
New UC Rice Eater Browser and a lot of bad stuff


  • This topic is locked
3 replies to this topic

#1 Deadzior

Deadzior

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:05:33 PM

Posted 22 June 2016 - 03:40 PM

Hi, this will be my first time here ^^. So I downloaded some nasty software (I know, my bad) and in the installation process it installed a whole load of malware, but ESET and Malwarebytes (both active at the same time) eradicated most of it, 48 files to be exact, but still some remnants remain. I found them using AdwCleaner, but after trying to clean them it immediately hangs to oblivion and the only option is a system restart. My system is Windows 10 Pro so I can't use ComboFix to help with the issue (to be honest, I've read a lot of guides and warnings that you shouldn't use ComboFix without being a well-educated user of it, but with careful usage I never had any system problems after a scan and I used it a lot in the past on Win7). I also made a scan with JRT but it didn't detect anything.

 

Also, after this, Mozilla is saying that almost every website (this one as well) is not safe and I need to make exceptions every time.

 

 

Here's the AdwCleaner log:

# AdwCleaner v5.200 - raport utworzono 22/06/2016 o 22:25:10
# Ostatnia aktualizacja 14/06/2016 przez ToolsLib
# Baza danych : 2016-06-22.1 [z serwera]
# System operacyjny : Windows 10 Pro  (X64)
# Nazwa użytkownika : Damian - DEADZIOR
# Lokalizacja programu : C:\Users\Damian\Downloads\Programs\adwcleaner_5.200_www.INSTALKI.pl.exe
# Działanie : Skanuj
# Pomoc techniczna : https://toolslib.net/forum

***** [ Usługi ] *****

Usługa znaleziono : UCGuard

***** [ Foldery ] *****

Folder znaleziono : C:\Program Files (x86)\badu
Folder znaleziono : C:\Program Files (x86)\1E008D40-1466620318-2D00-2787-E0CB4EC3B6E1

***** [ Pliki ] *****

Plik znaleziono : C:\Windows\SysNative\drivers\ucguard.sys

***** [ DLL ] *****


***** [ WMI ] *****


***** [ Skróty ] *****


***** [ Zaplanowane zadania ] *****


***** [ Rejestr ] *****

Klucz znaleziono : HKLM\SOFTWARE\Clients\StartMenuInternet\UCBrowser
Klucz znaleziono : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\UCBrowser.exe
Wartość znaleziono : HKLM\SOFTWARE\RegisteredApplications [UCBrowser]
Klucz znaleziono : HKLM\SOFTWARE\Microsoft\MediaPlayer\ShimInclusionList\UCBrowser.exe
Klucz znaleziono : HKLM\SOFTWARE\Classes\UCHTML
Klucz znaleziono : HKLM\SOFTWARE\Classes\UCHTML.AssocFile.CRX
Klucz znaleziono : HKLM\SOFTWARE\Classes\UCHTML.AssocFile.HTM
Klucz znaleziono : HKLM\SOFTWARE\Classes\UCHTML.AssocFile.HTML
Klucz znaleziono : HKLM\SOFTWARE\Classes\UCHTML.AssocFile.MHT
Klucz znaleziono : HKLM\SOFTWARE\Classes\UCHTML.AssocFile.SHTM
Klucz znaleziono : HKLM\SOFTWARE\Classes\UCHTML.AssocFile.SHTML
Klucz znaleziono : HKLM\SOFTWARE\Classes\UCHTML.AssocFile.WEBP
Klucz znaleziono : HKLM\SOFTWARE\Classes\UCHTML.AssocFile.XHT
Klucz znaleziono : HKLM\SOFTWARE\Classes\UCHTML.AssocFile.XHTML
Klucz znaleziono : HKCU\Software\INSTALLPATH\STATUS
Klucz znaleziono : HKCU\Software\UCBrowser
Klucz znaleziono : HKCU\Software\UCBrowserPID
Klucz znaleziono : HKLM\SOFTWARE\{E6276374-DE18-4AA5-A365-9016A2F98A2D}
Klucz znaleziono : HKLM\SOFTWARE\UCBrowser
Klucz znaleziono : HKLM\SOFTWARE\UCBrowserPID
Klucz znaleziono : HKLM\SOFTWARE\{8C4CE252-7DB2-4F8E-8E76-BAD0E5826A83}
Klucz znaleziono : [x64] HKLM\SOFTWARE\{8C4CE252-7DB2-4F8E-8E76-BAD0E5826A83}
Klucz znaleziono : HKU\.DEFAULT\Software\{8C4CE252-7DB2-4F8E-8E76-BAD0E5826A83}
Klucz znaleziono : HKU\S-1-5-21-687947402-723180617-3278915659-1001\Software\INSTALLPATH\STATUS
Klucz znaleziono : HKU\S-1-5-21-687947402-723180617-3278915659-1001\Software\UCBrowser
Klucz znaleziono : HKU\S-1-5-21-687947402-723180617-3278915659-1001\Software\UCBrowserPID
Klucz znaleziono : HKU\S-1-5-18\Software\{8C4CE252-7DB2-4F8E-8E76-BAD0E5826A83}
Wartość znaleziono : HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules [{9AFF9623-3DC6-4B0B-B39A-0CACA2EF81A0}]
Wartość znaleziono : HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules [{5DBF3476-8B20-445B-9442-EBEA421D85AF}]
Wartość znaleziono : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32 [apphide]

***** [ Przeglądarki internetowe ] *****


*************************

C:\AdwCleaner\AdwCleaner[C1].txt - [440 bajty] - [22/06/2016 21:11:55]
C:\AdwCleaner\AdwCleaner[C2].txt - [440 bajty] - [22/06/2016 21:25:05]
C:\AdwCleaner\AdwCleaner[C3].txt - [438 bajty] - [22/06/2016 22:19:29]
C:\AdwCleaner\AdwCleaner[S1].txt - [3524 bajty] - [22/06/2016 21:10:12]
C:\AdwCleaner\AdwCleaner[S2].txt - [3636 bajty] - [22/06/2016 21:23:22]
C:\AdwCleaner\AdwCleaner[S3].txt - [3665 bajty] - [22/06/2016 22:18:00]
C:\AdwCleaner\AdwCleaner[S4].txt - [3652 bajty] - [22/06/2016 22:25:10]

########## EOF - C:\AdwCleaner\AdwCleaner[S4].txt - [3725 bajty] ##########

ESET log:

Time;Scanner;Object type;Object;Threat;Action;User;Information;Hash
22.06.2016 20:42:00;Real-time file system protection;file;C:\Users\Damian\AppData\Local\Temp\~nsu.tmp\Zu_.exe;Win32/Adware.ConvertAd.AEY application;cleaned by deleting;DEADZIOR\Damian;Event occurred on a new file created by the application: C:\Users\Damian\AppData\Roaming\YSPackage\Uninstall.exe.;
22.06.2016 20:41:59;Real-time file system protection;file;C:\Users\Damian\AppData\Local\Temp\~nsu.tmp\Yu_.exe;Win32/Adware.ConvertAd.AEY application;cleaned by deleting;DEADZIOR\Damian;Event occurred on a new file created by the application: C:\Users\Damian\AppData\Roaming\YSPackage\Uninstall.exe.;
22.06.2016 20:41:58;Real-time file system protection;file;C:\Users\Damian\AppData\Local\Temp\~nsu.tmp\Xu_.exe;Win32/Adware.ConvertAd.AEY application;cleaned by deleting;DEADZIOR\Damian;Event occurred on a new file created by the application: C:\Users\Damian\AppData\Roaming\YSPackage\Uninstall.exe.;
22.06.2016 20:41:57;Real-time file system protection;file;C:\Users\Damian\AppData\Local\Temp\~nsu.tmp\Wu_.exe;Win32/Adware.ConvertAd.AEY application;cleaned by deleting;DEADZIOR\Damian;Event occurred on a new file created by the application: C:\Users\Damian\AppData\Roaming\YSPackage\Uninstall.exe.;
22.06.2016 20:41:56;Real-time file system protection;file;C:\Users\Damian\AppData\Local\Temp\~nsu.tmp\Vu_.exe;Win32/Adware.ConvertAd.AEY application;cleaned by deleting;DEADZIOR\Damian;Event occurred on a new file created by the application: C:\Users\Damian\AppData\Roaming\YSPackage\Uninstall.exe.;
22.06.2016 20:41:56;Real-time file system protection;file;C:\Users\Damian\AppData\Local\Temp\~nsu.tmp\Uu_.exe;Win32/Adware.ConvertAd.AEY application;cleaned by deleting;DEADZIOR\Damian;Event occurred on a new file created by the application: C:\Users\Damian\AppData\Roaming\YSPackage\Uninstall.exe.;
22.06.2016 20:41:55;Real-time file system protection;file;C:\Users\Damian\AppData\Local\Temp\~nsu.tmp\Tu_.exe;Win32/Adware.ConvertAd.AEY application;cleaned by deleting;DEADZIOR\Damian;Event occurred on a new file created by the application: C:\Users\Damian\AppData\Roaming\YSPackage\Uninstall.exe.;
22.06.2016 20:41:54;Real-time file system protection;file;C:\Users\Damian\AppData\Local\Temp\~nsu.tmp\Su_.exe;Win32/Adware.ConvertAd.AEY application;cleaned by deleting;DEADZIOR\Damian;Event occurred on a new file created by the application: C:\Users\Damian\AppData\Roaming\YSPackage\Uninstall.exe.;
22.06.2016 20:41:53;Real-time file system protection;file;C:\Users\Damian\AppData\Local\Temp\~nsu.tmp\Ru_.exe;Win32/Adware.ConvertAd.AEY application;cleaned by deleting;DEADZIOR\Damian;Event occurred on a new file created by the application: C:\Users\Damian\AppData\Roaming\YSPackage\Uninstall.exe.;
22.06.2016 20:41:52;Real-time file system protection;file;C:\Users\Damian\AppData\Local\Temp\~nsu.tmp\Qu_.exe;Win32/Adware.ConvertAd.AEY application;cleaned by deleting;DEADZIOR\Damian;Event occurred on a new file created by the application: C:\Users\Damian\AppData\Roaming\YSPackage\Uninstall.exe.;
22.06.2016 20:41:51;Real-time file system protection;file;C:\Users\Damian\AppData\Local\Temp\~nsu.tmp\Pu_.exe;Win32/Adware.ConvertAd.AEY application;cleaned by deleting;DEADZIOR\Damian;Event occurred on a new file created by the application: C:\Users\Damian\AppData\Roaming\YSPackage\Uninstall.exe.;
22.06.2016 20:41:51;Real-time file system protection;file;C:\Users\Damian\AppData\Local\Temp\~nsu.tmp\Ou_.exe;Win32/Adware.ConvertAd.AEY application;cleaned by deleting;DEADZIOR\Damian;Event occurred on a new file created by the application: C:\Users\Damian\AppData\Roaming\YSPackage\Uninstall.exe.;
22.06.2016 20:41:50;Real-time file system protection;file;C:\Users\Damian\AppData\Local\Temp\~nsu.tmp\Nu_.exe;Win32/Adware.ConvertAd.AEY application;cleaned by deleting;DEADZIOR\Damian;Event occurred on a new file created by the application: C:\Users\Damian\AppData\Roaming\YSPackage\Uninstall.exe.;
22.06.2016 20:41:49;Real-time file system protection;file;C:\Users\Damian\AppData\Local\Temp\~nsu.tmp\Mu_.exe;Win32/Adware.ConvertAd.AEY application;cleaned by deleting;DEADZIOR\Damian;Event occurred on a new file created by the application: C:\Users\Damian\AppData\Roaming\YSPackage\Uninstall.exe.;
22.06.2016 20:41:48;Real-time file system protection;file;C:\Users\Damian\AppData\Local\Temp\~nsu.tmp\Lu_.exe;Win32/Adware.ConvertAd.AEY application;cleaned by deleting;DEADZIOR\Damian;Event occurred on a new file created by the application: C:\Users\Damian\AppData\Roaming\YSPackage\Uninstall.exe.;
22.06.2016 20:41:47;Real-time file system protection;file;C:\Users\Damian\AppData\Local\Temp\~nsu.tmp\Ku_.exe;Win32/Adware.ConvertAd.AEY application;cleaned by deleting;DEADZIOR\Damian;Event occurred on a new file created by the application: C:\Users\Damian\AppData\Roaming\YSPackage\Uninstall.exe.;
22.06.2016 20:41:46;Real-time file system protection;file;C:\Users\Damian\AppData\Local\Temp\~nsu.tmp\Ju_.exe;Win32/Adware.ConvertAd.AEY application;cleaned by deleting;DEADZIOR\Damian;Event occurred on a new file created by the application: C:\Users\Damian\AppData\Roaming\YSPackage\Uninstall.exe.;
22.06.2016 20:41:45;Real-time file system protection;file;C:\Users\Damian\AppData\Local\Temp\~nsu.tmp\Iu_.exe;Win32/Adware.ConvertAd.AEY application;cleaned by deleting;DEADZIOR\Damian;Event occurred on a new file created by the application: C:\Users\Damian\AppData\Roaming\YSPackage\Uninstall.exe.;
22.06.2016 20:41:45;Real-time file system protection;file;C:\Users\Damian\AppData\Local\Temp\~nsu.tmp\Hu_.exe;Win32/Adware.ConvertAd.AEY application;cleaned by deleting;DEADZIOR\Damian;Event occurred on a new file created by the application: C:\Users\Damian\AppData\Roaming\YSPackage\Uninstall.exe.;
22.06.2016 20:41:44;Real-time file system protection;file;C:\Users\Damian\AppData\Local\Temp\~nsu.tmp\Gu_.exe;Win32/Adware.ConvertAd.AEY application;cleaned by deleting;DEADZIOR\Damian;Event occurred on a new file created by the application: C:\Users\Damian\AppData\Roaming\YSPackage\Uninstall.exe.;
22.06.2016 20:41:43;Real-time file system protection;file;C:\Users\Damian\AppData\Local\Temp\~nsu.tmp\Fu_.exe;Win32/Adware.ConvertAd.AEY application;cleaned by deleting;DEADZIOR\Damian;Event occurred on a new file created by the application: C:\Users\Damian\AppData\Roaming\YSPackage\Uninstall.exe.;
22.06.2016 20:41:42;Real-time file system protection;file;C:\Users\Damian\AppData\Local\Temp\~nsu.tmp\Eu_.exe;Win32/Adware.ConvertAd.AEY application;cleaned by deleting;DEADZIOR\Damian;Event occurred on a new file created by the application: C:\Users\Damian\AppData\Roaming\YSPackage\Uninstall.exe.;
22.06.2016 20:41:41;Real-time file system protection;file;C:\Users\Damian\AppData\Local\Temp\~nsu.tmp\Du_.exe;Win32/Adware.ConvertAd.AEY application;cleaned by deleting;DEADZIOR\Damian;Event occurred on a new file created by the application: C:\Users\Damian\AppData\Roaming\YSPackage\Uninstall.exe.;
22.06.2016 20:41:40;Real-time file system protection;file;C:\Users\Damian\AppData\Local\Temp\~nsu.tmp\Cu_.exe;Win32/Adware.ConvertAd.AEY application;cleaned by deleting;DEADZIOR\Damian;Event occurred on a new file created by the application: C:\Users\Damian\AppData\Roaming\YSPackage\Uninstall.exe.;
22.06.2016 20:41:39;Real-time file system protection;file;C:\Users\Damian\AppData\Local\Temp\~nsu.tmp\Bu_.exe;Win32/Adware.ConvertAd.AEY application;cleaned by deleting;DEADZIOR\Damian;Event occurred on a new file created by the application: C:\Users\Damian\AppData\Roaming\YSPackage\Uninstall.exe.;
22.06.2016 20:41:39;Real-time file system protection;file;C:\Users\Damian\AppData\Local\Temp\~nsu.tmp\Au_.exe;Win32/Adware.ConvertAd.AEY application;cleaned by deleting;DEADZIOR\Damian;Event occurred on a file modified by the application: C:\Users\Damian\AppData\Roaming\YSPackage\Uninstall.exe.;
22.06.2016 20:39:25;Real-time file system protection;file;C:\Program Files (x86)\badu\uc.exe;a variant of Win32/HideBaid.L potentially unwanted application;deleted;DEADZIOR\Damian;Event occurred during an attempt to access the file by the application: C:\Windows\System32\Taskmgr.exe (91E7AD993CEE462A3956B30735B64766E0648624).;4541563A1DA17AC6E552BC94EEBCAF87FF7E35B3
22.06.2016 20:39:25;Real-time file system protection;file;C:\Program Files (x86)\1E008D40-1466620318-2D00-2787-E0CB4EC3B6E1\hnse7E30.tmp;a variant of Win32/Adware.ConvertAd.XV application;cleaned by deleting;DEADZIOR\Damian;Event occurred during an attempt to access the file by the application: C:\Windows\System32\Taskmgr.exe (91E7AD993CEE462A3956B30735B64766E0648624).;A396E7CEF6865A2D3ABC675CD87F0ABBD444B0AD
22.06.2016 20:39:25;Real-time file system protection;file;C:\Program Files (x86)\1E008D40-1466620318-2D00-2787-E0CB4EC3B6E1\knsp4D25.tmpfs;a variant of Win32/Adware.ConvertAd.AHY application;cleaned by deleting;DEADZIOR\Damian;Event occurred during an attempt to access the file by the application: C:\Windows\System32\Taskmgr.exe (91E7AD993CEE462A3956B30735B64766E0648624).;1F2484AF5E83C10FBE78D4C04C7694CB9458B56A
22.06.2016 20:39:19;Real-time file system protection;file;C:\Program Files (x86)\1E008D40-1466620318-2D00-2787-E0CB4EC3B6E1\jnsk6538.tmp;a variant of Win32/Adware.ConvertAd.ABM application;cleaned by deleting;DEADZIOR\Damian;Event occurred during an attempt to access the file by the application: C:\Windows\System32\Taskmgr.exe (91E7AD993CEE462A3956B30735B64766E0648624).;B64AF0D23CAC7035C62CABA436D4FDBBEBF8C326
22.06.2016 20:39:00;Startup scanner;file;C:\Users\Damian\AppData\Local\YfzvPack\5ff80ca77ff7654bcfd7f1856be19ef1.exe;Win32/Injector.DAEJ trojan;cleaned by deleting;DEADZIOR\Damian;;
22.06.2016 20:38:33;Real-time file system protection;file;C:\Users\Damian\AppData\Local\Temp\KMSPico10.1.9__8174_il63164.exe;a variant of Win32/Amonetize.OR potentially unwanted application;deleted;DEADZIOR\Damian;Event occurred during an attempt to access the file by the application: C:\Windows\explorer.exe (B612CFE9506AFD65F3B67CE09918AEE51AEEE73E).;9E232B9B0C9308F72C89C6369FD163FED8AFB892
22.06.2016 20:38:30;Startup scanner;file;C:\Users\Damian\AppData\Roaming\YSPackage\YSPackage.exe;multiple threats;cleaned by deleting (after the next restart);DEADZIOR\Damian;;
22.06.2016 20:38:24;Startup scanner;file;C:\Program Files (x86)\badu\uc.exe;a variant of Win32/HideBaid.L potentially unwanted application;unable to clean;DEADZIOR\Damian;;4541563A1DA17AC6E552BC94EEBCAF87FF7E35B3
22.06.2016 20:36:24;Real-time file system protection;file;C:\Users\Damian\AppData\Local\Ekcstion\nznryszg.dll;a variant of Win32/Boaxxe.CO.gen trojan;cleaned by deleting;;Event occurred during an attempt to access the file.;8A0438C633A8B3CEDC06806A28690020E98CF0A3
22.06.2016 20:36:23;Real-time file system protection;file;C:\Program Files (x86)\UCBrowser\Application\Uninstall.exe;a variant of Win32/Taobao.B potentially unwanted application;deleted;ZARZĄDZANIE NT\SYSTEM;Event occurred during an attempt to access the file by the application: C:\Windows\System32\rundll32.exe (2348C635B0D333FAF314F0A1FA091CCA0B1996CD).;B9EFC99074825DA016AA2126026BF812DD8F5E5F
22.06.2016 20:36:17;HTTP filter;file;http://down.eszju.cn/8001/ttwifi.exe;Blocked Object;connection terminated;;Threat was detected upon access to web by the application: C:\Users\Damian\AppData\Local\Temp\nsrE8D.tmp (B14EE942F639DB4F270591D9D2E3A94FF0AAEBBC).;FB41F10CF14C935887CC1D35D7DF846598747F8A
22.06.2016 20:36:15;Real-time file system protection;file;C:\Users\Damian\AppData\Local\Ekcstion\nznryszg.dll;a variant of Win32/Boaxxe.CO.gen trojan;(after the next restart);DEADZIOR\Damian;Event occurred during an attempt to run the file by the application: C:\Windows\Temp\1588.tmp (41150DB3D51D3721E411C5BE68FEF278517954EE).;8A0438C633A8B3CEDC06806A28690020E98CF0A3
22.06.2016 20:35:49;Real-time file system protection;file;C:\Users\Damian\AppData\Local\Ekcstion\nznryszg.dll;a variant of Win32/Boaxxe.CO.gen trojan;(after the next restart);DEADZIOR\Damian;Event occurred during an attempt to run the file by the application: C:\Windows\Temp\158B.tmp (1FDC30983A59E2ED76ED81B4F6E6697DF6FAC89B).;8A0438C633A8B3CEDC06806A28690020E98CF0A3
22.06.2016 20:35:36;Real-time file system protection;file;C:\Users\Damian\AppData\Local\Ekcstion\nznryszg.dll;a variant of Win32/Boaxxe.CO.gen trojan;(after the next restart);DEADZIOR\Damian;Event occurred during an attempt to run the file by the application: C:\Windows\Temp\158A.tmp (DD3D89E35EEAA377E61521413AA96E6B648CFDDA).;8A0438C633A8B3CEDC06806A28690020E98CF0A3
22.06.2016 20:34:31;Real-time file system protection;file;C:\Users\Damian\AppData\Local\Ekcstion\nznryszg.dll;a variant of Win32/Boaxxe.CO.gen trojan;(after the next restart);DEADZIOR\Damian;Event occurred during an attempt to access the file by the application: C:\Windows\Temp\158E.tmp (3D4956A6FC76DE3CE27FCB8486F239E29BDB1AF3).;8A0438C633A8B3CEDC06806A28690020E98CF0A3
22.06.2016 20:34:25;Real-time file system protection;file;C:\Windows\Temp\1591.tmp;a variant of MSIL/Injector.POM trojan;cleaned by deleting;DEADZIOR\Damian;Event occurred during an attempt to access the file by the application: C:\Windows\Temp\1591.tmp (24D65590B8AC7316B0D4F685C4B9A510868B172A).;24D65590B8AC7316B0D4F685C4B9A510868B172A
22.06.2016 20:34:08;Real-time file system protection;file;C:\Windows\Temp\1589.tmp;multiple threats;cleaned by deleting;DEADZIOR\Damian;Event occurred on a file modified by the application: C:\Users\Damian\AppData\Local\Temp\nsrE8D.tmp.;
22.06.2016 20:34:07;Real-time file system protection;file;C:\Windows\Temp\1590.tmp;a variant of Win32/Adware.Imali.E application;cleaned by deleting;DEADZIOR\Damian;Event occurred on a file modified by the application: C:\Users\Damian\AppData\Local\Temp\nsrE8D.tmp (B14EE942F639DB4F270591D9D2E3A94FF0AAEBBC).;E5A8FA6169C7195369F39DC49676AAC100D24807
22.06.2016 20:34:07;Real-time file system protection;file;C:\Windows\Temp\1593.tmp;a variant of MSIL/Injector.ORY trojan;cleaned by deleting;DEADZIOR\Damian;Event occurred on a file modified by the application: C:\Users\Damian\AppData\Local\Temp\nsrE8D.tmp.;
22.06.2016 20:34:07;Real-time file system protection;file;C:\Windows\Temp\1568.tmp;a variant of Win32/MPCCleaner.A potentially unwanted application;deleted;DEADZIOR\Damian;Event occurred on a file modified by the application: C:\Users\Damian\AppData\Local\Temp\nsrE8D.tmp (B14EE942F639DB4F270591D9D2E3A94FF0AAEBBC).;F3D2A68E422FB2DE62A212EE8BFBF4234DF95197
22.06.2016 20:34:07;Real-time file system protection;file;C:\Windows\Temp\158F.tmp;a variant of Win32/Kryptik.EZQK trojan;cleaned by deleting;DEADZIOR\Damian;Event occurred on a file modified by the application: C:\Users\Damian\AppData\Local\Temp\nsrE8D.tmp (B14EE942F639DB4F270591D9D2E3A94FF0AAEBBC).;8F86C64F2427B5C0095274AA1012744B5701137C
22.06.2016 20:34:06;Real-time file system protection;file;C:\Windows\Temp\1597.tmp;Win32/TrojanDownloader.Adload.NRL trojan;cleaned by deleting;DEADZIOR\Damian;Event occurred on a file modified by the application: C:\Users\Damian\AppData\Local\Temp\nsrE8D.tmp.;
22.06.2016 20:34:06;Real-time file system protection;file;C:\Windows\Temp\1595.tmp;Win32/Adware.ConvertAd.ACA application;cleaned by deleting;DEADZIOR\Damian;Event occurred during an attempt to run the file by the application: C:\Users\Damian\AppData\Local\Temp\nsrE8D.tmp (B14EE942F639DB4F270591D9D2E3A94FF0AAEBBC).;56592A5FC527D8D2126659D3964AA8809A37C232
22.06.2016 20:34:06;Real-time file system protection;file;C:\Windows\Temp\158C.tmp;a variant of Win32/Adware.ConvertAd.ADW application;cleaned by deleting;DEADZIOR\Damian;Event occurred on a file modified by the application: C:\Users\Damian\AppData\Local\Temp\nsrE8D.tmp.;

and the MBAM log:

Malwarebytes Anti-Malware
www.malwarebytes.org

Data skanowania: 22.06.2016
Czas skanowania: 20:49
Raport:
Administrator: Tak

Wersja: 2.2.1.1043
Baza szkodliwego oprogramowania: v2016.06.22.04
Baza danych rootkitów: v2016.05.27.01
Licencja: Darmowa
Ochrona przed złośliwym oprogramowaniem: Wyłączony
Ochrona przed szkodliwymi stronami: Wyłączony
Samoobrona: Wyłączony

System operacyjny: Windows 10
Procesor: x64
System plików: NTFS
Użytkownik: Damian

Typ skanowania: Dokładne skanowanie
Wynik: Zakończono
Obiekty przeskanowane: 284060
Czas, który upłynął: 9 min, 25 s

Pamięć: Włączony
Autostart: Włączony
System plików: Włączony
Archiwa: Włączony
Rootkity: Wyłączony
Heurystyka: Włączony
PUP: Włączony
PUM: Włączony

Procesy: 0
(Nie wykryto zagrożeń)

Moduły: 0
(Nie wykryto zagrożeń)

Klucze rejestru: 4
PUP.Optional.YesSearches, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\awpNdfs, Przeniesiono do kwarantanny, [03f95ca38811f5411197cf16b9481fe1],
PUP.Optional.Downloader, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{BC800D28-3127-4043-8667-0E02D112453B}, Usunięcie-po-restarcie, [f309fe018019fc3a2fd673522fd3a060],
PUP.Optional.Downloader, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\PPI Update, Usunięcie-po-restarcie, [15e740bf2970e452ba4cc7fefb07b947],
PUP.Optional.YellowSend, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\YSPackage, Przeniesiono do kwarantanny, [d8240bf4a8f19a9cdd5714a5be45b44c],

Wartości rejestru: 3
PUP.Optional.Downloader, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{BC800D28-3127-4043-8667-0E02D112453B}|Path, \PPI Update, Usunięcie-po-restarcie, [f309fe018019fc3a2fd673522fd3a060]
Backdoor.Bot, HKU\S-1-5-21-687947402-723180617-3278915659-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|svchost0, C:\Program Files (x86)\UCBrowser\Application\UUC0789.exe, Przeniesiono do kwarantanny, [0fed7f80504947efd25610edcf331ae6]
Trojan.Boaxxe.Gen, HKU\S-1-5-21-687947402-723180617-3278915659-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Ekcstion, regsvr32.exe C:\Users\Damian\AppData\Local\Ekcstion\nznryszg.dll, Przeniesiono do kwarantanny, [21db6d92821766d0caaa6991d52e14ec]

Dane rejestru: 0
(Nie wykryto zagrożeń)

Foldery: 4
PUP.Optional.YellowSend, C:\Users\Damian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\YSPackage, Przeniesiono do kwarantanny, [8b711ae5cdcca78f79435c60857d0bf5],
PUP.Optional.CleanBrowser, C:\Program Files (x86)\CleanBrowser, Przeniesiono do kwarantanny, [a359e718bddc46f08c188b367a88fc04],
PUP.Optional.CleanBrowser, C:\Program Files (x86)\CleanBrowser\Temp, Przeniesiono do kwarantanny, [a359e718bddc46f08c188b367a88fc04],
PUP.Optional.YellowSend, C:\Users\Damian\AppData\Roaming\YSPackage, Przeniesiono do kwarantanny, [9f5d0df23f5a3ef84f873a877b875ca4],

Pliki: 18
PUP.Optional.YesSearches, C:\Program Files (x86)\Awaphhogecult\awpNdfs.xhtm5, Przeniesiono do kwarantanny, [03f95ca38811f5411197cf16b9481fe1],
HackTool.AutoKMS, C:\ProgramData\KMSAuto\bin\KMSSS.exe, Przeniesiono do kwarantanny, [41bbc837435655e18dac24269b6739c7],
PUP.Optional.YesSearches, C:\Program Files (x86)\Awaphhogecult\awpNdftes.exe, Przeniesiono do kwarantanny, [28d416e954453ff7c4e4955056abb947],
Adware.Agent, C:\Program Files (x86)\CleanBrowser\uninstall.exe, Przeniesiono do kwarantanny, [f50702fd732692a48e37571020e23bc5],
RiskWare.FilePatcher, C:\Program Files (x86)\Internet Download Manager\idm.6.23.x.retail.u7-patch.exe, Przeniesiono do kwarantanny, [a755b946d5c47eb8804b113e45bc27d9],
PUP.Optional.Amonetize, C:\Program Files (x86)\KMSPico 10.0.6\KMSPico10.1.9__8174_il63164_26.exe, Przeniesiono do kwarantanny, [57a5659afe9be0565e61697cfa07d52b],
PUP.Optional.YesSearches, C:\Program Files (x86)\Reurveding\foneph.dll, Przeniesiono do kwarantanny, [0af2ca35b6e3bd795454469fe31e41bf],
PUP.Optional.YesSearches, C:\Program Files (x86)\Reurveding\pecuk.dll, Przeniesiono do kwarantanny, [2bd1ea15c7d21e18c4e4ad38a35e5da3],
PUP.Optional.YesSearches, C:\Program Files (x86)\Reurveding_\foneph.dll, Przeniesiono do kwarantanny, [db2186794653fe387c2ceff62cd57e82],
PUP.Optional.YesSearches, C:\Program Files (x86)\Reurveding_\pecuk.dll, Przeniesiono do kwarantanny, [be3e6a951d7c76c0eeba94511fe2b14f],
PUP.Optional.PriceFountain, C:\Users\Damian\AppData\Local\Temp\in7EE26C4F\256CE221_stp\PFGRP.dll, Przeniesiono do kwarantanny, [c03cb946ddbc73c305d37944dd24758b],
Adware.Agent.WFI, C:\Windows\Temp\1594.tmp, Przeniesiono do kwarantanny, [7a823cc341585ed866483b87e120c040],
PUP.Optional.Downloader, C:\Windows\System32\Tasks\PPI Update, Przeniesiono do kwarantanny, [5ba107f8f3a6b87e1ae9873ea75b0ef2],
Backdoor.Bot, C:\Program Files (x86)\UCBrowser\Application\UUC0789.exe, Przeniesiono do kwarantanny, [0fed7f80504947efd25610edcf331ae6],
PUP.Optional.YellowSend, C:\Users\Damian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\YSPackage\Configure.lnk, Przeniesiono do kwarantanny, [8b711ae5cdcca78f79435c60857d0bf5],
PUP.Optional.CleanBrowser, C:\Program Files (x86)\CleanBrowser\uninstall.exe, Przeniesiono do kwarantanny, [a359e718bddc46f08c188b367a88fc04],
PUP.Optional.CleanBrowser, C:\Program Files (x86)\CleanBrowser\Temp\_1.zip, Przeniesiono do kwarantanny, [a359e718bddc46f08c188b367a88fc04],
PUP.Optional.Amonetize, C:\Users\Damian\AppData\Local\Temp\amipixel.cfg, Przeniesiono do kwarantanny, [8f6da45b7722cb6b9863860f14f05aa6],

Sektory fizyczne: 0
(Nie wykryto zagrożeń)


(end)


Edited by Deadzior, 22 June 2016 - 04:06 PM.
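As an added example (not from the post, and not ESET's own tooling), here is a small Python triage script for the semicolon-separated ESET export above: it reduces each verdict to a threat family and reports objects whose latest recorded action was "unable to clean" or deferred to the next restart, which is where the remnants the poster describes would show up. The sample rows are taken from the log above with the SHA-1 columns replaced by placeholders.

```python
import csv
import re
from collections import Counter
from datetime import datetime

# Header row exactly as in the ESET export in the post above; the data rows are
# copied from entries in that log, with the SHA-1 columns replaced by
# placeholders so the sample stays readable.
SAMPLE_LOG = r"""Time;Scanner;Object type;Object;Threat;Action;User;Information;Hash
22.06.2016 20:42:00;Real-time file system protection;file;C:\Users\Damian\AppData\Local\Temp\~nsu.tmp\Zu_.exe;Win32/Adware.ConvertAd.AEY application;cleaned by deleting;DEADZIOR\Damian;Event occurred on a new file created by the application: C:\Users\Damian\AppData\Roaming\YSPackage\Uninstall.exe.;
22.06.2016 20:39:25;Real-time file system protection;file;C:\Program Files (x86)\badu\uc.exe;a variant of Win32/HideBaid.L potentially unwanted application;deleted;DEADZIOR\Damian;Event occurred during an attempt to access the file by the application: C:\Windows\System32\Taskmgr.exe (HASH_TASKMGR).;HASH_UC
22.06.2016 20:38:30;Startup scanner;file;C:\Users\Damian\AppData\Roaming\YSPackage\YSPackage.exe;multiple threats;cleaned by deleting (after the next restart);DEADZIOR\Damian;;
22.06.2016 20:38:24;Startup scanner;file;C:\Program Files (x86)\badu\uc.exe;a variant of Win32/HideBaid.L potentially unwanted application;unable to clean;DEADZIOR\Damian;;HASH_UC
22.06.2016 20:36:24;Real-time file system protection;file;C:\Users\Damian\AppData\Local\Ekcstion\nznryszg.dll;a variant of Win32/Boaxxe.CO.gen trojan;cleaned by deleting;;Event occurred during an attempt to access the file.;HASH_DLL
22.06.2016 20:36:15;Real-time file system protection;file;C:\Users\Damian\AppData\Local\Ekcstion\nznryszg.dll;a variant of Win32/Boaxxe.CO.gen trojan;(after the next restart);DEADZIOR\Damian;Event occurred during an attempt to run the file by the application: C:\Windows\Temp\1588.tmp (HASH_TMP).;HASH_DLL
"""

TIME_FORMAT = "%d.%m.%Y %H:%M:%S"
# Action strings that mean the object was NOT removed at the time of the event.
PENDING_MARKERS = ("unable to clean", "after the next restart")
# platform/name token inside a verdict, e.g. "Win32/Boaxxe.CO.gen"
DETECTION_RE = re.compile(r"([A-Za-z0-9]+)/([A-Za-z0-9.]+)")


def parse_eset_log(text):
    """Parse ESET's semicolon-separated detection export into a list of dicts
    keyed by the header names (Time, Scanner, Object, Threat, Action, ...)."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    return list(csv.DictReader(lines, delimiter=";"))


def threat_family(threat):
    """Reduce a verdict such as 'a variant of Win32/Boaxxe.CO.gen trojan' to its
    family 'Win32/Boaxxe' by dropping the all-caps variant suffix and anything
    after it. Verdicts without a platform/name token are returned unchanged."""
    m = DETECTION_RE.search(threat)
    if not m:
        return threat  # e.g. "multiple threats"
    platform, name = m.group(1), m.group(2)
    kept = []
    for segment in name.split("."):
        if segment.isupper():  # variant letters such as .AEY, .L, .CO
            break
        kept.append(segment)
    return f"{platform}/{'.'.join(kept)}"


def needs_followup(entry):
    """True when ESET could not remove the object or deferred removal until the
    next reboot; these are the 'remnants' a second scan has to confirm."""
    action = entry["Action"].lower()
    return any(marker in action for marker in PENDING_MARKERS)


def unresolved_objects(entries):
    """Objects whose most recent event is still pending. ESET writes the export
    newest-first, so entries are re-sorted chronologically and only the last
    action per object decides; an object later 'deleted' counts as resolved."""
    chronological = sorted(
        reversed(entries), key=lambda e: datetime.strptime(e["Time"], TIME_FORMAT)
    )
    last_event = {}
    for entry in chronological:
        last_event[entry["Object"]] = entry
    return sorted(obj for obj, entry in last_event.items() if needs_followup(entry))


def family_counts(entries):
    """Number of events per threat family, for a quick triage summary."""
    return Counter(threat_family(e["Threat"]) for e in entries)


if __name__ == "__main__":
    events = parse_eset_log(SAMPLE_LOG)
    for family, n in family_counts(events).most_common():
        print(f"{n:3d}  {family}")
    print("still pending when the log ends:")
    for obj in unresolved_objects(events):
        print("  ", obj)
```

Run against the full export, the pending list is what to compare with the AdwCleaner findings after the reboot ESET asked for.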




#2 Deadzior

Deadzior
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:05:33 PM

Posted 22 June 2016 - 03:55 PM

And well, just now I got an update package for that UC Browser instantly sent to me and hijacked by Internet Download Manager. I blocked it of course, but that can be a clue as well.



#3 nasdaq

nasdaq

  • Malware Response Team
  • 39,214 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:33 AM

Posted 23 June 2016 - 08:51 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please remove everything found by the Malwarebytes and AdwCleaner tools.

Then run this tool and post the logs for my review.

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section at the bottom of the topic, click the "More Reply Options" button.
[image: attachlogs.png]

Attach the file.
Select "Choose a File" and navigate to the location of the file.
Click the file you wish to Attach.

Click the Add reply button.
===

#4 Deadzior

Deadzior
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:05:33 PM

Posted 23 June 2016 - 02:28 PM

Well, the issue is no more since I used Win 10 recovery with a format to the starting point. And also I couldn't delete these files detected by AdwCleaner because, as I wrote before, it just hangs and stops responding for eternity and beyond. Anyway, thanks for the helping hand nasdaq and I wish you a good day :)





