Advanced file Optimizer - can't open .exe files


Hi. I registered because I have a problem. I don't know if this is the right website, but I've found a similar problem to mine on two websites, and yours is one of them. https://forums.malwarebytes.org/topic/119495-exe-files-wont-open-in-windows-xp/ Here is the topic I found and followed a little bit, which I know I shouldn't have done.

I was searching for a programme to open some files named "sf1" and Google pointed me towards a malicious programme named "Advanced file optimizer". Before I downloaded it, my antivirus ESET NOD32 warned me about it, that it is suspicious, but I ignored it twice since I couldn't find another programme for the files. After this programme did its work, I couldn't open any programmes ending with .exe. Because I tried to solve the problem on my own, I think I've caused more trouble myself than the programme did. Honestly, this is probably a big mess, but after I found that I could make programmes work by just renaming their ending to, let's say, .com, I thought the problem wasn't even that serious. But I've done some things later, wishing to restore the system back to its old self. I wanted to simply restore the system to an earlier point, so it could all disappear, but it didn't run.

The second website's topic I was following: http://www.bleepingcomputer.com/forums/t/542716/infected-with-advanced-file-optimizer/

If this isn't the place for this problem, I'll go to the Bleeping Computer site, which seems more appropriate for this type of problem since this website is for users of Malwarebytes, I presume. But at that website all the topic starters stopped replying, as if they couldn't find the solution, so the topics were just closed due to inactivity. Here you solved the problem, with the user's confirmation.

I have denied a user called "TrustedInstaller" because it wasn't allowing me to rename some stuff, and I took it for a virus, but it probably was something important. The computer now asks me for permission before renaming some programmes, which it didn't before. After some programmes were renamed to .com, my PC renamed most of them? So now I can open some things, like Regedit and the command prompt, without big problems, so maybe this can be fixed after all?

If I have to pay anything, say so up-front, and I'll try my best to pay for it. I tried uploading the report from Rkill as a Notepad text file, but your website returns an error saying "There was a problem processing the uploaded file. -200". If you're willing to help me, I'll follow your instructions, provide what you need and do as you say.

With regards, makrarom.

P.S. Very sorry about the mess, if it's too much just say so!

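The symptom in the post above (programs launch when renamed to .com but refuse to start as .exe) is what a broken or hijacked .exe file association produces: .com files are launched through their own ProgID, so they keep working while everything routed through exefile fails. The following is an added diagnostic example, not part of this thread and not the helper's procedure. It reads the standard Windows association keys for .exe (the per-user and machine-wide Software\Classes\.exe and exefile\shell\open\command keys, which are real Windows locations) and reports anything other than the stock values. It changes nothing. The hijacked command string used for the offline demonstration is constructed.

```python
"""Diagnose a broken or hijacked .exe file association (read-only check).

Added example, not code from the thread or from Malwarebytes. On Windows it
reads the live registry; the assessment logic is pure so it can also be run
offline with constructed values.
"""
import re
import sys

# Stock values on a healthy Windows install.
EXPECTED_EXE_PROGID = "exefile"
EXPECTED_OPEN_COMMAND = '"%1" %*'

# Per-user Classes keys take precedence over the machine-wide ones in the
# merged HKEY_CLASSES_ROOT view, so the user hive is consulted first.
ASSOCIATION_KEYS = [
    ("HKEY_CURRENT_USER", r"Software\Classes\.exe"),
    ("HKEY_LOCAL_MACHINE", r"SOFTWARE\Classes\.exe"),
]
COMMAND_KEYS = [
    ("HKEY_CURRENT_USER", r"Software\Classes\exefile\shell\open\command"),
    ("HKEY_LOCAL_MACHINE", r"SOFTWARE\Classes\exefile\shell\open\command"),
]


def normalise_command(value):
    """Collapse whitespace and case so cosmetic differences do not raise false alarms."""
    return re.sub(r"\s+", " ", value).strip().lower()


def assess_exe_association(progid, open_command):
    """Return a list of findings; an empty list means the association looks intact.

    progid       -- (Default) value of the .exe key, normally "exefile"
    open_command -- (Default) value of exefile\\shell\\open\\command
    Pass None for a key or value that is absent.
    """
    findings = []
    if progid is None:
        findings.append(".exe has no ProgID; Windows does not know how to launch executables")
    elif progid.strip().lower() != EXPECTED_EXE_PROGID:
        findings.append(f".exe is mapped to ProgID {progid!r} instead of {EXPECTED_EXE_PROGID!r}")
    if open_command is None:
        findings.append("exefile open command is missing")
    elif normalise_command(open_command) != normalise_command(EXPECTED_OPEN_COMMAND):
        # Anything but the bare '"%1" %*' means some other program has been
        # inserted in front of every executable launch.
        findings.append(f"exefile open command is {open_command!r}; expected {EXPECTED_OPEN_COMMAND!r}")
    return findings


def read_default_value(root_name, subkey):
    """Read a key's (Default) value on Windows; None if the key or value is absent."""
    import winreg  # standard library, Windows only
    root = getattr(winreg, root_name)
    try:
        with winreg.OpenKey(root, subkey) as key:
            value, _ = winreg.QueryValueEx(key, "")
            return value
    except OSError:
        return None


def first_present(locations):
    """Return the first (Default) value found, in precedence order."""
    for root_name, subkey in locations:
        value = read_default_value(root_name, subkey)
        if value is not None:
            return value
    return None


def live_assessment():
    """Assess the mapping Windows would actually honour on this machine."""
    return assess_exe_association(first_present(ASSOCIATION_KEYS), first_present(COMMAND_KEYS))


if __name__ == "__main__":
    if sys.platform != "win32":
        # Constructed value standing in for a hijacked machine, so the logic
        # can be demonstrated on any platform.
        hijacked = r'"C:\Program Files (x86)\Example\launcher.exe" "%1" %*'
        print(assess_exe_association("exefile", hijacked))
    else:
        for line in live_assessment() or ["No problems found with the .exe association"]:
            print(line)
```

Run it from an administrator command prompt on the affected machine; an empty result means both the ProgID and the open command are stock, and any finding names exactly which of the two is off so it can be matched against the FRST output the helper asks for.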

Hello makrarom and welcome to Malwarebytes,

My screen name is kevinf80, I'm here to help clean up your system. Make sure to run all scans from accounts with Administrator status, and continue as follows please:

Anyone other than the original starter of this thread, please DO NOT follow the instructions and advice posted as replies here; my help and advice is NOT related to your system and will probably cause more harm than good...

Download RKill from here: http://www.bleepingcomputer.com/download/rkill/

There are three buttons to choose from, with different names on them; select the first one and save it to your desktop.
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7/8/10, right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • A log pops up at the end of the run. This log file is located at C:\rkill.log. Please post this in your next reply.
  • If you do not see the black box flash on the screen, delete the icon from the desktop and go back to the link for the download, select the next button and try to run the tool again; continue to repeat this process using the remaining buttons until the tool runs. You will find further links with other names if you scroll down the page; try them one at a time.
  • If the tool does not run from any of the links provided, please let me know.


Please open Malwarebytes Anti-Malware.
  • On the Settings tab > Detection and Protection sub tab, Detection Options, tick the box "Scan for rootkits".
  • Under the Non-Malware Protection sub tab, change the PUP and PUM entries to "Treat detections as Malware".
  • Click on the Scan tab, then click on Scan Now >>. If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, Apply Actions to any found entries.
  • Wait for the prompt to restart the computer to appear (if applicable), then click on Yes.
  • After the restart, once you are back at your desktop, open MBAM once more.

To get the log from Malwarebytes do the following:
  • Click on the History tab > Application Logs.
  • Double click on the Scan log which shows the Date and time of the scan just performed.
  • Click Export > From Export you have three options:
    Copy to Clipboard - if selected, right click in your reply and select "Paste"; the log will be pasted into your reply
    Text file (*.txt) - if selected, you will have to name the file and save it to a place of your choice (recommend "Desktop"), then attach it to your reply
    XML file (*.xml) - if selected, you will have to name the file and save it to a place of your choice (recommend "Desktop"), then attach it to your reply
  • Please use "Copy to Clipboard", then right click in your reply > select "Paste"; that will copy the log to your reply…

If Malwarebytes is not installed follow these instructions first:

Download Malwarebytes Anti-Malware to your desktop.
  • Double-click mbam-setup and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
  • Launch Malwarebytes Anti-Malware
  • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish. Follow the instructions above....


Download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

If your security alerts to FRST, either accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...
  • Double-click to run it. When the tool opens, click Yes to the disclaimer. (Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans".
  • Press the Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
  • The tool will also make a log named Addition.txt. Please attach that log to your reply.

Let me see those logs in your reply...

Thank you,


Well, after Malwarebytes Anti-Malware's scan was done and the computer's restart, I found my icons shown again. Before, there were only white pictures. The only thing that is still white is Google Chrome now, which is still set to .com for opening it. I don't really know how to change it back, but I guess I can figure that out on my own, by reinstalling it.

About Malwarebytes Anti-Malware's logs: I'll paste some pictures because I can't find any logs.


The bugs are in the quarantine, though. http://i.imgur.com/nsuMIIv.png

This is the first slide http://i.imgur.com/Bi74DQW.png

This time, I've uploaded the text reports successfully. Only FRST and Addition, because I can't see the Malwarebytes one.

Thanks for your help so far! Unless this is it, I can't really tell...


I've found under the History Settings that my Scan Log option was turned off. I turned it on, and here is the report.

Malwarebytes Anti-Malware

Scan Date: 8. 09. 2016
Scan Time: 11:45
Administrator: Yes

Malware Database: v2016.09.08.04
Rootkit Database: v2016.08.15.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 10
CPU: x64
File System: NTFS
User: Urban

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 471025
Time Elapsed: 41 min, 6 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 10
PUP.Optional.Incredibar, HKLM\SOFTWARE\CLASSES\APPID\{608D3067-77E8-463D-9084-908966806826}, Quarantined, [5f558ae5f4a6e65026a26234c9396a96], 
PUP.Optional.Incredibar, HKLM\SOFTWARE\WOW6432NODE\CLASSES\APPID\{608D3067-77E8-463D-9084-908966806826}, Quarantined, [5f558ae5f4a6e65026a26234c9396a96], 
PUP.Optional.Incredibar, HKLM\SOFTWARE\CLASSES\WOW6432NODE\APPID\{608D3067-77E8-463D-9084-908966806826}, Quarantined, [5f558ae5f4a6e65026a26234c9396a96], 
Adware.1ClickDownload, HKLM\SOFTWARE\CLASSES\APPID\{C007DADD-132A-624C-088E-59EE6CF0711F}, Quarantined, [961e78f7247671c5282a1f78a45ea65a], 
Adware.1ClickDownload, HKLM\SOFTWARE\WOW6432NODE\CLASSES\APPID\{C007DADD-132A-624C-088E-59EE6CF0711F}, Quarantined, [961e78f7247671c5282a1f78a45ea65a], 
Adware.1ClickDownload, HKLM\SOFTWARE\CLASSES\WOW6432NODE\APPID\{C007DADD-132A-624C-088E-59EE6CF0711F}, Quarantined, [961e78f7247671c5282a1f78a45ea65a], 
Adware.1ClickDownload, HKLM\SOFTWARE\CLASSES\APPID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}, Quarantined, [4c685619afeb94a2c68decab53af8977], 
Adware.1ClickDownload, HKLM\SOFTWARE\WOW6432NODE\CLASSES\APPID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}, Quarantined, [4c685619afeb94a2c68decab53af8977], 
Adware.1ClickDownload, HKLM\SOFTWARE\CLASSES\WOW6432NODE\APPID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}, Quarantined, [4c685619afeb94a2c68decab53af8977], 
PUP.Optional.CrossRider, HKU\S-1-5-21-435036236-1764767429-2939522118-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\Netbet Poker, Quarantined, [f5bf303ff8a24aec918259896d9701ff], 

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 22
PUP.Optional.Conduit, C:\Users\Urban\AppData\LocalLow\Conduit, Quarantined, [b8fc96d94f4b56e08b69a91d8082c23e], 
PUP.Optional.Conduit, C:\Users\Urban\AppData\LocalLow\Conduit\ChromeExtData, Quarantined, [b8fc96d94f4b56e08b69a91d8082c23e], 
PUP.Optional.Conduit, C:\Users\Urban\AppData\LocalLow\Conduit\ChromeExtData\bifkcdcophkelpoliphpjejnkoppbokh, Quarantined, [b8fc96d94f4b56e08b69a91d8082c23e], 
PUP.Optional.Conduit, C:\Users\Urban\AppData\LocalLow\Conduit\ChromeExtData\bifkcdcophkelpoliphpjejnkoppbokh\Repository, Quarantined, [b8fc96d94f4b56e08b69a91d8082c23e], 
PUP.Optional.MoboGenie, C:\Users\Urban\AppData\Local\Mobogenie, Quarantined, [b6fe432c5941072fa1aafde9dd2703fd], 
PUP.Optional.MoboGenie, C:\Users\Urban\AppData\Local\Mobogenie\backup, Quarantined, [b6fe432c5941072fa1aafde9dd2703fd], 
PUP.Optional.MoboGenie, C:\Users\Urban\AppData\Local\Mobogenie\Data, Quarantined, [b6fe432c5941072fa1aafde9dd2703fd], 
PUP.Optional.MoboGenie, C:\Users\Urban\AppData\Local\Mobogenie\device, Quarantined, [b6fe432c5941072fa1aafde9dd2703fd], 
PUP.Optional.MoboGenie, C:\Users\Urban\AppData\Local\Mobogenie\Download, Quarantined, [b6fe432c5941072fa1aafde9dd2703fd], 
PUP.Optional.MoboGenie, C:\Users\Urban\AppData\Local\Mobogenie\Download\Apk, Quarantined, [b6fe432c5941072fa1aafde9dd2703fd], 
PUP.Optional.MoboGenie, C:\Users\Urban\AppData\Local\Mobogenie\Download\Music, Quarantined, [b6fe432c5941072fa1aafde9dd2703fd], 
PUP.Optional.MoboGenie, C:\Users\Urban\AppData\Local\Mobogenie\Download\Picture, Quarantined, [b6fe432c5941072fa1aafde9dd2703fd], 
PUP.Optional.MoboGenie, C:\Users\Urban\AppData\Local\Mobogenie\Download\Video, Quarantined, [b6fe432c5941072fa1aafde9dd2703fd], 
PUP.Optional.MoboGenie, C:\Users\Urban\AppData\Local\Mobogenie\driver, Quarantined, [b6fe432c5941072fa1aafde9dd2703fd], 
PUP.Optional.MoboGenie, C:\Users\Urban\AppData\Local\Mobogenie\Version, Quarantined, [b6fe432c5941072fa1aafde9dd2703fd], 
PUP.Optional.MoboGenie, C:\Users\Urban\AppData\Local\Mobogenie\Version\CacheVersion, Quarantined, [b6fe432c5941072fa1aafde9dd2703fd], 
PUP.Optional.MoboGenie, C:\Users\Urban\AppData\Local\Mobogenie\Version\NewVersion, Quarantined, [b6fe432c5941072fa1aafde9dd2703fd], 
PUP.Optional.MoboGenie, C:\Users\Urban\AppData\Local\Mobogenie\Version\OldVersion, Quarantined, [b6fe432c5941072fa1aafde9dd2703fd], 
PUP.Optional.MediaHint.ChrPRST, C:\Users\Urban\AppData\Local\Google\Chrome\User Data\Default\Extensions\akipcefbjlmpbcejgdaopmmidpnjlhnb\0.2.6_0, Quarantined, [b00481ee554569cd7b384e4d7490ad53], 
PUP.Optional.MediaHint.ChrPRST, C:\Users\Urban\AppData\Local\Google\Chrome\User Data\Default\Extensions\akipcefbjlmpbcejgdaopmmidpnjlhnb\0.2.6_0\images, Quarantined, [b00481ee554569cd7b384e4d7490ad53], 
PUP.Optional.MediaHint.ChrPRST, C:\Users\Urban\AppData\Local\Google\Chrome\User Data\Default\Extensions\akipcefbjlmpbcejgdaopmmidpnjlhnb\0.2.6_0\_metadata, Quarantined, [b00481ee554569cd7b384e4d7490ad53], 
PUP.Optional.MediaHint.ChrPRST, C:\Users\Urban\AppData\Local\Google\Chrome\User Data\Default\Extensions\akipcefbjlmpbcejgdaopmmidpnjlhnb, Quarantined, [b00481ee554569cd7b384e4d7490ad53], 

Files: 60
PUP.Optional.SysTweak, C:\$Recycle.Bin\S-1-5-21-435036236-1764767429-2939522118-1001\$RQJO8C7\unins000.com, Quarantined, [3a7ae887069451e5c42a5c65778aa957], 
PUP.Optional.CrossRider, C:\Users\Urban\AppData\Local\NetBet Poker\internalSetupPokerUninstall1459198800241_na_en.exe, Quarantined, [f5bf303ff8a24aec918259896d9701ff], 
PUP.Optional.Conduit, C:\Users\Urban\AppData\LocalLow\Conduit\ChromeExtData\bifkcdcophkelpoliphpjejnkoppbokh\Repository\CT2189699.128778272517450195.search.selectedEngineId.txt, Quarantined, [b8fc96d94f4b56e08b69a91d8082c23e], 
PUP.Optional.Conduit, C:\Users\Urban\AppData\LocalLow\Conduit\ChromeExtData\bifkcdcophkelpoliphpjejnkoppbokh\Repository\CT2189699.128778272517450195.search.settings.txt, Quarantined, [b8fc96d94f4b56e08b69a91d8082c23e], 
PUP.Optional.Conduit, C:\Users\Urban\AppData\LocalLow\Conduit\ChromeExtData\bifkcdcophkelpoliphpjejnkoppbokh\Repository\CT2189699.appOptions.txt, Quarantined, [b8fc96d94f4b56e08b69a91d8082c23e], 
PUP.Optional.Conduit, C:\Users\Urban\AppData\LocalLow\Conduit\ChromeExtData\bifkcdcophkelpoliphpjejnkoppbokh\Repository\CT2189699.downloadRefCookieData.txt, Quarantined, [b8fc96d94f4b56e08b69a91d8082c23e], 
PUP.Optional.Conduit, C:\Users\Urban\AppData\LocalLow\Conduit\ChromeExtData\bifkcdcophkelpoliphpjejnkoppbokh\Repository\CT2189699.NotificationSettings.txt, Quarantined, [b8fc96d94f4b56e08b69a91d8082c23e], 
PUP.Optional.Conduit, C:\Users\Urban\AppData\LocalLow\Conduit\ChromeExtData\bifkcdcophkelpoliphpjejnkoppbokh\Repository\CT2189699.NOTIFICATION_ID.notifications-repository.txt, Quarantined, [b8fc96d94f4b56e08b69a91d8082c23e], 
PUP.Optional.Conduit, C:\Users\Urban\AppData\LocalLow\Conduit\ChromeExtData\bifkcdcophkelpoliphpjejnkoppbokh\Repository\CT2189699.NOTIFICATION_ID.notifications-servicemap.txt, Quarantined, [b8fc96d94f4b56e08b69a91d8082c23e], 
PUP.Optional.Conduit, C:\Users\Urban\AppData\LocalLow\Conduit\ChromeExtData\bifkcdcophkelpoliphpjejnkoppbokh\Repository\CT2189699.NOTIFICATION_ID.notifications-service_588283.txt, Quarantined, [b8fc96d94f4b56e08b69a91d8082c23e], 
PUP.Optional.Conduit, C:\Users\Urban\AppData\LocalLow\Conduit\ChromeExtData\bifkcdcophkelpoliphpjejnkoppbokh\Repository\CT2189699.savedPositions.txt, Quarantined, [b8fc96d94f4b56e08b69a91d8082c23e], 
PUP.Optional.Conduit, C:\Users\Urban\AppData\LocalLow\Conduit\ChromeExtData\bifkcdcophkelpoliphpjejnkoppbokh\Repository\CT2189699_RAW.serviceLayer_services_appsMetadata.txt, Quarantined, [b8fc96d94f4b56e08b69a91d8082c23e], 
PUP.Optional.Conduit, C:\Users\Urban\AppData\LocalLow\Conduit\ChromeExtData\bifkcdcophkelpoliphpjejnkoppbokh\Repository\CT2189699_RAW.serviceLayer_services_appTrackingFirstTime.txt, Quarantined, [b8fc96d94f4b56e08b69a91d8082c23e], 
PUP.Optional.Conduit, C:\Users\Urban\AppData\LocalLow\Conduit\ChromeExtData\bifkcdcophkelpoliphpjejnkoppbokh\Repository\CT2189699_RAW.serviceLayer_services_gottenAppsContextMenu.txt, Quarantined, [b8fc96d94f4b56e08b69a91d8082c23e], 
PUP.Optional.Conduit, C:\Users\Urban\AppData\LocalLow\Conduit\ChromeExtData\bifkcdcophkelpoliphpjejnkoppbokh\Repository\CT2189699_RAW.serviceLayer_services_login.txt, Quarantined, [b8fc96d94f4b56e08b69a91d8082c23e], 
PUP.Optional.Conduit, C:\Users\Urban\AppData\LocalLow\Conduit\ChromeExtData\bifkcdcophkelpoliphpjejnkoppbokh\Repository\CT2189699_RAW.serviceLayer_services_otherAppsContextMenu.txt, Quarantined, [b8fc96d94f4b56e08b69a91d8082c23e], 
PUP.Optional.Conduit, C:\Users\Urban\AppData\LocalLow\Conduit\ChromeExtData\bifkcdcophkelpoliphpjejnkoppbokh\Repository\CT2189699_RAW.serviceLayer_services_searchAPI.txt, Quarantined, [b8fc96d94f4b56e08b69a91d8082c23e], 
PUP.Optional.Conduit, C:\Users\Urban\AppData\LocalLow\Conduit\ChromeExtData\bifkcdcophkelpoliphpjejnkoppbokh\Repository\CT2189699_RAW.serviceLayer_services_serviceMap.txt, Quarantined, [b8fc96d94f4b56e08b69a91d8082c23e], 
PUP.Optional.Conduit, C:\Users\Urban\AppData\LocalLow\Conduit\ChromeExtData\bifkcdcophkelpoliphpjejnkoppbokh\Repository\CT2189699_RAW.serviceLayer_services_toolbarContextMenu.txt, Quarantined, [b8fc96d94f4b56e08b69a91d8082c23e], 
PUP.Optional.Conduit, C:\Users\Urban\AppData\LocalLow\Conduit\ChromeExtData\bifkcdcophkelpoliphpjejnkoppbokh\Repository\CT2189699_RAW.serviceLayer_services_toolbarSettings.txt, Quarantined, [b8fc96d94f4b56e08b69a91d8082c23e], 
PUP.Optional.Conduit, C:\Users\Urban\AppData\LocalLow\Conduit\ChromeExtData\bifkcdcophkelpoliphpjejnkoppbokh\Repository\CT2189699_RAW.serviceLayer_services_translation.txt, Quarantined, [b8fc96d94f4b56e08b69a91d8082c23e], 
PUP.Optional.Conduit, C:\Users\Urban\AppData\LocalLow\Conduit\ChromeExtData\bifkcdcophkelpoliphpjejnkoppbokh\Repository\CT2189699_10.14.40.128.serviceLayer_services_appTrackingFirstTime.txt, Quarantined, [b8fc96d94f4b56e08b69a91d8082c23e], 
PUP.Optional.Conduit, C:\Users\Urban\AppData\LocalLow\Conduit\ChromeExtData\bifkcdcophkelpoliphpjejnkoppbokh\Repository\CT2189699_10.14.40.128.serviceLayer_services_gottenAppsContextMenu.txt, Quarantined, [b8fc96d94f4b56e08b69a91d8082c23e], 
PUP.Optional.Conduit, C:\Users\Urban\AppData\LocalLow\Conduit\ChromeExtData\bifkcdcophkelpoliphpjejnkoppbokh\Repository\CT2189699_10.14.40.128.serviceLayer_services_login.txt, Quarantined, [b8fc96d94f4b56e08b69a91d8082c23e], 
PUP.Optional.Conduit, C:\Users\Urban\AppData\LocalLow\Conduit\ChromeExtData\bifkcdcophkelpoliphpjejnkoppbokh\Repository\CT2189699_10.14.40.128.serviceLayer_services_otherAppsContextMenu.txt, Quarantined, [b8fc96d94f4b56e08b69a91d8082c23e], 
PUP.Optional.Conduit, C:\Users\Urban\AppData\LocalLow\Conduit\ChromeExtData\bifkcdcophkelpoliphpjejnkoppbokh\Repository\CT2189699_10.14.40.128.serviceLayer_services_searchAPI.txt, Quarantined, [b8fc96d94f4b56e08b69a91d8082c23e], 
PUP.Optional.Conduit, C:\Users\Urban\AppData\LocalLow\Conduit\ChromeExtData\bifkcdcophkelpoliphpjejnkoppbokh\Repository\CT2189699_10.14.40.128.serviceLayer_services_serviceMap.txt, Quarantined, [b8fc96d94f4b56e08b69a91d8082c23e], 
PUP.Optional.Conduit, C:\Users\Urban\AppData\LocalLow\Conduit\ChromeExtData\bifkcdcophkelpoliphpjejnkoppbokh\Repository\CT2189699_10.14.40.128.serviceLayer_services_toolbarContextMenu.txt, Quarantined, [b8fc96d94f4b56e08b69a91d8082c23e], 
PUP.Optional.Conduit, C:\Users\Urban\AppData\LocalLow\Conduit\ChromeExtData\bifkcdcophkelpoliphpjejnkoppbokh\Repository\CT2189699_10.14.40.128.serviceLayer_services_toolbarSettings.txt, Quarantined, [b8fc96d94f4b56e08b69a91d8082c23e], 
PUP.Optional.Conduit, C:\Users\Urban\AppData\LocalLow\Conduit\ChromeExtData\bifkcdcophkelpoliphpjejnkoppbokh\Repository\CT2189699.searchProtectorData.txt, Quarantined, [b8fc96d94f4b56e08b69a91d8082c23e], 
PUP.Optional.Conduit, C:\Users\Urban\AppData\LocalLow\Conduit\ChromeExtData\bifkcdcophkelpoliphpjejnkoppbokh\Repository\CT2189699_10.14.40.128.serviceLayer_services_appsMetadata.txt, Quarantined, [b8fc96d94f4b56e08b69a91d8082c23e], 
PUP.Optional.Conduit, C:\Users\Urban\AppData\LocalLow\Conduit\ChromeExtData\bifkcdcophkelpoliphpjejnkoppbokh\Repository\CT2189699_10.14.40.128.serviceLayer_services_translation.txt, Quarantined, [b8fc96d94f4b56e08b69a91d8082c23e], 
PUP.Optional.Conduit, C:\Users\Urban\AppData\LocalLow\Conduit\ChromeExtData\bifkcdcophkelpoliphpjejnkoppbokh\Repository\toolbar_initializing_logger.txt, Quarantined, [b8fc96d94f4b56e08b69a91d8082c23e], 
PUP.Optional.Conduit, C:\Users\Urban\AppData\LocalLow\Conduit\ChromeExtData\bifkcdcophkelpoliphpjejnkoppbokh\Repository\uninstallData.txt, Quarantined, [b8fc96d94f4b56e08b69a91d8082c23e], 
PUP.Optional.Conduit, C:\Users\Urban\AppData\LocalLow\Conduit\ChromeExtData\bifkcdcophkelpoliphpjejnkoppbokh\Repository\uninstallUrl.txt, Quarantined, [b8fc96d94f4b56e08b69a91d8082c23e], 
PUP.Optional.Conduit, C:\Users\Urban\AppData\LocalLow\Conduit\ChromeExtData\bifkcdcophkelpoliphpjejnkoppbokh\Repository\CT2189699_10.14.251.3.serviceLayer_services_appsMetadata.txt, Quarantined, [b8fc96d94f4b56e08b69a91d8082c23e], 
PUP.Optional.Conduit, C:\Users\Urban\AppData\LocalLow\Conduit\ChromeExtData\bifkcdcophkelpoliphpjejnkoppbokh\Repository\CT2189699_10.14.251.3.serviceLayer_services_appTrackingFirstTime.txt, Quarantined, [b8fc96d94f4b56e08b69a91d8082c23e], 
PUP.Optional.Conduit, C:\Users\Urban\AppData\LocalLow\Conduit\ChromeExtData\bifkcdcophkelpoliphpjejnkoppbokh\Repository\CT2189699_10.14.251.3.serviceLayer_services_gottenAppsContextMenu.txt, Quarantined, [b8fc96d94f4b56e08b69a91d8082c23e], 
PUP.Optional.Conduit, C:\Users\Urban\AppData\LocalLow\Conduit\ChromeExtData\bifkcdcophkelpoliphpjejnkoppbokh\Repository\CT2189699_10.14.251.3.serviceLayer_services_login.txt, Quarantined, [b8fc96d94f4b56e08b69a91d8082c23e], 
PUP.Optional.Conduit, C:\Users\Urban\AppData\LocalLow\Conduit\ChromeExtData\bifkcdcophkelpoliphpjejnkoppbokh\Repository\CT2189699_10.14.251.3.serviceLayer_services_otherAppsContextMenu.txt, Quarantined, [b8fc96d94f4b56e08b69a91d8082c23e], 
PUP.Optional.Conduit, C:\Users\Urban\AppData\LocalLow\Conduit\ChromeExtData\bifkcdcophkelpoliphpjejnkoppbokh\Repository\CT2189699_10.14.251.3.serviceLayer_services_searchAPI.txt, Quarantined, [b8fc96d94f4b56e08b69a91d8082c23e], 
PUP.Optional.Conduit, C:\Users\Urban\AppData\LocalLow\Conduit\ChromeExtData\bifkcdcophkelpoliphpjejnkoppbokh\Repository\CT2189699_10.14.251.3.serviceLayer_services_serviceMap.txt, Quarantined, [b8fc96d94f4b56e08b69a91d8082c23e], 
PUP.Optional.Conduit, C:\Users\Urban\AppData\LocalLow\Conduit\ChromeExtData\bifkcdcophkelpoliphpjejnkoppbokh\Repository\CT2189699_10.14.251.3.serviceLayer_services_toolbarContextMenu.txt, Quarantined, [b8fc96d94f4b56e08b69a91d8082c23e], 
PUP.Optional.Conduit, C:\Users\Urban\AppData\LocalLow\Conduit\ChromeExtData\bifkcdcophkelpoliphpjejnkoppbokh\Repository\CT2189699_10.14.251.3.serviceLayer_services_toolbarSettings.txt, Quarantined, [b8fc96d94f4b56e08b69a91d8082c23e], 
PUP.Optional.Conduit, C:\Users\Urban\AppData\LocalLow\Conduit\ChromeExtData\bifkcdcophkelpoliphpjejnkoppbokh\Repository\CT2189699_10.14.251.3.serviceLayer_services_translation.txt, Quarantined, [b8fc96d94f4b56e08b69a91d8082c23e], 
PUP.Optional.MoboGenie, C:\Users\Urban\AppData\Local\Mobogenie\adb.black_devices, Quarantined, [b6fe432c5941072fa1aafde9dd2703fd], 
PUP.Optional.MoboGenie, C:\Users\Urban\AppData\Local\Mobogenie\adb.write_devices, Quarantined, [b6fe432c5941072fa1aafde9dd2703fd], 
PUP.Optional.MoboGenie, C:\Users\Urban\AppData\Local\Mobogenie\client.time, Quarantined, [b6fe432c5941072fa1aafde9dd2703fd], 
PUP.Optional.MoboGenie, C:\Users\Urban\AppData\Local\Mobogenie\driverresult.log, Quarantined, [b6fe432c5941072fa1aafde9dd2703fd], 
PUP.Optional.MoboGenie, C:\Users\Urban\AppData\Local\Mobogenie\mobo.uuid, Quarantined, [b6fe432c5941072fa1aafde9dd2703fd], 
PUP.Optional.MoboGenie, C:\Users\Urban\AppData\Local\Mobogenie\Source.mu, Quarantined, [b6fe432c5941072fa1aafde9dd2703fd], 
PUP.Optional.MoboGenie, C:\Users\Urban\AppData\Local\Mobogenie\Data\mobogenie_u_user_dl.mg, Quarantined, [b6fe432c5941072fa1aafde9dd2703fd], 
PUP.Optional.MoboGenie, C:\Users\Urban\AppData\Local\Mobogenie\Version\CacheVersion\release-update.xml, Quarantined, [b6fe432c5941072fa1aafde9dd2703fd], 
PUP.Optional.MediaHint.ChrPRST, C:\Users\Urban\AppData\Local\Google\Chrome\User Data\Default\Extensions\akipcefbjlmpbcejgdaopmmidpnjlhnb\0.2.6_0\manifest.json, Quarantined, [b00481ee554569cd7b384e4d7490ad53], 
PUP.Optional.MediaHint.ChrPRST, C:\Users\Urban\AppData\Local\Google\Chrome\User Data\Default\Extensions\akipcefbjlmpbcejgdaopmmidpnjlhnb\0.2.6_0\app.js, Quarantined, [b00481ee554569cd7b384e4d7490ad53], 
PUP.Optional.MediaHint.ChrPRST, C:\Users\Urban\AppData\Local\Google\Chrome\User Data\Default\Extensions\akipcefbjlmpbcejgdaopmmidpnjlhnb\0.2.6_0\icon_128.png, Quarantined, [b00481ee554569cd7b384e4d7490ad53], 
PUP.Optional.MediaHint.ChrPRST, C:\Users\Urban\AppData\Local\Google\Chrome\User Data\Default\Extensions\akipcefbjlmpbcejgdaopmmidpnjlhnb\0.2.6_0\images\off_32.png, Quarantined, [b00481ee554569cd7b384e4d7490ad53], 
PUP.Optional.MediaHint.ChrPRST, C:\Users\Urban\AppData\Local\Google\Chrome\User Data\Default\Extensions\akipcefbjlmpbcejgdaopmmidpnjlhnb\0.2.6_0\images\on_32.png, Quarantined, [b00481ee554569cd7b384e4d7490ad53], 
PUP.Optional.MediaHint.ChrPRST, C:\Users\Urban\AppData\Local\Google\Chrome\User Data\Default\Extensions\akipcefbjlmpbcejgdaopmmidpnjlhnb\0.2.6_0\_metadata\computed_hashes.json, Quarantined, [b00481ee554569cd7b384e4d7490ad53], 
PUP.Optional.MediaHint.ChrPRST, C:\Users\Urban\AppData\Local\Google\Chrome\User Data\Default\Extensions\akipcefbjlmpbcejgdaopmmidpnjlhnb\0.2.6_0\_metadata\verified_contents.json, Quarantined, [b00481ee554569cd7b384e4d7490ad53], 

Physical Sectors: 0
(No malicious items detected)


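The scan log above has a regular shape: section headers that carry a declared count ("Registry Keys: 10", "Files: 60"), followed by one line per detection in the form detection name, location, action taken, bracketed hex id. As an added example, not Malwarebytes code, here is a parser that turns such a log into records, tallies detections by family and section, flags anything that was not quarantined, and cross-checks each declared count against the lines actually present, which is the first thing to verify when a log has been pasted by hand and may have been truncated. The embedded sample is a trimmed excerpt of the log posted above, with the declared counts adjusted to match the excerpt.

```python
"""Parse a Malwarebytes Anti-Malware 2.x threat-scan log into structured detections.

Added example, not Malwarebytes code. SAMPLE_LOG is a trimmed excerpt of the
log posted in this thread (counts adjusted to the excerpt).
"""
import re
from collections import Counter

# Sections of the scan log that list detections.
DETECTION_SECTIONS = {
    "Processes", "Modules", "Registry Keys", "Registry Values", "Registry Data",
    "Folders", "Files", "Physical Sectors",
}

SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+): (?P<count>\d+)$")
# Detection line: "<name>, <location>, <action>, [<hex id>],"
DETECTION_RE = re.compile(
    r"^(?P<name>[^,]+), (?P<location>.+), (?P<action>[^,]+), \[(?P<id>[0-9a-f]+)\],\s*$"
)

SAMPLE_LOG = r"""Malwarebytes Anti-Malware

Scan Type: Threat Scan
Objects Scanned: 471025

Processes: 0
(No malicious items detected)

Registry Keys: 3
PUP.Optional.Incredibar, HKLM\SOFTWARE\CLASSES\APPID\{608D3067-77E8-463D-9084-908966806826}, Quarantined, [5f558ae5f4a6e65026a26234c9396a96],
Adware.1ClickDownload, HKLM\SOFTWARE\CLASSES\APPID\{C007DADD-132A-624C-088E-59EE6CF0711F}, Quarantined, [961e78f7247671c5282a1f78a45ea65a],
PUP.Optional.CrossRider, HKU\S-1-5-21-435036236-1764767429-2939522118-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\Netbet Poker, Quarantined, [f5bf303ff8a24aec918259896d9701ff],

Folders: 2
PUP.Optional.Conduit, C:\Users\Urban\AppData\LocalLow\Conduit, Quarantined, [b8fc96d94f4b56e08b69a91d8082c23e],
PUP.Optional.MoboGenie, C:\Users\Urban\AppData\Local\Mobogenie, Quarantined, [b6fe432c5941072fa1aafde9dd2703fd],

Files: 3
PUP.Optional.SysTweak, C:\$Recycle.Bin\S-1-5-21-435036236-1764767429-2939522118-1001\$RQJO8C7\unins000.com, Quarantined, [3a7ae887069451e5c42a5c65778aa957],
PUP.Optional.Conduit, C:\Users\Urban\AppData\LocalLow\Conduit\ChromeExtData\bifkcdcophkelpoliphpjejnkoppbokh\Repository\uninstallUrl.txt, Quarantined, [b8fc96d94f4b56e08b69a91d8082c23e],
PUP.Optional.MediaHint.ChrPRST, C:\Users\Urban\AppData\Local\Google\Chrome\User Data\Default\Extensions\akipcefbjlmpbcejgdaopmmidpnjlhnb\0.2.6_0\manifest.json, Quarantined, [b00481ee554569cd7b384e4d7490ad53],

Physical Sectors: 0
(No malicious items detected)
"""


def parse_mbam_log(text):
    """Return (detections, declared_counts).

    detections     -- list of dicts: section, name, family, location, action, id
    declared_counts -- {section: count printed in that section's header}
    """
    detections, declared = [], {}
    section = None
    for line in text.splitlines():
        header = SECTION_RE.match(line.strip())
        if header and header.group("section") in DETECTION_SECTIONS:
            section = header.group("section")
            declared[section] = int(header.group("count"))
            continue
        if section is None:
            continue  # still in the scan summary block
        m = DETECTION_RE.match(line)
        if m:
            name = m.group("name")
            detections.append({
                "section": section,
                "name": name,
                # "PUP.Optional.Conduit" -> "Conduit", "Adware.1ClickDownload" -> "1ClickDownload"
                "family": name.split(".", 2)[-1],
                "location": m.group("location"),
                "action": m.group("action"),
                "id": m.group("id"),
            })
    return detections, declared


def summarise(detections, declared):
    """Tally detections and cross-check section headers against the lines parsed."""
    parsed = Counter(d["section"] for d in detections)
    mismatches = {s: (declared[s], parsed.get(s, 0))
                  for s in declared if declared[s] != parsed.get(s, 0)}
    return {
        "by_family": dict(Counter(d["family"] for d in detections)),
        "by_section": dict(parsed),
        "not_quarantined": [d for d in detections if d["action"] != "Quarantined"],
        "header_mismatches": mismatches,
    }


if __name__ == "__main__":
    dets, declared = parse_mbam_log(SAMPLE_LOG)
    for key, value in summarise(dets, declared).items():
        print(f"{key}: {value}")
```

A non-empty header_mismatches means the pasted log is not the whole file (or was edited), and not_quarantined lists entries that still need attention before the next step.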

Thanks for those logs, continue please:

Download the attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into.
NOTE: It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or in the folder it was run from. Please post it in your reply.


Download AdwCleaner by Xplode onto your Desktop.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan in the Actions box.
  • Please wait for the scan to finish..
  • When "Waiting for action.Please uncheck elements you want to keep" shows in the top line..
  • Click on the Cleaning box.
  • Next, click OK on the "Closing Programs" pop up box.
  • Click OK on the Information box & again OK to allow the necessary reboot.
  • After the restart the AdwCleaner(C*)-Notepad log will appear; please copy/paste it in your next reply. Where * is the number relative to the list of scans completed...


Download Sophos Free Virus Removal Tool and save it to your desktop.
  • Double click the icon and select Run
  • Click Next
  • Select "I accept the terms in this license agreement", then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found, click Details, then View log file... (bottom left hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
  • If no threats were found please confirm that result....

Let me see those logs in your reply, also tell me if there are any remaining issues or concerns...

Thank you,


----------AdwCleaner----------- REPORT 1

# AdwCleaner v6.010 - Logfile created 09/09/2016 at 11:44:23
# Updated on 12/08/2016 by ToolsLib
# Database : 2016-09-09.2 [Server]
# Operating System : Windows 10 Pro  (X64)
# Username : Urban - URBAN-PC
# Running from : C:\Users\Urban\Downloads\AdwCleaner.exe
# Mode: Clean
# Support : https://toolslib.net/forum

***** [ Services ] *****

***** [ Folders ] *****

[-] Folder deleted: C:\Users\Urban\AppData\Local\DriverToolkit
[-] Folder deleted: C:\Users\Urban\AppData\Local\genienext
[-] Folder deleted: C:\Users\Urban\AppData\Local\Systweak
[-] Folder deleted: C:\Users\Urban\AppData\Roaming\DriverCure
[-] Folder deleted: C:\Users\Urban\AppData\Roaming\ExpressFiles
[-] Folder deleted: C:\Users\Urban\AppData\Roaming\Hola
[-] Folder deleted: C:\Users\Urban\AppData\Roaming\ParetoLogic
[-] Folder deleted: C:\Users\Urban\Documents\Mobogenie
[-] Folder deleted: C:\ProgramData\ParetoLogic
[-] Folder deleted: C:\ProgramData\Systweak
[#] Folder deleted on reboot: C:\ProgramData\Application Data\ParetoLogic
[#] Folder deleted on reboot: C:\ProgramData\Application Data\Systweak
[-] Folder deleted: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Advanced File Optimizer
[-] Folder deleted: C:\Program Files (x86)\Advanced File Optimizer
[-] Folder deleted: C:\Program Files (x86)\DriverToolkit
[-] Folder deleted: C:\Program Files (x86)\GreenTree Applications
[-] Folder deleted: C:\Program Files (x86)\Mobogenie
[-] Folder deleted: C:\WINDOWS\SysWOW64\config\systemprofile\AppData\Local\Systweak
[#] Folder deleted on reboot: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Advanced File Optimizer
[#] Folder deleted on reboot: C:\Program Files (x86)\Advanced File Optimizer

***** [ Files ] *****

[-] File deleted: C:\Users\Urban\daemonprocess.txt
[-] File deleted: C:\Users\Urban\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Advanced File Optimizer.lnk
[-] File deleted: C:\END
[-] File deleted: C:\Users\Urban\AppData\Roaming\Mozilla\Firefox\Profiles\jk8kchq0.default-1373027264337\invalidprefs.js

***** [ DLL ] *****

***** [ WMI ] *****

***** [ Shortcuts ] *****

***** [ Scheduled Tasks ] *****

***** [ Registry ] *****

[-] Key deleted: [x64] HKLM\SOFTWARE\Classes\Interface\{9EDC0C90-2B5B-4512-953E-35767BAD5C67}
[-] Key deleted: HKLM\SOFTWARE\Classes\AppID\{15F6BCB7-BB0F-4A66-8762-4765B05597EB}
[-] Key deleted: HKLM\SOFTWARE\Classes\AppID\{1973277F-87B0-4EA3-9ED2-470A91D284CF}
[-] Key deleted: HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{6801410E-CC88-42D6-A93B-909E95645407}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{8BF0126F-A5B7-4720-ABB2-2414A0AF5474}
[-] Key deleted: HKLM\SOFTWARE\Classes\TypeLib\{15F6BCB7-BB0F-4A66-8762-4765B05597EB}
[-] Key deleted: [x64] HKLM\SOFTWARE\Hola
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2F603A45-D956-496B-81B5-50D782424976}
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B85C4CB2-B352-4BD8-818C-BCE353599107}
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Hola
[-] Key deleted: HKU\.DEFAULT\Software\Hola
[-] Key deleted: HKU\S-1-5-21-435036236-1764767429-2939522118-1001\Software\APN PIP
[-] Key deleted: HKU\S-1-5-21-435036236-1764767429-2939522118-1001\Software\Conduit
[-] Key deleted: HKU\S-1-5-21-435036236-1764767429-2939522118-1001\Software\Hola
[-] Key deleted: HKU\S-1-5-21-435036236-1764767429-2939522118-1001\Software\ParetoLogic
[-] Key deleted: HKU\S-1-5-21-435036236-1764767429-2939522118-1001\Software\PIP
[-] Key deleted: HKU\S-1-5-21-435036236-1764767429-2939522118-1001\Software\PrivitizeVPNInstallDates
[-] Key deleted: HKU\S-1-5-21-435036236-1764767429-2939522118-1001\Software\Softonic
[-] Key deleted: HKU\S-1-5-21-435036236-1764767429-2939522118-1001\Software\StartSearch
[-] Key deleted: HKU\S-1-5-21-435036236-1764767429-2939522118-1001\Software\systweak
[-] Key deleted: HKU\S-1-5-21-435036236-1764767429-2939522118-1001\Software\AppDataLow\Software\Conduit
[-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-435036236-1764767429-2939522118-1001\Software\SweetIM
[#] Key deleted on reboot: HKU\S-1-5-18\Software\Hola
[#] Key deleted on reboot: HKCU\Software\APN PIP
[#] Key deleted on reboot: HKCU\Software\Conduit
[#] Key deleted on reboot: HKCU\Software\Hola
[#] Key deleted on reboot: HKCU\Software\ParetoLogic
[#] Key deleted on reboot: HKCU\Software\PIP
[#] Key deleted on reboot: HKCU\Software\PrivitizeVPNInstallDates
[#] Key deleted on reboot: HKCU\Software\Softonic
[#] Key deleted on reboot: HKCU\Software\StartSearch
[#] Key deleted on reboot: HKCU\Software\systweak
[#] Key deleted on reboot: HKCU\Software\AppDataLow\Software\Conduit
[-] Key deleted: HKLM\SOFTWARE\ParetoLogic
[-] Key deleted: HKLM\SOFTWARE\PIP
[-] Key deleted: HKLM\SOFTWARE\systweak
[-] Key deleted: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2F603A45-D956-496B-81B5-50D782424976}
[-] Key deleted: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B85C4CB2-B352-4BD8-818C-BCE353599107}
[-] Value deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run [hola]
[-] Value deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32 [mobilegeni daemon]
[-] Key deleted: HKLM\SOFTWARE\Classes\AppID\esrv.EXE
[-] Key deleted: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\MobogenieAdd

***** [ Web browsers ] *****


:: "Tracing" keys deleted
:: Winsock settings cleared


C:\AdwCleaner\AdwCleaner[C0].txt - [5836 Bytes] - [09/09/2016 11:44:23]
C:\AdwCleaner\AdwCleaner[S0].txt - [5672 Bytes] - [09/09/2016 11:21:50]

########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt - [5982 Bytes] ##########

--------Sophos------ REPORT 2

2016-09-09 10:05:31.433    Sophos Virus Removal Tool version 2.5.6
2016-09-09 10:05:31.433    Copyright (c) 2009-2016 Sophos Limited. All rights reserved.

2016-09-09 10:05:31.433    This tool will scan your computer for viruses and other threats. If it finds any, it will give you the option to remove them.

2016-09-09 10:05:31.433    Windows version 6.2 SP 0.0  build 9200 SM=0x100 PT=0x1 WOW64
2016-09-09 10:05:31.434    Checking for updates...
2016-09-09 10:05:31.450    Update progress: proxy server not available
2016-09-09 10:05:47.967    Option all = no
2016-09-09 10:05:47.967    Option recurse = yes
2016-09-09 10:05:47.967    Option archive = no
2016-09-09 10:05:47.967    Option service = yes
2016-09-09 10:05:47.967    Option confirm = yes
2016-09-09 10:05:47.967    Option sxl = yes
2016-09-09 10:05:47.969    Option max-data-age = 35
2016-09-09 10:05:47.969    Option vdl-logging = yes
2016-09-09 10:05:47.981    Customer ID:    094260ca9b3af99f9d4a3909fc47a743
2016-09-09 10:05:47.981    Machine ID:    e6a9dbc030c741ada843127374a5b090
2016-09-09 10:05:47.982    Component SVRTcli.exe version 2.5.6
2016-09-09 10:05:47.982    Component control.dll version 2.5.6
2016-09-09 10:05:47.982    Component SVRTservice.exe version 2.5.6
2016-09-09 10:05:47.982    Component engine\osdp.dll version
2016-09-09 10:05:47.983    Component engine\veex.dll version
2016-09-09 10:05:47.983    Component engine\savi.dll version
2016-09-09 10:05:47.984    Component rkdisk.dll version
2016-09-09 10:05:47.984    Version info:    Product version    2.5.6
2016-09-09 10:05:47.984    Version info:    Detection engine    3.65.2
2016-09-09 10:05:47.984    Version info:    Detection data    5.31
2016-09-09 10:05:47.984    Version info:    Build date    6.9.2016
2016-09-09 10:05:47.984    Version info:    Data files added    155
2016-09-09 10:05:47.984    Version info:    Last successful update    (not yet updated)

2016-09-09 11:57:24.019    >>> Virus 'Mal/Generic-S' found in file C:\Users\Urban\AppData\Roaming\winini.exe
2016-09-09 11:57:24.019    >>> Virus 'Mal/Generic-S' found in file HKCR\exefile\default
2016-09-09 11:57:24.019    >>> Virus 'Mal/Generic-S' found in file HKCR\exefile\default
2016-09-09 13:01:11.596    >>> Virus 'Mal/Behav-066' found in file D:\Utorrent Downloads\COD2 Hack Pack\rld-cod2kg.exe
2016-09-09 13:01:11.596    >>> Virus 'Mal/Behav-066' found in file HKCR\exefile\default
2016-09-09 13:01:11.596    >>> Virus 'Mal/Behav-066' found in file HKCR\exefile\default
2016-09-09 13:03:27.459    The following items will be cleaned up:
2016-09-09 13:03:27.459    Mal/Generic-S
2016-09-09 13:03:27.459    Mal/Behav-066



I have a question. If this is it, what do I keep and what do I delete? I have downloaded a bunch of stuff and installed some scans and anti-viruses. What to keep and what to uninstall? And also do you know how to change my chrome back to .exe? (screenshot attached)

If you don't know, then I'll reinstall it, but I don't know if it will delete my bookmarks, passwords and saved stuff... 

Edited by makrarom

Maybe it is best to go for a fresh install of Chrome:

If your Chrome Bookmarks are important do this first:

Go to this link: http://www.wikihow.com/Export-Bookmarks-from-Chrome follow the instructions and Export your Bookmarks from Chrome, save to your Desktop or similar. Note the instructions can also be used to Import the bookmarks.....

Continue for a clean install:

Download Google Chrome installer and save ready for installation after clean up. Get installer from here: https://www.google.com/intl/en_uk/chrome/browser/desktop/index.html

Remove all synced data from Chrome, go here: https://support.google.com/chrome/answer/6386691?hl=en-GB follow those instructions... It is essential that any/all synced data is removed when the browser is hijacked or exploited in any way...

Uninstall Chrome: https://support.google.com/chrome/answer/95319?hl=en-GB follow those instructions, ensure the option to "Also delete your browsing data" is selected. <<--- Very important!!

Navigate to C:\Users\Your user name\Appdata\Local from that folder delete the folder named Google (you will need to show hidden files/folders to see the folder Appdata)

For XP that will be My Computer > C:\ Documents and Settings\Your User Name\Application Data\Roaming

How to show hidden files and folders for windows: http://www.howtogeek.com/howto/windows-vista/show-hidden-files-and-folders-in-windows-vista/

Install Google Chrome....

Install Adblock Plus to Chrome: https://chrome.google.com/webstore/detail/adblock-plus/cfhdojbkjhnklbpkdaibdccddilifddb

Install DrWeb Anti-virus Link Checker: https://chrome.google.com/webstore/detail/drweb-anti-virus-link-che/aleggpabliehgbeagmfhnodcijcmbonb?hl=en
Let me know if Chrome is ok now..




Chrome is fine today! Yesterday I found how to rename it back to .exe. You open cmd, write "move", then enter the programme location - in my case C:\Users\Urban\AppData\Local\Google\Chrome\Application\chrome.com then write again C:\Users\Urban\AppData\Local\Google\Chrome\Application\chrome.exe - to change it to what you want (I wanted .exe). Then I downloaded chrome cleanup tool to fix anything, and it's working fine. I did the same for recovery tool (rstrui.com to .exe). Everything is back in its place, and I haven't found any problems. I'm sorry I didn't follow your instructions this time, but really it's not needed =). Thank you, Kevin, I wish you best of luck in the future ;) !


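The reason renaming to .com worked while .exe files would not launch is visible in the Sophos log above: the detection hit HKCR\exefile\default, the registry entry that tells Windows how to run any .exe. The read-only check below is an added example (not from this thread or from any of the tools used in it) that reports whether the .exe association chain still matches the Windows defaults; it assumes the standard values `exefile` for HKCR\.exe and `"%1" %*` for the open command, and also looks at the per-user overlay under HKCU\Software\Classes, which takes precedence over the machine-wide keys when present.

```powershell
# Added example: inspect the .exe file-association chain and flag deviations
# from the Windows defaults. Read-only; it modifies nothing.
# Assumed defaults: HKCR\.exe -> "exefile"; HKCR\exefile\shell\open\command -> '"%1" %*'.
# A hijack typically replaces the open command with a path to a dropped binary
# followed by "%1" %*, so every .exe launch is routed through that binary first.

function Get-DefaultValue {
    param([string]$Path)
    # Returns the key's (Default) value, or $null when the key or value is absent.
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.'(default)'
}

function Test-ExeAssociation {
    $checks = @(
        @{ Name = 'HKCR\.exe'
           Path = 'Registry::HKEY_CLASSES_ROOT\.exe'
           Expected = 'exefile' },
        @{ Name = 'HKCR\exefile\shell\open\command'
           Path = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
           Expected = '"%1" %*' },
        # The per-user overlay should normally not exist at all; anything here
        # overrides the machine-wide association for this user only.
        @{ Name = 'HKCU\Software\Classes\.exe'
           Path = 'Registry::HKEY_CURRENT_USER\Software\Classes\.exe'
           Expected = $null },
        @{ Name = 'HKCU\Software\Classes\exefile\shell\open\command'
           Path = 'Registry::HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command'
           Expected = $null }
    )
    foreach ($c in $checks) {
        $actual = Get-DefaultValue -Path $c.Path
        # $null -eq $null is $true in PowerShell, so absent keys compare as expected.
        $status = if ($actual -eq $c.Expected) { 'OK' } else { 'SUSPECT' }
        [PSCustomObject]@{
            Key      = $c.Name
            Expected = $c.Expected
            Actual   = $actual
            Status   = $status
        }
    }
}

Test-ExeAssociation | Format-Table -AutoSize
```

A SUSPECT row whose Actual value points at a file under a user profile (like the winini.exe the scanner removed here) is the association hijack; clearing it is what a removal tool such as the ones used in this thread does on reboot.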

Thanks for the update, good to hear you're all good to go. A quick fix to rename is to right click on the file in question and select "rename". I thought you preferred a clean install...

To finish up uninstall Sophos via programs and features..


Download "Delfix by Xplode" and save it to your desktop.

Or use the following if first link is down:

"Delfix link mirror"

If your security program alerts to Delfix either, accept the alert or turn your security off.

Double Click to start the program. If you are using Vista or higher, please right-click and choose run as administrator

Make Sure the following items are checked:

  • Remove disinfection tools <----- this will remove tools we have used.
  • Purge System Restore <--- this will remove all previous and possibly exploited restore points, a new point relative to system status at present will be created.
  • Reset system settings   <--- this will reset any system settings back to default that were changed either by us during cleansing or malware/infection

Now click on "Run" and wait patiently until the tool has completed.

The tool will create a log when it has completed. We don't need you to post this.

Any remnant files/logs from tools we have used can be deleted…

Thank you....




Yes, I've tried renaming it at first, but it wasn't working, because the application was still functioning in .com form. But there was no icon, and it was just a temporary solution. If I changed the .com to .exe by renaming, it only renamed it and didn't change the way it opened com->exe. Anyways, I've removed the programmes during the disinfection with Delfix. I'll probably write those down, in case I or someone else needs advice with viruses. Cheers :D


  • Root Admin

Glad we could help. :) If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!


This topic is now closed to further replies.
