Rkill scan report


11 replies to this topic

#1 eugen_pl

  • Members
  • 24 posts

Posted 18 February 2017 - 05:52 PM

Hello there.

 

Please find enclosed the Rkill report.

My laptop (ASUS G750J, Intel Core i7, GeForce GTX 780M, Windows 10 Pro) is strangely slow. McAfee doesn't find anything wrong.

I ran Rkill before starting the McAfee scan, and here is the report:

 

"

Rkill 2.8.4 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2017 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html
Program started at: 02/18/2017 09:56:32 PM in x64 mode.
Windows Version: Windows 10 Pro
Checking for Windows services to stop:
 * No malware services found to stop.
Checking for processes to terminate:
 * C:\Windows\SysWOW64\UMonit64.exe (PID: 9560) [WD-HEUR]
1 proccess terminated!
Checking Registry for malware related settings:
 * No issues found in the Registry.
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
Performing miscellaneous checks:
 * Windows Defender Disabled
   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001
Checking Windows Service Integrity:
 * gagp30kx [Missing Service]
 * IEEtwCollectorService [Missing Service]
 * IoQos [Missing Service]
 * nv_agp [Missing Service]
 * TimeBroker [Missing Service]
 * uagp35 [Missing Service]
 * uliagpkx [Missing Service]
 * WcsPlugInService [Missing Service]
 * wpcfltr [Missing Service]
 * WSService [Missing Service]
 * agp440 [Missing ImagePath]
 * AJRouter => %SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted [Incorrect ImagePath]
 * WpnService => %systemroot%\system32\svchost.exe -k netsvcs [Incorrect ImagePath]
 * vmicrdv => %SystemRoot%\System32\icsvcext.dll [Incorrect ServiceDLL]
 * vmicvss => %SystemRoot%\System32\icsvcext.dll [Incorrect ServiceDLL]
Searching for Missing Digital Signatures:
 * No issues found.
Checking HOSTS File:
 * Cannot edit the HOSTS file.
 * Permissions Fixed. Administrators can now edit the HOSTS file.
 * HOSTS file entries found:
  127.0.0.1 localhost
  127.0.0.1 www.007guard.com
  127.0.0.1 007guard.com
  127.0.0.1 008i.com
  127.0.0.1 www.008k.com
  127.0.0.1 008k.com
  127.0.0.1 www.00hq.com
  127.0.0.1 00hq.com
  127.0.0.1 010402.com
  127.0.0.1 www.032439.com
  127.0.0.1 032439.com
  127.0.0.1 www.0scan.com
  127.0.0.1 0scan.com
  127.0.0.1 1000gratisproben.com
  127.0.0.1 www.1000gratisproben.com
  127.0.0.1 1001namen.com
  127.0.0.1 www.1001namen.com
  127.0.0.1 100888290cs.com
  127.0.0.1 www.100888290cs.com
  127.0.0.1 www.100sexlinks.com
  20 out of 15606 HOSTS entries shown.
  Please review HOSTS file for further entries.
Program finished at: 02/18/2017 09:57:31 PM
Execution time: 0 hours(s), 0 minute(s), and 58 seconds(s)"
 
Why are there so many "missing services"? How can I repair it?

Thanks for the advice

Edited by hamluis, 18 February 2017 - 06:24 PM.
Moved from Gen Sec to Am I Infected - Hamluis.
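The report above mixes three kinds of finding that deserve different reactions: a killed process (worth checking the binary's signature), a disabled Windows Defender (expected when a third-party product such as McAfee is registered as the system antivirus, suspicious otherwise), service-integrity noise, and a HOSTS file with 15606 entries, which by the look of the domains is a Spybot/MVPS-style block list that maps ad and scam hosts to 127.0.0.1 rather than a hijack. The script below is an added example that is not part of the thread and not Rkill's own logic: it parses a Rkill log and sorts each finding into "info" or "review". The sample log is a constructed, trimmed copy of the posted report plus two lines that are not in it (the 198.51.100.7 HOSTS entry and the "updsvc" service), added to show what a suspicious line looks like. The classification rules, the user-writable path hints and the trusted-by-default treatment of loopback HOSTS entries are the author's assumptions.

```python
"""Triage a Rkill report: separate known-benign noise from findings worth a second look.

Added example; not part of the forum thread and not Rkill's own logic. The
sample log is a constructed, trimmed copy of the report in the post, plus two
lines that are NOT in it (the 198.51.100.7 HOSTS entry and the 'updsvc'
service) to show what a suspicious line looks like. All rules are the
author's assumptions.
"""
import ipaddress
import re

SAMPLE_RKILL_LOG = r"""
Checking for processes to terminate:
 * C:\Windows\SysWOW64\UMonit64.exe (PID: 9560) [WD-HEUR]
1 proccess terminated!
Performing miscellaneous checks:
 * Windows Defender Disabled
   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001
Checking Windows Service Integrity:
 * gagp30kx [Missing Service]
 * agp440 [Missing ImagePath]
 * AJRouter => %SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted [Incorrect ImagePath]
 * updsvc => C:\Users\Public\AppData\upd.exe [Incorrect ImagePath]
Checking HOSTS File:
 * HOSTS file entries found:
  127.0.0.1 localhost
  127.0.0.1 www.007guard.com
  0.0.0.0 0scan.com
  198.51.100.7 update.example-av.test
  20 out of 15606 HOSTS entries shown.
"""

SECTION_RE = re.compile(r"^[A-Z].*:$")
PROCESS_RE = re.compile(r"^\s*\*\s+(?P<path>.+?) \(PID: (?P<pid>\d+)\) \[(?P<tag>[^\]]+)\]$")
SERVICE_RE = re.compile(r"^\s*\*\s+(?P<name>\S+)(?: => (?P<image>.+?))? \[(?P<status>[^\]]+)\]$")
HOSTS_RE = re.compile(r"^\s*(?P<ip>[0-9A-Fa-f.:]+)\s+(?P<host>[A-Za-z0-9._\-]+)$")
HOSTS_COUNT_RE = re.compile(r"^\s*(?P<shown>\d+) out of (?P<total>\d+) HOSTS entries shown\.$")
DEFENDER_RE = re.compile(r'^\s*"DisableAntiSpyware"\s*=\s*dword:(?P<val>[0-9A-Fa-f]{8})$')

DEFAULT_HOSTS = {"localhost", "localhost.localdomain", "broadcasthost"}
# A service binary living under one of these is worth a look regardless of what Rkill says.
USER_WRITABLE_HINTS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")


def _is_sinkhole(ip: str) -> bool:
    """127.0.0.0/8, ::1 and 0.0.0.0 entries are block-list sinkholes, not redirects."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified


def triage_rkill(log_text: str, third_party_av_installed: bool) -> dict:
    processes, services = [], []
    hosts = {"default": 0, "sinkholed": 0, "redirects": [], "shown": None, "total_in_file": None}
    defender = {"disabled": False, "severity": "none"}
    section = ""
    for line in log_text.splitlines():
        line = line.rstrip()
        if SECTION_RE.match(line):
            section = line
            continue
        if section.startswith("Checking for processes"):
            m = PROCESS_RE.match(line)
            if m:  # Rkill only kills the process; the binary's signature still has to be checked
                processes.append({"path": m["path"], "pid": int(m["pid"]),
                                  "tag": m["tag"], "severity": "review"})
        elif section.startswith("Performing miscellaneous"):
            m = DEFENDER_RE.match(line)
            if m and int(m["val"], 16) == 1:
                # A registered third-party AV (McAfee in the thread) legitimately disables
                # Defender; with no other AV installed, malware is the usual author of this value.
                defender = {"disabled": True,
                            "severity": "info" if third_party_av_installed else "high"}
        elif section.startswith("Checking Windows Service Integrity"):
            m = SERVICE_RE.match(line)
            if m:
                image = (m["image"] or "").lower()
                # Rkill's service baseline predates Windows 10, so missing/changed entries are
                # expected noise unless the ImagePath points at a user-writable location.
                suspicious = any(h in image for h in USER_WRITABLE_HINTS)
                services.append({"name": m["name"], "status": m["status"], "image": m["image"],
                                 "severity": "review" if suspicious else "info"})
        elif section.startswith("Checking HOSTS"):
            m = HOSTS_COUNT_RE.match(line)
            if m:
                hosts["shown"], hosts["total_in_file"] = int(m["shown"]), int(m["total"])
                continue
            m = HOSTS_RE.match(line)
            if not m:
                continue
            try:
                sinkhole = _is_sinkhole(m["ip"])
            except ValueError:
                continue
            if m["host"].lower() in DEFAULT_HOSTS:
                hosts["default"] += 1
            elif sinkhole:
                hosts["sinkholed"] += 1  # block-list "immunisation" entry, benign
            else:
                hosts["redirects"].append((m["ip"], m["host"]))  # real redirect: classic AV-update hijack
    return {"processes": processes, "defender": defender, "services": services, "hosts": hosts}


if __name__ == "__main__":
    for key, value in triage_rkill(SAMPLE_RKILL_LOG, third_party_av_installed=True).items():
        print(key, value)
```

Run against the real report, the script would put everything in the post under "info" except the killed UMonit64.exe, which is reported for a signature check, not as malware. The one thing Rkill's output cannot tell you is whether any of the 15586 entries it did not print point somewhere other than loopback; the `redirects` list is where those would surface if you feed it the complete HOSTS file rather than the 20-line excerpt.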




#2 garioch7

    RCMP Veteran

  • Malware Response Instructor
  • 3,793 posts
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada

Posted 19 February 2017 - 07:12 AM

eugen_pl:
 
RKill is not yet fully compatible with Windows 10.  Grinler will update it in the future.  Do not be concerned about those "missing" services.   That is simply a Windows 10 compatibility issue.  Your RKill report is normal for a Windows 10 computer.
 
Let's run a few scans and see if there is any evidence of viruses or other malware.
 
.
 
:step1: ESET Online Scanner using Internet Explorer:

Note 1: These instructions are for Internet Explorer only! If you're using Chrome or Firefox, you will need to download and install the ESET Smart Installer tool before it can scan. See instructions here.
Note 2: You will need to disable your currently installed Anti-Virus, how to do so can be found here.

  • Download esetsmartinstaller_enu.exe and save it to your Desktop.
  • Double click the icon.
  • Check YES, I accept the Terms of Use.
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Click Advanced settings.
  • Check the following items.

Enable detection of potentially unwanted applications
Remove found threats
Scan archives
Scan for potentially unsafe applications
Enable Anti-Stealth technology

  • Click Change next to Current scan targets:
  • Place a check mark in any additional drive you wish to scan then click OK.
  • Click Start.
  • ESET will then download updates and begin scanning your computer.
  • If no threats are found simply click Uninstall application on close and hit Finish.
  • If threats are found click List of found threats.
  • Click Export to text file.
  • Save the file on your Desktop as ESET.txt.
  • Click Back.
  • Check Uninstall application on close and Delete quarantined files.
  • Click Finish.
  • Close the ESET Online Scanner window.
  • Copy and paste the contents of ESET.txt into your reply, if any threats were detected.

Don't forget to re-enable your antivirus when finished!

.

:step2: Please run a Malwarebytes Anti-Malware scan for me.

  • Please download Malwarebytes to your Desktop.
  • Double-click mb3-setup-1878.1878-3.5.1.2522.exe and follow the prompts to install the program.
  • Then click Finish.
  • Next, please go to "Settings", "Protection", and turn on "Scan for rootkits", if it is not "On."
  • Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
  • If an update of the definitions is available, it will be downloaded and installed before the scan commences.
  • When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
  • Restart your computer when prompted to do so.

The Scan log is available through History ->Application logs. Please copy and paste the contents of the log into your next reply.

.

Thank you and have a great day.

Regards,
-Phil


Graduate of the Bleeping Computer Malware Removal Study Hall


#3 eugen_pl (Topic Starter)

Posted 19 February 2017 - 12:13 PM

Hello Phil

 

Here are Eset and Malwarebytes logs:

 

ESET "C:\Users\Eugeniusz\Downloads\ccsetup526pro.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application cleaned by deleting
C:\Users\Eugeniusz\Downloads\ccsetup527.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application cleaned by deleting
F:\CD i DVD Kopie\EUGENE-PC 02-12-2011 1846 Drive\EUGENE-PC\Backup Set 2011-12-02 184633\Backup Files 2011-12-02 184633\Backup files 2.zip a variant of Win32/Toolbar.Conduit.AU potentially unwanted application deleted
F:\CD i DVD Kopie\EUGENE-PC 02-12-2011 1846 Drive\EUGENE-PC\Backup Set 2011-12-02 184633\Backup Files 2011-12-02 184633\Backup files 3.zip a variant of Win32/Toolbar.Conduit.AU potentially unwanted application deleted
F:\CD i DVD Kopie\EUGENE-PC 02-12-2011 1846 Drive\EUGENE-PC\Backup Set 2011-12-02 184633\Backup Files 2011-12-02 184633\Backup files 6.zip a variant of Win32/Toolbar.Conduit.P potentially unwanted application,Win32/Toolbar.Conduit.Y potentially unwanted application,a variant of Win32/PriceGong.A potentially unwanted application deleted"

 

Malwarebytes

 

"

Malwarebytes
www.malwarebytes.com
-Log Details-
Scan Date: 2/19/17
Scan Time: 4:50 PM
Logfile: Malware 19 feb.txt
Administrator: Yes
-Software Information-
Version: 3.0.6.1469
Components Version: 1.0.50
Update Package Version: 1.0.1300
License: Trial
-System Information-
OS: Windows 10
CPU: x64
File System: NTFS
User: EUGENE_PL\Eugeniusz
-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 453104
Time Elapsed: 4 min, 46 sec
-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
-Scan Details-
Process: 0
(No malicious items detected)
Module: 0
(No malicious items detected)
Registry Key: 0
(No malicious items detected)
Registry Value: 0
(No malicious items detected)
Registry Data: 0
(No malicious items detected)
Data Stream: 0
(No malicious items detected)
Folder: 0
(No malicious items detected)
File: 3
PUP.Optional.Trotux, C:\USERS\EUGENIUSZ\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\K2PBL97R.DEFAULT\PREFS.JS, Removal Failed, [420], [302758],1.0.1300
PUP.Optional.IStartPageing.ChrPRST, C:\USERS\EUGENIUSZ\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\K2PBL97R.DEFAULT\PREFS.JS, Removal Failed, [18048], [303351],1.0.1300
PUP.Optional.MySites123.ShrtCln, C:\USERS\EUGENIUSZ\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\K2PBL97R.DEFAULT\PREFS.JS, Removal Failed, [15011], [303353],1.0.1300
Physical Sector: 0
(No malicious items detected)

(end)"
 
 
Malwarebytes can't remove the PUPs.
 
Regards
 
Eugene

Edited by eugen_pl, 19 February 2017 - 12:14 PM.


#4 garioch7

Posted 19 February 2017 - 12:48 PM

Eugene:
 
Thank you for your logs.  Interesting that MB did not remove the three PUPs.  
 
.
 
:step1: What happens if you go to the Windows Start Menu, Programs, locate Malwarebytes, and then open that folder, and right-click the Malwarebytes program and select "Run as Administrator"?  If you have a desktop shortcut, do you get a "Run as Administrator" option when you right-click it?  If you can, run it again as an Administrator and copy and paste the contents of the log file.  If it still doesn't remove the PUPs, I will ask over at the Malwarebytes Forum where I am a "Trusted Advisor" and see if we can't figure out how to get rid of these PUPs, short of having to move you to our "Logs" Forum, where FRST should be able to remove these PUPs.  Unfortunately, no FRST logs are permitted in this Forum. It could be that this might be an issue with the new version of Malwarebytes Premium. They are having some issues with this new release (Version 3).  It could also be that your Windows login account has limited privileges.  Please ensure that you are logged into a Windows user account with Administrative privileges.
 
.
 
:step2: Please download AdwCleaner by Malwarebytes and save the file to your Desktop. For now, we are just going to do a scan. This will not delete anything. Let's see if AdwCleaner detects these PUPs.

  • Double click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8/10 users right-click and select Run As Administrator
  • The tool will start to update the database, please wait for it to complete the update.
  • Click on I Agree button.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Logfile button...a logfile (AdwCleaner[R#].txt) will open in Notepad for review (where the largest value of # represents the most recent report).
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.

.

:step3: Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Please copy and paste the contents of JRT.txt into your next message.

.


Thank you and have a great day.

Regards,
-Phil




#5 eugen_pl (Topic Starter)

Posted 19 February 2017 - 01:54 PM

Hi Phil

 

Malwarebytes "Run as administrator" mode log:

Malwarebytes
www.malwarebytes.com
-Log Details-
Scan Date: 2/19/17
Scan Time: 5:17 PM
Logfile: Malware 19 feb ADMIN.txt
Administrator: Yes
-Software Information-
Version: 3.0.6.1469
Components Version: 1.0.50
Update Package Version: 1.0.1302
License: Trial
-System Information-
OS: Windows 10
CPU: x64
File System: NTFS
User: EUGENE_PL\Eugeniusz
-Scan Summary-
Scan Type: Custom Scan
Result: Completed
Objects Scanned: 367598
Time Elapsed: 27 min, 50 sec
-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
-Scan Details-
Process: 0
(No malicious items detected)
Module: 0
(No malicious items detected)
Registry Key: 0
(No malicious items detected)
Registry Value: 0
(No malicious items detected)
Registry Data: 0
(No malicious items detected)
Data Stream: 0
(No malicious items detected)
Folder: 0
(No malicious items detected)
File: 3
PUP.Optional.Trotux, C:\USERS\EUGENIUSZ\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\K2PBL97R.DEFAULT\PREFS.JS, Removal Failed, [420], [302758],1.0.1302
PUP.Optional.IStartPageing.ChrPRST, C:\USERS\EUGENIUSZ\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\K2PBL97R.DEFAULT\PREFS.JS, Removal Failed, [18049], [303351],1.0.1302
PUP.Optional.MySites123.ShrtCln, C:\USERS\EUGENIUSZ\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\K2PBL97R.DEFAULT\PREFS.JS, Removal Failed, [15012], [303353],1.0.1302
Physical Sector: 0
(No malicious items detected)

(end)

 

 

 

 

AdwCleaner "Run as administrator" mode (before restart) log:

# AdwCleaner v6.043 - Logfile created 19/02/2017 at 18:16:47
# Updated on 27/01/2017 by Malwarebytes
# Database : 2017-02-13.1 [Local]
# Operating System : Windows 10 Pro  (X64)
# Username : Eugeniusz - EUGENE_PL
# Running from : C:\Users\Eugeniusz\Desktop\New folder\adwcleaner_6.043.exe
# Mode: Scan
# Support : https://www.malwarebytes.com/support
 
***** [ Services ] *****
No malicious services found.

***** [ Folders ] *****
No malicious folders found.

***** [ Files ] *****
No malicious files found.

***** [ DLL ] *****
No malicious DLLs found.

***** [ WMI ] *****
No malicious keys found.

***** [ Shortcuts ] *****
No infected shortcut found.

***** [ Scheduled Tasks ] *****
No malicious task found.

***** [ Registry ] *****
No malicious registry entries found.

***** [ Web browsers ] *****
Firefox pref Found:  [C:\Users\Eugeniusz\AppData\Roaming\Mozilla\Firefox\Profiles\k2pbl97r.default\prefs.js] - "extensions.adaware.acsBlacklist" -  "ads.williamhillcasino.com,static.williamhillcasino.com,www.vindale.com,ww
Firefox pref Found:  [C:\Users\Eugeniusz\AppData\Roaming\Mozilla\Firefox\Profiles\k2pbl97r.default\prefs.js] - "extensions.adaware.acsWhitelist" -  "dictionnaire-japonais.com,twoocdn.com,kbc.be,gartenxxl.de,vezess.hu,bonda
No malicious Chromium based browser items found.
*************************
C:\AdwCleaner\AdwCleaner[C0].txt - [1135 Bytes] - [14/08/2016 19:22:54]
C:\AdwCleaner\AdwCleaner[C2].txt - [1440 Bytes] - [18/02/2017 21:26:04]
C:\AdwCleaner\AdwCleaner[C3].txt - [1421 Bytes] - [18/02/2017 22:04:53]
C:\AdwCleaner\AdwCleaner[S0].txt - [1226 Bytes] - [14/08/2016 19:21:14]
C:\AdwCleaner\AdwCleaner[S1].txt - [1282 Bytes] - [14/08/2016 19:35:11]
C:\AdwCleaner\AdwCleaner[S2].txt - [1553 Bytes] - [18/02/2017 21:25:23]
C:\AdwCleaner\AdwCleaner[S3].txt - [1557 Bytes] - [18/02/2017 22:04:11]
C:\AdwCleaner\AdwCleaner[S4].txt - [1918 Bytes] - [19/02/2017 18:16:47]
########## EOF - C:\AdwCleaner\AdwCleaner[S4].txt - [1991 Bytes] ##########

 

 

 

AdwCleaner "Run as administrator" mode (after restart) log:

# AdwCleaner v6.043 - Logfile created 19/02/2017 at 18:42:29
# Updated on 27/01/2017 by Malwarebytes
# Database : 2017-02-13.1 [Local]
# Operating System : Windows 10 Pro  (X64)
# Username : Eugeniusz - EUGENE_PL
# Running from : C:\Users\Eugeniusz\Desktop\New folder\adwcleaner_6.043.exe
# Mode: Scan
# Support : https://www.malwarebytes.com/support
 
***** [ Services ] *****
No malicious services found.

***** [ Folders ] *****
No malicious folders found.

***** [ Files ] *****
No malicious files found.

***** [ DLL ] *****
No malicious DLLs found.

***** [ WMI ] *****
No malicious keys found.

***** [ Shortcuts ] *****
No infected shortcut found.

***** [ Scheduled Tasks ] *****
No malicious task found.

***** [ Registry ] *****
No malicious registry entries found.

***** [ Web browsers ] *****
No malicious Firefox based browser items found.
No malicious Chromium based browser items found.
*************************
C:\AdwCleaner\AdwCleaner[C0].txt - [1135 Bytes] - [14/08/2016 19:22:54]
C:\AdwCleaner\AdwCleaner[C2].txt - [1440 Bytes] - [18/02/2017 21:26:04]
C:\AdwCleaner\AdwCleaner[C3].txt - [1421 Bytes] - [18/02/2017 22:04:53]
C:\AdwCleaner\AdwCleaner[C4].txt - [1572 Bytes] - [19/02/2017 18:18:27]
C:\AdwCleaner\AdwCleaner[S0].txt - [1226 Bytes] - [14/08/2016 19:21:14]
C:\AdwCleaner\AdwCleaner[S1].txt - [1282 Bytes] - [14/08/2016 19:35:11]
C:\AdwCleaner\AdwCleaner[S2].txt - [1553 Bytes] - [18/02/2017 21:25:23]
C:\AdwCleaner\AdwCleaner[S3].txt - [1557 Bytes] - [18/02/2017 22:04:11]
C:\AdwCleaner\AdwCleaner[S4].txt - [2070 Bytes] - [19/02/2017 18:16:47]
C:\AdwCleaner\AdwCleaner[S5].txt - [1665 Bytes] - [19/02/2017 18:42:29]
########## EOF - C:\AdwCleaner\AdwCleaner[S5].txt - [1738 Bytes] ##########

 

 

 

JRT "Run as administrator" mode log:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.1.0 (12.05.2016)
Operating System: Windows 10 Pro x64
Ran by Eugeniusz (Administrator) on 19/02/2017 at 18:26:24.23
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

File System: 0

Deleted the following from C:\Users\Eugeniusz\AppData\Roaming\Mozilla\Firefox\Profiles\k2pbl97r.default\prefs.js
user_pref(extensions.xpiState, {\app-profile\:{\@true-key\:{\d\:\C:\\\\Users\\\\Eugeniusz\\\\AppData\\\\Roaming\\\\Mozilla\\\\Firefox\\\\Profiles\\\\k2pbl97r.default
 
Registry: 0
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 19/02/2017 at 18:34:47.61
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

 

 

Regards

Eugene



#6 eugen_pl (Topic Starter)

Posted 19 February 2017 - 02:06 PM

Malwarebytes "Run as administrator" log after running AdwCleaner and JRT.

Malwarebytes
www.malwarebytes.com
-Log Details-
Scan Date: 2/19/17
Scan Time: 6:59 PM
Logfile: mb nowy.txt
Administrator: Yes
-Software Information-
Version: 3.0.6.1469
Components Version: 1.0.50
Update Package Version: 1.0.1302
License: Trial
-System Information-
OS: Windows 10
CPU: x64
File System: NTFS
User: EUGENE_PL\Eugeniusz
-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 453093
Time Elapsed: 4 min, 42 sec
-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
-Scan Details-
Process: 0
(No malicious items detected)
Module: 0
(No malicious items detected)
Registry Key: 0
(No malicious items detected)
Registry Value: 0
(No malicious items detected)
Registry Data: 0
(No malicious items detected)
Data Stream: 0
(No malicious items detected)
Folder: 0
(No malicious items detected)
File: 3
PUP.Optional.Trotux, C:\USERS\EUGENIUSZ\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\K2PBL97R.DEFAULT\PREFS.JS, No Action By User, [420], [302758],1.0.1302
PUP.Optional.IStartPageing.ChrPRST, C:\USERS\EUGENIUSZ\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\K2PBL97R.DEFAULT\PREFS.JS, No Action By User, [18049], [303351],1.0.1302
PUP.Optional.MySites123.ShrtCln, C:\USERS\EUGENIUSZ\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\K2PBL97R.DEFAULT\PREFS.JS, No Action By User, [15012], [303353],1.0.1302
Physical Sector: 0
(No malicious items detected)

(end)
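Three tools have now looked at the same prefs.js and disagreed: Malwarebytes reports three PUP families it cannot remove, AdwCleaner sees only two adaware prefs and then nothing, and JRT deleted the `extensions.xpiState` entry that named a `@true-key` extension. When scanners disagree about one text file, the quickest way to settle it is to read the file yourself. The script below is an added example, not part of the thread and not the logic of Malwarebytes, AdwCleaner or JRT: it parses the `user_pref()` lines of a Firefox prefs.js, flags the homepage, new-tab and search prefs that point outside a trusted list, lists the extension ids recorded in `extensions.xpiState`, and marks any line mentioning one of the PUP families named in the thread's logs. The sample prefs.js is constructed (its .test domains stand in for whatever the real file contained, and the profile path is made up); the trusted host and engine lists are assumptions, and the marker list is simply the family names taken from the posted detections.

```python
"""Triage a Firefox prefs.js for browser-hijacker settings.

Added example; not part of the thread and not Malwarebytes', AdwCleaner's or
JRT's logic. SAMPLE_PREFS_JS is constructed (the .test domains and the profile
path are made up). The marker names come from the detections posted in the
thread; the trusted lists are the author's assumptions.
"""
import json
import re
from urllib.parse import urlsplit

PREF_RE = re.compile(r'^user_pref\("(?P<name>(?:[^"\\]|\\.)*)",\s*(?P<value>.*)\);\s*$')

# Prefs a hijacker rewrites to own the homepage, new tab page and search box.
HIJACK_PREFS = {
    "browser.startup.homepage", "browser.newtab.url", "keyword.URL",
    "browser.search.defaultenginename", "browser.search.selectedEngine",
    "browser.search.defaulturl",
}
# Assumed allowlists; in practice these come from what the user actually chose.
TRUSTED_HOSTS = ("mozilla.org", "google.com", "bing.com", "duckduckgo.com")
TRUSTED_ENGINES = {"Google", "Bing", "DuckDuckGo", "Yahoo", "Wikipedia (en)"}
# Family names taken from the Malwarebytes, AdwCleaner and JRT output in the thread.
THREAD_MARKERS = ("trotux", "istartpageing", "mysites123", "true-key", "adaware")

SAMPLE_PREFS_JS = r'''// Mozilla User Preferences
user_pref("browser.cache.disk.capacity", 358400);
user_pref("browser.startup.homepage", "http://www.mysites123.test/");
user_pref("browser.search.defaultenginename", "Trotux");
user_pref("browser.search.selectedEngine", "Trotux");
user_pref("keyword.URL", "http://search.istartpageing.test/?q=");
user_pref("extensions.adaware.acsBlacklist", "ads.williamhillcasino.com,static.williamhillcasino.com");
user_pref("extensions.xpiState", "{\"app-profile\":{\"@true-key\":{\"d\":\"C:\\\\Users\\\\user\\\\AppData\\\\Roaming\\\\Mozilla\\\\Firefox\\\\Profiles\\\\abcd1234.default\\\\extensions\\\\@true-key\"}}}");
user_pref("privacy.donottrackheader.enabled", true);
'''


def parse_prefs(text):
    """Yield (line_no, name, value) for each user_pref() line; JS literals decoded as JSON."""
    for no, line in enumerate(text.splitlines(), 1):
        m = PREF_RE.match(line)
        if not m:
            continue
        raw = m["value"].strip()
        try:
            value = json.loads(raw)   # string, number and boolean literals are JSON-compatible
        except ValueError:
            value = raw               # keep anything JS-only as the raw literal
        yield no, m["name"], value


def installed_extension_ids(text):
    """Extension ids recorded in extensions.xpiState (the pref JRT rewrote in the thread)."""
    ids = []
    for _, name, value in parse_prefs(text):
        if name != "extensions.xpiState" or not isinstance(value, str):
            continue
        try:
            state = json.loads(value)  # the pref value is itself a JSON document
        except ValueError:
            continue
        for location in state.values():  # e.g. "app-profile", "app-system-defaults"
            if isinstance(location, dict):
                ids.extend(location.keys())
    return ids


def _trusted(value):
    """URL values are judged by host suffix; bare engine names by the engine allowlist."""
    parts = urlsplit(value)
    if parts.scheme and parts.hostname:
        host = parts.hostname.lower()
        return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)
    return value in TRUSTED_ENGINES


def scan_prefs(text):
    findings = []
    for no, name, value in parse_prefs(text):
        blob = f"{name} {value}".lower()
        if name in HIJACK_PREFS and isinstance(value, str) and not _trusted(value):
            findings.append({"line": no, "pref": name, "severity": "high",
                             "reason": "homepage/search pref points outside the trusted list"})
        elif any(marker in blob for marker in THREAD_MARKERS):
            findings.append({"line": no, "pref": name, "severity": "review",
                             "reason": "mentions a PUP family named in the thread's scan logs"})
    return findings


def remove_flagged(text, findings):
    """prefs.js text without the flagged lines; Firefox recreates defaults for missing prefs.
    Firefox must be closed first: it rewrites prefs.js on exit and would undo the edit."""
    drop = {f["line"] for f in findings}
    return "\n".join(l for no, l in enumerate(text.splitlines(), 1) if no not in drop) + "\n"


if __name__ == "__main__":
    found = scan_prefs(SAMPLE_PREFS_JS)
    for f in found:
        print(f"line {f['line']:>3} {f['severity']:<6} {f['pref']}: {f['reason']}")
    print("extensions:", installed_extension_ids(SAMPLE_PREFS_JS))
```

Two caveats for anyone applying this to a real profile. Firefox writes prefs.js when it shuts down, so any fix made while the browser is open, by a scanner or by hand, is overwritten on exit; that alone is a plausible reason for the "Removal Failed" lines above, and it is why JRT's run with the browser closed looked different. And removing a `user_pref` line only clears the setting: an extension that keeps re-adding it has to be removed from the profile's extensions folder as well, which is what the `installed_extension_ids` list is for.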


#7 garioch7

Posted 19 February 2017 - 03:25 PM

Eugene:
 
Thank you for the logs and going the extra step of running Malwarebytes Premium again, after the AdwCleaner and JRT runs.  Great job!   :thumbsup:
 
I have opened a topic over at the Malwarebytes 3.0 Forum, requesting that they have a look at your logs here.  The Malwarebytes 3.0 Forum topic can be found at this link.
 
I don't know whether these were false detections; or, whether there might be a bug in the Malwarebytes Premium disinfection program component.  These PUPs are not serious (no keyloggers, trojans, backdoors, etc.), so I would appreciate your patience to permit the Malwarebytes staff to peruse our topic here and get back to us with their conclusions; or, their request for Malwarebytes Premium logs.  It is important for them to be able to work on live computers in these situations, particularly if there might be a bug in either the detection or removal components of the current version of the Malwarebytes Premium program.  You would be making your own contribution to the fight against malware! :thumbup2:
 
I am confident that the Malwarebytes staff will respond to our topic in the next day or two (very busy over there), but, if at any point, you want to get an immediate answer one way or the other, and this IS YOUR COMPUTER, I can refer you to our "Virus, Trojan, Spyware and Malware Removal Logs" Forum.  If that is what you decide that you want to do, then I will personally pick up your topic, if you have informed me beforehand.  In that Forum, I can run the Farbar Recovery and Scan Tool (FRST) and other powerful anti-malware scanning and removal tools to determine if those PUPs are really present; and, if so, to terminate them.

 

Were it me and my computer, since these are just "run-of-the-mill" browser hijackers, I would wait for the Malwarebytes staff to have a look.  IF the detections are legitimate, the worst that they will do is slow down your computer, fight with each other, and impair your web browsing experience.

 

Ultimately, Eugene, it is YOUR decision.  It is YOUR computer.  I am only here to help you.

 

Thank you and have a great day.

 

Regards,

-Phil




#8 garioch7

Posted 23 February 2017 - 06:02 AM

Eugene:

 

I have heard back from Malwarebytes.  They would like you to locate the file below, with Windows File Explorer, and zip this file for them so that they can have a look.  You will have to enable "View Hidden Files", if you have not already done so, to see the "AppData" folder and its subfolders.

C:\USERS\EUGENIUSZ\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\K2PBL97R.DEFAULT\PREFS.JS

Please attach the zipped file to your next reply, if you can.  If it is too large, please open a free account at Sendspace.com and upload the zipped file there.  Please copy and paste the Sendspace file download link into your next reply.

 

Thank you for your patience.  Have a great day.

 

Regards,

-Phil




#9 eugen_pl (Topic Starter)

Posted 23 February 2017 - 07:57 PM

Hi Phil,

 

The file is not too large, but I cannot find the "attach" option.

 

Here is link to my uploaded file.

 

https://www.sendspace.com/file/nclws9

 

How can you run the Farbar Recovery and Scan Tool on my laptop?

 

Regards

 

Eugene


Edited by eugen_pl, 23 February 2017 - 07:58 PM.


#10 eugen_pl (Topic Starter)

Posted 23 February 2017 - 09:18 PM

[This post quotes replies #7 and #8 in full and adds no new text; the duplicated quotes are omitted here.]


#11 garioch7

Posted 24 February 2017 - 01:32 PM

Eugene:

 

Thank you for the Sendspace URL for the file that was requested by Malwarebytes.

 

I have sent the link to the staff member over at Malwarebytes who is going to ensure that it gets examined to determine whether the detections might be false positives.

 

Please stand by.  This being Friday afternoon, I would not expect to hear from them until mid-week, next week.

 

Thank you for your patience.  Have a great day.

 

Regards,

-Phil




#12 garioch7

Posted 25 February 2017 - 12:36 PM

Eugene:

 

I have heard back from Malwarebytes.  Please see, and follow the instructions, in this post and then repeat your scan.  Ensure that, in "Settings, Protection, "Potential Threat Protection" you have selected "Treat PUPs/PUMs as malware" for both boxes.  Also, you should ensure that "Scan for rootkits" is enabled.

 

Please copy and paste the contents of the Malwarebytes scan log into your next reply.

 

Thank you and have a great day.

 

Regards,

-Phil






