Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with Kyubey.exe, hotcine, Elex-tech, winsnare, and many more


  • This topic is locked This topic is locked
9 replies to this topic

#1 nenenona

nenenona

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:10:54 PM

Posted 02 April 2017 - 09:34 PM

Hi,

 

recently my PC installed some browser on itself, and it keeps popping an ads. I have tried scanning using my antivirus and malwarebytes, but it keeps coming back the day after.

 

I really need someone to help me fix this, I had read the previous similar issue in this forum and try to fix it myself, but its not working.

Im attaching the FRST and Addition.txt
and I'm using Windows 7 ultimate x64

Attached Files



BC AdBot (Login to Remove)

 


#2 Jo*

Jo*

  • Malware Response Team
  • 3,429 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Germany
  • Local time:05:54 PM

Posted 03 April 2017 - 03:15 AM

:welcome: to BleepingComputer.

Hi there,

my name is Jo and I will help you with your computer problems.


Please follow these guidelines:
  • Read and follow the instructions in the sequence they are posted.
  • print or copy & save instructions.
  • back up all your private data / music / important files on another (external) drive before using our tools.
  • Do not install / uninstall any applications, unless otherwise instructed.
  • Use only that tools you have been instructed to use.
  • Copy and Paste the log files inside your post, unless otherwise instructed.
  • Ask for clarification, if you have any questions.
  • Stay with this topic til you get the all clean post.
  • My first language is not english. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

***


:step1: Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    Vista / Windows 7/8 users right-click and select Run As Administrator.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

***


:step2: Please download Malwarebytes Anti-Rootkit and save it to your desktop.
  • Be sure to print out and follow the instructions provided on that same page.
  • Caution: This is a beta version so please be sure to read the disclaimer and back up all your data before using.
  • Double click on downloaded file. OK self extracting prompt.
  • MBAR will start. Click in the introduction screen "next" to continue.
  • Click in the following screen "Update" to obtain the latest malware definitions.
  • Once the update is complete select "Next" and click "Scan".
With some infections, you may see two messages boxes.
  • 'Could not load protection driver'. Click 'OK'.
  • 'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.
  • If malware is found - do not press the Clean up button, please go to the MBAR folder and then copy/paste the contents of the MBAR-log-***.txt file to your next reply.
  • If there is no malware found, please let me know as well.

***


:step3: Please download AdwCleaner by Xplode and save to your Desktop.
Double-click AdwCleaner.exe
Vista / Windows 7/8/10 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Logfile button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it.
    If you see an entry you want to keep, let me know about it.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.

***


Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#3 nenenona

nenenona
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:10:54 PM

Posted 05 April 2017 - 12:07 AM

Hi Jo,

Thank you for your assistance and sorry for the late reply

I already did all of your instruction but unfortunately had to delete few folders manually in step 2, due to MBAR keeps hang.

But after that, the scan process can be done

 

Here is my logs,

 
 
*i cant attach the system log of mbar before I deleted some folders manually because it size is too large

Attached Files



#4 Jo*

Jo*

  • Malware Response Team
  • 3,429 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Germany
  • Local time:05:54 PM

Posted 05 April 2017 - 02:11 AM

Hello,

:step1: Run Malwarebytes Anti-Rootkit again: Double click mbar.exe to run the tool.
Vista / Windows 7/8/10 users right-click and select Run As Administrator.
  • Scan your system for malware
  • If malware is found, click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • then please go to the MBAR folder and then copy/paste the contents of the MBAR-log-***.txt file to your next reply.
  • If there is no malware found, please let me know as well.

***


:step2: Double click on AdwCleaner.exe to run the tool again.
Vista / Windows 7/8/10 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[C#].txt) will open automatically (where the largest value of # represents the most recent report).
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.

***


:step3: Please download Junkware Removal Tool from HERE and save it to your desktop.
Shutdown your antivirus to avoid any potential conflicts.
Double click JRT.exe to run the tool.
Vista / Windows 7/8/10 users right-click and select Run As Administrator.
  • JRT will begin to backup your registry and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, the log JRT.txt is saved on your desktop and will automatically open.
Enable your antivirus!
Post the contents of JRT.txt into your next reply.


***


:step4: How the computer is running now?


***


:step5: FRST / FSRT64: run it again.
  • Right-click FRST / FSRT64 then click "Run as administrator" (XP users: click run after receipt of Windows Security Warning - Open File).
  • When the tool opens, click Yes to disclaimer.
  • Put a check into the box next to Addition.txt and press the Scan button.
  • When finished, it will produce logs called FRST.txt and Addition.txt in the same directory the tool was run from.
  • Please copy and paste both logs in your next reply.
-----------------------------------------------------------

Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#5 nenenona

nenenona
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:10:54 PM

Posted 05 April 2017 - 04:04 AM

Hi again,

 

I already perform all of your suggestion, 

But there are some malware that keep detected by adwcleaner, I also had reinstalled Chrome because of it

 

Attached Files



#6 Jo*

Jo*

  • Malware Response Team
  • 3,429 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Germany
  • Local time:05:54 PM

Posted 05 April 2017 - 05:49 AM

Copy FRST / FSRT64.exe to your desktop!


Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
Save it in the same location as / FSRT / FSRT64 (usually your desktop) as fixlist.txt




Start
CreateRestorePoint:
CloseProcesses:
HKU\S-1-5-21-3054896765-712760123-2082123540-1000\...\Policies\Explorer: [DisallowRun] 1
HKU\S-1-5-21-3054896765-712760123-2082123540-1000\...\MountPoints2: E - E:\AutoRun.exe
HKU\S-1-5-21-3054896765-712760123-2082123540-1000\...\MountPoints2: G - G:\AutoRun.exe
HKU\S-1-5-21-3054896765-712760123-2082123540-1000\...\MountPoints2: H - H:\AutoRun.exe
HKU\S-1-5-21-3054896765-712760123-2082123540-1000\...\MountPoints2: {b10f292b-8009-11e6-9289-e89d87bf6b1e} - G:\AutoRun.exe
ShellExecuteHooks: No Name - {0D9F6C28-F1AF-11E6-BD3F-64006A5CFC23} - C:\Users\Adventa\AppData\Roaming\Kuslereidersy\Nihertyckkoge.dll -> No File
GroupPolicy: Restriction <======= ATTENTION
CHR StartupUrls: Default -> "hxxp://search.conduit.com/?ctid=CT3225826&SearchSource=48","hxxp://www.startpageing123.com/?type=hp&ts=1487661036&z=0b5e3578ee94c34bc8913fbgezab1maqcq2gde7cfz&from=che0812&uid=HitachiXHTS725050A9A360_101211PCJ400GLG4HJ9JX","hxxp://www.startpageing123.com/?type=hp&ts=1490754928&z=ec3d288c560e85d87a2aa99gbzdtee4m1w5zftfo0b&from=che0812&uid=HitachiXHTS725050A9A360_101211PCJ400GLG4HJ9JX"
CHR Extension: (Chrome Media Router) - C:\Users\Adventa\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-04-05]
S3 WsDrvInst; C:\Program Files (x86)\Wondershare\Dr.Fone for iOS\DriverInstall.exe [X]
U3 apumzpym; C:\Windows\System32\Drivers\apumzpym.sys [0 ] (Intel Corporation) <==== ATTENTION (zero byte File/Folder)
S3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [X]
S3 EMP_MIRRQW; system32\DRIVERS\EMP_MirrQW.sys [X]
S3 npkcrypt; \??\C:\Program Files (x86)\Ragnarok Online Indonesia\npkcrypt.sys [X]
S3 npkycryp; \??\C:\Program Files (x86)\Ragnarok Online Indonesia\npkycryp.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
FirewallRules: [{360EB676-3145-4CD1-821D-CE8078BA7C2F}] => (Allow) C:\Program Files (x86)\Firefox\bin\FirefoxUpdate.exe
FirewallRules: [{2B475627-8983-4BD0-84D3-0B5C425B93B9}] => (Allow) C:\Program Files (x86)\MIO\loader\hitachixhts725050a9a360_101211pcj400glg4hj9jx.dat
FirewallRules: [{E90C3A9A-B4B6-4847-A0BF-DB995440FA95}] => (Allow) C:\Program Files (x86)\MIO\loader\hitachixhts725050a9a360_101211pcj400glg4hj9jx.dat
FirewallRules: [{6DE85DD3-33F6-46AD-A4B7-CC0C0373E7AE}] => (Allow) C:\Program Files (x86)\MIO\loader\hitachixhts725050a9a360_101211pcj400glg4hj9jx.dat
FirewallRules: [{4A936EAA-23EF-4D30-B5D6-C54602CFCB59}] => (Allow) C:\Program Files (x86)\MIO\loader\hitachixhts725050a9a360_101211pcj400glg4hj9jx.dat
HKLM-x32\...\Run: [SMΔRT-Protection] => C:\Program Files (x86)\Smadav\SMΔRTP.exe [1736704 2017-01-23] (Smadsoft)
EmptyTemp:
End
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST / FSRT64 again as Administrator like we did before but this time press the Fix button just once and wait.
The tool will make a log (Fixlog.txt) please post it to your reply.


How the computer is running now?

Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#7 nenenona

nenenona
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:10:54 PM

Posted 06 April 2017 - 02:50 AM

My computer is running fine by now, there is no more annoying adds, and my chrome ran smoothly by now

Many thanks for the help Jo

 

 

Here is my log

 

Attached Files



#8 Jo*

Jo*

  • Malware Response Team
  • 3,429 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Germany
  • Local time:05:54 PM

Posted 06 April 2017 - 04:24 AM

Hello again,

:step1: Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)
There are 5 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7/8/10 users need to right click and choose Run as Administrator
You only need to get one of them to run, not all of them.Do not reboot your computer after running rkill as the malware programs will start again.


---


:step2: Malwarebytes' Anti-Malware
If this program is already installed: Skip the installation and run only the scan!
Download and install: Please download Malwarebytes Anti-Malware to your desktop.
  • Double-click mb3-setup-1878.1878-3.5.1.2522.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Launch Malwarebytes Anti-Malware
    • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish.
  • On the Dashboard, click the 'Update Now >>' link
  • After the update completes, click the 'Scan Now >>' button.
  • Or, on the Dashboard, click the Scan Now >> button.
  • If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
  • In most cases, a restart will be required.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
How to get logs: (Export log to save as txt)
  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Export'.
  • Click 'Text file (*.txt)'
  • In the Save File dialog box which appears, click on Desktop.
  • In the File name: box type a name for your scan log.
  • A message box named 'File Saved' should appear stating "Your file has been successfully exported".
  • Click Ok
  • Attach that saved log to your next reply.
(Copy to clipboard for pasting into forum replies or tickets)
  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply.

---


:step3:
ZN3USrZ.png Emsisoft Emergency Kit
  • Click here to download Emsisoft Emergency Kit. The download will automatically start after a moment.
  • Save EmsisoftEmergencyKit.exe to your Desktop.
  • Double click on EmsisoftEmergencyKit.exe (Windows Vista/7/8 users: Accept UAC warning if it is enabled). A screen like this will appear:
    dQVDkTW.png
  • Leave everything as it is, then click Extract. This will unpack Emsisoft Emergency Kit to the EEK folder located in the root drive (usually C:\).
  • Once the extraction is done, an icon qwL1Upn.png will appear on your Desktop. Double click it to start Emsisoft Emergency Kit.
  • Wait for Emsisoft Emergency Kit to finish loading signatures. A screen like this should appear:
    yEgPemv.png
  • Choose Yes, then wait for EEK to finish updating.
  • Choose Malware Scan under the Scan button. When EEK asks to activate PUP detection, choose Yes.
  • Wait for the scan to finish.
    RUeRoi4.png
  • If EEK detects something, all detected items will be displayed. Place a checkmark before everything, then choose Quarantine Selected.
  • If Emsisoft Emergency Kit asks to reboot, please do so immediately.
  • The scan log is located in Logs -> Scan Logs. Click on the entry of the latest scan, choose Export and save the report on your Desktop.
    P7FSALs.png
  • Please Copy and Paste the contents of the scan log in your next reply.

***


:step4: How the computer is running now?


***


Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#9 Jo*

Jo*

  • Malware Response Team
  • 3,429 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Germany
  • Local time:05:54 PM

Posted 11 April 2017 - 03:06 AM

Hi,

it has been several days since I sent my last set of instructions to help with your computer problem.

Please let me know if you are having problems and still need help.

Note: Thread will be closed if no response after 3 days.

Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.


#10 Jo*

Jo*

  • Malware Response Team
  • 3,429 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Germany
  • Local time:05:54 PM

Posted 18 April 2017 - 12:14 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.

Graduate of the WTT Classroom
Cheers,
Jo
If I have been helping you, and I have not replied to your latest post in 36 hours please send me a PM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users