Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

SalePlus Removal


  • This topic is locked This topic is locked
14 replies to this topic

#1 the geekfreak

the geekfreak

  • Members
  • 53 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:swansea uk
  • Local time:08:05 PM

Posted 11 April 2015 - 04:07 AM

Hi, 

So i have a gaming rig that i use for gaming and also video editing , Nobody else is allowed to use it but that rule was broken yesterday when my wife allowed our nephew on to it to play games.

He has since told us that he downloaded utorrent and also tried to get minecraft , Now i have since been on there and noticed strange browser behaviour , Ads even thoughy io use Ublock and random pages with ads opening on their own.

Have done a scan with Malwarebytes which found nothing , Then windows defender which also found nothing , Then Spybot which did find stuff and has removed/quarantined

Not noticing the random ads popping up or anything weird right now , I also managed to track down where the Google chorome extension "SalePlus" was and deleted it from the directory and also the browser extensions list.

However i am now worried there could be far more on this machine that i have no idea about , which is making me so mad because i am very careful what i allow and what i do not .

 

I would appreciate any help i get in this matter 

 

Thanks 

Daniel

 

 

 

 

Attached Files



BC AdBot (Login to Remove)

 


#2 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:06:05 AM

Posted 11 April 2015 - 07:32 AM

Hi,

 

 

You use a lot of cracks/keygens. This is playing with fire though.

Avoid using cracks and unknown programs from sources you don't trust. There are MANY alternative open-source applications.

Malware writers just love cracks and keygens, and will often attach malicious code into them. By using cracks and/or keygens, you are asking for problems.

So my advice is - stay away from them!

 

 

STEP 1

 

 

Chrome:
=======
CHR dev: Chrome dev build detected! <======= ATTENTION

 

We need to downgrade Google Chrome to the latest stable release. The adware has updated your browser to the developer version where Chrome internal checks are disabled and the adware will reinstall the malicious extensions periodically again if not downgraded...

Make sure that you export your passwords and favorites/bookmarks if you have any before you proceed with the steps below.

Check the links below for more information:

How to Export Bookmarks from Chrome

How To Backup Saved Passwords In Google Chrome Browse

 

Create a new Restore Point before you proceed just in case.

Now please download and install Revo Uninstaller 1.95.
Then please run Revo Uninstaller and select Google Chrome.
Please click Uninstall icon to uninstall the selected program.
Please choose Advanced.
Then click Next and follow the prompts.
Please click Select All and Delete to delete all registry items, folders and files listed by Revo.
If asked to restart the computer, please do so.

 

 

 

STEP 2

 

 

Please download the following file => and save it to the Desktop.
NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.
 

 

 

STEP 3

 

 

Now you can reinstall Google Chrome to the latest stable build Google Chrome 41.0.2272.118 Stable

 

 

 

Regards,

Georgi


cXfZ4wS.png


#3 the geekfreak

the geekfreak
  • Topic Starter

  • Members
  • 53 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:swansea uk
  • Local time:08:05 PM

Posted 11 April 2015 - 08:59 AM

Hi,

All steps completed , I have a question , You mention that I download lots of cracks ,I did a while back try to get Corel videostudio for free and downloaded the crack for that but I don't believe anything else was downloaded,That failed anyway and I paid £70 for the official copy.

Can you shed any light on the other crack`s that are apparent  ?

 

Many thanks for your time in this matter , I have also enclosed the file you requested .

 

Daniel

 

Attached Files



#4 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:06:05 AM

Posted 12 April 2015 - 03:00 AM

Hi,

 

That was a general warning based on the files below:

 

2015-04-08 13:38 - 2015-04-08 13:38 - 00423415 _____ () C:\Users\Dan\Downloads\Software-free.net_Corel_VideoStudio_Ultimate_X8_Keygen.rar
2015-04-08 16:31 - 2015-04-08 16:31 - 01404425 _____ () C:\Users\Dan\Downloads\Corel.VideoStudio.Ultimate.X8.v18.0.0.181.Multilingual.x64.Incl.Keymaker-CORE.nzb

 

Since you have a paid version then I recommend to delete them.

 

Let's check for PUPs leftovers:

 

 

STEP 1

 

 

Please download Malwarebytes Anti-Malware 2.1.4.1018 Final to your desktop.
 

  • Double-click mbam-setup-2.1.4.1018.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Launch Malwarebytes Anti-Malware
    • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish.
  • On the Settings tab > Detection and Protection subtab, Detection Options, tick the box 'Scan for rootkits'.
  • Click on the Scan tab, then click on Scan Now >> . If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • With some infections, you may see this message box.
    • 'Could not load DDA driver'
  • Click 'Yes' to this message, to allow the driver to load after a restart.
  • Allow the computer to restart. Continue with the rest of these instructions.
  • When the scan is complete, click Apply Actions.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply.

 

 

STEP 2

 

 

Please download AdwCleaner by Xplode and save to your Desktop.

  • Double click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin to scan your computer.
  • After the scan has finished click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.

 

 

STEP 3

 

 

thisisujrt.gif  Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

 

That's it for now. :)

 

 

Regards,

Georgi


Edited by B-boy/StyLe/, 12 April 2015 - 04:38 AM.
typo.

cXfZ4wS.png


#5 the geekfreak

the geekfreak
  • Topic Starter

  • Members
  • 53 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:swansea uk
  • Local time:08:05 PM

Posted 12 April 2015 - 03:34 AM

Hi , Thanks for helping , i really appreciate it .

 

Malwarebytes

 

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 12/04/2015
Scan Time: 09:17:45
Logfile: 
Administrator: Yes
 
Version: 2.00.4.1028
Malware Database: v2015.04.11.08
Rootkit Database: v2015.03.31.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
 
OS: Windows 8.1
CPU: x64
File System: NTFS
User: Dan
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 341856
Time Elapsed: 4 min, 28 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 0
(No malicious items detected)
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)
 
ADW
 
# AdwCleaner v4.201 - Logfile created 12/04/2015 at 09:26:01
# Updated 08/04/2015 by Xplode
# Database : 2015-04-08.1 [Server]
# Operating system : Windows 8.1 Pro  (x64)
# Username : Dan - BEAST
# Running from : C:\Users\Dan\Downloads\adwcleaner_4.201.exe
# Option : Cleaning
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
 
***** [ Scheduled tasks ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Key Deleted : HKLM\SOFTWARE\f5863687-931c-ea67-d5a5-b5acb8a47427
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{6137A08F-29B1-4E48-B6A1-70CC3ABF50F7}
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}
Key Deleted : HKLM\SOFTWARE\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}
Key Deleted : HKLM\SOFTWARE\Conduit
Key Deleted : HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}
Key Deleted : HKLM\SOFTWARE\{12A61307-94CD-4F8E-94BC-918E511FAA81}
Data Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] - *.local
 
***** [ Web browsers ] *****
 
-\\ Internet Explorer v11.0.9600.17416
 
 
-\\ Google Chrome v41.0.2272.118
 
 
*************************
 
AdwCleaner[R0].txt - [1365 bytes] - [12/04/2015 09:23:56]
AdwCleaner[R1].txt - [1424 bytes] - [12/04/2015 09:25:06]
AdwCleaner[S0].txt - [1326 bytes] - [12/04/2015 09:26:01]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [1385  bytes] ##########
 
Junkware
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.5.3 (04.07.2015:1)
OS: Windows 8.1 Pro x64
Ran by Dan on 12/04/2015 at  9:29:37.04
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
~~~ Services
 
 
 
~~~ Registry Values
 
 
 
~~~ Registry Keys
 
 
 
~~~ Files
 
Successfully deleted: [File] "C:\WINDOWS\wininit.ini"
 
 
 
~~~ Folders
 
 
 
~~~ Event Viewer Logs were cleared
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 12/04/2015 at  9:30:46.09
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 


#6 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:06:05 AM

Posted 12 April 2015 - 04:40 AM

Hi,

 

 

Here are the last set of steps just to make sure nothing is lurking in the dark corners. smile.png

 

 

 

STEP 1

 

 

icon_zps423a0d9f.jpg Please download ZHPCleaner (by NicolasCoolman) to your desktop.

  • Double click on ZHPCleaner to run the tool. (Vista/Windows 7/8 users right-click and select Run As Administrator).
  • Please click the Ashampoo_Snap_20140819_13h09m50s_001__zp button.
  • Then press the y3pI4LR.png button.
  • During the scan any open instances of the browsers will be closed automatically.
  • A logfile will automatically open after the scan has finished.
  • Please post the contents of that logfile with your next reply.

 

 

STEP 2

 

 

 

1.Please download HitmanPro.

  • For 32-bit Operating System - dEMD6.gif.
  • This is the mirror - dEMD6.gif
  • For 64-bit Operating System - dEMD6.gif
  • This is the mirror - dEMD6.gif

2.Launch the program by double clicking on the 5vo5F.jpg icon. (Windows Vista/7 users right click on the HitmanPro icon and select run as administrator).

Note: If the program won't run please then open the program while holding down the left CTRL key until the program is loaded.

3.Click on the next button. You must agree with the terms of EULA. (if asked)

4.Check the box beside "No, I only want to perform a one-time scan to check this computer".

5.Click on the next button.

6.The program will start to scan the computer. The scan will typically take no more than 2-3 minutes.

7.When the scan is done click on drop-down menu of the found entries (if any) and choose - Apply to all => Ignore <= IMPORTANT!!!

 

6-scanfin-choose.jpg
 
8.Click on the next button.

9.Click on the "Save Log" button.

10.Save that file to your desktop and post the content of that file in your next reply.
 
Note: if there isn't a dropdown menu when the scan is done then please don't delete anything and close HitmanPro

Navigate to C:\ProgramData\HitmanPro\Logs open the report and copy and paste it to your next reply.

 

Note: Programdata is hidden by default. Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
How to see hidden files in Windows

 

 

 

STEP 3

 

 

emsisoft_emergency_kit.pnglogo.png

  • Download EmsisoftEmergencyKit, run the exe and extract the content in a folder of your choice like (C:\EEK) by clicking the Extract button.
  • Double-click the desktop-shortcut called Start Emsisoft Emergency Kit to start the tool.
  • Click on the "Yes" button when asked to obtain the latest malware definitions.
  • Once the update is complete click "Scan".
  • Click on the "Yes" button when asked to enable the scan for Potentially Unwanted Applications.
  • Next click on the Full Scan. When the scan complete, click on the View Report button (don't delete or quarantine anything).
  • Please copy and paste the content of the report in your next reply.

 

 

 

STEP 4

 

 

Also let's check for outdated and vulnerable software on your pc

 

 

Download Security Check by screen317 from here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

 

and then if there aren't any issues left I'll give you my final recommendations. :)

Let me know for any remaining issues.

 

 

Regards,

Georgi


cXfZ4wS.png


#7 the geekfreak

the geekfreak
  • Topic Starter

  • Members
  • 53 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:swansea uk
  • Local time:08:05 PM

Posted 12 April 2015 - 05:29 AM

~ ZHPCleaner v2015.4.11.165 by Nicolas Coolman (12/04/2015)
~ Run by Dan (Administrator)  (12/04/2015 10:48:00)
~ State version : Version OK
~ Type : Scan
~ Report : C:\Users\Dan\Desktop\ZHPCleaner.txt
~ Quarantine : C:\Users\Dan\AppData\Roaming\ZHP\ZHPCleaner_Quarantine.txt
~ UAC : Activate
~ Boot Mode : Normal (Normal boot)
~ Windows 81, 64-bit  (Build 9600)
 
 
---\\  Services (0)
~ No malicious items found.
 
 
---\\  Browser internet (0)
~ No malicious items found.
 
 
---\\  Hosts file (1)
~ The hosts file is legitimate (15518)
 
 
---\\  Scheduled automatic tasks. (0)
~ No malicious items found.
 
 
---\\  Explorer ( File, Folder) (2)
FOUND file: C:\WINDOWS\Prefetch\SPYHUNTER-INSTALLER.EXE-F51929F4.pf  (Crapware.SpyHunter)
FOUND file: C:\WINDOWS\Prefetch\SPYHUNTER4.EXE-7BD5E907.pf  (Crapware.SpyHunter)
 
 
---\\  Registry ( Key, Value, Data) (4)
FOUND data: HKCR\\Shell\Open\Command\\Default [Bad : [html] ]  (Broken.OpenCommand)
FOUND key: [X64] HKLM\SOFTWARE\Classes\Pab74c68c_a8a1_4247_9bc0_9bca8ed9d337_.Pab74c68c_a8a1_4247_9bc0_9bca8ed9d337_.9 [SalePlus] (PUP.SalePlus)
FOUND key: [X64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\017FBE4BFF801E1C0CA173EC30517151 [c:\Program Files\Corel\Corel VideoStudio Ultimate X8\zh-TW\MovieWizardRC.dll] (PUP.MovieWizard)
FOUND key: [X64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\02F340680E70A828CABB95ABDBBAC4F5 [c:\Program Files\Corel\Corel VideoStudio Ultimate X8\BITMAP\MovieWizard\CheckBox\] (PUP.MovieWizard)
 
 
---\\ Result of repair
~ Any repair made
~ Browser not found (Mozilla Firefox)
~ Browser not found (Opera Software)
 
 
---\\ Statistics
~ Items scanned : 107068
~ Items found : 6
~ Items repaired : 0
 
 
End of clean at 10:52:01
===================
ZHPCleaner-[S]-12042015-10_52_01.txt
 
 

HitmanPro 3.7.9.240
www.hitmanpro.com
 
   Computer name . . . . : BEAST
   Windows . . . . . . . : 6.3.0.9600.X64/4
   User name . . . . . . : BEAST\Dan
   UAC . . . . . . . . . : Enabled
   License . . . . . . . : Free
 
   Scan date . . . . . . : 2015-04-12 10:53:37
   Scan mode . . . . . . : Normal
   Scan duration . . . . : 1m 1s
   Disk access mode  . . : Direct disk access (SRB)
   Cloud . . . . . . . . : Internet
   Reboot  . . . . . . . : No
 
   Threats . . . . . . . : 0
   Traces  . . . . . . . : 16
 
   Objects scanned . . . : 2,026,716
   Files scanned . . . . : 72,125
   Remnants scanned  . . : 505,014 files / 1,449,577 keys
 
Suspicious files ____________________________________________________________
 
   C:\Users\Dan\AppData\Local\PunkBuster\BF3\pb\dll\wc002342.dll
      Size . . . . . . . : 969,032 bytes
      Age  . . . . . . . : 253.0 days (2014-08-02 11:21:37)
      Entropy  . . . . . : 7.6
      SHA-256  . . . . . : FC5702BFEF687EDAF89499C7849E4FDA0AF9D72A5A632C5B4E20F2562468596C
      RSA Key Size . . . : 2048
      Authenticode . . . : Valid
      Fuzzy  . . . . . . : 22.0
         The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Program contains PE structure anomalies. This is not typical for most programs.
         Program is code signed with a valid Authenticode certificate.
 
   C:\Users\Dan\AppData\Local\PunkBuster\BF3\pb\pbcl.dll
      Size . . . . . . . : 969,032 bytes
      Age  . . . . . . . : 249.8 days (2014-08-05 14:37:37)
      Entropy  . . . . . : 7.6
      SHA-256  . . . . . : FC5702BFEF687EDAF89499C7849E4FDA0AF9D72A5A632C5B4E20F2562468596C
      RSA Key Size . . . : 2048
      Authenticode . . . : Valid
      Fuzzy  . . . . . . : 22.0
         The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Program contains PE structure anomalies. This is not typical for most programs.
         Program is code signed with a valid Authenticode certificate.
 
   C:\Users\Dan\AppData\Local\PunkBuster\BF3\pb\pbclold.dll
      Size . . . . . . . : 969,032 bytes
      Age  . . . . . . . : 253.0 days (2014-08-02 11:16:06)
      Entropy  . . . . . : 7.6
      SHA-256  . . . . . : FC5702BFEF687EDAF89499C7849E4FDA0AF9D72A5A632C5B4E20F2562468596C
      RSA Key Size . . . : 2048
      Authenticode . . . : Valid
      Fuzzy  . . . . . . : 22.0
         The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Program contains PE structure anomalies. This is not typical for most programs.
         Program is code signed with a valid Authenticode certificate.
 
   C:\Users\Dan\AppData\Local\PunkBuster\BF3\pb\PnkBstrK.sys
      Size . . . . . . . : 140,520 bytes
      Age  . . . . . . . : 253.0 days (2014-08-02 11:16:16)
      Entropy  . . . . . : 7.8
      SHA-256  . . . . . : A02F21CE0AAE716212DD2593B8392A7674D8CE932B3B133B3A33152809E7307C
      RSA Key Size . . . : 2048
      Authenticode . . . : Valid
      Fuzzy  . . . . . . : 22.0
         The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Program contains PE structure anomalies. This is not typical for most programs.
         The file is a device driver. Device drivers run as trusted (highly privileged) code.
         Program is code signed with a valid Authenticode certificate.
 
   C:\Users\Dan\AppData\Local\PunkBuster\BF4\pb\PnkBstrK.sys
      Size . . . . . . . : 140,056 bytes
      Age  . . . . . . . : 139.7 days (2014-11-23 17:25:47)
      Entropy  . . . . . : 7.8
      SHA-256  . . . . . : 47B3809EC160F55624EDE90E170827DB5E94FEFEB5E33C893CFE5D6F49FACF3A
      RSA Key Size . . . : 2048
      Authenticode . . . : Valid
      Fuzzy  . . . . . . : 22.0
         The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Program contains PE structure anomalies. This is not typical for most programs.
         The file is a device driver. Device drivers run as trusted (highly privileged) code.
         Program is code signed with a valid Authenticode certificate.
 
   C:\Users\Dan\AppData\Local\PunkBuster\BFH\pb\pbcl.dll
      Size . . . . . . . : 1,010,200 bytes
      Age  . . . . . . . : 24.6 days (2015-03-18 20:09:00)
      Entropy  . . . . . : 7.6
      SHA-256  . . . . . : C36E1D128A92709FEB7D569A9DC5019FA20977346DF223B61054672EDD1FF2D1
      RSA Key Size . . . : 2048
      Authenticode . . . : Valid
      Fuzzy  . . . . . . : 22.0
         The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Program contains PE structure anomalies. This is not typical for most programs.
         Program is code signed with a valid Authenticode certificate.
      Forensic Cluster
         -0.1s C:\ProgramData\Microsoft\Windows Defender\Scans\MetaStore\2\18\
         -0.1s C:\Users\Dan\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B8944BA8AD0EFDF0E01A43EF62BECD0_99B19D26BD58DA7B2BD394E131904932
         -0.1s C:\Users\Dan\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B8944BA8AD0EFDF0E01A43EF62BECD0_99B19D26BD58DA7B2BD394E131904932
          0.0s C:\Users\Dan\AppData\Local\PunkBuster\BFH\pb\pbcl.dll
          0.0s C:\Users\Dan\AppData\Local\PunkBuster\BFH\pb\pbag.dll
 
   C:\Users\Dan\AppData\Local\PunkBuster\BFH\pb\PnkBstrK.sys
      Size . . . . . . . : 140,128 bytes
      Age  . . . . . . . : 68.0 days (2015-02-03 10:11:59)
      Entropy  . . . . . : 7.7
      SHA-256  . . . . . : 2F2D9F995E89C133A53D941304EEE1D1B327F1438FA2B9CA31C019B03A297FF6
      RSA Key Size . . . : 2048
      Authenticode . . . : Valid
      Fuzzy  . . . . . . : 22.0
         The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Program contains PE structure anomalies. This is not typical for most programs.
         The file is a device driver. Device drivers run as trusted (highly privileged) code.
         Program is code signed with a valid Authenticode certificate.
 
   C:\Users\Dan\Downloads\FRST64.exe
      Size . . . . . . . : 2,095,616 bytes
      Age  . . . . . . . : 1.0 days (2015-04-11 09:52:19)
      Entropy  . . . . . : 7.5
      SHA-256  . . . . . : 72AAB1C62CF0BC00F5B102954B603D1509B2AF5F0BD1911E9CAE98C4DDE2D152
      Needs elevation  . : Yes
      Fuzzy  . . . . . . : 24.0
         Program has no publisher information but prompts the user for permission elevation.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Time indicates that the file appeared recently on this computer.
 
 
Potential Unwanted Programs _________________________________________________
 
   HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\ (UniDeals)
   HKU\S-1-5-18\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\ (UniDeals)
   HKU\S-1-5-21-105014023-2738048968-2884344003-1001\Software\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ (UniDeals)
   HKU\S-1-5-21-105014023-2738048968-2884344003-1001\Software\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\ (UniDeals)
   HKU\S-1-5-21-105014023-2738048968-2884344003-1001_Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ (UniDeals)
   HKU\S-1-5-21-105014023-2738048968-2884344003-1001_Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\ (UniDeals)
   HKU\S-1-5-21-105014023-2738048968-2884344003-1001_Classes\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\ (UniDeals)
   HKU\S-1-5-21-105014023-2738048968-2884344003-1001_Classes\Wow6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ (UniDeals)
 
 
 

Emsisoft Emergency Kit - Version 9.0
Last update: 12/04/2015 11:00:54
User account: BEAST\Dan
 
Scan settings:
 
Scan type: Full Scan
Objects: Rootkits, Memory, Traces, C:\, D:\
 
Detect PUPs: On
Scan archives: On
ADS Scan: On
File extension filter: Off
Advanced caching: On
Direct disk access: Off
 
Scan start: 12/04/2015 11:01:23
Value: HKEY_USERS\S-1-5-21-105014023-2738048968-2884344003-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR detected: Setting.DisableTaskMgr (A)
Value: HKEY_USERS\S-1-5-21-105014023-2738048968-2884344003-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS detected: Setting.DisableRegistryTools (A)
C:\Users\Dan\Downloads\Software-free.net_Corel_VideoStudio_Ultimate_X8_Keygen.rar -> Corel VideoStudio Ultimate X8 v18.0.0.181 Incl Keygen\keygen.exe detected: Trojan.Generic.12846683 (B)
C:\Users\Dan\Downloads\Software-free.net_Corel_VideoStudio_Ultimate_X8_Keygen.rar -> Corel VideoStudio Ultimate X8 v18.0.0.181 Incl Keygen\keygen.rar -> keygen.exe detected: Trojan.Generic.12846683 (B)
 
Scanned 383574
Found 4
 
Scan end: 12/04/2015 11:25:08
Scan time: 0:23:45
 

 Results of screen317's Security Check version 1.00  
   x64 (UAC is enabled)  
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:`````````````` 
 Windows Firewall Enabled!  
 Windows Firewall Disabled!  
Windows Defender   
 WMI entry may not exist for antivirus; attempting automatic update. 
`````````Anti-malware/Other Utilities Check:````````` 
 MVPS Hosts File  
 Spybot - Search & Destroy 
 TikiOne Steam Cleaner   
 Java 7 Update 67  
 Java version 32-bit out of Date! 
 Adobe Flash Player 17.0.0.134  
 Google Chrome (41.0.2272.118) 
````````Process Check: objlist.exe by Laurent````````  
 Windows Defender MSMpEng.exe 
 Spybot Teatimer.exe is disabled! 
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C:  % 
````````````````````End of Log`````````````````````` 
 
 


#8 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:06:05 AM

Posted 13 April 2015 - 01:46 AM

Hi,
 
 
Please download the following file => and save it to the Desktop.
NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

 

 

UPDATING TASKS

 

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version of Java components and upgrade the application.

  • Download the latest version of Java SE 8.
  • Click the Java SE 8u40 "Download JRE" button to the right.
  • Select your Platform, Register and check the box that says: "I agree to the Java SE Runtime Environment 8 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-8u40-windows-i586.exe) and save it to your desktop. Do NOT use the Sun Download Manager..
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel > Programs, click on Uninstall a program and remove all older versions of Java:
    Java 7 Update 67
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version. (Vista/Windows 7 users, right click on the jre-8u40-windows-i586.exe and select "Run as an Administrator.")

 

 

Next please run JavaRa.

 

  • Please download JavaRa 2.6 and unzip it to your desktop.
  • Double-click on JavaRa.exe to start the program.
  • Choose Remove JRE and since you already uninstalled the old version of JAVA skip step 1 and click on the next button.
  • Now click on Perform Removal Routine to remove the older versions of Java installed on your computer.
  • When that's successfully done, please click OK to close the message.
  • Click on Next and skip the downloading process. Click Next and now click on Close this wizard and click Finish.
  • From the main menu please choose Additional tasks
  • Place a checkmark beside Remove startup entry, Remove Outdated JRE Firefox Extentions and Clean JRE Temp Files and click Run. The browsers should be closed before running this task.
  • When that's succesfully done you will see a message at the top saying: "Selected tasks completed successfully".
  • A log file should be created in the same directory as JavaRa.
  • Please attach the log to your next reply.
  • Close JavaRa by clicking the red cross button.

 

 

Let me know how are things now.

 
 
Regards,
Georgi


Edited by B-boy/StyLe/, 13 April 2015 - 05:19 AM.
typo.

cXfZ4wS.png


#9 the geekfreak

the geekfreak
  • Topic Starter

  • Members
  • 53 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:swansea uk
  • Local time:08:05 PM

Posted 13 April 2015 - 02:51 AM

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 12-04-2015
Ran by Dan at 2015-04-13 08:35:49 Run:2
Running from C:\Users\Dan\Desktop
Loaded Profiles: Dan (Available profiles: Dan)
Boot Mode: Normal
==============================================
 
Content of fixlist:
*****************
start
CreateRestorePoint:
CloseProcesses:
C:\Users\Dan\Downloads\Software-free.net_Corel_VideoStudio_Ultimate_X8_Keygen.rar
C:\WINDOWS\Prefetch\SPYHUNTER-INSTALLER.EXE-F51929F4.pf
C:\WINDOWS\Prefetch\SPYHUNTER4.EXE-7BD5E907.pf
DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Pab74c68c_a8a1_4247_9bc0_9bca8ed9d337_.Pab74c68c_a8a1_4247_9bc0_9bca8ed9d337_.9
DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\Pab74c68c_a8a1_4247_9bc0_9bca8ed9d337_.Pab74c68c_a8a1_4247_9bc0_9bca8ed9d337_.9
DeleteKey: HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}
DeleteKey: HKU\S-1-5-18\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}
DeleteKey: HKU\S-1-5-21-105014023-2738048968-2884344003-1001\Software\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}
DeleteKey: HKU\S-1-5-21-105014023-2738048968-2884344003-1001\Software\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}
DeleteKey: HKU\S-1-5-21-105014023-2738048968-2884344003-1001_Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}
DeleteKey: HKU\S-1-5-21-105014023-2738048968-2884344003-1001_Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}
DeleteKey: HKU\S-1-5-21-105014023-2738048968-2884344003-1001_Classes\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}
DeleteKey: HKU\S-1-5-21-105014023-2738048968-2884344003-1001_Classes\Wow6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}
end
*****************
 
Restore point was successfully created.
Processes closed successfully.
C:\Users\Dan\Downloads\Software-free.net_Corel_VideoStudio_Ultimate_X8_Keygen.rar => Moved successfully.
C:\WINDOWS\Prefetch\SPYHUNTER-INSTALLER.EXE-F51929F4.pf => Moved successfully.
C:\WINDOWS\Prefetch\SPYHUNTER4.EXE-7BD5E907.pf => Moved successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Pab74c68c_a8a1_4247_9bc0_9bca8ed9d337_.Pab74c68c_a8a1_4247_9bc0_9bca8ed9d337_.9 => Failed to delete key at first attempt (Error: C0000121), see next line.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Pab74c68c_a8a1_4247_9bc0_9bca8ed9d337_.Pab74c68c_a8a1_4247_9bc0_9bca8ed9d337_.9 => Key could not be deleted. Access denied.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\Pab74c68c_a8a1_4247_9bc0_9bca8ed9d337_.Pab74c68c_a8a1_4247_9bc0_9bca8ed9d337_.9 => Key not found. 
HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA} => Failed to delete key at first attempt (Error: C0000121), see next line.
HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA} => Key could not be deleted. Access denied.
HKU\S-1-5-18\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA} => Key could not be deleted. Access denied.
HKU\S-1-5-21-105014023-2738048968-2884344003-1001\Software\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326} => Failed to delete key at first attempt (Error: C0000121), see next line.
HKU\S-1-5-21-105014023-2738048968-2884344003-1001\Software\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326} => Key could not be deleted. Access denied.
HKU\S-1-5-21-105014023-2738048968-2884344003-1001\Software\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040} => Failed to delete key at first attempt (Error: C0000121), see next line.
HKU\S-1-5-21-105014023-2738048968-2884344003-1001\Software\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040} => Key could not be deleted. Access denied.
HKU\S-1-5-21-105014023-2738048968-2884344003-1001_Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326} => Key could not be deleted. Access denied.
HKU\S-1-5-21-105014023-2738048968-2884344003-1001_Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040} => Key could not be deleted. Access denied.
HKU\S-1-5-21-105014023-2738048968-2884344003-1001_Classes\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5} => Failed to delete key at first attempt (Error: C0000121), see next line.
HKU\S-1-5-21-105014023-2738048968-2884344003-1001_Classes\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5} => Key could not be deleted. Access denied.
HKU\S-1-5-21-105014023-2738048968-2884344003-1001_Classes\Wow6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326} => Failed to delete key at first attempt (Error: C0000121), see next line.
HKU\S-1-5-21-105014023-2738048968-2884344003-1001_Classes\Wow6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326} => Key could not be deleted. Access denied.
 
 
The system needed a reboot. 
 
==== End of Fixlog 08:36:47 ====
 
User initialised redundant data purge.
......................
 
Removed registry subkey: java.exe
Removed registry subkey: javaw.exe
Removed registry subkey tree: {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
Removed registry subkey tree: {5852F5ED-8BF4-11D4-A245-0080C6F74284}
Removed registry subkey: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
Removed registry subkey: {DBC80044-A445-435b-BC74-9C25C1C588A9}
Removed registry subkey: F60730A4A66673047777F5728467D401
Removed registry subkey tree: F60730A4A66673047777F5728467D401
Removed registry subkey: A5CCAAC40F5B69B47777ACF82566467C
Removed registry subkey tree: {5852F5EC-8BF4-11D4-A245-0080C6F74284}
Removed registry subkey: application/java-deployment-toolkit
Removed registry subkey: application/x-java-applet
Removed registry subkey: application/x-java-jnlp-file
Removed registry subkey tree: {5852F5E0-8BF4-11D4-A245-0080C6F74284}
Removed registry subkey: .jar
Removed registry subkey: .jnlp
Removed registry subkey tree: jarfile
Removed registry subkey tree: JavaWebStart.isInstalled
Removed registry subkey tree: JavaWebStart.isInstalled.1.7.0.0
Removed registry subkey tree: JNLPFile
Removed registry subkey: {5852F5ED-8BF4-11D4-A245-0080C6F74284}
Removed registry subkey: javaws.exe
Removed registry subkey: Browser Helper Objects
Removed registry subkey: A5CCAAC40F5B69B47777ACF82566467C
Removed registry subkey: 225FA5D4CDB0C57489E7F511C11D0182
Removed registry subkey: 225FC5D4ADB0C57489E7F511C11D0182
Removed registry subkey: 225FC5D4BDB0C57489E7F511C11D0182
Removed registry subkey: 52AAFD69654C07446983ADA1256FC7A9
Removed registry subkey: AD9BB15F1AC776D49B768EDF5A02B896
Removed registry subkey: E1215CC4312C58A4A8F9D630115FB457
Removed registry subkey tree: F60730A4A66673047777F5728467D401
Exception encountered in module [JavaRa]
Message: Cannot delete a subkey tree because the subkey does not exist.
   at Microsoft.Win32.RegistryKey.DeleteSubKeyTreeInternal(String subkey)
   at Microsoft.Win32.RegistryKey.DeleteSubKeyTree(String subkey)
   at JavaRa.routines_registry.delete_key(String key)
 
Removed registry subkey: Oracle_JavaAccessBridge
Removed registry subkey tree: JavaSoft
Removal routine completed successfully. 33 items have been deleted.
== Cleaning JRE temporary files ==
 
== Cleaning JRE temporary files ==
 
 
Can we also remove all these programmes i have downloaded and uninstall  ?

Edited by the geekfreak, 13 April 2015 - 02:52 AM.


#10 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:06:05 AM

Posted 13 April 2015 - 03:24 AM

Hi,

 

For some reason something prevented FRST from deleting the affected registry keys.

Please temporarily close all programs and disable Windows Defender this way:

http://winaero.com/blog/how-to-disable-or-enable-windows-defender-in-windows-8-1/

and then run the script again and post back the results.

 

We will delete the tools we used at the end of the cleaning process. Don't worry about them. :)

 

 

Regards,

Georgi


cXfZ4wS.png


#11 the geekfreak

the geekfreak
  • Topic Starter

  • Members
  • 53 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:swansea uk
  • Local time:08:05 PM

Posted 13 April 2015 - 03:55 AM

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 12-04-2015
Ran by Dan at 2015-04-13 09:51:22 Run:3
Running from C:\Users\Dan\Desktop
Loaded Profiles: Dan (Available profiles: Dan)
Boot Mode: Normal
==============================================
 
Content of fixlist:
*****************
start
CreateRestorePoint:
CloseProcesses:
C:\Users\Dan\Downloads\Software-free.net_Corel_VideoStudio_Ultimate_X8_Keygen.rar
C:\WINDOWS\Prefetch\SPYHUNTER-INSTALLER.EXE-F51929F4.pf
C:\WINDOWS\Prefetch\SPYHUNTER4.EXE-7BD5E907.pf
DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Pab74c68c_a8a1_4247_9bc0_9bca8ed9d337_.Pab74c68c_a8a1_4247_9bc0_9bca8ed9d337_.9
DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\Pab74c68c_a8a1_4247_9bc0_9bca8ed9d337_.Pab74c68c_a8a1_4247_9bc0_9bca8ed9d337_.9
DeleteKey: HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}
DeleteKey: HKU\S-1-5-18\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}
DeleteKey: HKU\S-1-5-21-105014023-2738048968-2884344003-1001\Software\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}
DeleteKey: HKU\S-1-5-21-105014023-2738048968-2884344003-1001\Software\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}
DeleteKey: HKU\S-1-5-21-105014023-2738048968-2884344003-1001_Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}
DeleteKey: HKU\S-1-5-21-105014023-2738048968-2884344003-1001_Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}
DeleteKey: HKU\S-1-5-21-105014023-2738048968-2884344003-1001_Classes\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}
DeleteKey: HKU\S-1-5-21-105014023-2738048968-2884344003-1001_Classes\Wow6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}
end
*****************
 
Restore point was successfully created.
Processes closed successfully.
"C:\Users\Dan\Downloads\Software-free.net_Corel_VideoStudio_Ultimate_X8_Keygen.rar" => File/Directory not found.
"C:\WINDOWS\Prefetch\SPYHUNTER-INSTALLER.EXE-F51929F4.pf" => File/Directory not found.
"C:\WINDOWS\Prefetch\SPYHUNTER4.EXE-7BD5E907.pf" => File/Directory not found.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Pab74c68c_a8a1_4247_9bc0_9bca8ed9d337_.Pab74c68c_a8a1_4247_9bc0_9bca8ed9d337_.9 => Failed to delete key at first attempt (Error: C0000121), see next line.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Pab74c68c_a8a1_4247_9bc0_9bca8ed9d337_.Pab74c68c_a8a1_4247_9bc0_9bca8ed9d337_.9 => Key Deleted Successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\Pab74c68c_a8a1_4247_9bc0_9bca8ed9d337_.Pab74c68c_a8a1_4247_9bc0_9bca8ed9d337_.9 => Key not found. 
HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA} => Failed to delete key at first attempt (Error: C0000121), see next line.
HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA} => Key Deleted Successfully.
HKU\S-1-5-18\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA} => Key not found. 
HKU\S-1-5-21-105014023-2738048968-2884344003-1001\Software\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326} => Failed to delete key at first attempt (Error: C0000121), see next line.
HKU\S-1-5-21-105014023-2738048968-2884344003-1001\Software\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326} => Key Deleted Successfully.
HKU\S-1-5-21-105014023-2738048968-2884344003-1001\Software\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040} => Failed to delete key at first attempt (Error: C0000121), see next line.
HKU\S-1-5-21-105014023-2738048968-2884344003-1001\Software\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040} => Key Deleted Successfully.
HKU\S-1-5-21-105014023-2738048968-2884344003-1001_Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326} => Key not found. 
HKU\S-1-5-21-105014023-2738048968-2884344003-1001_Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040} => Key not found. 
HKU\S-1-5-21-105014023-2738048968-2884344003-1001_Classes\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5} => Failed to delete key at first attempt (Error: C0000121), see next line.
HKU\S-1-5-21-105014023-2738048968-2884344003-1001_Classes\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5} => Key Deleted Successfully.
HKU\S-1-5-21-105014023-2738048968-2884344003-1001_Classes\Wow6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326} => Failed to delete key at first attempt (Error: C0000121), see next line.
HKU\S-1-5-21-105014023-2738048968-2884344003-1001_Classes\Wow6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326} => Key Deleted Successfully.
 
 
The system needed a reboot. 
 
==== End of Fixlog 09:51:42 ====


#12 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:06:05 AM

Posted 13 April 2015 - 04:18 AM

Hello,

 

 

Thank you for following my instructions perfectly! :bounce:

 

 

Now that we are at the end of our journey I have some final words for you. :)
All Clean !
Your machine appears to be clean, please take the time to read below on how to secure the machine and take the necessary steps to keep it Clean.

 

 

 

STEP 1 - CLEANUP


Here are a few additional steps on how to remove all of the tools we used as promised:

 

 

Download the following file => and save it to the Desktop.
NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST/FRST64 and press the Fix button just once and wait.
It's no needed to post the log this time.

 

  • Next please download Delfix.exe by Xplode and save it to your desktop.
  • Please start it and check the box next to "Remove disinfection tools" and click on the run button.
  • The tool will delete itself once it finishes.

 

Note: If any tool, file, log file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

 

 

 

STEP 2 - SECURITY ADVICES


Change all your passwords !


Since your computer was infected for peace of mind, I would however advise you that all (or as much possible) your passwords be changed including those for bank accounts, credit cards and home loans, PIN codes etc) just in case.

 

Many of the modern malware samples have backdoor abilities and can steal confidential information from the compromised computer. Also you should check for any suspicious transactions if such occur. If you find out that you have been victim to fraud contact your bank or the appropriate institution for assistance.
Use different passwords for all your accounts. Also don't use easy passwords such as your favorite teams, bands or pets because this will allow people to guess your password.
You can use Password Generator - Norton Identity Safe to create random passwords and then install an application like KeePass Password Safe or LastPass to store them for easy access. If you do Online Banikng please read this article: Online Banking Protection Against Identity Theft

 

If you're storing passwords in the browser to access websites than they are non encrypted well. Only if you use Firefox with master password protection, this provide better security. You can add Secure Login to prevent Java and other exploits when log-in.

 

 

Keep your antivirus software turned on and up-to-date

 

 

  • New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
  • Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
  • Note: You should scan your computer with an antimalware program like Malwarebytes' Anti-Malware on a regular basis just as you would an antivirus software.
  • Be sure to check for and download any definition updates prior to performing a scan.
  • Also keep in mind that MBAM is not a replacement for antivirus software, it is meant to complement the protection provided by a full antivirus product and is designed to detect the threats that are missed by most antivirus software.

 

 

Visit Microsoft's Windows Update Site Frequently

 

  • It is important that you visit Windows Update regularly.
  • This will ensure your computer has always the latest security updates available installed on your computer.
  • If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  • It is possible for other programs on your computer to have security vulnerability that can allow malware to infect you.
  • Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities.
  • You can check these by visiting Personal Software Inspector or you can use the following application for this purpose PatchMyPC

 

 

Be prepared for CryptoLocker and similar threats:
 

Check the article below for more information:

The ascension of Crypto-Ransomware and what you need to know to protect yourself

 

Since the prevention is better than cure you can use CryptoPrevent (described in the link above) to secure the PC against these lockers. Keep in mind that if you choose high protection level in CryptoPrevent then you can encounter some problems with the installed applications. You may need to lower the protection level if you encounter such problems or to add the entries to the whitelist:

 

mtBkCIZ.jpg

 

I would not recommend you to use the latest option which is still in BETA. Many programs will not work when the Maximum Protection + Program Filtering (BETA) setting is activated...

 

Also you may need to disable the protection sometimes before you can install new software or apply updates and when you are done then you need to re-apply the protection. It can be very annoying, but still better than losing all of the documents because of Cryptolocker and his variants.

 

 

Also a new tool was created to help prevention of Ransomware called CryptoMonitor. You can take a look at it if you want. smile.png

 

 

Comodo Firewall/Internet Security can protect the data if you add all local disks to Protected Files and Folders but if you decide to use it then keep in mind to keep Windows Defender disabled!

 

Panda have an option (similar to this offered by Comodo) called Data Shield which can help you to protect your data against ransomware.

What is the Data Shield protection of Panda 2015? but if you choose to stick to Panda then you should keep Windows Defender disabled and also keep in mind that the software is shareware.

 

However using such programs on business computers can be very difficult since the users will receive a lot of pop-ups with questions and probably will be impossible for them to work in a efficient way...

 

You may want to check Malwarebytes Anti-Exploit and add install it to be safe when surfing the net. It work with the most popular browsers and it is very effective. See the article here.

 

There are other programs worth checking like Sandboxie, HitmanPro.Alert, SecureAplus (offer ClamWin - be sure to uncheck it during install if you have another AV installed), VoodooShield (similar to SecureAplus but does not offer ClamWin antivirus), Emet, Toolwiz Time Freeze, KeyScrambler Personal etc, but they are too complicated for the average user. However, you can take a look at them if have the time to learn how to use them.

 

Keep in mind to choose carefully in order to avoid conflicts or instability caused by incompatible security programs.
Also having more than one "real-time" program can be a drain on your PC's efficiency so please refrain doing so.

 

 

Practice Safe Internet


One of the main reasons people get infected in the first place is that they are not practicing Safe Internet. You practice Safe Internet when you educate yourself on how to properly use the Internet through the use of security tools and good practice. Knowing how you can get infected and what types of files and sites to avoid will be the most crucial step in keeping your computer malware free. The reality is that the majority of people who are infected with malware are ones who click on things they shouldn't be clicking on. Whether these things are files or sites it doesn't really matter. If something is out to get you, and you click on it, it most likely will.  Below are a list of simple precautions to take to keep your computer clean and running securely:

  • If you receive an attachment from someone you do not know, DO NOT OPEN IT! Simple as that.  Opening attachments from people you do not know is a very common method for viruses or worms to infect your computer.
  • .zip, .exe, .com, .bat, .pif, .scr, .cmd or .vbs do not open the attachment unless you know for a fact that it is clean. For the casual computer user, you will almost never receive a valid attachment of this type.
  • If you receive an attachment from someone you know, and it looks suspicious, then it probably is.  The email could be from someone you know infected with a malware that is trying to infect everyone in their address book.
  • If you are browsing the Internet and a popup appears saying that you are infected, ignore it!. These are, as far as I am concerned, scams that are being used to scare you into purchasing a piece of software. For an example of these types of popups, or Foistware, you should read this article:
    Foistware, And how to avoid it. There are also programs that disguise themselves as Anti-Spyware or security products but are instead scams.  For a list of these types of programs we recommend you visit this link: About Malwares, Rogues, Scarewares, SmitfraudFix
  • Another tactic to fool you on the web is when a site displays a popup that looks like a normal Windows message  or alert. When you click on them, though, they instead bring you to another site that is trying to push a product on you.  We suggest that you close these windows by clicking on the X instead of the OK button. Alternatively, you can check to see if it's a real alert by right-clicking on the window.  If there is a menu that comes up saying Add to Favorites... you know it's a fake.
  • Do not go to adult sites. I know this may bother some of you, but the fact is that a large amount of malware is pushed through these types of sites. I am not saying all adult sites do this, but a lot do.
  • When using an Instant Messaging program be cautious about clicking on links people send to you. It is not uncommon for infections to send a message to everyone in the infected person's contact list that contains a link to an infection. Instead when you receive a message that contains a link, message back to the person asking if it is legit before you click on it.
  • Stay away from Warez and Crack sites! In addition to the obvious copyright issues, the downloads from these sites are typically overrun with infections. Avoid using cracks and unknown programs from sources you don't trust. There are MANY alternative open-source applications. Malware writers just love cracks and keygens, and will often attach malicious code into them. By using cracks and/or keygens, you are asking for problems. So my advice is - stay away from them!
  • Be careful of what you download off of web sites and Peer-2-Peer networks. Some sites disguise malware as legitimate software to trick you into installing them and Peer-2-Peer networks are crawling with it. If you want to download a piece of software a from a site, and are not sure if they are legitimate, you can use McAfee Siteadvisor, Bitdefender TrafficLight or Avira Browser Safety to look up info on the site. Note: skip this advice if your antivirus have a Web Guard.
  • DO NOT INSTALL any software without first reading the End User License Agreement, otherwise known as the EULA. A tactic that some developers use is to offer their software for free, but have spyware and other programs you do not want bundled with it. This is where they make their money. By reading the agreement there is a good chance you can spot this and not install the software.
  • You may want to install unchecky to prevent adware bundled into many free programs to install. Please keep in mind that this program is a beta version of a product and not completely tested to ensure its stability or reliability.

 

 

Tweak your browsers
 

MOZILLA FIREFOX

 

To prevent further infections be sure to install the following add-ons AdBlock Plus
 

Adblock Plus hides all those annoying (and potentially dangerous) advertisements on websites that try and tempt you to buy or download something. AdBlock not only speeds up your browsing and makes it easier on your eyes, but also makes it safer.

 

Adblock Plus can be found here.
 
Do not add to many filters subscriptions because it will slow down your browser startup time.
 
erfxUim.jpg

 

 

You can take a look at NoScript as well but NoScript is only for advanced users as it blocks all the interactive parts of a webpage, such as login options. Obviously you wouldn’t want to block your ability to log on to your internet banking or your webmail, but thankfully you can tell NoScript to allow certain websites and block others. This is very useful to ensure that the website you’re visiting is not trying to tempt you to interact with another, more dangerous website.

 

You can download it from here
You can find the optimal settings here
A tutorial on how to use it can be found here

 

 

Ad-Muncher is now free so you can give it a try as well.

 

 

 

Google Chrome

 
If you like Google Chrome there are many similar extensions for this browser as well. Since I am not a Google Chrome user I can't tell you which of them are good and how they work. You should find out by yourself.

However Google Chrome can block a lot of unknown malware because of his sandbox.Beware of the fact that Google Chrome doesn't provide master password protection for your saved in the browser passwords. Check this out: Google Chrome security flaw offers unrestricted password access


 
For Internet Explorer read the article below:


Security and privacy features in Internet Explorer

 

 

Also you can change your DNS settings with these 8.26.56.26 and 8.20.247.20 to use Comodo Secure DNS for free (to prevent phishing attacks). Sometime the DNS servers may be overloaded by the traffic coming from other networks and then you can lose your internet connection. In that case you can switch back to your ISP DNS again.

 

 

Make the extensions for known file types visible:
 
 
Be wary of files with a double extension such as image.jpg.exe. As a default setting, Windows often hides common file extensions, meaning that a program like image.jpg.exe will appear to you as simply image.jpg. Double extensions exploit this by hiding the second, dangerous extension and reassuring you with the first one.Check this out - Show or hide file name extensions.


 
Disable Autorun and Windows Scripting Host:
 
 
It's a good idea to disable the Autorun functionality to prevent spreading of the infections from USB flash drives.

Check the article here for more information.

 

If you don't use any script files then you can go ahead and disable Windows Scripting Host using the tool provided by Symantec - NoScript.exe. Simple download and run it and click on the Disable button and reboot the computer. If you need to run any js. or vbs scripts at a later stage you should run NoScript again and select Enable, then reboot the computer.
 

 

 
Create an image of your system (you can use the built-in Windows software as well if you prefer)

  • Now when your pc is malware free it is a good idea to do a backup of all important files just in case something happens it.
  • Macrium Reflect is very good choice that enables you to create an image of your system drive which can be restored in case of problems.
  • The download link is here.
  • The tutorial on how to create an system image can be found here.
  • The tutorial on how to restore an system image can be found here.
  • Be sure to read the tutorial first.

 

 

Follow this list and your potential for being infected again will reduce dramatically.

 

Safe Surfing ! :)

 

Regards,

Georgi


cXfZ4wS.png


#13 the geekfreak

the geekfreak
  • Topic Starter

  • Members
  • 53 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:swansea uk
  • Local time:08:05 PM

Posted 13 April 2015 - 05:13 AM

Thank you .

 

Have sent a little something for your time .

If the Paypal does not work due to limit`s on my account then by all mean send me details of your bank and i can do a bank transfer directly .

Daniel


Edited by the geekfreak, 13 April 2015 - 05:20 AM.


#14 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:06:05 AM

Posted 13 April 2015 - 05:21 AM

Hi Daniel,

 

You're more than welcome! I am glad I could help! smile.png

Thanks for the beers! beer11.gif

 

Take care!

 

 

Regards,

Georgi


cXfZ4wS.png


#15 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:06:05 AM

Posted 15 April 2015 - 01:42 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

cXfZ4wS.png





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users