armypolice_UK Posted March 18, 2017 ID:1109609 Share Posted March 18, 2017 Hello, i installed Malwarebytes now when i open it i get this error how can i fix it? Link to post Share on other sites More sharing options...
kevinf80 Posted March 18, 2017 ID:1109620 Share Posted March 18, 2017 Hello armypolice_UK and welcome to Malwarebytes, My screen name is kevinf80, i`m here to help clean up your system. Make sure to run all scans from accounts with Administrator status, continue as follows please: Anyone other than the original starter of this thread please DO NOT follow the instructions and advice posted as replies here, my help and advice is NOT related to your system and will probably cause more harm than good... Change the download folder setting in the Default Browser only. so all of the tools we may use are saved to the Desktop:Google Chrome - Click the "Customize and control Google Chrome" button in the upper right-corner of the browser. Choose Settings. at the bottom of the screen click the "Show advanced settings..." link. Scroll down to find the Downloads section and click the Change... button. Select your desktop and click OK.Mozilla Firefox - Click the "Open Menu" button in the upper right-corner of the browser. Choose Options. In the downloads section, click the Browse button, click on the Desktop folder and the click the "Select Folder" button. Click OK to get out of the Options menu.Internet Explorer - Click the Tools menu in the upper right-corner of the browser. Select View downloads. Select the Options link in the lower left of the window. Click Browse and select the Desktop and then choose the Select Folder button. Click OK to get out of the download options screen and then click Close to get out of the View Downloads screen. NOTE: IE8 Does not support changing download locations in this manner. You will need to download the tool(s) to the default folder, usually Downloads, then copy them to the desktop.Change default download folder location in Edge -Boot to a user account with admin status, select start > file explorer > right click on "Downloads" folder and select "Properties" In the new window select "Location" tab > clear the text field box and type in or copy/paste %userprofile%\Desktop > select "Apply" then "OK" Be aware you are not changing the Browser download folder location, you are changing the user’s download directory location..... Next, Follow the instructions in the following link to show hidden files:http://www.howtogeek.com/howto/windows-vista/show-hidden-files-and-folders-in-windows-vista/ Next, Download Farbar Recovery Scan Tool and save it to your desktop. Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.htmlNote: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version. If your security alerts to FRST either, accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way... Be aware FRST must be run from an account with Administrator status... Double-click to run it. When the tool opens click Yes to disclaimer.(Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.) Make sure Addition.txt is checkmarked under "Optional scans" Press Scan button to run the tool.... It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply. The tool will also make a log named (Addition.txt) Please attach that log to your reply. Let me see those logs... Thank you, Kevin.. Link to post Share on other sites More sharing options...
armypolice_UK Posted March 19, 2017 Author ID:1109784 Share Posted March 19, 2017 this Addition.txt FRST.txt Link to post Share on other sites More sharing options...
kevinf80 Posted March 19, 2017 ID:1109868 Share Posted March 19, 2017 Hello again armypolice_UK, Have you recently had some kind of infection on your system before you posted here at Malwarebytes...? Continue with the following: Click on Start > All Programs > Accessories: Right-click on the Command Prompt entry Select Run as Administrator accept the UAC prompt - the Elevated Command Prompt window should pop up. At the Command prompt, type or copy/paste the following commands, tap enter after each one... Please note there is a space between "winmgmt" and "/standalonehost" Also between "winmgmt" and "/resetrepository"winmgmt /standalonehost winmgmt /resetrepository exit Reboot your computer when complete..... Next, Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file" NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work. Open FRST and press the Fix button just once and wait. The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply. Next, Totally Remove Malwarebytes from your system: Download the latest version of Malwarebytes cleanup tool from here: https://downloads.malwarebytes.com/file/mb_clean and save to your Desktop.. If applicable, backup your Malwarebytes license key information and deactivate the product. Close all open applications and deactivate Malwarebytes <---- Very important, do not miss that step To deactivate Malwarebytes: Right click on tray icon, from the opened list select "Quit Malwarebytes" an UAC alert will open, select "Yes" to deactivate Malwarebytes... If applicable, backup your license key and deactivate the product. Double-click mb-clean.exe to run it A prompt to confirm the cleanup will appear, select Yes or No Yes - will proceed with the cleanup process <---- Select this option to start the tool No - will exit the utility The Utility will launch a Command Prompt window which will disappear once the the cleanup process completes. Once completed, a log file ("mb-cleanresult.txt") will be on your desktop and you'll be prompted to reboot We recommend an immediate reboot <--- Do Not miss out this step Suppressing the reboot may result in an incomplete cleanup Upon reboot Malwarebytes will be totally removed from your system To re-install Malwarebytes: Download Malwarebytes version 3 from the following link:https://www.malwarebytes.com/mwb-download/thankyou/ Double click on the installer and follow the prompts. If necessary select the Blue Help tab for video instructions.... When the install completes and is updated do the following: Open Malwarebytes, select > "settings" > "protection tab" Scroll down to "Scan Options" ensure Scan for Rootkits and Scan within Archives are both on.... Go back to "DashBoard" select the Blue "Scan Now" tab...... When the scan completes deal with any found entries... Then select "Export Summary" then "Text File (*.txt)" name that log and save , you can copy or attach that to your reply... Thank you, Kevin... fixlist.txt Link to post Share on other sites More sharing options...
armypolice_UK Posted March 21, 2017 Author ID:1110353 Share Posted March 21, 2017 Still same and yes I did have a infection on PC a few days ago it still "unable to connect to service" I done as you said please help as I need fix this Link to post Share on other sites More sharing options...
kevinf80 Posted March 21, 2017 ID:1110441 Share Posted March 21, 2017 Do you have the log (fixlog.txt) from FRST fix requested in my last reply...? Also see if you can run the following scans and post the produced logs... Download and save RogueKiller to your Desktop from this link:https://www.fosshub.com/RogueKiller.html/setup.exe Right click setup.exe and select Run as Administrator to start installing RogueKiller. At the next window Checkmark "Install 32 and 64 bit versions, then select "Next" In the next window skip Licence I.D. and Licence Key, select "Next" In the next window make no changes and select "Next" In the next window leave both "Additional Shortcuts" checkmarked, then select "Next" In the next window make no changes and select "Install" RogueKiller will extract and complete installation, in the new window leave "Launch Roguekiller" checkmarked, then select finish. RogueKiller will launch. Accept UAC, then read and accept "User Agreements" In the new window the "Home" tab should already be selected, Change by selecting "Scan" tab, then select "Start Scan" When the scan completes select "Open Report" In the new Window select "Export text" name that file RK.txt, save to your Desktop and attach to your reply Next, Download Farbar Service Scanner from here: http://www.bleepingcomputer.com/download/farbar-service-scanner/dl/62/ and run it on the computer with the issue.Make sure the following options are checked: Internet Services Windows Firewall System Restore Security Center/Action Center Windows Update Windows Defender Press "Scan". It will create a log (FSS.txt) in the same directory the tool is run. Please copy and paste the log to your reply. Thank you, Kevin... Link to post Share on other sites More sharing options...
armypolice_UK Posted March 22, 2017 Author ID:1110760 Share Posted March 22, 2017 here ya go mate @kevinf80 FSS.txt RK.txt Link to post Share on other sites More sharing options...
kevinf80 Posted March 22, 2017 ID:1110765 Share Posted March 22, 2017 Thanks for the logs, continue with the following: Right click on RogueKiller.exe and select "Run as Administrator" to start the tool, accept UAC.. In the new window the "Home" tab should already be selected, Change by selecting "Scan" tab, then select "Start Scan" When the scan completes Checkmark (tick) the following against Registry entries, ensure that all other entries are not Checkmarked[PUP.Gen0] (X64) HKEY_CLASSES_ROOT\CLSID\{04a68053-3f8a-4f33-9755-1a3a49200db2} (C:\Program Files (x86)\bestadblocker\k1OsiXcVtIyA3O.x64.dll) -> Found [PUP.Gen0] (X64) HKEY_CLASSES_ROOT\CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484} (C:\Program Files\Reimage\Reimage Repair\REI_Axcontrol.dll) -> Found [PUP.Gen0] (X64) HKEY_CLASSES_ROOT\CLSID\{801B440B-1EE3-49B0-B05D-2AB076D4E8CB} (C:\Program Files\Reimage\Reimage Repair\REI_Axcontrol.dll) -> Found [PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-3738716786-2983444327-3403190484-1000\Software\IM -> Found [PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-3738716786-2983444327-3403190484-1000\Software\Win -> Found [PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-3738716786-2983444327-3403190484-1000\Software\IM -> Found [PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-3738716786-2983444327-3403190484-1000\Software\Win -> Found [PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-3738716786-2983444327-3403190484-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | AutoConfigUrl : http://no-blok.biz/wpad.dat?264b4ebcd2fdf6d3bd24d38eee30075326213019 -> Found [PUM.Proxy] (X86) HKEY_USERS\S-1-5-21-3738716786-2983444327-3403190484-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | AutoConfigUrl : http://no-blok.biz/wpad.dat?264b4ebcd2fdf6d3bd24d38eee30075326213019 -> Found [PUM.Proxy] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NlaSvc\Parameters\Internet\ManualProxies | (default) : 0http://no-blok.biz/wpad.dat?264b4ebcd2fdf6d3bd24d38eee30075326213019 -> Found [PUM.Proxy] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NlaSvc\Parameters\Internet\ManualProxies | (default) : 0http://no-blok.biz/wpad.dat?264b4ebcd2fdf6d3bd24d38eee30075326213019 -> Found [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{9EA627DC-49BC-4A73-BDE5-1D45BFD0B108}C:\users\jacks\appdata\local\temp\rar$exa0.821\bf3_pc_server_r38\launcherserver.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|Profile=Public|App=C:\users\jacks\appdata\local\temp\rar$exa0.821\bf3_pc_server_r38\launcherserver.exe|Name=launcherserver.exe|Desc=launcherserver.exe|Defer=User| [x] -> Found [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{4F971CE3-E250-4860-B783-2C70754E4468}C:\users\jacks\appdata\local\temp\rar$exa0.821\bf3_pc_server_r38\launcherserver.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|Profile=Public|App=C:\users\jacks\appdata\local\temp\rar$exa0.821\bf3_pc_server_r38\launcherserver.exe|Name=launcherserver.exe|Desc=launcherserver.exe|Defer=User| [x] -> Found [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{F03F67ED-C792-4E83-A287-4D12E99D2407}C:\users\jacks\appdata\local\temp\rar$exa0.253\bf3_pc_server_r38\launcherserver.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|Profile=Public|App=C:\users\jacks\appdata\local\temp\rar$exa0.253\bf3_pc_server_r38\launcherserver.exe|Name=launcherserver.exe|Desc=launcherserver.exe|Defer=User| [x] -> Found [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{E9BF5E8F-BEDD-4EA1-98D3-14DA0B45E190}C:\users\jacks\appdata\local\temp\rar$exa0.253\bf3_pc_server_r38\launcherserver.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|Profile=Public|App=C:\users\jacks\appdata\local\temp\rar$exa0.253\bf3_pc_server_r38\launcherserver.exe|Name=launcherserver.exe|Desc=launcherserver.exe|Defer=User| [x] -> Found [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{BCA62750-1D8D-478C-ACBD-1FE4FFAB10B8}C:\users\jacks\appdata\local\temp\rar$exa0.358\teamspeak3-server_win64\tsdns\tsdnsserver_win64.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\users\jacks\appdata\local\temp\rar$exa0.358\teamspeak3-server_win64\tsdns\tsdnsserver_win64.exe|Name=tsdnsserver_win64.exe|Desc=tsdnsserver_win64.exe|Defer=User| [x] -> Found [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{336E2979-26CA-47B6-8FFE-14EDC5837645}C:\users\jacks\appdata\local\temp\rar$exa0.358\teamspeak3-server_win64\tsdns\tsdnsserver_win64.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\users\jacks\appdata\local\temp\rar$exa0.358\teamspeak3-server_win64\tsdns\tsdnsserver_win64.exe|Name=tsdnsserver_win64.exe|Desc=tsdnsserver_win64.exe|Defer=User| [x] -> Found [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{89E0451A-2DDB-4101-93E2-6149D09AB005}C:\users\jacks\appdata\local\temp\rar$exa0.693\teamspeak3-server_win64\ts3server_win64.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\users\jacks\appdata\local\temp\rar$exa0.693\teamspeak3-server_win64\ts3server_win64.exe|Name=ts3server_win64.exe|Desc=ts3server_win64.exe|Defer=User| [x] -> Found [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{C66E2BA2-63DE-4064-92D7-048C74C3E350}C:\users\jacks\appdata\local\temp\rar$exa0.693\teamspeak3-server_win64\ts3server_win64.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\users\jacks\appdata\local\temp\rar$exa0.693\teamspeak3-server_win64\ts3server_win64.exe|Name=ts3server_win64.exe|Desc=ts3server_win64.exe|Defer=User| [x] -> Found [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{E0C9CE13-B6AD-45C3-9F98-DF9B3B6D69A7}C:\users\jacks\appdata\local\temp\rar$exa0.627\teamspeak3-server_win64\tsdns\tsdnsserver_win64.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|Profile=Public|App=C:\users\jacks\appdata\local\temp\rar$exa0.627\teamspeak3-server_win64\tsdns\tsdnsserver_win64.exe|Name=tsdnsserver_win64.exe|Desc=tsdnsserver_win64.exe|Defer=User| [x] -> Found [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{5BB39152-D41A-4A98-B8A4-CDB0741ED79E}C:\users\jacks\appdata\local\temp\rar$exa0.627\teamspeak3-server_win64\tsdns\tsdnsserver_win64.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|Profile=Public|App=C:\users\jacks\appdata\local\temp\rar$exa0.627\teamspeak3-server_win64\tsdns\tsdnsserver_win64.exe|Name=tsdnsserver_win64.exe|Desc=tsdnsserver_win64.exe|Defer=User| [x] -> Found [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{7A68AA0E-8ED6-41CE-BC64-387B93D1D0BF}C:\users\jacks\appdata\local\temp\rar$exa0.936\zlohosteronly.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\users\jacks\appdata\local\temp\rar$exa0.936\zlohosteronly.exe|Name=zlohosteronly.exe|Desc=zlohosteronly.exe|Defer=User| [x] -> Found [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{7E4349AB-E46C-4836-A05C-6184C80FBDD5}C:\users\jacks\appdata\local\temp\rar$exa0.936\zlohosteronly.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\users\jacks\appdata\local\temp\rar$exa0.936\zlohosteronly.exe|Name=zlohosteronly.exe|Desc=zlohosteronly.exe|Defer=User| [x] -> Found [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {AD6C9F87-6C22-4979-8827-BA2E78B7E302} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Users\jacks\AppData\Local\Temp\MPCOnline\MPCDownload.exe|Name=FunFive| [x] -> Found [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {A1E229A0-7147-4E96-B10A-CF0AC28FD4D1} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Users\jacks\AppData\Local\Temp\MPCOnline\MPCDownload.exe|Name=FunFive| [x] -> Found [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {53CA5C1D-6938-4B4B-8BA6-3CB2470F1A2F} : v2.10|Action=Allow|Active=TRUE|Dir=In|App=C:\Users\jacks\AppData\Local\Temp\5AJ7BZNGO4\chromedriver.exe|Name=Chromextender| [x] -> Found [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{9EA627DC-49BC-4A73-BDE5-1D45BFD0B108}C:\users\jacks\appdata\local\temp\rar$exa0.821\bf3_pc_server_r38\launcherserver.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|Profile=Public|App=C:\users\jacks\appdata\local\temp\rar$exa0.821\bf3_pc_server_r38\launcherserver.exe|Name=launcherserver.exe|Desc=launcherserver.exe|Defer=User| [x] -> Found [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{4F971CE3-E250-4860-B783-2C70754E4468}C:\users\jacks\appdata\local\temp\rar$exa0.821\bf3_pc_server_r38\launcherserver.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|Profile=Public|App=C:\users\jacks\appdata\local\temp\rar$exa0.821\bf3_pc_server_r38\launcherserver.exe|Name=launcherserver.exe|Desc=launcherserver.exe|Defer=User| [x] -> Found [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{F03F67ED-C792-4E83-A287-4D12E99D2407}C:\users\jacks\appdata\local\temp\rar$exa0.253\bf3_pc_server_r38\launcherserver.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|Profile=Public|App=C:\users\jacks\appdata\local\temp\rar$exa0.253\bf3_pc_server_r38\launcherserver.exe|Name=launcherserver.exe|Desc=launcherserver.exe|Defer=User| [x] -> Found [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{E9BF5E8F-BEDD-4EA1-98D3-14DA0B45E190}C:\users\jacks\appdata\local\temp\rar$exa0.253\bf3_pc_server_r38\launcherserver.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|Profile=Public|App=C:\users\jacks\appdata\local\temp\rar$exa0.253\bf3_pc_server_r38\launcherserver.exe|Name=launcherserver.exe|Desc=launcherserver.exe|Defer=User| [x] -> Found [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{BCA62750-1D8D-478C-ACBD-1FE4FFAB10B8}C:\users\jacks\appdata\local\temp\rar$exa0.358\teamspeak3-server_win64\tsdns\tsdnsserver_win64.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\users\jacks\appdata\local\temp\rar$exa0.358\teamspeak3-server_win64\tsdns\tsdnsserver_win64.exe|Name=tsdnsserver_win64.exe|Desc=tsdnsserver_win64.exe|Defer=User| [x] -> Found [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{336E2979-26CA-47B6-8FFE-14EDC5837645}C:\users\jacks\appdata\local\temp\rar$exa0.358\teamspeak3-server_win64\tsdns\tsdnsserver_win64.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\users\jacks\appdata\local\temp\rar$exa0.358\teamspeak3-server_win64\tsdns\tsdnsserver_win64.exe|Name=tsdnsserver_win64.exe|Desc=tsdnsserver_win64.exe|Defer=User| [x] -> Found [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{89E0451A-2DDB-4101-93E2-6149D09AB005}C:\users\jacks\appdata\local\temp\rar$exa0.693\teamspeak3-server_win64\ts3server_win64.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\users\jacks\appdata\local\temp\rar$exa0.693\teamspeak3-server_win64\ts3server_win64.exe|Name=ts3server_win64.exe|Desc=ts3server_win64.exe|Defer=User| [x] -> Found [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{C66E2BA2-63DE-4064-92D7-048C74C3E350}C:\users\jacks\appdata\local\temp\rar$exa0.693\teamspeak3-server_win64\ts3server_win64.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\users\jacks\appdata\local\temp\rar$exa0.693\teamspeak3-server_win64\ts3server_win64.exe|Name=ts3server_win64.exe|Desc=ts3server_win64.exe|Defer=User| [x] -> Found [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{E0C9CE13-B6AD-45C3-9F98-DF9B3B6D69A7}C:\users\jacks\appdata\local\temp\rar$exa0.627\teamspeak3-server_win64\tsdns\tsdnsserver_win64.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|Profile=Public|App=C:\users\jacks\appdata\local\temp\rar$exa0.627\teamspeak3-server_win64\tsdns\tsdnsserver_win64.exe|Name=tsdnsserver_win64.exe|Desc=tsdnsserver_win64.exe|Defer=User| [x] -> Found [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{5BB39152-D41A-4A98-B8A4-CDB0741ED79E}C:\users\jacks\appdata\local\temp\rar$exa0.627\teamspeak3-server_win64\tsdns\tsdnsserver_win64.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|Profile=Public|App=C:\users\jacks\appdata\local\temp\rar$exa0.627\teamspeak3-server_win64\tsdns\tsdnsserver_win64.exe|Name=tsdnsserver_win64.exe|Desc=tsdnsserver_win64.exe|Defer=User| [x] -> Found [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{7A68AA0E-8ED6-41CE-BC64-387B93D1D0BF}C:\users\jacks\appdata\local\temp\rar$exa0.936\zlohosteronly.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\users\jacks\appdata\local\temp\rar$exa0.936\zlohosteronly.exe|Name=zlohosteronly.exe|Desc=zlohosteronly.exe|Defer=User| [x] -> Found [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{7E4349AB-E46C-4836-A05C-6184C80FBDD5}C:\users\jacks\appdata\local\temp\rar$exa0.936\zlohosteronly.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\users\jacks\appdata\local\temp\rar$exa0.936\zlohosteronly.exe|Name=zlohosteronly.exe|Desc=zlohosteronly.exe|Defer=User| [x] -> Found [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {AD6C9F87-6C22-4979-8827-BA2E78B7E302} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Users\jacks\AppData\Local\Temp\MPCOnline\MPCDownload.exe|Name=FunFive| [x] -> Found [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {A1E229A0-7147-4E96-B10A-CF0AC28FD4D1} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Users\jacks\AppData\Local\Temp\MPCOnline\MPCDownload.exe|Name=FunFive| [x] -> Found [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {53CA5C1D-6938-4B4B-8BA6-3CB2470F1A2F} : v2.10|Action=Allow|Active=TRUE|Dir=In|App=C:\Users\jacks\AppData\Local\Temp\5AJ7BZNGO4\chromedriver.exe|Name=Chromextender| [x] -> Found [PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Found [PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Found Checkmark (tick) the following against File entries, ensure that all other entries are not Checkmarked[PUP.Gen1][Folder] C:\ProgramData\simplitec -> Found [Hj.Shortcut][File] C:\Users\jacks\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Int?rn?t ???l?r?r.lnk [LNK@] C:\PROGRA~2\INTERN~1\iexplore.exe https://launchpage.org/?uid=oTlKBGjchx1sXu%2BaqfQZJX4ZStvzxHEZ578BbohU%2F6iWfz6hF%2ByR3xjdqx7hHYjEP9C6 -> Found [Hj.Shortcut][File] C:\Users\jacks\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu\Int?rn?t ???l?r?r.lnk [LNK@] C:\PROGRA~2\INTERN~1\iexplore.exe https://launchpage.org/?uid=oTlKBGjchx1sXu%2BaqfQZJX4ZStvzxHEZ578BbohU%2F6iWfz6hF%2ByR3xjdqx7hHYjEP9C6 -> Found [PUP.Gen1][File] C:\Users\jacks\AppData\Roaming\Microsoft\Windows\Recent\Bubble Dock.lnk [LNK@] C:\Users\jacks\AppData\Roaming\Nosibay\Bubble Dock -> Found [PUP.Gen0|PUP.Gen1][File] C:\Users\jacks\AppData\Roaming\Microsoft\Windows\Recent\Selection Tools.lnk [LNK@] C:\Users\jacks\AppData\Roaming\WTools\Selection Tools -> Found [PUP.Gen1][File] C:\Users\jacks\AppData\Roaming\Microsoft\Windows\Recent\WindApp.lnk [LNK@] C:\Users\jacks\AppData\Roaming\Store\WindApp -> Found [PUP.Gen1][Folder] C:\Users\jacks\AppData\Roaming\simplitec -> Found [Hj.Shortcut][File] C:\Users\jacks\AppData\Local\Microsoft\Start Menu\?o??? ? ???e??e?.lnk [LNK@] C:\Windows\explorer.exe "http://exensup.ru/?utm_source=startlink03&utm_content=a425479155635b2e4743e1e153a7f55d&utm_term=5DA07DE8808C1F36E97CD748C485ED0C&utm_d=20160813" -> Found [Tr.Gen0][Folder] C:\Users\jacks\AppData\Local\syslog -> Found [Hj.Shortcut][File] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Traffic Manager\CyberphobX website.lnk [LNK@] C:\Windows\explorer.exe http://cyberphobx.com -> Found [PUP.Gen1][Folder] C:\ProgramData\simplitec -> Found [Hj.Shortcut][File] C:\Users\jacks\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Int?rn?t ???l?r?r.lnk [LNK@] C:\PROGRA~2\INTERN~1\iexplore.exe https://launchpage.org/?uid=oTlKBGjchx1sXu%2BaqfQZJX4ZStvzxHEZ578BbohU%2F6iWfz6hF%2ByR3xjdqx7hHYjEP9C6 -> Found Checkmark (tick) the following against Web Browser entries, ensure that all other entries are not Checkmarked[PUP.Gen0][Chrome:Addon] Default : AVG Web TuneUp [chfdnecihphmhljaaejmgoiahnihplgn] -> Found [PUM.HomePage][Firefox:Config] 1bv1j037.default : user_pref("browser.startup.homepage", "http://tmutara.ru/?utm_content=49f4c593a4d99a0a30351a0448198d82&utm_source=startpm&utm_term=5DA07DE8808C1F36E97CD748C485ED0C&utm_d=20160813"); -> Found Hit the Delete button, when complete select "Open Report" in the next window select "Export txt" the log will open. Save to your Desktop for reference, also attach to next reply. When complete try Malwarebytes once more... Thank you, Kevin Link to post Share on other sites More sharing options...
armypolice_UK Posted March 23, 2017 Author ID:1111065 Share Posted March 23, 2017 21 hours ago, kevinf80 said: Thanks for the logs, continue with the following: Right click on RogueKiller.exe and select "Run as Administrator" to start the tool, accept UAC.. In the new window the "Home" tab should already be selected, Change by selecting "Scan" tab, then select "Start Scan" When the scan completes Checkmark (tick) the following against Registry entries, ensure that all other entries are not Checkmarked[PUP.Gen0] (X64) HKEY_CLASSES_ROOT\CLSID\{04a68053-3f8a-4f33-9755-1a3a49200db2} (C:\Program Files (x86)\bestadblocker\k1OsiXcVtIyA3O.x64.dll) -> Found [PUP.Gen0] (X64) HKEY_CLASSES_ROOT\CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484} (C:\Program Files\Reimage\Reimage Repair\REI_Axcontrol.dll) -> Found [PUP.Gen0] (X64) HKEY_CLASSES_ROOT\CLSID\{801B440B-1EE3-49B0-B05D-2AB076D4E8CB} (C:\Program Files\Reimage\Reimage Repair\REI_Axcontrol.dll) -> Found [PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-3738716786-2983444327-3403190484-1000\Software\IM -> Found [PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-3738716786-2983444327-3403190484-1000\Software\Win -> Found [PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-3738716786-2983444327-3403190484-1000\Software\IM -> Found [PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-3738716786-2983444327-3403190484-1000\Software\Win -> Found [PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-3738716786-2983444327-3403190484-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | AutoConfigUrl : http://no-blok.biz/wpad.dat?264b4ebcd2fdf6d3bd24d38eee30075326213019 -> Found [PUM.Proxy] (X86) HKEY_USERS\S-1-5-21-3738716786-2983444327-3403190484-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | AutoConfigUrl : http://no-blok.biz/wpad.dat?264b4ebcd2fdf6d3bd24d38eee30075326213019 -> Found [PUM.Proxy] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NlaSvc\Parameters\Internet\ManualProxies | (default) : 0http://no-blok.biz/wpad.dat?264b4ebcd2fdf6d3bd24d38eee30075326213019 -> Found [PUM.Proxy] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NlaSvc\Parameters\Internet\ManualProxies | (default) : 0http://no-blok.biz/wpad.dat?264b4ebcd2fdf6d3bd24d38eee30075326213019 -> Found [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{9EA627DC-49BC-4A73-BDE5-1D45BFD0B108}C:\users\jacks\appdata\local\temp\rar$exa0.821\bf3_pc_server_r38\launcherserver.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|Profile=Public|App=C:\users\jacks\appdata\local\temp\rar$exa0.821\bf3_pc_server_r38\launcherserver.exe|Name=launcherserver.exe|Desc=launcherserver.exe|Defer=User| [x] -> Found [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{4F971CE3-E250-4860-B783-2C70754E4468}C:\users\jacks\appdata\local\temp\rar$exa0.821\bf3_pc_server_r38\launcherserver.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|Profile=Public|App=C:\users\jacks\appdata\local\temp\rar$exa0.821\bf3_pc_server_r38\launcherserver.exe|Name=launcherserver.exe|Desc=launcherserver.exe|Defer=User| [x] -> Found [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{F03F67ED-C792-4E83-A287-4D12E99D2407}C:\users\jacks\appdata\local\temp\rar$exa0.253\bf3_pc_server_r38\launcherserver.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|Profile=Public|App=C:\users\jacks\appdata\local\temp\rar$exa0.253\bf3_pc_server_r38\launcherserver.exe|Name=launcherserver.exe|Desc=launcherserver.exe|Defer=User| [x] -> Found [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{E9BF5E8F-BEDD-4EA1-98D3-14DA0B45E190}C:\users\jacks\appdata\local\temp\rar$exa0.253\bf3_pc_server_r38\launcherserver.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|Profile=Public|App=C:\users\jacks\appdata\local\temp\rar$exa0.253\bf3_pc_server_r38\launcherserver.exe|Name=launcherserver.exe|Desc=launcherserver.exe|Defer=User| [x] -> Found [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{BCA62750-1D8D-478C-ACBD-1FE4FFAB10B8}C:\users\jacks\appdata\local\temp\rar$exa0.358\teamspeak3-server_win64\tsdns\tsdnsserver_win64.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\users\jacks\appdata\local\temp\rar$exa0.358\teamspeak3-server_win64\tsdns\tsdnsserver_win64.exe|Name=tsdnsserver_win64.exe|Desc=tsdnsserver_win64.exe|Defer=User| [x] -> Found [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{336E2979-26CA-47B6-8FFE-14EDC5837645}C:\users\jacks\appdata\local\temp\rar$exa0.358\teamspeak3-server_win64\tsdns\tsdnsserver_win64.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\users\jacks\appdata\local\temp\rar$exa0.358\teamspeak3-server_win64\tsdns\tsdnsserver_win64.exe|Name=tsdnsserver_win64.exe|Desc=tsdnsserver_win64.exe|Defer=User| [x] -> Found [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{89E0451A-2DDB-4101-93E2-6149D09AB005}C:\users\jacks\appdata\local\temp\rar$exa0.693\teamspeak3-server_win64\ts3server_win64.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\users\jacks\appdata\local\temp\rar$exa0.693\teamspeak3-server_win64\ts3server_win64.exe|Name=ts3server_win64.exe|Desc=ts3server_win64.exe|Defer=User| [x] -> Found [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{C66E2BA2-63DE-4064-92D7-048C74C3E350}C:\users\jacks\appdata\local\temp\rar$exa0.693\teamspeak3-server_win64\ts3server_win64.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\users\jacks\appdata\local\temp\rar$exa0.693\teamspeak3-server_win64\ts3server_win64.exe|Name=ts3server_win64.exe|Desc=ts3server_win64.exe|Defer=User| [x] -> Found [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{E0C9CE13-B6AD-45C3-9F98-DF9B3B6D69A7}C:\users\jacks\appdata\local\temp\rar$exa0.627\teamspeak3-server_win64\tsdns\tsdnsserver_win64.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|Profile=Public|App=C:\users\jacks\appdata\local\temp\rar$exa0.627\teamspeak3-server_win64\tsdns\tsdnsserver_win64.exe|Name=tsdnsserver_win64.exe|Desc=tsdnsserver_win64.exe|Defer=User| [x] -> Found [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{5BB39152-D41A-4A98-B8A4-CDB0741ED79E}C:\users\jacks\appdata\local\temp\rar$exa0.627\teamspeak3-server_win64\tsdns\tsdnsserver_win64.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|Profile=Public|App=C:\users\jacks\appdata\local\temp\rar$exa0.627\teamspeak3-server_win64\tsdns\tsdnsserver_win64.exe|Name=tsdnsserver_win64.exe|Desc=tsdnsserver_win64.exe|Defer=User| [x] -> Found [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{7A68AA0E-8ED6-41CE-BC64-387B93D1D0BF}C:\users\jacks\appdata\local\temp\rar$exa0.936\zlohosteronly.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\users\jacks\appdata\local\temp\rar$exa0.936\zlohosteronly.exe|Name=zlohosteronly.exe|Desc=zlohosteronly.exe|Defer=User| [x] -> Found [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{7E4349AB-E46C-4836-A05C-6184C80FBDD5}C:\users\jacks\appdata\local\temp\rar$exa0.936\zlohosteronly.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\users\jacks\appdata\local\temp\rar$exa0.936\zlohosteronly.exe|Name=zlohosteronly.exe|Desc=zlohosteronly.exe|Defer=User| [x] -> Found [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {AD6C9F87-6C22-4979-8827-BA2E78B7E302} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Users\jacks\AppData\Local\Temp\MPCOnline\MPCDownload.exe|Name=FunFive| [x] -> Found [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {A1E229A0-7147-4E96-B10A-CF0AC28FD4D1} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Users\jacks\AppData\Local\Temp\MPCOnline\MPCDownload.exe|Name=FunFive| [x] -> Found [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {53CA5C1D-6938-4B4B-8BA6-3CB2470F1A2F} : v2.10|Action=Allow|Active=TRUE|Dir=In|App=C:\Users\jacks\AppData\Local\Temp\5AJ7BZNGO4\chromedriver.exe|Name=Chromextender| [x] -> Found [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{9EA627DC-49BC-4A73-BDE5-1D45BFD0B108}C:\users\jacks\appdata\local\temp\rar$exa0.821\bf3_pc_server_r38\launcherserver.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|Profile=Public|App=C:\users\jacks\appdata\local\temp\rar$exa0.821\bf3_pc_server_r38\launcherserver.exe|Name=launcherserver.exe|Desc=launcherserver.exe|Defer=User| [x] -> Found [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{4F971CE3-E250-4860-B783-2C70754E4468}C:\users\jacks\appdata\local\temp\rar$exa0.821\bf3_pc_server_r38\launcherserver.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|Profile=Public|App=C:\users\jacks\appdata\local\temp\rar$exa0.821\bf3_pc_server_r38\launcherserver.exe|Name=launcherserver.exe|Desc=launcherserver.exe|Defer=User| [x] -> Found [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{F03F67ED-C792-4E83-A287-4D12E99D2407}C:\users\jacks\appdata\local\temp\rar$exa0.253\bf3_pc_server_r38\launcherserver.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|Profile=Public|App=C:\users\jacks\appdata\local\temp\rar$exa0.253\bf3_pc_server_r38\launcherserver.exe|Name=launcherserver.exe|Desc=launcherserver.exe|Defer=User| [x] -> Found [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{E9BF5E8F-BEDD-4EA1-98D3-14DA0B45E190}C:\users\jacks\appdata\local\temp\rar$exa0.253\bf3_pc_server_r38\launcherserver.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|Profile=Public|App=C:\users\jacks\appdata\local\temp\rar$exa0.253\bf3_pc_server_r38\launcherserver.exe|Name=launcherserver.exe|Desc=launcherserver.exe|Defer=User| [x] -> Found [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{BCA62750-1D8D-478C-ACBD-1FE4FFAB10B8}C:\users\jacks\appdata\local\temp\rar$exa0.358\teamspeak3-server_win64\tsdns\tsdnsserver_win64.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\users\jacks\appdata\local\temp\rar$exa0.358\teamspeak3-server_win64\tsdns\tsdnsserver_win64.exe|Name=tsdnsserver_win64.exe|Desc=tsdnsserver_win64.exe|Defer=User| [x] -> Found [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{336E2979-26CA-47B6-8FFE-14EDC5837645}C:\users\jacks\appdata\local\temp\rar$exa0.358\teamspeak3-server_win64\tsdns\tsdnsserver_win64.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\users\jacks\appdata\local\temp\rar$exa0.358\teamspeak3-server_win64\tsdns\tsdnsserver_win64.exe|Name=tsdnsserver_win64.exe|Desc=tsdnsserver_win64.exe|Defer=User| [x] -> Found [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{89E0451A-2DDB-4101-93E2-6149D09AB005}C:\users\jacks\appdata\local\temp\rar$exa0.693\teamspeak3-server_win64\ts3server_win64.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\users\jacks\appdata\local\temp\rar$exa0.693\teamspeak3-server_win64\ts3server_win64.exe|Name=ts3server_win64.exe|Desc=ts3server_win64.exe|Defer=User| [x] -> Found [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{C66E2BA2-63DE-4064-92D7-048C74C3E350}C:\users\jacks\appdata\local\temp\rar$exa0.693\teamspeak3-server_win64\ts3server_win64.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\users\jacks\appdata\local\temp\rar$exa0.693\teamspeak3-server_win64\ts3server_win64.exe|Name=ts3server_win64.exe|Desc=ts3server_win64.exe|Defer=User| [x] -> Found [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{E0C9CE13-B6AD-45C3-9F98-DF9B3B6D69A7}C:\users\jacks\appdata\local\temp\rar$exa0.627\teamspeak3-server_win64\tsdns\tsdnsserver_win64.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|Profile=Public|App=C:\users\jacks\appdata\local\temp\rar$exa0.627\teamspeak3-server_win64\tsdns\tsdnsserver_win64.exe|Name=tsdnsserver_win64.exe|Desc=tsdnsserver_win64.exe|Defer=User| [x] -> Found [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{5BB39152-D41A-4A98-B8A4-CDB0741ED79E}C:\users\jacks\appdata\local\temp\rar$exa0.627\teamspeak3-server_win64\tsdns\tsdnsserver_win64.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|Profile=Public|App=C:\users\jacks\appdata\local\temp\rar$exa0.627\teamspeak3-server_win64\tsdns\tsdnsserver_win64.exe|Name=tsdnsserver_win64.exe|Desc=tsdnsserver_win64.exe|Defer=User| [x] -> Found [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{7A68AA0E-8ED6-41CE-BC64-387B93D1D0BF}C:\users\jacks\appdata\local\temp\rar$exa0.936\zlohosteronly.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\users\jacks\appdata\local\temp\rar$exa0.936\zlohosteronly.exe|Name=zlohosteronly.exe|Desc=zlohosteronly.exe|Defer=User| [x] -> Found [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{7E4349AB-E46C-4836-A05C-6184C80FBDD5}C:\users\jacks\appdata\local\temp\rar$exa0.936\zlohosteronly.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\users\jacks\appdata\local\temp\rar$exa0.936\zlohosteronly.exe|Name=zlohosteronly.exe|Desc=zlohosteronly.exe|Defer=User| [x] -> Found [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {AD6C9F87-6C22-4979-8827-BA2E78B7E302} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Users\jacks\AppData\Local\Temp\MPCOnline\MPCDownload.exe|Name=FunFive| [x] -> Found [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {A1E229A0-7147-4E96-B10A-CF0AC28FD4D1} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Users\jacks\AppData\Local\Temp\MPCOnline\MPCDownload.exe|Name=FunFive| [x] -> Found [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {53CA5C1D-6938-4B4B-8BA6-3CB2470F1A2F} : v2.10|Action=Allow|Active=TRUE|Dir=In|App=C:\Users\jacks\AppData\Local\Temp\5AJ7BZNGO4\chromedriver.exe|Name=Chromextender| [x] -> Found [PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Found [PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Found Checkmark (tick) the following against File entries, ensure that all other entries are not Checkmarked[PUP.Gen1][Folder] C:\ProgramData\simplitec -> Found [Hj.Shortcut][File] C:\Users\jacks\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Int?rn?t ???l?r?r.lnk [LNK@] C:\PROGRA~2\INTERN~1\iexplore.exe https://launchpage.org/?uid=oTlKBGjchx1sXu%2BaqfQZJX4ZStvzxHEZ578BbohU%2F6iWfz6hF%2ByR3xjdqx7hHYjEP9C6 -> Found [Hj.Shortcut][File] C:\Users\jacks\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu\Int?rn?t ???l?r?r.lnk [LNK@] C:\PROGRA~2\INTERN~1\iexplore.exe https://launchpage.org/?uid=oTlKBGjchx1sXu%2BaqfQZJX4ZStvzxHEZ578BbohU%2F6iWfz6hF%2ByR3xjdqx7hHYjEP9C6 -> Found [PUP.Gen1][File] C:\Users\jacks\AppData\Roaming\Microsoft\Windows\Recent\Bubble Dock.lnk [LNK@] C:\Users\jacks\AppData\Roaming\Nosibay\Bubble Dock -> Found [PUP.Gen0|PUP.Gen1][File] C:\Users\jacks\AppData\Roaming\Microsoft\Windows\Recent\Selection Tools.lnk [LNK@] C:\Users\jacks\AppData\Roaming\WTools\Selection Tools -> Found [PUP.Gen1][File] C:\Users\jacks\AppData\Roaming\Microsoft\Windows\Recent\WindApp.lnk [LNK@] C:\Users\jacks\AppData\Roaming\Store\WindApp -> Found [PUP.Gen1][Folder] C:\Users\jacks\AppData\Roaming\simplitec -> Found [Hj.Shortcut][File] C:\Users\jacks\AppData\Local\Microsoft\Start Menu\?o??? ? ???e??e?.lnk [LNK@] C:\Windows\explorer.exe "http://exensup.ru/?utm_source=startlink03&utm_content=a425479155635b2e4743e1e153a7f55d&utm_term=5DA07DE8808C1F36E97CD748C485ED0C&utm_d=20160813" -> Found [Tr.Gen0][Folder] C:\Users\jacks\AppData\Local\syslog -> Found [Hj.Shortcut][File] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Traffic Manager\CyberphobX website.lnk [LNK@] C:\Windows\explorer.exe http://cyberphobx.com -> Found [PUP.Gen1][Folder] C:\ProgramData\simplitec -> Found [Hj.Shortcut][File] C:\Users\jacks\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Int?rn?t ???l?r?r.lnk [LNK@] C:\PROGRA~2\INTERN~1\iexplore.exe https://launchpage.org/?uid=oTlKBGjchx1sXu%2BaqfQZJX4ZStvzxHEZ578BbohU%2F6iWfz6hF%2ByR3xjdqx7hHYjEP9C6 -> Found Checkmark (tick) the following against Web Browser entries, ensure that all other entries are not Checkmarked[PUP.Gen0][Chrome:Addon] Default : AVG Web TuneUp [chfdnecihphmhljaaejmgoiahnihplgn] -> Found [PUM.HomePage][Firefox:Config] 1bv1j037.default : user_pref("browser.startup.homepage", "http://tmutara.ru/?utm_content=49f4c593a4d99a0a30351a0448198d82&utm_source=startpm&utm_term=5DA07DE8808C1F36E97CD748C485ED0C&utm_d=20160813"); -> Found Hit the Delete button, when complete select "Open Report" in the next window select "Export txt" the log will open. Save to your Desktop for reference, also attach to next reply. When complete try Malwarebytes once more... Thank you, Kevin I followed all that and it still don't work malwarebytes i also reinstalled it here is the report FFS 1.txt ^^ Last night after i showed you this one FSS.txt then this afternoon i did FFS3.txt after that i did FFS 4.txt Link to post Share on other sites More sharing options...
kevinf80 Posted March 23, 2017 ID:1111110 Share Posted March 23, 2017 Run the following Windows repair tool, do not be concerned about windows 10 entries, it will not check what is not there... Download Portable Windows Repair (all in one) from one of the following:www.tweaking.com/files/setups/tweaking.com_windows_repair_aio.ziphttp://www.majorgeeks.com/mg/getmirror/tweaking_com_windows_repair_portable,1.htmlhttps://www.bleepingcomputer.com/download/windows-repair-all-in-one/ Unzip the contents into a newly created folder on your desktop. Boot your system to Safe mode, instructions here: https://support.microsoft.com/en-gb/help/12376/windows-10-start-your-pc-in-safe-mode Open the Tweaking.com folder, run the tool by right click on Repair_Windows (icon with red briefcase) select "Run as Administrator" From the main GUI do the following: Select Tab 5 to make Registry backup, use the recommended option... When complete select "Repairs" tab, from there select "Open Repairs" tab.. From that window select the default option and checkmarck "Select All" box. When ready select "Start Repairs" tab.... When complete re-boot your system to Normal mode, see if there is any improvement... Logs are saved to the Tweaking.com folder on your Desktop, the one to post is _Windows_Repair_Log.txt Link to post Share on other sites More sharing options...
armypolice_UK Posted March 24, 2017 Author ID:1111449 Share Posted March 24, 2017 (edited) 19 hours ago, kevinf80 said: Run the following Windows repair tool, do not be concerned about windows 10 entries, it will not check what is not there... Download Portable Windows Repair (all in one) from one of the following:www.tweaking.com/files/setups/tweaking.com_windows_repair_aio.ziphttp://www.majorgeeks.com/mg/getmirror/tweaking_com_windows_repair_portable,1.htmlhttps://www.bleepingcomputer.com/download/windows-repair-all-in-one/ Unzip the contents into a newly created folder on your desktop. Boot your system to Safe mode, instructions here: https://support.microsoft.com/en-gb/help/12376/windows-10-start-your-pc-in-safe-mode Open the Tweaking.com folder, run the tool by right click on Repair_Windows (icon with red briefcase) select "Run as Administrator" From the main GUI do the following: Select Tab 5 to make Registry backup, use the recommended option... When complete select "Repairs" tab, from there select "Open Repairs" tab.. From that window select the default option and checkmarck "Select All" box. When ready select "Start Repairs" tab.... When complete re-boot your system to Normal mode, see if there is any improvement... Logs are saved to the Tweaking.com folder on your Desktop, the one to post is _Windows_Repair_Log.txt I followed all this and malwarebytes finally worked i'd like to thank-you very much @kevinf80 for helping me all the way and using your time to help me, is there someone i can contact admin wise to give you a good review cause you deserve one also soon i'll send you a donation Edited March 24, 2017 by armypolice_UK Link to post Share on other sites More sharing options...
kevinf80 Posted March 24, 2017 ID:1111480 Share Posted March 24, 2017 Thank you for the kind words, the guy who looks after this forum is probably @AdvancedSetup if you have no remaining issues or concerns we can clean up.... Uninstall RogueKiller http://www.askvg.com/how-to-completely-uninstall-remove-a-software-program-in-windows-without-using-3rd-party-software/ Next, Download "Delfix by Xplode" and save it to your desktop. Or use the following if first link is down:"Delfix link mirror" If your security program alerts to Delfix either, accept the alert or turn your security off. Double Click to start the program. If you are using Vista or higher, please right-click and choose run as administrator Make Sure the following items are checked: Remove disinfection tools <----- this will remove tools we have used. Purge System Restore <--- this will remove all previous and possibly exploited restore points, a new point relative to system status at present will be created. Reset system settings <--- this will reset any system settings back to default that were changed either by us during cleansing or malware/infection Now click on "Run" and wait patiently until the tool has completed. The tool will create a log when it has completed. We don't need you to post this. Any remnant files/logs from tools we have used can be deleted… Next, Read the following links to fully understand PC Security and Best Practices, you may find them useful....Answers to Common Security Questions and best PracticesDo I need a Registry Cleaner? Take care and surf safe Kevin... Link to post Share on other sites More sharing options...
armypolice_UK Posted March 24, 2017 Author ID:1111501 Share Posted March 24, 2017 44 minutes ago, kevinf80 said: Thank you for the kind words, the guy who looks after this forum is probably @AdvancedSetup if you have no remaining issues or concerns we can clean up.... Uninstall RogueKiller http://www.askvg.com/how-to-completely-uninstall-remove-a-software-program-in-windows-without-using-3rd-party-software/ Next, Download "Delfix by Xplode" and save it to your desktop. Or use the following if first link is down:"Delfix link mirror" If your security program alerts to Delfix either, accept the alert or turn your security off. Double Click to start the program. If you are using Vista or higher, please right-click and choose run as administrator Make Sure the following items are checked: Remove disinfection tools <----- this will remove tools we have used. Purge System Restore <--- this will remove all previous and possibly exploited restore points, a new point relative to system status at present will be created. Reset system settings <--- this will reset any system settings back to default that were changed either by us during cleansing or malware/infection Now click on "Run" and wait patiently until the tool has completed. The tool will create a log when it has completed. We don't need you to post this. Any remnant files/logs from tools we have used can be deleted… Next, Read the following links to fully understand PC Security and Best Practices, you may find them useful....Answers to Common Security Questions and best PracticesDo I need a Registry Cleaner? Take care and surf safe Kevin... What does all this do? Link to post Share on other sites More sharing options...
kevinf80 Posted March 24, 2017 ID:1111504 Share Posted March 24, 2017 The items to check in DelFix do have an explanation against the entry, which part do not understand...? Link to post Share on other sites More sharing options...
armypolice_UK Posted March 24, 2017 Author ID:1111570 Share Posted March 24, 2017 2 hours ago, kevinf80 said: The items to check in DelFix do have an explanation against the entry, which part do not understand...? But my problem solved as said above and is there a thing to remove files that's not going Link to post Share on other sites More sharing options...
kevinf80 Posted March 24, 2017 ID:1111579 Share Posted March 24, 2017 Quote and is there a thing to remove files that's not going What do you refer to...? Link to post Share on other sites More sharing options...
armypolice_UK Posted March 24, 2017 Author ID:1111613 Share Posted March 24, 2017 1 hour ago, kevinf80 said: What do you refer to...? Well i got a file on my destop and when I try and remove it, it says "error" and it won't remove Link to post Share on other sites More sharing options...
kevinf80 Posted March 24, 2017 ID:1111622 Share Posted March 24, 2017 What is the name of the file.. Link to post Share on other sites More sharing options...
armypolice_UK Posted March 24, 2017 Author ID:1111626 Share Posted March 24, 2017 5 minutes ago, kevinf80 said: What is the name of the file.. It's a language pack for a forum software Link to post Share on other sites More sharing options...
kevinf80 Posted March 24, 2017 ID:1111635 Share Posted March 24, 2017 Did you download it..? Can you post the address C:\Users\ {username}\desktop\{name of folder} Like so - C:\Users\Kevin\Desktop\Tools Link to post Share on other sites More sharing options...
armypolice_UK Posted March 25, 2017 Author ID:1111918 Share Posted March 25, 2017 C:\Users\Jack\Desktop\Traduction Française - XenForo 1.5.4 GobelinLand Link to post Share on other sites More sharing options...
kevinf80 Posted March 25, 2017 ID:1111945 Share Posted March 25, 2017 Download BlitzBlank from here: http://www.bleepingcomputer.com/download/blitzblank/dl/108/ and save it to your desktop. Right click on Blitzblank.exe select "Run as Administrator" Click OK at the warning (and take note of it, this is a VERY powerful tool!). Click the Script tab and copy/paste the following text there: DeleteFolder: C:\Users\Jack\Desktop\Traduction Franc¸aise - XenForo 1.5.4 GobelinLand Click Execute Now. An alert will ask "You are about to delete files, are you sure to proceed" Select OK to proceed A system reboot warning will open, it will say "Please close all running applicatons to avoid data loss" Select OK to proceed Your computer will need to reboot in order to do the fixes When done, post me the report created by Blitzblank. you can find it at the root of the drive Normaly C:\ Link to post Share on other sites More sharing options...
armypolice_UK Posted March 26, 2017 Author ID:1112184 Share Posted March 26, 2017 17 hours ago, kevinf80 said: Download BlitzBlank from here: http://www.bleepingcomputer.com/download/blitzblank/dl/108/ and save it to your desktop. Right click on Blitzblank.exe select "Run as Administrator" Click OK at the warning (and take note of it, this is a VERY powerful tool!). Click the Script tab and copy/paste the following text there: DeleteFolder: C:\Users\Jack\Desktop\Traduction Franc¸aise - XenForo 1.5.4 GobelinLand Click Execute Now. An alert will ask "You are about to delete files, are you sure to proceed" Select OK to proceed A system reboot warning will open, it will say "Please close all running applicatons to avoid data loss" Select OK to proceed Your computer will need to reboot in order to do the fixes When done, post me the report created by Blitzblank. you can find it at the root of the drive Normaly C:\ comes up with an error wrong command is there another application that will do it? Link to post Share on other sites More sharing options...
kevinf80 Posted March 26, 2017 ID:1112212 Share Posted March 26, 2017 It looks as though the folder name did not copy correctly, hence the command error... Thais is how I copied to the instruction: C:\Users\Jack\Desktop\Traduction Franc¸aise - XenForo 1.5.4 GobelinLand Not sure why it copied in like that, you had in your reply as such: C:\Users\Jack\Desktop\Traduction Française - XenForo 1.5.4 GobelinLand The word Francaise needs to be in the command line with no space Link to post Share on other sites More sharing options...
kevinf80 Posted April 1, 2017 ID:1114276 Share Posted April 1, 2017 Any progress....? Link to post Share on other sites More sharing options...
Recommended Posts