\speedypc software
[-] Key Deleted : HKCU\Software\Store
[-] Key Deleted : HKCU\Software\TornTv Downloader
[-] Key Deleted : HKCU\Software\WEBAPP
[-] Key Deleted : HKCU\Software\webget
[-] Key Deleted : HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}
[-] Key Deleted : HKCU\Software\AppDataLow\Software\Re-Markable
[-] Key Deleted : HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}
[-] Key Deleted : HKLM\SOFTWARE\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}
[-] Key Deleted : HKLM\SOFTWARE\{6791A2F3-FC80-475C-A002-C014AF797E9C}
[-] Key Deleted : HKLM\SOFTWARE\Conduit
[-] Key Deleted : HKLM\SOFTWARE\Iminent
[-] Key Deleted : HKLM\SOFTWARE\ParetoLogic
[-] Key Deleted : HKLM\SOFTWARE\SafeGuardApp
[-] Key Deleted : HKLM\SOFTWARE\speedypc software
[-] Key Deleted : HKLM\SOFTWARE\webget
[-] Key Deleted : HKLM\SOFTWARE\YourFileDownloader
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0A7D6F3C-F2AB-48ED-BE23-99791BFF87D6}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7D7D6742-5B49-4454-9E9B-748E731E741A}_is1
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\346CE134-363D-E5D3-BE43-A903594A3725
[-] Key Deleted : [x64] HKLM\SOFTWARE\Iminent
[-] Key Deleted : HKLM\SOFTWARE\Classes\Installer\Features\C3F6D7A0BA2FDE84EB329997B1FF786D
[-] Key Deleted : HKLM\SOFTWARE\Classes\Installer\Products\C3F6D7A0BA2FDE84EB329997B1FF786D
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\C3F6D7A0BA2FDE84EB329997B1FF786D
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\datamngrCoordinator.exe
 
***** [ Web browsers ] *****
 
[-] [C:\Users\Santa\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Deleted : aaaaaiabcopkplhgaedhbloeejhhankf
 
*************************
 
:: "Tracing" keys removed
:: Winsock settings cleared
 
########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [9932 bytes] ##########
# AdwCleaner v5.037 - Logfile created 02/03/2016 at 19:16:04
# Updated 28/02/2016 by Xplode
# Database : 2016-03-02.1 [server]
# Operating system : Windows 8.1  (x64)
# Username : Santa - BONSAI
# Running from : C:\Users\Santa\Desktop\AdwCleaner.exe
# Option : Clean
 
***** [ Services ] *****
 
 
***** [ Folders ] *****
 
[-] Folder Deleted : C:\ProgramData\{aa5c75a3-5ee5-08cb-aa5c-c75a35eed68d}
 
***** [ Files ] *****
 
[-] File Deleted : C:\Users\Santa\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_static.re-markit00.re-markit.co_0.localstorage
[-] File Deleted : C:\Users\Santa\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_static.re-markit00.re-markit.co_0.localstorage-journal
 
***** [ DLLs ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Scheduled tasks ] *****
 
 
***** [ Registry ] *****
 
[-] Key Deleted : HKCU\Software\WIN
[-] Key Deleted : HKU\S-1-5-21-2652612324-3306134021-1595356588-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\WIN
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\re-markit.co
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\static.re-markit00.re-markit.co
 
***** [ Web browsers ] *****
 
 
*************************
 
:: "Tracing" keys removed
:: Winsock settings cleared
 
*************************
 
C:\AdwCleaner\AdwCleaner[C1].txt - [11466 bytes] - [19/01/2016 17:56:44]
C:\AdwCleaner\AdwCleaner[s1].txt - [10202 bytes] - [19/01/2016 17:47:48]
C:\AdwCleaner\AdwCleaner[s2].txt - [1596 bytes] - [02/03/2016 19:07:19]
 
########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [11687 bytes] ##########
 
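The MBAM and AdwCleaner logs above follow fixed line formats, and the helper's next step depends on what each tool reported as removed versus left behind (the "[!] Folder Not Deleted" entry, for instance). As an added example, not code from Malwarebytes, AdwCleaner or anyone in this thread, this Python script parses both formats into records and lists every detection that was not removed. The log text inside it is constructed to mirror the layouts above with shortened paths and made-up identifiers; the "No Action By User" entry is invented to exercise the follow-up path.

```python
"""Parse the MBAM 2.x and AdwCleaner 5.x log formats pasted in this thread
and list every detection that was NOT removed, so it can be handled in the
next fix. Added example, not code from Malwarebytes, AdwCleaner or this thread."""
import re
from collections import Counter

# Constructed samples that mirror the two log layouts above (shortened paths,
# made-up ids; the "No Action By User" entry is invented for the follow-up path).
MBAM_LOG = r"""
Registry Keys: 0
(No malicious items detected)

Files: 3
PUP.Optional.PricePeep, C:\Users\Santa\AppData\Local\Temp\pricepeep.localstorage, Quarantined, [0123456789abcdef0123456789abcdef], 
PUP.Optional.CrossRider, C:\Users\Santa\AppData\Local\Temp\crossrider.localstorage, No Action By User, [fedcba9876543210fedcba9876543210], 
PUP.Optional.Amonetize, C:\Users\Santa\AppData\Local\Temp\amipixel.cfg, Quarantined, [00112233445566778899aabbccddeeff], 
"""

ADW_LOG = r"""
***** [ Folders ] *****

[-] Folder Deleted : C:\Program Files (x86)\webget
[!] Folder Not Deleted : C:\Program Files (x86)\YourFileDownloaderUpdater
[#] Folder Deleted : C:\Windows\SysNative\Tasks\Advanced System Protector

***** [ Scheduled tasks ] *****

[-] Task Deleted : Update Service YourFileDownloader

***** [ Web browsers ] *****

[-] [C:\Users\Santa\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Deleted : aaaaaiabcopkplhgaedhbloeejhhankf
"""

# MBAM: "<Section>: <count>" headers, then "<family>, <target>, <action>, [<32 hex>],"
MBAM_SECTION = re.compile(r"^([A-Za-z ]+): (\d+)$")
MBAM_ITEM = re.compile(
    r"^(?P<family>[^,]+), (?P<target>.+), (?P<action>[^,\[]+), \[(?P<id>[0-9a-f]{32})\],?$")
# AdwCleaner: "***** [ Section ] *****" headers, then "[flag] <kind> <status> : <target>"
ADW_SECTION = re.compile(r"^\*{5} \[ (.+?) \] \*{5}$")
ADW_ITEM = re.compile(
    r"^\[(?P<flag>[-!#])\] (?P<kind>.+?) (?P<status>Not Deleted|Deleted) : (?P<target>.+)$")


def _parse(text, section_re, item_re):
    """Walk the log line by line, tagging each item with the section it sits in."""
    items, section = [], None
    for line in text.splitlines():
        line = line.rstrip()
        m = section_re.match(line)
        if m:
            section = m.group(1)
            continue
        m = item_re.match(line)
        if m and section is not None:
            items.append({"section": section, **m.groupdict()})
    return items


def parse_mbam(text):
    return _parse(text, MBAM_SECTION, MBAM_ITEM)


def parse_adwcleaner(text):
    return _parse(text, ADW_SECTION, ADW_ITEM)


def families(mbam_items):
    """Detections per MBAM family, e.g. PUP.Optional.CrossRider -> 1."""
    return Counter(it["family"] for it in mbam_items)


def follow_ups(mbam_items, adw_items):
    """Everything a tool found but did not remove; these need a second pass."""
    todo = [f"MBAM {it['section']}: {it['target']} ({it['action']})"
            for it in mbam_items if it["action"] != "Quarantined"]
    todo += [f"AdwCleaner {it['section']}: {it['target']} ({it['status']})"
             for it in adw_items if it["status"] != "Deleted"]
    return todo


if __name__ == "__main__":
    mbam, adw = parse_mbam(MBAM_LOG), parse_adwcleaner(ADW_LOG)
    print("MBAM families:", dict(families(mbam)))
    print("AdwCleaner items parsed:", len(adw))
    for line in follow_ups(mbam, adw):
        print("FOLLOW UP:", line)
```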

Hi Charlie, 
 
Please do the following: 
 
Farbar Recovery Scan Tool (FRST) Scan

  • Right-Click FRST64.exe and select Run as administrator to run the programme.
  • Ensure the Addition.txt box is checked.
  • Click the Scan button and let the programme run.
  • Upon completion, click OK, then OK on the Addition.txt pop up screen.
  • Two logs (FRST.txt & Addition.txt) will now be open on your Desktop. Copy the contents of both logs and paste in your next reply. 

Hi Charlie, 
 
Please do the following:
 
STEP 1
Farbar Recovery Scan Tool (FRST) Script

  • Press the Windows Key + r on your keyboard at the same time. Type Notepad and click OK.
  • Copy the entire contents of the codebox below and paste into the Notepad document.
    start
    CreateRestorePoint:
    HKLM\...\Run: [] => [X]
    HKLM-x32\...\Run: [] => [X]
    HKU\S-1-5-21-2652612324-3306134021-1595356588-1001\...\MountPoints2: {6a7372ab-9d9a-11e3-82a1-40f02f28030b} - "E:\iStudio.exe"
    HKU\S-1-5-21-2652612324-3306134021-1595356588-1001\...\MountPoints2: {d429b5f8-8907-11e4-82e7-40f02f28030b} - "F:\setup.exe"
    CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
    ProxyEnable: [.DEFAULT] => Proxy is enabled.
    ProxyServer: [.DEFAULT] => http=127.0.0.1:59058;https=127.0.0.1:59058
    S3 xhunter1; \??\C:\Windows\xhunter1.sys [X]
    2016-03-02 19:04 - 2016-03-02 19:04 - 00000000 ____D C:\Users\Santa\AppData\Roaming\3909
    2015-02-03 10:45 - 2015-02-03 10:45 - 0000120 _____ () C:\Users\Santa\AppData\Roaming\9f9c4aa8.dat
    Task: {06532D8A-D76E-4703-AC2E-014D0EA8397E} - System32\Tasks\{304DC37F-3A51-451A-8ED1-ADC20675E92F} => pcalua.exe -a "C:\Program Files (x86)\InstallShield Installation Information\{75CACA8C-92F4-44F9-87EC-B728915A69B7}\Setup.exe" -c -runfromtemp -l0x0409  -removeonly
    Task: {2A71A4C1-74A8-483C-9B1D-3C2AC71E9F70} - System32\Tasks\{C5CE2857-3742-4C81-947B-FBB17391173F} => pcalua.exe -a D:\setup.exe -d D:\
    Task: {712CEDBE-89A3-4917-887A-9A9BCA1F9F4A} - System32\Tasks\{0D57B77F-4E17-4941-8D40-A15AA6C7B454} => pcalua.exe -a C:\ProgramData\DivX\Setup\DivXSetup.exe -c /uninstall
    Task: {8F30B461-21EB-4C05-93F1-3CBEB46C8632} - System32\Tasks\Microsoft\22f973e0e09ec61abf885da1ad49918f => C:\Users\Santa\AppData\Roaming\DownloadManager\Loader.exe <==== ATTENTION
    C:\Users\Santa\AppData\Roaming\DownloadManager
    Task: {AF503C1E-8C0F-4416-A539-050AB4736381} - System32\Tasks\{CF5B5C9B-3877-4258-8FA4-6DE7378B1A36} => pcalua.exe -a "C:\Users\Santa\Desktop\Minecraft Mods\forge-1.7.10-10.13.2.1291-installer-win.exe" -d "C:\Users\Santa\Desktop\Minecraft Mods"
    Task: {BA6B573E-D34A-462A-834A-3B1AF5FBAF05} - \Microsoft\981a712922399d5a4451af18621e0726 -> No File <==== ATTENTION
    FirewallRules: [{4CB0549E-0FCE-4571-BDBC-4A75D2FF920F}] => (Allow) C:\Program Files (x86)\YourFileDownloader\YourFileDownloader.exe
    FirewallRules: [{370B45DA-76A8-47FD-8FCE-A594AA85FE88}] => (Allow) C:\Program Files (x86)\YourFileDownloader\YourFileDownloader.exe
    FirewallRules: [{C4B5D6E5-3A42-4112-B3A2-9479F9337C41}] => (Allow) C:\Program Files (x86)\YourFileDownloader\Downloader.exe
    FirewallRules: [{62C6B749-1ABB-4019-869B-BAF57F7C8984}] => (Allow) C:\Program Files (x86)\YourFileDownloader\Downloader.exe
    C:\Program Files (x86)\YourFileDownloader
    2016-03-01 22:50 - 2014-08-27 13:28 - 00000000 ____D C:\Users\Santa\AppData\Roaming\uTorrent
    CMD: ipconfig /flushdns
    EmptyTemp:
    end
  • Click File, then Save As, and type fixlist.txt as the File Name.
  • Important: The file must be saved in the same location as FRST64.exe. 

NOTICE: This script is intended for use on this particular machine. Do not use this script on any other machine; doing so may cause damage to your Operating System.

  • Right-Click FRST64.exe and select Run as administrator to run the programme.
  • Click Fix.
  • A log (Fixlog.txt) will open on your desktop. Copy the contents of the log and paste in your next reply.
     

STEP 2
ESET Online Scan
Note: This scan may take a long time to complete. Please do not browse the Internet whilst your Anti-Virus is disabled.

  • Please download ESET Online Scan and save the file to your Desktop.
  • Temporarily disable your anti-virus software. For instructions, please refer to the following link.
  • Double-click esetsmartinstaller_enu.exe to run the programme. 
  • Agree to the EULA by placing a checkmark next to Yes, I accept the Terms of Use. Then click Start.
  • Agree to the Terms of Use once more and click Start. Allow components to download.
  • Place a checkmark next to Enable detection of potentially unwanted applications.
  • Click Advanced settings. Place a checkmark next to:
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Ensure Remove found threats is unchecked.
  • Click Start.
  • Wait for the scan to finish. Please be patient as this can take some time.
  • Upon completion, click List Threats. If no threats were found, skip the next two bullet points.
  • Click Export and save the file to your Desktop, naming it something such as "ESET Scan".
  • Push the Back button.
  • Place a checkmark next to the indicated option and click the indicated button.
  • Re-enable your anti-virus software.
  • Copy the contents of the log and paste in your next reply.
     

======================================================
 
STEP 3
Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

  • Fixlog.txt
  • ESET Online Scan log

Hello,
 
Please refer to the forum's policy on cracked software - first mentioned in Post #2:
https://forums.malwarebytes.org/index.php?/topic/97700-piracy/

This topic will now be closed due to evidence of cracked or pirated software on this system.
 

C:\Games\Universe Sandbox 2 Alpha 13.1\steam_api.dll	a variant of Win32/HackTool.Crack.DW potentially unsafe application
C:\Games\Universe Sandbox 2 Alpha 14\steam_api.dll	a variant of Win32/HackTool.Crack.DW potentially unsafe application
C:\Program Files (x86)\NoSt34M\Plague Inc Evolved v0.7.4\steam_api.dll	Win32/HackTool.Crack.DW potentially unsafe application
C:\Users\Santa\AppData\Local\Temp\13061667693635349678.exe	a variant of Win32/InstallCore.ADX.gen potentially unwanted application
C:\Users\Santa\AppData\Local\Temp\Temp1_Grand-Theft-Auto-V.zip\Grand Theft Auto V.exe	MSIL/Surveyer.BY trojan
C:\Users\Santa\Desktop\CharlieZane\Winrar Stuff\3DMGAME-Grand.Theft.Auto.V.Update.3.and.Crack.v4.rar	a variant of Win32/Packed.VMProtect.AAA trojan
C:\Users\Santa\Desktop\CharlieZane\Winrar Stuff\Terraria 1.2.4.1.rar	Win32/HackTool.Crack.DW potentially unsafe application
C:\Users\Santa\Desktop\CharlieZane\Winrar Stuff\The.Escapists.Early.Cracked-3DM.rar	a variant of Win32/Packed.VMProtect.ABD trojan
C:\Users\Santa\Desktop\CharlieZane\Winrar Stuff\The_Escapists_0.792.zip	a variant of Win32/HackTool.Crack.DW potentially unsafe application
