
MBAR found trojans etc and there could be more stuff


8 replies to this topic

#1 gaberilde

gaberilde

  • Members
  • 66 posts

Posted 15 February 2017 - 03:28 AM

Here's the log. My PC could have more viruses than this, but Malwarebytes and AdwCleaner come up clean, so don't try them please, I already tried them.

 

Whoops, forgot the FRST log; here it is.

Attached Files


Edited by gaberilde, 15 February 2017 - 03:54 AM.




#2 nasdaq

nasdaq

  • Malware Response Team
  • 35,168 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 15 February 2017 - 09:52 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

FW: Norton Internet Security (Enabled) {084FC016-54FB-7A6D-DFFC-2B9050228CD1}
mpsdrv => Firewall Service is not running.
MpsSvc => Firewall Service is not running.


Is the Firewall running or is this a false positive?
===

Do you know what this is?
Task: {372CB5CF-83F8-4F2D-9067-CAF62768B2CB} - System32\Tasks\fastpcload => F:\Scripts\TempEndOthersSpecialrunner.vbs [2017-01-15] ()
===

This might be causing some Windows Update issues?
Let me know.
Check "winmgmt" service or repair WMI.
===


Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.

Please copy the entire contents of the code box below to a new file.


Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig]  <===== ATTENTION
GroupPolicy: Restriction <======= ATTENTION
HKU\S-1-5-21-2573605897-3760810489-296237192-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
FF user.js: detected! => F:\Files\FireFoxProfile\user.js [2016-01-09]
FF Extension: (Block site) - F:\Files\FireFoxProfile\Extensions\{dd3d7613-0246-469d-bc65-2a3cc1668adc} [2016-09-24]
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.30.3\npGoogleUpdate3.dll [No File]
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.30.3\npGoogleUpdate3.dll [No File]
CHR Extension: (SwagButton) - C:\Users\gaberilde\AppData\Local\Google\Chrome\User Data\Default\Extensions\gngocbkfmikdgphklgmmehbjjlfgdemm [2016-12-14]
CHR Extension: (Awesome New Tab Page) - C:\Users\gaberilde\AppData\Local\Google\Chrome\User Data\Default\Extensions\mgmiemnjjchgkmgbeljfocdjjnpjnmcg [2016-10-29]
CHR Extension: (Chrome Web Store Payments) - C:\Users\gaberilde\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-01-19]
CHR Extension: (Chrome Web Store Payments) - C:\Users\gaberilde\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-06-12]
CHR Extension: (Chrome Web Store Payments) - C:\Users\gaberilde\AppData\Local\Google\Chrome\User Data\Profile 2\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-09-05]
CHR Extension: (Chrome Web Store Payments) - C:\Users\gaberilde\AppData\Local\Google\Chrome\User Data\Profile 3\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-01-23]
CHR Extension: (Chrome Web Store Payments) - C:\Users\gaberilde\AppData\Local\Google\Chrome\User Data\Profile 4\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-06-12]
CHR Extension: (Chrome Web Store Payments) - C:\Users\gaberilde\AppData\Local\Google\Chrome\User Data\Profile 5\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-01-24]
CHR Extension: (Norton Security Toolbar) - C:\Users\gaberilde\AppData\Local\Google\Chrome\User Data\Profile 6\Extensions\cjabmdjcfcfdmffimndhafhblfmpjdpe [2016-06-12]
CHR Extension: (Chrome Web Store Payments) - C:\Users\gaberilde\AppData\Local\Google\Chrome\User Data\Profile 6\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-06-12]
CHR Extension: (Chrome Web Store Payments) - C:\Users\gaberilde\AppData\Local\Google\Chrome\User Data\Profile 7\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-06-12]
CHR Extension: (Chrome Web Store Payments) - C:\Users\gaberilde\AppData\Local\Google\Chrome\User Data\Profile 8\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-06-12]
CHR HKLM\...\Chrome\Extension: [hkhkiakolggnnicallabhkobalpeplpi] - <no Path/update_url>
CHR HKLM-x32\...\Chrome\Extension: [hkhkiakolggnnicallabhkobalpeplpi] - <no Path/update_url>
S4 hshld; C:\Program Files (x86)\Hotspot Shield\bin\cmw_srv.exe [2718840 2016-10-13] (AnchorFree Inc.)
S2 DigitalWave.Update.Service; "C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe" [X]
S4 ibtsiva; %SystemRoot%\system32\ibtsiva [X]
S2 MEmusvc; C:\Program Files\Microvirt\MEmu\MemuService.exe [X]
S4 SynTPEnhService; "C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe" [X]
S3 dbx; system32\DRIVERS\dbx.sys [X]
S3 dglvrbus; \SystemRoot\System32\drivers\dglvrbus.sys [X]
S3 dglvrkdod; \SystemRoot\system32\DRIVERS\dglvrkdod.sys [X]
S3 dglvrmflt; \SystemRoot\System32\drivers\dglvrmflt.sys [X]
S3 SmbDrv; \SystemRoot\System32\drivers\Smb_driver_AMDASF.sys [X]
S3 SmbDrvI; \SystemRoot\system32\DRIVERS\Smb_driver_Intel.sys [X]
CustomCLSID: HKU\S-1-5-21-2573605897-3760810489-296237192-1001_Classes\CLSID\{0E270DAA-1BE6-48F2-AC49-1DE01A13D5A7}\InprocServer32 -> %%systemroot%%\system32\shell32.dll => No File
Shortcut: C:\Users\gaberilde\Desktop\Games\Zoo Tycoon 2.lnk -> F:\Program Files (x86)\Microsoft Games\Zoo Tycoon 2\Starter.bat (No File)
AlternateDataStreams: C:\ProgramData\Temp:F0762150 [107]
HKLM\...\.reg: Regedit.Document =>  <===== ATTENTION
HKU\S-1-5-21-2573605897-3760810489-296237192-1001\Software\Classes\.exe: exefile =>  <===== ATTENTION
FirewallRules: [TCP Query User{9EBF3EE4-0DB4-4207-9458-9B296FBECC71}C:\program files (x86)\minecraft\runtime\jre-x64\1.8.0_25\bin\javaw.exe] => (Allow) C:\program files (x86)\minecraft\runtime\jre-x64\1.8.0_25\bin\javaw.exe
FirewallRules: [UDP Query User{3ED44C0D-2FB0-45A4-81A5-99DE6C277365}C:\program files (x86)\minecraft\runtime\jre-x64\1.8.0_25\bin\javaw.exe] => (Allow) C:\program files (x86)\minecraft\runtime\jre-x64\1.8.0_25\bin\javaw.exe

Reboot:

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as Java update!
Important read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882

If still present after the update you can remove these old versions of Java via the Control Panel > Programs > Programs and Features.
Java 8 Update 111 (64-bit) (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F64180111F0}) (Version: 8.0.1110.14 - Oracle Corporation)
Java 8 Update 111 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F32180111F0}) (Version: 8.0.1110.14 - Oracle Corporation)
Java SE Development Kit 8 Update 101 (64-bit) (HKLM\...\{64A3A4F4-B792-11D6-A78A-00B0D0180101}) (Version: 8.0.1010.13 - Oracle Corporation)

Please let me know what problem persists with this computer.
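Reading an FRST log the way nasdaq does above (firewall services not running, a scheduled task pointing at a script on another drive, policy lines marked ATTENTION, services whose binary is gone) can be scripted so the same questions get asked every time. The Python below is an added example, not part of this thread and not FRST's own code: it triages constructed sample lines that mirror the ones quoted in the post; the GoogleUpdate task with its all-zero placeholder GUID, the script-extension list and the trusted-root prefixes are assumptions of the example.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample in the style of the Farbar (FRST) log lines quoted in the thread.
# The fastpcload task, the policy line and the [X] services mirror lines nasdaq quoted;
# the GoogleUpdate task is a made-up benign control case (placeholder GUID).
SAMPLE_FRST = r"""
mpsdrv => Firewall Service is not running.
MpsSvc => Firewall Service is not running.
Task: {372CB5CF-83F8-4F2D-9067-CAF62768B2CB} - System32\Tasks\fastpcload => F:\Scripts\TempEndOthersSpecialrunner.vbs [2017-01-15] ()
Task: {00000000-0000-0000-0000-000000000000} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2016-12-01] (Google Inc.)
HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig]  <===== ATTENTION
S2 DigitalWave.Update.Service; "C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe" [X]
S3 dbx; system32\DRIVERS\dbx.sys [X]
S4 hshld; C:\Program Files (x86)\Hotspot Shield\bin\cmw_srv.exe [2718840 2016-10-13] (AnchorFree Inc.)
"""

# Script interpreters launched by the task scheduler deserve a second look, as does any
# task action that is unsigned or lives outside the usual program directories (assumed lists).
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd", ".ps1", ".hta"}
TRUSTED_ROOTS = (r"c:\program files", r"c:\windows")  # also covers "c:\program files (x86)"

TASK_RE = re.compile(
    r"^Task: \{[0-9A-Fa-f-]+\} - (?P<task>\S+) => (?P<target>.+?) "
    r"\[(?P<date>\d{4}-\d{2}-\d{2})\] \((?P<signer>[^)]*)\)$"
)
# FRST marks a service whose binary is missing on disk with a trailing [X].
ORPHAN_SVC_RE = re.compile(r"^S[0-4] (?P<name>[^;]+); (?P<path>.+?) \[X\]$")


def parse_frst(text):
    """Return a list of findings (dicts with kind/line/why) for the FRST lines worth asking about."""
    findings = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line.endswith("Firewall Service is not running."):
            findings.append({"kind": "firewall_service_stopped", "line": line,
                             "why": "Windows Firewall service is stopped; confirm a third-party firewall is active"})
            continue
        if "<===== ATTENTION" in line:
            findings.append({"kind": "policy_restriction", "line": line,
                             "why": "policy restriction that malware commonly sets (e.g. System Restore disabled)"})
            continue
        m = TASK_RE.match(line)
        if m:
            target = m["target"].strip('"')
            reasons = []
            if PureWindowsPath(target).suffix.lower() in SCRIPT_EXTS:
                reasons.append("task runs a script file")
            if not target.lower().startswith(TRUSTED_ROOTS):
                reasons.append("target outside Program Files/Windows")
            if not m["signer"].strip():
                reasons.append("no publisher in signature field")
            if reasons:
                findings.append({"kind": "suspicious_task", "line": line, "task": m["task"],
                                 "target": target, "why": "; ".join(reasons)})
            continue
        m = ORPHAN_SVC_RE.match(line)
        if m:
            findings.append({"kind": "orphaned_service", "line": line, "service": m["name"],
                             "why": "service registered but its binary is missing (leftover or removed component)"})
    return findings


def summarize(findings):
    """Count findings per kind, e.g. {'firewall_service_stopped': 2, ...}."""
    return dict(Counter(f["kind"] for f in findings))


if __name__ == "__main__":
    for f in parse_frst(SAMPLE_FRST):
        print(f"{f['kind']:26} {f['why']}")
    print(summarize(parse_frst(SAMPLE_FRST)))
```

Every hit is a question for the machine's owner rather than a verdict: in this thread the VBS task and the stopped firewall services both turned out to have ordinary explanations (a home-made boot script, Norton replacing the built-in firewall), which is why the check reports its reason next to the line instead of a remove/keep decision.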

#3 gaberilde

gaberilde
  • Topic Starter

  • Members
  • 66 posts

Posted 15 February 2017 - 02:40 PM

Hi, the firewall is Norton; I disabled the built-in one to avoid conflicts.

And the VBS is a file I made to make the PC go faster on boot.

The Windows Update issue is probably because I disabled services to make the PC run faster.

And Java is a pain to update because my internet only goes 1mb max download, so I don't update it very often, but it's updated as often as I can get it; plus I need it, and when I can I will update it.

And I am not stupid enough to download malware if it doesn't come from the official site ;)

Java is already disabled in the browser because I have the new Google Chrome, which blocked it.



#4 gaberilde

gaberilde
  • Topic Starter

  • Members
  • 66 posts

Posted 17 February 2017 - 10:12 AM

Hi, what do I do next?



#5 nasdaq

nasdaq

  • Malware Response Team
  • 35,168 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 17 February 2017 - 02:01 PM

Sorry for this delay.

Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
createsrpoint;
autoclean;
emptyclsid;
emptyffcache;
FFdefaults;
emptyiecache;
iedefaults;
emptychrcache;
CHRdefaults;
emptyalltemp;
emptyfolderscheck;delete
ipconfig /flushdns;b
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run all the script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.
===

--RogueKiller--
  • Download & SAVE to your Desktop Download RogueKiller
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator"
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a window opens to explain what [PUM's] are, read about it.
  • Click the RogueKiller icon on your taskbar to return to the report.
  • Click open the Report
  • Click Export TXT button
  • Save the file as ReportRogue.txt
  • Click the Remove button to delete the items in RED
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next reply.
=======


Also, please provide an update on how the computer is behaving after running the above script.

#6 gaberilde

gaberilde
  • Topic Starter

  • Members
  • 66 posts

Posted Yesterday, 08:31 AM

Don't know if the Zoek thingy is done.

 

 

RogueKiller

 

 

RogueKiller V12.9.7.0 (x64) [Feb  6 2017] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com
Operating System : Windows 10 (10.0.14393) 64 bits version
Started in : Normal mode
User : gaberilde [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Delete -- Date : 02/18/2017 09:13:48 (Duration : 02:41:01)
¤¤¤ Processes : 0 ¤¤¤
¤¤¤ Registry : 24 ¤¤¤
[PUP.Gen1] (X64) HKEY_USERS\RK_gaberilde_ON_O_66A6\Software\OCS -> Deleted
[PUP.Gen1] (X86) HKEY_USERS\RK_gaberilde_ON_O_66A6\Software\OCS -> Deleted
[Suspicious.Path] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | Discord : C:\ProgramData\SquirrelMachineInstalls\Discord.exe --checkInstall [7] -> Not selected
[PUP.Gen0] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DigitalWave.Update.Service ("C:\Program Files (x86)\Common Files\DVDVideoSoft\lib\app_updater.exe") -> Deleted
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-2573605897-3760810489-296237192-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL :
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-2573605897-3760810489-296237192-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL :
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{3406ffa2-ce02-420a-95e8-2be9c6c53251} | NameServer : 78.143.192.20,78.143.192.10 ([United Kingdom][United Kingdom])  -> Replaced ()
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{6dce5435-5cae-40ce-b75e-21b71625fac7} | NameServer : 78.143.192.20,78.143.192.10 ([United Kingdom][United Kingdom])  -> Replaced ()
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{eced4c9d-e0f1-437c-b7c6-f4dcaadafe33} | NameServer : 78.143.192.20,78.143.192.10 ([United Kingdom][United Kingdom])  -> Replaced ()
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{ed35462b-396b-41a8-92a4-3ae81607f824} | NameServer : 78.143.192.20,78.143.192.10 ([United Kingdom][United Kingdom])  -> Replaced ()
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{3406FFA2-CE02-420A-95E8-2BE9C6C53251} | NameServer : 78.143.192.20,78.143.192.10, ([United Kingdom][United Kingdom])  -> Replaced ()
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{36C707CA-CEF5-4DFF-95D3-DA4A7B10280A} | NameServer : 78.143.192.20,78.143.192.10,192.168.1.254 ([United Kingdom][United Kingdom][-])  -> Replaced ()
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{39C0D821-17ED-46E2-8ACB-C97C619F95E2} | NameServer : 78.143.192.20,78.143.192.10,192.168.1.254 ([United Kingdom][United Kingdom][-])  -> Replaced ()
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{6DCE5435-5CAE-40CE-B75E-21B71625FAC7} | NameServer : 78.143.192.20,78.143.192.10, ([United Kingdom][United Kingdom])  -> Replaced ()
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{ECED4C9D-E0F1-437C-B7C6-F4DCAADAFE33} | NameServer : 78.143.192.20,78.143.192.10, ([United Kingdom][X])  -> Replaced ()
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{ED35462B-396B-41A8-92A4-3AE81607F824} | NameServer : 78.143.192.20,78.143.192.10, ([United Kingdom][United Kingdom])  -> Replaced ()
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\RK_System_ON_O_4700\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {545D177E-3B28-4DDB-9039-B2DD8078299A} : v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=6|App=O:\Users\gaberilde\AppData\Roaming\BitTorrent\BitTorrent.exe|Name=BitTorrent (TCP-In) (gaberilde)|Desc=Allow µTorrent network traffic with Edge Traversal|Edge=TRUE| [x] -> Deleted
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\RK_System_ON_O_4700\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {5CB3F728-0977-45B5-AB2B-801002CB15C1} : v2.22|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|App=O:\Users\gaberilde\AppData\Roaming\BitTorrent\BitTorrent.exe|Name=BitTorrent (TCP-Out) (gaberilde)|Desc=Allow µTorrent network traffic| [x] -> Deleted
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\RK_System_ON_O_4700\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {A4A77311-80B5-47E2-933A-DC8CCA923AD9} : v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=17|App=O:\Users\gaberilde\AppData\Roaming\BitTorrent\BitTorrent.exe|Name=BitTorrent (UDP-In) (gaberilde)|Desc=Allow µTorrent network traffic with Edge Traversal|Edge=TRUE| [x] -> Deleted
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\RK_System_ON_O_4700\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {D7ECB3D3-AC0E-4875-9D32-D33D4D170171} : v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=O:\Users\gaberilde\AppData\Roaming\BitTorrent\BitTorrent.exe|Name=BitTorrent (gaberilde)| [x] -> Deleted
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\RK_System_ON_O_4700\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {F3020C14-7FF9-454D-A7D2-CCBE0A911B81} : v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=O:\Users\gaberilde\AppData\Roaming\BitTorrent\BitTorrent.exe|Name=BitTorrent (gaberilde)| [x] -> Deleted
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\RK_System_ON_O_4700\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {C4B61069-6E3B-4E94-A2D1-5ABD311AAC3B} : v2.22|Action=Allow|Active=TRUE|Dir=Out|Protocol=17|App=O:\Users\gaberilde\AppData\Roaming\BitTorrent\BitTorrent.exe|Name=BitTorrent (UDP-Out) (gaberilde)|Desc=Allow µTorrent network traffic| [x] -> Deleted
[Tr.Gen0] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {DE2D07DD-3CA3-4631-B1A2-410AD7F15A16} : v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Program Files\uvnc bvba\UltraVNC\winvnc.exe|Name=winvnc.exe| [7] -> Deleted
[Tr.Gen0] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {AB9AF688-3495-43F1-841F-94CDCB7643BC} : v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Program Files\uvnc bvba\UltraVNC\winvnc.exe|Name=winvnc.exe| [7] -> Deleted
¤¤¤ Tasks : 0 ¤¤¤
¤¤¤ Files : 19 ¤¤¤
[PUP.Gen0][File] C:\Users\gaberilde\Desktop\DVDVideoSoft Free Studio.lnk [LNK@] C:\PROGRA~2\COMMON~1\DVDVID~1\FREEST~1.EXE -> Deleted
[PUP.Gen0][File] C:\Users\gaberilde\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\DVDVideoSoft\DVDVideoSoft Free Studio.lnk [LNK@] C:\PROGRA~2\COMMON~1\DVDVID~1\FREEST~1.EXE -> Deleted
[PUP.Gen0][File] C:\Users\gaberilde\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\DVDVideoSoft\Log Report.lnk [LNK@] C:\PROGRA~2\COMMON~1\DVDVID~1\bin\DVSSYS~1.EXE -> Deleted
[PUP.Gen0][File] C:\Users\gaberilde\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\DVDVideoSoft\Premium Membership.lnk [LNK@] C:\PROGRA~2\COMMON~1\DVDVID~1\PREMIU~1.EXE -> Deleted
[PUP.Gen0][File] C:\Users\gaberilde\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\DVDVideoSoft\Uninstall.lnk [LNK@] C:\PROGRA~2\COMMON~1\DVDVID~1\lib\UNINST~1.EXE -> Deleted
[PUP.Gen1][Folder] C:\Users\gaberilde\AppData\Roaming\Musixmatch -> Deleted
[PUP.Gen1][File] C:\Users\gaberilde\AppData\Roaming\Musixmatch\Cache\data_0 -> Deleted
[PUP.Gen1][File] C:\Users\gaberilde\AppData\Roaming\Musixmatch\Cache\data_1 -> Deleted
[PUP.Gen1][File] C:\Users\gaberilde\AppData\Roaming\Musixmatch\Cache\data_2 -> Deleted
[PUP.Gen1][File] C:\Users\gaberilde\AppData\Roaming\Musixmatch\Cache\data_3 -> Deleted
[PUP.Gen1][File] C:\Users\gaberilde\AppData\Roaming\Musixmatch\Cache\index -> Deleted
[PUP.Gen1][Folder] C:\Users\gaberilde\AppData\Roaming\Musixmatch\Cache -> Deleted
[PUP.Gen1][File] C:\Users\gaberilde\AppData\Roaming\Musixmatch\Cookies -> Deleted
[PUP.Gen1][File] C:\Users\gaberilde\AppData\Roaming\Musixmatch\Cookies-journal -> Deleted
[PUP.Gen1][File] C:\Users\gaberilde\AppData\Roaming\Musixmatch\databases\Databases.db -> Deleted
[PUP.Gen1][File] C:\Users\gaberilde\AppData\Roaming\Musixmatch\databases\Databases.db-journal -> Deleted
[PUP.Gen1][Folder] C:\Users\gaberilde\AppData\Roaming\Musixmatch\databases -> Deleted
[PUP.Gen1][File] C:\Users\gaberilde\AppData\Roaming\Musixmatch\GPUCache\data_0 -> Deleted
[PUP.Gen1][File] C:\Users\gaberilde\AppData\Roaming\Musixmatch\GPUCache\data_1 -> Deleted
[PUP.Gen1][File] C:\Users\gaberilde\AppData\Roaming\Musixmatch\GPUCache\data_2 -> Deleted
[PUP.Gen1][File] C:\Users\gaberilde\AppData\Roaming\Musixmatch\GPUCache\data_3 -> Deleted
[PUP.Gen1][File] C:\Users\gaberilde\AppData\Roaming\Musixmatch\GPUCache\index -> Deleted
[PUP.Gen1][Folder] C:\Users\gaberilde\AppData\Roaming\Musixmatch\GPUCache -> Deleted
[PUP.Gen1][File] C:\Users\gaberilde\AppData\Roaming\Musixmatch\IndexedDB\file__0.indexeddb.leveldb\000003.log -> Deleted
[PUP.Gen1][File] C:\Users\gaberilde\AppData\Roaming\Musixmatch\IndexedDB\file__0.indexeddb.leveldb\CURRENT -> Deleted
[PUP.Gen1][File] C:\Users\gaberilde\AppData\Roaming\Musixmatch\IndexedDB\file__0.indexeddb.leveldb\LOCK -> Deleted
[PUP.Gen1][File] C:\Users\gaberilde\AppData\Roaming\Musixmatch\IndexedDB\file__0.indexeddb.leveldb\LOG -> Deleted
[PUP.Gen1][File] C:\Users\gaberilde\AppData\Roaming\Musixmatch\IndexedDB\file__0.indexeddb.leveldb\LOG.old -> Deleted
[PUP.Gen1][File] C:\Users\gaberilde\AppData\Roaming\Musixmatch\IndexedDB\file__0.indexeddb.leveldb\MANIFEST-000001 -> Deleted
[PUP.Gen1][Folder] C:\Users\gaberilde\AppData\Roaming\Musixmatch\IndexedDB\file__0.indexeddb.leveldb -> Deleted
[PUP.Gen1][Folder] C:\Users\gaberilde\AppData\Roaming\Musixmatch\IndexedDB -> Deleted
[PUP.Gen1][File] C:\Users\gaberilde\AppData\Roaming\Musixmatch\Local Storage\file__0.localstorage -> Deleted
[PUP.Gen1][File] C:\Users\gaberilde\AppData\Roaming\Musixmatch\Local Storage\file__0.localstorage-journal -> Deleted
[PUP.Gen1][Folder] C:\Users\gaberilde\AppData\Roaming\Musixmatch\Local Storage -> Deleted
[PUP.Gen1][File] C:\Users\gaberilde\AppData\Roaming\Musixmatch\QuotaManager -> Deleted
[PUP.Gen1][File] C:\Users\gaberilde\AppData\Roaming\Musixmatch\QuotaManager-journal -> Deleted
[PUP.Gen1][File] C:\Users\gaberilde\AppData\Roaming\Musixmatch\Settings -> Deleted
[Tr.Gen0][File] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\UltraVNC\Edit Settings.lnk [LNK@] C:\PROGRA~1\UVNCBV~1\UltraVNC\UVNC_S~1.EXE -> Not selected
[Tr.Gen0][File] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\UltraVNC\UltraVNC Launcher.lnk [LNK@] C:\PROGRA~1\UVNCBV~1\UltraVNC\UVNC_L~1.EXE -> Not selected
[Tr.Gen0][File] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\UltraVNC\UltraVNC Repeater.lnk [LNK@] C:\PROGRA~1\UVNCBV~1\UltraVNC\repeater.exe -> Not selected
[Tr.Gen0][File] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\UltraVNC\UltraVNC Server.lnk [LNK@] C:\PROGRA~1\UVNCBV~1\UltraVNC\winvnc.exe -> Not selected
[Tr.Gen0][File] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\UltraVNC\UltraVNC Viewer.lnk [LNK@] C:\PROGRA~1\UVNCBV~1\UltraVNC\VNCVIE~1.EXE -> Not selected
[Tr.Gen0][Folder] C:\Program Files\uvnc bvba -> Not selected
[PUP.Gen0][Folder] C:\Program Files (x86)\Common Files\DVDVideoSoft -> Not selected
[PUP.Gen0][File] C:\Users\gaberilde\Desktop\DVDVideoSoft Free Studio.lnk [LNK@] C:\PROGRA~2\COMMON~1\DVDVID~1\FREEST~1.EXE -> Not selected
[Tr.Gen0][File] C:\Users\gaberilde\Pictures\Mario_Tower_Defence.exe -> Not selected
[PUP.Gen0][File] C:\Users\gaberilde\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\DVDVideoSoft\DVDVideoSoft Free Studio.lnk [LNK@] C:\PROGRA~2\COMMON~1\DVDVID~1\FREEST~1.EXE -> Not selected
[PUP.Gen0][File] C:\Users\gaberilde\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\DVDVideoSoft\Log Report.lnk [LNK@] C:\PROGRA~2\COMMON~1\DVDVID~1\bin\DVSSYS~1.EXE -> Removed at reboot [2]
[PUP.Gen0][File] C:\Users\gaberilde\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\DVDVideoSoft\Premium Membership.lnk [LNK@] C:\PROGRA~2\COMMON~1\DVDVID~1\PREMIU~1.EXE -> Removed at reboot [2]
[PUP.Gen0][File] C:\Users\gaberilde\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\DVDVideoSoft\Uninstall.lnk [LNK@] C:\PROGRA~2\COMMON~1\DVDVID~1\lib\UNINST~1.EXE -> Not selected
¤¤¤ WMI : 0 ¤¤¤
¤¤¤ Hosts File : 0 [Too big!] ¤¤¤
¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
¤¤¤ Web browsers : 4 ¤¤¤
[PUP.Gen0][Chrome:Addon] Default : SwagButton [gngocbkfmikdgphklgmmehbjjlfgdemm] -> Not selected
[PUP.Gen0][Chrome:Addon] Default : Awesome New Tab Page [mgmiemnjjchgkmgbeljfocdjjnpjnmcg] -> Not selected
[PUM.HomePage][Chrome:Config] Default [SecurePrefs] : homepage [http://www.roblox.com/] -> Not selected
[PUM.HomePage][Chrome:Config] Default [SecurePrefs] : session.startup_urls [http://everybodyedits.com/|http://www.roblox.com/games/?Keyword=otis%20elevator|http://www.facebook.com/home.php?|http://www.chatzy.com/55920671108061|https://www.youtube.com/channel/UCQ6fPy9wr7qnMxAbFOGBaLw|http://sploder.com/] -> Not selected
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD10JPVX-22JC3T0 +++++
--- User ---
[MBR] b81b5d20f02cb29051f366338c32172c
[BSP] c220cbc7ebdd651287a5fc4135f263e6 : Unknown|VT.Unknown MBR Code
Partition table:
0 - [MAN-MOUNT] EFI system partition | Offset (sectors): 2048 | Size: 300 MB
1 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 616448 | Size: 128 MB
2 - Basic data partition | Offset (sectors): 878592 | Size: 541584 MB
3 - Basic data partition | Offset (sectors): 1110042624 | Size: 30735 MB
4 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 1172989952 | Size: 900 MB
5 - Basic data partition | Offset (sectors): 1174833152 | Size: 359992 MB
6 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 1912096768 | Size: 20228 MB
User = LL1 ... OK
User = LL2 ... OK
 

 

Attached Files
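The RogueKiller report above groups its registry hits by detection name, but two of those groups call for interpretation rather than deletion: the PUM.Dns entries are simply whatever nameservers each interface was using (an ISP's resolvers look the same as a hijack until they are compared with what the network is supposed to use), and the firewall lines are Allow rules whose direction and App path decide whether they matter. The Python below is an added example, not part of the thread and not RogueKiller's code: it parses constructed lines modelled on that report and triages them against an assumed expected-resolver set (the 192.168.1.254 router address that appears in the report) and an assumed watchlist of remote-control server binaries.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample modelled on the RogueKiller report format in the thread. The interface
# GUIDs, the 78.143.192.x nameservers and the BitTorrent/winvnc rules mirror entries in that
# report; the selection and order are illustrative.
SAMPLE_RK = r"""
[PUP.Gen1] (X64) HKEY_USERS\RK_gaberilde_ON_O_66A6\Software\OCS -> Deleted
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{3406ffa2-ce02-420a-95e8-2be9c6c53251} | NameServer : 78.143.192.20,78.143.192.10 ([United Kingdom][United Kingdom])  -> Replaced ()
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{36C707CA-CEF5-4DFF-95D3-DA4A7B10280A} | NameServer : 78.143.192.20,78.143.192.10,192.168.1.254 ([United Kingdom][United Kingdom][-])  -> Replaced ()
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\RK_System_ON_O_4700\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {545D177E-3B28-4DDB-9039-B2DD8078299A} : v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=6|App=O:\Users\gaberilde\AppData\Roaming\BitTorrent\BitTorrent.exe|Name=BitTorrent (TCP-In) (gaberilde)|Edge=TRUE| [x] -> Deleted
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\RK_System_ON_O_4700\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {5CB3F728-0977-45B5-AB2B-801002CB15C1} : v2.22|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|App=O:\Users\gaberilde\AppData\Roaming\BitTorrent\BitTorrent.exe|Name=BitTorrent (TCP-Out) (gaberilde)| [x] -> Deleted
[Tr.Gen0] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {DE2D07DD-3CA3-4631-B1A2-410AD7F15A16} : v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Program Files\uvnc bvba\UltraVNC\winvnc.exe|Name=winvnc.exe| [7] -> Deleted
"""

# PUM.Dns line: registry path ending in the interface GUID, then the NameServer value.
DNS_RE = re.compile(
    r"^\[PUM\.Dns\] \((?:X64|X86)\) \S+?\\\{(?P<iface>[^}]+)\} \| NameServer : (?P<servers>[0-9.,]*)"
)
# Firewall rule line: detection, rule GUID, the pipe-separated rule string, RogueKiller's result.
FW_RE = re.compile(
    r"^\[(?P<det>[^\]]+)\] \((?:X64|X86)\) \S+ \| \{(?P<guid>[0-9A-Fa-f-]+)\} : "
    r"(?P<rule>.+?) \[[^\]]*\] -> (?P<action>.+)$"
)
TRUSTED_ROOTS = (r"c:\program files", r"c:\windows")
# Assumed watchlist: remote-control servers that should only have inbound rules on purpose.
REMOTE_ACCESS_BINARIES = {"winvnc.exe"}


def parse_roguekiller(text):
    """Split a RogueKiller report into per-interface DNS settings and parsed firewall rules."""
    out = {"dns": [], "firewall": []}
    for raw in text.splitlines():
        line = raw.rstrip()
        m = DNS_RE.match(line)
        if m:
            servers = [s for s in m["servers"].split(",") if s]  # tolerate a trailing comma
            out["dns"].append({"interface": m["iface"], "servers": servers})
            continue
        m = FW_RE.match(line)
        if m:
            fields = m["rule"].split("|")  # v2.22|Action=Allow|Dir=In|...|
            attrs = dict(f.split("=", 1) for f in fields[1:] if "=" in f)
            out["firewall"].append({"guid": m["guid"], "detection": m["det"],
                                    "version": fields[0], "attrs": attrs, "result": m["action"]})
    return out


def triage(parsed, expected_dns, trusted_roots=TRUSTED_ROOTS, watchlist=REMOTE_ACCESS_BINARIES):
    """Flag resolvers outside the expected set and inbound Allow rules that merit review."""
    findings = []
    for d in parsed["dns"]:
        unexpected = [s for s in d["servers"] if s not in expected_dns]
        if unexpected:
            findings.append({"kind": "unexpected_dns", "interface": d["interface"], "servers": unexpected})
    for r in parsed["firewall"]:
        a = r["attrs"]
        if a.get("Action") != "Allow" or a.get("Dir") != "In" or a.get("Active") != "TRUE":
            continue  # outbound or inactive rules are not the exposure we are looking for
        app = a.get("App", "")
        reasons = []
        if not app.lower().startswith(trusted_roots):
            reasons.append("app outside Program Files/Windows")
        if PureWindowsPath(app).name.lower() in watchlist:
            reasons.append("remote-control tool")
        if reasons:
            findings.append({"kind": "inbound_allow", "guid": r["guid"], "app": app, "reasons": reasons})
    return findings


if __name__ == "__main__":
    parsed = parse_roguekiller(SAMPLE_RK)
    # Assumed expected resolver: the router at 192.168.1.254 seen in the report.
    results = triage(parsed, expected_dns={"192.168.1.254"})
    for f in results:
        print(f)
    print(Counter(f["kind"] for f in results))
```

An inbound Allow rule for winvnc.exe is only a problem if nobody installed UltraVNC on purpose; the check surfaces it so that question gets asked, and the DNS comparison does the same for resolvers the user never configured. Outbound rules and rules for programs under Program Files with no watchlist hit stay quiet, which keeps the output short enough to actually read.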



#7 nasdaq

nasdaq

  • Malware Response Team
  • 35,168 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted Yesterday, 10:56 AM

How is the computer running now?

#8 gaberilde

gaberilde
  • Topic Starter

  • Members
  • 66 posts

Posted Yesterday, 11:04 AM

Bad, I think that thing is still running through.



#9 nasdaq

nasdaq

  • Malware Response Team
  • 35,168 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted Today, 09:14 AM

Please download MiniToolBox to Desktop and run it.

Check mark the following boxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List last 10 Event Viewer log
  • List content of Hosts
  • List IP Configuration
  • List Winsock Entries

Click Go and copy/paste the log (MTB.txt) into your next post.
Note: When using the "Reset FF Proxy Settings" option, Firefox should be closed.
Please give me more details on what is wrong with this computer.



