hosts

This is what I get. If I delete it and restart the PC, it comes back. What can I do to remove it permanently so it doesn't come back? Right now it's in quarantine.

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 3/11/17
Scan Time: 9:17 PM
Logfile: help.txt
Administrator: Yes

-Software Information-
Version: 3.0.0
Components Version: 1.0.39
Update Package Version: 1.0.1479
License: Free

-System Information-
OS: Windows 10
CPU: x64
File System: NTFS
User: DESKTOP-6UQFAR7\g33k

-Scan Summary-
Scan Type: Custom Scan
Result: Completed
Objects Scanned: 411995
Time Elapsed: 1 hr, 5 min, 34 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 1
Trojan.Agent.E.Generic, C:\WINDOWS\HOSTS, No Action By User, [1337], [353524],1.0.1479

Physical Sector: 0
(No malicious items detected)


(end)

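An added example, not code from any post in this thread: the audit a practitioner would run before deciding what to do with a flagged hosts file. Windows only reads the hosts file from the directory named in the DataBasePath registry value (stock: %SystemRoot%\System32\drivers\etc), so the script checks that value rather than a hard-coded path; a hosts file anywhere else is inert unless that value points at it. It then lists every live mapping, records the file's hash and owner so a reappearing file can be compared across a reboot, and offers a reset to stock content. The function names and the vendor-domain list are this example's own assumptions. Run from an elevated PowerShell on Windows 10.

```powershell
# Added example (not from the thread). Assumes Windows 10, elevated session.
# Function names and $VendorDomains are assumptions of this example.

# Windows resolves from the directory named in DataBasePath, so a hijack can
# also move that value; read it instead of trusting the stock path.
function Get-HostsPath {
    $tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $dir   = (Get-ItemProperty -Path $tcpip -Name DataBasePath).DataBasePath
    $dir   = [Environment]::ExpandEnvironmentVariables($dir).TrimEnd('\')
    $stock = Join-Path $env:SystemRoot 'System32\drivers\etc'
    if ($dir -ne $stock) { Write-Warning "DataBasePath points to '$dir' instead of '$stock'" }
    Join-Path $dir 'hosts'
}

# Domains a hijacked hosts file commonly sinkholes so updates and AV fail
# (assumed list for illustration; extend it for your environment).
$VendorDomains = 'malwarebytes.com', 'malwarebytes.org', 'microsoft.com',
                 'windowsupdate.com', 'symantec.com', 'kaspersky.com'

function Get-HostsAudit {
    param([string]$Path = (Get-HostsPath))
    $item = Get-Item -LiteralPath $Path -Force
    # Identity of the file; re-run after a reboot and compare the hash to see
    # whether something rewrote it.
    [pscustomobject]@{
        Path       = $Path
        SizeBytes  = $item.Length
        Attributes = $item.Attributes
        LastWrite  = $item.LastWriteTime
        Owner      = (Get-Acl -LiteralPath $Path).Owner
        SHA256     = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    } | Format-List | Out-Host

    foreach ($raw in Get-Content -LiteralPath $Path) {
        $line = ($raw -split '#', 2)[0].Trim()          # strip comments
        if ($line -eq '') { continue }
        $fields = $line -split '\s+'
        if ($fields.Count -lt 2) { continue }            # address with no names
        $addr = $fields[0]
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            # The only mapping Windows itself ever needed is localhost, and the
            # stock file ships even that commented out.
            if (($addr -in '127.0.0.1', '::1') -and ($name -ieq 'localhost')) { continue }
            $hitsVendor = $VendorDomains | Where-Object { $name -like "*$_" }
            if ($hitsVendor)                        { $verdict = 'SINKHOLED-SECURITY-DOMAIN' }
            elseif ($addr -in '0.0.0.0', '127.0.0.1') { $verdict = 'blocked (ad-list style?)' }
            else                                    { $verdict = 'REDIRECT' }
            [pscustomobject]@{ Address = $addr; Name = $name; Verdict = $verdict }
        }
    }
}

# Replace the file with stock content (comments only), keeping a backup and
# clearing ReadOnly/Hidden attributes that a hijacker may have set.
function Reset-HostsFile {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Path = (Get-HostsPath))
    $stock = @(
        '# Reset by Reset-HostsFile. Windows needs no entries here; localhost is'
        '# resolved by the DNS client itself, as in the stock file:'
        '#   127.0.0.1       localhost'
        '#   ::1             localhost'
    )
    if ($PSCmdlet.ShouldProcess($Path, 'Overwrite with stock content')) {
        Copy-Item -LiteralPath $Path -Destination "$Path.bak-$(Get-Date -Format yyyyMMddHHmmss)"
        (Get-Item -LiteralPath $Path -Force).Attributes = 'Normal'
        Set-Content -LiteralPath $Path -Value $stock -Encoding Ascii
        ipconfig /flushdns | Out-Null
    }
}

Get-HostsAudit | Format-Table -AutoSize
# Reset-HostsFile -WhatIf      # drop -WhatIf once the audit output is understood
```

Read the audit before resetting: an ad-blocking hosts list (thousands of names mapped to 0.0.0.0 or 127.0.0.1) is legitimate but looks the same to a scanner, whereas security-vendor or update domains pointed anywhere is the hijack pattern. If the hash changes again after a clean reboot, something on the machine is rewriting the file and the fix belongs there, not in the hosts file.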

  • Root Admin

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
You can check here if you're not sure if your computer is 32-bit or 64-bit.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.


Please attach the logs. Do not copy/paste directly here.


  • Root Admin

Hello @g33ky

The logs show you're using some old versions of Java that have been compromised. Unless you're programming in Java and need a specific version, I would highly recommend uninstalling all versions of Java. If possible, try to run your computer without Java. If you really must have Java, then make sure you always keep it up to date.

Java 8 Update 121 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F64180121F0}) (Version: 8.0.1210.13 - Oracle Corporation)
Java 8 Update 121 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F32180121F0}) (Version: 8.0.1210.13 - Oracle Corporation)
Java SE Development Kit 8 Update 102 (64-bit) (HKLM\...\{64A3A4F4-B792-11D6-A78A-00B0D0180102}) (Version: 8.0.1020.14 - Oracle Corporation)
Java SE Development Kit 8 Update 102 (HKLM-x32\...\{32A3A4F4-B792-11D6-A78A-00B0D0180102}) (Version: 8.0.1020.14 - Oracle Corporation)
Java SE Development Kit 8 Update 112 (64-bit) (HKLM\...\{64A3A4F4-B792-11D6-A78A-00B0D0180112}) (Version: 8.0.1120.15 - Oracle Corporation)
Java SE Development Kit 8 Update 121 (64-bit) (HKLM\...\{64A3A4F4-B792-11D6-A78A-00B0D0180121}) (Version: 8.0.1210.13 - Oracle Corporation)
Java SE Development Kit 8 Update 92 (64-bit) (HKLM\...\{64A3A4F4-B792-11D6-A78A-00B0D0180920}) (Version: 8.0.920.14 - Oracle Corporation)
Java SE Development Kit 8 Update 92 (HKLM-x32\...\{32A3A4F4-B792-11D6-A78A-00B0D0180920}) (Version: 8.0.920.14 - Oracle Corporation)

Your computer also has products from IObit installed. I'll give you a bit of history about that Chinese company and let you decide for yourself if you wish to keep using their product or not.

The company behind this product was found to be stealing the MBAM database.
Personally I would not trust installing any software from a company that resorts to stealing someone's technology to sell their product.
Please see the following links and make up your own mind if you want to keep this on your system. If needed, your malware helper can help you remove it.


Do you know for certain this software is safe? Google has almost no hits for it, which is often a sign of a Trojan or other unknown file type. If you're not certain what it is, you should remove it.

KnewPlayer (HKLM-x32\...\{3C8911B0-2785-4DCE-88A3-7B7C836965FA}) (Version: 1.00.0000 - KnewPlayer) <==== ATTENTION

Not malware, but a couple of items you may or may not want loading every time you start the computer.

C:\Program Files\Acer\User Experience Improvement Program\Framework\TriggerFramework.exe [2014-03-12]

Nothing wrong with SuperAntispyware, but this is a pretty old version. With the file being this old, it would have almost no valuable protection for you. If you want to use it, you should look at getting the latest version and remove this older one.

Task: {279B3D49-2940-4484-A866-6E29E77F23CE} - System32\Tasks\SUPERAntiSpyware Scheduled Task 8b4289ea-9e6b-445f-8e0d-3d7423a7e3c2 => C:\Program Files\SUPERAntiSpyware\SASTask.exe [2013-11-07] (SUPERAdBlocker.com)
Task: {35FC6F44-A91D-4DB4-870F-22C1D74DA41D} - System32\Tasks\SUPERAntiSpyware Scheduled Task 95c4c97b-50d7-4d7d-86ac-bd6ae91e44a9 => C:\Program Files\SUPERAntiSpyware\SASTask.exe [2013-11-07] (SUPERAdBlocker.com)

This appears to be a legitimate file from Acer, but it does not show that it's signed, and I'm not sure what it even does. Might consider stopping it from launching unless you know what it's for.

Task: {803AFE5C-1A8F-4608-BFD6-D09F6D9CDEF5} - System32\Tasks\FUBTrackingByPLD => C:\OEM\Preload\FubTracking\FubTracking.exe [2015-05-14] ()

Why are you stopping Malwarebytes tray from loading?

==================== MSCONFIG/TASK MANAGER disabled items ==

HKLM\...\StartupApproved\Run: => "RTHDVCPL"
HKLM\...\StartupApproved\Run32: => "Malwarebytes TrayApp"
HKU\S-1-5-21-3126460104-843830753-1945369205-1001\...\StartupApproved\Run: => "GUDelayStartup"

Please read the following article concerning the use of MSCONFIG
Msconfig Is Not A Startup Manager

You have a driver from Bitdefender antivirus still running on the system. You should get their removal tool and run it to do a clean removal.

S1 BdfNdisf; C:\WINDOWS\system32\DRIVERS\bdfndisf6.sys [107496 2016-02-16] (BitDefender LLC)

http://www.bitdefender.com/uninstall

Nothing wrong with using Glarysoft, but remember that you should never use the Registry Cleaning feature. That is snake oil.

Do I need a Windows Registry Cleaner?

Let me have you run the following please.

Please download the attached fixlist.txt file and save it to the Desktop.
NOTE: It's important that both files, FRST or FRST64 and fixlist.txt, are in the same location, or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

fixlist.txt

Thanks

Ron

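An added example, not code from any post in this thread: the same autostart review the FRST log above is read for, done in PowerShell so each point is a check rather than a judgement call. It lists every scheduled-task action and Run-key entry with its Authenticode status (the post questioned FubTracking.exe because FRST showed no signer), decodes the StartupApproved values behind "MSCONFIG/TASK MANAGER disabled items" (Task Manager leaves the Run value in place and records the disable there, so the binary stays registered), and inventories installed Java from the Uninstall keys FRST prints the program list from. Function names are this example's own; the StartupApproved byte layout used (first byte 0x02 enabled, 0x03 disabled, bytes 4 to 11 the FILETIME of the disable) is the commonly observed one, not a published specification, so treat it as an assumption. Run elevated on Windows 10.

```powershell
# Added example (not from the thread). Assumes Windows 10, elevated session,
# ScheduledTasks module present. Function names are this example's own.

$RunKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$PsNoise = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# Pull the executable out of a command line: "C:\a b\x.exe" /q  or  C:\x.exe /q
function Get-ExeFromCommand([string]$Command) {
    $exe = if ($Command -match '^\s*"([^"]+)"') { $Matches[1] } else { ($Command.Trim() -split '\s+')[0] }
    [Environment]::ExpandEnvironmentVariables($exe)
}

# Every task action and Run-key value with its Authenticode status.
function Get-AutostartSignatures {
    $entries = @(foreach ($task in Get-ScheduledTask) {
        foreach ($a in $task.Actions) {
            if ($a.Execute) {                       # COM-handler actions have no Execute
                [pscustomobject]@{ Source = "Task $($task.TaskPath)$($task.TaskName)"
                                   Path   = Get-ExeFromCommand $a.Execute }
            }
        }
    })
    $entries += foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -in $PsNoise) { continue }
            [pscustomobject]@{ Source = "$key\$($p.Name)"; Path = Get-ExeFromCommand ([string]$p.Value) }
        }
    }
    foreach ($e in $entries) {
        if (Test-Path -LiteralPath $e.Path -PathType Leaf) {
            $sig = Get-AuthenticodeSignature -FilePath $e.Path
            $status = $sig.Status; $signer = $sig.SignerCertificate.Subject
        } else { $status = 'FileMissing'; $signer = $null }   # orphaned autostart
        [pscustomobject]@{ Source = $e.Source; Path = $e.Path; Signature = $status; Signer = $signer }
    }
}

# Decode StartupApproved: Task Manager's disable switch lives here, not in the
# Run key itself. Layout assumed: byte 0 = 0x02 enabled / 0x03 disabled,
# bytes 4..11 = FILETIME of the disable.
function Get-StartupApprovedState {
    $roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved',
             'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved'
    foreach ($root in $roots) {
        foreach ($sub in 'Run', 'Run32', 'StartupFolder') {
            $key = Join-Path $root $sub
            if (-not (Test-Path $key)) { continue }
            foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
                if ($p.Value -isnot [byte[]] -or $p.Value.Length -lt 12) { continue }
                $b = $p.Value
                $disabled = ($b[0] -band 1) -eq 1
                $when = if ($disabled) { [DateTime]::FromFileTime([BitConverter]::ToInt64($b, 4)) } else { $null }
                [pscustomobject]@{ Hive = $root.Split(':')[0]; Key = $sub; Name = $p.Name
                                   Disabled = $disabled; DisabledAt = $when }
            }
        }
    }
}

# Installed Java entries from the Uninstall keys (64-bit and 32-bit views).
function Get-InstalledJava {
    $uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Java*' -and $_.Publisher -like 'Oracle*' } |
        Sort-Object DisplayVersion |
        Select-Object DisplayName, DisplayVersion, UninstallString
}

Get-AutostartSignatures | Where-Object Signature -ne 'Valid' | Format-Table -AutoSize
Get-StartupApprovedState | Where-Object Disabled | Format-Table -AutoSize
Get-InstalledJava | Format-Table -AutoSize
```

An unsigned or missing binary in the first table is not proof of malware, as the Acer example in the post shows, but it is the set worth identifying by hand. A disabled StartupApproved entry is a clue, not a removal: the program is still installed and still registered, which is why the post points at a proper uninstaller rather than MSCONFIG or Task Manager.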

you can delete or move this post.

I restored the quarantined files. I know I shouldn't have, but I did.

I went to the Windows folder and deleted the hosts file along with the IObit folders.

Opened up regedit.exe and deleted the IObit folders and a few others. I emptied the bin after all that was done.

Just ran Malwarebytes and it found no PUP/malware/adware/trojan/etc. I'll run the other later today to make sure nothing is on here. So thanks for the help; I'll remember the info for the future.


  • Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance, please start your own topic in a new thread. Thanks!
