Shmouel Posted February 24, 2019 ID:1300358 Share Posted February 24, 2019 Following this issue - I understood I need to gather logs and post them here... (I don't upload the logs for mbam since it won't start for me - not even in safe mode). Addition.txt FRST.txt Link to post Share on other sites More sharing options...
RPMcMurphy Posted February 24, 2019 ID:1300442 Share Posted February 24, 2019 Hello and welcome. I'm reviewing your logs and I'll be back with you soon. In the meantime: Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I’ve given you the “All clear.” Absence of symptoms does not mean your machine is clean! Please do not run any scans or install/uninstall any applications without being directed to do so. Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed. Link to post Share on other sites More sharing options...
Shmouel Posted February 24, 2019 Author ID:1300445 Share Posted February 24, 2019 9 minutes ago, RPMcMurphy said: Hello and welcome. I'm reviewing your logs and I'll be back with you soon. In the meantime: Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I’ve given you the “All clear.” Absence of symptoms does not mean your machine is clean! Please do not run any scans or install/uninstall any applications without being directed to do so. Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed. Thanks. There's a windows defender full scan running since this morning. Should I stop it? Link to post Share on other sites More sharing options...
RPMcMurphy Posted February 24, 2019 ID:1300454 Share Posted February 24, 2019 You can stop that scan for now. Your logs indicate that you are using cracks and/or keygens. We don't support software piracy on this forum so, my continued assistance will require that you leave such software off your system. Also, please refrain from using your P2P software during our cleanup. - - - Right click on the FRST icon and select Run as administrator Highlight the below information (in the code box) then hit the Ctrl + C keys at the same time The information will be copied invisibly and will be 'pasted' into FRST automatically when you click Fix as instructed below CreateRestorePoint: CloseProcesses: C:\Windows\Temp\g2055.tmp.exe HKLM\ DisallowedCertificates: 03D22C9C66915D58C88912B64C1F984B8344EF09 (Comodo Security Solutions) <==== ATTENTION HKLM\ DisallowedCertificates: 0F684EC1163281085C6AF20528878103ACEFCAAB (F-Secure Corporation) <==== ATTENTION HKLM\ DisallowedCertificates: 1667908C9E22EFBD0590E088715CC74BE4C60884 (FRISK Software International/F-Prot) <==== ATTENTION HKLM\ DisallowedCertificates: 18DEA4EFA93B06AE997D234411F3FD72A677EECE (Bitdefender SRL) <==== ATTENTION HKLM\ DisallowedCertificates: 2026D13756EB0DB753DF26CB3B7EEBE3E70BB2CF (G DATA Software AG) <==== ATTENTION HKLM\ DisallowedCertificates: 249BDA38A611CD746A132FA2AF995A2D3C941264 (Malwarebytes Corporation) <==== ATTENTION HKLM\ DisallowedCertificates: 31AC96A6C17C425222C46D55C3CCA6BA12E54DAF (Symantec Corporation) <==== ATTENTION HKLM\ DisallowedCertificates: 331E2046A1CCA7BFEF766724394BE6112B4CA3F7 (Trend Micro) <==== ATTENTION HKLM\ DisallowedCertificates: 3353EA609334A9F23A701B9159E30CB6C22D4C59 (Webroot Inc.) <==== ATTENTION HKLM\ DisallowedCertificates: 373C33726722D3A5D1EDD1F1585D5D25B39BEA1A (SUPERAntiSpyware.com) <==== ATTENTION HKLM\ DisallowedCertificates: 3850EDD77CC74EC9F4829AE406BBF9C21E0DA87F (Kaspersky Lab) <==== ATTENTION HKLM\ DisallowedCertificates: 3D496FA682E65FC122351EC29B55AB94F3BB03FC (AVG Technologies CZ) <==== ATTENTION HKLM\ DisallowedCertificates: 4243A03DB4C3C15149CEA8B38EEA1DA4F26BD159 (PC Tools) <==== ATTENTION HKLM\ DisallowedCertificates: 42727E052C0C2E1B35AB53E1005FD9EDC9DE8F01 (K7 Computing Pvt Ltd) <==== ATTENTION HKLM\ DisallowedCertificates: 4420C99742DF11DD0795BC15B7B0ABF090DC84DF (Doctor Web Ltd.) <==== ATTENTION HKLM\ DisallowedCertificates: 4C0AF5719009B7C9D85C5EAEDFA3B7F090FE5FFF (Emsisoft Ltd) <==== ATTENTION HKLM\ DisallowedCertificates: 5240AB5B05D11B37900AC7712A3C6AE42F377C8C (Check Point Software Technologies Ltd.) <==== ATTENTION HKLM\ DisallowedCertificates: 5DD3D41810F28B2A13E9A004E6412061E28FA48D (Emsisoft Ltd) <==== ATTENTION HKLM\ DisallowedCertificates: 7457A3793086DBB58B3858D6476889E3311E550E (K7 Computing Pvt Ltd) <==== ATTENTION HKLM\ DisallowedCertificates: 76A9295EF4343E12DFC5FE05DC57227C1AB00D29 (BullGuard Ltd) <==== ATTENTION HKLM\ DisallowedCertificates: 775B373B33B9D15B58BC02B184704332B97C3CAF (McAfee) <==== ATTENTION HKLM\ DisallowedCertificates: 872CD334B7E7B3C3D1C6114CD6B221026D505EAB (Comodo Security Solutions) <==== ATTENTION HKLM\ DisallowedCertificates: 88AD5DFE24126872B33175D1778687B642323ACF (McAfee) <==== ATTENTION HKLM\ DisallowedCertificates: 9132E8B079D080E01D52631690BE18EBC2347C1E (Adaware Software) <==== ATTENTION HKLM\ DisallowedCertificates: 982D98951CF3C0CA2A02814D474A976CBFF6BDB1 (Safer Networking Ltd.) <==== ATTENTION HKLM\ DisallowedCertificates: 9A08641F7C5F2CCA0888388BE3E5DBDDAAA3B361 (Webroot Inc.) <==== ATTENTION HKLM\ DisallowedCertificates: 9C43F665E690AB4D486D4717B456C5554D4BCEB5 (ThreatTrack Security) <==== ATTENTION HKLM\ DisallowedCertificates: 9E3F95577B37C74CA2F70C1E1859E798B7FC6B13 (CURIOLAB S.M.B.A.) <==== ATTENTION HKLM\ DisallowedCertificates: A1F8DCB086E461E2ABB4B46ADCFA0B48C58B6E99 (Avira Operations GmbH & Co. KG) <==== ATTENTION HKLM\ DisallowedCertificates: A5341949ABE1407DD7BF7DFE75460D9608FBC309 (BullGuard Ltd) <==== ATTENTION HKLM\ DisallowedCertificates: A59CC32724DD07A6FC33F7806945481A2D13CA2F (ESET) <==== ATTENTION HKLM\ DisallowedCertificates: AB7E760DA2485EA9EF5A6EEE7647748D4BA6B947 (AVG Technologies CZ) <==== ATTENTION HKLM\ DisallowedCertificates: AD4C5429E10F4FF6C01840C20ABA344D7401209F (Avast Antivirus/Software) <==== ATTENTION HKLM\ DisallowedCertificates: AD96BB64BA36379D2E354660780C2067B81DA2E0 (Symantec Corporation) <==== ATTENTION HKLM\ DisallowedCertificates: B8EBF0E696AF77F51C96DB4D044586E2F4F8FD84 (Malwarebytes Corporation) <==== ATTENTION HKLM\ DisallowedCertificates: CDC37C22FE9272D8F2610206AD397A45040326B8 (Trend Micro) <==== ATTENTION HKLM\ DisallowedCertificates: D3F78D747E7C5D6D3AE8ABFDDA7522BFB4CBD598 (Kaspersky Lab) <==== ATTENTION HKLM\ DisallowedCertificates: DB303C9B61282DE525DC754A535CA2D6A9BD3D87 (ThreatTrack Security) <==== ATTENTION HKLM\ DisallowedCertificates: DB77E5CFEC34459146748B667C97B185619251BA (Avast Antivirus/Software) <==== ATTENTION HKLM\ DisallowedCertificates: E22240E837B52E691C71DF248F12D27F96441C00 (Total Defense, Inc.) <==== ATTENTION HKLM\ DisallowedCertificates: E513EAB8610CFFD7C87E00BCA15C23AAB407FCEF (AVG Technologies CZ) <==== ATTENTION HKLM\ DisallowedCertificates: ED841A61C0F76025598421BC1B00E24189E68D54 (Bitdefender SRL) <==== ATTENTION HKLM\ DisallowedCertificates: F83099622B4A9F72CB5081F742164AD1B8D048C9 (ESET) <==== ATTENTION HKLM\ DisallowedCertificates: FBB42F089AF2D570F2BF6F493D107A3255A9BB1A (Panda Security S.L) <==== ATTENTION HKLM\ DisallowedCertificates: FFFA650F2CB2ABC0D80527B524DD3F9FC172C138 (Doctor Web Ltd.) <==== ATTENTION HKU\S-1-5-21-1198311626-194739685-4191647409-1001\...\Run: [AdobeBridge] => [X] 2019-02-10 18:30 - 2019-02-13 09:34 - 000000000 ____D C:\Windows\AutoKMS 2019-02-03 22:34 - 2019-02-08 12:00 - 000000000 ____D C:\Windows\KMSServerService ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => -> No File Task: {6E7688C6-CB08-4024-99D4-CFCFBCF9E34E} - System32\Tasks\Erocketing Disk Software => C:\Windows\system32\rundll32.exe "C:\Program Files\Erocketing Disk Software\Erocketing Disk Software.dll",yCieHAfJDmzQ <==== ATTENTION FirewallRules: [{C6F308F2-AEAC-47B5-B8A1-C073414728FD}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe No File FirewallRules: [{EB6DAE8A-7B7A-4ABB-922A-B3C87E92CB0B}] => (Allow) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe No File FirewallRules: [TCP Query User{B16E3881-6D70-4652-A538-252A6A4EC3AE}D:\games\the long dark redux\tld.exe] => (Allow) D:\games\the long dark redux\tld.exe No File FirewallRules: [UDP Query User{50160A43-7256-4983-A1F0-6C2E2BCE08CC}D:\games\the long dark redux\tld.exe] => (Allow) D:\games\the long dark redux\tld.exe No File FirewallRules: [{A668DC20-4088-4D1C-BB32-B16C1D5EE2F6}] => (Allow) C:\Program Files\Microsoft Office\Office15\lync.exe No File FirewallRules: [{A95F9724-2430-47B0-AC0B-97DE5B13016C}] => (Allow) C:\Program Files\Microsoft Office\Office15\lync.exe No File FirewallRules: [{962C02FD-6062-403A-83DB-5EA358B98B4A}] => (Allow) C:\Program Files\Microsoft Office\Office15\UcMapi.exe No File FirewallRules: [{D0D8BC37-2E9E-4C09-A513-6FE166D28FEA}] => (Allow) C:\Program Files\Microsoft Office\Office15\UcMapi.exe No File FirewallRules: [TCP Query User{695D6363-0382-47BC-8B24-9FD3AD1DA3A0}D:\games\kingdom come deliverance band of bastards\bin\win64\kingdomcome.exe] => (Block) D:\games\kingdom come deliverance band of bastards\bin\win64\kingdomcome.exe No File FirewallRules: [UDP Query User{2EECC22A-D09A-45CC-B710-0B45D31BC3C6}D:\games\kingdom come deliverance band of bastards\bin\win64\kingdomcome.exe] => (Block) D:\games\kingdom come deliverance band of bastards\bin\win64\kingdomcome.exe No File Hosts: EmptyTemp: NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system Click Fix When completed he tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply. Link to post Share on other sites More sharing options...
Shmouel Posted February 24, 2019 Author ID:1300463 Share Posted February 24, 2019 Thanks! Things look much better now (the malwarebytes software can now run). This is the Fixlog.txt I got. Fixlog.txt Link to post Share on other sites More sharing options...
RPMcMurphy Posted February 24, 2019 ID:1300469 Share Posted February 24, 2019 Good. Since it's working, run a Threat Scan with Malwarebytes, then do this: Download AdwCleaner and move it to your Desktop. Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users). Accept the EULA (I accept), then click on Scan. Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Clean button. Once the cleaning process is complete, AdwCleaner will ask to restart your computer, please do so. After the restart, a log will open when logging in. Please copy and paste the contents of that log into your next reply. Please include the following in your next post: Malwarebytes log adwCleaner log Link to post Share on other sites More sharing options...
Shmouel Posted February 25, 2019 Author ID:1300517 Share Posted February 25, 2019 Done. Here are the file. AdwCleaner[C03].txt malwarebytesLog.txt Link to post Share on other sites More sharing options...
RPMcMurphy Posted February 25, 2019 ID:1300591 Share Posted February 25, 2019 Those look good. Do you have any unresolved issues with the computer? Link to post Share on other sites More sharing options...
Shmouel Posted February 25, 2019 Author ID:1300596 Share Posted February 25, 2019 Not that I see. All looks good. Link to post Share on other sites More sharing options...
RPMcMurphy Posted February 25, 2019 ID:1300662 Share Posted February 25, 2019 In that case, you should be all set. I just have a little cleanup for you: Uninstall FRST Right click on the FRST icon and select Rename Change the name to Uninstall After renaming it, right click and select Run as Administrator Uninstall any other tools or logs from our work that you don't need. Link to post Share on other sites More sharing options...
Shmouel Posted February 26, 2019 Author ID:1300701 Share Posted February 26, 2019 Ok. Thank you very much for all the help! Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted March 2, 2019 Root Admin ID:1301502 Share Posted March 2, 2019 Glad we could help. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks Link to post Share on other sites More sharing options...
Recommended Posts