Malware that uninstalled Chrome and disabled Microsoft Edge, this is the Devil!


8 replies to this topic

#1 Petrouska

Petrouska

  • Members
  • 6 posts

Posted 17 August 2016 - 12:18 AM

Hi, 

 

I'm not an expert like you all, but I'm computer oriented, so I can follow any instructions that can help, and I REALLY need help, please... :bowdown:

 

Here is the story: I have a new computer and was trying to install a program, but ended up installing something that I don't know what it is...

HP

Windows 8

64-bit

 

I was following a tutorial from YouTube; the guy said that you must follow a link that he posted (bad idea), and he even had positive feedback!

As soon as I downloaded this, the computer started to behave differently. The first thing it did was uninstall Google Chrome!!, disable Microsoft Edge and install its own version of Microsoft Explorer, and at the moment this is the only internet browser I'm able to use... I have tried to install Chrome again and this thing uninstalls it without being noticed, don't know how.

- I ran all I could to catch this malware:

- SUPERAntiSpyware (I have the licence): initially detected the threat, but didn't really catch it...

- Malwarebytes: initially detected the threat, but didn't really catch it... this thing even uninstalled it a couple of times!!

- Installed AVG antivirus: it doesn't even run...

- I manually uninstalled all the unwanted software, adware and whatever I believe is related to this, by running the computer in safe mode.

- Installed Malwarebytes (trial) again and apparently it's not detecting any threat, but it is constantly giving me a popup alert saying that it's blocking an outbound malicious website, so I'm still infected.

 

Basically it says that the source of this outbound connection is:

IP: 109.201.148.40

Port: 53587 / 53612 / 53627 / 53645 ... (* these are a few of the different ports it is using)

Type: Outbound

Process: C:\program files(x86)incurable\japheth.exe

 

- Installed Kaspersky (trial): it's not detecting any virus.

- Tried to run ESET Online and it seems to detect 2 threats, but then it kind of freezes and goes blank... (not sure how to describe it better, but pretty much it's not working)

 

To be honest, I don't know what to do... please help... :bowdown:

 

If you need more details, please let me know.


#2 Slurppa

Slurppa

  • Malware Study Hall Senior
  • 623 posts
  • Gender:Male

Posted 17 August 2016 - 09:32 AM

Hi Petrouska, and welcome to Bleeping Computer.

Sorry to hear about your problems. Please follow the steps below to get started.

:step1:

Please upload the file
C:\program files(x86)incurable\japheth.exe
to Virustotal so we can get additional information about it.

Steps:
1. Go to VirusTotal website https://www.virustotal.com/
2. Click the Choose File button, select the file specified above and double-click it.
3. Click the Scan It button. This may take a while.
4. Once it finishes, copy the result (the address in your browser) and include it in your next post.

 

:step2:

ESET Online Scanner
  • Click here to download the installer for ESET Online Scanner and save it to your Desktop.
  • Disable all your antivirus and antimalware software - see how to do that here.
  • Right click on esetsmartinstaller_enu.exe and select Run as Administrator.
  • Place a checkmark in YES, I accept the Terms of Use, then click Start. Wait for ESET Online Scanner to load its components.
  • Select Enable detection of potentially unwanted applications.
  • Click Advanced Settings, then place a checkmark in the following:
    • Remove found threats
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click Start to begin scanning.
  • ESET Online Scanner will start downloading signatures and scan. Please be patient, as this scan can take quite some time.
  • When the scan is done, click List threats (only available if ESET Online Scanner found something).
  • Click Export, then save the file to your desktop.
  • Click Back, then Finish to exit ESET Online Scanner.
:step3:

Please download MiniToolBox, save it to your desktop and run it.
Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
  • List Devices
  • List Users, Partitions and Memory size.
  • List Minidump Files
  • List Restore Points
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.

Note: When using "Reset FF Proxy Settings" option Firefox should be closed.

Member of the Bleeping Computer A.I.I. early response team!
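
The following is an added example, not part of Slurppa's post and not a BleepingComputer or Farbar tool. It gathers from the console the facts that steps 1 and 3 above are after: identifying details for the flagged binary (the SHA-256 can be searched on VirusTotal without uploading the file), which process is talking to the flagged address, and the hosts-file, proxy and IE search-provider state that MiniToolBox reports. The file path is an assumption: the Malwarebytes alert in the first post reads "C:\program files(x86)incurable\japheth.exe", which is missing a separator, so the script uses the usual Program Files (x86) layout and should be adjusted to the exact path in your own alert. Run it from an elevated PowerShell prompt on Windows 8.1 or 10 (Get-FileHash needs PowerShell 4.0).

```powershell
# Added triage example (not from the original thread). Collects what steps 1
# and 3 ask for so the output can be pasted into a reply. Elevated prompt,
# Windows 8.1 or 10. $Suspect is an assumed normalisation of the path in the
# Malwarebytes alert; $KnownBadIp is the address from the same alert.
$Suspect    = 'C:\Program Files (x86)\incurable\japheth.exe'
$KnownBadIp = '109.201.148.40'

# 1. Identify the binary. An unsigned or hash-mismatched exe that keeps
#    removing Chrome is itself worth reporting in the thread.
if (Test-Path -LiteralPath $Suspect) {
    $item = Get-Item -LiteralPath $Suspect
    $hash = Get-FileHash -LiteralPath $Suspect -Algorithm SHA256
    $sig  = Get-AuthenticodeSignature -FilePath $Suspect
    [pscustomobject]@{
        Path      = $Suspect
        SHA256    = $hash.Hash
        SigStatus = $sig.Status                 # Valid, NotSigned, HashMismatch, ...
        Signer    = $sig.SignerCertificate.Subject
        Company   = $item.VersionInfo.CompanyName
        Product   = $item.VersionInfo.ProductName
        Created   = $item.CreationTime
    } | Format-List
} else {
    Write-Warning "No file at $Suspect; copy the exact path from the Malwarebytes alert."
}

# 2. Live connections to the flagged address, resolved to the owning image.
#    The alert listed changing local ports (53587, 53612, ...), so match on
#    the remote address rather than on a port.
Get-NetTCPConnection -RemoteAddress $KnownBadIp -ErrorAction SilentlyContinue |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalPort  = $_.LocalPort
            RemotePort = $_.RemotePort
            State      = $_.State
            Pid        = $_.OwningProcess
            Image      = $proc.Path
        }
    } | Format-Table -AutoSize

# 3. Hosts-file overrides: every active entry except comments and loopback.
$hosts = "$env:SystemRoot\System32\drivers\etc\hosts"
Get-Content -LiteralPath $hosts |
    Where-Object { $_ -match '^\s*[0-9a-fA-F:.]+\s+\S' -and $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s' }

# 4. WinINET proxy settings for the current user (what "Report IE Proxy
#    Settings" shows). ProxyEnable=1 or an AutoConfigURL on a home machine
#    is a common adware footprint.
Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' |
    Select-Object ProxyEnable, ProxyServer, AutoConfigURL

# 5. IE search providers. A hijacked default looks like a normal search URL
#    carrying an affiliate tag (pc=, ptag=, conlogo= and the like).
$scopes  = 'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes'
$default = (Get-ItemProperty -Path $scopes -Name DefaultScope -ErrorAction SilentlyContinue).DefaultScope
Get-ChildItem -Path $scopes | ForEach-Object {
    $p = Get-ItemProperty -Path $_.PSPath
    [pscustomobject]@{
        Scope       = $_.PSChildName
        IsDefault   = ($_.PSChildName -eq $default)
        DisplayName = $p.DisplayName
        URL         = $p.URL
    }
} | Format-Table -AutoSize -Wrap
```

The hash from section 1 can be pasted into the VirusTotal search box; if the file has been seen before, the report appears without the upload described in step 1. Section 2 only shows connections open at the moment it runs, so if nothing appears, leave Malwarebytes' web protection on and rerun the block the next time it raises the alert.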


#3 Petrouska

Petrouska
  • Topic Starter

  • Members
  • 6 posts

Posted 19 August 2016 - 05:14 PM

Awesome!!!

 

Thank you very much, you saved my computer...

 

Regards



#4 Petrouska

Petrouska
  • Topic Starter

  • Members
  • 6 posts

Posted 19 August 2016 - 05:24 PM

BTW here are the logs...

 

Since I don't know how to get the logs from ESET Online, here is the log from Malwarebytes; I already have this installed and it can give you an idea...

 

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 8/17/2016
Scan Time: 2:59 PM
Logfile: mwb 8.17.2016.txt
Administrator: Yes
 
Version: 2.2.1.1043
Malware Database: v2016.08.17.11
Rootkit Database: v2016.08.15.01
License: Trial
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
 
OS: Windows 8
CPU: x64
File System: NTFS
User: iphoneking
 
Scan Type: Hyper Scan
Result: Completed
Objects Scanned: 246034
Time Elapsed: 4 min, 24 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Disabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 11
PUP.Optional.WebDiscoverBrowser, HKLM\SOFTWARE\WebDiscoverBrowser, Quarantined, [3df2e6665a40d0662913ae31e41fc13f],
PUP.Optional.MultiPlug.PrxySvrRST, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{907F97CD-ECBB-42E8-AE84-220E33E87A3F}, Quarantined, [fa35e36919811323e8aa5a706d95a060],
PUP.Optional.SoftUpgrade, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{CFAF2A97-DE31-4145-BE7A-7F0B5B4CA887}, Quarantined, [c06fb09c2377b086656342b6758e35cb],
PUP.Optional.OutBrowse, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{E457A490-7CEE-43AB-8FCB-9A45FD20BDE5}, Quarantined, [f13e80cc65358aacb013e0186b9809f7],
PUP.Optional.MultiPlug.PrxySvrRST, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Da4133289941332899, Quarantined, [42ed410b8c0e44f29104ae1c32d0a15f],
PUP.Optional.SoftUpgrade, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\SoftUpgrade, Quarantined, [0a2591bb4456f640f6d302f68380b34d],
Rogue.TechSupportScam, HKU\S-1-5-21-1341227517-1067120393-3149323367-1001\SOFTWARE\drivepro, Quarantined, [220d361661392e08b0b7fcd0ae568080],
PUP.Optional.InterStat, HKU\S-1-5-21-1341227517-1067120393-3149323367-1001\SOFTWARE\InterStat, Quarantined, [5dd28cc0a0fa95a1eb08fcfc40c337c9],
PUP.Optional.Conduit, HKU\S-1-5-21-1341227517-1067120393-3149323367-1001\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472F-A0FF-E1416B8B2E3A}, Quarantined, [53dcf7557a2070c6f6b9bbe1966df10f],
PUP.Optional.SystemHealer, HKU\S-1-5-21-1341227517-1067120393-3149323367-1001\SOFTWARE\SYSTEM HEALER, Quarantined, [909f3b11aaf0bb7bca1241bc768d53ad],
PUP.Optional.InterStat, HKU\S-1-5-21-1341227517-1067120393-3149323367-1001_Classes\APPLICATIONS\interstat.exe, Quarantined, [eb4455f7edad2610279243b9e61d2ad6],
 
Registry Values: 6
PUP.Optional.MultiPlug.PrxySvrRST, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{907F97CD-ECBB-42E8-AE84-220E33E87A3F}|Path, \Da4133289941332899, Quarantined, [fa35e36919811323e8aa5a706d95a060]
PUP.Optional.SoftUpgrade, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{CFAF2A97-DE31-4145-BE7A-7F0B5B4CA887}|Path, \SoftUpgrade, Quarantined, [c06fb09c2377b086656342b6758e35cb]
PUP.Optional.OutBrowse, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{E457A490-7CEE-43AB-8FCB-9A45FD20BDE5}|Path, \PCW\PCWRunner\PCW_10008, Quarantined, [f13e80cc65358aacb013e0186b9809f7]
PUP.Optional.Conduit, HKU\S-1-5-21-1341227517-1067120393-3149323367-1001\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}|URL, http://www.bing.com/search?pc=COSP&ptag=D081116-ACD9E650145F349E890F&form=CONBDF&conlogo=CT3331974&q={searchTerms}, Quarantined, [53dcf7557a2070c6f6b9bbe1966df10f]
PUP.Optional.Conduit, HKU\S-1-5-21-1341227517-1067120393-3149323367-1001\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}|TopResultURL, http://www.bing.com/search?pc=COSP&ptag=D081116-ACD9E650145F349E890F&form=CONBDF&conlogo=CT3331974&q={searchTerms}, Quarantined, [fe319eaebddddf57c7e89efe8a79a25e]
PUP.Optional.SystemHealer, HKU\S-1-5-21-1341227517-1067120393-3149323367-1001\SOFTWARE\SYSTEM HEALER|CartURL, 1, Quarantined, [909f3b11aaf0bb7bca1241bc768d53ad]
 
Registry Data: 0
(No malicious items detected)
 
Folders: 4
PUP.Optional.DNSUnlocker.ACMB2, C:\ProgramData\4d8db61d-0757-1, Quarantined, [d25df25a8c0e9d99fbbc12b503ff8779],
PUP.Optional.DNSUnlocker.ACMB2, C:\ProgramData\4d8db61d-3361-0, Quarantined, [08270d3fdebc7abcaa0dab1c3ec403fd],
PUP.Optional.InternetMonitor, C:\Users\iphoneking\AppData\Local\CrashRpt\UnsentCrashReports\BandwidthStat_353, Quarantined, [1d1284c8f3a7f24434314c7c986ac33d],
PUP.Optional.InternetMonitor, C:\Users\iphoneking\AppData\Local\CrashRpt\UnsentCrashReports\BandwidthStat_353\Logs, Quarantined, [1d1284c8f3a7f24434314c7c986ac33d],
 
Files: 2
PUP.Optional.MultiPlug.PrxySvrRST, C:\Windows\System32\Tasks\Da4133289941332899, Quarantined, [86a9cc805b3f290d008c9b2f5aa8e51b],
PUP.Optional.SoftUpgrade, C:\Windows\System32\Tasks\SoftUpgrade, Quarantined, [2b042f1dbbdf74c24185df195ba85da3],
 
Physical Sectors: 0
(No malicious items detected)
 

(end)

Here is the MiniToolBox log:

MiniToolBox by Farbar  Version: 17-06-2016
Ran by iphoneking (administrator) on 17-08-2016 at 15:19:01
Running from "C:\Users\iphoneking\Downloads"
Microsoft Windows 10 Home  (X64)
Model: HP 15 TouchSmart Notebook PC Manufacturer: Hewlett-Packard
Boot Mode: Normal
***************************************************************************
 
========================= Flush DNS: ===================================
 
Windows IP Configuration
 
Successfully flushed the DNS Resolver Cache.
 
========================= IE Proxy Settings: ==============================
 
Proxy is not enabled.
No Proxy Server is set.
 
"Reset IE Proxy Settings": IE Proxy Settings were reset.
========================= Hosts content: =================================
162.222.194.13       cocomo.tremorhub.com
========================= IP Configuration: ================================
 
Realtek RTL8188EE 802.11 bgn Wi-Fi Adapter = Wi-Fi (Connected)
Realtek PCIe FE Family Controller = Ethernet (Media disconnected)
 

# ----------------------------------
# IPv4 Configuration
# ----------------------------------
pushd interface ipv4
 
reset
set global icmpredirects=enabled taskoffload=disabled
set interface interface="Local Area Connection* 1" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="Wi-Fi" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="Local Area Connection* 2" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="Ethernet" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
set interface interface="Local Area Connection* 3" forwarding=enabled advertise=enabled nud=enabled ignoredefaultroutes=disabled
 

popd
# End of IPv4 configuration
 
 
 
Windows IP Configuration
 
   Host Name . . . . . . . . . . . . : Mila
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : satx.rr.com
 
Ethernet adapter Ethernet:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Realtek PCIe FE Family Controller
   Physical Address. . . . . . . . . : 40-A8-F0-06-77-61
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
 
Wireless LAN adapter Local Area Connection* 2:
 
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter
   Physical Address. . . . . . . . . : 56-35-30-CE-5E-4C
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
 
Wireless LAN adapter Wi-Fi:
 
   Connection-specific DNS Suffix  . : satx.rr.com
   Description . . . . . . . . . . . : Realtek RTL8188EE 802.11bgn Wi-Fi Adapter
   Physical Address. . . . . . . . . : 54-35-30-CE-5E-4C
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2605:6000:6c41:7b00:6c3d:8b79:7982:89d4(Preferred)
   Temporary IPv6 Address. . . . . . : 2605:6000:6c41:7b00:45d9:2f51:c174:58d7(Preferred)
   Link-local IPv6 Address . . . . . : fe80::6c3d:8b79:7982:89d4%2(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.0.20(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Wednesday, August 17, 2016 3:09:24 PM
   Lease Expires . . . . . . . . . . : Thursday, August 18, 2016 3:09:29 PM
   Default Gateway . . . . . . . . . : fe80::2e30:33ff:feb6:5a8a%2
                                       192.168.0.1
   DHCP Server . . . . . . . . . . . : 192.168.0.1
   DHCPv6 IAID . . . . . . . . . . . : 72627504
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1E-BB-A6-1B-40-A8-F0-06-77-61
   DNS Servers . . . . . . . . . . . : 209.18.47.62
                                       209.18.47.61
   NetBIOS over Tcpip. . . . . . . . : Enabled
Server:  dns-cac-lb-02.rr.com
Address:  209.18.47.62
 
Name:    google.com
Addresses:  2607:f8b0:4000:801::200e
   216.58.194.110
 

Pinging google.com [2607:f8b0:4000:801::200e] with 32 bytes of data:
Request timed out.
Request timed out.
 
Ping statistics for 2607:f8b0:4000:801::200e:
    Packets: Sent = 2, Received = 0, Lost = 2 (100% loss),
Server:  dns-cac-lb-02.rr.com
Address:  209.18.47.62
 
Name:    yahoo.com
Addresses:  2001:4998:44:204::a7
   2001:4998:c:a06::2:4008
   2001:4998:58:c02::a9
   98.138.253.109
   98.139.183.24
   206.190.36.45
 

Pinging yahoo.com [2001:4998:c:a06::2:4008] with 32 bytes of data:
Request timed out.
Request timed out.
 
Ping statistics for 2001:4998:c:a06::2:4008:
    Packets: Sent = 2, Received = 0, Lost = 2 (100% loss),
 
Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
 
Ping statistics for 127.0.0.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
===========================================================================
Interface List
 18...40 a8 f0 06 77 61 ......Realtek PCIe FE Family Controller
 12...56 35 30 ce 5e 4c ......Microsoft Wi-Fi Direct Virtual Adapter
  2...54 35 30 ce 5e 4c ......Realtek RTL8188EE 802.11bgn Wi-Fi Adapter
  1...........................Software Loopback Interface 1
===========================================================================
 
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1     192.168.0.20     25
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      192.168.0.0    255.255.255.0         On-link      192.168.0.20    281
     192.168.0.20  255.255.255.255         On-link      192.168.0.20    281
    192.168.0.255  255.255.255.255         On-link      192.168.0.20    281
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link      192.168.0.20    281
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link      192.168.0.20    281
===========================================================================
Persistent Routes:
  None
 
IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  2    281 ::/0                     fe80::2e30:33ff:feb6:5a8a
  1    306 ::1/128                  On-link
  2    281 2605:6000:6c41:7b00::/56 fe80::2e30:33ff:feb6:5a8a
  2    281 2605:6000:6c41:7b00::/64 On-link
  2    281 2605:6000:6c41:7b00:45d9:2f51:c174:58d7/128
                                    On-link
  2    281 2605:6000:6c41:7b00:6c3d:8b79:7982:89d4/128
                                    On-link
  2    281 fe80::/64                On-link
  2    281 fe80::6c3d:8b79:7982:89d4/128
                                    On-link
  1    306 ff00::/8                 On-link
  2    281 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
========================= Winsock entries =====================================
 
Catalog5 01 C:\WINDOWS\SysWOW64\napinsp.dll [55808] (Microsoft Corporation)
Catalog5 02 C:\WINDOWS\SysWOW64\pnrpnsp.dll [70656] (Microsoft Corporation)
Catalog5 03 C:\WINDOWS\SysWOW64\pnrpnsp.dll [70656] (Microsoft Corporation)
Catalog5 04 C:\WINDOWS\SysWOW64\NLAapi.dll [65024] (Microsoft Corporation)
Catalog5 05 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
Catalog5 06 C:\WINDOWS\SysWOW64\winrnr.dll [23552] (Microsoft Corporation)
Catalog5 07 C:\Program Files (x86)\Bonjour\mdnsNSP.dll [121704] (Apple Inc.)
Catalog9 01 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
Catalog9 02 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
Catalog9 03 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
Catalog9 04 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
Catalog9 05 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
Catalog9 06 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
Catalog9 07 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
Catalog9 08 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
Catalog9 09 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
Catalog9 10 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
Catalog9 11 C:\WINDOWS\SysWOW64\mswsock.dll [312160] (Microsoft Corporation)
x64-Catalog5 01 C:\Windows\System32\napinsp.dll [68096] (Microsoft Corporation)
x64-Catalog5 02 C:\Windows\System32\pnrpnsp.dll [87040] (Microsoft Corporation)
x64-Catalog5 03 C:\Windows\System32\pnrpnsp.dll [87040] (Microsoft Corporation)
x64-Catalog5 04 C:\Windows\System32\NLAapi.dll [80896] (Microsoft Corporation)
x64-Catalog5 05 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog5 06 C:\Windows\System32\winrnr.dll [31744] (Microsoft Corporation)
x64-Catalog5 07 C:\Program Files\Bonjour\mdnsNSP.dll [132968] (Apple Inc.)
x64-Catalog9 01 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 02 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 03 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 04 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 05 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 06 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 07 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 08 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 09 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 10 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
x64-Catalog9 11 C:\Windows\System32\mswsock.dll [357216] (Microsoft Corporation)
 
=========================== Installed Programs ============================
 
4 Elements II (HKLM-x32\...\WTA-7d0833d6-8d83-4629-863f-2fde39dcbfd5) (Version: 2.2.0.98 - WildTangent) Hidden
7-Zip 9.20 (x64 edition) (HKLM\...\{23170F69-40C1-2702-0920-000001000000}) (Version: 9.20.00.0 - Igor Pavlov)
Adobe Acrobat Reader DC (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 15.017.20053 - Adobe Systems Incorporated)
Adobe Shockwave Player 12.0 (HKLM-x32\...\Adobe Shockwave Player) (Version: 12.0.4.144 - Adobe Systems, Inc.)
Airport Mania (HKLM-x32\...\WTA-71049ce5-2196-4fe9-a26f-b1ecd1649a83) (Version: 2.2.0.95 - WildTangent) Hidden
Azkend 2: The World Beneath (HKLM-x32\...\WTA-1a0328bf-9c61-4304-9203-a351883b3eae) (Version: 2.2.0.98 - WildTangent) Hidden
Bejeweled 3 (HKLM-x32\...\WTA-beb1d8b3-3775-46b1-b55e-14a4bb080be4) (Version: 2.2.0.98 - WildTangent) Hidden
Bonjour (HKLM\...\{6E3610B2-430D-4EB0-81E3-2B57E8B9DE8D}) (Version: 3.0.0.10 - Apple Inc.)
Bounce Symphony (HKLM-x32\...\WTA-381d0c2d-4dff-4fb9-87cd-6c331fa469f0) (Version: 2.2.0.97 - WildTangent) Hidden
Build-a-lot (HKLM-x32\...\WTA-d9ec9969-e463-4066-ab72-9dbcb3444b69) (Version: 2.2.0.98 - WildTangent) Hidden
Cradle Of Egypt Collector's Edition (HKLM-x32\...\WTA-c0f2d4ab-75dc-49e5-87b1-9fe340f4c329) (Version: 2.2.0.110 - WildTangent) Hidden
Cradle of Rome 2 (HKLM-x32\...\WTA-f8a5cb37-5db7-45cf-adf5-75dc99df08f4) (Version: 2.2.0.98 - WildTangent) Hidden
Curse at Twilight (HKLM-x32\...\WTA-50237475-4b74-429f-8656-4f4f008733fc) (Version: 3.0.2.32 - WildTangent) Hidden
CyberLink LabelPrint (HKLM-x32\...\InstallShield_{C59C179C-668D-49A9-B6EA-0121CCFC1243}) (Version: 2.5.5.6902 - CyberLink Corp.)
CyberLink Media Suite 10 (HKLM-x32\...\InstallShield_{1FBF6C24-C1fD-4101-A42B-0C564F9E8E79}) (Version: 10.0.5.3303 - CyberLink Corp.)
CyberLink Power2Go 8 (HKLM-x32\...\InstallShield_{2A87D48D-3FDF-41fd-97CD-A1E370EFFFE2}) (Version: 8.0.5.3228 - CyberLink Corp.)
CyberLink PowerDVD 12 (HKLM-x32\...\InstallShield_{B46BEA36-0B71-4A4E-AE41-87241643FA0A}) (Version: 12.0.2.3305 - CyberLink Corp.)
CyberLink YouCam (HKLM-x32\...\InstallShield_{01FB4998-33C4-4431-85ED-079E3EEFE75D}) (Version: 5.0.2.3302 - CyberLink Corp.)
Delicious: Emily's Childhood Memories Premium Edition (HKLM-x32\...\WTA-1a9be1e6-fff8-43ba-b19d-5b0e81474c44) (Version: 3.0.2.32 - WildTangent) Hidden
DisableMSDefender (HKLM\...\{74FE39A0-FB76-47CD-84BA-91E2BBB17EF2}) (Version: 1.0.0 - Hewlett-Packard Company) Hidden
Energy Star (HKLM-x32\...\{FC0ADA4D-8FA5-4452-8AFF-F0A0BAC97EF7}) (Version: 1.0.9 - Hewlett-Packard Company)
Farm Frenzy (HKLM-x32\...\WTA-c4cd4cd1-a13a-4dd3-aead-bc3924664421) (Version: 2.2.0.98 - WildTangent) Hidden
Fishdom 3: Collector's Edition (HKLM-x32\...\WTA-81a6b049-1b62-4db9-90c1-17cb2870fd90) (Version: 3.0.2.38 - WildTangent) Hidden
Governor of Poker 2 Premium Edition (HKLM-x32\...\WTA-e842f289-0f67-4eef-82da-1c1e95c3c75a) (Version: 2.2.0.110 - WildTangent) Hidden
Hewlett-Packard ACLM.NET v1.2.2.3 (HKLM-x32\...\{6F340107-F9AA-47C6-B54C-C3A19F11553F}) (Version: 1.00.0000 - Hewlett-Packard Company) Hidden
House of 1000 Doors: Family Secrets (HKLM-x32\...\WTA-eda74721-8094-4ea7-8ee5-a570f89d71c9) (Version: 2.2.0.98 - WildTangent) Hidden
HP Documentation (HKLM-x32\...\{CCE5C597-03EA-423E-BA80-6FCD280A8465}) (Version: 1.1.0.0 - Hewlett-Packard)
HP Registration Service (HKLM\...\{D1E8F2D7-7794-4245-B286-87ED86C1893C}) (Version: 1.2.7127.4628 - Hewlett-Packard)
HP SimplePass (HKLM-x32\...\InstallShield_{314FAD12-F785-4471-BCE8-AB506642B9A1}) (Version: 8.00.57 - Hewlett-Packard)
HP System Event Utility (HKLM-x32\...\{C78E8F51-3EAD-4F0C-83F0-EF371075E0B4}) (Version: 1.0.10 - Hewlett-Packard Company)
HP Utility Center (HKLM\...\{7A75E042-0D30-43C2-BD2A-684F4BE38FF7}) (Version: 2.3.1 - Hewlett-Packard Company)
HP Wireless Button Driver (HKLM-x32\...\{30B2D1D8-0A07-4B71-9553-0710C5D31E35}) (Version: 1.1.2.1 - Hewlett-Packard Company)
Inst5675 (HKLM\...\{2DE6247C-7077-451B-8BA7-FFD1A2ABBB47}) (Version: 8.00.57 - Softex Inc.) Hidden
Inst5676 (HKLM\...\{878F6913-7421-4713-97F7-0A736EE2A188}) (Version: 8.00.57 - Softex Inc.) Hidden
Intel® Manageability Engine Firmware Recovery Agent (HKLM-x32\...\{0EC7F9CC-4741-45AE-9F55-6E9343F726F5}) (Version: 1.1.0.36960 - Intel Corporation)
Intel® Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 9.5.15.1730 - Intel Corporation)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 10.18.10.4358 - Intel Corporation)
Intel® Rapid Storage Technology (HKLM\...\{409CB30E-E457-4008-9B1A-ED1B9EA21140}) (Version: 12.8.1.1000 - Intel Corporation)
Jewel Match 3 (HKLM-x32\...\WTA-2d937afd-6e6d-41a5-8629-08a46e03b439) (Version: 2.2.0.98 - WildTangent) Hidden
John Deere Drive Green (HKLM-x32\...\WTA-114d0994-8153-444d-9ef3-434a83981c0e) (Version: 2.2.0.95 - WildTangent) Hidden
Kaspersky Total Security (HKLM-x32\...\{F575F386-57EF-4943-B003-A13F13B05EEB}) (Version: 16.0.1.445 - Kaspersky Lab) Hidden
Kaspersky Total Security (HKLM-x32\...\InstallWIX_{F575F386-57EF-4943-B003-A13F13B05EEB}) (Version: 16.0.1.445 - Kaspersky Lab)
King Oddball (HKLM-x32\...\WTA-c835ebf0-8b3b-403c-911c-aa491feb78df) (Version: 3.0.2.48 - WildTangent) Hidden
Luxor Evolved (HKLM-x32\...\WTA-2b74283c-fc9f-4a25-b008-94d5439175b5) (Version: 2.2.0.98 - WildTangent) Hidden
Mahjongg Dimensions Deluxe (HKLM-x32\...\WTA-823d1f8a-bba6-4fd7-9bc2-f3422f24e0f7) (Version: 2.2.0.95 - WildTangent) Hidden
Malwarebytes Anti-Malware version 2.2.1.1043 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.1.1043 - Malwarebytes)
Microsoft Office Professional 2016 - en-us (HKLM\...\ProfessionalRetail - en-us) (Version: 16.0.7070.2033 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM-x32\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Mystery P.I. - Curious Case of Counterfeit Cove (HKLM-x32\...\WTA-803d95e4-823a-4601-8428-6708cd786195) (Version: 2.2.0.98 - WildTangent) Hidden
Office 16 Click-to-Run Extensibility Component (HKLM-x32\...\{90160000-008C-0000-0000-0000000FF1CE}) (Version: 16.0.7030.1021 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Licensing Component (HKLM\...\{90160000-008F-0000-1000-0000000FF1CE}) (Version: 16.0.7030.1021 - Microsoft Corporation) Hidden
Office 16 Click-to-Run Localization Component (HKLM-x32\...\{90160000-008C-0409-0000-0000000FF1CE}) (Version: 16.0.7030.1021 - Microsoft Corporation) Hidden
Peggle Nights (HKLM-x32\...\WTA-7352dbcb-dc7a-4742-baa8-4866c8f6c765) (Version: 2.2.0.98 - WildTangent) Hidden
Penguins! (HKLM-x32\...\WTA-70cdc77d-5442-4c90-af11-e5698174713c) (Version: 2.2.0.98 - WildTangent) Hidden
Plants vs. Zombies - Game of the Year (HKLM-x32\...\WTA-0db4a80c-37ef-4006-8ec4-99733faf0f34) (Version: 2.2.0.98 - WildTangent) Hidden
Polar Bowler (HKLM-x32\...\WTA-642c10a0-40bb-49ef-9ed1-18fa7ff821dd) (Version: 2.2.0.97 - WildTangent) Hidden
PrivaZer (HKLM-x32\...\PrivaZer) (Version: 3.0.7.0 - Goversoft LLC)
Realtek Card Reader (HKLM-x32\...\{5BC2B5AB-80DE-4E83-B8CF-426902051D0A}) (Version: 6.2.9200.29070 - Realtek Semiconductor Corp.)
Realtek Ethernet Controller All-In-One Windows Driver (HKLM-x32\...\{F7E7F0CB-AA41-4D5A-B6F2-8E6738EB063F}) (Version: 8.20.815.2013 - Realtek)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7032 - Realtek Semiconductor Corp.)
REALTEK Wireless LAN Driver (HKLM-x32\...\{A5107464-AA9B-4177-8129-5FF2F42DD322}) (Version: 1.00.12.0906 - REALTEK Semiconductor Corp.)
Roads of Rome 3 (HKLM-x32\...\WTA-60fb917e-41ee-42cc-bc82-980e8c83dbbe) (Version: 2.2.0.98 - WildTangent) Hidden
Sdrive 2.5.8 (HKLM-x32\...\{74048A6E-4BAB-4F5F-8382-651C88F085B8}_is1) (Version: 2.5.8 - Seagate)
Seagate Dashboard (HKLM-x32\...\{EA266F00-A8E7-43A0-8DED-FBFE3F076934}) (Version: 4.4.19.0 - Seagate)
SUPERAntiSpyware (HKLM\...\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}) (Version: 6.0.1222 - SUPERAntiSpyware.com)
swMSM (HKLM-x32\...\{612C34C7-5E90-47D8-9B5C-0F717DD82726}) (Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
Synaptics Pointing Device Driver (HKLM\...\SynTPDeinstKey) (Version: 19.2.4.0 - Synaptics Incorporated)
Tales of Lagoona (HKLM-x32\...\WTA-86a9add7-86f2-4919-a88c-ce5a784bef9d) (Version: 2.2.0.110 - WildTangent) Hidden
Update Installer for WildTangent Games App (HKLM-x32\...\{2FA94A64-C84E-49d1-97DD-7BF06C7BBFB2}.WildTangent Games App) (Version:  - WildTangent) Hidden
Vacation Quest™ - Australia (HKLM-x32\...\WTA-9dbdeaa4-20e7-4b1f-bede-cd208701438c) (Version: 3.0.2.32 - WildTangent) Hidden
Visual Studio 2012 x64 Redistributables (HKLM\...\{8C775E70-A791-4DA8-BCC3-6AB7136F4484}) (Version: 14.0.0.1 - AVG Technologies)
Visual Studio 2012 x86 Redistributables (HKLM-x32\...\{98EFF19A-30AB-4E4B-B943-F06B1C63EBF8}) (Version: 14.0.0.1 - AVG Technologies CZ, s.r.o.)
WildTangent Games (HKLM-x32\...\WildTangent wildgames Master Uninstall) (Version: 1.0.4.0 - WildTangent)
WildTangent Games App (HP Games) (HKLM-x32\...\{70B446D1-E03B-4ab0-9B3C-0832142C9AA8}.WildTangent Games App-hp) (Version: 4.0.10.15 - WildTangent) Hidden
Window Rules Manager (HKLM-x32\...\Window Rules Manager) (Version: 1.66 - Waveicon Inc.)
Youda Jewel Shop (HKLM-x32\...\WTA-a9a784c2-345e-443b-a24a-e95c99979541) (Version: 3.0.2.32 - WildTangent) Hidden
Zuma's Revenge (HKLM-x32\...\WTA-be74fce9-9a24-473a-8a95-15dffc28defe) (Version: 2.2.0.98 - WildTangent) Hidden
 
========================= Devices: ================================
 

========================= Memory info: ===================================
 
Percentage of memory in use: 41%
Total physical RAM: 6036.27 MB
Available physical RAM: 3503.51 MB
Total Virtual: 7188.27 MB
Available Virtual: 4740.07 MB
 
========================= Partitions: =====================================
 
1 Drive c: (Windows) (Fixed) (Total:445.62 GB) (Free:401.78 GB) NTFS
2 Drive d: (RECOVERY) (Fixed) (Total:18.58 GB) (Free:1.91 GB) NTFS
4 Drive f: (Sdrive) (Removable) (Total:1 GB) (Free:1 GB) FAT32
5 Drive h: () (Removable) (Total:1.86 GB) (Free:0.18 GB) FAT
6 Drive s: (Sdrive) (Network) (Total:1 GB) (Free:1 GB) FAT32
7 Drive z: (Public) (Network) (Total:2745.91 GB) (Free:2714.12 GB) NTFS
 
========================= Users: ========================================
 
User accounts for \\MILA
 
Administrator            DefaultAccount           Guest                   
iphoneking              
 
========================= Minidump Files ==================================
 
No minidump file found
 
========================= Restore Points ==================================
 
11-08-2016 18:29:38 Windows Live Essentials
11-08-2016 18:30:14 WLSetup
17-08-2016 03:17:56 Windows Update
 
**** End of log ****


#5 Slurppa (Malware Study Hall Senior, 623 posts)

Posted 22 August 2016 - 08:43 AM

Hi Petrouska

Sorry for the delay.

You appear to have had a lot of PUP/adware software on your computer. While they are not harmful like other malware, they take up your system resources.
PUP software is usually bundled with free programs in order to generate revenue for the developer and is usually a hidden option in the installer, so be careful with all the dialogs when installing software.
You can find more information about PUPs here.


Step 1: Emsisoft Emergency Kit
  • Click here to download Emsisoft Emergency Kit. The download will automatically start after a moment.
  • Save EmsisoftEmergencyKit.exe to your Desktop.
  • Double-click on EmsisoftEmergencyKit.exe (Windows Vista/7/8 users: accept the UAC warning if it is enabled).
  • Leave everything as it is, then click Extract. This will unpack Emsisoft Emergency Kit to the EEK folder located in the root of the drive (usually C:\).
  • Once the extraction is done, an icon will appear on your Desktop. Double-click it to start Emsisoft Emergency Kit.
  • Wait for Emsisoft Emergency Kit to finish loading signatures.
  • Choose Yes, then wait for EEK to finish updating.
  • Choose Malware Scan under the Scan button. When EEK asks to activate PUP detection, choose Yes.
  • Wait for the scan to finish.
  • If EEK detects something, all detected items will be displayed. Place a checkmark before everything, then choose Quarantine Selected.
  • If Emsisoft Emergency Kit asks to reboot, please do so immediately.
  • The scan log is located in Logs -> Scan Logs. Click on the entry of the latest scan, choose Export and save the report on your Desktop.
  • Please copy and paste the contents of the scan log in your next reply.
 
Step 2: AdwCleaner
Please download AdwCleaner by Xplode and save it to your Desktop.
  • Double-click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users: right-click and select Run As Administrator.
  • The tool will start to update its database... please wait until this is complete.
  • Click on the Scan button.
  • AdwCleaner will begin... be patient, as the scan may take some time to complete.
  • After the scan has finished, click on the Logfile button... a report (AdwCleaner[SX].txt) will open in Notepad (where the largest value of X represents the most recent report).
  • After reviewing the log, click on the Clean button.
  • Press OK when asked to close all programs and follow the on-screen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[CX].txt) will open automatically (where the largest value of X represents the most recent report).
  • Copy and paste the contents of AdwCleaner[CX].txt in your next reply.
  • Copies of all logfiles are saved to C:\AdwCleaner.
 
Step 3: Junkware Removal Tool
Please download Junkware Removal Tool to your Desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, 8, 8.1 or 10, instead of double-clicking, right-click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient, as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your Desktop and will automatically open.
  • Post the contents of JRT.txt in your next message.

Member of the Bleeping Computer A.I.I. early response team!


#6 Petrouska (Topic Starter, Members, 6 posts)

Posted 25 August 2016 - 02:03 PM

Hi,

You were so right! I thought that this nightmare had ended, the computer seemed to be back to normal, but it has not... I followed all your instructions and it's amazing how many more things were hidden.

I still have one concern: Google Chrome is still uninstalling by itself every other day or so.

Before I shut down the computer everything seems to be fine with Chrome; then when I go back the next day and turn on the computer, Chrome is totally uninstalled from the computer! I go and install it again, and all my preferred settings load as if nothing happened. I mean, my email is already logged in, bookmarks are there, browsing history, it is even able to restore the previous session, etc.

When I ran AdwCleaner the Google Chrome icon disappeared from the desktop in front of my eyes, and when I checked it was uninstalled. Not sure if AdwCleaner uninstalled it or if this is a kind of side effect of the virus.

I installed it again and this time realized that there was an unknown user logged into the Chrome settings in addition to me. I disabled and deleted that user, so let's see if the problems continue in the following days... perhaps you have something to suggest about this.

Please see below the logs (BTW, I ran all of them twice to make sure everything is fine...)
 
Emsisoft Emergency Kit - Version 11.9
Last update: 8/24/2016 5:07:34 PM
User account: MILA\iphoneking
Computer name: MILA
OS version: Windows 10x64
 
Scan settings:
 
Scan type: Malware Scan
Objects: Rootkits, Memory, Traces, Files
 
Detect PUPs: On
Scan archives: Off
ADS Scan: On
File extension filter: Off
Advanced caching: On
Direct disk access: Off
 
Scan start: 8/24/2016 5:08:08 PM
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\11598763487076930564  detected: Application.AppInstall (A)
C:\Program Files (x86)\SoftUpgrade  detected: Application.AdSoft (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{DD05B915-F77B-474A-9D42-9FEEAF5475C4}  detected: Application.AdCons (A)
C:\Program Files (x86)\winrule\winruletask.exe  detected: Trojan.GenericKD.3477323 (B)
C:\Program Files (x86)\winrule\winruletask_.exe  detected: Trojan.GenericKD.3467293 (B)
 
Scanned 73995
Found 5
 
Scan end: 8/24/2016 5:14:36 PM
Scan time: 0:06:28
 
C:\Program Files (x86)\winrule\winruletask_.exe  Trojan.GenericKD.3467293 (B)
C:\Program Files (x86)\winrule\winruletask.exe  Trojan.GenericKD.3477323 (B)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{DD05B915-F77B-474A-9D42-9FEEAF5475C4}  Application.AdCons (A)
C:\Program Files (x86)\SoftUpgrade  Application.AdSoft (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\11598763487076930564  Application.AppInstall (A)
 
Quarantined 5
 
# AdwCleaner v6.000 - Logfile created 24/08/2016 at 17:26:16
# Updated on 12/08/2016 by ToolsLib
# Database : 2016-08-24.1 [Server]
# Operating System : Windows 10 Home  (X64)
# Username : iphoneking - MILA
# Running from : C:\Users\iphoneking\Downloads\AdwCleaner.exe
# Mode: Clean
# Support : https://toolslib.net/forum
 
 
 
***** [ Services ] *****
 
 
 
***** [ Folders ] *****
 
[-] Folder deleted: C:\WINDOWS\SysNative\Tasks\PCW
 

***** [ Files ] *****
 
[-] File deleted: C:\WINDOWS\SysNative\LavasoftTcpService64.dll
[-] File deleted: C:\WINDOWS\SysNative\LavasoftTcpServiceOff.ini
[-] File deleted: C:\WINDOWS\SysWOW64\lavasofttcpservice.dll
[-] File deleted: C:\WINDOWS\SysWOW64\LavasoftTcpServiceOff.ini
 

***** [ DLL ] *****
 
 
 
***** [ WMI ] *****
 
 
 
***** [ Shortcuts ] *****
 
 
 
***** [ Scheduled Tasks ] *****
 
 
 
***** [ Registry ] *****
 
[-] Key deleted: HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.DataContainer
[-] Key deleted: HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.DataContainer.1
[-] Key deleted: HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.DataController
[-] Key deleted: HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.DataController.1
[-] Key deleted: HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.DataTable
[-] Key deleted: HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.DataTable.1
[-] Key deleted: HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.DataTableFields
[-] Key deleted: HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.DataTableFields.1
[-] Key deleted: HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.DataTableHolder
[-] Key deleted: HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.DataTableHolder.1
[-] Key deleted: HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.LSPLogic
[-] Key deleted: HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.LSPLogic.1
[-] Key deleted: HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.ReadOnlyManager
[-] Key deleted: HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.ReadOnlyManager.1
[-] Key deleted: HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.WFPController
[-] Key deleted: HKLM\SOFTWARE\Classes\LavasoftTcpServiceLib.WFPController.1
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{0015CAC9-FC30-4CD0-BFAA-7412CC2C4DD9}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{26C7AFDB-3690-449E-B979-B0AF5CC56DD4}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{3A5A5381-DAAF-4C0D-B032-2C66B3EE4A8D}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{472EF1D2-4AAE-470D-AE85-6AF8177916FD}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{8F010D54-C023-457F-AF03-497EACB6D519}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{9A754403-27B1-4ED7-96D7-588F07888EBF}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{CB31FF8F-BF80-4D2B-ADBE-12C6F5347890}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{FCAA532B-E807-4027-940C-BA16B9D50105}
[-] Key deleted: HKLM\SOFTWARE\Classes\Interface\{06306AA5-80A1-4260-A9A3-A8E10F6AA8B7}
[-] Key deleted: HKLM\SOFTWARE\Classes\TypeLib\{ED62BC6E-64F1-46BE-866F-4C8DC0DF7057}
[-] Value deleted: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID [{B0932222-51E2-47D1-A4EF-CB10AE7DF086}]
[-] Key deleted: HKU\S-1-5-21-1341227517-1067120393-3149323367-1001\Software\INSTALLPATH\STATUS
[-] Key deleted: HKU\S-1-5-21-1341227517-1067120393-3149323367-1001\Software\winmnt
[#] Key deleted on reboot: HKCU\Software\INSTALLPATH\STATUS
[#] Key deleted on reboot: HKCU\Software\winmnt
[-] Key deleted: HKLM\SOFTWARE\Lavasoft\Web Companion
[-] Key deleted: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Online-IO
[-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\DOMStorage\govids.net
[-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\DOMStorage\www.govids.net
[-] Key deleted: HKLM\SYSTEM\CurrentControlSet\Control\Class\{0C95ABFE-4FB6-49DB-B22F-0E1F5FC4BEEC}
[-] Key deleted: HKLM\SYSTEM\CurrentControlSet\Control\Class\{EEEFACB3-729F-4484-B66D-E7A7917BBFC1}
[-] Key deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\webcompanion.com
 

***** [ Web browsers ] *****
 
 
 
*************************
 
:: "Tracing" keys deleted
:: Winsock settings cleared
 
*************************
 
C:\AdwCleaner\AdwCleaner[C0].txt - [4177 Bytes] - [24/08/2016 17:26:16]
C:\AdwCleaner\AdwCleaner[S0].txt - [6049 Bytes] - [24/08/2016 17:19:28]
 
########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt - [4323 Bytes] ##########
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.7 (07.03.2016)
Operating System: Windows 10 Home x64
Ran by iphoneking (Administrator) on Wed 08/24/2016 at 18:54:11.81
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 

File System: 0
 
 
 

Registry: 0
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Wed 08/24/2016 at 18:57:13.29
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


#7 Petrouska (Topic Starter, Members, 6 posts)

Posted 25 August 2016 - 02:05 PM

This is the second try, and only AdwCleaner found something else...

 

# AdwCleaner v6.000 - Logfile created 24/08/2016 at 18:49:26
# Updated on 12/08/2016 by ToolsLib
# Database : 2016-08-24.2 [Server]
# Operating System : Windows 10 Home  (X64)
# Username : iphoneking - MILA
# Running from : C:\Users\iphoneking\Downloads\AdwCleaner.exe
# Mode: Clean
# Support : https://toolslib.net/forum
 
 
 
***** [ Services ] *****
 
 
 
***** [ Folders ] *****
 
 
 
***** [ Files ] *****
 
 
 
***** [ DLL ] *****
 
 
 
***** [ WMI ] *****
 
 
 
***** [ Shortcuts ] *****
 
 
 
***** [ Scheduled Tasks ] *****
 
 
 
***** [ Registry ] *****
 
 
 
***** [ Web browsers ] *****
 
 
 
*************************
 
:: "Tracing" keys deleted
:: Winsock settings cleared
 
*************************
 
C:\AdwCleaner\AdwCleaner[C0].txt - [4402 Bytes] - [24/08/2016 17:26:16]
C:\AdwCleaner\AdwCleaner[C2].txt - [811 Bytes] - [24/08/2016 18:49:26]
C:\AdwCleaner\AdwCleaner[S0].txt - [6049 Bytes] - [24/08/2016 17:19:28]
C:\AdwCleaner\AdwCleaner[S1].txt - [3085 Bytes] - [24/08/2016 18:36:28]
 
########## EOF - C:\AdwCleaner\AdwCleaner[C2].txt - [1029 Bytes] ##########


#8 Petrouska (Topic Starter, Members, 6 posts)

Posted 26 August 2016 - 01:58 PM

Just want to update that Google Chrome is still uninstalling, now every time I shut down or restart the computer. This is becoming a bit annoying... the bad thing is that I really like to use Chrome; I wish you could help me solve this :(
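A browser that is uninstalled again after every shutdown or restart points at something that still runs at boot, logon or shutdown, not at a leftover file. The thread's own evidence gives a starting point: the installed-programs list shows "Window Rules Manager" from "Waveicon Inc.", the Emsisoft log quarantined C:\Program Files (x86)\winrule\winruletask.exe and C:\Program Files (x86)\SoftUpgrade, and AdwCleaner removed HKCU\Software\winmnt and the LavasoftTcpService (Web Companion) components. The script below is an added example, not part of the thread or of any of the tools the helper recommended; it enumerates the common persistence locations on Windows 8/10 and flags entries that reference those names. The indicator list, the output path and the choice of locations are assumptions for illustration; run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the thread): hunt for persistence that could re-run a
# dropper or uninstaller at boot, logon or shutdown. Run in an elevated PowerShell
# on Windows 8/10. The indicator list is an assumption built from the names in the
# thread's scan logs; extend it with whatever your own logs name.
$indicators = @('winrule', 'winmnt', 'SoftUpgrade', 'Waveicon', 'LavasoftTcpService', 'Web Companion')
$regex = ($indicators | ForEach-Object { [regex]::Escape($_) }) -join '|'
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Source, [string]$Location, [string]$Detail) {
    $findings.Add([pscustomobject]@{
        Source     = $Source
        Location   = $Location
        Detail     = $Detail
        Suspicious = [bool]("$Location $Detail" -match $regex)
    })
}

# 1. Scheduled tasks: flag any task whose action references an indicator, plus
#    non-Microsoft tasks that fire at boot or logon, for manual review.
foreach ($task in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
    $cmd = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' ; '
    $atStartup = [bool]($task.Triggers | Where-Object { $_.CimClass.CimClassName -match 'BootTrigger|LogonTrigger' })
    if ($cmd -match $regex -or ($atStartup -and $task.Author -notmatch 'Microsoft')) {
        Add-Finding 'ScheduledTask' ($task.TaskPath + $task.TaskName) $cmd
    }
}

# 2. Run / RunOnce keys in both hives, including the 32-bit (WOW6432Node) view
#    that the Emsisoft detections live under.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PowerShell's PSPath/PSParentPath metadata
        Add-Finding 'RunKey' "$key\$($prop.Name)" ([string]$prop.Value)
    }
}

# 3. Local Group Policy startup/shutdown/logon/logoff scripts: a shutdown script
#    is the hook that matches "Chrome is gone after every restart".
$gpoRoot = "$env:SystemRoot\System32\GroupPolicy"
if (Test-Path $gpoRoot) {
    Get-ChildItem -Path $gpoRoot -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.FullName -match '\\Scripts\\' } |
        ForEach-Object {
            $head = (Get-Content -Path $_.FullName -TotalCount 5 -ErrorAction SilentlyContinue) -join ' | '
            Add-Finding 'GpoScript' $_.FullName $head
        }
}

# 4. Services whose binary path references an indicator.
Get-CimInstance -ClassName Win32_Service | Where-Object { $_.PathName -match $regex } | ForEach-Object {
    Add-Finding 'Service' $_.Name $_.PathName
}

# 5. Permanent WMI event subscriptions: rare on a home PC, so report every one.
foreach ($class in 'CommandLineEventConsumer', 'ActiveScriptEventConsumer') {
    Get-CimInstance -Namespace root\subscription -ClassName $class -ErrorAction SilentlyContinue | ForEach-Object {
        $body = if ($_.CommandLineTemplate) { $_.CommandLineTemplate } else { $_.ScriptText }
        Add-Finding 'WmiConsumer' "$class\$($_.Name)" ([string]$body)
    }
}

# 6. Remnants named in the scan logs: if these come back after quarantine,
#    something is still re-dropping them.
$remnants = @(
    "${env:ProgramFiles(x86)}\winrule",
    "${env:ProgramFiles(x86)}\SoftUpgrade",
    'HKCU:\Software\winmnt',
    'HKCU:\Software\INSTALLPATH',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\11598763487076930564'
)
foreach ($path in $remnants) {
    if (Test-Path $path) { Add-Finding 'Remnant' $path 'still present after cleanup' }
}

$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize -Wrap
$findings | Export-Csv -Path "$env:USERPROFILE\Desktop\persistence-hunt.csv" -NoTypeInformation
```

The CSV is meant to be posted alongside the scan logs rather than acted on blindly: a Run-key or task entry that launches an unfamiliar executable from a user-writable directory is the thing to quarantine, while a Microsoft-authored logon task is normal and is only listed so it can be checked. Whatever the script flags, the helper's advice to move to the full malware-removal forum with FRST-style logs still stands, since a scheduled task or WMI consumer that re-drops a file is exactly what those deeper logs capture.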



#9 Slurppa (Malware Study Hall Senior, 623 posts)

Posted 27 August 2016 - 07:39 AM

Hi

I would prefer if we took a closer look into your machine at this point in order to eliminate all possible infections.

Please follow the instructions in ==>This Guide<== starting at Step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<== Please include a description of your computer issues, what you have done to resolve them, and a link to this topic.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

Member of the Bleeping Computer A.I.I. early response team!




