
Hello!

A few days ago I needed something very fast and unfortunately had a disastrous encounter with a keygen or something like that. As a result I got a shi*load of malware and adware on my computer (YeaDesktop, Chinese UC Browser, Adware Elex and some other stuff) which I believe I've mostly been able to clean with the help of Malwarebytes, CCleaner and HitManPro. I also cleaned (regedit) the system registry on my Windows 7.

However, I simply can't get rid of this malware registry value called ADWARE.ELEX.SHHKRST. Over the weekend I must have gone through my computer with Malwarebytes at least a dozen times and I quarantined/deleted this sucker each time, but it just keeps coming back. No matter whether I reboot (restart) my computer or not. It's like there is a hidden dropper somewhere, causing reinfection every time I quarantine/delete it. Most of the time I get just one hit (Adware.Elex.SHHKRST - see -> malware1.txt), although today two scans also ended with two hits (Adware.Elex.SHHKRST and Trojan.WMIHijacker.ClnShrt - see -> malware2.txt).

On Saturday (11.6.) I made a full scan of my computer with Microsoft Security Essentials and it didn't find a single threat. No virus, malware, adware or trojan. Then I scanned it with ADWCleaner and it found the following threats (see --> AdwCleaner0.txt), which I quarantined/deleted. I also used ESET Online Scanner (yes, I temporarily disabled Microsoft Security Essentials while doing that) and got the following hits (see -> EST.Scan.txt). Today I also scanned my computer with RogueKiller and it found several hits (see - > KillerRougue1 and 2.txt). I quarantined/deleted every hit, except the first one which I forgot to check (see -> KillerRougue.Deleted.txt). I also scanned my computer again with HitManPro, but it didn't find anything except a few tracking cookies. I also checked the computer with Junkware Removal Tool and got a few hits (see -> JRT.txt).

I don't know what else I can do. I apologise for too many attachments, but I just wanted to present my problem as thoroughly and shortly, so that we are not unnecessarily running in circles.

Also attached at the end are the files usually requested on this forum: FRST.txt and Addition.txt.

Help. :D

Best regards,

Adam

malware1.txt

malware2.txt

AdwCleaner0.txt

EST.Scan.txt

Killer.Rougue.Deleted.txt

JRT.txt

FRST.txt

Addition.txt


Hi!

Well, I went today over my computer again.

1.) First I restored my IE Explorer and Mozilla Firefox browsers.

2.) Then I scanned the computer with RogueKiller. It found the following 2 threats, which I deleted.

[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-2810601530-1322417806-279784104-1002\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Replaced (http://search.msn.com/spbasic.htm)
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-2810601530-1322417806-279784104-1002\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Replaced (http://search.msn.com/spbasic.htm)

3.) After RogueKiller I scanned the computer with ADWCleaner and it found zero threats.

4.) After ADWCleaner I scanned it with Junkware Removal Tool (JRT) and it found the following 8 threats, which I deleted.

Successfully deleted: C:\Users\******\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4L6ROW3N (Temporary Internet Files Folder)
Successfully deleted: C:\Users\******\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7AJOASNM (Temporary Internet Files Folder)
Successfully deleted: C:\Users\******\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DM6QBX86 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\******\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GP5JXVJT (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4L6ROW3N (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7AJOASNM (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DM6QBX86 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GP5JXVJT (Temporary Internet Files Folder)

5.) After JRT I scanned the computer with Sophos Virus Removal Tool. The scan took a couple of hours and it found zero threats.

6.) Then I decided to scan the computer with Malwarebytes and it found 1 threat. My old nemesis Adware.Elex.SHHKRST. I quarantined and deleted it.

Registry Values: 1
Adware.Elex.SHHKRST, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\SHELLEXECUTEHOOKS\{5F51FFFE-7463-4220-B711-E5B9ACB8EDFE}, Quarantined, [0fa952ec6e3b6cca9f681a576f9156aa],

7.) Then I rebooted my computer.

8.) And scanned it again with Malwarebytes and the Adware.Elex.SHHKRST is back. :wacko:

I would really, really, really, really, really, really appreciate help from a professional on this.

I don't know what else to do. I am thinking of scanning my computer with Avira Anti-Virus Program, but I am a bit reluctant to install another new anti-virus program which probably won't find anything. Also, how is it that only Malwarebytes is apparently able to detect this adware??

Best regards,

Adam

Edited by Adam555
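
An added example, not part of the original posts or of any tool used in this thread: a read-only PowerShell check that lists every CLSID registered under the ShellExecuteHooks key named in the Malwarebytes log line above and resolves it to the DLL it points at. The function name is hypothetical, and a 64-bit PowerShell session is assumed.

```powershell
# Added example (read-only): list ShellExecuteHooks registrations and the DLL behind each.
# Get-ShellExecuteHook is a hypothetical helper name. Run it from 64-bit PowerShell.
function Get-ShellExecuteHook {
    # Check the native registry view and the 32-bit (Wow6432Node) view.
    foreach ($software in 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node') {
        $hookPath = "$software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks"
        $hookKey  = Get-Item -LiteralPath $hookPath -ErrorAction SilentlyContinue
        if (-not $hookKey) { continue }

        # Every named value under the key is the CLSID of one registered hook.
        foreach ($clsid in $hookKey.GetValueNames()) {
            if (-not $clsid) { continue }   # skip the unnamed default value

            # The COM registration for that CLSID names the DLL the shell would load.
            $inprocPath = "$software\Classes\CLSID\$clsid\InprocServer32"
            $inprocKey  = Get-Item -LiteralPath $inprocPath -ErrorAction SilentlyContinue
            $dll = $null
            if ($inprocKey) { $dll = $inprocKey.GetValue('') }

            # Classify the entry; a signature is only checked for a DLL found on disk.
            # Caveat: System32 paths from the Wow6432Node view really live in SysWOW64.
            if (-not $dll) {
                $state = 'no COM registration (orphaned value)'
            } elseif (-not (Test-Path -LiteralPath $dll)) {
                $state = 'DLL not found on disk'
            } else {
                $state = "signature: $((Get-AuthenticodeSignature -FilePath $dll).Status)"
            }

            New-Object PSObject -Property @{
                HookKey = $hookPath; Clsid = $clsid; Dll = $dll; State = $state
            }
        }
    }
}

Get-ShellExecuteHook | Format-List HookKey, Clsid, Dll, State
```

Comparing the output before and after a reboot shows whether a hook value has reappeared and which file, if any, it resolves to.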

Hello Adam555 and welcome to Malwarebytes,

I see from your logs you are running an outdated version of Malwarebytes, let's go for an upgrade first..

Totally Remove Malwarebytes from your system:

Download the latest version of Malwarebytes cleanup tool from here: https://downloads.malwarebytes.com/file/mb_clean and save to your Desktop..

If applicable, backup your Malwarebytes license key information and deactivate the product.

Close all open applications and deactivate Malwarebytes <---- Very important, do not miss that step

To deactivate Malwarebytes:

Right click on tray icon, from the opened list select "Quit Malwarebytes". A UAC alert will open, select "Yes" to deactivate Malwarebytes...
 
  • Double-click mb-clean.exe to run it
  • A prompt to confirm the cleanup will appear, select Yes or No
    • Yes - will proceed with the cleanup process <---- Select this option to start the tool
    • No - will exit the utility
  • The Utility will launch a Command Prompt window which will disappear once the cleanup process completes.
  • Once completed, a log file ("mb-cleanresult.txt") will be on your desktop and you'll be prompted to reboot
  • We recommend an immediate reboot <--- Do Not miss out this step
  • Suppressing the reboot may result in an incomplete cleanup
  • Upon reboot Malwarebytes will be totally removed from your system


To re-install Malwarebytes:

Download Malwarebytes version 3 from the following link:

https://www.malwarebytes.com/mwb-download/thankyou/
 
  • Double click on the installer and follow the prompts. If necessary select the Blue Help tab for video instructions....
  • When the install completes and is updated do the following:
  • Open Malwarebytes, select > "settings" > "protection tab"
  • Scroll down to "Scan Options" ensure Scan for Rootkits and Scan within Archives are both on....
  • Go back to "DashBoard" select the Blue "Scan Now" tab......


When the scan completes deal with any found entries... Then select "Export Summary" then "Text File (*.txt)" name that log and save , you can copy or attach that to your reply...

If you have lost the activation licence key information it can be located here: http://www.cleverbridge.com/342/?scope=cusecolp

Next,

Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan" Select scan, when done post the new logs. "FRST.txt" and "Addition.txt"

Let me see those logs in your reply..

Thank you,

Kevin...

Hello Kevin,

Thank you for your reply and help on this matter.

As you suggested I totally removed Malwarebytes from my computer and installed the newest version of it. I was using its free version before, hence I didn't have a licence key nor needed to deactivate the product.

I scanned the computer with the newest version and it found 1 threat: Adware.Elex.SHHKRST (see -> Malwarebytes.txt). I put it in a quarantine, but I haven't deleted it yet.

As you advised I also ran again FRST and below you'll find the attached txt log files (see -> FRST.txt and Addition.txt).

Would it help you, Kevin, if I sent you the Malwarebytes txt log file from 10th June (which is when this saga of mine began), when I quarantined/deleted a bunch of adware and viruses?

Best regards,

Adam

 

 

Malwarebytes.txt

Addition.txt

FRST.txt


Thanks for those logs, continue as follows:

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it to your reply.

Next,

Emsisoft Emergency Kit
  • Click Here to download Emsisoft Emergency Kit. The download will automatically start after a moment.
  • Save EmsisoftEmergencyKit.exe to your Desktop.
  • Double click on EmsisoftEmergencyKit.exe (Windows Vista/7/8/10 users: Accept UAC warning if it is enabled). A screen will appear.
  • Leave everything as it is, then click Extract. This may be listed as Install. This will unpack or install Emsisoft Emergency Kit to the EEK folder located in the root drive (usually C:\).
  • Once the extraction or installation is done, an icon will appear on your Desktop. Double click it to start Emsisoft Emergency Kit.
  • Wait for Emsisoft Emergency Kit to finish loading signatures. A screen should appear.
  • Choose Yes, then wait for EEK to finish updating.
  • Choose Malware Scan under the Scan button. When EEK asks to activate PUP detection, choose Yes.
  • Wait for the scan to finish.
  • If EEK detects something, all detected items will be displayed. Place a checkmark before everything, then choose Quarantine Selected.
  • If Emsisoft Emergency Kit asks to reboot, please do so immediately.
  • The scan log is located in Logs -> Scan Logs. Click on the entry of the latest scan, choose Export and save the report on your Desktop.
  • Please Copy and Paste the contents of the scan log in your next reply.


Let me see those logs in your reply, also post the Malwarebytes log you mention earlier...

Thank you,

Kevin

fixlist.txt


Hello Kevin,

Thank you for your reply and help.

I did what you asked me with fixlist.txt and FRST. I attached the file (Fixlog.txt) below.

I also scanned my computer with Emsisoft. Actually three times (twice Malware and once Custom) because the program automatically installed in my native language, so it was a nightmare to navigate through. Also the first time when I scanned with Malware Scan I forgot to activate the PUP detection. It didn't automatically ask me to activate it, so I had to do it manually. I did that by clicking SETTINGS under SCAN, then SCAN on the upper menu and SCANNER SETTINGS button in the lower right corner. There you check Detect Potentially Unwanted Programs (PUP).

Anyway, here are the results of my scans:

1.) Malware Scan (with PUP off). It found 1 threat.

Emsisoft Emergency Kit - Version 2017.4
Last update: 14.6.2017 23:54:24
User account: Imperia-PC\Imperia
Computer name: IMPERIA-PC
OS version: Windows 7x64 Service Pack 1

Scan settings:

Scan type: Malware Scan
Objects: Rootkits, Memory, Traces, Files

Detect PUPs: Off
Scan archives: Off
ADS Scan: On
File extension filter: Off
Direct disk access: Off

Scan start:  14.6.2017 23:12:26

Key: HKEY_USERS\S-1-5-21-2810601530-1322417806-279784104-1002\SOFTWARE\GOOGLE\CHROME\EXTENSIONS\FDLOIJIJLKOBLMIGDOFOMMGNHECKMAKI  zaznano*: Application.WebExt (A) [278134] [* "zaznano" means detected - Adam]

Scanned:  96611
Found:  1

Scan End:  14.6.2017 23:48:54
Scan Time:  0:36:28

Key: HKEY_USERS\S-1-5-21-2810601530-1322417806-279784104-1002\SOFTWARE\GOOGLE\CHROME\EXTENSIONS\FDLOIJIJLKOBLMIGDOFOMMGNHECKMAKI     Application.WebExt (A)

Put In Quarantine: 1

2.) Then I scanned with Custom Scan (with PUP on). It found zero threats.

Emsisoft Emergency Kit - Version 2017.4
Last update: 14.6.2017 23:54:24
User account: Imperia-PC\Imperia
Computer name: IMPERIA-PC
OS version: Windows 7x64 Service Pack 1

Scan settings:

Scan type: Custom Scan
Objects: Rootkits, Memory, Traces, C:\

Detect PUPs: On
Scan archives: On
ADS Scan: On
File extension filter: Off
Direct disk access: Off

Scan start:  15.6.2017 0:02:15

Scanned   363228
Found   0

Scan end:  15.6.2017 2:42:07
Scan time:  2:39:52

3.) And finally for good measure I went over it again with Malware Scan, but this time with PUP on. It found zero threats.

Emsisoft Emergency Kit - Version 2017.4
Last update: 14.6.2017 23:54:24
User account: Imperia-PC\Imperia
Computer name: IMPERIA-PC
OS version: Windows 7x64 Service Pack 1

Scan settings:

Scan type: Malware Scan
Objects: Rootkits, Memory, Traces, Files

Detect PUPs: On
Scan archives: Off
ADS Scan: On
File extension filter: Off
Direct disk access: Off

Scan start: 15.6.2017 2:52:07

Scanned  96695
Found   0

Scan end:  15.6.2017 3:33:18
Scan time:  0:41:11

And this was it. I'm sorry for the confusion. :unsure:

You will also find attached the Malwarebytes log file from 10th June, when I quarantined and deleted a bunch of adware and viruses from my computer. I'm particularly "troubled" by these two entries:

Trojan.WMIHijacker.ClnShrt, C:\Users\Imperia\AppData\Roaming\Mozilla\Firefox\Profiles\9i0xhn8o.default\sessionstore-backups\recovery.js, Good: (), Bad: (yeadesktop), Replaced,[f934bc8101a86acca1d204a6f8096b95]
PUP.Optional.NavSmart.ClnShrt, C:\Users\Imperia\AppData\Roaming\Mozilla\Firefox\Profiles\9i0xhn8o.default\sessionstore-backups\recovery.js, Good: (), Bad: (navsmart), Replaced,[fd309e9ffeabbc7a2c49c88e2ed53ec2]

Thank you again for your help.

Best regards,

Klemen

Fixlog.txt

malware.10.6.2017.txt


Hello Kevin,

Thank you for your reply and invaluable help.

I deleted the found adware from Emsisoft Quarantine, rebooted my computer twice and ran a fresh scan with Malwarebytes. It found zero malicious items (see attached file). The pesky Adware.Elex.Shhkrst is gone. :D

The computer is operating normally. I reckon all that's left for me to do now is to uninstall some of these programs that I installed during the past couple of days.

Thank you again, Kevin!

Best regards,

K.

Malwarebytes.16.6.2017.txt


Emsisoft does not install, we can clean up as follows:

Navigate to and delete the following, (if still present):

C:\ProgramData\Emsisoft
C:\Users\{your user name}\Desktop\start emergency kit scanner - Shortcut.lnk
C:\EEK
C:\Users\{your user name}\Desktop\EmsisoftEmergencyKit.exe


Next,

Download "Delfix by Xplode" and save it to your desktop.

Or use the following if first link is down:

"Delfix link mirror"

If your security program alerts to Delfix, either accept the alert or turn your security off.

Double Click to start the program. If you are using Vista or higher, please right-click and choose run as administrator.

Make Sure the following items are checked:

 
  • Remove disinfection tools <----- this will remove tools we have used.
  • Purge System Restore <--- this will remove all previous and possibly exploited restore points, a new point relative to system status at present will be created.
  • Reset system settings <--- this will reset any system settings back to default that were changed either by us during cleansing or malware/infection


Now click on "Run" and wait patiently until the tool has completed.

The tool will create a log when it has completed. We don't need you to post this.

Any remnant files/logs from tools we have used can be deleted…

Next,

Read the following links to fully understand PC Security and Best Practices, you may find them useful....

Answers to Common Security Questions and best Practices

Do I need a Registry Cleaner?

Take care and surf safe

Kevin...

Glad we could help. :) If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!
