Jump to content

Interesting error


Zyvyn
 Share

Recommended Posts

So a week ago i scanned my computer and i had no malware i attempt to scan today and it only scans 205,466 items on my computer (no where near all of them) and then it starts detecting malware and the malware amounts skyrocket and dont stop going up until it reached the 205,466 then malware bytes will stop responding and crash

Link to post
Share on other sites

Hello Zyvyn and welcome to Malwarebytes,

My screen name is kevinf80, i`m here to help clean up your system. Make sure to run all scans from accounts with Administrator status, continue as follows please:

Anyone other than the original starter of this thread please DO NOT follow the instructions and advice posted as replies here, my help and advice is NOT related to your system and will probably cause more harm than good...

Next,

RogueKiller is a powerful tool. So, it is preferable that a helper checks the scan results to avoid potential false positives removal....

Download RogueKiller and save it on your desktop, ensure to download correct version..

RogueKiller (X86)

RogueKiller (x64)
 
  • Exit all running applications.
  • Double-click on RogueKiller.exe to launch the tool. On its first execution, RogueKiller will disply the software license (EULA), click on "Accept" to continue.
  • If RogueKiller is unable to load, do not hesitate to try launching it several times or rename it winlogon.
  • Click "Start Scan" to begin the analysis. This may take some time.
  • Once the scan is complete, click the "Open TXT" button to display the scan report.
  • Copy/Paste it's content in your next reply.


Note : A "Premium" version of the tool is available, but the free version provides everything you need to clean your machine.

Next,

Download Farbar Recovery Scan Tool and save it to your desktop.

Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security alerts to FRST either, accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...

Be aware FRST must be run from an account with Administrator status...
 
  • Double-click to run it. When the tool opens click Yes to disclaimer.(Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
  • Press Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also make a log named (Addition.txt) Please attach that log to your reply.


Let me see those logs in your reply...

Thank you,

Kevin....
Link to post
Share on other sites

So before I start I would like to say my installation of windows is messed up Im on a machine updated from win8 to 8.1 and its a 32bit system file wise like having x86 but under system info its 64 bit It thinks its 64bit and also missing a few of my services.msc like Windows modules installer service so 90% of 64bit programs crash for me Farbar recovery tool seems to be one of the few that will function waiting for the results now

 

 

Edited by Zyvyn
Link to post
Share on other sites

10 hours ago, kevinf80 said:
Hello Zyvyn and welcome to Malwarebytes,

My screen name is kevinf80, i`m here to help clean up your system. Make sure to run all scans from accounts with Administrator status, continue as follows please:

Anyone other than the original starter of this thread please DO NOT follow the instructions and advice posted as replies here, my help and advice is NOT related to your system and will probably cause more harm than good...

Next,

RogueKiller is a powerful tool. So, it is preferable that a helper checks the scan results to avoid potential false positives removal....

Download RogueKiller and save it on your desktop, ensure to download correct version..

RogueKiller (X86)

RogueKiller (x64)
 
  • Exit all running applications.
  • Double-click on RogueKiller.exe to launch the tool. On its first execution, RogueKiller will disply the software license (EULA), click on "Accept" to continue.
  • If RogueKiller is unable to load, do not hesitate to try launching it several times or rename it winlogon.
  • Click "Start Scan" to begin the analysis. This may take some time.
  • Once the scan is complete, click the "Open TXT" button to display the scan report.
  • Copy/Paste it's content in your next reply.


Note : A "Premium" version of the tool is available, but the free version provides everything you need to clean your machine.

Next,

Download Farbar Recovery Scan Tool and save it to your desktop.

Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security alerts to FRST either, accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...

Be aware FRST must be run from an account with Administrator status...
 
  • Double-click to run it. When the tool opens click Yes to disclaimer.(Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
  • Press Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also make a log named (Addition.txt) Please attach that log to your reply.


Let me see those logs in your reply...

Thank you,

Kevin....

 

rk_5F14.tmp.txt

FRST.txt

Addition.txt

Link to post
Share on other sites

Thanks for those logs, continue as follows:

Right click on RogueKiller.exe and select "Run as Administrator" to start the tool, accept UAC..

In the new window the "Home" tab should already be selected, Change by selecting "Scan" tab, then select "Start Scan"

user posted image

When the scan completes Checkmark (tick) the following against Registry entries, ensure that all other entries are not Checkmarked

[PUP.Gen1] (X64) HKEY_LOCAL_MACHINE\Software\Reimage -> Found
[PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\StrongSignal -> Found
[PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\{12A61307-94CD-4F8E-94BC-918E511FAA81} -> Found
[PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\{12DA0E6F-5543-440C-BAA2-28BF01070AFA} -> Found
[PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0} -> Found
[PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-2028136974-233207522-1596086880-1001\Software\WebApp -> Found
[PUP.WebBar|PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-2028136974-233207522-1596086880-1001\Software\WebBar -> Found
[PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-2028136974-233207522-1596086880-1001\Software\WebApp -> Found
[PUP.WebBar|PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-2028136974-233207522-1596086880-1001\Software\WebBar -> Found
[PUP.Gen1] (X64) HKEY_USERS\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA} -> Found
[PUP.Gen1] (X86) HKEY_USERS\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA} -> Found
[PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-2028136974-233207522-1596086880-1001\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA} -> Found
[PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-2028136974-233207522-1596086880-1001\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA} -> Found
[PUP.Gen1] (X64) HKEY_USERS\S-1-5-18\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA} -> Found
[PUP.Gen1] (X86) HKEY_USERS\S-1-5-18\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA} -> Found
[PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{0A7D6F3C-F2AB-48ED-BE23-99791BFF87D6} -> Found
[PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{2FA77785-00C3-A920-6452-D4FE5C9C129F} -> Found
[PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{35E0D123-1F22-9AE6-F973-B7ECA46E8BFE} -> Found
[PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{594FD08C-0622-F9B8-CB02-7C1355D33CB8} -> Found
[PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{AE9B04F2-E9E8-162C-829B-52C116B3EFCC} -> Found
[PUM.Proxy] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NlaSvc\Parameters\Internet\ManualProxies | (default) : -> Found
[PUM.HomePage] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.bing.com/search?FORM=INCOH1&PC=IC05&PTAG=ICO-e4bb6b87 -> Found
[PUM.HomePage] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.bing.com/search?FORM=INCOH1&PC=IC05&PTAG=ICO-e4bb6b87 -> Found
[PUM.HomePage] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : http://homepage.aol.com/?mtmhp=txtlnkusaolp00000800 -> Found
[PUM.HomePage] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : http://homepage.aol.com/?mtmhp=txtlnkusaolp00000800 -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-2028136974-233207522-1596086880-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.bing.com/search?FORM=INCOH1&PC=IC05&PTAG=ICO-e4bb6b87 -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-2028136974-233207522-1596086880-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.bing.com/search?FORM=INCOH1&PC=IC05&PTAG=ICO-e4bb6b87 -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page : http://homepage.aol.com/?mtmhp=txtlnkusaolp00000800 -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page : http://homepage.aol.com/?mtmhp=txtlnkusaolp00000800 -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-2028136974-233207522-1596086880-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://dell13.msn.com/?pc=DCJB -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-2028136974-233207522-1596086880-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://dell13.msn.com/?pc=DCJB -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{95D62CD2-44D1-430F-AA12-B5386097C56C}C:\users\fishe_000\appdata\local\temp\temp2_minecraft_staging.zip\minecraft_test_launcher\runtime\jre-x64\1.8.0_51\bin\javaw.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\users\fishe_000\appdata\local\temp\temp2_minecraft_staging.zip\minecraft_test_launcher\runtime\jre-x64\1.8.0_51\bin\javaw.exe|Name=javaw|Desc=javaw|Defer=User| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{B879ADBA-F730-413F-9FBD-D36D914E0CFA}C:\users\fishe_000\appdata\local\temp\temp2_minecraft_staging.zip\minecraft_test_launcher\runtime\jre-x64\1.8.0_51\bin\javaw.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\users\fishe_000\appdata\local\temp\temp2_minecraft_staging.zip\minecraft_test_launcher\runtime\jre-x64\1.8.0_51\bin\javaw.exe|Name=javaw|Desc=javaw|Defer=User| [x] -> Found


Checkmark (tick) the following against Tasks entries, ensure that all other entries are not Checkmarked

[Suspicious.Path] %WINDIR%\Tasks\AlphaKeys.job -- c:\programdata\{3f68727e-584d-038d-3f68-8727e584c9f9}\1836564099126468364c.exe (--startup=1 --single) -> Found
[Suspicious.Path] %WINDIR%\Tasks\ClearCutter.job -- c:\programdata\{793caee7-1c0b-c4da-793c-caee71c0bb9c}\3107820937540893722c.exe (--startup=1 --single) -> Found
[Suspicious.Path] %WINDIR%\Tasks\HeroZero.job -- c:\programdata\{d482e378-024e-c908-d482-2e3780248de0}\8523010576033943528c.exe (--startup=1 --single) -> Found
[Suspicious.Path] \AlphaKeys -- c:\programdata\{3f68727e-584d-038d-3f68-8727e584c9f9}\1836564099126468364c.exe (--startup=1 --single) -> Found
[Suspicious.Path] \ClearCutter -- c:\programdata\{793caee7-1c0b-c4da-793c-caee71c0bb9c}\3107820937540893722c.exe (--startup=1 --single) -> Found
[Suspicious.Path] \HeroZero -- c:\programdata\{d482e378-024e-c908-d482-2e3780248de0}\8523010576033943528c.exe (--startup=1 --single) -> Found


Checkmark (tick) the following against File entries, ensure that all other entries are not Checkmarked

[PUP.Gen1][Folder] C:\Users\Fishe_000\AppData\Roaming\Mipony -> Found
[PUP.Filefinder][Folder] C:\Users\Fishe_000\AppData\Roaming\Pluto TV -> Found
[Tr.Kovter][File] C:\Users\Fishe_000\AppData\Local\73f17\7e634.85cd30 -> Found
[PUP.Gen1][Folder] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MiPony -> Found


Checkmark (tick) the following against Web Browser entries, ensure that all other entries are not Checkmarked

[PUP.Gen0][Chrome:Addon] Default : MSN Homepage & Bing Search Engine [fcfenmboojpjinhpgggodefccipikbpd] -> Found
[PUP.Gen1|PUM.HomePage][Chrome:Config] Default [SecurePrefs] : session.startup_urls [http://search.gboxapp.com/] -> Found



Hit the Delete button, when complete select "Open Report" in the next window select "Export txt" the log will open. Save to your Desktop for reference, also attach to next reply.
 
Next,

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply.


Next,

Please open Malwarebytes Anti-Malware.
 
  • On the Settings tab > Detection and Protection sub tab, Detection Options, tick the box "Scan for rootkits".
  • Under Non-Malware Protection sub tab Change PUP and PUM entries to Treat detections as Malware
  • Click on the Scan tab, then click on Scan Now >> . If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the Scan is complete Apply Actions to any found entries.
  • Wait for the prompt to restart the computer to appear (if applicable), then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.


To get the log from Malwarebytes do the following:
 
  • Click on the History tab > Application Logs.
  • Double click on the Scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have three options:
    Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your reply
    Text file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
    XML file (*.xml) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
     
  • Please use "Copy to Clipboard, then Right click to your reply > select "Paste" that will copy the log to your reply…

Let me see those logs, also tell me if there are any remaining issues or concerns....

Thank you,

Kevin...

 

Link to post
Share on other sites

7 hours ago, kevinf80 said:

Thanks for those logs, continue as follows:

Right click on RogueKiller.exe and select "Run as Administrator" to start the tool, accept UAC..

In the new window the "Home" tab should already be selected, Change by selecting "Scan" tab, then select "Start Scan"

user posted image

When the scan completes Checkmark (tick) the following against Registry entries, ensure that all other entries are not Checkmarked

[PUP.Gen1] (X64) HKEY_LOCAL_MACHINE\Software\Reimage -> Found
[PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\StrongSignal -> Found
[PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\{12A61307-94CD-4F8E-94BC-918E511FAA81} -> Found
[PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\{12DA0E6F-5543-440C-BAA2-28BF01070AFA} -> Found
[PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0} -> Found
[PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-2028136974-233207522-1596086880-1001\Software\WebApp -> Found
[PUP.WebBar|PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-2028136974-233207522-1596086880-1001\Software\WebBar -> Found
[PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-2028136974-233207522-1596086880-1001\Software\WebApp -> Found
[PUP.WebBar|PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-2028136974-233207522-1596086880-1001\Software\WebBar -> Found
[PUP.Gen1] (X64) HKEY_USERS\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA} -> Found
[PUP.Gen1] (X86) HKEY_USERS\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA} -> Found
[PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-2028136974-233207522-1596086880-1001\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA} -> Found
[PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-2028136974-233207522-1596086880-1001\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA} -> Found
[PUP.Gen1] (X64) HKEY_USERS\S-1-5-18\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA} -> Found
[PUP.Gen1] (X86) HKEY_USERS\S-1-5-18\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA} -> Found
[PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{0A7D6F3C-F2AB-48ED-BE23-99791BFF87D6} -> Found
[PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{2FA77785-00C3-A920-6452-D4FE5C9C129F} -> Found
[PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{35E0D123-1F22-9AE6-F973-B7ECA46E8BFE} -> Found
[PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{594FD08C-0622-F9B8-CB02-7C1355D33CB8} -> Found
[PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{AE9B04F2-E9E8-162C-829B-52C116B3EFCC} -> Found
[PUM.Proxy] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NlaSvc\Parameters\Internet\ManualProxies | (default) : -> Found
[PUM.HomePage] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.bing.com/search?FORM=INCOH1&PC=IC05&PTAG=ICO-e4bb6b87 -> Found
[PUM.HomePage] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.bing.com/search?FORM=INCOH1&PC=IC05&PTAG=ICO-e4bb6b87 -> Found
[PUM.HomePage] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : http://homepage.aol.com/?mtmhp=txtlnkusaolp00000800 -> Found
[PUM.HomePage] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main | Start Page : http://homepage.aol.com/?mtmhp=txtlnkusaolp00000800 -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-2028136974-233207522-1596086880-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.bing.com/search?FORM=INCOH1&PC=IC05&PTAG=ICO-e4bb6b87 -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-2028136974-233207522-1596086880-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.bing.com/search?FORM=INCOH1&PC=IC05&PTAG=ICO-e4bb6b87 -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page : http://homepage.aol.com/?mtmhp=txtlnkusaolp00000800 -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main | Start Page : http://homepage.aol.com/?mtmhp=txtlnkusaolp00000800 -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-2028136974-233207522-1596086880-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://dell13.msn.com/?pc=DCJB -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-2028136974-233207522-1596086880-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://dell13.msn.com/?pc=DCJB -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{95D62CD2-44D1-430F-AA12-B5386097C56C}C:\users\fishe_000\appdata\local\temp\temp2_minecraft_staging.zip\minecraft_test_launcher\runtime\jre-x64\1.8.0_51\bin\javaw.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\users\fishe_000\appdata\local\temp\temp2_minecraft_staging.zip\minecraft_test_launcher\runtime\jre-x64\1.8.0_51\bin\javaw.exe|Name=javaw|Desc=javaw|Defer=User| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{B879ADBA-F730-413F-9FBD-D36D914E0CFA}C:\users\fishe_000\appdata\local\temp\temp2_minecraft_staging.zip\minecraft_test_launcher\runtime\jre-x64\1.8.0_51\bin\javaw.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\users\fishe_000\appdata\local\temp\temp2_minecraft_staging.zip\minecraft_test_launcher\runtime\jre-x64\1.8.0_51\bin\javaw.exe|Name=javaw|Desc=javaw|Defer=User| [x] -> Found


Checkmark (tick) the following against Tasks entries, ensure that all other entries are not Checkmarked

[Suspicious.Path] %WINDIR%\Tasks\AlphaKeys.job -- c:\programdata\{3f68727e-584d-038d-3f68-8727e584c9f9}\1836564099126468364c.exe (--startup=1 --single) -> Found
[Suspicious.Path] %WINDIR%\Tasks\ClearCutter.job -- c:\programdata\{793caee7-1c0b-c4da-793c-caee71c0bb9c}\3107820937540893722c.exe (--startup=1 --single) -> Found
[Suspicious.Path] %WINDIR%\Tasks\HeroZero.job -- c:\programdata\{d482e378-024e-c908-d482-2e3780248de0}\8523010576033943528c.exe (--startup=1 --single) -> Found
[Suspicious.Path] \AlphaKeys -- c:\programdata\{3f68727e-584d-038d-3f68-8727e584c9f9}\1836564099126468364c.exe (--startup=1 --single) -> Found
[Suspicious.Path] \ClearCutter -- c:\programdata\{793caee7-1c0b-c4da-793c-caee71c0bb9c}\3107820937540893722c.exe (--startup=1 --single) -> Found
[Suspicious.Path] \HeroZero -- c:\programdata\{d482e378-024e-c908-d482-2e3780248de0}\8523010576033943528c.exe (--startup=1 --single) -> Found


Checkmark (tick) the following against File entries, ensure that all other entries are not Checkmarked

[PUP.Gen1][Folder] C:\Users\Fishe_000\AppData\Roaming\Mipony -> Found
[PUP.Filefinder][Folder] C:\Users\Fishe_000\AppData\Roaming\Pluto TV -> Found
[Tr.Kovter][File] C:\Users\Fishe_000\AppData\Local\73f17\7e634.85cd30 -> Found
[PUP.Gen1][Folder] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MiPony -> Found


Checkmark (tick) the following against Web Browser entries, ensure that all other entries are not Checkmarked

[PUP.Gen0][Chrome:Addon] Default : MSN Homepage & Bing Search Engine [fcfenmboojpjinhpgggodefccipikbpd] -> Found
[PUP.Gen1|PUM.HomePage][Chrome:Config] Default [SecurePrefs] : session.startup_urls [http://search.gboxapp.com/] -> Found



Hit the Delete button, when complete select "Open Report" in the next window select "Export txt" the log will open. Save to your Desktop for reference, also attach to next reply.
 
Next,

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply.


Next,

Please open Malwarebytes Anti-Malware.
 
  • On the Settings tab > Detection and Protection sub tab, Detection Options, tick the box "Scan for rootkits".
  • Under Non-Malware Protection sub tab Change PUP and PUM entries to Treat detections as Malware
  • Click on the Scan tab, then click on Scan Now >> . If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the Scan is complete Apply Actions to any found entries.
  • Wait for the prompt to restart the computer to appear (if applicable), then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.


To get the log from Malwarebytes do the following:
 
  • Click on the History tab > Application Logs.
  • Double click on the Scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have three options:
    Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your reply
    Text file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
    XML file (*.xml) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
     
  • Please use "Copy to Clipboard, then Right click to your reply > select "Paste" that will copy the log to your reply…

Let me see those logs, also tell me if there are any remaining issues or concerns....

Thank you,

Kevin...

 

you didnt attach the fixlist.txt file

Link to post
Share on other sites

Thanks for the RK log, all entries are found, none were deleted. Can you run RK again...

Right click on RogueKiller.exe and select "Run as Administrator" to start the tool, accept UAC..

In the new window the "Home" tab should already be selected, Change by selecting "Scan" tab, then select "Start Scan"

user posted image

When the scan completes checkmark (tick) all found entries, Hit the Delete button, when complete select "Open Report" in the next window select "Export txt" the log will open. Save to your Desktop for reference, also attach to next reply.
 
Next,
 
Please open Malwarebytes Anti-Malware.
 
  • On the Settings tab > Detection and Protection sub tab, Detection Options, tick the box "Scan for rootkits".
  • Under Non-Malware Protection sub tab Change PUP and PUM entries to Treat detections as Malware
  • Click on the Scan tab, then click on Scan Now >> . If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the Scan is complete Apply Actions to any found entries.
  • Wait for the prompt to restart the computer to appear (if applicable), then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.


To get the log from Malwarebytes do the following:
 
  • Click on the History tab > Application Logs.
  • Double click on the Scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have three options:
    Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your reply
    Text file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
    XML file (*.xml) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
     
  • Please use "Copy to Clipboard, then Right click to your reply > select "Paste" that will copy the log to your reply…


Next,

Download Sophos Free Virus Removal Tool and save it to your desktop.

If your security alerts to this scan either accept the alert or turn off your security to allow Sophos to run and complete.....

Please Do Not use your PC whilst the scan is in progress.... This scan is very thorough so may take several hours...
 
  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View log file... (bottom left hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
  • If no threats were found please confirm that result....



The Virus Removal Tool scans the following areas of your computer:
  • Memory, including system memory on 32-bit (x86) versions of Windows
  • The Windows registry
  • All local hard drives, fixed and removable
  • Mapped network drives are not scanned.


Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan.

Post those logs, also let me know if there are any remaining issues or concerns....

Thank you,

Kevin...
Link to post
Share on other sites

Thanks for the update, run the following to clean up..

Uninstall Sophos AV http://www.askvg.com/how-to-completely-uninstall-remove-a-software-program-in-windows-without-using-3rd-party-software/

Next,

RogueKiller is portable version, delete that folder, also navigate to and delete C:\ProgramData\RogueKiller

Download "Delfix by Xplode" and save it to your desktop.

Or use the following if first link is down:

"Delfix link mirror"

If your security program alerts to Delfix either, accept the alert or turn your security off.

Double Click to start the program. If you are using Vista or higher, please right-click and choose run as administrator

Make Sure the following items are checked:
 

  • Remove disinfection tools <----- this will remove tools we have used.
  • Purge System Restore <--- this will remove all previous and possibly exploited restore points, a new point relative to system status at present will be created.
  • Reset system settings <--- this will reset any system settings back to default that were changed either by us during cleansing or malware/infection


Now click on "Run" and wait patiently until the tool has completed.

The tool will create a log when it has completed. We don't need you to post this.

Any remnant files/logs from tools we have used can be deleted…

Next,

Read the following links to fully understand PC Security and Best Practices, you may find them useful....

Answers to Common Security Questions and best Practices

Do I need a Registry Cleaner?

Take care and surf safe

Kevin... user posted image

 

Link to post
Share on other sites

Glad we could help. :)If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.