Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Possible virus - programs disabled, occasional freeze/Windows load issues


  • Please log in to reply
28 replies to this topic

#1 Danzar1

Danzar1

  • Members
  • 56 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:46 AM

Posted 25 January 2016 - 03:47 AM

Hi guys

 

I think I have a virus. Specs are an Intel-based PC running Windows 10 64bit. 

 
Symptoms:
  • AVG detection - found a 'MalSign.ClientConnect.A57' yesterday (Cscript.exe process).
  • Poor booting - boots to windows login fine, but getting into Windows is inconsistent. Sometimes it works, sometimes I get a grey screen, sometimes a black screen. The latter leads to alot of HDD activity and only occurs when the internet is disconnected. 
  • Programs no longer run - this seems to be most Windows programs plus installed programs located in the c:/program files folder. Programs in the 32-bit c:/program files (x86) folder appear to work.
  • Application errors - rundll32.exe (comes up twice), rtkNGUI64.exe, all at first Windows entry.
  • Complete freezes. 
  • Internet issues - Chrome works as it's in the x86 folder, and browsing seems sluggish but ok. The issues are when the net is simply on, the machine freezes, HDD starts loading, or I get black screens.
 
Possible causes:
  • A torrent file - recently I was downloading a torrent for a bunch of old F1 races (legit, from 1978-80) and I wanted to swap clients. Redownloaded the original torrent file and it kept downloading to appdata/temp, not downloads. After a minute, it would disappear entirely. Files was 10MB which is unusual for a torrent.
  • ..or I don't have a virus but messed something up (see below).
 
Emisoft anti malware - all hell broke loose right after I ran this yesterday. Before that, I just suspected I had a virus. The scan showed only one possible issue, something called 'setting.disableregistrytools'. I deleted it, then the problems above started.
 
A latter scan using Malwarebytes found 30 or so issues, most being files in a temp folder. I couldn't get a log because notepad doesn't work (refer issues above). I also couldn't delete the files, it just didn't work.
 
Other issues:
 
  • Rkill doesn't work as the Command Console is disabled.
  • Windows reported a strange 'COM surrogate' error.
  • The scan turned up an odd alleged program called OCComSDK.
  • I can't system restore because CP is disabled.
  • I can't create log files as notepad is disabled.
 
Would appreciate advice or assistance. For the purposes of logs, I'll try and make notepad++ my default. It works, unlike the stock notepad.
 
Thanks!
 
Dan

Edited by Danzar1, 25 January 2016 - 03:49 AM.


BC AdBot (Login to Remove)

 


#2 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,670 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:46 AM

Posted 25 January 2016 - 08:34 PM

Hi Danzar1 :)

My name is Aura and I'll be assisting you with your issue. Are you able to boot in Safe Mode with Networking, and run MiniToolBox using the instructions below from there?

3Al62Pm.pngMiniToolBox
  • Download MiniToolBox and move the file to your Desktop;
  • Right-click on MiniToolBox.exe and select Spcusrh.pngRun as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Check the following options:
    • Flush DNS;
    • Report IE Proxy Settings;
    • Reset IE Proxy Settings;
    • Report FF Proxy Settings;
    • Reset FF Proxy Settings;
    • List content of Hosts;
    • List IP Configuration;
    • List Winsock Entries;
    • List Last 10 Event Viewer Errors;
    • List Installed Programs;
    • List Devices - Only Problems;
    • List Users, Partitions and Memory size;
      OQmAcqS.png
  • Once this is done, click on Go and wait for the scan to complete;
  • Once the scan is complete, a log will open. Please copy/paste the content of the output log in your next reply;

unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 Danzar1

Danzar1
  • Topic Starter

  • Members
  • 56 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:46 AM

Posted 25 January 2016 - 09:38 PM

Hi Aura, thanks for your reply. One thing to note: I managed an auto restore, which seems to have resolved all of the issues. Let me know if you feel it's not worth investigating any further. Here is the log:

 

MiniToolBox by Farbar  Version: 02-11-2015
Ran by dannyboy (administrator) on 26-01-2016 at 13:28:57
Running from "C:\Users\dannyboy\Desktop"
Microsoft Windows 10 Home  (X64)
Model: H97M-D3H Manufacturer: Gigabyte Technology Co., Ltd.
Boot Mode: Network
***************************************************************************
 
========================= Flush DNS: ===================================
 
Windows IP Configuration
 
Successfully flushed the DNS Resolver Cache.
 
========================= IE Proxy Settings: ============================== 
 
Proxy is not enabled.
No Proxy Server is set.
 
"Reset IE Proxy Settings": IE Proxy Settings were reset.
 
========================= FF Proxy Settings: ============================== 
 
 
"Reset FF Proxy Settings": Firefox Proxy settings were reset.
 
========================= Hosts content: =================================
127.0.0.1       localhost
========================= IP Configuration: ================================
 
TAP-Win32 Adapter V9 = Ethernet (Media disconnected)
Qualcomm Atheros AR9287 Wireless Network Adapter = Wireless Network Connection (Media disconnected)
Realtek PCIe GBE Family Controller = Local Area Connection (Media disconnected)
 
 
# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4
 
reset
set global
set interface interface="Local Area Connection* 1" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="Local Area Connection* 2" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="Local Area Connection 6" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="Wireless Network Connection 2" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="Local Area Connection" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="Local Area Connection 5" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="Wireless Network Connection" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="Local Area Connection 2" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="Local Area Connection 3" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="Ethernet" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="Local Area Connection* 3" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="Ethernet 2" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="Ethernet 3" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
 
 
popd
# End of IPv4 configuration
 
 
 
Windows IP Configuration
 
   Host Name . . . . . . . . . . . . : dannyboy-PC
   Primary Dns Suffix  . . . . . . . : 
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
 
Ethernet adapter Local Area Connection:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
   Physical Address. . . . . . . . . : 74-D4-35-FF-13-A0
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
 
Wireless LAN adapter Wireless Network Connection:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : home.gateway
   Description . . . . . . . . . . . : Qualcomm Atheros AR9287 Wireless Network Adapter
   Physical Address. . . . . . . . . : E8-DE-27-9A-F8-F1
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
 
Wireless LAN adapter Local Area Connection* 2:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Microsoft Hosted Network Virtual Adapter
   Physical Address. . . . . . . . . : 5A-DE-27-9A-F8-F1
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
 
Wireless LAN adapter Local Area Connection* 3:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter
   Physical Address. . . . . . . . . : 1A-DE-27-9A-F8-F1
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
 
Tunnel adapter Local Area Connection 2:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : BlackBerry Virtual Private Network
   Physical Address. . . . . . . . . : 02-F0-FA-79-C0-01
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
 
Ethernet adapter Ethernet:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : TAP-Win32 Adapter V9
   Physical Address. . . . . . . . . : 00-FF-55-33-FF-76
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
Server:  UnKnown
Address:  127.0.0.1
 
Ping request could not find host google.com. Please check the name and try again.
Server:  UnKnown
Address:  127.0.0.1
 
Ping request could not find host yahoo.com. Please check the name and try again.
 
Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
 
Ping statistics for 127.0.0.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
  3...74 d4 35 ff 13 a0 ......Realtek PCIe GBE Family Controller
  7...e8 de 27 9a f8 f1 ......Qualcomm Atheros AR9287 Wireless Network Adapter
 17...5a de 27 9a f8 f1 ......Microsoft Hosted Network Virtual Adapter
  5...1a de 27 9a f8 f1 ......Microsoft Wi-Fi Direct Virtual Adapter
 10...02 f0 fa 79 c0 01 ......BlackBerry Virtual Private Network
 12...00 ff 55 33 ff 76 ......TAP-Win32 Adapter V9
  1...........................Software Loopback Interface 1
===========================================================================
 
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
===========================================================================
Persistent Routes:
  None
 
IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
  1    306 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
========================= Winsock entries =====================================
 
Catalog5 01 C:\WINDOWS\SysWOW64\napinsp.dll [55808] (Microsoft Corporation)
Catalog5 02 C:\WINDOWS\SysWOW64\pnrpnsp.dll [70656] (Microsoft Corporation)
Catalog5 03 C:\WINDOWS\SysWOW64\pnrpnsp.dll [70656] (Microsoft Corporation)
Catalog5 04 C:\WINDOWS\SysWOW64\NLAapi.dll [65024] (Microsoft Corporation)
Catalog5 05 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
Catalog5 06 C:\WINDOWS\SysWOW64\winrnr.dll [23552] (Microsoft Corporation)
Catalog9 01 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
Catalog9 02 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
Catalog9 03 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
Catalog9 04 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
Catalog9 05 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
Catalog9 06 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
Catalog9 07 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
Catalog9 08 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
Catalog9 09 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
Catalog9 10 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
Catalog9 11 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
x64-Catalog5 01 C:\Windows\System32\napinsp.dll [68096] (Microsoft Corporation)
x64-Catalog5 02 C:\Windows\System32\pnrpnsp.dll [87040] (Microsoft Corporation)
x64-Catalog5 03 C:\Windows\System32\pnrpnsp.dll [87040] (Microsoft Corporation)
x64-Catalog5 04 C:\Windows\System32\NLAapi.dll [80896] (Microsoft Corporation)
x64-Catalog5 05 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog5 06 C:\Windows\System32\winrnr.dll [31744] (Microsoft Corporation)
x64-Catalog9 01 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 02 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 03 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 04 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 05 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 06 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 07 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 08 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 09 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 10 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 11 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
 
========================= Event log errors: ===============================
 
Application errors:
==================
Error: (01/26/2016 01:28:13 PM) (Source: Microsoft-Windows-Immersive-Shell) (User: dannyboy-PC)
Description: Activation of app Microsoft.Getstarted_2.6.12.0_x64__8wekyb3d8bbwe:App.AppX7mv0s3r0wanj0n66dy6vax24ps6avzvz.mca failed with error: -2144927149 See the Microsoft-Windows-TWinUI/Operational log for additional information.
 
Error: (01/26/2016 01:25:34 PM) (Source: RIM MDNS) (User: )
Description: mDNSCoreReceiveResponse: Unexpected conflict discarding   21 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. PTR dannyboy-PC-2.local.
 
Error: (01/26/2016 01:25:34 PM) (Source: RIM MDNS) (User: )
Description: mDNSCoreReceiveResponse: Received from 0000:0000:0000:0000:0000:0000:0000:0001:5353   19 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa. PTR dannyboy-PC.local.
 
Error: (01/26/2016 01:25:34 PM) (Source: RIM MDNS) (User: )
Description: mDNSCoreReceiveResponse: Unexpected conflict discarding   21 4.1.168.192.in-addr.arpa. PTR dannyboy-PC-2.local.
 
Error: (01/26/2016 01:25:34 PM) (Source: RIM MDNS) (User: )
Description: mDNSCoreReceiveResponse: Received from 192.168.1.4:5353   19 4.1.168.192.in-addr.arpa. PTR dannyboy-PC.local.
 
Error: (01/26/2016 01:25:33 PM) (Source: RIM MDNS) (User: )
Description: Local Hostname dannyboy-PC.local already in use; will try dannyboy-PC-2.local instead
 
Error: (01/26/2016 01:25:33 PM) (Source: RIM MDNS) (User: )
Description: mDNSCoreReceiveResponse: ProbeCount 2; will deregister    4 dannyboy-PC.local. Addr 192.168.1.4
 
Error: (01/26/2016 01:25:33 PM) (Source: RIM MDNS) (User: )
Description: mDNSCoreReceiveResponse: Received from 192.168.1.4:5353   16 dannyboy-PC.local. AAAA FE80:0000:0000:0000:29A0:C12F:DB45:FFBD
 
Error: (01/26/2016 01:25:33 PM) (Source: RIM MDNS) (User: )
Description: mDNSCoreReceiveResponse: Resetting to Probing:    4 dannyboy-PC.local. Addr 192.168.1.4
 
Error: (01/26/2016 01:25:33 PM) (Source: RIM MDNS) (User: )
Description: mDNSCoreReceiveResponse: Received from 192.168.1.4:5353   16 dannyboy-PC.local. AAAA FE80:0000:0000:0000:29A0:C12F:DB45:FFBD
 
 
System errors:
=============
Error: (01/26/2016 01:28:36 PM) (Source: DCOM) (User: dannyboy-PC)
Description: 1084ShellHWDetectionUnavailable{DD522ACC-F821-461A-A407-50B198B896DC}
 
Error: (01/26/2016 01:28:30 PM) (Source: DCOM) (User: dannyboy-PC)
Description: 1084WSearchUnavailable{9E175B6D-F52A-11D8-B9A5-505054503030}
 
Error: (01/26/2016 01:28:30 PM) (Source: DCOM) (User: dannyboy-PC)
Description: 1084ShellHWDetectionUnavailable{DD522ACC-F821-461A-A407-50B198B896DC}
 
Error: (01/26/2016 01:28:23 PM) (Source: DCOM) (User: dannyboy-PC)
Description: 1084ShellHWDetectionUnavailable{DD522ACC-F821-461A-A407-50B198B896DC}
 
Error: (01/26/2016 01:28:17 PM) (Source: DCOM) (User: dannyboy-PC)
Description: 1084ShellHWDetectionUnavailable{DD522ACC-F821-461A-A407-50B198B896DC}
 
Error: (01/26/2016 01:28:17 PM) (Source: DCOM) (User: dannyboy-PC)
Description: 1084WSearchUnavailable{B52D54BB-4818-4EB9-AA80-F9EACD371DF8}
 
Error: (01/26/2016 01:28:17 PM) (Source: DCOM) (User: dannyboy-PC)
Description: 1084WSearchUnavailable{B52D54BB-4818-4EB9-AA80-F9EACD371DF8}
 
Error: (01/26/2016 01:28:17 PM) (Source: DCOM) (User: dannyboy-PC)
Description: 1084WSearchUnavailable{B52D54BB-4818-4EB9-AA80-F9EACD371DF8}
 
Error: (01/26/2016 01:28:17 PM) (Source: DCOM) (User: dannyboy-PC)
Description: 1084WSearchUnavailable{B52D54BB-4818-4EB9-AA80-F9EACD371DF8}
 
Error: (01/26/2016 01:28:17 PM) (Source: DCOM) (User: dannyboy-PC)
Description: 1084WSearchUnavailable{B52D54BB-4818-4EB9-AA80-F9EACD371DF8}
 
 
Microsoft Office Sessions:
=========================
 
CodeIntegrity Errors:
===================================
  Date: 2016-01-14 22:32:21.715
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2016-01-09 14:34:59.902
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2016-01-01 20:36:38.534
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2015-12-23 20:59:34.332
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2015-12-20 11:24:08.215
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2015-12-19 21:21:38.904
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2015-12-16 20:58:07.249
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2015-12-16 20:58:06.927
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.
 
  Date: 2015-12-16 20:52:58.688
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\System32\efswrt.dll because the set of per-page image hashes could not be found on the system.
 
 
=========================== Installed Programs ============================
 
µTorrent (HKCU\...\uTorrent) (Version: 3.4.5.41372 - BitTorrent Inc.)
7-Zip 9.22 (x64 edition) (HKLM\...\{23170F69-40C1-2702-0922-000001000000}) (Version: 9.22.00.0 - Igor Pavlov)
Ace Stream Media 3.1.1 (HKCU\...\AceStream) (Version: 3.1.1 - Ace Stream Media)
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 17.0.0.124 - Adobe Systems Incorporated)
Adobe Flash Player 20 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 20.0.0.286 - Adobe Systems Incorporated)
Adobe Shockwave Player 12.1 (HKLM-x32\...\Adobe Shockwave Player) (Version: 12.1.3.153 - Adobe Systems, Inc.)
Audacity 2.1.1 (HKLM-x32\...\Audacity®_is1) (Version: 2.1.1 - Audacity Team)
Autodesk Pixlr (HKLM-x32\...\{B0547B43-3AEE-453C-9945-800B9F92052D}) (Version: 1.0.3.0 - Autodesk) Hidden
Autodesk Pixlr (HKLM-x32\...\Autodesk Pixlr) (Version: 1.0.3.0 - Autodesk)
AVG (HKLM\...\{A597ED27-4945-4E0B-8E37-DCD93DD85AD0}) (Version: 16.12.7303 - AVG Technologies) Hidden
AVG (HKLM\...\AvgZen) (Version: 1.31.1.48846 - AVG Technologies)
AVG 2016 (HKLM\...\{C3506E0A-35BE-4AAF-BA41-62E9D9FD3B92}) (Version: 16.0.4522 - AVG Technologies) Hidden
AVG Protection (HKLM\...\AVG) (Version: 2016.12.7303 - AVG Technologies)
AVG Zen (HKLM\...\{5ED53AC5-2BEA-4B9D-8AA2-41AF9565F75A}) (Version: 1.31.9 - AVG Technologies) Hidden
Battlefield 4™ (HKLM-x32\...\{ABADE36E-EC37-413B-8179-B432AD3FACE7}) (Version: 1.6.2.40658 - Electronic Arts)
Battlelog Web Plugins (HKLM-x32\...\Battlelog Web Plugins) (Version: 2.7.0 - EA Digital Illusions CE AB)
BlackBerry Link (HKLM-x32\...\{15AFC3BA-5D41-4616-AD9A-AE5B6F52CA24}) (Version: 1.2.3.56 - BlackBerry Ltd.) Hidden
BlackBerry Link (HKLM-x32\...\BlackBerry_10_Desktop) (Version: 1.2.3.56 - BlackBerry Ltd.)
Call of Duty® 4 - Modern Warfare™ 1.6 Patch (HKLM-x32\...\{8A15B7D9-908A-4EF9-BA84-5AEDE61743EE}) (Version: 1.6 - Activision) Hidden
Call of Duty® 4 - Modern Warfare™ 1.6 Patch (HKLM-x32\...\InstallShield_{8A15B7D9-908A-4EF9-BA84-5AEDE61743EE}) (Version:  - ) Hidden
Call of Duty® 4 - Modern Warfare™ 1.7 Patch (HKLM-x32\...\{931C37FC-594D-43A9-B10F-A2F2B1F03498}) (Version: 1.7 - Activision) Hidden
Call of Duty® 4 - Modern Warfare™ 1.7 Patch (HKLM-x32\...\InstallShield_{931C37FC-594D-43A9-B10F-A2F2B1F03498}) (Version:  - ) Hidden
CCleaner (HKLM\...\CCleaner) (Version: 5.13 - Piriform)
CDBurnerXP (HKLM\...\{7E265513-8CDA-4631-B696-F40D983F3B07}_is1) (Version: 4.5.4.5067 - CDBurnerXP)
Citrix Receiver (HKLM-x32\...\CitrixOnlinePluginPackWeb) (Version: 14.2.100.14 - Citrix Systems, Inc.)
CodeStuff Starter (HKLM-x32\...\CodeStuff Starter) (Version: 5.6.2.9 - CodeStuff)
Defraggler (HKLM\...\Defraggler) (Version: 2.19 - Piriform)
Evernote v. 5.9.1 (HKLM-x32\...\{5EA1DED0-5285-11E5-8AA1-0050569584E9}) (Version: 5.9.1.8742 - Evernote Corp.)
Firefox Developer Edition 45.0a2 (x64 en-GB) (HKLM\...\Firefox Developer Edition 45.0a2 (x64 en-GB)) (Version: 45.0a2 - Mozilla)
FMW 1 (HKLM\...\{1F610B48-81E7-4A33-AFC9-1D7602C80732}) (Version: 1.52.1 - AVG Technologies) Hidden
Freemake Video Converter version 4.1.5 (HKLM-x32\...\Freemake Video Converter_is1) (Version: 4.1.5 - Ellora Assets Corporation)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 47.0.2526.111 - Google Inc.)
Google Earth (HKLM-x32\...\{4D2A6330-2F8B-11E3-9C40-B8AC6F97B88E}) (Version: 7.1.2.2041 - Google)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.29.1 - Google Inc.) Hidden
Google Update Helper (HKLM-x32\...\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}) (Version: 1.3.25.11 - Google Inc.) Hidden
ImgBurn (HKLM-x32\...\ImgBurn) (Version: 2.5.8.0 - LIGHTNING UK!)
Intel® Chipset Device Software (HKLM-x32\...\{e48a2f61-851a-4155-82f9-af1b04db8c3b}) (Version: 10.0.13 - Intel® Corporation) Hidden
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 10.18.14.4170 - Intel Corporation)
Intel® Rapid Storage Technology (HKLM\...\{409CB30E-E457-4008-9B1A-ED1B9EA21140}) (Version: 13.1.0.1058 - Intel Corporation)
Intel® USB 3.0 eXtensible Host Controller Driver (HKLM-x32\...\{240C3DDD-C5E9-4029-9DF7-95650D040CF2}) (Version: 3.0.0.16 - Intel Corporation)
IrfanView (remove only) (HKLM-x32\...\IrfanView) (Version: 4.38 - Irfan Skiljan)
Java 8 Update 60 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F86418060F0}) (Version: 8.0.600.27 - Oracle Corporation)
Microsoft ASP.NET MVC 4 Runtime (HKLM-x32\...\{3FE312D5-B862-40CE-8E4E-A6D8ABF62736}) (Version: 4.0.40804.0 - Microsoft Corporation)
Microsoft Office 2007 Service Pack 3 (SP3) (HKLM-x32\...\{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}) (Version:  - Microsoft)
Microsoft Office File Validation Add-In (HKLM-x32\...\{90140000-2005-0000-0000-0000000FF1CE}) (Version: 14.0.5130.5003 - Microsoft Corporation)
Microsoft Office Home and Student 2007 (HKLM-x32\...\HOMESTUDENTR) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.41212.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022 (HKLM-x32\...\{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}) (Version: 9.0.21022 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.60610 (HKLM-x32\...\{a1909659-0a08-4554-8af1-2175904903a1}) (Version: 11.0.60610.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.60610 (HKLM-x32\...\{95716cce-fc71-413f-8ad5-56c2892d4b3a}) (Version: 11.0.60610.1 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.21005 (HKLM-x32\...\{7f51bdb9-ee21-49ee-94d6-90afc321780e}) (Version: 12.0.21005.1 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM-x32\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation)
MixMeister BPM Analyzer 1.0 (HKLM-x32\...\MixMeister BPM Analyzer_is1) (Version:  - MixMeister Technology LLC)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 45.0.0.5867 - Mozilla)
MPC-HC 1.7.10 (64-bit) (HKLM\...\{2ACBF1FA-F5C3-4B19-A774-B22A31F231B9}_is1) (Version: 1.7.10 - MPC-HC Team)
MusicBee 2.4 (HKLM-x32\...\MusicBee) (Version: 2.4 - Steven Mayall)
Notepad++ (HKLM-x32\...\Notepad++) (Version: 6.6.9 - Notepad++ Team)
NVIDIA 3D Vision Controller Driver 352.65 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.NVIRUSB) (Version: 352.65 - NVIDIA Corporation)
NVIDIA 3D Vision Driver 361.43 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision) (Version: 361.43 - NVIDIA Corporation)
NVIDIA GeForce Experience 2.8.1.21 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.GFExperience) (Version: 2.8.1.21 - NVIDIA Corporation)
NVIDIA Graphics Driver 361.43 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 361.43 - NVIDIA Corporation)
NVIDIA HD Audio Driver 1.3.34.4 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_HDAudio.Driver) (Version: 1.3.34.4 - NVIDIA Corporation)
NVIDIA PhysX System Software 9.15.0428 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX) (Version: 9.15.0428 - NVIDIA Corporation)
Online Plug-in (HKLM-x32\...\{C0F6F192-C145-44AF-8D68-CC6F91DE9F9B}) (Version: 14.2.100.14 - Citrix Systems, Inc.) Hidden
Origin (HKLM-x32\...\Origin) (Version: 9.3.6.4639 - Electronic Arts, Inc.)
paint.net (HKLM\...\{19BD2C33-16A8-4ED1-B9EA-D9E35B21EC42}) (Version: 4.0.5 - dotPDN LLC)
PDF-Viewer (HKLM\...\{A278382D-4F1B-4D47-9885-8523F7261E8D}_is1) (Version: 2.5.310.0 - Tracker Software Products Ltd)
Pioneer DDJ_WeGO Driver (HKLM-x32\...\Pioneer DDJ_WeGO ASIO) (Version: 1.000.000.001 - Pioneer Corporation.)
Postbox (3.0.11) (HKLM-x32\...\Postbox (3.0.11)) (Version: 3.0.11 (en-US) - Postbox, Inc.)
Private Internet Access Support Files (HKLM-x32\...\{7D72DAFF-DCB2-437B-BC22-4B2ABF21462B}) (Version: 1.0.0.0 - Private Internet Access)
PunkBuster Services (HKLM-x32\...\PunkBusterSvc) (Version: 0.993 - Even Balance, Inc.)
qBittorrent 3.1.10 (HKLM-x32\...\qBittorrent) (Version: 3.1.10 - The qBittorrent project)
Quickflix Player (HKLM-x32\...\{738990ac-e704-407f-b51b-a8ee009874be}) (Version: 3.0.2.0 - Quickflix Limited)
Quickflix Player (HKLM-x32\...\{DE091C2C-6446-4B56-9935-26DC169B6713}) (Version: 3.0.2 - Quickflix Limited) Hidden
Quickflix Player Component (HKCU\...\759197394.streaming.quickflix.com.au) (Version:  - streaming.quickflix.com.au)
Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 7.88.617.2014 - Realtek)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7256 - Realtek Semiconductor Corp.)
Revo Uninstaller 1.95 (HKLM-x32\...\Revo Uninstaller) (Version: 1.95 - VS Revo Group)
Samsung Magician (HKLM-x32\...\{29AE3F9F-7158-4ca7-B1ED-28A73ECDB215}_is1) (Version: 4.5.1 - Samsung Electronics)
Self-service Plug-in (HKLM-x32\...\{D294F212-1DB8-47C8-9579-A53F50186DA2}) (Version: 4.2.100.5943 - Citrix Systems, Inc.) Hidden
SHIELD Streaming (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_GFExperience.NvStreamSrv) (Version: 4.1.0250 - NVIDIA Corporation) Hidden
SHIELD Wireless Controller Driver (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_ShieldWirelessController) (Version: 2.8.1.21 - NVIDIA Corporation) Hidden
Skitch (HKLM-x32\...\Skitch 2.3.1.169) (Version: 2.3.1.169 - Evernote Corp.)
Skype™ 7.2 (HKLM-x32\...\{24991BA0-F0EE-44AD-9CC8-5EC50AECF6B7}) (Version: 7.2.103 - Skype Technologies S.A.)
Steam (HKLM-x32\...\{048298C9-A4D3-490B-9FF9-AB023A9238F3}) (Version: 1.0.0.0 - Valve Corporation)
swMSM (HKLM-x32\...\{612C34C7-5E90-47D8-9B5C-0F717DD82726}) (Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
Total War: ROME II - Emperor Edition (HKLM-x32\...\Steam App 214950) (Version:  - Creative Assembly)
TP-LINK TL-WN881ND Driver (HKLM-x32\...\{FDA7E907-6539-42C1-9721-0239C281B336}) (Version: 1.3.1 - TP-LINK)
TP-LINK Wireless Configuration Utility (HKLM-x32\...\{319D91C6-3D44-436C-9F79-36C0D22372DC}) (Version: 1.3.1 - TP-LINK)
Update for 2007 Microsoft Office System (KB967642) (HKLM-x32\...\{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version:  - Microsoft)
VirtualDJ LE (DDJ-WeGO) (HKLM-x32\...\{B2173D5D-8899-4B9D-B209-750063D4E2F2}) (Version: 7.4.1 - Atomix Productions)
VirtualDJ LE (HKLM-x32\...\{42C0065F-C8D0-4E50-9292-AF85BF996CA4}) (Version: 7.4.2 - Atomix Productions)
Visual Studio 2012 x64 Redistributables (HKLM\...\{8C775E70-A791-4DA8-BCC3-6AB7136F4484}) (Version: 14.0.0.1 - AVG Technologies)
Visual Studio 2012 x86 Redistributables (HKLM-x32\...\{98EFF19A-30AB-4E4B-B943-F06B1C63EBF8}) (Version: 14.0.0.1 - AVG Technologies CZ, s.r.o.)
VLC media player (HKLM-x32\...\VLC media player) (Version: 2.2.1 - VideoLAN)
Waterfox 40.1.0 (x64 en-US) (HKLM\...\Waterfox 40.1.0 (x64 en-US)) (Version: 40.1.0 - Mozilla)
WinRAR 5.30 beta 5 (64-bit) (HKLM\...\WinRAR archiver) (Version: 5.30.5 - win.rar GmbH)
WinSCP 5.5.6 (HKLM-x32\...\winscp3_is1) (Version: 5.5.6 - Martin Prikryl)
 
========================= Devices: ================================
 
 
========================= Memory info: ===================================
 
Percentage of memory in use: 9%
Total physical RAM: 8057.14 MB
Available physical RAM: 7299.73 MB
Total Virtual: 16249.14 MB
Available Virtual: 15604.15 MB
 
========================= Partitions: =====================================
 
1 Drive c: (Main operating SSD) (Fixed) (Total:222.58 GB) (Free:76.18 GB) NTFS
2 Drive d: (Main storage drive) (Fixed) (Total:931.51 GB) (Free:189.84 GB) NTFS
 
========================= Users: ========================================
 
User accounts for \\DANNYBOY-PC
 
Administrator            dannyboy                 DefaultAccount           
Guest                    
 
 
**** End of log ****


#4 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,670 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:46 AM

Posted 25 January 2016 - 09:40 PM

Well there's no harm in investigating a bit :) Your MiniToolBox looks pretty clean, let's do a quick sweep with JRT, AdwCleaner and Malwarebytes then.

lv0mVRW.pngJunkware Removal Tool (JRT)
  • Download Junkware Removal Tool (JRT) and move it to your Desktop;
  • Right-click on JRT.exe and select Spcusrh.pngRun as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Press on any key to launch the scan and let it complete;
    tLsXbWy.png
    Credits : BleepingComputer.com
  • Once the scan is complete, a log will open. Please copy/paste the content of the output log in your next reply;
zcMPezJ.pngAdwCleaner - Fix Mode
  • Download AdwCleaner and move it to your Desktop;
  • Right-click on AdwCleaner.exe and select Spcusrh.pngRun as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Accept the EULA (I accept), let the database update, then click on Scan;
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Cleaning button. This will kill all the active processes;
    CfdTLN1.png
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it;
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply;
aOpBoaQ.pngMalwarebytes Anti-Malware - Clean Mode
  • Download and install the free version of Malwarebytes Anti-Malware
    Note: It's your choice if you want to enable the free trial of Malwarebytes Premium or not. Enabling it will give you real-time protection from the program, as well as access to all the Premium features.
    Note: If you have Malwarebytes already installed, you don't need to install it again. Simply start from the next bullet point;
  • Once Malwarebytes is installed, launch it and let it update his database. You might have to click on the Update Now button;
  • Once the database update is complete, click on the Scan tab, then select the Threat Scan button and click on Start Scan;
  • Let the scan run, the time required to complete the scan depends of your system and computer specs;
  • Once the scan is complete, make sure that the checkbox by Threat is checked (it means that every item detected is checked), then click on the Remove Selected button;
    L9PN4j1.png
  • Click on Save Results after the deletion (in the bottom-right corner) and select Copy to clipboard. Paste the content in your next reply;
Your next reply(ies) should therefore contain:
  • Copy/pasted JRT log;
  • Copy/pasted AdwCleaner clean log;
  • Copy/pasted Malwarebytes clean log;

unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#5 Danzar1

Danzar1
  • Topic Starter

  • Members
  • 56 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:46 AM

Posted 25 January 2016 - 09:51 PM

Thanks Aura, here is the JRT log:

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.2 (01.06.2016)
Operating System: Windows 10 Home x64 
Ran by dannyboy (Administrator) on Tue 01/26/2016 at 13:44:44.04
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
File System: 10 
 
Successfully deleted: C:\Users\dannyboy\AppData\Local\Google\Chrome\User Data\Default\Extensions\gpdjojdkbbmdfjfahjcgigfpmkopogic (Folder) 
Successfully deleted: C:\Users\dannyboy\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_elicpjhcidhpjomhibiffojpinpmmpil_0.localstorage (File) 
Successfully deleted: C:\Users\dannyboy\Appdata\LocalLow\.acestream (Folder) 
Successfully deleted: C:\Users\dannyboy\AppData\Roaming\.acestream (Folder) 
Successfully deleted: C:\Users\dannyboy\AppData\Roaming\acestream (Folder) 
Successfully deleted: C:\Users\dannyboy\AppData\Roaming\acewebextension (Folder) 
Successfully deleted: C:\Users\dannyboy\AppData\Roaming\Mozilla\Firefox\Profiles\fu1lft6r.default\extensions\hxxps-everywhere@eff.org\chrome\locale\ru@petr1708 (Folder) 
Successfully deleted: C:\Users\dannyboy\AppData\Roaming\Mozilla\Firefox\Profiles\fu1lft6r.default\extensions\hxxps-everywhere@eff.org\chrome\locale\zh_CN.GB2312 (Folder) 
Successfully deleted: C:\WINDOWS\SysWOW64\REN516B.tmp (File) 
Successfully deleted: C:\WINDOWS\SysWOW64\RENC059.tmp (File) 
 
 
 
Registry: 1 
 
Successfully deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\AceWebException (Registry Value) 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Tue 01/26/2016 at 13:48:07.06
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


#6 Danzar1

Danzar1
  • Topic Starter

  • Members
  • 56 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:46 AM

Posted 25 January 2016 - 10:03 PM

And the Adware:

 

# AdwCleaner v5.031 - Logfile created 26/01/2016 at 13:58:11
# Updated 25/01/2016 by Xplode
# Database : 2016-01-25.3 [Server]
# Operating system : Windows 10 Home  (x64)
# Username : dannyboy - DANNYBOY-PC
# Running from : C:\Users\dannyboy\Desktop\AdwCleaner.exe
# Option : Cleaning
 
***** [ Services ] *****
 
 
***** [ Folders ] *****
 
[-] Folder Deleted : C:\_acestream_cache_
[-] Folder Deleted : C:\Users\dannyboy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Ace Stream Media
 
***** [ Files ] *****
 
[-] File Deleted : C:\Users\dannyboy\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\elicpjhcidhpjomhibiffojpinpmmpil
 
***** [ DLLs ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Scheduled tasks ] *****
 
 
***** [ Registry ] *****
 
[-] Key Deleted : HKCU\Software\Classes\Applications\ace_player.exe
[-] Key Deleted : HKCU\Software\Classes\AudioCD\shell\PlayWithACEStream
[-] Key Deleted : HKCU\Software\Classes\DVD\shell\PlayWithACEStream
[-] Key Deleted : HKCU\Software\Classes\MIME\Database\Content Type\application/x-acestream-plugin
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\ACEStreamPlayCDAudioOnArrival
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\ACEStreamPlayDVDAudioOnArrival
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\ACEStreamPlayDVDMovieOnArrival
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\ACEStreamPlayMusicFilesOnArrival
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\ACEStreamPlaySVCDMovieOnArrival
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\ACEStreamPlayVCDMovieOnArrival
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\ACEStreamPlayVideoFilesOnArrival
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.acelive
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.acemedia
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.acestream
[-] Key Deleted : HKCU\Software\Classes\CLSID\{79690976-ED6E-403C-BBBA-F8928B5EDE17}
[-] Key Deleted : HKCU\Software\AceStream
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\AceStream
[-] Key Deleted : HKCU\Software\Classes\.acelive
[-] Key Deleted : HKCU\Software\Classes\.acemedia
[-] Key Deleted : HKCU\Software\Classes\.acestream
[-] Key Deleted : HKCU\Software\Classes\acestream
[-] Key Deleted : HKCU\Software\Classes\AceStream.CDAudio
[-] Key Deleted : HKCU\Software\Classes\AceStream.DVDMovie
[-] Key Deleted : HKCU\Software\Classes\AceStream.file
[-] Key Deleted : HKCU\Software\Classes\AceStream.OPENFolder
[-] Key Deleted : HKCU\Software\Classes\AceStream.SVCDMovie
[-] Key Deleted : HKCU\Software\Classes\AceStream.VCDMovie
 
***** [ Web browsers ] *****
 
 
*************************
 
:: "Tracing" keys removed
:: Winsock settings cleared
 
########## EOF - C:\AdwCleaner\AdwCleaner[C3].txt - [3438 bytes] ##########


#7 Danzar1

Danzar1
  • Topic Starter

  • Members
  • 56 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:46 AM

Posted 25 January 2016 - 10:26 PM

And here is the Malwarebytes log, thanks Aura:

 

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 1/26/2016
Scan Time: 2:05 PM
Logfile: 
Administrator: Yes
 
Version: 2.2.0.1024
Malware Database: v2016.01.26.01
Rootkit Database: v2016.01.20.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
 
OS: Windows 10
CPU: x64
File System: NTFS
User: dannyboy
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 419672
Time Elapsed: 17 min, 1 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 2
PUP.Optional.OpenCandy, C:\Users\dannyboy\AppData\Local\Temp\HYD2B74.tmp.1453523731\HTA\install.1453523731.zip, Quarantined, [74c545f97b1e2b0bb06a0430e41ef010], 
PUP.Optional.OpenCandy, C:\Users\dannyboy\AppData\Local\Temp\HYD8078.tmp.1453523556\HTA\install.1453523556.zip, Quarantined, [f049bf7ff5a4fb3b071380b437cb4cb4], 
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)


#8 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,670 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:46 AM

Posted 25 January 2016 - 10:29 PM

Where you using a program called AceStream? It seems like JRT and AdwCleaner completely removed it. JRT also removed your Pin It All extension in Google Chrome. I reported it to the developer since its a FP so he can fix it.

unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#9 Danzar1

Danzar1
  • Topic Starter

  • Members
  • 56 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:46 AM

Posted 25 January 2016 - 10:40 PM

Hi Aura, thanks for the quick reply. I was using Acestream for formula 1. Legit program but not exactly safe to use, so totally fine with its removal. 

 

What does 'FP' mean?



#10 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,670 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:46 AM

Posted 25 January 2016 - 10:41 PM

Good to know, it means that there's a reason for it to be removed by JRT and AdwCleaner.

FP means false positive, its when a legitimate file, process, entry, etc. is being flagged as malicious and/or suspicious by a security software.

unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#11 Danzar1

Danzar1
  • Topic Starter

  • Members
  • 56 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:46 AM

Posted 25 January 2016 - 10:47 PM

It's a good program (very handy for live HD streams, with a VLC player interface), but from what I understand, it's unsafe because it streams using a torrent, rather than direct. I'm no expert though!



#12 Danzar1

Danzar1
  • Topic Starter

  • Members
  • 56 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:46 AM

Posted 25 January 2016 - 11:09 PM

An update on how my PC is performing. Obviously no more errors etc. Browsing is slow though. Takes a little longer for pages to load, jittery when scrolling down a page. It could simply be slow internet at the moment though. 

 

Let me know if I need to do anything further and thanks again Aura.



#13 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,670 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:46 AM

Posted 26 January 2016 - 06:21 AM

So security software don't like it because it's P2P and you could easily get infected using it I guess.

As for your slow browsing issue, let's see if deleting your temp files can help here.

3DPGbxe.pngTemp File Cleaner (TFC)
  • Download Temp File Cleaner (TFC) and move it to your Desktop;
  • Right-click on TFC.exe and select Spcusrh.pngRun as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Simply click on Start to launch the clean-up and wait until it completes;
    s5yB2E8.png
  • Depending on which processes are running, all your programs will be closed and explorer.exe (your Windows shell) will be killed, it will however be relaunched shortly after so do not panic;
  • There's no log to give for this tool;

unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#14 Danzar1

Danzar1
  • Topic Starter

  • Members
  • 56 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:46 AM

Posted 26 January 2016 - 07:24 AM

Aura, done and thank you. Cleaned out about 400mb. 



#15 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,670 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:46 AM

Posted 26 January 2016 - 07:39 AM

Is your web browsing still slow? Which web browser(s) do you use? Google Chrome?

unite_blue.png
Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users