infected with keylogger / psw stealer


  • This topic is locked
14 replies to this topic

#1 peter45w

peter45w

  • Members
  • 7 posts
  • OFFLINE
  • Local time:04:06 PM

Posted 03 February 2017 - 12:14 PM

Hello,

 

My PC has really been dragging and acting up, I've done all the scans: Avast scan, Malwarebytes scan, AdwCleaner scan, CCleaner, etc....

Some of my passwords have been changed, some of my content has been edited. All of my passwords were random unique passwords.

Attached Files


Edited by peter45w, 03 February 2017 - 12:17 PM.



#2 olgun52

olgun52

  • Malware Response Team
  • 3,792 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:06 PM

Posted 03 February 2017 - 06:17 PM

Hello peter45w and Welcome to the BleepingComputer. :welcome:

My name is Yılmaz and I'll help you with the cleanup of malware from your computer.

Before we move on, please read the following points carefully.

  • Please complete all steps in the specified order.
  • Even if tools don't find malware, I want you to post the logfiles anyway.
  • Please copy and paste the logfiles directly into your posts. Please do not attach them unless you are instructed to do so.
  • Read the instructions carefully. If you have problems, stop what you were doing and describe the problems you encountered as precisely as you can.
  • Don't install or uninstall software during the cleanup unless you are told to do so.
  • Ensure your external and/or USB drives are always inserted during the scan.
  • If you can't answer for the next few days, please let me know. If you haven't answered within 5 days, I am assuming that you don't need help anymore and your topic will be closed.
  • If you have illegal/cracked software, cracks, keygens, etc. on the system, please remove or uninstall them now!
  • I can not guarantee that we will find and be able to remove all malware. The cleaning process is not instant. Please continue to review my answers until I tell you that your computer is clean
  • Please reply to this thread. Do not start a new topic
  • As my first language is not English, please do not use slang or idioms. It could be hard for me to understand.
  • Please open the computer as administrator. How to open the computer as administrator?
  • Disable your AntiVirus and AntiSpyware applications, as they will interfere with our tools and the removal. If you are unsure how to do this, please get help here.

Thanks
 

 

You should not use TeamViewer software.
Please remove it.

 

There are no problems with your file extensions. Impossible to read: are there files being encrypted by ransomware, or encrypted documents?
 

Please do the following.

 

Download CKScanner from here
Important : Save it to your desktop.

  • Double-click CKScanner.exe and click Search For Files. (If you have Windows Vista / Windows 7 / Windows 8, please right-click CKScanner.exe and select Run as Administrator.)
  • After a very short time, when the cursor hourglass disappears, click Save List To File.
  • A message box will verify that the file is saved.
  • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.

Sincerely. :hello:


Edited by olgun52, 03 February 2017 - 06:25 PM.

Best regards
 
If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you. :thumbup2:
Malware fix forum
If I don't reply within 24 hours please PM me!

 


 


#3 peter45w

peter45w
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:04:06 PM

Posted 03 February 2017 - 09:19 PM

Hello, thanks for the fast answer, my English is kind of broken so..
 
I never set up TeamViewer, I just have it and start it sometimes (with the "start once" feature), but I will remove the setup file. Or tell me what I can do to erase any trace of TeamViewer from my computer.
 
Also there is no ransomware encrypting my files, or any encrypted document....
 
 
CKScanner 2.5 - Additional Security Risks - These are not necessarily bad
c:\program files\conexant\cnxt_audio_hda\epkeys.ini
c:\program files (x86)\steam\steamapps\common\dc universe online\unreal3\dcgame\cookedpc\character\geargroup\helmet\dhelmetnutcracker1acr.upk
c:\program files (x86)\steam\steamapps\common\dc universe online\unreal3\dcgame\cookedpc\character\geargroup\helmet\dhelmetnutcracker1mes.upk
c:\program files (x86)\steam\steamapps\common\dc universe online\unreal3\dcgame\cookedpc\character\geargroup\helmet\dhelmetnutcracker1mon.upk
c:\program files (x86)\steam\steamapps\common\dc universe online\unreal3\dcgame\cookedpc\character\geargroup\helmet\dhelmetnutcracker1spr.upk
c:\program files (x86)\steam\steamapps\common\dc universe online\unreal3\dcgame\cookedpc\character\geargroup\helmet\dhelmetnutcracker1stk.upk
c:\program files (x86)\steam\steamapps\common\dc universe online\unreal3\dcgame\cookedpc\character\geargroup\helmet\dhelmetnutcracker1thg.upk
c:\program files (x86)\steam\steamapps\common\dc universe online\unreal3\dcgame\cookedpc\character\geargroup\helmet\dhelmetnutcracker2acr.upk
c:\program files (x86)\steam\steamapps\common\dc universe online\unreal3\dcgame\cookedpc\character\geargroup\helmet\dhelmetnutcracker2mes.upk
c:\program files (x86)\steam\steamapps\common\dc universe online\unreal3\dcgame\cookedpc\character\geargroup\helmet\dhelmetnutcracker2mon.upk
c:\program files (x86)\steam\steamapps\common\dc universe online\unreal3\dcgame\cookedpc\character\geargroup\helmet\dhelmetnutcracker2spr.upk
c:\program files (x86)\steam\steamapps\common\dc universe online\unreal3\dcgame\cookedpc\character\geargroup\helmet\dhelmetnutcracker2stk.upk
c:\program files (x86)\steam\steamapps\common\dc universe online\unreal3\dcgame\cookedpc\character\geargroup\helmet\dhelmetnutcracker2thg.upk
c:\program files (x86)\steam\steamapps\common\dc universe online\unreal3\dcgame\cookedpc\character\geargroup\helmet\dhelmetnutcracker3acr.upk
c:\program files (x86)\steam\steamapps\common\dc universe online\unreal3\dcgame\cookedpc\character\geargroup\helmet\dhelmetnutcracker3mes.upk
c:\program files (x86)\steam\steamapps\common\dc universe online\unreal3\dcgame\cookedpc\character\geargroup\helmet\dhelmetnutcracker3mon.upk
c:\program files (x86)\steam\steamapps\common\dc universe online\unreal3\dcgame\cookedpc\character\geargroup\helmet\dhelmetnutcracker3spr.upk
c:\program files (x86)\steam\steamapps\common\dc universe online\unreal3\dcgame\cookedpc\character\geargroup\helmet\dhelmetnutcracker3stk.upk
c:\program files (x86)\steam\steamapps\common\dc universe online\unreal3\dcgame\cookedpc\character\geargroup\helmet\dhelmetnutcracker3thg.upk
c:\program files (x86)\steam\steamapps\common\dc universe online\unreal3\dcgame\cookedpc\dcfxgroups\power\electric\dcfxpowele_thundercrack_imp.upk
c:\swsetup\drv\audio\conexant\conexanth_mmdrb2\10.0.684.45\src\audio\x64\epkeys.ini
c:\swsetup\drv\audio\conexant\conexanth_mmdrb2\10.0.684.45\src\audio\x86\epkeys.ini
c:\users\phoenix\desktop\gpg4usb\help\docu_keygen.html
c:\windows\cnxt\rollback\oem22.inf\epkeys.ini
c:\windows\cnxt\rollback\oem23.inf\epkeys.ini
c:\windows\cnxt\rollback\oem67.inf\epkeys.ini
c:\windows\system32\driverstore\filerepository\cisstrt.inf_amd64_86403948048494e5\epkeys.ini
scanner sequence 3.ZZ.11.HWCAU0
 ----- EOF ----- 
 

Edited by peter45w, 03 February 2017 - 09:21 PM.


#4 olgun52

olgun52

  • Malware Response Team
  • 3,792 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:06 PM

Posted 04 February 2017 - 03:23 AM

Hi peter45w,

 

I understand, thanks.

 

Did you install NordVPN in the past? Or do you use a proxy?

====================================================================

Please do the following;

 

Step 1:

Run FRST fixlist

  • Please open notepad (Start > All Programs > Accessories > Notepad)
  • Copy the entire contents of the code box below (Do not copy the word 'code') to Notepad.
  • Save it to the Desktop, and name it: fixlist.txt
CreateRestorePoint:
CloseProcesses:

HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-1199084194-2178762476-723503590-1001\...\MountPoints2: {94c35a44-49b9-11e6-9bd9-08d40c2d87b3} - "G:\setup.exe"
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
C:\Users\phoenix\AppData\Local\Temp
R2 ibtsiva; %SystemRoot%\system32\ibtsiva [X]
S3 xhunter1; C:\WINDOWS\xhunter1.sys [36808 2016-10-26] (Wellbia.com Co., Ltd.)
U1 npcap; pas de ImagePath
AlternateDataStreams: C:\Users\phoenix:Heroes & Generals [38]
AlternateDataStreams: C:\Users\phoenix\Desktop\html(4).rar:$CmdZnID [26]
(hxxp://www.ruby-lang.org/) C:\Users\phoenix\AppData\Local\Temp\ocrDF5E.tmp\bin\rubyw.exe
(hxxp://www.ruby-lang.org/) C:\Users\phoenix\AppData\Local\Temp\ocr145F.tmp\bin\rubyw.exe
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://hp15-comm.msn.com/?pc=HRTE
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://hp15-comm.msn.com/?pc=HRTE
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://hp15-comm.msn.com/?pc=HRTE
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://hp15-comm.msn.com/?pc=HRTE
HKU\S-1-5-21-1199084194-2178762476-723503590-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://hp15-comm.msn.com/?pc=HRTE
HKU\S-1-5-21-1199084194-2178762476-723503590-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://hp15-comm.msn.com/?pc=HRTE
CHR HKLM-x32\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - hxxps://clients2.google.com/service/update2/crx
C:\Users\Public\VOIP.dat
2017-02-01 22:05 - 2016-11-19 21:16 - 00000000 ____D C:\Users\phoenix\AppData\Roaming\TeamViewer
C:\Users\phoenix\AppData\Roaming\ASSDraw3.cfg

CMD: ipconfig /flushdns
EmptyTemp:
Hosts:
Reboot:
End

NOTICE: This script is written specifically for this computer!!!

  • Running this on another computer may cause damage to the Operating System.
  • Now, please run FRST, and press the Fix button, just once, and wait.
  • When done, the tool creates a report on the Desktop called: Fixlog.txt

>> Please post the Fixlog.txt in your reply.

 

Step 2:
 Please download AdwCleaner by Xplode onto your desktop.

  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan, then Clean.
  • A logfile will automatically open after the scan has finished.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

Step 3:
Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista / 7 / 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

 

Regards

Yılmaz


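To make sense of what that fixlist asks FRST to do, here is an added Python example (not code from this thread, from FRST, or from its author) that classifies each line of the fixlist above and maps it to the action FRST takes for that kind of line, as the Fixlog posted later in the thread records. The category names and the ACTIONS table are the example's own wording; the input is the fixlist from this post, embedded verbatim.

```python
import re
from collections import Counter

# Input: the fixlist lines from the post above, pasted here so the script runs
# offline. A raw string keeps the Windows backslashes intact.
FIXLIST = r"""CreateRestorePoint:
CloseProcesses:

HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-1199084194-2178762476-723503590-1001\...\MountPoints2: {94c35a44-49b9-11e6-9bd9-08d40c2d87b3} - "G:\setup.exe"
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
C:\Users\phoenix\AppData\Local\Temp
R2 ibtsiva; %SystemRoot%\system32\ibtsiva [X]
S3 xhunter1; C:\WINDOWS\xhunter1.sys [36808 2016-10-26] (Wellbia.com Co., Ltd.)
U1 npcap; pas de ImagePath
AlternateDataStreams: C:\Users\phoenix:Heroes & Generals [38]
AlternateDataStreams: C:\Users\phoenix\Desktop\html(4).rar:$CmdZnID [26]
(hxxp://www.ruby-lang.org/) C:\Users\phoenix\AppData\Local\Temp\ocrDF5E.tmp\bin\rubyw.exe
(hxxp://www.ruby-lang.org/) C:\Users\phoenix\AppData\Local\Temp\ocr145F.tmp\bin\rubyw.exe
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://hp15-comm.msn.com/?pc=HRTE
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://hp15-comm.msn.com/?pc=HRTE
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://hp15-comm.msn.com/?pc=HRTE
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://hp15-comm.msn.com/?pc=HRTE
HKU\S-1-5-21-1199084194-2178762476-723503590-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://hp15-comm.msn.com/?pc=HRTE
HKU\S-1-5-21-1199084194-2178762476-723503590-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://hp15-comm.msn.com/?pc=HRTE
CHR HKLM-x32\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - hxxps://clients2.google.com/service/update2/crx
C:\Users\Public\VOIP.dat
2017-02-01 22:05 - 2016-11-19 21:16 - 00000000 ____D C:\Users\phoenix\AppData\Roaming\TeamViewer
C:\Users\phoenix\AppData\Roaming\ASSDraw3.cfg

CMD: ipconfig /flushdns
EmptyTemp:
Hosts:
Reboot:
End
"""

DIRECTIVES = {"CreateRestorePoint:", "CloseProcesses:", "EmptyTemp:", "Hosts:", "Reboot:", "End"}

# What FRST does with each kind of line, as the Fixlog later in the thread shows.
ACTIONS = {
    "directive": "housekeeping step (restore point, close processes, empty temp, reset hosts, reboot)",
    "command":   "runs the command and appends its output to Fixlog.txt",
    "registry":  "deletes the value or key; for IE start-page entries it restores the default",
    "chrome":    "deletes the Chrome policy or forced-extension registry key",
    "service":   "deletes the service key and removes the service or driver",
    "ads":       "removes the named NTFS alternate data stream",
    "process":   "terminates the listed process if it is running",
    "file":      "moves the file or folder to FRST's quarantine",
}


def classify(line):
    """Map one fixlist line to a category name (order of tests matters)."""
    s = line.strip()
    if s in DIRECTIVES:
        return "directive"
    if s.startswith("CMD:"):
        return "command"
    if s.startswith("AlternateDataStreams:"):
        return "ads"
    if s.startswith("CHR "):
        return "chrome"
    if re.match(r"^[RSU]\d ", s):            # R2/S3/U1 service and driver entries
        return "service"
    if re.match(r"^(HKLM|HKU|HKCU|HKCR)", s):
        return "registry"
    if s.startswith("("):                    # "(publisher/URL) path" process lines
        return "process"
    if re.match(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} - ", s) or re.match(r"^[A-Za-z]:\\", s):
        return "file"
    return "unknown"


def plan(text):
    """Return [(category, line)] for every non-blank line, in fixlist order."""
    return [(classify(l), l.strip()) for l in text.splitlines() if l.strip()]


def summarize(text):
    """Count how many lines of each category the fixlist contains."""
    return Counter(cat for cat, _ in plan(text))


if __name__ == "__main__":
    for cat, line in plan(FIXLIST):
        print(f"{cat:9} {line[:70]}")
    print()
    for cat, n in summarize(FIXLIST).most_common():
        print(f"{n:2} x {cat:9} -> {ACTIONS.get(cat, '?')}")
```

Running it lists the 29 entries with their category and then the per-category totals, which answers the question peter45w asks next: the fix removed one empty Run value, an autorun mapping for a removable drive, a Chrome policy key and two forced-extension keys, three services or drivers without a valid image, two alternate data streams, and reset six Internet Explorer start-page values, besides quarantining a handful of files and folders.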

 


 


#5 peter45w

peter45w
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:04:06 PM

Posted 04 February 2017 - 08:33 AM

Hi,

Yes, I do use NordVPN, and Private Internet Access VPN sometimes. It is currently in my installed programs.

 

Can you explain what the Farbar Recovery fix has completely removed? All details about what kind of malware and what kind of stuff, please? (if you can)

 

 

 

 

FIXLOG.TXT:

 

Résultats de correction de Farbar Recovery Scan Tool (x64) Version: 29-01-2017
Exécuté par phoenix (04-02-2017 12:39:27) Run:1
Exécuté depuis C:\Users\phoenix\Downloads
Profils chargés: phoenix (Profils disponibles: phoenix)
Mode d'amorçage: Normal
==============================================
 
fixlist contenu:
*****************
CreateRestorePoint:
CloseProcesses:
 
HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-1199084194-2178762476-723503590-1001\...\MountPoints2: {94c35a44-49b9-11e6-9bd9-08d40c2d87b3} - "G:\setup.exe"
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
C:\Users\phoenix\AppData\Local\Temp
R2 ibtsiva; %SystemRoot%\system32\ibtsiva [X]
S3 xhunter1; C:\WINDOWS\xhunter1.sys [36808 2016-10-26] (Wellbia.com Co., Ltd.)
U1 npcap; pas de ImagePath
AlternateDataStreams: C:\Users\phoenix:Heroes & Generals [38]
AlternateDataStreams: C:\Users\phoenix\Desktop\html(4).rar:$CmdZnID [26]
(hxxp://www.ruby-lang.org/) C:\Users\phoenix\AppData\Local\Temp\ocrDF5E.tmp\bin\rubyw.exe
(hxxp://www.ruby-lang.org/) C:\Users\phoenix\AppData\Local\Temp\ocr145F.tmp\bin\rubyw.exe
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://hp15-comm.msn.com/?pc=HRTE
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://hp15-comm.msn.com/?pc=HRTE
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://hp15-comm.msn.com/?pc=HRTE
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://hp15-comm.msn.com/?pc=HRTE
HKU\S-1-5-21-1199084194-2178762476-723503590-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://hp15-comm.msn.com/?pc=HRTE
HKU\S-1-5-21-1199084194-2178762476-723503590-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://hp15-comm.msn.com/?pc=HRTE
CHR HKLM-x32\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - hxxps://clients2.google.com/service/update2/crx
C:\Users\Public\VOIP.dat
2017-02-01 22:05 - 2016-11-19 21:16 - 00000000 ____D C:\Users\phoenix\AppData\Roaming\TeamViewer
C:\Users\phoenix\AppData\Roaming\ASSDraw3.cfg
 
CMD: ipconfig /flushdns
EmptyTemp:
Hosts:
Reboot:
End
*****************
 
Le Point de restauration a été créé avec succès.
Processus fermé avec succès.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => valeur supprimé(es) avec succès
HKU\S-1-5-21-1199084194-2178762476-723503590-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{94c35a44-49b9-11e6-9bd9-08d40c2d87b3} => clé supprimé(es) avec succès
HKCR\CLSID\{94c35a44-49b9-11e6-9bd9-08d40c2d87b3} => clé non trouvé(e). 
HKLM\SOFTWARE\Policies\Google => clé supprimé(es) avec succès
C:\Users\phoenix\AppData\Local\Temp => déplacé(es) avec succès
HKLM\System\CurrentControlSet\Services\ibtsiva => clé supprimé(es) avec succès
ibtsiva => service supprimé(es) avec succès
HKLM\System\CurrentControlSet\Services\xhunter1 => clé supprimé(es) avec succès
xhunter1 => service supprimé(es) avec succès
HKLM\System\CurrentControlSet\Services\npcap => clé supprimé(es) avec succès
npcap => service supprimé(es) avec succès
C:\Users\phoenix => ":Heroes & Generals" ADS supprimé(es) avec succès.
C:\Users\phoenix\Desktop\html(4).rar => ":$CmdZnID" ADS supprimé(es) avec succès.
C:\Users\phoenix\AppData\Local\Temp\ocrDF5E.tmp\bin\rubyw.exe => Aucun processus actif trouvé
C:\Users\phoenix\AppData\Local\Temp\ocr145F.tmp\bin\rubyw.exe => Aucun processus actif trouvé
HKLM\Software\\Microsoft\Internet Explorer\Main\\Start Page => valeur restauré(es) avec succès
HKLM\Software\\Microsoft\Internet Explorer\Main\\Default_Page_URL => valeur restauré(es) avec succès
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main\\Start Page => valeur supprimé(es) avec succès
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main\\Default_Page_URL => valeur supprimé(es) avec succès
HKU\S-1-5-21-1199084194-2178762476-723503590-1001\Software\Microsoft\Internet Explorer\Main\\Start Page => valeur restauré(es) avec succès
HKU\S-1-5-21-1199084194-2178762476-723503590-1001\Software\Microsoft\Internet Explorer\Main\\Default_Page_URL => valeur restauré(es) avec succès
HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\eofcbnmajmjmplflapaojjnihcjkigck => clé supprimé(es) avec succès
HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\gomekmidlodglbbmalcneegieacbdmki => clé supprimé(es) avec succès
"C:\Users\Public\VOIP.dat" => non trouvé(e).
C:\Users\phoenix\AppData\Roaming\TeamViewer => déplacé(es) avec succès
C:\Users\phoenix\AppData\Roaming\ASSDraw3.cfg => déplacé(es) avec succès
 
========= ipconfig /flushdns =========
 
 
Configuration IP de Windows
 
Cache de résolution DNS vidé.
 
========= Fin de CMD: =========
 
C:\Windows\System32\Drivers\etc\hosts => déplacé(es) avec succès
Hosts restauré(es) avec succès.
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 574285 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 57783185 B
Java, Flash, Steam htmlcache => 468383024 B
Windows/system/drivers => 46556374 B
Edge => 294245 B
Chrome => 807010137 B
Firefox => 49525777 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Default => 7680 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 0 B
LocalService => 18340 B
NetworkService => 7648536 B
phoenix => 5196210 B
 
RecycleBin => 0 B
EmptyTemp: => 1.3 GB données temporaires supprimées.
 
================================
 
 
Le système a dû redémarrer.
 
==== Fin de Fixlog 12:43:42 ====
 
 
 
 
 
 

 

AdwCleaner v6.043:

 

# AdwCleaner v6.043 - Rapport créé le 04/02/2017 à 14:15:42
# Mis à jour le 27/01/2017 par Malwarebytes
# Base de données : 2017-02-03.2 [Serveur]
# Système d'exploitation : Windows 10 Home  (X64)
# Nom d'utilisateur : phoenix - DESKTOP-9V2JDSG
# Exécuté depuis : C:\Users\phoenix\Downloads\adwcleaner_6.043 (1).exe
# Mode: Scan
 
 
 
***** [ Services ] *****
 
Aucun service malveillant trouvé.
 
 
***** [ Dossiers ] *****
 
Aucun dossier malveillant trouvé.
 
 
***** [ Fichiers ] *****
 
Aucun fichier malveillant trouvé.
 
 
***** [ DLL ] *****
 
Aucune DLL patchée trouvée.
 
 
***** [ WMI ] *****
 
Aucune clé malveillante trouvée.
 
 
***** [ Raccourcis ] *****
 
Aucun raccourci infecté trouvé.
 
 
***** [ Tâches planifiées ] *****
 
Aucune tâche malveillante trouvée.
 
 
***** [ Registre ] *****
 
Aucun élément malveillant trouvé dans le registre.
 
 
***** [ Navigateurs web ] *****
 
Aucune préférence Firefox malveillante trouvée.
Aucune préférence Chromium malveillante trouvée.
 
*************************
 
C:\AdwCleaner\AdwCleaner[C0].txt - [1407 octets] - [28/01/2017 05:33:47]
C:\AdwCleaner\AdwCleaner[S0].txt - [1508 octets] - [27/01/2017 16:05:06]
C:\AdwCleaner\AdwCleaner[S1].txt - [1431 octets] - [31/01/2017 08:06:49]
C:\AdwCleaner\AdwCleaner[S2].txt - [1505 octets] - [03/02/2017 16:45:54]
C:\AdwCleaner\AdwCleaner[S3].txt - [1429 octets] - [04/02/2017 14:15:42]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S3].txt - [1503 octets] ##########
 
 
 
 
 
 
 
 
Junkware Removal Tool (JRT):
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.1.0 (12.05.2016)
Operating System: Windows 10 Home x64 
Ran by phoenix (Administrator) on 04/02/2017 at 14:08:11,94
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
File System: 1 
 
Successfully deleted: C:\ProgramData\mntemp (File) 
 
 
 
Registry: 0 
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 04/02/2017 at 14:10:42,43
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

Edited by peter45w, 04 February 2017 - 08:35 AM.


#6 olgun52

olgun52

  • Malware Response Team
  • 3,792 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:06 PM

Posted 04 February 2017 - 03:03 PM

Can you explain what the Farbar Recovery fix has completely removed? All details about what kind of malware and what kind of stuff, please? (if you can)

Not as yet. We took an important step. We need to continue the process.
=============================================================
 
Please do the following;

 

Step 1:

Scan with Malwarebytes Antimalware:

Please download Malwarebytes Anti-Malware to your desktop.

  • Double-click the downloaded setup file and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
  • Launch Malwarebytes Anti-Malware
  • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish.

If the program is already installed:

  • Run Malwarebytes Antimalware
  • On the Dashboard, click the 'Update Now >>' link
  • After the update completes, click the 'Scan Now >>' button.
  • Or, on the Dashboard, click the Scan Now >> button.
  • If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
  • In most cases, a restart will be required.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply

Step 2:

Please download RogueKiller 32/64 bit to your desktop and run it.

Quit all running programs.

For Windows XP, double-click to start.
For Vista or Windows 7-8, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.
When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!

Post back the report which should be located on your desktop.
(please don't put logs in code or quotes)

 

Regards

Yılmaz



 


 


#7 peter45w

peter45w
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:04:06 PM

Posted 04 February 2017 - 04:38 PM

RogueKiller:
 
RogueKiller V12.9.6.0 (x64) [Jan 30 2017] (Gratuit) par Adlice Software
 
Système d'exploitation : Windows 10 (10.0.14393) 64 bits version
Démarré en  : Mode normal
Utilisateur : phoenix [Administrateur]
Démarré depuis : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 02/04/2017 21:49:43 (Durée : 00:45:33)
 
¤¤¤ Processus : 0 ¤¤¤
 
¤¤¤ Registre : 2 ¤¤¤
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{789d4002-ba00-41d5-9453-51d51efe663c} | DhcpNameServer : 109.62.67.65 109.62.67.66 ([Martinique][Martinique])  -> Trouvé(e)
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{c02d0735-efae-4ab5-aa80-f0142e8607a6} | DhcpNameServer : 109.62.67.65 109.62.67.66 ([Martinique][Martinique])  -> Trouvé(e)
 
¤¤¤ Tâches : 0 ¤¤¤
 
¤¤¤ Fichiers : 0 ¤¤¤
 
¤¤¤ WMI : 0 ¤¤¤
 
¤¤¤ Fichier Hosts : 0 ¤¤¤
 
¤¤¤ Antirootkit : 0 (Driver: Chargé) ¤¤¤
 
¤¤¤ Navigateurs web : 2 ¤¤¤
[PUM.Proxy][Firefox:Config] i5t71k6a.default : user_pref("network.proxy.http", "37.59.37.41"); -> Trouvé(e)
[PUM.Proxy][Firefox:Config] i5t71k6a.default : user_pref("network.proxy.http_port", 3128); -> Trouvé(e)
 
¤¤¤ Vérification MBR : ¤¤¤
+++++ PhysicalDrive0: HGST HTS541010A9E680 +++++
--- User ---
[MBR] 80c946881def8953a77453d916fbc541
[BSP] f46f5790fc3617f1f93129e3521c2df7 : Empty MBR Code
Partition table:
0 - [MAN-MOUNT] EFI system partition | Offset (sectors): 2048 | Size: 360 MB
1 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 739328 | Size: 128 MB
2 - Basic data partition | Offset (sectors): 1001472 | Size: 934657 MB
3 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 1915179008 | Size: 950 MB
4 - [SYSTEM] Basic data partition | Offset (sectors): 1917124608 | Size: 15720 MB
5 - [SYSTEM] Basic data partition | Offset (sectors): 1949319168 | Size: 2048 MB
User = LL1 ... OK
User = LL2 ... OK
 
 
 
 
 
 

 

 

 

 

Malwarebytes
www.malwarebytes.com
 
-Détails du journal-
Date de l'analyse: 04/02/2017
Heure de l'analyse: 21:20
Fichier journal: jeuipps.txt
Administrateur: Oui
 
-Informations du logiciel-
Version: 3.0.6.1469
Version de composants: 
Version de pack de mise à jour: 
Licence: Essai
 
-Informations système-
Système d'exploitation: Windows 10
Processeur: x64
Système de fichiers: NTFS
Utilisateur: DESKTOP-9V2JDSG\phoenix
 
-Résumé de l'analyse-
Type d'analyse: Analyse des menaces
Résultat: Annulé
Objets analysés: 0
(Aucun élément malveillant détecté)
Temps écoulé: 0 min, 54 s
 
-Options d'analyse-
Mémoire: Activé
Démarrage: Activé
Système de fichiers: Activé
Archives: Activé
Rootkits: Désactivé
Heuristique: Activé
PUP: Activé
PUM: Activé
 
-Détails de l'analyse-
Processus: 0
(Aucun élément malveillant détecté)
 
Module: 0
(Aucun élément malveillant détecté)
 
Clé du registre: 0
(Aucun élément malveillant détecté)
 
Valeur du registre: 0
(Aucun élément malveillant détecté)
 
Données du registre: 0
(Aucun élément malveillant détecté)
 
Flux de données: 0
(Aucun élément malveillant détecté)
 
Dossier: 0
(Aucun élément malveillant détecté)
 
Fichier: 0
(Aucun élément malveillant détecté)
 
Secteur physique: 0
(Aucun élément malveillant détecté)
 
 
(end)

Edited by peter45w, 04 February 2017 - 04:39 PM.
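RogueKiller labels the DNS and Firefox proxy settings in the report above as PUM (potentially unwanted modification), not as malware, so deciding how serious they are is left to whoever reads the log. The following is an added Python example, not code from this thread or from RogueKiller, that pulls the PUM.Dns and PUM.Proxy lines out of a report, reassembles the Firefox proxy host and port (reported on two separate lines), flags a proxy that points at a public address, and lists the DHCP-assigned resolvers for the user to confirm. The sample report is built from the lines posted above; the function names and the wording of the risk statements are the example's own.

```python
import ipaddress
import re

# Constructed sample: the PUM lines from the RogueKiller report posted above,
# with their section headers kept so the parser has non-finding lines to skip.
SAMPLE_LOG = r"""¤¤¤ Registre : 2 ¤¤¤
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{789d4002-ba00-41d5-9453-51d51efe663c} | DhcpNameServer : 109.62.67.65 109.62.67.66 ([Martinique][Martinique])  -> Trouvé(e)
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{c02d0735-efae-4ab5-aa80-f0142e8607a6} | DhcpNameServer : 109.62.67.65 109.62.67.66 ([Martinique][Martinique])  -> Trouvé(e)

¤¤¤ Navigateurs web : 2 ¤¤¤
[PUM.Proxy][Firefox:Config] i5t71k6a.default : user_pref("network.proxy.http", "37.59.37.41"); -> Trouvé(e)
[PUM.Proxy][Firefox:Config] i5t71k6a.default : user_pref("network.proxy.http_port", 3128); -> Trouvé(e)
"""

TAG_RE = re.compile(r"^\[(PUM\.\w+)\]")                       # e.g. [PUM.Proxy]
PREF_RE = re.compile(r'user_pref\("(network\.proxy\.[\w.]+)",\s*"?([^");]+)"?\);')
DNS_RE = re.compile(r"DhcpNameServer\s*:\s*([\d. ]+?)\s*\(")


def parse_roguekiller(text):
    """Return one dict per PUM line: kind, key, value and the raw line."""
    findings = []
    for raw in text.splitlines():
        m = TAG_RE.match(raw)
        if not m:
            continue                      # section headers, blank lines, etc.
        entry = {"kind": m.group(1), "key": None, "value": None, "raw": raw}
        if entry["kind"] == "PUM.Proxy":
            p = PREF_RE.search(raw)
            if p:
                entry["key"], entry["value"] = p.group(1), p.group(2)
        elif entry["kind"] == "PUM.Dns":
            d = DNS_RE.search(raw)
            if d:
                entry["key"], entry["value"] = "DhcpNameServer", d.group(1).split()
        findings.append(entry)
    return findings


def firefox_proxy(findings):
    """Reassemble the host and port prefs into one (host, port) tuple, or None."""
    host = port = None
    for f in findings:
        if f["kind"] != "PUM.Proxy":
            continue
        if f["key"] == "network.proxy.http":
            host = f["value"]
        elif f["key"] == "network.proxy.http_port":
            port = int(f["value"])
    return None if host is None else (host, port)


def dns_servers(findings):
    """Sorted, de-duplicated list of every DHCP DNS server the report mentions."""
    return sorted({s for f in findings if f["kind"] == "PUM.Dns" for s in (f["value"] or [])})


def is_public(host):
    """True when the proxy target is routable; a hostname is treated as public (unknown)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True
    return not (ip.is_private or ip.is_loopback or ip.is_link_local)


def assess(findings):
    """Turn raw PUM findings into plain-language risk statements for the user."""
    issues = []
    proxy = firefox_proxy(findings)
    if proxy:
        host, port = proxy
        where = "a public host" if is_public(host) else "a local or private host"
        issues.append(
            f"Firefox HTTP proxy is set to {host}:{port} ({where}): every plain http:// "
            "request from this profile is relayed through it, so anything typed into a "
            "non-HTTPS login form is readable there. Remove it unless you set it deliberately."
        )
    dns = dns_servers(findings)
    if dns:
        issues.append(
            f"DHCP-assigned DNS servers: {', '.join(dns)}. Confirm they belong to your ISP "
            "or VPN provider; an unexpected resolver can send logins to look-alike sites."
        )
    return issues


if __name__ == "__main__":
    for line in assess(parse_roguekiller(SAMPLE_LOG)):
        print("-", line)
```

The proxy check is the one that matters for the "password stealer" complaint that opened the thread: a proxy the user did not configure, pointing at a public address, is exactly the position from which unencrypted logins can be read, and it survives antivirus scans because it is only a preference in prefs.js. The DNS entries here are handed out by DHCP, so the script reports them for confirmation rather than treating them as a finding.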


#8 olgun52

olgun52

  • Malware Response Team
  • 3,792 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:06 PM

Posted 04 February 2017 - 06:09 PM

Hi peter45w,
 
ESET Online Scanner:

Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.

  • Please visit the ESET Online Scanner website
  • Click the SCAN NOW button to download the esetonlinescanner_enu.exe file to the Desktop
  • Double click esetonlinescanner_enu.exe. Accept the Terms of Use
  • Select Enable detection of potentially unwanted applications
  • In Advanced Settings: make sure that Clean threats automatically is unchecked 
  • And Enable detection of potentially unsafe applications, Enable detection of suspicious applications, Scan archives, and Enable Anti-Stealth technology are all checked.
  • Click Scan
  • The program will begin to download its virus database. The speed may vary depending on your Internet connection.
  • When completed, the program will begin to scan. This may take several hours. Please, be patient.
  • Do not do anything on your machine as it may interrupt the scan.
  • When completed it'll show a list of "Threats found", click beneath it on Save to text file.... and save it as ESET log.txt on your Desktop.
  • Then click Do not clean. Place a checkmark at Delete application's data on close, click Finish and close the program.

Don't forget to re-enable previously switched-off protection software!
 
Thanks



 


 


#9 peter45w

peter45w
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:04:06 PM

Posted 05 February 2017 - 09:43 AM

Hi, there was no threat found and no way to export log.txt

 

https://gyazo.com/119a5c07bf5c8aaae20517714075482d


Edited by peter45w, 05 February 2017 - 09:46 AM.


#10 olgun52

olgun52

  • Malware Response Team
  • 3,792 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:06 PM

Posted 05 February 2017 - 02:26 PM

Very good.

How is your PC running now and any issues?



 


 


#11 peter45w

peter45w
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:04:06 PM

Posted 05 February 2017 - 03:36 PM

Hi,

No, it's fine, no issues at all.. so no malware was found?



#12 olgun52

olgun52

  • Malware Response Team
  • 3,792 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:06 PM

Posted 05 February 2017 - 04:04 PM

We found and removed it with the fixlist.

=================

 

Congratulations, your PC is clean now.

 

Thank you for your patience.  Please do the following:

In any case please download delfix to your desktop.

  • Close all other programs and start delfix.
  • Please check all the boxes and run the tool.
  • delfix will now delete all found traces of our removal process

You can do the following:
 
The easiest and safest way to do this is:

  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.

to remove all but the most recently created Restore Point.

  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically. Vista and Windows 7 users can refer to these links: Create a New Restore Point in Vista or Windows 7 and Disk Cleanup in Vista. and Disk cleanup in Windows 10

ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
 
Please take the time to carefully review the info contained below. It's invaluable.
Answers to common security questions - Best Practices
How Malware Spreads - How your system gets infected
Best Practices for Safe Computing - Prevention of Malware Infection
 
Some safety suggestions !

Best regards. :hello:



 


 


#13 peter45w

peter45w
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:04:06 PM

Posted 05 February 2017 - 07:32 PM

All is done right, thank you  :clapping:



#14 olgun52

olgun52

  • Malware Response Team
  • 3,792 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:06 PM

Posted 06 February 2017 - 12:53 PM

Glad I could help.
Have a nice day. Good luck.


 


 


#15 olgun52

olgun52

  • Malware Response Team
  • 3,792 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:06 PM

Posted 06 February 2017 - 12:53 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.


 


 




