
Software policy restrictions present, suspect infection



Hello fullera and welcome!

My screen name is Android8888 but if you wish you can call me Rui which is my real name. I will be helping you with your malware issues. Please ask questions if anything is unclear.

I suggest printing out each set of instructions or copy them to a Notepad file and reading the entire post before proceeding. It will make following them easier.

Read all of my instructions very carefully and bear in mind that any mistakes during the cleaning process may have serious consequences such as leaving the computer unbootable.

Please DO NOT run any tools on your own or make any other changes to your computer and follow the directions in the order listed during the malware removal process, otherwise you can worsen the situation rather than solve it.

Make sure to run all tools from the computer's Desktop and with Administrator privileges (i.e. right-click the tool icon and select Run as administrator).

Please run one scan at a time.

Once started the malware removal process has to be completed. Even if your computer appears to be running better after performing a first set of instructions, it may still be infected as some infections are difficult to remove and can leave remnants on the System. Please consider it clean and safe only when I declare it free of malware.


In some cases malware uses Group Policy restrictions to enforce restrictions on security programs and prevent them from functioning normally. In other cases those restrictions are set by the system administrators to prevent the users or the malware from doing harm.


Next,

Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.

  • Download the attached fixlist.txt file, and save it on your Desktop (or wherever your FRST64.exe executable is located); DO NOT open or modify that file!
  • Right-click on the FRST executable and select Run as Administrator;
  • Click on the Fix button;
  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad;
  • Please attach the Fixlog.txt in your next reply;


Next,

  • Download AdwCleaner and move it to your Desktop
  • Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the EULA (I accept), then click on Scan
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Clean button. This will kill all active processes
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
  • After the restart, a log will open when logging in. Please attach that log in your next reply


Next,

  • Download Junkware Removal Tool (JRT) and move it to your Desktop
  • Right-click on JRT.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Press on any key to launch the scan and let it complete
  • Once the scan is complete, a log will open. Please attach that log in your next reply


Next,

I need you to run a scan with Malwarebytes and attach its log in your next reply, but before you do that I suggest you update the program from version 2 to version 3.
Malwarebytes version 3 engine supports newer, more efficient and more advanced detection techniques and rule syntax not available in the MBAM 2.x engine.
You can follow the instructions below to do it. When installing version 3, the old version will be automatically removed, so please proceed as follows:

Please download Malwarebytes version 3 from here and save it to your computer's Desktop.

  • Right-click on the Malwarebytes icon and select Run as administrator to run the tool.
  • Click Yes to accept any security warnings that may appear.
  • Once the Malwarebytes dashboard opens, on the right detail pane click on the word "Current" under the Scan Status to update the tool's database.
  • On the left menu pane click on the Settings tab, and then select the Protection tab on the top.
  • Under the Scan Options, turn on the buttons Scan for rootkits and Scan within archives.
  • Click the Scan tab on the right detail pane, select Threat Scan and click the Start Scan button
  • Note: The scan may take some time to finish, so please be patient.
  • If potential threats are detected, ensure to check-mark all the listed items, and click the Quarantine Selected button.
  • While still on the Scan tab, click the View Report button, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log can also be viewed by clicking the log to select it, then clicking the View Report button.


Please attach the log for my review.

Note: If asked to restart the computer, please do so immediately.

 

In your next reply please attach the following logs:
Fixlog.txt
AdwCleaner clean log
Junkware Removal Tool log (JRT.txt)
Malwarebytes clean log

How is the computer running now? Any issues or concerns?

Rui

fixlist.txt
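Before a fix like the one above is run, it helps to know which policy-based restrictions are actually in place. The following PowerShell script is an added example, not part of this thread and not code from FRST or any other tool named here; it reads the standard Windows policy locations without changing anything, and the particular value names it reviews are this example's assumption rather than a complete list.

```powershell
# Added example, not from the thread or from any of the tools it names.
# Read-only audit of the policy registry values malware commonly sets to
# restrict security programs (the "software policy restrictions" in the title).
# The key paths are real Windows locations; which value names are worth
# reviewing is this example's assumption, not an exhaustive list.

$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding([string]$Location, $Value) {
    $findings.Add([pscustomobject]@{ Location = $Location; Value = $Value })
}

# 1. Explorer/System policies that disable Task Manager, regedit, Run, etc.
$policyNames = @{
    'Policies\System'   = 'DisableTaskMgr', 'DisableRegistryTools'
    'Policies\Explorer' = 'DisallowRun', 'NoRun', 'NoControlPanel', 'NoFolderOptions'
}
foreach ($hive in 'HKCU', 'HKLM') {
    foreach ($sub in $policyNames.Keys) {
        $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\$sub"
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in $policyNames[$sub]) {
            $v = $props.$name
            if ($null -ne $v -and $v -ne 0) { Add-Finding "$key\$name" $v }
        }
    }
    # DisallowRun subkey: each value names an executable the shell refuses to start
    $dr = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun"
    if (Test-Path $dr) {
        (Get-ItemProperty -Path $dr).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { Add-Finding "$dr\$($_.Name)" $_.Value }
    }
}

# 2. Software Restriction Policies: DefaultLevel 0 means "Disallowed" for
#    everything not explicitly allowed; level-0 path rules block specific paths.
$srp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
if (Test-Path $srp) {
    $level = (Get-ItemProperty -Path $srp).DefaultLevel
    if ($level -eq 0) { Add-Finding "$srp\DefaultLevel" 'Disallowed (0)' }
    Get-ChildItem -Path "$srp\0\Paths" -ErrorAction SilentlyContinue | ForEach-Object {
        Add-Finding $_.PSPath (Get-ItemProperty -Path $_.PSPath).ItemData
    }
}

if ($findings.Count -eq 0) { 'No policy-based restrictions found.' }
else { $findings | Format-Table -AutoSize }
```

Run it from an elevated PowerShell prompt; on a domain-joined machine a finding may be legitimate administrator policy, which is exactly the distinction the post makes, so compare the output with what the administrators intended before removing anything.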


Rui,

Thank you for the quick response to my request for help.

Attached are the following logs.

Fixlog.txt

AdwCleaner was clean, no log

Jrt.txt

Mbam.txt from version 3

Computer was not running slow, but I knew it was infected. Had removed rootkit with combofix last week and I knew there was more.

Do you need another Frst scan?

I also have two other problem computers that I suspect are infected also. I have Frst scans of each of them.

Would you help me with these also or do I need to start another request?

fullera

Fixlog.txt

JRT.txt

Mbam.txt


Hello fullera and thank you for the logs.

Sorry about the delay in responding.

 

23 hours ago, fullera said:

Do you need another Frst scan?

Not for now.

 

23 hours ago, fullera said:

I also have two other problem computers that I suspect are infected also. I have Frst scans of each of them.

Would you help me with these also or do I need to start another request?

Usually we treat one computer at a time. That means one topic for each computer, to avoid possible misunderstandings with the instructions. I suggest you open new threads for the other computers.

Please note that if the other computers you suspect are infected are connected to the same internal network as this one, then you should keep them disconnected until we complete the clean-up process for this computer.


Okay, please scan your computer with ESET Online Scanner to search for leftovers.

  • Click on this link to open ESET Online Scanner in a new window.
    1. Click on the Scan Now button to download the esetonlinescanner_enu.exe file. Save it to your Desktop.
    2. Close all your programs and browsers and disconnect any USB flash drives from the computer.
    3. Please disable your antivirus program to avoid potential conflicts, improve the performance and speed up the scan.
    4. Double click on esetonlinescanner_enu.exe to start ESET Online Scanner. It will open a window with the Terms of Use.

  • Check mark Download latest version of ESET Online Scanner and click the Accept button.
  • Click Yes to accept any security warnings that may appear.
  • Under Computer scan settings, check mark Enable detection of potentially unwanted applications.
  • Then click Advanced settings and check mark the following options:
    • Enable detection of potentially unsafe applications
    • Clean threats automatically
  • Click the Scan button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time to finish.
  • When the scan completes, click List Threats.
  • Click Export, and save the file to your Desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.


Note: If nothing is found, it will not produce a log.

 

Next,

Please download RogueKiller 32/64 Bits Installer (RogueKiller_setup_ref3.exe) by Tigzy and save it to your computer's Desktop.

  • Right click on the file RogueKiller_setup_ref3.exe and select Run as administrator to install the tool.
  • Click Yes to accept any security warnings that may appear.
  • Choose the installation language and click OK.
  • Checkmark "Install 32 and 64 bits versions" and click Next. Follow the steps to install the tool.
  • Now close all programs and browsers.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • Right-click on the RogueKiller icon and select Run as administrator.
  • Click Yes to accept any security warnings that may appear.
  • Click the Scan tab and then click the Start Scan button.
  • Wait until the scan has finished. This may take some time. Note: Do NOT remove any entries, as they may not all be bad.
  • Once finished click on Open Report. It will open a new window.
  • Click Export TXT to export the report as a text file, give a name to the file such as RKlog.txt and save it to your Desktop.
  • Close RogueKiller.


Please copy and paste the contents of RKlog.txt to your next reply.

Please re-enable your antivirus program.

 

How is the system behavior now?

Rui


Hi fullera.

17 hours ago, fullera said:

Computer is running very fast.

Great! :)

 

17 hours ago, fullera said:

Note! Eset removed one of my paid software programs. RecoverKey - I can recover it from backup.

Programs like this one which serve to find and display a license key for particular software or the Operating System fulfill the criteria for Potentially Unsafe Applications. That is why it has been detected and deleted. I'm glad that you have a backup of it.

 

Okay, please perform another scan with Malwarebytes and quarantine all the items it finds.
Please post its log in your next reply.

Are there any issues or concerns with the computer?

Thank you.

Rui


Hello fullera.

It's good to hear that all is well! :)

Before you go I suggest you check for outdated programs that you might have installed in your system. Outdated programs contain security vulnerabilities that are exploited by malware in order to infect the computer without the user's knowledge. Usually this is one of the things that most contributes to the infection of your computer.

Run a program like Personal Software Inspector (PSI) or FileHippo Update Checker to see what programs need to be updated.

 

After that you can delete the tools we used in the removal process using DelFix.

Follow the instructions below to download and execute DelFix.

  • Download DelFix and move the executable to your Desktop;
  • Right-click on DelFix.exe and select Run as Administrator;
  • Check the following options :
    • Activate UAC (This option will activate the User Account Control feature).
    • Remove disinfection tools (this option will remove the tools used in the cleaning process).
    • Create registry backup (this option will create a backup from the Windows Registry).
    • Purge system restore (this option will remove all previous and possibly infected restore points, and will create a new and clean restore point of your system).
    • Reset system settings (this option will reset any system settings back to default that were changed either by us during cleansing or by malware infection).
  • Once the options mentioned above are checked, click on Run;
  • After DelFix is done running, a log will open. I do not need to see the log, you can delete it.


If all is well with the computer:

To help keep malware off your system below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please consider using these ideas to help secure your computer.

Keep your Windows Operating System up-to-date.

Keep your AntiVirus program up-to-date.

Please note: Many installers offer third-party downloads that are installed automatically when you do not uncheck certain checkboxes. While most of the time not malicious, you usually do not want these on your computer. Be careful during the installation process and you will avoid seeing tons of new unwanted toolbars in your favorite web browser.

Keep Malwarebytes Anti-Malware (MBAM) updated and perform regular scans of your system, as it will make it harder for malware to reside on your computer.
A tutorial on using MBAM can be found here and a complete guide here

Please Note: Only the paid-for version has real-time capabilities. Please go here and scroll down to find a comparison list of the two versions.

A free non-resident utility to prevent the installation of ActiveX-based malware is JavaCool's SpywareBlaster, available here

Please keep these programs up-to-date and run them whenever you suspect a problem to prevent malware problems. A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall and scanning anti-spyware program at a time. Passive protectors, like SpywareBlaster can be run with any of them.

Note that there are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure.

A similar category of programs is now called "scareware." Scareware programs are active infections that will pop up on your computer and tell you that you are infected. If you look closely, it will usually have a name that looks like it might be legitimate, but it is NOT one of the programs you installed. It tells you to click and install it right away. If you click on any part of it, including the 'X' to close it, you may actually help it infect your computer further. Keeping protection updated and running resident protection can help prevent these infections. If it happens anyway, get offline as quickly as you can. Pull the internet connection cable or shut down the computer if you have to. Contact someone to help by using another computer if possible. These programs are also sometimes called 'rogues', but they are different from the older version of rogues mentioned above.

Another of the most feared threats at the moment is an infection by ransomware. A ransomware infection is a program that ransoms the data or functionality of your computer until you perform an action. This action is typically to pay a ransom in the form of Bitcoins or another payment method. I advise you to read more info on this terrible threat here and here.

Please keep your programs up to date. This applies to most of the programs and all your Internet Browsers in particular. Vulnerabilities in the programs are often exploited in order to install malware on your PC.

Be careful with flash drives, as they can spread infections. See this post on USB/flash drive safety.

Stay away from P2P software; even with a clean P2P program, their networks are often riddled with malware.

Don't click on attachments or links in e-mail, and read your e-mail in text-only mode for the highest safety.

Don't click on links received in instant message programs.

A HOSTS file will prevent Internet Explorer from communicating with sites known to be associated with adware or spyware. A good, regularly updated HOSTS file is the MVPS HOSTS File, available here.

For much more useful and complete information, please read the following links to fully understand PC Security and Best Practices:
So how did I get infected in the first place
Answers to common security questions - Best Practices

Hopefully these steps will help to keep you error and malware free. If you run into more difficulty, we will certainly do what we can to help.

Happy surfing and stay safe.

Android8888


1 month later...
Root Admin

Glad we could help. :) If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!

This topic is now closed to further replies.