Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Need help removing My PC Backup (and other possible malware)


  • This topic is locked This topic is locked
2 replies to this topic

#1 dafuq

dafuq

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:07:26 PM

Posted 08 August 2013 - 11:15 PM

I ran Adw Cleaner and this is the log:
 

# AdwCleaner v2.306 - Logfile created 08/09/2013 at 10:47:35
# Updated 19/07/2013 by Xplode
# Operating system : Windows 7 Professional Service Pack 1 (32 bits)
# User : server - ILOFT23
# Boot Mode : Normal
# Running from : C:\Users\server\Downloads\AdwCleaner.exe
# Option [Delete]
 
 
***** [Services] *****
 
 
***** [Files / Folders] *****
 
File Deleted : C:\Windows\Tasks\AmiUpdXp.job
Folder Deleted : C:\ProgramData\Tarma Installer
Folder Deleted : C:\Users\server\AppData\Local\SwvUpdater
Folder Deleted : C:\Users\server\AppData\Roaming\Mozilla\Firefox\Profiles\l1edqx43.default\extensions\plugin@getwebcake.com
 
***** [Registry] *****
 
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{7169BBB3-3289-4696-B35D-4A88BCF6FB12}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\WebCakeIEClient.DLL
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{2A5A2A90-3B30-4E6E-A955-2F232C6EF517}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{67BD9EEB-AA06-4329-A940-D250019300C9}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{AF6B0594-6008-4327-93E5-608AD710A6FA}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DF84E609-C3A4-49CB-A160-61767DAF8899}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9EDC0C90-2B5B-4512-953E-35767BAD5C67}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{DF84E609-C3A4-49CB-A160-61767DAF8899}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{A0EE0278-2986-4E5A-884E-A3BF0357E476}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{EFDF368C-8DD9-4E05-87CD-16AA5CB03CB8}
Key Deleted : HKLM\SOFTWARE\Classes\Updater.AmiUpd
Key Deleted : HKLM\SOFTWARE\Classes\Updater.AmiUpd.1
Key Deleted : HKLM\SOFTWARE\Classes\WebCakeIEClient.Api
Key Deleted : HKLM\SOFTWARE\Classes\WebCakeIEClient.Api.1
Key Deleted : HKLM\SOFTWARE\Classes\WebCakeIEClient.Layers
Key Deleted : HKLM\SOFTWARE\Classes\WebCakeIEClient.Layers.1
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\fjoijdanhaiflhibkljeklcghcmmfffh
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\WebCakeDesktop_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\WebCakeDesktop_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2A5A2A90-3B30-4E6E-A955-2F232C6EF517}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{AF6B0594-6008-4327-93E5-608AD710A6FA}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{99C91FC5-DB5B-4AA0-BB70-5D89C5A4DF96}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C4ED781C-7394-4906-AAFF-D6AB64FF7C38}
Key Deleted : HKLM\Software\Tarma Installer
Value Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [WebCake Desktop]
 
***** [Internet Browsers] *****
 
-\\ Internet Explorer v10.0.9200.16635
 
[OK] Registry is clean.
 
-\\ Mozilla Firefox v11.0 (en-US)
 
File : C:\Users\server\AppData\Roaming\Mozilla\Firefox\Profiles\l1edqx43.default\prefs.js
 
C:\Users\server\AppData\Roaming\Mozilla\Firefox\Profiles\l1edqx43.default\user.js ... Deleted !
 
[OK] File is clean.
 
-\\ Google Chrome v28.0.1500.95
 
File : C:\Users\server\AppData\Local\Google\Chrome\User Data\Default\Preferences
 
[OK] File is clean.
 
*************************
 
AdwCleaner[R1].txt - [10691 octets] - [09/08/2013 10:39:06]
AdwCleaner[S1].txt - [10681 octets] - [09/08/2013 10:39:38]
AdwCleaner[S2].txt - [3303 octets] - [09/08/2013 10:47:35]
 
########## EOF - C:\AdwCleaner[S2].txt - [3363 octets] ##########
 


======================================================================

I ran JRT and this is the log:

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 5.3.8 (08.07.2013:4)
OS: Windows 7 Professional x86
Ran by server on Fri 08/09/2013 at 10:49:47.82
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
~~~ Services
 
Successfully stopped: [Service] backupstack 
Successfully deleted: [Service] backupstack 
 
 
 
~~~ Registry Values
 
Successfully deleted: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\update.exe
 
 
 
~~~ Registry Keys
 
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{A0B10EBE-4E51-4CAE-949B-E6B9E7D68CEA}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{BB975E58-E769-4E5A-BA12-B765BC559FF3}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{F511AFDB-726E-4458-90E7-1ECB97406544}
Failed to delete: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{FB684D26-01F4-4D9D-87CB-F486BEBA56DC}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\Interface\{0AFD55C8-ADF8-4A33-A6E1-DEDB7A36AEB4}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\torch
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\trolltech
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\AppDataLow\software\lyrics_monkey
Successfully deleted: [Registry Key] "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-3730447077-1950318055-3244836388-1000\Software\SweetIM"
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\torch
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\trolltech
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FB684D26-01F4-4D9D-87CB-F486BEBA56DC}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{69C0E130-9F25-437B-9522-192970C0D4FA}
 
 
 
~~~ Files
 
Successfully deleted [File] C:\Windows\Tasks\Lyrics-Monkey Update.job
Successfully deleted [File] C:\Windows\system32\Tasks\BrowserDefendert
Successfully deleted [File] C:\Windows\system32\Tasks\EPUpdater
Successfully deleted [File] C:\Windows\system32\Tasks\Lyrics-Monkey Update
 
 
 
~~~ Folders
 
Successfully deleted: [Folder] "C:\Users\server\AppData\Roaming\web cake"
Successfully deleted: [Folder] "C:\Program Files\free youtube downloader"
Successfully deleted: [Folder] "C:\Program Files\mypc backup"
Failed to delete: [Folder] "C:\Program Files\web cake"
 
 
 
~~~ FireFox
 
Successfully deleted: [Folder] C:\Users\server\AppData\Roaming\mozilla\firefox\profiles\l1edqx43.default\extensions\125
Successfully deleted: [Folder] C:\Users\server\AppData\Roaming\mozilla\firefox\profiles\l1edqx43.default\extensions\ffxtlbr@mixidj.com
 
 
 
~~~ Chrome
 
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Google\Chrome\Extensions\kiplfnciaokpcennlkldkdaeaaomamof
 
 
 
~~~ Event Viewer Logs were cleared
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Fri 08/09/2013 at 10:51:41.84
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 


I closed my AV and ran Combofix but after 30mins of waiting for it to finish scanning it still didn't stop. So I restarted my computer without any log/unfinished scan.

does it really normally take that long?
 



BC AdBot (Login to Remove)

 


#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,544 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:26 AM

Posted 11 August 2013 - 08:07 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

--RogueKiller--
  • Download & SAVE to your Desktop RogueKiller for 32bit or Roguekiller for 64bit
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator to start"
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • click on "delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller+
===

Please download and run this DDS Scanning Tool. Nothing will be deleted. It will just give me some additional information about your system.

Download DDS by sUBs from one of the following links, if you no longer have it available. Save it to your desktop.

1: DDS.scr (Not recommended if you use Chrome to download this .scr file. Use the other options.)
2: DDS.pif
3: DDS.COM

Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Follow the instructions that pop up for posting the results.
Please note: You may have to disable any script protection running if the scan fails to run.

dds_scr.gif

Please just paste the contents of the DDS.txt log in your next post. DO NOT attach the log.
===

Please paste the logs in your next reply, DO NOT ATTACH THEM
Let me know what problem persists.

#3 nasdaq

nasdaq

  • Malware Response Team
  • 40,544 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:26 AM

Posted 17 August 2013 - 07:54 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users