HanyanC Posted December 22, 2017 ID:1193686 Share Posted December 22, 2017 Hello, I have found on the task manager five windows process managers (32 bit) Every time I launch a game on steam, one or two of them would suddenly jump from 60% to 80% CPU usage. I have searched for a solution, scanned with malware-bytes free and adware cleaner, but nothing worked. Then I got mbar, but it just does not start. When I launch it, it would ask for administrator permission, and then nothing would happen. Malwarebytes log Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 12/22/17 Scan Time: 9:43 AM Log File: 6cf58efe-e726-11e7-901b-4ccc6a8170c6.json Administrator: Yes -Software Information- Version: 3.3.1.2183 Components Version: 1.0.262 Update Package Version: 1.0.3543 License: Free -System Information- OS: Windows 10 (Build 15063.786) CPU: x64 File System: NTFS User: MSI\Legitozone (H) -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 351463 Threats Detected: 5 Threats Quarantined: 3 Time Elapsed: 3 min, 52 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 0 (No malicious items detected) Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 0 (No malicious items detected) File: 5 PUP.Optional.RelevantKnowledge, C:\USERS\LEGITOZONE (H)\APPDATA\LOCAL\TEMP\~OSCD9C.TMP\RLXF.DLL, Removal Failed, [1136], [296186],1.0.3543 PUP.Optional.RelevantKnowledge, C:\USERS\LEGITOZONE (H)\APPDATA\LOCAL\TEMP\~OSCD9C.TMP\RLXG.DLL, Removal Failed, [1136], [296186],1.0.3543 PUP.Optional.Conduit, C:\USERS\LEGITOZONE (H)\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Profile 2\Sync Data\SyncData.sqlite3, Replaced, [532], [454835],1.0.3543 PUP.Optional.Conduit, C:\USERS\LEGITOZONE (H)\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Profile 2\Web Data, Replaced, [532], [454835],1.0.3543 PUP.Optional.Trovi, C:\USERS\LEGITOZONE (H)\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Profile 2\Web Data, Replaced, [4703], [454808],1.0.3543 Physical Sector: 0 (No malicious items detected) (end) Adwarecleaner log # AdwCleaner 7.0.4.0 - Logfile created on Fri Dec 22 14:57:08 2017 # Updated on 2017/27/10 by Malwarebytes # Database: 12-21-2017.1 # Running on Windows 10 Home (X64) # Mode: scan # Support: https://www.malwarebytes.com/support ***** [ Services ] ***** No malicious services found. ***** [ Folders ] ***** PUP.Optional.Legacy, C:\ProgramData\Tencent PUP.Optional.Legacy, C:\ProgramData\Application Data\Tencent PUP.Optional.Legacy, C:\Users\All Users\Tencent ***** [ Files ] ***** No malicious files found. ***** [ DLL ] ***** No malicious DLLs found. ***** [ WMI ] ***** No malicious WMI found. ***** [ Shortcuts ] ***** No malicious shortcuts found. ***** [ Tasks ] ***** No malicious tasks found. ***** [ Registry ] ***** No malicious registry entries found. ***** [ Firefox (and derivatives) ] ***** No malicious Firefox entries. ***** [ Chromium (and derivatives) ] ***** No malicious Chromium entries. ************************* C:/AdwCleaner/AdwCleaner[C0].txt - [2112 B] - [2017/11/2 23:13:50] C:/AdwCleaner/AdwCleaner[C1].txt - [1556 B] - [2017/11/26 5:31:49] C:/AdwCleaner/AdwCleaner[C2].txt - [1564 B] - [2017/11/27 15:30:46] C:/AdwCleaner/AdwCleaner[S0].txt - [2059 B] - [2017/11/2 23:13:30] C:/AdwCleaner/AdwCleaner[S1].txt - [1590 B] - [2017/11/26 5:25:15] C:/AdwCleaner/AdwCleaner[S2].txt - [1449 B] - [2017/11/26 5:28:29] C:/AdwCleaner/AdwCleaner[S3].txt - [1414 B] - [2017/11/27 15:29:53] C:/AdwCleaner/AdwCleaner[S4].txt - [1423 B] - [2017/12/1 21:59:41] C:/AdwCleaner/AdwCleaner[S5].txt - [1491 B] - [2017/12/2 15:42:21] C:/AdwCleaner/AdwCleaner[S6].txt - [1559 B] - [2017/12/6 19:20:20] C:/AdwCleaner/AdwCleaner[S7].txt - [1627 B] - [2017/12/10 2:8:35] C:/AdwCleaner/AdwCleaner[S8].txt - [1823 B] - [2017/12/22 14:35:53] ########## EOF - C:\AdwCleaner\AdwCleaner[S9].txt ########## Link to post Share on other sites More sharing options...
Aura Posted December 22, 2017 ID:1193716 Share Posted December 22, 2017 Hi HanyanC My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name, it's up to you! Now that we've broke the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state. As you'll notice, the logs we are asking for here are quite lenghty, so it's normal for me to not reply exactly after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens As long as I'm assisting you on Malwarebytes Forums, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you The same principle applies to any modifications you make to your system, I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here, better be safe than sorry! If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off; Since malware can work quickly, we want to get rid of them as fast as we can, before they make unknown changes to the system. This being said, I would appreciate if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not, I'll give you the benefit of the doubt. Plus, this would be against Malwarebytes Forums's rules In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like format and reinstall Windows, you are free to do so. I would appreciate you to let me know about it first, and if you need, I can also assist you in the process I would appreciate if you were to stay with me until the end, which means, until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely goneThis being said, I have a full time job so sometimes it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread This being said, it's time to clean-up some malware, so let's get started, shall we? Follow the instructions in the thread below, and provide me both FRST logs (FRST.txt and Addition.txt). You can attach them in your next post, or copy/paste their content. https://forums.malwarebytes.com/topic/9573-im-infected-what-do-i-do-now/ Link to post Share on other sites More sharing options...
HanyanC Posted December 22, 2017 Author ID:1193720 Share Posted December 22, 2017 Hello, I just did the two scans. Malwarebytes scan Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 12/22/17 Scan Time: 11:34 AM Log File: eba13ee2-e735-11e7-92ab-4ccc6a8170c6.json Administrator: Yes -Software Information- Version: 3.3.1.2183 Components Version: 1.0.262 Update Package Version: 1.0.3544 License: Free -System Information- OS: Windows 10 (Build 15063.786) CPU: x64 File System: NTFS User: MSI\Legitozone (H) -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 351663 Threats Detected: 2 Threats Quarantined: 2 Time Elapsed: 3 min, 53 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 0 (No malicious items detected) Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 0 (No malicious items detected) File: 2 PUP.Optional.RelevantKnowledge, C:\USERS\LEGITOZONE (H)\APPDATA\LOCAL\TEMP\~OSCD9C.TMP\RLXF.DLL, Delete-on-Reboot, [1136], [296186],1.0.3544 PUP.Optional.RelevantKnowledge, C:\USERS\LEGITOZONE (H)\APPDATA\LOCAL\TEMP\~OSCD9C.TMP\RLXG.DLL, Delete-on-Reboot, [1136], [296186],1.0.3544 Physical Sector: 0 (No malicious items detected) (end) Addition.txt FRST.txt Link to post Share on other sites More sharing options...
HanyanC Posted December 22, 2017 Author ID:1193763 Share Posted December 22, 2017 (edited) Hello, I have found in the FRST in the whitelisted processes (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe() C:\Users\Legitozone (H)\AppData\Local\wdcubsm\recgsnx.exe() C:\Users\Legitozone (H)\AppData\Local\wdcubsm\recgsnx.exe (Microsoft Corporation) C:\Windows\System32\smartscreen.exe (Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe (Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe() C:\Users\Legitozone (H)\AppData\Local\wdcubsm\recgsnx.exe () C:\Users\Legitozone (H)\AppData\Local\wdcubsm\recgsnx.exe () C:\Users\Legitozone (H)\AppData\Local\wdcubsm\recgsnx.exe Which seemes to correspond to the processes that takes up the CPU? Edited December 22, 2017 by HanyanC Link to post Share on other sites More sharing options...
Aura Posted December 22, 2017 ID:1193814 Share Posted December 22, 2017 You're right, these files are part of the infection. Now, open FRST and copy/paste the following inside the text area. Once done, click on the FIx button. Afterwards, a file called fixlog.txt should be on your desktop. Attach it in your next reply. Start:: CMD: bcdedit.exe /set {bootmgr} displaybootmenu yes CMD: bcdedit.exe /set {default} recoveryenabled yes CMD: fltmc instances CMD: dir /a:-d /o:d C:\windows\system32\drivers End:: Link to post Share on other sites More sharing options...
HanyanC Posted December 22, 2017 Author ID:1193840 Share Posted December 22, 2017 I input the command into FRST. Fixlog.txt Link to post Share on other sites More sharing options...
Aura Posted December 23, 2017 ID:1193960 Share Posted December 23, 2017 Good! For the next step, you'll need to download FRST64.exe and the fixlist.txt from a clean computer and move them on your USB. Then, you need to insert the USB in the infected computer once it is either shutdown or in the Windows RE. If you don't, the infection will mess with the files on the USB Flash Drive and you'll have to restart. Farbar Recovery Scan Tool (FRST) - Recovery Environment Scan Follow the instructions below to download and execute a scan on your system with FRST from the Recovery Environment, and provide the logs in your next reply. Item(s) required: USB Flash Drive (size depend on if you have to create a USB Recovery or Installation media) CD/DVD (optional: only needed if you need to create a Recovery or Installation media and your USB Flash Drive is too small) Another computer (optional: only needed if you cannot work from the infected computer directly) Preparing the USB Flash Drive Download the right version of FRST for your system: FRST 64-bit Move the executable (FRST.exe or FRST64.exe) on your USB Flash Drive Download the attached fixlist.txt, and move it on your USB Flash Drive as well Boot in the Recovery Environment Plug your USB Flash Drive in the infected computer To enter the Recovery Environment with Windows Vista and Windows 7, follow the instructions below:Restart the computer Once you've seen your BIOS splashscreen (the computer manufacturer logo), tap the F8 key repeatedly until the Advanced Boot Options menu appears Use the arrow keys to select Repair your computer, and press on Enter Select your keyboard layout (US, French, etc.) and click on Next Click on Command Prompt to open the command promptNote:If you can't access the Recovery Environment using the F8 method above, you'll need to create a Windows installation or repair media. It can be made on the computer itself or another one running the same version of Windows as the one you plan to use it on. For more information, check out this tutorial on SevenForums. To enter the Recovery Environment with Windows 8 or Windows 8.1, follow the instructions in this tutorial on EightForumsNote:If you can't access the Recovery Environment using the method above, you'll need to create a Windows installation or repair media. It can be made on the computer itself or another one running the same version of Windows as the one you plan to use it on. For more information, check out this tutorial. To enter the Recovery Environment with Windows 10, follow the instructions in this tutorial on TenForumsNote:If you can't access the Recovery Environment using the method above, you'll need to create a Windows installation or repair media. It can be made on the computer itself or another one running the same version of Windows as the one you plan to use it on. For more information, check out this tutorial on TenForums. Once in the command prompt In the command prompt, type notepad and press on Enter Notepad will open. Click on the File menu and select Open Click on Computer/This PC, find the letter for your USB Flash Drive, then close the window and Notepad In the command prompt, type e:\frst.exe (for the x64 version, type e:\frst64.exe and press on Enter Note: Replace the letter e with the drive letter of your USB Flash Drive FRST will open Click on Yes to accept the disclaimer Click on the Fix button and wait for the scan to complete A log called fixlog.txt will be saved on your USB Flash Drive. Attach it in your next reply fixlist.txt Link to post Share on other sites More sharing options...
HanyanC Posted December 23, 2017 Author ID:1193966 Share Posted December 23, 2017 I did it, but 1. The disclaimer for frst did not come up 2. the fixlist disappeared on my external hard drive after the fix? Fixlog.txt Link to post Share on other sites More sharing options...
Aura Posted December 23, 2017 ID:1193967 Share Posted December 23, 2017 That's normal Now, can you run a new scan with Malwarebytes and provide me the log afterwards? Link to post Share on other sites More sharing options...
HanyanC Posted December 23, 2017 Author ID:1193970 Share Posted December 23, 2017 Malwarebytes www.malwarebytes.com -Log Details- Scan Date: 12/23/17 Scan Time: 10:15 AM Log File: 2d8760e8-e7f4-11e7-998b-4ccc6a8170c6.json Administrator: Yes -Software Information- Version: 3.3.1.2183 Components Version: 1.0.262 Update Package Version: 1.0.3550 License: Free -System Information- OS: Windows 10 (Build 15063.786) CPU: x64 File System: NTFS User: MSI\Legitozone (H) -Scan Summary- Scan Type: Threat Scan Result: Completed Objects Scanned: 365494 Threats Detected: 3 Threats Quarantined: 3 Time Elapsed: 3 min, 55 sec -Scan Options- Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Enabled Heuristics: Enabled PUP: Detect PUM: Detect -Scan Details- Process: 0 (No malicious items detected) Module: 0 (No malicious items detected) Registry Key: 0 (No malicious items detected) Registry Value: 0 (No malicious items detected) Registry Data: 0 (No malicious items detected) Data Stream: 0 (No malicious items detected) Folder: 0 (No malicious items detected) File: 3 Rootkit.Agent.PUA, C:\WINDOWS\System32\drivers\dsiehkor.sys, Delete-on-Reboot, [5712], [429857],0.0.0 PUP.Optional.RelevantKnowledge, C:\USERS\LEGITOZONE (H)\APPDATA\LOCAL\TEMP\~OSCD9C.TMP\RLXG.DLL, Delete-on-Reboot, [1136], [296186],1.0.3550 PUP.Optional.RelevantKnowledge, C:\USERS\LEGITOZONE (H)\APPDATA\LOCAL\TEMP\~OSCD9C.TMP\RLXF.DLL, Delete-on-Reboot, [1136], [296186],1.0.3550 Physical Sector: 0 (No malicious items detected) (end) Link to post Share on other sites More sharing options...
Aura Posted December 23, 2017 ID:1193971 Share Posted December 23, 2017 Good. Now let's do a sweep with AdwCleaner and RogueKiller. AdwCleaner - Fix Mode Download AdwCleaner and move it to your Desktop Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users) Accept the EULA (I accept), then click on Scan Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Clean button. This will kill all active processes Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply RogueKiller Download the right version of RogueKiller for your Windows version (32 or 64-bit) Once done, move the executable file to your Desktop, right-click on it and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users) Click on the Start Scan button in the right panel, which will bring you to another tab, and click on it again (this time it'll be in the bottom right corner) Wait for the scan to complete On completion, the results will be displayed Check every single entry (threat found), and click on the Remove Selected button On completion, the results will be displayed. Click on the Open Report button in the bottom left corner, followed by the Open TXT button (also in the bottom left corner) This will open the report in Notepad. Copy/paste its content in your next reply Your next reply(ies) should therefore contain: Copy/pasted AdwCleaner clean log Copy/pasted RogueKiller clean log Link to post Share on other sites More sharing options...
HanyanC Posted December 23, 2017 Author ID:1193986 Share Posted December 23, 2017 AdwCleaner # AdwCleaner 7.0.5.0 - Logfile created on Sat Dec 23 15:32:21 2017 # Updated on 2017/29/11 by Malwarebytes # Running on Windows 10 Home (X64) # Mode: clean # Support: https://www.malwarebytes.com/support ***** [ Services ] ***** No malicious services deleted. ***** [ Folders ] ***** No malicious folders deleted. ***** [ Files ] ***** No malicious files deleted. ***** [ DLL ] ***** No malicious DLLs cleaned. ***** [ WMI ] ***** No malicious WMI cleaned. ***** [ Shortcuts ] ***** No malicious shortcuts cleaned. ***** [ Tasks ] ***** No malicious tasks deleted. ***** [ Registry ] ***** No malicious registry entries deleted. ***** [ Firefox (and derivatives) ] ***** No malicious Firefox entries deleted. ***** [ Chromium (and derivatives) ] ***** No malicious Chromium entries deleted. ************************* ::Tracing keys deleted ::Winsock settings cleared ::Additional Actions: 0 ************************* C:/AdwCleaner/AdwCleaner[C0].txt - [2112 B] - [2017/11/2 23:13:50] C:/AdwCleaner/AdwCleaner[C1].txt - [1556 B] - [2017/11/26 5:31:49] C:/AdwCleaner/AdwCleaner[C2].txt - [1564 B] - [2017/11/27 15:30:46] C:/AdwCleaner/AdwCleaner[C3].txt - [2041 B] - [2017/12/22 14:59:55] C:/AdwCleaner/AdwCleaner[C4].txt - [2089 B] - [2017/12/23 15:26:9] C:/AdwCleaner/AdwCleaner[S0].txt - [2059 B] - [2017/11/2 23:13:30] C:/AdwCleaner/AdwCleaner[S10].txt - [1901 B] - [2017/12/23 15:25:59] C:/AdwCleaner/AdwCleaner[S11].txt - [2039 B] - [2017/12/23 15:31:13] C:/AdwCleaner/AdwCleaner[S1].txt - [1590 B] - [2017/11/26 5:25:15] C:/AdwCleaner/AdwCleaner[S2].txt - [1449 B] - [2017/11/26 5:28:29] C:/AdwCleaner/AdwCleaner[S3].txt - [1414 B] - [2017/11/27 15:29:53] C:/AdwCleaner/AdwCleaner[S4].txt - [1423 B] - [2017/12/1 21:59:41] C:/AdwCleaner/AdwCleaner[S5].txt - [1491 B] - [2017/12/2 15:42:21] C:/AdwCleaner/AdwCleaner[S6].txt - [1559 B] - [2017/12/6 19:20:20] C:/AdwCleaner/AdwCleaner[S7].txt - [1627 B] - [2017/12/10 2:8:35] C:/AdwCleaner/AdwCleaner[S8].txt - [1823 B] - [2017/12/22 14:35:53] C:/AdwCleaner/AdwCleaner[S9].txt - [1892 B] - [2017/12/22 14:57:8] ########## EOF - C:\AdwCleaner\AdwCleaner[C5].txt ########## Rogue RogueKiller V12.11.29.0 (x64) [Dec 18 2017] (Free) by Adlice Software mail : http://www.adlice.com/contact/ Feedback : https://forum.adlice.com Website : http://www.adlice.com/download/roguekiller/ Blog : http://www.adlice.com Operating System : Windows 10 (10.0.15063) 64 bits version Started in : Normal mode User : Legitozone (H) [Administrator] Started from : D:\Big Downloads\RogueKiller_portable64.exe Mode : Delete -- Date : 12/23/2017 10:35:37 (Duration : 00:37:11) ¤¤¤ Processes : 0 ¤¤¤ ¤¤¤ Registry : 6 ¤¤¤ [PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-1104895402-3119110596-1116759699-1003\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://oem15.msn.com/?pc=NMTE -> Replaced (http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome) [PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-1104895402-3119110596-1116759699-1003\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://oem15.msn.com/?pc=NMTE -> Replaced (http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome) [PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-1104895402-3119110596-1116759699-1003\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve -> Replaced (http://search.msn.com/spbasic.htm) [PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-1104895402-3119110596-1116759699-1003\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve -> Replaced (http://search.msn.com/spbasic.htm) [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{F37579E2-FCA1-4687-825D-DD5AEF2B0734}C:\users\legitozone (h)\appdata\local\temp\commongamedownloader\120_1488278264_95984\teniodl.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\users\legitozone (h)\appdata\local\temp\commongamedownloader\120_1488278264_95984\teniodl.exe|Name=teniodl.exe|Desc=teniodl.exe|Defer=User| [x] -> Deleted [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{D72E43C3-591B-463E-84D4-A47D496FC28F}C:\users\legitozone (h)\appdata\local\temp\commongamedownloader\120_1488278264_95984\teniodl.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\users\legitozone (h)\appdata\local\temp\commongamedownloader\120_1488278264_95984\teniodl.exe|Name=teniodl.exe|Desc=teniodl.exe|Defer=User| [x] -> Deleted ¤¤¤ Tasks : 0 ¤¤¤ ¤¤¤ Files : 4 ¤¤¤ [PUP.Gen1][Folder] C:\ProgramData\simplitec -> Deleted [PUP.uTorrentAds][File] C:\Users\Legitozone (H)\AppData\Roaming\uTorrent\updates\3.5.0_44090\utorrentie.exe -> Deleted [PUP.uTorrentAds][File] C:\Users\Legitozone (H)\AppData\Roaming\uTorrent\updates\3.5.0_44294\utorrentie.exe -> Deleted [PUP.Gen1][Folder] C:\ProgramData\simplitec -> ERROR [3] ¤¤¤ WMI : 0 ¤¤¤ ¤¤¤ Hosts File : 0 ¤¤¤ ¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤ ¤¤¤ Web browsers : 1 ¤¤¤ [PUM.SearchPage][Chrome:Config] Profile 2 [SecurePrefs] : default_search_provider_data.template_url_data.keyword [google] -> Deleted ¤¤¤ MBR Check : ¤¤¤ +++++ PhysicalDrive0: HFS128G39MNC-3510A +++++ --- User --- [MBR] cbdd134313ba05a2896a3c9757a0f917 [BSP] 0e9949b298a8b718c354ab969614755c : Empty MBR Code Partition table: 0 - [MAN-MOUNT] EFI system partition | Offset (sectors): 2048 | Size: 300 MB 1 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 616448 | Size: 128 MB 2 - Basic data partition | Offset (sectors): 878592 | Size: 119771 MB 3 - [SYSTEM][MAN-MOUNT] | Offset (sectors): 246171648 | Size: 1002 MB User = LL1 ... OK User = LL2 ... OK +++++ PhysicalDrive1: ST1000LM035-1RK172 +++++ --- User --- [MBR] d92b0f5c8fe0e85a09d7ca91bd2ca128 [BSP] 3ba00bc47043a84d849a5d4e452f90bc : Empty MBR Code Partition table: 0 - Basic data partition | Offset (sectors): 2048 | Size: 936052 MB 1 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 1917036544 | Size: 17816 MB User = LL1 ... OK User = LL2 ... OK +++++ PhysicalDrive2: WD 3200BEV External USB Device +++++ --- User --- [MBR] e53e30269e2f6c5c20d27edd7ab00336 [BSP] 49facedad3640935e7bf61a4a2bdd488 : Windows XP MBR Code Partition table: 0 - [XXXXXX] FAT32-LBA (0xc) [VISIBLE] Offset (sectors): 63 | Size: 305242 MB User = LL1 ... OK Error reading LL2 MBR! ([32] The request is not supported. ) Link to post Share on other sites More sharing options...
Aura Posted December 23, 2017 ID:1193988 Share Posted December 23, 2017 Good. Now please run a new scan with FRST and provide me a fresh set of logs. Link to post Share on other sites More sharing options...
HanyanC Posted December 23, 2017 Author ID:1193990 Share Posted December 23, 2017 FRST.txt Addition.txt Link to post Share on other sites More sharing options...
Aura Posted December 24, 2017 ID:1194232 Share Posted December 24, 2017 Almost done! Farbar Recovery Scan Tool (FRST) - Fix mode Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply. Download the attached fixlist.txt file, and save it on your Desktop (or wherever your FRST.exe/FRST64.exe executable is located) Right-click on the FRST executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users) Click on the Fix button On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad Copy and paste its content in your next reply How's your system behaving now? Are there any other issues to address? fixlist.txt Link to post Share on other sites More sharing options...
HanyanC Posted December 24, 2017 Author ID:1194318 Share Posted December 24, 2017 Hello, I think my system is behaving fine. The windows processor manager (32bit) is not in task manager anymore. Just one question, if the same problem appears again, should I seek help on the forum, or use this as a trouble shooter? Fixlog.txt Link to post Share on other sites More sharing options...
Aura Posted December 25, 2017 ID:1194404 Share Posted December 25, 2017 You should start a new thread, as the main fix (fixlist.txt) will be different, since the files, folders, drivers, services, etc. generated by SmartService (the infection) are all randomly generated. And good to know that everything's working now Since there are no signs of infection anymore in your logs, and you just told me that there are no more issues left to address, I guess we're done here. We'll wrap it up by running DelFix to delete the tools and logs that were used in this clean-up. DelFix Follow the instructions below to download and execute DelFix. Download DelFix and move the executable to your Desktop Right-click on DelFix.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users) Check the following options :Activate UAC Remove disinfection tools Create registry backup Purge system restore Reset system settings Once all the options mentionned above are checked, click on Run After DelFix is done running, a log will open. Please copy/paste the content of the output log in your next reply Tips, tricks, advice and recommendations Now it's time to give you some tips, tricks, advice and recommendations on how to protect your system and prevent you from being infected in the future. This is where I'll explain basic security measures that you should take to protect and harden your system, and also make sure it stays as safe and secure as possible against hackers and malware. You are free to ignore the recommendations listed below, although I obviously do not recommend it. If you have any questions about one of the points covered in the speech below, feel free to ask me your questions here directly so I can answer them and guide you. Windows Updates Keeping Windows up to date is one of the first steps in having a safe and secure system. The Security Updates that Windows receives are meant to fix exploits and flaws in it that makes it more secure and not exploitable by hackers. In order to do that, you should always install the Security Updates, known as "Important Updates" on your Windows system. These updates are released on the second Tuesday of every month, but some are also released before if they are emergency/critical Security Updates. Let's make sure that you have all your Important Updates and Recommended Updates installed and that your Windows Updates are set to be installed automatically. How To Change Windows Update Settings How To Check For & Install Windows Updates Keeping your programs up-to-date Like keeping Windows updated, keeping your installed programs up-to-date is another important step in having a safe and secure system. Outdated programs can be exploited by hackers and malware to infect a system and take it over. This is especially true today with the rise of Exploit Kits (and also 0-days) which is one of the biggest attack vectors to distribute malware. Therefore, you should always keep vulnerable programs like Adobe Flash Player, Adobe Shockwave Player, Java, Silverlight, Google Chrome, Mozilla Firefox, VLC Media Player, etc. updated to their most recent version (even better, you don't have to install them if you don't use them). Programs like UCheck, SecuniaPSI and Heimdal Free will scan your system for outdated programs, and help you identify them, as well as update them. UCheck Documentation How to detect vulnerable and out-dated programs using Secunia Personal Software Inspector (PSI) Anti-Virus Note: The programs listed below are all free to use or they have some sort of trial. Some of them have a paid version that provides more features, while a lot of other good programs only have a paid version but aren't listed there (such as Kaspersky and ESET Antivirus products). Sophos Home Bitdefender Free Antivirus Emsisoft Anti-Malware - Free 30 day trial. Once it expires, EAM enters into a freeware mode where it is still considered an Antivirus program, but without real-time protection Avira Free Antivirus avast! Free Antivirus Anti-Malware, Anti-Exploit and Anti-Ransomware Having a decent security setup (which also includes an Antivirus) is the most crucial step to protect a system. These programs are additional layers of defence that will prevent a system from being infected, or if it somehow ends up infected, help mitigate the infection and remediate it. Fortunately, the new Malwarebytes 3 bundle all these layers in one, easy to use and efficient product. Malwarebytes 3 offers Malware, Web, Exploit and Ransomware protection modules that works together in order to keep your system protected and stop an infection at multiple level. Malwarebytes - Comes with a free trial of the Premium version for 14 days, after which it reverts back to the Free version Note: Please note that only the Premium version of Malwarebytes 3 offers real-time protection (Malware, Web, Exploit and Ransomware). The free version only allows you to scan your system for threats and remove them. Firewall Starting in Windows Vista, the Windows Firewall greatly improved and will satisfy the needs of most users. If you do not have an Internet Suite Antivirus program (which includes a firewall) and you want to use a 3rd party firewall, you can consider the options below. GlassWire - Has both a free and paid version (with different packages) Windows Firewall Control - Gives you more control over your Windows Firewall TinyWall - Lightweight firewall implementing the Windows Firewall and giving you more control over it Web Browsers and Web Browsing Web Browsers could be considered as the closest door between a malware and your system. This is where most malware goes through to infect a system, and therefore it should be the program(s) you want to secure the most. There are two ways of going about it: hardening your web browser via extensions, and having good browsing habits. Hardening your web browser means to install extensions that will help it protect itself (and your system on the same occasion) against Exploit Kits, MiTM attacks, etc. but also you at the same time. Here are a few extensions that I recommend you to install. uBlock Origin: Efficient multi-purpose blocker that is lightweight on RAM and CPU usage (Google Chrome, Mozilla Firefox, Microsoft Edge, Opera and most Chromium and Firefox-based browsers) HTTPS Everywhere: Extension that converts your HTTP (unencrypted) requests to HTTPS (encrypted) ones (Google Chrome, Mozilla Firefox and Opera) Web of Trust: Website reputation, rating and review extension that will help you quickly identify bad and suspicious sites from good ones (every web browsers) NoScript: NoScript is a script blocker (Java, Flash, JavaScript, etc.) for Mozilla Firefox and Firefox-based browsers (Mozilla Firefox and Firefox-based web browsers) uMatrix: For advanced users, a point and click matrix-like extensions that allow you to control requests done on a webpage (based on source, destination and type) (Google Chrome, Mozilla Firefox and Opera) LastPass: Secure password manager allowing you to create, manage, and use passwords you save in your LastPass account (every web browser) As for safe browsing habits, you can find tons of guides, tutorials, articles, etc. online that will highlight the basics you need to follow (only visit websites you trust, do not click on ads, do not download files from untrusted sources, use a password manager, always verify the URL of a website and make sure it's correctly typed, etc.), and even what you can do if you want to take it a step further (create a fake email address for spam emails, browse the web in a privacy mode, etc.). Here are a few: The Ultimate Guide to Secure your Online Browsing: Chrome, Firefox and Internet Explorer on Heimdal Security Seven Useful Habits For A Safer Internet on Kapsersky Blog Tips for Secure Web Browsing: Cybersecurity 101 on VeraCode Safe browsing habits on Internet Safety Project Wiki As you can see, there are plenty of resources out there. Simply Googling "good browsing habits" or "safe browsing habits" should allow you to find a lot of them. Other recommendations Even if you follow every recommendation that I listed here, in the end, it's also your job to be careful when browsing the web and downloading files if you don't want to get infected. Therefore, if you use your brain (common sense) when browsing the web, downloading programs and files, etc., you have far less chances to get infected by a malware. If for example you're not sure if a website is legitimate or not, or if a file is safe to download and execute, or if a program looks "too good" to be free, I suggest you to avoid going to that website, downloading that file or using that program. Here are a few guides, tutorials, articles, etc. that you could read in order to learn more about computer protection and security to improve your current computer protection setup but also improve your good web browsing and computer usage practices : Answers to common security questions - Best Practices by quietman7 How Malware Spreads - How did I get infected by quietman7 Simple and easy ways to keep your computer safe and secure on the Internet by Lawrence Abrams (aka Grinler) How to Prevent Malware by miekiemoes Tips & Advice on StaySafeOnline.org The End! And that's it! Now that you know more about how to protect your computer and secure it, you're good to go back to your online activities, but in a safe and secure way! You are also free to stay on the forums and ask for help in different topics if you ever need to. Just make sure that you post your question/issue in the right section to get the best assistance possible. And if you ever get infected again (which I hope you wont!), you can always comeback in this section to get another checkup with one of our trained malware removal member. Do you have any questions before I close this thread? Link to post Share on other sites More sharing options...
HanyanC Posted December 25, 2017 Author ID:1194417 Share Posted December 25, 2017 No, I have nothing else. Thank you for everything! # DelFix v1.013 - Logfile created 25/12/2017 at 11:19:50 # Updated 17/04/2016 by Xplode # Username : Legitozone (H) - MSI # Operating System : Windows 10 Home (64 bits) ~ Activating UAC ... OK ~ Removing disinfection tools ... Deleted : C:\FRST Deleted : C:\AdwCleaner Deleted : C:\Users\Legitozone (H)\Desktop\AdwCleaner.exe Deleted : C:\Users\Legitozone (H)\Desktop\adwcleaner_7.0.4.0.exe Deleted : C:\Users\Legitozone (H)\Desktop\Fixlog.txt Deleted : C:\Users\Legitozone (H)\Desktop\FRST64 (1).exe Deleted : C:\Users\Legitozone (H)\Desktop\Rkill.txt ~ Creating registry backup ... OK ~ Cleaning system restore ... New restore point created ! ~ Resetting system settings ... OK ########## - EOF - ########## Link to post Share on other sites More sharing options...
Aura Posted December 25, 2017 ID:1194425 Share Posted December 25, 2017 No problem HanyanC, you're welcome! Merry Christmas and stay safe Link to post Share on other sites More sharing options...
Aura Posted December 25, 2017 ID:1194426 Share Posted December 25, 2017 Glad we could help. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request. This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread. Thanks Link to post Share on other sites More sharing options...
Recommended Posts