Zyvyn Posted September 6, 2017 ID:1160891 Share Posted September 6, 2017 So a week ago i scanned my computer and i had no malware i attempt to scan today and it only scans 205,466 items on my computer (no where near all of them) and then it starts detecting malware and the malware amounts skyrocket and dont stop going up until it reached the 205,466 then malware bytes will stop responding and crash Link to post Share on other sites More sharing options...
kevinf80 Posted September 6, 2017 ID:1160896 Share Posted September 6, 2017 Hello Zyvyn and welcome to Malwarebytes, My screen name is kevinf80, i`m here to help clean up your system. Make sure to run all scans from accounts with Administrator status, continue as follows please: Anyone other than the original starter of this thread please DO NOT follow the instructions and advice posted as replies here, my help and advice is NOT related to your system and will probably cause more harm than good... Next, RogueKiller is a powerful tool. So, it is preferable that a helper checks the scan results to avoid potential false positives removal.... Download RogueKiller and save it on your desktop, ensure to download correct version..RogueKiller (X86)RogueKiller (x64) Exit all running applications. Double-click on RogueKiller.exe to launch the tool. On its first execution, RogueKiller will disply the software license (EULA), click on "Accept" to continue. If RogueKiller is unable to load, do not hesitate to try launching it several times or rename it winlogon. Click "Start Scan" to begin the analysis. This may take some time. Once the scan is complete, click the "Open TXT" button to display the scan report. Copy/Paste it's content in your next reply. Note : A "Premium" version of the tool is available, but the free version provides everything you need to clean your machine. Next, Download Farbar Recovery Scan Tool and save it to your desktop. Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.htmlNote: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version. If your security alerts to FRST either, accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way... Be aware FRST must be run from an account with Administrator status... Double-click to run it. When the tool opens click Yes to disclaimer.(Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.) Make sure Addition.txt is checkmarked under "Optional scans" Press Scan button to run the tool.... It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply. The tool will also make a log named (Addition.txt) Please attach that log to your reply. Let me see those logs in your reply... Thank you, Kevin.... Link to post Share on other sites More sharing options...
Zyvyn Posted September 6, 2017 Author ID:1161026 Share Posted September 6, 2017 (edited) So before I start I would like to say my installation of windows is messed up Im on a machine updated from win8 to 8.1 and its a 32bit system file wise like having x86 but under system info its 64 bit It thinks its 64bit and also missing a few of my services.msc like Windows modules installer service so 90% of 64bit programs crash for me Farbar recovery tool seems to be one of the few that will function waiting for the results now Edited September 6, 2017 by Zyvyn Link to post Share on other sites More sharing options...
Zyvyn Posted September 6, 2017 Author ID:1161035 Share Posted September 6, 2017 10 hours ago, kevinf80 said: Hello Zyvyn and welcome to Malwarebytes, My screen name is kevinf80, i`m here to help clean up your system. Make sure to run all scans from accounts with Administrator status, continue as follows please: Anyone other than the original starter of this thread please DO NOT follow the instructions and advice posted as replies here, my help and advice is NOT related to your system and will probably cause more harm than good... Next, RogueKiller is a powerful tool. So, it is preferable that a helper checks the scan results to avoid potential false positives removal.... Download RogueKiller and save it on your desktop, ensure to download correct version..RogueKiller (X86)RogueKiller (x64) Exit all running applications. Double-click on RogueKiller.exe to launch the tool. On its first execution, RogueKiller will disply the software license (EULA), click on "Accept" to continue. If RogueKiller is unable to load, do not hesitate to try launching it several times or rename it winlogon. Click "Start Scan" to begin the analysis. This may take some time. Once the scan is complete, click the "Open TXT" button to display the scan report. Copy/Paste it's content in your next reply. Note : A "Premium" version of the tool is available, but the free version provides everything you need to clean your machine. Next, Download Farbar Recovery Scan Tool and save it to your desktop. Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.htmlNote: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version. If your security alerts to FRST either, accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way... Be aware FRST must be run from an account with Administrator status... Double-click to run it. When the tool opens click Yes to disclaimer.(Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.) Make sure Addition.txt is checkmarked under "Optional scans" Press Scan button to run the tool.... It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply. The tool will also make a log named (Addition.txt) Please attach that log to your reply. Let me see those logs in your reply... Thank you, Kevin.... rk_5F14.tmp.txt FRST.txt Addition.txt Link to post Share on other sites More sharing options...
kevinf80 Posted September 6, 2017 ID:1161060 Share Posted September 6, 2017 Thanks for those logs, continue as follows: Right click on RogueKiller.exe and select "Run as Administrator" to start the tool, accept UAC.. In the new window the "Home" tab should already be selected, Change by selecting "Scan" tab, then select "Start Scan" When the scan completes Checkmark (tick) the following against Registry entries, ensure that all other entries are not Checkmarked[PUP.Gen1] (X64) HKEY_LOCAL_MACHINE\Software\Reimage -> Found [PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\StrongSignal -> Found [PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\{12A61307-94CD-4F8E-94BC-918E511FAA81} -> Found [PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\{12DA0E6F-5543-440C-BAA2-28BF01070AFA} -> Found [PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0} -> Found [PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-2028136974-233207522-1596086880-1001\Software\WebApp -> Found [PUP.WebBar|PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-2028136974-233207522-1596086880-1001\Software\WebBar -> Found [PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-2028136974-233207522-1596086880-1001\Software\WebApp -> Found [PUP.WebBar|PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-2028136974-233207522-1596086880-1001\Software\WebBar -> Found [PUP.Gen1] (X64) HKEY_USERS\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA} -> Found [PUP.Gen1] (X86) HKEY_USERS\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA} -> Found [PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-2028136974-233207522-1596086880-1001\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA} -> Found [PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-2028136974-233207522-1596086880-1001\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA} -> Found [PUP.Gen1] (X64) HKEY_USERS\S-1-5-18\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA} -> Found [PUP.Gen1] (X86) HKEY_USERS\S-1-5-18\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA} -> Found [PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{0A7D6F3C-F2AB-48ED-BE23-99791BFF87D6} -> Found [PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{2FA77785-00C3-A920-6452-D4FE5C9C129F} -> Found [PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{35E0D123-1F22-9AE6-F973-B7ECA46E8BFE} -> Found [PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{594FD08C-0622-F9B8-CB02-7C1355D33CB8} -> Found [PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{AE9B04F2-E9E8-162C-829B-52C116B3EFCC} -> Found [PUM.Proxy] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NlaSvc\Parameters\Internet\ManualProxies | (default) : -> Found [PUM.HomePage] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.bing.com/search?FORM=INCOH1&PC=IC05&PTAG=ICO-e4bb6b87 -> Found [PUM.HomePage] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.bing.com/search?FORM=INCOH1&PC=IC05&PTAG=ICO-e4bb6b87 -> Found [PUM.HomePage] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : http://homepage.aol.com/?mtmhp=txtlnkusaolp00000800 -> Found [PUM.HomePage] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : http://homepage.aol.com/?mtmhp=txtlnkusaolp00000800 -> Found [PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-2028136974-233207522-1596086880-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.bing.com/search?FORM=INCOH1&PC=IC05&PTAG=ICO-e4bb6b87 -> Found [PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-2028136974-233207522-1596086880-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.bing.com/search?FORM=INCOH1&PC=IC05&PTAG=ICO-e4bb6b87 -> Found [PUM.HomePage] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page : http://homepage.aol.com/?mtmhp=txtlnkusaolp00000800 -> Found [PUM.HomePage] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page : http://homepage.aol.com/?mtmhp=txtlnkusaolp00000800 -> Found [PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-2028136974-233207522-1596086880-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://dell13.msn.com/?pc=DCJB -> Found [PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-2028136974-233207522-1596086880-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://dell13.msn.com/?pc=DCJB -> Found [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{95D62CD2-44D1-430F-AA12-B5386097C56C}C:\users\fishe_000\appdata\local\temp\temp2_minecraft_staging.zip\minecraft_test_launcher\runtime\jre-x64\1.8.0_51\bin\javaw.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\users\fishe_000\appdata\local\temp\temp2_minecraft_staging.zip\minecraft_test_launcher\runtime\jre-x64\1.8.0_51\bin\javaw.exe|Name=javaw|Desc=javaw|Defer=User| [x] -> Found [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{B879ADBA-F730-413F-9FBD-D36D914E0CFA}C:\users\fishe_000\appdata\local\temp\temp2_minecraft_staging.zip\minecraft_test_launcher\runtime\jre-x64\1.8.0_51\bin\javaw.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\users\fishe_000\appdata\local\temp\temp2_minecraft_staging.zip\minecraft_test_launcher\runtime\jre-x64\1.8.0_51\bin\javaw.exe|Name=javaw|Desc=javaw|Defer=User| [x] -> Found Checkmark (tick) the following against Tasks entries, ensure that all other entries are not Checkmarked[Suspicious.Path] %WINDIR%\Tasks\AlphaKeys.job -- c:\programdata\{3f68727e-584d-038d-3f68-8727e584c9f9}\1836564099126468364c.exe (--startup=1 --single) -> Found [Suspicious.Path] %WINDIR%\Tasks\ClearCutter.job -- c:\programdata\{793caee7-1c0b-c4da-793c-caee71c0bb9c}\3107820937540893722c.exe (--startup=1 --single) -> Found [Suspicious.Path] %WINDIR%\Tasks\HeroZero.job -- c:\programdata\{d482e378-024e-c908-d482-2e3780248de0}\8523010576033943528c.exe (--startup=1 --single) -> Found [Suspicious.Path] \AlphaKeys -- c:\programdata\{3f68727e-584d-038d-3f68-8727e584c9f9}\1836564099126468364c.exe (--startup=1 --single) -> Found [Suspicious.Path] \ClearCutter -- c:\programdata\{793caee7-1c0b-c4da-793c-caee71c0bb9c}\3107820937540893722c.exe (--startup=1 --single) -> Found [Suspicious.Path] \HeroZero -- c:\programdata\{d482e378-024e-c908-d482-2e3780248de0}\8523010576033943528c.exe (--startup=1 --single) -> Found Checkmark (tick) the following against File entries, ensure that all other entries are not Checkmarked[PUP.Gen1][Folder] C:\Users\Fishe_000\AppData\Roaming\Mipony -> Found [PUP.Filefinder][Folder] C:\Users\Fishe_000\AppData\Roaming\Pluto TV -> Found [Tr.Kovter][File] C:\Users\Fishe_000\AppData\Local\73f17\7e634.85cd30 -> Found [PUP.Gen1][Folder] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MiPony -> Found Checkmark (tick) the following against Web Browser entries, ensure that all other entries are not Checkmarked[PUP.Gen0][Chrome:Addon] Default : MSN Homepage & Bing Search Engine [fcfenmboojpjinhpgggodefccipikbpd] -> Found [PUP.Gen1|PUM.HomePage][Chrome:Config] Default [SecurePrefs] : session.startup_urls [http://search.gboxapp.com/] -> Found Hit the Delete button, when complete select "Open Report" in the next window select "Export txt" the log will open. Save to your Desktop for reference, also attach to next reply. Next, Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file" NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work. Open FRST and press the Fix button just once and wait. The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply. Next, Please open Malwarebytes Anti-Malware. On the Settings tab > Detection and Protection sub tab, Detection Options, tick the box "Scan for rootkits". Under Non-Malware Protection sub tab Change PUP and PUM entries to Treat detections as Malware Click on the Scan tab, then click on Scan Now >> . If an update is available, click the Update Now button. A Threat Scan will begin. When the Scan is complete Apply Actions to any found entries. Wait for the prompt to restart the computer to appear (if applicable), then click on Yes. After the restart once you are back at your desktop, open MBAM once more. To get the log from Malwarebytes do the following: Click on the History tab > Application Logs. Double click on the Scan log which shows the Date and time of the scan just performed. Click Export > From export you have three options:Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your replyText file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to replyXML file (*.xml) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply Please use "Copy to Clipboard, then Right click to your reply > select "Paste" that will copy the log to your reply… Let me see those logs, also tell me if there are any remaining issues or concerns.... Thank you, Kevin... Link to post Share on other sites More sharing options...
Zyvyn Posted September 7, 2017 Author ID:1161189 Share Posted September 7, 2017 7 hours ago, kevinf80 said: Thanks for those logs, continue as follows: Right click on RogueKiller.exe and select "Run as Administrator" to start the tool, accept UAC.. In the new window the "Home" tab should already be selected, Change by selecting "Scan" tab, then select "Start Scan" When the scan completes Checkmark (tick) the following against Registry entries, ensure that all other entries are not Checkmarked[PUP.Gen1] (X64) HKEY_LOCAL_MACHINE\Software\Reimage -> Found [PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\StrongSignal -> Found [PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\{12A61307-94CD-4F8E-94BC-918E511FAA81} -> Found [PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\{12DA0E6F-5543-440C-BAA2-28BF01070AFA} -> Found [PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0} -> Found [PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-2028136974-233207522-1596086880-1001\Software\WebApp -> Found [PUP.WebBar|PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-2028136974-233207522-1596086880-1001\Software\WebBar -> Found [PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-2028136974-233207522-1596086880-1001\Software\WebApp -> Found [PUP.WebBar|PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-2028136974-233207522-1596086880-1001\Software\WebBar -> Found [PUP.Gen1] (X64) HKEY_USERS\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA} -> Found [PUP.Gen1] (X86) HKEY_USERS\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA} -> Found [PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-2028136974-233207522-1596086880-1001\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA} -> Found [PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-2028136974-233207522-1596086880-1001\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA} -> Found [PUP.Gen1] (X64) HKEY_USERS\S-1-5-18\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA} -> Found [PUP.Gen1] (X86) HKEY_USERS\S-1-5-18\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA} -> Found [PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{0A7D6F3C-F2AB-48ED-BE23-99791BFF87D6} -> Found [PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{2FA77785-00C3-A920-6452-D4FE5C9C129F} -> Found [PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{35E0D123-1F22-9AE6-F973-B7ECA46E8BFE} -> Found [PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{594FD08C-0622-F9B8-CB02-7C1355D33CB8} -> Found [PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{AE9B04F2-E9E8-162C-829B-52C116B3EFCC} -> Found [PUM.Proxy] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NlaSvc\Parameters\Internet\ManualProxies | (default) : -> Found [PUM.HomePage] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.bing.com/search?FORM=INCOH1&PC=IC05&PTAG=ICO-e4bb6b87 -> Found [PUM.HomePage] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.bing.com/search?FORM=INCOH1&PC=IC05&PTAG=ICO-e4bb6b87 -> Found [PUM.HomePage] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : http://homepage.aol.com/?mtmhp=txtlnkusaolp00000800 -> Found [PUM.HomePage] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : http://homepage.aol.com/?mtmhp=txtlnkusaolp00000800 -> Found [PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-2028136974-233207522-1596086880-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.bing.com/search?FORM=INCOH1&PC=IC05&PTAG=ICO-e4bb6b87 -> Found [PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-2028136974-233207522-1596086880-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.bing.com/search?FORM=INCOH1&PC=IC05&PTAG=ICO-e4bb6b87 -> Found [PUM.HomePage] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page : http://homepage.aol.com/?mtmhp=txtlnkusaolp00000800 -> Found [PUM.HomePage] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page : http://homepage.aol.com/?mtmhp=txtlnkusaolp00000800 -> Found [PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-2028136974-233207522-1596086880-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://dell13.msn.com/?pc=DCJB -> Found [PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-2028136974-233207522-1596086880-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://dell13.msn.com/?pc=DCJB -> Found [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{95D62CD2-44D1-430F-AA12-B5386097C56C}C:\users\fishe_000\appdata\local\temp\temp2_minecraft_staging.zip\minecraft_test_launcher\runtime\jre-x64\1.8.0_51\bin\javaw.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\users\fishe_000\appdata\local\temp\temp2_minecraft_staging.zip\minecraft_test_launcher\runtime\jre-x64\1.8.0_51\bin\javaw.exe|Name=javaw|Desc=javaw|Defer=User| [x] -> Found [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{B879ADBA-F730-413F-9FBD-D36D914E0CFA}C:\users\fishe_000\appdata\local\temp\temp2_minecraft_staging.zip\minecraft_test_launcher\runtime\jre-x64\1.8.0_51\bin\javaw.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\users\fishe_000\appdata\local\temp\temp2_minecraft_staging.zip\minecraft_test_launcher\runtime\jre-x64\1.8.0_51\bin\javaw.exe|Name=javaw|Desc=javaw|Defer=User| [x] -> Found Checkmark (tick) the following against Tasks entries, ensure that all other entries are not Checkmarked[Suspicious.Path] %WINDIR%\Tasks\AlphaKeys.job -- c:\programdata\{3f68727e-584d-038d-3f68-8727e584c9f9}\1836564099126468364c.exe (--startup=1 --single) -> Found [Suspicious.Path] %WINDIR%\Tasks\ClearCutter.job -- c:\programdata\{793caee7-1c0b-c4da-793c-caee71c0bb9c}\3107820937540893722c.exe (--startup=1 --single) -> Found [Suspicious.Path] %WINDIR%\Tasks\HeroZero.job -- c:\programdata\{d482e378-024e-c908-d482-2e3780248de0}\8523010576033943528c.exe (--startup=1 --single) -> Found [Suspicious.Path] \AlphaKeys -- c:\programdata\{3f68727e-584d-038d-3f68-8727e584c9f9}\1836564099126468364c.exe (--startup=1 --single) -> Found [Suspicious.Path] \ClearCutter -- c:\programdata\{793caee7-1c0b-c4da-793c-caee71c0bb9c}\3107820937540893722c.exe (--startup=1 --single) -> Found [Suspicious.Path] \HeroZero -- c:\programdata\{d482e378-024e-c908-d482-2e3780248de0}\8523010576033943528c.exe (--startup=1 --single) -> Found Checkmark (tick) the following against File entries, ensure that all other entries are not Checkmarked[PUP.Gen1][Folder] C:\Users\Fishe_000\AppData\Roaming\Mipony -> Found [PUP.Filefinder][Folder] C:\Users\Fishe_000\AppData\Roaming\Pluto TV -> Found [Tr.Kovter][File] C:\Users\Fishe_000\AppData\Local\73f17\7e634.85cd30 -> Found [PUP.Gen1][Folder] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MiPony -> Found Checkmark (tick) the following against Web Browser entries, ensure that all other entries are not Checkmarked[PUP.Gen0][Chrome:Addon] Default : MSN Homepage & Bing Search Engine [fcfenmboojpjinhpgggodefccipikbpd] -> Found [PUP.Gen1|PUM.HomePage][Chrome:Config] Default [SecurePrefs] : session.startup_urls [http://search.gboxapp.com/] -> Found Hit the Delete button, when complete select "Open Report" in the next window select "Export txt" the log will open. Save to your Desktop for reference, also attach to next reply. Next, Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file" NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work. Open FRST and press the Fix button just once and wait. The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply. Next, Please open Malwarebytes Anti-Malware. On the Settings tab > Detection and Protection sub tab, Detection Options, tick the box "Scan for rootkits". Under Non-Malware Protection sub tab Change PUP and PUM entries to Treat detections as Malware Click on the Scan tab, then click on Scan Now >> . If an update is available, click the Update Now button. A Threat Scan will begin. When the Scan is complete Apply Actions to any found entries. Wait for the prompt to restart the computer to appear (if applicable), then click on Yes. After the restart once you are back at your desktop, open MBAM once more. To get the log from Malwarebytes do the following: Click on the History tab > Application Logs. Double click on the Scan log which shows the Date and time of the scan just performed. Click Export > From export you have three options:Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your replyText file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to replyXML file (*.xml) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply Please use "Copy to Clipboard, then Right click to your reply > select "Paste" that will copy the log to your reply… Let me see those logs, also tell me if there are any remaining issues or concerns.... Thank you, Kevin... you didnt attach the fixlist.txt file Link to post Share on other sites More sharing options...
kevinf80 Posted September 7, 2017 ID:1161211 Share Posted September 7, 2017 Apologies.... fixlist.txt Link to post Share on other sites More sharing options...
Zyvyn Posted September 7, 2017 Author ID:1161316 Share Posted September 7, 2017 I ran FRST and clicked fix and it generated the fixlog.txt but the second a window popped up saying it made a log my computer crashed under the error 0xc000021a heres the log Fixlog.txt Link to post Share on other sites More sharing options...
kevinf80 Posted September 7, 2017 ID:1161363 Share Posted September 7, 2017 The log does not show if the fix completed... Did you run RogueKiller before FRST...? if so was a log produced... Link to post Share on other sites More sharing options...
Zyvyn Posted September 7, 2017 Author ID:1161488 Share Posted September 7, 2017 forgot to export it so i will scan through roguekiller again and export the log this time Link to post Share on other sites More sharing options...
Zyvyn Posted September 8, 2017 Author ID:1161520 Share Posted September 8, 2017 logexport.txt heres the log Link to post Share on other sites More sharing options...
kevinf80 Posted September 8, 2017 ID:1161616 Share Posted September 8, 2017 Thanks for the RK log, all entries are found, none were deleted. Can you run RK again... Right click on RogueKiller.exe and select "Run as Administrator" to start the tool, accept UAC.. In the new window the "Home" tab should already be selected, Change by selecting "Scan" tab, then select "Start Scan" When the scan completes checkmark (tick) all found entries, Hit the Delete button, when complete select "Open Report" in the next window select "Export txt" the log will open. Save to your Desktop for reference, also attach to next reply. Next, Please open Malwarebytes Anti-Malware. On the Settings tab > Detection and Protection sub tab, Detection Options, tick the box "Scan for rootkits". Under Non-Malware Protection sub tab Change PUP and PUM entries to Treat detections as Malware Click on the Scan tab, then click on Scan Now >> . If an update is available, click the Update Now button. A Threat Scan will begin. When the Scan is complete Apply Actions to any found entries. Wait for the prompt to restart the computer to appear (if applicable), then click on Yes. After the restart once you are back at your desktop, open MBAM once more. To get the log from Malwarebytes do the following: Click on the History tab > Application Logs. Double click on the Scan log which shows the Date and time of the scan just performed. Click Export > From export you have three options:Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your replyText file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to replyXML file (*.xml) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply Please use "Copy to Clipboard, then Right click to your reply > select "Paste" that will copy the log to your reply… Next, Download Sophos Free Virus Removal Tool and save it to your desktop. If your security alerts to this scan either accept the alert or turn off your security to allow Sophos to run and complete..... Please Do Not use your PC whilst the scan is in progress.... This scan is very thorough so may take several hours... Double click the icon and select Run Click Next Select I accept the terms in this license agreement, then click Next twice Click Install Click Finish to launch the program Once the virus database has been updated click Start Scanning If any threats are found click Details, then View log file... (bottom left hand corner) Copy and paste the results in your reply Close the Notepad document, close the Threat Details screen, then click Start cleanup Click Exit to close the program If no threats were found please confirm that result.... The Virus Removal Tool scans the following areas of your computer: Memory, including system memory on 32-bit (x86) versions of Windows The Windows registry All local hard drives, fixed and removable Mapped network drives are not scanned. Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan. Post those logs, also let me know if there are any remaining issues or concerns.... Thank you, Kevin... Link to post Share on other sites More sharing options...
Zyvyn Posted September 9, 2017 Author ID:1162056 Share Posted September 9, 2017 issue is resolved thank you Link to post Share on other sites More sharing options...
kevinf80 Posted September 9, 2017 ID:1162075 Share Posted September 9, 2017 Thanks for the update, run the following to clean up.. Uninstall Sophos AV http://www.askvg.com/how-to-completely-uninstall-remove-a-software-program-in-windows-without-using-3rd-party-software/ Next, RogueKiller is portable version, delete that folder, also navigate to and delete C:\ProgramData\RogueKiller Download "Delfix by Xplode" and save it to your desktop. Or use the following if first link is down:"Delfix link mirror" If your security program alerts to Delfix either, accept the alert or turn your security off. Double Click to start the program. If you are using Vista or higher, please right-click and choose run as administrator Make Sure the following items are checked: Remove disinfection tools <----- this will remove tools we have used. Purge System Restore <--- this will remove all previous and possibly exploited restore points, a new point relative to system status at present will be created. Reset system settings <--- this will reset any system settings back to default that were changed either by us during cleansing or malware/infection Now click on "Run" and wait patiently until the tool has completed. The tool will create a log when it has completed. We don't need you to post this. Any remnant files/logs from tools we have used can be deleted… Next, Read the following links to fully understand PC Security and Best Practices, you may find them useful....Answers to Common Security Questions and best PracticesDo I need a Registry Cleaner? Take care and surf safe Kevin... Link to post Share on other sites More sharing options...
kevinf80 Posted September 11, 2017 ID:1162459 Share Posted September 11, 2017 Glad we could help. :)If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread. Thanks! Link to post Share on other sites More sharing options...
Recommended Posts