g33ky Posted March 12, 2017 ID:1107920

This is what I get. If I delete it and restart the PC, it comes back. What can I do to remove it permanently so it doesn't come back? Right now it's in quarantine.

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 3/11/17
Scan Time: 9:17 PM
Logfile: help.txt
Administrator: Yes

-Software Information-
Version: 3.0.0
Components Version: 1.0.39
Update Package Version: 1.0.1479
License: Free

-System Information-
OS: Windows 10
CPU: x64
File System: NTFS
User: DESKTOP-6UQFAR7\g33k

-Scan Summary-
Scan Type: Custom Scan
Result: Completed
Objects Scanned: 411995
Time Elapsed: 1 hr, 5 min, 34 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

-Scan Details-
Process: 0 (No malicious items detected)
Module: 0 (No malicious items detected)
Registry Key: 0 (No malicious items detected)
Registry Value: 0 (No malicious items detected)
Data Stream: 0 (No malicious items detected)
Folder: 0 (No malicious items detected)
File: 1
Trojan.Agent.E.Generic, C:\WINDOWS\HOSTS, No Action By User, [1337], [353524],1.0.1479
Physical Sector: 0 (No malicious items detected)

(end)
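The detection above is on a hosts file, and the practical question for a hosts-file hit that returns after every reboot is: which mappings are in it, and does the file change between restarts? The following audit script is an added example written for this page; it is not code from the thread, from Malwarebytes or from FRST. Everything in it is constructed: the sample hosts text, the list of vendor domains it treats as protected, and the function names. On a real machine the file to feed it is %SystemRoot%\System32\drivers\etc\hosts (the standard location); the path flagged in the log, C:\WINDOWS\HOSTS, is not the standard one.

```python
"""Audit a Windows hosts file for mappings a trojan or PUP would add.

Added example, not from the forum thread. The sample hosts text, the list of
protected vendor domains and the function names are constructed for this
example; run it against %SystemRoot%\\System32\\drivers\\etc\\hosts on a real box.
"""
from __future__ import annotations

import hashlib
import ipaddress
from dataclasses import dataclass

# Name suffixes malware commonly sinkholes to stop AV/OS updates. Constructed
# list; add the update hosts of whatever security products you actually run.
PROTECTED_SUFFIXES = (
    "malwarebytes.com", "bitdefender.com", "microsoft.com",
    "windowsupdate.com", "kaspersky.com", "eset.com", "sophos.com",
)

# RFC 1918 and link-local ranges: a mapping into these is usually a user's own
# LAN entry rather than a redirect to an attacker-controlled host.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "fc00::/7", "fe80::/10",
)]

# The only active mapping a stock hosts file needs.
DEFAULT_HOSTNAMES = frozenset({"localhost"})


@dataclass(frozen=True)
class Finding:
    line_no: int
    ip: str
    hostname: str
    reason: str


def _is_sinkhole(ip: ipaddress.IPv4Address | ipaddress.IPv6Address) -> bool:
    """127.0.0.0/8, ::1 and 0.0.0.0 all make a name unreachable."""
    return ip.is_loopback or ip.is_unspecified


def _is_lan(ip: ipaddress.IPv4Address | ipaddress.IPv6Address) -> bool:
    return any(ip in net for net in LAN_NETWORKS)


def _is_protected(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in PROTECTED_SUFFIXES)


def audit_hosts(text: str) -> list[Finding]:
    """Return every active (non-comment) mapping that deserves a second look."""
    findings: list[Finding] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()           # strip trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            findings.append(Finding(line_no, fields[0], " ".join(fields[1:]),
                                    "first field is not an IP address"))
            continue
        for host in fields[1:]:
            host = host.lower().rstrip(".")
            if host in DEFAULT_HOSTNAMES and _is_sinkhole(ip):
                continue                              # stock localhost line
            if _is_protected(host):
                reason = ("security/update host sinkholed" if _is_sinkhole(ip)
                          else "security/update host redirected")
            elif _is_sinkhole(ip):
                continue      # ad/tracker block lists look like this; not flagged
            elif _is_lan(ip):
                reason = "mapped to LAN address (verify it is yours)"
            else:
                reason = "mapped to public address (possible redirect)"
            findings.append(Finding(line_no, str(ip), host, reason))
    return findings


def fingerprint(text: str) -> str:
    """SHA-256 of the file: record it, reboot, re-run, and compare to catch a rewrite."""
    return hashlib.sha256(text.encode("utf-8", "surrogateescape")).hexdigest()


# Constructed sample (not the file from the thread); 203.0.113.0/24 is an
# RFC 5737 documentation range used here to stand in for a public address.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
0.0.0.0         updates.malwarebytes.com      # vendor host sinkholed
127.0.0.1       download.bitdefender.com
203.0.113.9     login.microsoft.com           # vendor host sent elsewhere
192.168.1.20    nas                           # user-added LAN entry
203.0.113.10    www.example-bank.test
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    print("sha256:", fingerprint(text))
    for f in audit_hosts(text):
        print(f"line {f.line_no}: {f.ip} -> {f.hostname}: {f.reason}")
```

Run it once, note the SHA-256, reboot, and run it again. If the hash changes without you touching the file, something that starts with the machine (a scheduled task, service, or startup entry) is rewriting it, and the hosts file is a symptom rather than the thing to clean.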
g33ky Posted March 15, 2017 Author ID:1108709

adwcleaner_6.044, RogueKiller, and SUPERAntiSpyware found things but did not find that trojan.
Root Admin AdvancedSetup Posted March 15, 2017 ID:1108745

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure whether your computer is 32-bit or 64-bit.

Double-click to run it. When the tool opens, click Yes to the disclaimer.
Press the Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.

Please attach the logs. Do not copy/paste directly here.
g33ky Posted March 15, 2017 Author ID:1108812

Here you go.

Addition.txt
FRST.txt
g33ky Posted March 17, 2017 Author ID:1109251

Hope someone is working on it. I know everyone is super busy, so take your time.
Root Admin AdvancedSetup Posted March 17, 2017 ID:1109279

Hello @g33ky

The logs show you're using some old versions of Java that have been compromised. Unless you're programming in Java and need a specific version, I would highly recommend uninstalling all versions of Java. If possible, try to run your computer without Java. If you really must have Java, then make sure you always keep it up to date.

Java 8 Update 121 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F64180121F0}) (Version: 8.0.1210.13 - Oracle Corporation)
Java 8 Update 121 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F32180121F0}) (Version: 8.0.1210.13 - Oracle Corporation)
Java SE Development Kit 8 Update 102 (64-bit) (HKLM\...\{64A3A4F4-B792-11D6-A78A-00B0D0180102}) (Version: 8.0.1020.14 - Oracle Corporation)
Java SE Development Kit 8 Update 102 (HKLM-x32\...\{32A3A4F4-B792-11D6-A78A-00B0D0180102}) (Version: 8.0.1020.14 - Oracle Corporation)
Java SE Development Kit 8 Update 112 (64-bit) (HKLM\...\{64A3A4F4-B792-11D6-A78A-00B0D0180112}) (Version: 8.0.1120.15 - Oracle Corporation)
Java SE Development Kit 8 Update 121 (64-bit) (HKLM\...\{64A3A4F4-B792-11D6-A78A-00B0D0180121}) (Version: 8.0.1210.13 - Oracle Corporation)
Java SE Development Kit 8 Update 92 (64-bit) (HKLM\...\{64A3A4F4-B792-11D6-A78A-00B0D0180920}) (Version: 8.0.920.14 - Oracle Corporation)
Java SE Development Kit 8 Update 92 (HKLM-x32\...\{32A3A4F4-B792-11D6-A78A-00B0D0180920}) (Version: 8.0.920.14 - Oracle Corporation)

Your computer also has products from IObit installed. I'll give you a bit of history about that Chinese company and let you decide for yourself whether you wish to keep using their product or not. The company behind this product was found to be stealing the MBAM database. Personally, I would not trust installing any software from a company that resorts to stealing someone's technology to sell their product.

Please see the following links and make up your own mind if you want to keep this on your system. If needed, your malware helper can help you remove it.

IOBit Steals Malwarebytes' Intellectual Property
IOBit's Denial of Theft Unconvincing
IOBit Theft Conclusion
IObit: Trusting Your Antivirus Vendor
Malwarebytes: IObit Stole Our Signatures Database
IObit accused of stealing from Malwarebytes
IOBit sucks at ethics

Do you know for certain this software is safe? Google has almost no hits for it, which is often a sign of a Trojan or other unknown file type. If you're not certain what it is, you should remove it.

KnewPlayer (HKLM-x32\...\{3C8911B0-2785-4DCE-88A3-7B7C836965FA}) (Version: 1.00.0000 - KnewPlayer) <==== ATTENTION

Not malware, but a couple of items you may or may not want loading with the computer every time you start it.

C:\Program Files\Acer\User Experience Improvement Program\Framework\TriggerFramework.exe [2014-03-12]

Nothing wrong with SUPERAntiSpyware, but this is a pretty old version. With the file being this old, it would have almost no valuable protection for you. If you want to use it, you should look at getting the latest version and remove this older one.

Task: {279B3D49-2940-4484-A866-6E29E77F23CE} - System32\Tasks\SUPERAntiSpyware Scheduled Task 8b4289ea-9e6b-445f-8e0d-3d7423a7e3c2 => C:\Program Files\SUPERAntiSpyware\SASTask.exe [2013-11-07] (SUPERAdBlocker.com)
Task: {35FC6F44-A91D-4DB4-870F-22C1D74DA41D} - System32\Tasks\SUPERAntiSpyware Scheduled Task 95c4c97b-50d7-4d7d-86ac-bd6ae91e44a9 => C:\Program Files\SUPERAntiSpyware\SASTask.exe [2013-11-07] (SUPERAdBlocker.com)

This appears to be a legitimate file from Acer, but it does not show that it's signed and I'm not sure what it even does. Might consider stopping it from launching unless you know what it's for.

Task: {803AFE5C-1A8F-4608-BFD6-D09F6D9CDEF5} - System32\Tasks\FUBTrackingByPLD => C:\OEM\Preload\FubTracking\FubTracking.exe [2015-05-14] ()

Why are you stopping the Malwarebytes tray from loading?

==================== MSCONFIG/TASK MANAGER disabled items ==

HKLM\...\StartupApproved\Run: => "RTHDVCPL"
HKLM\...\StartupApproved\Run32: => "Malwarebytes TrayApp"
HKU\S-1-5-21-3126460104-843830753-1945369205-1001\...\StartupApproved\Run: => "GUDelayStartup"

Please read the following article concerning the use of MSCONFIG: Msconfig Is Not A Startup Manager

You have a driver from Bitdefender antivirus still running on the system. You should get their removal tool and run it to do a clean removal.

S1 BdfNdisf; C:\WINDOWS\system32\DRIVERS\bdfndisf6.sys [107496 2016-02-16] (BitDefender LLC)
http://www.bitdefender.com/uninstall

Nothing wrong with using Glarysoft, but remember that you should never use the Registry Cleaning feature. That is snake oil. Do I need a Windows Registry Cleaner?

Let me have you run the following, please.

Please download the attached fixlist.txt file and save it to the Desktop.
NOTE: It's important that both files, FRST or FRST64 and fixlist.txt, are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.
Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.
Note: If the tool warned you about an outdated version, please download and run the updated version.

fixlist.txt

Thanks
Ron
g33ky Posted March 18, 2017 Author ID:1109473

Here you guys go.

Fixlog.txt
Root Admin AdvancedSetup Posted March 18, 2017 ID:1109497

Please open Malwarebytes and do a Threat Scan and post back that log. Then run FRST and get both new logs and post those back, as shown here: https://forums.malwarebytes.com/topic/9573-im-infected-what-do-i-do-now/

Thanks
g33ky Posted March 18, 2017 Author ID:1109545

As for the Malwarebytes log, IDK how or where to post that, or what setting to turn on. Malwarebytes found more IObit and Trojan.Agent.E.Generic again.

Addition.txt
FRST.txt
g33ky Posted March 19, 2017 Author ID:1109716

You can delete or move this post. I restored the quarantined files. I know I shouldn't have, but I did. I went to the Windows folder and deleted the hosts file along with the IObit folders, opened up regedit.exe and deleted the IObit folders and a few others. I emptied the bin after all that was done. I just ran Malwarebytes and it found no PUP/malware/adware/trojan/etc. I'll run the others later today to make sure nothing is on here. So thanks for the help; I'll remember the info for the future.
Root Admin AdvancedSetup Posted March 19, 2017 ID:1109722

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Thanks!