Malware Removal: Discussion about Trojans, viruses, hoaxes, firewalls, spyware, and general Security issues. If you suspect your PC is infected with a virus, trojan or spyware app please include any supporting documentation or logs.
#16
Anything more?
You have been a great help. Thanks a million.
Does anything else need to be done?
#17
Thanks for the logs.

Download and SAVE to your Desktop RogueKiller for 32bit or RogueKiller for 64bit.

----------------------------------------------

:Run CFScript:

Please start by opening Notepad and copy/paste the text in the box into the window:

Code:
Folder::
c:\users\Soudager\AppData\Local\Henotu
c:\users\Soudager\AppData\Local\Cobaro
c:\users\Soudager\AppData\Local\hodor
c:\users\Soudager\AppData\Local\Nilorer

FireFox::
FF - prefs.js: browser.search.selectedEngine - Search Provided by Yahoo
FF - user.js: xpinstall.signatures.required - false

Drag CFScript.txt into ComboFix.exe. This will let ComboFix run again. Restart if you have to. Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

"Information and logs"
Instructions on how to backup your Favourites/Bookmarks and other data can be found below.

Have a nice day.
#18
Rogue killer log
RogueKiller V12.12.16.0 (x64) [May 4 2018] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : https://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7600) 64 bits version
Started in : Normal mode
User : Soudager [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Delete -- Date : 05/13/2018 10:22:15 (Duration : 00:29:20)

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 0 ¤¤¤

¤¤¤ Tasks : 1 ¤¤¤
[Suspicious.Path] \{4D71AD05-713E-250A-0318-221077F30F98}\synhelper -- C:\Users\Soudager\AppData\Local\hodor\SYNHEL~1.EXE (/Check) -> Not selected

¤¤¤ Files : 0 ¤¤¤

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 5 ¤¤¤
[PUP.Gen0][Chrome:Addon] Default : Share With Care [jjflmfkjppbmejlfbhlpgjnomdoefkfa] -> Deleted
[PUM.SearchEngine][Firefox:Config] nawte7v5.default : user_pref("browser.search.selectedEngine", "Search Provided by Yahoo"); -> Deleted
[PUM.SearchEngine][Firefox:Config] nawte7v5.default : user_pref("browser.search.defaultenginename", "Search Provided by Yahoo"); -> Deleted
[PUM.HomePage][Chrome:Config] Default [SecurePrefs] : homepage [http://www.houseofquran.com/] -> Deleted
[PUM.HomePage][Chrome:Config] Default [SecurePrefs] : session.startup_urls [http://www.houseofquran.com/|https:/...ate&uref=chmm] -> Deleted

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD2500BEVT-60A23T0 ATA Device +++++
--- User ---
[MBR] 9c4988aebec3de4a023e014a316c8042
[BSP] b8510907608e0b1e5a2209ca063fb59c : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 60000 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 123086848 | Size: 60000 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
3 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 245966848 | Size: 60000 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK
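The log above flags three kinds of leftover that are typical of adware on a Windows 7 machine: a scheduled task whose action runs out of a user's AppData\Local folder ([Suspicious.Path]), Firefox search-engine prefs that were overridden, and a user.js that switches extension-signature checking off, plus a Chrome extension the user did not knowingly install. The PowerShell script below is an added example, not part of this thread and not code from RogueKiller, ComboFix or Malwarebytes; it re-audits those three spots after a cleanup so a helper can confirm nothing came back. It assumes an elevated prompt, English-language schtasks output, and browser profiles in their default locations under the current user. It works with the PowerShell 2.0 that ships on Windows 7, which is why it uses schtasks.exe rather than the ScheduledTasks module.

```powershell
# Added example (not from this thread or any tool it mentions): re-check the
# persistence spots that the RogueKiller log flagged.
# Assumptions: elevated PowerShell prompt on the cleaned machine, English
# schtasks output, browser profiles in their default per-user locations.

# --- 1. Scheduled tasks that launch something from a user profile's AppData ---
# The ScheduledTasks module does not exist on Windows 7, so schtasks.exe is
# used. In verbose CSV mode it repeats the header row for every task folder;
# those rows come through ConvertFrom-Csv with TaskName = 'TaskName' and are
# filtered out.
$tasks = schtasks.exe /Query /FO CSV /V | ConvertFrom-Csv |
    Where-Object { $_.TaskName -ne 'TaskName' }

$appDataTasks = $tasks | Where-Object {
    $_.'Task To Run' -match '\\AppData\\(Local|LocalLow|Roaming)\\'
}

"== Scheduled tasks running from AppData ({0}) ==" -f @($appDataTasks).Count
$appDataTasks | ForEach-Object {
    "{0}`n    runs : {1}`n    state: {2}" -f $_.TaskName, $_.'Task To Run', $_.'Scheduled Task State'
}

# --- 2. Firefox: search-engine overrides and disabled add-on signature checks ---
# Firefox applies user.js on top of prefs.js at every start, so a pref planted
# in user.js comes back no matter how often it is changed in the settings UI.
$ffProfiles = Get-ChildItem "$env:APPDATA\Mozilla\Firefox\Profiles" -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer }

"== Firefox prefs of interest =="
foreach ($profile in $ffProfiles) {
    foreach ($name in 'user.js', 'prefs.js') {
        $file = Join-Path $profile.FullName $name
        if (Test-Path $file) {
            Select-String -Path $file -Pattern 'browser\.search\.(selectedEngine|defaultenginename)|xpinstall\.signatures\.required' |
                ForEach-Object { "{0}\{1}: {2}" -f $profile.Name, $name, $_.Line.Trim() }
        }
    }
}

# --- 3. Chrome: extensions still unpacked in the default profile ---
# Lists every extension folder with the name from its manifest, so an
# unfamiliar one (like the "Share With Care" add-on above) stands out.
$chromeExt = "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Extensions"
"== Chrome extension folders =="
if (Test-Path $chromeExt) {
    Get-ChildItem $chromeExt | Where-Object { $_.PSIsContainer } | ForEach-Object {
        $manifest = Get-ChildItem $_.FullName -Recurse -Filter manifest.json -ErrorAction SilentlyContinue |
            Select-Object -First 1
        $label = '(no manifest)'
        if ($manifest) {
            $m = Select-String -Path $manifest.FullName -Pattern '"name"\s*:\s*"([^"]*)"' | Select-Object -First 1
            if ($m) { $label = $m.Matches[0].Groups[1].Value }
        }
        "{0}  {1}" -f $_.Name, $label
    }
}
```

The task check is the one worth keeping around: a scheduled task is a legitimate feature, so nothing removes it for you, and an action path under AppData is the single quickest tell that something user-writable was registered to run on a schedule. Extension names that begin with `__MSG_` are localisation placeholders rather than real names; those entries need the extension's `_locales` folder to resolve.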
#19
Oops, did something go wrong?
I couldn't find 'delete' after Rogue Killer ran its scan.
I found Remove. I selected some things and clicked to remove them, though you had told me in the earlier mail not to remove everything, since not everything found is a threat. I posted the report file. I couldn't find '2' log files. (And when I had run the Rogue Killer earlier I had disabled Malwarebytes. This time I enabled it and ran the scan.) I don't know what went wrong. My 2 year old son may have clicked something. So I have run the Rogue Killer again. I will post that log after this. Thanks
#20
MBAM log
Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 5/13/18
Scan Time: 10:13 AM
Log File: 3656a0ad-5668-11e8-97c9-70f395583f2d.json
Administrator: Yes

-Software Information-
Version: 3.4.5.2467
Components Version: 1.0.342
Update Package Version: 1.0.5088
License: Trial

-System Information-
OS: Windows 7
CPU: x64
File System: NTFS
User: System

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Scheduler
Result: Completed
Objects Scanned: 274630
Threats Detected: 20
Threats Quarantined: 19
Time Elapsed: 16 min, 16 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 3
PUP.Optional.CrossRider, C:\Users\Soudager\AppData\Local\Google\Chrome\User Data\Default\Extensions\jjflmfkjppbmejlfbhlpgjnomdoefkfa\0.1_0\_metadata, Quarantined, [389], [176560],1.0.5088
PUP.Optional.CrossRider, C:\Users\Soudager\AppData\Local\Google\Chrome\User Data\Default\Extensions\jjflmfkjppbmejlfbhlpgjnomdoefkfa\0.1_0, Quarantined, [389], [176560],1.0.5088
PUP.Optional.CrossRider, C:\USERS\SOUDAGER\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\JJFLMFKJPPBMEJLFBHLPGJNOMDOEFKFA, Quarantined, [389], [176560],1.0.5088

File: 17
PUP.Optional.CrossRider, C:\Users\Soudager\AppData\Local\Google\Chrome\User Data\Default\Extensions\jjflmfkjppbmejlfbhlpgjnomdoefkfa\0.1_0\_metadata\computed_hashes.json, Quarantined, [389], [176560],1.0.5088
PUP.Optional.CrossRider, C:\Users\Soudager\AppData\Local\Google\Chrome\User Data\Default\Extensions\jjflmfkjppbmejlfbhlpgjnomdoefkfa\0.1_0\_metadata\verified_contents.json, Quarantined, [389], [176560],1.0.5088
PUP.Optional.CrossRider, C:\Users\Soudager\AppData\Local\Google\Chrome\User Data\Default\Extensions\jjflmfkjppbmejlfbhlpgjnomdoefkfa\0.1_0\background.js, Quarantined, [389], [176560],1.0.5088
PUP.Optional.CrossRider, C:\Users\Soudager\AppData\Local\Google\Chrome\User Data\Default\Extensions\jjflmfkjppbmejlfbhlpgjnomdoefkfa\0.1_0\bookmarklet.js, Quarantined, [389], [176560],1.0.5088
PUP.Optional.CrossRider, C:\Users\Soudager\AppData\Local\Google\Chrome\User Data\Default\Extensions\jjflmfkjppbmejlfbhlpgjnomdoefkfa\0.1_0\icon-128.png, Quarantined, [389], [176560],1.0.5088
PUP.Optional.CrossRider, C:\Users\Soudager\AppData\Local\Google\Chrome\User Data\Default\Extensions\jjflmfkjppbmejlfbhlpgjnomdoefkfa\0.1_0\icon-16.png, Quarantined, [389], [176560],1.0.5088
PUP.Optional.CrossRider, C:\Users\Soudager\AppData\Local\Google\Chrome\User Data\Default\Extensions\jjflmfkjppbmejlfbhlpgjnomdoefkfa\0.1_0\icon-48.png, Quarantined, [389], [176560],1.0.5088
PUP.Optional.CrossRider, C:\Users\Soudager\AppData\Local\Google\Chrome\User Data\Default\Extensions\jjflmfkjppbmejlfbhlpgjnomdoefkfa\0.1_0\manifest.json, Quarantined, [389], [176560],1.0.5088
PUP.Optional.CrossRider, C:\USERS\SOUDAGER\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Removal Failed, [389], [176560],1.0.5088
PUP.Optional.CrossRider, C:\USERS\SOUDAGER\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [389], [176560],1.0.5088
PUP.Optional.CrossRider, C:\USERS\SOUDAGER\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Data\SyncData.sqlite3, Replaced, [389], [176560],1.0.5088
PUP.Optional.WinYahoo, C:\USERS\SOUDAGER\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Data\SyncData.sqlite3, Replaced, [246], [454803],1.0.5088
PUP.Optional.WinYahoo, C:\USERS\SOUDAGER\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, [246], [454803],1.0.5088
PUP.Optional.WinYahoo, C:\USERS\SOUDAGER\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Data\SyncData.sqlite3, Replaced, [246], [454803],1.0.5088
PUP.Optional.WinYahoo, C:\USERS\SOUDAGER\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data, Replaced, [246], [454803],1.0.5088
PUP.Optional.ASK, C:\USERS\SOUDAGER\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Data\SyncData.sqlite3, Replaced, [2], [454827],1.0.5088
PUP.Optional.ASK, C:\USERS\SOUDAGER\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Web Data, Replaced, [2], [454827],1.0.5088

Physical Sector: 0
(No malicious items detected)

(end)
#21
Rogue killer log (when I ran it the 2nd time, in fact the 3rd)
RogueKiller V12.12.16.0 (x64) [May 4 2018] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : https://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7600) 64 bits version
Started in : Normal mode
User : Soudager [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Delete -- Date : 05/13/2018 11:09:04 (Duration : 00:33:00)

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 0 ¤¤¤

¤¤¤ Tasks : 1 ¤¤¤
[Suspicious.Path] \{4D71AD05-713E-250A-0318-221077F30F98}\synhelper -- C:\Users\Soudager\AppData\Local\hodor\SYNHEL~1.EXE (/Check) -> Deleted

¤¤¤ Files : 0 ¤¤¤

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD2500BEVT-60A23T0 ATA Device +++++
--- User ---
[MBR] 9c4988aebec3de4a023e014a316c8042
[BSP] b8510907608e0b1e5a2209ca063fb59c : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 60000 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 123086848 | Size: 60000 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
3 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 245966848 | Size: 60000 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK
#22
Only 1 log file of RK
I still couldn't find 2 log files
#23
Thanks for the logs.

Code:
I couldn't find '2' log files. I don't know what went wrong. My 2 year old son may have clicked something.

Did you forget to run CFScript? Please run CFScript.
#24
Did as instructed
1. When I dragged CFScript into ComboFix it started running but said that updates are available, so I clicked 'update'. It got updated, and then while I waited nothing was happening, so I dragged the CFScript into ComboFix again.
2. It started to run but showed the following:
3. Now after I clicked retry, another message window popped up.
(I had got this window earlier too.)
5. I will post the log.
#25
ComboFix Report
ComboFix 18-05-17.01 - Soudager 05/18/2018 9:47.2.2 - x64
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.1976.1012 [GMT 5.5:30]
Running from: c:\users\Soudager\Desktop\ComboFix.exe
Command switches used :: c:\users\Soudager\Desktop\CFScript.txt
AV: Malwarebytes *Disabled/Updated* {23007AD3-69FE-687C-2629-D584AFFAF72B}
SP: Malwarebytes *Disabled/Updated* {98619B37-4FC4-67F2-1C99-EEF6D47DBD96}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 * Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Soudager\AppData\Local\Cobaro
c:\users\Soudager\AppData\Local\Henotu
c:\users\Soudager\AppData\Local\hodor
c:\users\Soudager\AppData\Local\hodor\fob.txt
c:\users\Soudager\AppData\Local\hodor\gonefapud
c:\users\Soudager\AppData\Local\hodor\nugag.txt
c:\users\Soudager\AppData\Local\hodor\tapedomi
c:\users\Soudager\AppData\Local\Nilorer
c:\users\Soudager\AppData\Local\Nilorer\Bahedi.exe
.
.
((((((((((((((((((((((((( Files Created from 2018-04-18 to 2018-05-18 )))))))))))))))))))))))))))))))
.
.
2018-05-18 04:22 . 2018-05-18 04:22 -------- d-----w- c:\users\Guest\AppData\Local\temp
2018-05-18 04:22 . 2018-05-18 04:22 -------- d-----w- c:\users\Default\AppData\Local\temp
2018-05-11 12:24 . 2018-05-13 05:39 28272 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2018-05-11 12:24 . 2018-05-11 15:37 -------- d-----w- c:\programdata\RogueKiller
2018-05-11 12:23 . 2018-05-13 04:51 -------- d-----w- c:\program files\RogueKiller
2018-05-11 11:57 . 2018-05-18 03:53 253664 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2018-05-08 12:55 . 2018-05-08 12:55 76232 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{BDEB36F0-5DB5-48DF-96C1-83B8BC9F3AD9}\offreg.dll
2018-05-06 01:52 . 2018-03-19 07:27 76192 ----a-w- c:\windows\system32\drivers\mbae64.sys
2018-05-06 01:52 . 2018-05-06 01:52 -------- d-----w- c:\programdata\Malwarebytes
2018-05-06 01:52 . 2018-05-06 01:52 -------- d-----w- c:\program files\Malwarebytes
2018-05-03 15:00 . 2018-05-14 09:04 736952 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore-2\Microsoft.MediaCenter.Sports.UI.dll
2018-05-03 15:00 . 2018-05-14 09:03 1707160 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\markup.dll
2018-05-03 15:00 . 2018-05-14 09:03 42168 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM-2\StartResources.dll
2018-05-03 15:00 . 2018-05-18 03:59 539984 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight-2\SpotlightResources.dll
2018-05-02 14:03 . 2018-05-02 14:22 -------- d-----w- C:\AdwCleaner
2018-05-02 13:22 . 2018-05-02 13:22 -------- d-----w- c:\program files\VS Revo Group
2018-05-01 06:12 . 2018-05-18 04:00 736952 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll
2018-05-01 06:12 . 2018-05-18 03:59 1707160 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll
2018-05-01 06:11 . 2018-05-18 03:59 42168 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM\StartResources.dll
2018-05-01 06:11 . 2018-05-11 06:50 539984 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2018-04-29 01:05 . 2018-05-11 11:22 62902208 ----a-w- c:\users\Soudager\AppData\Roaming\Microsoft\Skype for Desktop\Skype-Setup.exe
2018-04-27 02:37 . 2018-05-06 01:41 -------- d-----w- C:\FRST
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2018-05-09 15:51 . 2012-10-16 19:56 804864 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2018-05-09 15:51 . 2012-08-28 14:29 144896 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe" [2011-03-04 2741616]
"Skype for Desktop"="c:\program files (x86)\Microsoft\Skype for Desktop\Skype.exe" [2018-04-24 49654216]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"TkBellExe"="c:\program files (x86)\real\realplayer\Update\realsched.exe" [2013-05-19 295512]
.
c:\users\Soudager\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office12\ONENOTEM.EXE /tsr [2006-10-26 98632]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService]
@="Service"
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudbus.sys;c:\windows\SYSNATIVE\DRIVERS\ssudbus.sys [x]
R3 EraserUtilDrv11520;EraserUtilDrv11520;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11520.sys;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11520.sys [x]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [x]
R3 HTCAND64;HTC Device Driver;c:\windows\system32\Drivers\ANDROIDUSB.sys;c:\windows\SYSNATIVE\Drivers\ANDROIDUSB.sys [x]
R3 ssudmdm;SAMSUNG Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudmdm.sys;c:\windows\SYSNATIVE\DRIVERS\ssudmdm.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
S2 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;c:\program files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe;c:\program files (x86)\RealNetworks\RealDownloader\rndlresolversvc.exe [x]
S3 MBAMService;Malwarebytes Service;c:\program files\Malwarebytes\Anti-Malware\mbamservice.exe;c:\program files\Malwarebytes\Anti-Malware\mbamservice.exe [x]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\System32\Drivers\mbamswissarmy.sys;c:\windows\SYSNATIVE\Drivers\mbamswissarmy.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
S3 rtl8192se;Realtek Wireless LAN 802.11n PCI-E NIC NT Driver;c:\windows\system32\DRIVERS\rtl8192se.sys;c:\windows\SYSNATIVE\DRIVERS\rtl8192se.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MBAMSWISSARMY
*Deregistered* - ESProtectionDriver
*Deregistered* - MBAMWebProtection
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2011-03-04 06:59 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
.
--------- X64 Entries -----------
.
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.43.1
FF - ProfilePath - c:\users\Soudager\AppData\Roaming\Mozilla\Firefox\Profiles\nawte7v5.default\
FF - user.js: xpinstall.signatures.required - false
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-RealPlayer 16.0 - c:\program files (x86)\real\realplayer\Update\r1puninst.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_29_0_0_171_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_29_0_0_171_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_29_0_0_171_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_29_0_0_171_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_29_0_0_171.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.29"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_29_0_0_171.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_29_0_0_171.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_29_0_0_171.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2018-05-18 09:55:31
ComboFix-quarantined-files.txt 2018-05-18 04:25
ComboFix2.txt 2018-05-11 12:12
.
Pre-Run: 10,722,299,904 bytes free
Post-Run: 10,661,695,488 bytes free
.
- - End Of File - - 3AF190B337075B83889471772B5A7C66 A36C5E4F47E84449FF07ED3517B43A31
#26
Rogue killer log
RogueKiller V12.12.16.0 (x64) [May 4 2018] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : https://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7600) 64 bits version
Started in : Normal mode
User : Soudager [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 05/18/2018 10:44:12 (Duration : 00:24:47)

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 0 ¤¤¤

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD2500BEVT-60A23T0 ATA Device +++++
--- User ---
[MBR] 9c4988aebec3de4a023e014a316c8042
[BSP] b8510907608e0b1e5a2209ca063fb59c : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 60000 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 123086848 | Size: 60000 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
3 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 245966848 | Size: 60000 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK
#27
What Next?
I don't have the windows opening up any more. But I worry whether they will reappear once Malwarebytes expires.
Are we done? What precautions should I take so this does not repeat? Thanks for being with me for so long.
#28
No problem. You can buy the MalwareBytes software. Or you can only use it for browsing and as passive.

ESET Online Scanner: Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.

Have a nice day.