MIO.exe, kyubey.exe, winsnare, flowhlp.dat msio and many others


14 replies to this topic

#1 jcharm


  • Members
  • 8 posts

Posted 11 April 2017 - 09:59 AM

I'm infected by a ton of malware. No idea how it got on my PC as I've never had viruses in the last 10 years. Pretty conscious user.

 

Tried to use Malwarebytes removal, Malware Rootkit removal tool, AdwCleaner, HijackThis, HitmanPro, Zemana and UnHackMe. I've also tried live distros such as Bitdefender Rescue CD, F-Secure and AVG Rescue CD, all from a USB. The latter found almost nothing (when I know it's there, because malware will spit out 3000 hits afterwards).

 

They all remove a lot of stuff, but it keeps coming back. I suffer from extremely long boot times, massive delays right before logging into my user and also after logging into my user on Windows (despite an SSD). Seems the malware keeps installing every time or something like that.

 

Symptoms:

 

Changing my search engine (luckysites for example), destroying my Chrome user profile by replacing it, installing a bunch of malignant .exe files such as MIO.exe, kyubey.exe. It also installs fake versions of Chrome and Firefox (I don't use Firefox; suddenly it'll be installed and on my desktop). I've also found flowhlp.dat, which seems to have hidden in a service (since I can't delete it, it'll say it's in use by a service, however I can't find it ANYWHERE). I've tried deleting stuff from the registry manually as well; it just keeps coming back.

 

It also keeps turning off Windows Defender and such mess.

 

 

Going crazy here trying to find the source. I'd just format, but for reasons I'm unable to right now.

 

Hope you guys can help. I hope I've attached appropriate logs.

 

Thank you in advance for your time!

 

P.S.: I tried running DeFogger, but it keeps crashing my computer. It'll say "succes, please restart now", but then my PC will just hang and I can't do anything but reset. If you guys want, I can just get rid of DAEMON Tools altogether, just let me know.

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 15-03-2017
Ran by Jelle (11-04-2017 16:40:23)
Running from C:\Users\Jelle\Downloads
Windows 8.1 Pro (Update) (X64) (2013-10-28 17:15:58)
Boot Mode: Normal
==========================================================

==================== Accounts: =============================

Administrator (S-1-5-21-4099470078-3949118013-312997308-500 - Administrator - Disabled)
ASPNET (S-1-5-21-4099470078-3949118013-312997308-1006 - Limited - Enabled)
Guest (S-1-5-21-4099470078-3949118013-312997308-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-4099470078-3949118013-312997308-1003 - Limited - Enabled)
Jelle (S-1-5-21-4099470078-3949118013-312997308-1001 - Administrator - Enabled) => C:\Users\Jelle

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Enabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

µTorrent (HKU\S-1-5-21-4099470078-3949118013-312997308-1001\...\uTorrent) (Version: 3.4.9.43295 - BitTorrent Inc.)
7-Zip 9.20 (x64 edition) (HKLM\...\{23170F69-40C1-2702-0920-000001000000}) (Version: 9.20.00.0 - Igor Pavlov)
Ace Stream Media 3.1.16.1 (HKU\S-1-5-21-4099470078-3949118013-312997308-1001\...\AceStream) (Version: 3.1.16.1 - Ace Stream Media) <==== ATTENTION
AMD Software (HKLM\...\AMD Catalyst Install Manager) (Version: 9.0.000.8 - Advanced Micro Devices, Inc.)
Batman: Arkham Asylum GOTY Edition (HKLM-x32\...\Steam App 35140) (Version:  - Rocksteady Studios)
Batman: Arkham City GOTY (HKLM-x32\...\Steam App 200260) (Version:  - Rocksteady Studios)
Battle.net (HKLM-x32\...\Battle.net) (Version:  - Blizzard Entertainment)
Battlefield™ 1 (HKLM-x32\...\{335B50BC-6130-4BAF-9A6A-F1561270587B}) (Version: 1.0.49.28890 - Electronic Arts)
Catalyst Control Center Next Localization BR (Version: 2017.0316.1721.29397 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization CHS (Version: 2017.0316.1721.29397 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization CHT (Version: 2017.0316.1721.29397 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization CS (Version: 2017.0316.1721.29397 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization DA (Version: 2017.0316.1721.29397 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization DE (Version: 2017.0316.1721.29397 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization EL (Version: 2017.0316.1721.29397 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization ES (Version: 2017.0316.1721.29397 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization FI (Version: 2017.0316.1721.29397 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization FR (Version: 2017.0316.1721.29397 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization HU (Version: 2017.0316.1721.29397 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization IT (Version: 2017.0316.1721.29397 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization JA (Version: 2017.0316.1721.29397 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization KO (Version: 2017.0316.1721.29397 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization NL (Version: 2017.0316.1721.29397 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization NO (Version: 2017.0316.1721.29397 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization PL (Version: 2017.0316.1721.29397 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization RU (Version: 2017.0316.1721.29397 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization SV (Version: 2017.0316.1721.29397 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization TH (Version: 2017.0316.1721.29397 - Advanced Micro Devices, Inc.) Hidden
Catalyst Control Center Next Localization TR (Version: 2017.0316.1721.29397 - Advanced Micro Devices, Inc.) Hidden
CCleaner (HKLM\...\CCleaner) (Version: 5.25 - Piriform)
Cities: Skylines (HKLM\...\Steam App 255710) (Version:  - Colossal Order Ltd.)
CPUID HWMonitor 1.30 (HKLM\...\CPUID HWMonitor_is1) (Version:  - )
Curse (HKLM-x32\...\{39258ACA-B9D9-418C-ACE2-D874436BD88D}) (Version: 6.0.0.0 - Curse)
DAEMON Tools Lite (HKLM-x32\...\DAEMON Tools Lite) (Version: 4.49.1.0356 - Disc Soft Ltd)
DARK SOULS III (HKLM\...\Steam App 374320) (Version:  - FromSoftware, Inc.)
Discord (HKU\S-1-5-21-4099470078-3949118013-312997308-1001\...\Discord) (Version: 0.0.297 - Hammer & Chisel, Inc.)
Dota 2 (HKLM\...\Steam App 570) (Version:  - Valve)
Dota 2 (HKLM-x32\...\Steam App 570) (Version:  - Valve)
Equalizer APO (HKLM\...\EqualizerAPO) (Version: 1.1.2 - )
Europa Universalis IV (HKLM\...\Steam App 236850) (Version:  - Paradox Development Studio)
f.lux (HKU\S-1-5-21-4099470078-3949118013-312997308-1001\...\Flux) (Version:  - )
Foxit Reader (HKLM-x32\...\Foxit Reader_is1) (Version: 8.2.1.6871 - Foxit Software Inc.)
Google Drive (HKLM-x32\...\{A1238426-ECDF-4639-BE2F-8D12A97AE23C}) (Version: 2.34.5075.1619 - Google, Inc.)
Google Update Helper (x32 Version: 1.3.25.11 - Google Inc.) Hidden
Google Update Helper (x32 Version: 1.3.32.7 - Google Inc.) Hidden
Grim Dawn (HKLM-x32\...\Steam App 219990) (Version:  - Crate Entertainment)
HP Deskjet 3050A J611 series Basic Device Software (HKLM\...\{1B77E249-B8D5-4E5E-8848-693ACEF84E6D}) (Version: 28.0.1315.0 - Hewlett-Packard Co.)
HP Deskjet 3050A J611 series Help (HKLM-x32\...\{97DDCAB8-B770-4089-A10F-67568069D78A}) (Version: 140.0.2.2 - Hewlett Packard)
HP Deskjet 3050A J611 series Product Improvement Study (HKLM\...\{A772BF60-20A5-4279-A18B-B9D8DBC9B30A}) (Version: 28.0.1315.0 - Hewlett-Packard Co.)
HP Update (HKLM-x32\...\{912D30CF-F39E-4B31-AD9A-123C6B794EE2}) (Version: 5.005.002.002 - Hewlett-Packard)
IBM SPSS Statistics 21 (HKLM\...\{1E26B9C2-ED08-4EEA-83C8-A786502B41E5}) (Version: 21.0.0.0 - IBM Corp)
ImgBurn (HKLM-x32\...\ImgBurn) (Version: 2.5.8.0 - LIGHTNING UK!)
Java 8 Update 31 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218031F0}) (Version: 8.0.310 - Oracle Corporation)
Kodi (HKU\S-1-5-21-4099470078-3949118013-312997308-1001\...\Kodi) (Version:  - XBMC-Foundation)
Logitech-webcamsoftware (HKLM-x32\...\{D40EB009-0499-459c-A8AF-C9C110766215}) (Version: 2.80 - Logitech Inc.)
Malwarebytes Anti-Malware version 2.2.1.1043 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.1.1043 - Malwarebytes)
Microsoft .NET Framework 1.1 (HKLM-x32\...\{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}) (Version: 1.1.4322 - Microsoft)
Microsoft Games for Windows - LIVE Redistributable (HKLM-x32\...\{832D9DE0-8AFC-4689-9819-4DBBDEBD3E4F}) (Version: 3.5.92.0 - Microsoft Corporation)
Microsoft Games for Windows Marketplace (HKLM-x32\...\{4CB0307C-565E-4441-86BE-0DF2E4FB828C}) (Version: 3.5.50.0 - Microsoft Corporation)
Microsoft Office Professional Plus 2013 (HKLM\...\Office15.PROPLUS) (Version: 15.0.4569.1506 - Microsoft Corporation)
Microsoft Office Proofing Tools 2013 - Nederlands (HKLM\...\{90150000-001F-0413-1000-0000000FF1CE}) (Version: 15.0.4569.1506 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (HKLM\...\{8220EEFE-38CD-377E-8595-13398D740ACE}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.60610 (HKLM-x32\...\{a1909659-0a08-4554-8af1-2175904903a1}) (Version: 11.0.60610.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.50727 (HKLM-x32\...\{22154f09-719a-4619-bb71-5b3356999fbf}) (Version: 11.0.50727.1 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 (HKLM-x32\...\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (HKLM-x32\...\{050d4fc8-5d48-4b8f-8972-47c82c46020f}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (HKLM-x32\...\{f65db027-aff3-4070-886a-0d87064aabb1}) (Version: 12.0.30501.0 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24123 (HKLM-x32\...\{2cbcedbb-f38c-48a3-a3e1-6c6fd821a7f4}) (Version: 14.0.24123.0 - Microsoft Corporation)
Microsoft Visual C++ 2015 Redistributable (x86) - 14.0.24215 (HKLM-x32\...\{e2803110-78b3-4664-a479-3611a381656a}) (Version: 14.0.24215.1 - Microsoft Corporation)
Microsoft Visual J# .NET Redistributable Package 1.1 (HKLM-x32\...\{1A655D51-1423-48A3-B748-8F5A0BE294C8}) (Version: 1.1.4322 - Microsoft)
Microsoft Visual Studio 2010 Tools for Office Runtime (x64) (HKLM\...\Microsoft Visual Studio 2010 Tools for Office Runtime (x64)) (Version: 10.0.50903 - Microsoft Corporation)
Microtool version 1.1.0 (HKLM-x32\...\Microtool_is1) (Version: 1.1.0 - Microtool Technologies)
mIRC (HKLM-x32\...\mIRC) (Version: 7.43 - mIRC Co. Ltd.)
MSI Afterburner 4.3.0 (HKLM-x32\...\Afterburner) (Version: 4.3.0 - MSI Co., LTD)
MSI Gaming APP (HKLM-x32\...\{E0229316-E73B-484B-B9E0-45098AB38D8C}}_is1) (Version: 3.0.0.19 - MSI)
MSI Kombustor 2.5.9 (HKLM-x32\...\{0B7C79A5-5CB2-4ABD-A9C1-92A6213CE8DD}_is1) (Version:  - MSI Co., LTD)
Mumble 1.2.8 (HKLM-x32\...\{A4339487-03BB-45C7-9FB2-866408320E57}) (Version: 1.2.8 - Thorvald Natvig)
Need for Speed: Hot Pursuit (HKLM\...\Steam App 47870) (Version:  - Criterion Games)
NVIDIA PhysX (HKLM-x32\...\{C5C1C0F0-D62F-4DBF-81D4-D7EF397C228B}) (Version: 9.09.0814 - NVIDIA Corporation)
Oracle VM VirtualBox 5.0.14 (HKLM\...\{82022940-639B-48A3-86D9-B139864105F7}) (Version: 5.0.14 - Oracle Corporation)
Origin (HKLM-x32\...\Origin) (Version: 10.4.6.33873 - Electronic Arts, Inc.)
Outils de vérification linguistique 2013 de Microsoft Office - Français (Version: 15.0.4569.1506 - Microsoft Corporation) Hidden
PatchCleaner (HKLM-x32\...\{727DA176-50BB-452C-8DB5-96EE0A573ED4}) (Version: 1.4.20 - HomeDev)
Path of Exile (HKLM-x32\...\{90A4562F-D4A1-4B65-906D-41F236CF6902}) (Version: 1.0.3.30295 - Grinding Gear Games)
PerformanceTest v9.0 (HKLM\...\PerformanceTest 9_is1) (Version: 9.0.1008.0 - Passmark Software)
Portal (HKLM-x32\...\Steam App 400) (Version:  - Valve)
Portal 2 (HKLM-x32\...\Steam App 620) (Version:  - Valve)
puush (HKLM-x32\...\{C3592426-531E-4110-911D-BFECE2CE284B}) (Version: 1.0.0.0 - Dean Herbert)
Python 3.5.1 (64-bit) (HKU\S-1-5-21-4099470078-3949118013-312997308-1001\...\{b8440650-9dbe-4b7d-8167-6e0e3dcdf5d0}) (Version: 3.5.1150.0 - Python Software Foundation)
Python 3.5.1 Core Interpreter (64-bit) (Version: 3.5.1150.0 - Python Software Foundation) Hidden
Python 3.5.1 Development Libraries (64-bit) (Version: 3.5.1150.0 - Python Software Foundation) Hidden
Python 3.5.1 Documentation (64-bit) (Version: 3.5.1150.0 - Python Software Foundation) Hidden
Python 3.5.1 Executables (64-bit) (Version: 3.5.1150.0 - Python Software Foundation) Hidden
Python 3.5.1 Launcher (32-bit) (HKLM-x32\...\{17778F7B-FB5A-4A93-9719-D75BAF673498}) (Version: 3.5.150.0 - Python Software Foundation)
Python 3.5.1 Launcher (32-bit) (HKLM-x32\...\{EC00AEF9-6544-4FEC-8152-C8949CDDCC85}) (Version: 3.5.150.0 - Python Software Foundation)
Python 3.5.1 pip Bootstrap (64-bit) (Version: 3.5.1150.0 - Python Software Foundation) Hidden
Python 3.5.1 Standard Library (64-bit) (Version: 3.5.1150.0 - Python Software Foundation) Hidden
Python 3.5.1 Tcl/Tk Support (64-bit) (Version: 3.5.1150.0 - Python Software Foundation) Hidden
Python 3.5.1 Test Suite (64-bit) (Version: 3.5.1150.0 - Python Software Foundation) Hidden
Python 3.5.1 Utility Scripts (64-bit) (Version: 3.5.1150.0 - Python Software Foundation) Hidden
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7982 - Realtek Semiconductor Corp.)
Service Pack 1 for Microsoft Office 2013 (KB2850036) 64-Bit Edition (HKLM\...\{90150000-0011-0000-1000-0000000FF1CE}_Office15.PROPLUS_{D82063A8-7C8C-4C3B-A9BB-95138CA55D26}) (Version:  - Microsoft)
Service Pack 1 for Microsoft Office 2013 (KB2850036) 64-Bit Edition (Version:  - Microsoft) Hidden
Skype™ 7.33 (HKLM-x32\...\{3B7E914A-93D5-4A29-92BB-AF8C3F66C431}) (Version: 7.33.105 - Skype Technologies S.A.)
South Park™: The Stick of Truth™ (HKLM\...\Steam App 213670) (Version:  - Obsidian Entertainment)
SpeedFan (remove only) (HKLM-x32\...\SpeedFan) (Version:  - )
Spotify (HKU\S-1-5-21-4099470078-3949118013-312997308-1001\...\Spotify) (Version: 1.0.52.725.g943b26a8 - Spotify AB)
Steam (HKLM-x32\...\{048298C9-A4D3-490B-9FF9-AB023A9238F3}) (Version: 1.0.0.0 - Valve Corporation)
Surgeon Simulator (HKLM\...\Steam App 233720) (Version:  - Bossa Studios)
TeamSpeak 3 Client (HKLM\...\TeamSpeak 3 Client) (Version: 3.0.19.4 - TeamSpeak Systems GmbH)
TeraCopy 2.27 (HKLM\...\TeraCopy_is1) (Version:  - Code Sector)
The Witcher 2: Assassins of Kings Enhanced Edition (HKLM-x32\...\Steam App 20920) (Version:  - CD Projekt RED)
TI Connect™ CE (HKLM-x32\...\{99F8299E-EFDF-4B45-91B4-F3AC8AEE5929}) (Version: 5.1.0.68 - Texas Instruments Inc.)
TweakNow DiskAnalyzer (HKLM-x32\...\TweakNow DiskAnalyzer_is1) (Version: 1.3.0 - TweakNow.com)
UnHackMe 8.70 (HKLM-x32\...\UnHackMe_is1) (Version:  - Greatis Software, LLC.)
Update for Skype for Business 2015 (KB3039776) 64-Bit Edition (HKLM\...\{90150000-012B-0409-1000-0000000FF1CE}_Office15.PROPLUS_{0FA8AE0C-69AE-4F60-A1AB-F79C6BA5A999}) (Version:  - Microsoft)
Uplay (HKLM-x32\...\Uplay) (Version: 4.4 - Ubisoft)
VLC media player (HKLM-x32\...\VLC media player) (Version: 2.2.4 - VideoLAN)
Vulkan Run Time Libraries 1.0.37.0 (HKLM\...\VulkanRT1.0.37.0-2) (Version: 1.0.37.0 - LunarG, Inc.)
Vulkan Run Time Libraries 1.0.37.0 (Version: 1.0.37.0 - LunarG, Inc.) Hidden
Warcraft III (HKLM-x32\...\Warcraft III) (Version:  - )
Warcraft III: All Products (HKU\S-1-5-21-4099470078-3949118013-312997308-1001\...\Warcraft III) (Version:  - )
Winamp (HKLM-x32\...\Winamp) (Version: 5.63  - Nullsoft, Inc)
Winamp Detector Plug-in (HKU\S-1-5-21-4099470078-3949118013-312997308-1001\...\Winamp Detect) (Version: 1.0.0.1 - Nullsoft, Inc)
WinDirStat 1.1.2 (HKU\S-1-5-21-4099470078-3949118013-312997308-1001\...\WinDirStat) (Version:  - )
Windows 7 USB/DVD Download Tool (HKLM-x32\...\{CCF298AF-9CE1-4B26-B251-486E98A34789}) (Version: 1.0.30 - Microsoft Corporation)
WinRAR 5.00 beta 6 (64-bit) (HKLM\...\WinRAR archiver) (Version: 5.00.6 - win.rar GmbH)
World of Warcraft (HKLM-x32\...\World of Warcraft) (Version:  - Blizzard Entertainment)
x264vfw - H.264/MPEG-4 AVC codec (remove only) (HKLM-x32\...\x264vfw) (Version:  - )
XSplit Gamecaster (HKLM-x32\...\{7CBDC2CD-F5C7-4DD3-91C8-1E4D68924955}) (Version: 1.9.1409.2308 - SplitmediaLabs)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {081EB14B-487A-48E6-A823-33D033396118} - System32\Tasks\{C7DE4A92-343F-4C8C-97AD-F859CE2ED89A} => pcalua.exe -a "D:\steam game back up\Portal and Dota 2 and Counter-Strike Global Offensive and AirMech and Dark Souls Prepare to Die Edition\Disk_2\steambackup.exe" -d "D:\steam game back up\Portal and Dota 2 and Counter-Strike Global Offensive and AirMech and Dark Souls Prepare to Die Edition\Disk_2"
Task: {313B2907-B415-4744-A2A4-84AF77A1D5E5} - System32\Tasks\Microsoft\Office\Office 15 Subscription Heartbeat => C:\Program Files\Common Files\Microsoft Shared\Office15\OLicenseHeartbeat.exe [2014-01-23] (Microsoft Corporation)
Task: {364EAF4C-7C67-4B1C-836F-AB952A506A06} - System32\Tasks\Shutdown => C:\Windows\System32\shutdown.exe [2014-10-29] (Microsoft Corporation)
Task: {36CC2CA3-023D-4772-B8E1-93DE5D82957A} - \{3D38BEE3-9CA0-49F3-A977-4DE6CEFEAAEE} -> No File <==== ATTENTION
Task: {59D09100-39A9-4119-9319-A72173CABE7D} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentLogOn => C:\Program Files\Microsoft Office\Office15\msoia.exe [2014-01-23] (Microsoft Corporation)
Task: {89DC9BCC-FE29-4FFD-992E-7C22E134347A} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2016-12-06] (Piriform Ltd)
Task: {991D3C5C-EEB5-49DB-8301-FF1DFD3FACBA} - System32\Tasks\UnHackMe Task Scheduler => C:\Program Files (x86)\UnHackMe\hackmon.exe [2017-03-15] (Greatis Software)
Task: {AAA8B608-ED3B-43E5-8DB8-C0E22621A2F7} - \Ghuwolyarnock -> No File <==== ATTENTION
Task: {B77BEBC0-8E76-47F5-BBDD-B8AE4F933259} - System32\Tasks\Microsoft\Office\OfficeTelemetryAgentFallBack => C:\Program Files\Microsoft Office\Office15\msoia.exe [2014-01-23] (Microsoft Corporation)
Task: {D329301E-A86D-4E16-9BD9-E5C4C56610CB} - System32\Tasks\{F522331C-DC6A-443A-BC4B-A934DC6932DA} => pcalua.exe -a "D:\steam game back up\Portal and Dota 2 and Counter-Strike Global Offensive and AirMech and Dark Souls Prepare to Die Edition\Disk_1\steambackup.exe" -d "D:\steam game back up\Portal and Dota 2 and Counter-Strike Global Offensive and AirMech and Dark Souls Prepare to Die Edition\Disk_1"
Task: {E196661D-533C-4E08-989F-C921A41FEA88} - System32\Tasks\HPCustParticipation HP Deskjet 3050A J611 series => C:\Program Files\HP\HP Deskjet 3050A J611 series\Bin\HPCustPartic.exe [2012-10-17] (Hewlett-Packard Co.)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

Shortcut: C:\Users\Jelle\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk -> C:\Program Files (x86)\Antanna\Application\chrome.exe (Google Inc.)
Shortcut: C:\Users\Jelle\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\69639df789022856\Google Chrome.lnk -> C:\Program Files (x86)\Antanna\Application\chrome.exe (Google Inc.)
Shortcut: C:\Users\Jelle\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\360c22b137d62ce9\Google Chrome.lnk -> C:\Program Files (x86)\Antanna\Application\chrome.exe (Google Inc.)
Shortcut: C:\Users\Jelle\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\11c9ddbe8c0ec677\Google Chrome.lnk -> C:\Program Files (x86)\Antanna\Application\chrome.exe (Google Inc.)
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk -> C:\Program Files (x86)\Antanna\Application\chrome.exe (Google Inc.)

ShortcutWithArgument: C:\Users\Jelle\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.ourluckysites.com/?type=sc&ts=1491899107&z=9ac644ba9c43a9799589170g9z8t5gcb6tft1gdebq&from=che0812&uid=OCZ-AGILITY3_OCZ-460G4GD3Z15334LM

==================== Loaded Modules (Whitelisted) ==============

2015-04-16 14:24 - 2015-04-21 20:08 - 00076152 _____ () C:\WINDOWS\SysWOW64\PnkBstrA.exe
2012-01-10 15:41 - 2015-04-12 23:39 - 00568904 _____ () C:\Program Files (x86)\puush\puush.exe
2017-04-11 10:26 - 2017-04-10 05:12 - 00099328 _____ () c:\programdata\common\apple\apps\azuretools.dll
2017-04-11 10:26 - 2017-04-10 05:12 - 00099328 _____ () C:\ProgramData\common\Apple\Apps\AzureTools.dll
2017-03-21 15:29 - 2017-03-21 12:55 - 00103424 _____ () c:\programdata\microsoft\phone tools\corecon\12.0\addons\sdkfilesver.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)

==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

IE restricted site: HKU\S-1-5-21-4099470078-3949118013-312997308-1001\...\skype.com -> hxxps://apps.skype.com

==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2013-08-22 15:25 - 2017-03-20 00:14 - 00000808 ____A C:\WINDOWS\system32\Drivers\etc\hosts


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-4099470078-3949118013-312997308-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\Jelle\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper
DNS Servers: 8.8.8.8 - 8.8.4.4
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

HKLM\...\StartupApproved\Run32: => "HP Software Update"
HKLM\...\StartupApproved\Run32: => "Raptr"
HKLM\...\StartupApproved\Run32: => "PlaysTV"
HKU\S-1-5-21-4099470078-3949118013-312997308-1001\...\StartupApproved\Run: => "Spotify Web Helper"
HKU\S-1-5-21-4099470078-3949118013-312997308-1001\...\StartupApproved\Run: => "CCleaner Monitoring"
HKU\S-1-5-21-4099470078-3949118013-312997308-1001\...\StartupApproved\Run: => "HP Deskjet 3050A J611 series (NET)"
HKU\S-1-5-21-4099470078-3949118013-312997308-1001\...\StartupApproved\Run: => "GoogleDriveSync"

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [vm-monitoring-nb-session] => (Allow) LPort=139
FirewallRules: [{003D91CC-602D-4074-8120-B85244E9D307}] => (Allow) C:\Program Files\Microsoft Office\Office15\UcMapi.exe
FirewallRules: [{77644C10-1BD6-47DC-8CC2-E9E3675AC6D0}] => (Allow) C:\Program Files\Microsoft Office\Office15\UcMapi.exe
FirewallRules: [{9ED99213-FA8E-4B54-8BC1-625CEF878B80}] => (Allow) C:\Program Files\Microsoft Office\Office15\lync.exe
FirewallRules: [{0B78EB7E-F2C5-4ED5-B3A2-510F1941BD8B}] => (Allow) C:\Program Files\Microsoft Office\Office15\lync.exe
FirewallRules: [UDP Query User{001649C0-F172-4B8A-918A-96A15B8F04E1}C:\program files (x86)\winamp\winamp.exe] => (Allow) C:\program files (x86)\winamp\winamp.exe
FirewallRules: [TCP Query User{E9F416C4-6ABD-42DA-A2E8-455155F03D88}C:\program files (x86)\winamp\winamp.exe] => (Allow) C:\program files (x86)\winamp\winamp.exe
FirewallRules: [UDP Query User{A6CE1BE1-9372-4D4E-9199-840387590E21}C:\users\jelle\appdata\roaming\spotify\spotify.exe] => (Allow) C:\users\jelle\appdata\roaming\spotify\spotify.exe
FirewallRules: [TCP Query User{156D5BB5-E1AA-4A35-A076-887C917FF77C}C:\users\jelle\appdata\roaming\spotify\spotify.exe] => (Allow) C:\users\jelle\appdata\roaming\spotify\spotify.exe
FirewallRules: [{0397EC70-FEA0-4445-8D72-D8BF8AC2F7F0}] => (Allow) C:\Program Files (x86)\Skype\Phone\Skype.exe
FirewallRules: [{08E43FFF-4737-47AA-8385-CA52C61B4C9E}] => (Allow) C:\Program Files\Microsoft Office\Office15\UcMapi.exe
FirewallRules: [{E5FFE923-947D-4CC3-8D16-DAE9C552C945}] => (Allow) C:\Program Files\Microsoft Office\Office15\UcMapi.exe
FirewallRules: [{CA7CD2F9-D9D9-4660-BAF2-E0AAAF6CA07C}] => (Allow) C:\Program Files\Microsoft Office\Office15\lync.exe
FirewallRules: [{FF11BE6C-A6A5-41D4-AC6C-D55E7548563B}] => (Allow) C:\Program Files\Microsoft Office\Office15\lync.exe
FirewallRules: [UDP Query User{25B05AC8-8778-437E-B921-4671A8A00C8D}C:\users\jelle\appdata\roaming\spotify\spotify.exe] => (Allow) C:\users\jelle\appdata\roaming\spotify\spotify.exe
FirewallRules: [TCP Query User{A4FD92DD-94B8-4768-9FAE-E94765C1FC56}C:\users\jelle\appdata\roaming\spotify\spotify.exe] => (Allow) C:\users\jelle\appdata\roaming\spotify\spotify.exe
FirewallRules: [{58013736-7339-44B5-BFEB-97EE3ABB4A4D}] => (Allow) D:\Games\Steam\Steam.exe
FirewallRules: [{E0B8577C-6F88-4648-B5C0-DF8938CAA5E8}] => (Allow) D:\Games\Steam\Steam.exe
FirewallRules: [UDP Query User{B61B4896-BAD3-4588-8440-19A1228E1D39}C:\program files (x86)\winamp\winamp.exe] => (Allow) C:\program files (x86)\winamp\winamp.exe
FirewallRules: [TCP Query User{36C19FC6-862E-4881-9A78-05DCAD33E2A3}C:\program files (x86)\winamp\winamp.exe] => (Allow) C:\program files (x86)\winamp\winamp.exe
FirewallRules: [{473F1E5E-E222-40C1-A5CD-7C9799B599CB}] => (Allow) D:\Games\Steam\SteamApps\common\the witcher 2\Launcher.exe
FirewallRules: [{4F195D92-6CD2-4B15-9ABF-C9CF2CD0AA42}] => (Allow) D:\Games\Steam\SteamApps\common\the witcher 2\Launcher.exe
FirewallRules: [TCP Query User{9CC6A894-1330-4785-91EF-8E93AFDB7432}D:\games\steam\steamapps\common\the witcher 2\bin\witcher2.exe] => (Allow) D:\games\steam\steamapps\common\the witcher 2\bin\witcher2.exe
FirewallRules: [UDP Query User{54DABE0C-8A0C-4475-9B9A-A4B2AB6BD1B4}D:\games\steam\steamapps\common\the witcher 2\bin\witcher2.exe] => (Allow) D:\games\steam\steamapps\common\the witcher 2\bin\witcher2.exe
FirewallRules: [{4EA127B2-EEFB-4975-AE10-C5DADF022EC5}] => (Allow) D:\Games\Steam\SteamApps\common\Portal\hl2.exe
FirewallRules: [{3CACE887-2617-42BD-A37C-287BFC1AA810}] => (Allow) D:\Games\Steam\SteamApps\common\Portal\hl2.exe
FirewallRules: [{7CA72BC5-5AEF-4A9D-A612-5943D9AB62FA}] => (Allow) D:\Games\Steam\SteamApps\common\Portal 2\portal2.exe
FirewallRules: [{BECEE14C-E693-4F41-8C4D-5390D8F3C02E}] => (Allow) D:\Games\Steam\SteamApps\common\Portal 2\portal2.exe
FirewallRules: [{142FFF3D-EB25-44B3-9E80-844EDD8BBA40}] => (Allow) C:\Users\Jelle\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{A90EA622-10FF-4E55-9553-D71FD4D22C40}] => (Allow) C:\Users\Jelle\AppData\Roaming\uTorrent\uTorrent.exe
FirewallRules: [{8C3D6CC2-9EC7-48E3-B924-2A2CAFF4E74F}] => (Allow) D:\Games\Steam\SteamApps\common\Batman Arkham Asylum GOTY\Binaries\BmLauncher.exe
FirewallRules: [{593CD61F-1DFC-4D9A-BF29-2704A62D65FD}] => (Allow) D:\Games\Steam\SteamApps\common\Batman Arkham Asylum GOTY\Binaries\BmLauncher.exe
FirewallRules: [TCP Query User{CA9FBA82-22C3-44C2-8998-F24E5ADE26DF}D:\games\steam\steamapps\common\batman arkham asylum goty\binaries\shippingpc-bmgame.exe] => (Allow) D:\games\steam\steamapps\common\batman arkham asylum goty\binaries\shippingpc-bmgame.exe
FirewallRules: [UDP Query User{538D84C3-BE26-4C23-9C6F-69364E403BCA}D:\games\steam\steamapps\common\batman arkham asylum goty\binaries\shippingpc-bmgame.exe] => (Allow) D:\games\steam\steamapps\common\batman arkham asylum goty\binaries\shippingpc-bmgame.exe
FirewallRules: [{D7D668EA-452B-4224-A83E-11FD7C15FF96}] => (Allow) D:\Games\Steam\SteamApps\common\Batman Arkham City GOTY\Binaries\Win32\BatmanAC.exe
FirewallRules: [{1AF82E5A-A820-4AB5-9F72-4C524BCDB007}] => (Allow) D:\Games\Steam\SteamApps\common\Batman Arkham City GOTY\Binaries\Win32\BatmanAC.exe
FirewallRules: [{E4CE7D9C-F06F-4FA9-8709-CF55798B0485}] => (Allow) C:\Windows\SysWOW64\PnkBstrA.exe
FirewallRules: [{7D2B3C24-B27F-4479-9083-4095A49FBA13}] => (Allow) C:\Windows\SysWOW64\PnkBstrA.exe
FirewallRules: [{61E968B3-11F0-4436-A925-67D33BA867D3}] => (Allow) C:\Windows\SysWOW64\PnkBstrB.exe
FirewallRules: [{3E582F11-5D8F-452F-815D-0DB9E2DD351A}] => (Allow) C:\Windows\SysWOW64\PnkBstrB.exe
FirewallRules: [TCP Query User{9FF1C139-B52E-4DC7-AB6D-C9C92A4A4F99}D:\games\steam\steamapps\common\the witcher 2\bin\witcher2.exe] => (Allow) D:\games\steam\steamapps\common\the witcher 2\bin\witcher2.exe
FirewallRules: [UDP Query User{83DEB531-9D5A-4E17-A424-62AA10F8E413}D:\games\steam\steamapps\common\the witcher 2\bin\witcher2.exe] => (Allow) D:\games\steam\steamapps\common\the witcher 2\bin\witcher2.exe
FirewallRules: [{F7C083A5-0138-47E8-81F4-3CEEE0904A0D}] => (Allow) C:\Program Files\HP\HP Deskjet 3050A J611 series\Bin\DeviceSetup.exe
FirewallRules: [{0FF3DBDA-2D69-44DF-B834-F5B1CA98C654}] => (Allow) C:\Program Files\HP\HP Deskjet 3050A J611 series\Bin\HPNetworkCommunicator.exe
FirewallRules: [{BECAEF35-DB7A-4957-A405-E2D71BBCE47A}] => (Allow) C:\Program Files\HP\HP Deskjet 3050A J611 series\Bin\HPNetworkCommunicatorCom.exe
FirewallRules: [{9516AB02-DC57-43A7-91E7-E040D19F325E}] => (Allow) D:\Games\Battle.net\Battle.net.exe
FirewallRules: [{68F937C8-1BE8-4A82-B1D2-00D467D32828}] => (Allow) D:\Games\Battle.net\Battle.net.exe
FirewallRules: [{86B922B6-820B-4CF8-A41B-B923E5BB1F6F}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{D77EEFE7-EEC5-4F7B-9384-A7D14FA12230}] => (Allow) D:\SPSS\WinWrapIDE.exe
FirewallRules: [{1FA1331D-4686-42DE-A401-8F27C9431EEB}] => (Allow) D:\SPSS\WinWrapIDE.exe
FirewallRules: [{34030AE3-7B26-4D42-B216-6D98B83493EE}] => (Allow) D:\SPSS\stats.com
FirewallRules: [{A71DEA00-CDB3-4D65-9281-0894C8EFFB19}] => (Allow) D:\SPSS\stats.com
FirewallRules: [{D683174D-CDDA-4874-ACA0-7BDF44A3B6DB}] => (Allow) D:\SPSS\stats.exe
FirewallRules: [{F76509B1-538F-4578-A0EA-A713C37CC88D}] => (Allow) D:\SPSS\stats.exe
FirewallRules: [TCP Query User{4678E5C2-BE10-43FA-8C6E-4E26C4C9A257}D:\spss\jre\bin\javaw.exe] => (Allow) D:\spss\jre\bin\javaw.exe
FirewallRules: [UDP Query User{471EC56B-FEDC-4CBA-BBB3-27B91F4782E1}D:\spss\jre\bin\javaw.exe] => (Allow) D:\spss\jre\bin\javaw.exe
FirewallRules: [{BCE14663-A35F-4311-861C-0156BEC673C7}] => (Allow) D:\Games\Steam\SteamApps\common\dota 2 beta\game\bin\win64\dota2.exe
FirewallRules: [{0B3FD13E-9E2F-4B74-AC88-8803FB7B43CF}] => (Allow) D:\Games\Steam\SteamApps\common\dota 2 beta\game\bin\win64\dota2.exe
FirewallRules: [TCP Query User{63D6B59B-4F1D-4593-93F5-E082AC2B9844}C:\program files (x86)\mirc\mirc.exe] => (Allow) C:\program files (x86)\mirc\mirc.exe
FirewallRules: [UDP Query User{E0838F3F-7AB0-4C24-9E41-59A87A3D6F1B}C:\program files (x86)\mirc\mirc.exe] => (Allow) C:\program files (x86)\mirc\mirc.exe
FirewallRules: [{21F75DAA-A50F-470E-A00C-853EE19CAF18}] => (Allow) D:\Games\Steam\SteamApps\common\Grim Dawn\Grim Dawn.exe
FirewallRules: [{7E077491-311C-41C9-AFA4-14FC4F703088}] => (Allow) D:\Games\Steam\SteamApps\common\Grim Dawn\Grim Dawn.exe
FirewallRules: [{3CE83AB9-2D6E-4C89-AA7C-900FC54DF81E}] => (Allow) D:\Games\Steam\SteamApps\common\Europa Universalis IV\eu4.exe
FirewallRules: [{87FC74E8-590B-4D81-8A18-F92B80A9BF0C}] => (Allow) D:\Games\Steam\SteamApps\common\Europa Universalis IV\eu4.exe
FirewallRules: [{033177B7-7003-4CC8-9F81-BC55FBDC1B4A}] => (Allow) D:\Games\Steam\SteamApps\common\Surgeon Simulator 2013\ss2013.exe
FirewallRules: [{721A5AE8-C4A4-4D43-B6F2-51CF6BC2FA81}] => (Allow) D:\Games\Steam\SteamApps\common\Surgeon Simulator 2013\ss2013.exe
FirewallRules: [{4C36C20D-680E-4080-A876-590BD9C60B9C}] => (Allow) D:\Games\Steam\SteamApps\common\South Park - The Stick of Truth\South Park - The Stick of Truth.exe
FirewallRules: [{90EC9575-E1AC-4D2A-9206-80158C83EDB8}] => (Allow) D:\Games\Steam\SteamApps\common\South Park - The Stick of Truth\South Park - The Stick of Truth.exe
FirewallRules: [{0ACC9C9D-B34A-442E-B2E4-4D3F50E657CA}] => (Allow) D:\Games\Steam\SteamApps\common\Need for Speed Hot Pursuit\NFS11.exe
FirewallRules: [{845F7041-4D3E-4F3B-B246-29B0C89AED8A}] => (Allow) D:\Games\Steam\SteamApps\common\Need for Speed Hot Pursuit\NFS11.exe
FirewallRules: [{80EC3CA5-CD1C-4712-B6D4-1B32013C4D9B}] => (Allow) D:\Games\Steam\bin\cef\cef.win7\steamwebhelper.exe
FirewallRules: [{E68E390F-70A2-4531-8D75-83D3DD2BEC47}] => (Allow) D:\Games\Steam\bin\cef\cef.win7\steamwebhelper.exe
FirewallRules: [{70B830CE-D0B2-41EA-A15B-3DCB476B0CC7}] => (Allow) D:\Games\Steam\SteamApps\common\DARK SOULS III\Game\DarkSoulsIII.exe
FirewallRules: [{83CAEDC2-4D74-432E-AF90-C27660A327A4}] => (Allow) D:\Games\Steam\SteamApps\common\DARK SOULS III\Game\DarkSoulsIII.exe
FirewallRules: [{5DA70BF3-B0FF-4AF0-B70A-F8AD8C14CA2B}] => (Allow) D:\Games\Steam\SteamApps\common\Cities_Skylines\Cities.exe
FirewallRules: [{0F5C1DF2-FEBE-40E4-8B32-3F701BA9DD8B}] => (Allow) D:\Games\Steam\SteamApps\common\Cities_Skylines\Cities.exe
FirewallRules: [{A3434C66-E6C8-41CB-8D21-7DBCAEE8EDCB}] => (Allow) C:\WINDOWS\TEMP\FlowSpritSetup_slnt_5011.exe
FirewallRules: [{CF5A661E-BB54-44F1-BE5D-616A00028EDE}] => (Allow) C:\WINDOWS\system32\config\systemprofile\AppData\Local\BrowserAir\Application\BrowserairExec.exe
FirewallRules: [{8C536F9D-D71F-4454-A7EE-4B6CD19E9ADB}] => (Allow) C:\Program Files (x86)\BF1\Battlefield 1\bf1Trial.exe
FirewallRules: [{A1756028-97C5-4A1A-A180-E5F6C74F4088}] => (Allow) C:\Program Files (x86)\BF1\Battlefield 1\bf1Trial.exe
FirewallRules: [{55687650-793D-482F-ACF9-E84D274395C1}] => (Allow) C:\Program Files (x86)\BF1\Battlefield 1\bf1.exe
FirewallRules: [{2BF93C55-2EBF-4F3D-89FF-284406353B49}] => (Allow) C:\Program Files (x86)\BF1\Battlefield 1\bf1.exe
FirewallRules: [TCP Query User{DA5B29BF-ED10-410D-A1A8-D390A774A20D}C:\program files (x86)\kodi\kodi.exe] => (Allow) C:\program files (x86)\kodi\kodi.exe
FirewallRules: [UDP Query User{1FDCFEE4-868D-4AB2-9431-2A7980AC92C1}C:\program files (x86)\kodi\kodi.exe] => (Allow) C:\program files (x86)\kodi\kodi.exe
FirewallRules: [{B8AADA9D-A9C7-4348-BF74-75BA732900AA}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
FirewallRules: [{5A86D934-5B25-46C2-9939-B1C004189109}] => (Allow) C:\Users\Jelle\AppData\Roaming\ACEStream\engine\ace_engine.exe
FirewallRules: [{70397A3D-ED7A-44AD-8E65-3B30A06FE5DF}] => (Allow) C:\Users\Jelle\AppData\Roaming\ACEStream\engine\ace_engine.exe
FirewallRules: [{C463502E-782A-479D-8FC8-4B541A8A7903}] => (Allow) C:\Program Files (x86)\MIO\loader\ocz-agility3_ocz-460g4gd3z15334lm.dat
FirewallRules: [{71388390-E6B3-4B78-AB97-D24AA29C0C3D}] => (Allow) C:\Program Files (x86)\MIO\loader\ocz-agility3_ocz-460g4gd3z15334lm.dat
FirewallRules: [{11B9890A-0DC8-45F3-9C80-2E5D84019768}] => (Allow) C:\Program Files (x86)\Firefox\bin\FirefoxUpdate.exe
FirewallRules: [{146BAE38-4EA5-4781-9B04-12C44C761E40}] => (Allow) C:\Program Files (x86)\Firefox\Firefox.exe
FirewallRules: [{04CF5CD7-994C-4CB1-B8D8-7BE8D5928CC5}] => (Allow) C:\Program Files (x86)\Antanna\Application\chrome.exe

==================== Restore Points =========================

11-04-2017 16:07:14 UnHackMe Malware Removal

==================== Faulty Device Manager Devices =============

Name: Jelly galaxy
Description: SM-G800F
Class Guid: {eec5ad98-8080-425f-922a-dabf3de3f69a}
Manufacturer: Samsung Electronics Co., Ltd.
Service: WUDFWpdMtp
Problem: : This device cannot start. (Code10)
Resolution: Device failed to start. Click "Update Driver" to update the drivers for this device.
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.

==================== Event log errors: =========================

Application errors:
==================
Error: (04/11/2017 04:22:44 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: mbar.exe, version: 1.9.3.1001, time stamp: 0x55ca7a8b
Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Fault offset: 0x00000000
Faulting process id: 0xf0c
Faulting application start time: 0x01d2b2cb260e786e
Faulting application path: C:\Users\Jelle\Desktop\mbar\mbar.exe
Faulting module path: unknown
Report Id: 536e1203-1ec2-11e7-80d7-f46d043c4ee4
Faulting package full name:
Faulting package-relative application ID:

Error: (04/11/2017 04:14:15 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program mbar.exe version 1.9.3.1001 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: f0c

Start Time: 01d2b2cb260e786e

Termination Time: 60000

Application Path: C:\Users\Jelle\Desktop\mbar\mbar.exe

Report Id: f8b4a3e3-1ec0-11e7-80d7-f46d043c4ee4

Faulting package full name:

Faulting package-relative application ID:

Error: (04/11/2017 04:07:16 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.

Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.

System Error:
Access is denied.
.

Error: (04/11/2017 04:00:51 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "c:\program files\amd\cim\bin64\SetACL64.exe".
Dependent Assembly Microsoft.VC80.MFC,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (04/11/2017 04:00:05 PM) (Source: SideBySide) (EventID: 78) (User: )
Description: Activation context generation failed for "d:\games\steam\steamapps\common\grim dawn\CrashReporter.exe".Error in manifest or policy file "" on line .
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\WINDOWS\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.18006_none_a9ec6aab013aafee.manifest.
Component 2: C:\WINDOWS\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.18006_none_623f33d3ecbe86e8.manifest.

Error: (04/11/2017 03:59:45 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Activation context generation failed for "c:\program files\amd\cim\bin64\SetACL64.exe".
Dependent Assembly Microsoft.VC80.MFC,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0" could not be found.
Please use sxstrace.exe for detailed diagnosis.

Error: (04/11/2017 03:56:25 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: rundll32.exe, version: 6.3.9600.17415, time stamp: 0x545045a2
Faulting module name: gsvF5C0.tmp, version: 0.0.0.0, time stamp: 0x58ec3489
Exception code: 0xc0000005
Fault offset: 0x0001c85f
Faulting process id: 0x38c
Faulting application start time: 0x01d2b2cb5218511d
Faulting application path: C:\Windows\syswow64\rundll32.exe
Faulting module path: C:\WINDOWS\TEMP\gsvF5C0.tmp
Report Id: a6a806d4-1ebe-11e7-80d7-f46d043c4ee4
Faulting package full name:
Faulting package-relative application ID:

Error: (04/11/2017 01:29:16 PM) (Source: Microsoft-Windows-CAPI2) (EventID: 513) (User: )
Description: Cryptographic Services failed while processing the OnIdentity() call in the System Writer Object.

Details:
AddLegacyDriverFiles: Unable to back up image of binary Microsoft Link-Layer Discovery Protocol.

System Error:
Access is denied.
.

Error: (04/11/2017 10:33:29 AM) (Source: Office 2013 Licensing Service) (EventID: 0) (User: )
Description: Event-ID 0

Error: (04/11/2017 10:32:29 AM) (Source: SideBySide) (EventID: 78) (User: )
Description: Activation context generation failed for "d:\games\steam\steamapps\common\grim dawn\CrashReporter.exe".Error in manifest or policy file "" on line .
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\WINDOWS\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.18006_none_a9ec6aab013aafee.manifest.
Component 2: C:\WINDOWS\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.18006_none_623f33d3ecbe86e8.manifest.

System errors:
=============
Error: (04/11/2017 04:40:23 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Google Update-service (gupdate) service failed to start due to the following error:
The system cannot find the file specified.

Error: (04/11/2017 04:38:21 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: The Origin Web Helper Service service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.

Error: (04/11/2017 04:38:21 PM) (Source: Service Control Manager) (EventID: 7009) (User: )
Description: A timeout was reached (60000 milliseconds) while waiting for the Origin Web Helper Service service to connect.

Error: (04/11/2017 04:37:11 PM) (Source: volmgr) (EventID: 46) (User: )
Description: Crash dump initialization failed!

Error: (04/11/2017 04:37:20 PM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 4:35:49 PM on ‎4/‎11/‎2017 was unexpected.

Error: (04/11/2017 04:35:49 PM) (Source: EventLog) (EventID: 6008) (User: )
Description: The previous system shutdown at 4:17:42 PM on ‎4/‎11/‎2017 was unexpected.

Error: (04/11/2017 04:11:24 PM) (Source: Service Control Manager) (EventID: 7034) (User: )
Description: The AMD service terminated unexpectedly.  It has done this 1 time(s).

Error: (04/11/2017 04:10:51 PM) (Source: Microsoft-Windows-WindowsUpdateClient) (EventID: 20) (User: NT AUTHORITY)
Description: Installation Failure: Windows failed to install the following update with error 0x80070643: Definition Update for Windows Defender - KB2267602 (Definition 1.239.1256.0).

Error: (04/11/2017 04:07:34 PM) (Source: Ntfs) (EventID: 55) (User: NT AUTHORITY)
Description: A corruption was discovered in the file system structure on volume C:.

The exact nature of the corruption is unknown.  The file system structures need to be scanned online.

Error: (04/11/2017 03:53:44 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The WinSAPSvc service terminated with the following error:
The specified module could not be found.

CodeIntegrity:
===================================
  Date: 2017-04-10 15:21:24.322
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Common Files\microsoft shared\OFFICE15\MSOXMLMF.DLL that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2017-04-09 11:02:53.066
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Common Files\microsoft shared\OFFICE15\MSOXMLMF.DLL that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2017-04-07 08:49:32.141
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Common Files\microsoft shared\OFFICE15\MSOXMLMF.DLL that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2017-04-06 21:29:33.567
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Common Files\microsoft shared\OFFICE15\MSOXMLMF.DLL that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2017-04-06 10:55:38.095
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Common Files\microsoft shared\OFFICE15\MSOXMLMF.DLL that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2017-04-05 16:38:47.837
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Common Files\microsoft shared\OFFICE15\MSOXMLMF.DLL that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2017-04-05 10:54:43.314
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Common Files\microsoft shared\OFFICE15\MSOXMLMF.DLL that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2017-04-01 16:22:13.994
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Common Files\microsoft shared\OFFICE15\MSOXMLMF.DLL that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2017-04-01 14:51:54.292
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Common Files\microsoft shared\OFFICE15\MSOXMLMF.DLL that did not meet the Custom 3 / Antimalware signing level requirements.

  Date: 2017-03-31 09:15:47.728
  Description: Code Integrity determined that a process (\Device\HarddiskVolume2\Program Files\Windows Defender\MsMpEng.exe) attempted to load \Device\HarddiskVolume2\Program Files\Common Files\microsoft shared\OFFICE15\MSOXMLMF.DLL that did not meet the Custom 3 / Antimalware signing level requirements.

==================== Memory info ===========================

Processor: AMD Phenom™ II X4 965 Processor
Percentage of memory in use: 22%
Total physical RAM: 8190.18 MB
Available physical RAM: 6337.96 MB
Total Virtual: 10622.18 MB
Available Virtual: 8715.5 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:111.45 GB) (Free:5.6 GB) NTFS
Drive d: () (Fixed) (Total:596.16 GB) (Free:26.59 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 111.8 GB) (Disk ID: 5C18D55F)
Partition 1: (Active) - (Size=350 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=111.4 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 596.2 GB) (Disk ID: 2AE92AE8)
Partition 1: (Active) - (Size=596.2 GB) - (Type=07 NTFS)

==================== End of Addition.txt ============================

Edited by jcharm, 11 April 2017 - 10:14 AM.


#2 nasdaq (Malware Response Team)

Posted 13 April 2017 - 08:20 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Remove this program in bold via the Control Panel > Programs > Programs and Features.
Ace Stream Media 3.1.16.1 (HKU\S-1-5-21-4099470078-3949118013-312997308-1001\...\AceStream) (Version: 3.1.16.1 - Ace Stream Media) <==== ATTENTION
===

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.

Please copy the entire contents of the code box below to a new file.

Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-19\Control Panel\Desktop\\SCRNSAVE.EXE ->
HKU\S-1-5-20\Control Panel\Desktop\\SCRNSAVE.EXE ->
HKU\S-1-5-21-4099470078-3949118013-312997308-1001\Control Panel\Desktop\\SCRNSAVE.EXE ->
HKU\S-1-5-18\Control Panel\Desktop\\SCRNSAVE.EXE ->
GroupPolicy: Restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.ourluckysites.com/?type=hp&ts=1491899107&z=9ac644ba9c43a9799589170g9z8t5gcb6tft1gdebq&from=che0812&uid=OCZ-AGILITY3_OCZ-460G4GD3Z15334LM
URLSearchHook: [S-1-5-21-4099470078-3949118013-312997308-1001] ATTENTION => Default URLSearchHook is missing
FF HKU\S-1-5-21-4099470078-3949118013-312997308-1001\...\Firefox\Extensions: [acewebextension_unlisted@acestream.org] - C:\Users\Jelle\AppData\Roaming\ACEStream\extensions\awe\firefox\acewebextension_unlisted.xpi => not found
FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files (x86)\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [No File]
FF Plugin HKU\S-1-5-21-4099470078-3949118013-312997308-1001: @acestream.net/acestreamplugin,version=3.1.16.1 -> C:\Users\Jelle\AppData\Roaming\ACEStream\player\npace_plugin.dll [No File]
FF Plugin HKU\S-1-5-21-4099470078-3949118013-312997308-1001: @acestream.net/acestreamplugin,version=3.1.6 -> C:\Users\Jelle\AppData\Roaming\ACEStream\player\npace_plugin.dll [No File]
CHR HomePage: Profile 1 -> hxxp://www.ourluckysites.com/?type=hp&ts=1491899107&z=9ac644ba9c43a9799589170g9z8t5gcb6tft1gdebq&from=che0812&uid=OCZ-AGILITY3_OCZ-460G4GD3Z15334LM
CHR StartupUrls: Profile 1 -> "hxxp://www.ourluckysites.com/?type=hp&ts=1491899107&z=9ac644ba9c43a9799589170g9z8t5gcb6tft1gdebq&from=che0812&uid=OCZ-AGILITY3_OCZ-460G4GD3Z15334LM"
CHR DefaultSearchURL: Profile 1 -> hxxp://www.ourluckysites.com/search/?type=ds&ts=1491899107&z=9ac644ba9c43a9799589170g9z8t5gcb6tft1gdebq&from=che0812&uid=OCZ-AGILITY3_OCZ-460G4GD3Z15334LM&q={searchTerms}
CHR DefaultSearchKeyword: Profile 1 -> ourluckysites
CHR Profile: C:\Users\Jelle\AppData\Local\Google\Chrome\User Data\ChromeDefaultData [2017-04-01] <==== ATTENTION
CHR Extension: (Betalingen via Chrome Web Store) - C:\Users\Jelle\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-03-20]
CHR Extension: (Chrome Media Router) - C:\Users\Jelle\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-03-20]
CHR HKU\S-1-5-21-4099470078-3949118013-312997308-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [mjbepbhonbojpoaenhckjocchgfiaofo] - hxxps://clients2.google.com/service/update2/crx
HKU\S-1-5-21-4099470078-3949118013-312997308-1001\...\StartMenuInternet\ChromeHTML: -> C:\Program Files (x86)\Antanna\Application\chrome.exe (Google Inc.) <==== ATTENTION
S2 gupdate; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc [X]
S3 gupdatem; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc [X]
S3 cpuz137; \??\C:\Users\Jelle\AppData\Local\Temp\cpuz137\cpuz137_x64.sys [X] <==== ATTENTION
S3 cpuz138; \??\C:\Users\Jelle\AppData\Local\Temp\cpuz138\cpuz138_x64.sys [X] <==== ATTENTION
S3 MSICDSetup; \??\E:\CDriver64.sys [X]
S3 NTIOLib_1_0_4; \??\C:\Program Files (x86)\MSI\Live Update\NTIOLib_X64.sys [X]
S3 NTIOLib_1_0_C; \??\E:\NTIOLib_X64.sys [X]
S0 rjaty; System32\drivers\imofugc.sys [X]
Task: {36CC2CA3-023D-4772-B8E1-93DE5D82957A} - \{3D38BEE3-9CA0-49F3-A977-4DE6CEFEAAEE} -> No File <==== ATTENTION
Task: {AAA8B608-ED3B-43E5-8DB8-C0E22621A2F7} - \Ghuwolyarnock -> No File <==== ATTENTION
ShortcutWithArgument: C:\Users\Jelle\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.ourluckysites.com/?type=sc&ts=1491899107&z=9ac644ba9c43a9799589170g9z8t5gcb6tft1gdebq&from=che0812&uid=OCZ-AGILITY3_OCZ-460G4GD3Z15334LM
FirewallRules: [{CF5A661E-BB54-44F1-BE5D-616A00028EDE}] => (Allow) C:\WINDOWS\system32\config\systemprofile\AppData\Local\BrowserAir\Application\BrowserairExec.exe
FirewallRules: [{11B9890A-0DC8-45F3-9C80-2E5D84019768}] => (Allow) C:\Program Files (x86)\Firefox\bin\FirefoxUpdate.exe
C:\Program Files (x86)\Firefox\bin\FirefoxUpdate.exe
C:\WINDOWS\system32\config\systemprofile\AppData\Local\BrowserAir
C:\Program Files (x86)\Antanna\Application\chrome.exe

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.

===

Your copy of Chrome has been compromised

If you want to save all your settings refer to this page.
Follow the instructions before removing Chrome.
http://juan2geek.com/how-to-backup-and-restore-entire-google-chrome-setting/
<<<>>>

Clear your Chrome cache and cookies
https://support.google.com/chromebook/answer/183083?hl=en

Before you do Export your Bookmarks
Chrome will export your bookmarks as a HTML file, which you can then import into another browser.

Remove Chrome using the instructions on this page.
https://support.google.com/chrome/answer/95319?hl=en

Re-install Chrome and the Bookmarks.

Use this site to get the latest version.
https://support.google.com/chrome/answer/95346?co=GENIE.Platform%3DDesktop&hl=en-GB

p.s.
If you Sync your data.
How To Delete Your Google Chrome Browser Sync Data
http://www.howtogeek.com/103655/how-to-delete-your-google-chrome-browser-sync-data/
<<<>>>

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as Java update!
Important read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882

If still present after the update you can remove the old versions of Java via the Control Panel > Programs > Programs and Features.
Java 8 Update 31 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218031F0}) (Version: 8.0.310 - Oracle Corporation)
===

Please let me know what problem persists with this computer.

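The logs in this thread (the FirewallRules and event-log sections of Addition.txt in the first post, and the service, task and browser lines that the fixlist above targets) contain the line types a responder pivots on when an infection reinstalls after every cleanup: firewall allow rules for programs under C:\WINDOWS\TEMP and the SYSTEM profile's AppData, a boot-start driver (S0 rjaty) and several services whose image file is missing, a scheduled task with no file behind it, and the ourluckysites.com start page whose uid= parameter is the same string (apparently the SSD's model and serial) that names the .dat under C:\Program Files (x86)\MIO\loader. The following Python script is an added example, not part of this thread and not part of the Farbar tool: it parses those FRST line types, flags those patterns, and cross-references the uid value against file paths elsewhere in the log. The sample lines it runs on are copied from the logs in this thread; which directories count as suspicious and which line types carry the start page are my own assumptions, not FRST's classification.

```python
"""Triage of Farbar Recovery Scan Tool (FRST) log lines.

Added example, not part of this thread or of FRST. It handles the line
types visible in the logs above; the "suspicious" heuristics are the
author's assumptions, not anything FRST itself reports.
"""
import re
from typing import Dict, Iterable, List
from urllib.parse import parse_qs, urlparse

# Assumption: a firewall-allowed program living here is rarely legitimate.
SUSPICIOUS_DIRS = ("\\windows\\temp\\", "\\appdata\\local\\temp\\",
                   "\\config\\systemprofile\\appdata\\")
# Assumption: only these line types carry the start page / search provider /
# shortcut argument; URLs elsewhere (e.g. extension update URLs) are ignored.
REDIRECT_PREFIXES = ("CHR HomePage:", "CHR StartupUrls:", "CHR DefaultSearchURL:",
                     "ShortcutWithArgument:",
                     "HKLM\\Software\\Microsoft\\Internet Explorer\\Main,")

FIREWALL_RE = re.compile(r"^FirewallRules: \[(?P<rule>[^\]]+)\] => \((?P<action>\w+)\) (?P<path>.+?)\s*$")
# Start type (S0..S4 / R0..R4), then "name; image"; FRST appends [X] when the image is missing.
SERVICE_RE = re.compile(r"^(?P<start>[SR][0-4]) (?P<name>[^;]+); (?P<body>.+?)\s*$")
TASK_RE = re.compile(r"^Task: \{[0-9A-Fa-f-]+\} - (?P<task>.+?) -> (?P<target>.+?)(?: <==== ATTENTION)?\s*$")
URL_RE = re.compile(r"hxxps?://\S+")  # FRST defangs http(s) as hxxp(s)


def _in_suspicious_dir(path: str) -> bool:
    low = path.lower()
    return any(frag in low for frag in SUSPICIOUS_DIRS)


def triage_line(line: str) -> List[Dict[str, str]]:
    """Return the findings (possibly none) for a single FRST log line."""
    findings: List[Dict[str, str]] = []

    m = FIREWALL_RE.match(line)
    if m:
        path = m.group("path")
        if m.group("action").lower() == "allow":
            if _in_suspicious_dir(path):
                findings.append({"kind": "firewall_allow_suspicious_path", "detail": path})
            elif not path.lower().endswith((".exe", ".com")):
                # A program rule for a .dat or similar name usually means a renamed executable.
                findings.append({"kind": "firewall_allow_non_executable_name", "detail": path})
        return findings

    m = SERVICE_RE.match(line)
    if m:
        body = m.group("body")
        if "[X]" in body:  # registered service/driver whose image is gone: orphan or reinstaller
            image = body.replace(" [X]", "").split(" <====")[0]
            kind = "boot_driver_missing_image" if m.group("start") == "S0" else "service_missing_image"
            findings.append({"kind": kind, "detail": f"{m.group('name')}: {image}"})
        return findings

    m = TASK_RE.match(line)
    if m:
        if m.group("target").startswith("No File"):
            findings.append({"kind": "orphaned_task", "detail": m.group("task")})
        return findings

    if line.startswith(REDIRECT_PREFIXES):
        m = URL_RE.search(line)
        if m:
            url = m.group(0).rstrip('"').replace("hxxp", "http", 1)
            parsed = urlparse(url)
            uid = parse_qs(parsed.query).get("uid", [""])[0]
            findings.append({"kind": "browser_redirect", "detail": parsed.netloc, "uid": uid})
    return findings


def triage(lines: Iterable[str]) -> List[Dict[str, str]]:
    out: List[Dict[str, str]] = []
    for line in lines:
        out.extend(triage_line(line.rstrip("\r\n")))
    return out


def correlate_uid(findings: List[Dict[str, str]], lines: Iterable[str]) -> Dict[str, List[str]]:
    """For each uid= value seen in a redirect URL, list the non-URL log lines that
    contain the same string: the hijacker reusing its per-machine id as a file name."""
    uids = {f["uid"] for f in findings if f.get("uid")}
    lines = list(lines)
    return {uid: [ln for ln in lines if uid.lower() in ln.lower() and "hxxp" not in ln]
            for uid in uids}


# Sample input: lines copied from the FRST logs in this thread.
SAMPLE_LINES = [
    r"FirewallRules: [{A3434C66-E6C8-41CB-8D21-7DBCAEE8EDCB}] => (Allow) C:\WINDOWS\TEMP\FlowSpritSetup_slnt_5011.exe",
    r"FirewallRules: [{CF5A661E-BB54-44F1-BE5D-616A00028EDE}] => (Allow) C:\WINDOWS\system32\config\systemprofile\AppData\Local\BrowserAir\Application\BrowserairExec.exe",
    r"FirewallRules: [{C463502E-782A-479D-8FC8-4B541A8A7903}] => (Allow) C:\Program Files (x86)\MIO\loader\ocz-agility3_ocz-460g4gd3z15334lm.dat",
    r"FirewallRules: [{B8AADA9D-A9C7-4348-BF74-75BA732900AA}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe",
    r"S0 rjaty; System32\drivers\imofugc.sys [X]",
    r"S3 cpuz137; \??\C:\Users\Jelle\AppData\Local\Temp\cpuz137\cpuz137_x64.sys [X] <==== ATTENTION",
    r'S2 gupdate; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc [X]',
    r"Task: {AAA8B608-ED3B-43E5-8DB8-C0E22621A2F7} - \Ghuwolyarnock -> No File <==== ATTENTION",
    r"CHR HomePage: Profile 1 -> hxxp://www.ourluckysites.com/?type=hp&ts=1491899107&z=9ac644ba9c43a9799589170g9z8t5gcb6tft1gdebq&from=che0812&uid=OCZ-AGILITY3_OCZ-460G4GD3Z15334LM",
    r"CHR HKU\S-1-5-21-4099470078-3949118013-312997308-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [mjbepbhonbojpoaenhckjocchgfiaofo] - hxxps://clients2.google.com/service/update2/crx",
]

if __name__ == "__main__":
    found = triage(SAMPLE_LINES)
    for f in found:
        print(f"{f['kind']:36} {f['detail']}")
    for uid, hits in correlate_uid(found, SAMPLE_LINES).items():
        print(f"uid {uid} also appears in {len(hits)} file-path line(s)")
```

To run it on a real log, pass the lines of a saved FRST.txt or Addition.txt to triage(); the script only reads text and changes nothing on the system, so it is safe to run on a log copied off the infected machine. The point of the uid cross-reference is that a hijacker which stamps the machine's disk identifier into both its callback URL and its dropped file names gives you a string to search the whole log (and the disk) for, which is faster than chasing each randomly named component one at a time.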
#3 jcharm (Topic Starter)

Posted 13 April 2017 - 09:07 AM

Hello,

Thank you for your reply.

Remove this program in bold via the Control Panel > Programs > Programs and Features.
Ace Stream Media 3.1.16.1 (HKU\S-1-5-21-4099470078-3949118013-312997308-1001\...\AceStream) (Version: 3.1.16.1 - Ace Stream Media) <==== ATTENTION

Ace Stream Media is a program I've installed myself and have been using for quite a long time. I believe it to be benign. I've also had Ace Stream Media much longer than my malware symptoms. If you insist I remove it, I will, but it's been a valuable program and I do not believe it is the source of the malware or has much to do with it. I also have it running on other systems for years, and there hasn't been malware on those.

I've performed all the other recommendations you have posted. Unfortunately, after the necessary reboot, I again had a long black screen after entering my password and I've noticed several malware programs have re-installed themselves. For example, cat.exe (called Kitty in Task Manager) was running from username/appdata/local/kitty. Language is simplified Chinese, it says in the details... Amulesw has installed itself again. Also Biposhbonle is back in my Program Files (x86) folder, as well as MIO. WINSNARE (SNARER) is also present in Task Manager. I'm sure there are more. Windows Defender has been turned off without my interference as well.

Java has been updated. Chrome has been uninstalled and I'm using IE for now.

Here is the log:

Fix result of Farbar Recovery Scan Tool (x64) Version: 15-03-2017
Ran by Jelle (13-04-2017 15:54:31) Run:1
Running from C:\Users\Jelle\Desktop
Loaded Profiles: Jelle (Available Profiles: Jelle)
Boot Mode: Normal
==============================================

fixlist content:
*****************
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-19\Control Panel\Desktop\\SCRNSAVE.EXE ->
HKU\S-1-5-20\Control Panel\Desktop\\SCRNSAVE.EXE ->
HKU\S-1-5-21-4099470078-3949118013-312997308-1001\Control Panel\Desktop\\SCRNSAVE.EXE ->
HKU\S-1-5-18\Control Panel\Desktop\\SCRNSAVE.EXE ->
GroupPolicy: Restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.ourluckysites.com/?type=hp&ts=1491899107&z=9ac644ba9c43a9799589170g9z8t5gcb6tft1gdebq&from=che0812&uid=OCZ-AGILITY3_OCZ-460G4GD3Z15334LM
URLSearchHook: [S-1-5-21-4099470078-3949118013-312997308-1001] ATTENTION => Default URLSearchHook is missing
FF HKU\S-1-5-21-4099470078-3949118013-312997308-1001\...\Firefox\Extensions: [acewebextension_unlisted@acestream.org] - C:\Users\Jelle\AppData\Roaming\ACEStream\extensions\awe\firefox\acewebextension_unlisted.xpi => not found
FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files (x86)\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [No File]
FF Plugin HKU\S-1-5-21-4099470078-3949118013-312997308-1001: @acestream.net/acestreamplugin,version=3.1.16.1 -> C:\Users\Jelle\AppData\Roaming\ACEStream\player\npace_plugin.dll [No File]
FF Plugin HKU\S-1-5-21-4099470078-3949118013-312997308-1001: @acestream.net/acestreamplugin,version=3.1.6 -> C:\Users\Jelle\AppData\Roaming\ACEStream\player\npace_plugin.dll [No File]
CHR HomePage: Profile 1 -> hxxp://www.ourluckysites.com/?type=hp&ts=1491899107&z=9ac644ba9c43a9799589170g9z8t5gcb6tft1gdebq&from=che0812&uid=OCZ-AGILITY3_OCZ-460G4GD3Z15334LM
CHR StartupUrls: Profile 1 -> "hxxp://www.ourluckysites.com/?type=hp&ts=1491899107&z=9ac644ba9c43a9799589170g9z8t5gcb6tft1gdebq&from=che0812&uid=OCZ-AGILITY3_OCZ-460G4GD3Z15334LM"
CHR DefaultSearchURL: Profile 1 -> hxxp://www.ourluckysites.com/search/?type=ds&ts=1491899107&z=9ac644ba9c43a9799589170g9z8t5gcb6tft1gdebq&from=che0812&uid=OCZ-AGILITY3_OCZ-460G4GD3Z15334LM&q={searchTerms}
CHR DefaultSearchKeyword: Profile 1 -> ourluckysites
CHR Profile: C:\Users\Jelle\AppData\Local\Google\Chrome\User Data\ChromeDefaultData [2017-04-01] <==== ATTENTION
CHR Extension: (Betalingen via Chrome Web Store) - C:\Users\Jelle\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-03-20]
CHR Extension: (Chrome Media Router) - C:\Users\Jelle\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-03-20]
CHR HKU\S-1-5-21-4099470078-3949118013-312997308-1001\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [mjbepbhonbojpoaenhckjocchgfiaofo] - hxxps://clients2.google.com/service/update2/crx
HKU\S-1-5-21-4099470078-3949118013-312997308-1001\...\StartMenuInternet\ChromeHTML: -> C:\Program Files (x86)\Antanna\Application\chrome.exe (Google Inc.) <==== ATTENTION
S2 gupdate; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc [X]
S3 gupdatem; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc [X]
S3 cpuz137; \??\C:\Users\Jelle\AppData\Local\Temp\cpuz137\cpuz137_x64.sys [X] <==== ATTENTION
S3 cpuz138; \??\C:\Users\Jelle\AppData\Local\Temp\cpuz138\cpuz138_x64.sys [X] <==== ATTENTION
S3 MSICDSetup; \??\E:\CDriver64.sys [X]
S3 NTIOLib_1_0_4; \??\C:\Program Files (x86)\MSI\Live Update\NTIOLib_X64.sys [X]
S3 NTIOLib_1_0_C; \??\E:\NTIOLib_X64.sys [X]
S0 rjaty; System32\drivers\imofugc.sys [X]
Task: {36CC2CA3-023D-4772-B8E1-93DE5D82957A} - \{3D38BEE3-9CA0-49F3-A977-4DE6CEFEAAEE} -> No File <==== ATTENTION
Task: {AAA8B608-ED3B-43E5-8DB8-C0E22621A2F7} - \Ghuwolyarnock -> No File <==== ATTENTION
ShortcutWithArgument: C:\Users\Jelle\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.exe (Microsoft Corporation) -> hxxp://www.ourluckysites.com/?type=sc&ts=1491899107&z=9ac644ba9c43a9799589170g9z8t5gcb6tft1gdebq&from=che0812&uid=OCZ-AGILITY3_OCZ-460G4GD3Z15334LM
FirewallRules: [{CF5A661E-BB54-44F1-BE5D-616A00028EDE}] => (Allow) C:\WINDOWS\system32\config\systemprofile\AppData\Local\BrowserAir\Application\BrowserairExec.exe
FirewallRules: [{11B9890A-0DC8-45F3-9C80-2E5D84019768}] => (Allow) C:\Program Files (x86)\Firefox\bin\FirefoxUpdate.exe
C:\Program Files (x86)\Firefox\bin\FirefoxUpdate.exe
C:\WINDOWS\system32\config\systemprofile\AppData\Local\BrowserAir
C:\Program Files (x86)\Antanna\Application\chrome.exe

End
*****************

Restore point was successfully created.
Processes closed successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value not found.
HKU\S-1-5-19\Control Panel\Desktop\\SCRNSAVE.EXE => value removed successfully
HKU\S-1-5-20\Control Panel\Desktop\\SCRNSAVE.EXE => value removed successfully
HKU\S-1-5-21-4099470078-3949118013-312997308-1001\Control Panel\Desktop\\SCRNSAVE.EXE => value removed successfully
HKU\S-1-5-18\Control Panel\Desktop\\SCRNSAVE.EXE => value removed successfully
C:\WINDOWS\system32\GroupPolicy\Machine => moved successfully
C:\WINDOWS\system32\GroupPolicy\GPT.ini => moved successfully
C:\WINDOWS\SysWOW64\GroupPolicy\GPT.ini => moved successfully
HKLM\Software\\Microsoft\Internet Explorer\Main\\Default_Page_URL => value restored successfully
Could not restore Default URLSearchHook.
HKU\S-1-5-21-4099470078-3949118013-312997308-1001\Software\Mozilla\Firefox\Extensions\\acewebextension_unlisted@acestream.org => value removed successfully
HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/Lync,version=15.0 => key removed successfully
HKU\S-1-5-21-4099470078-3949118013-312997308-1001\Software\MozillaPlugins\@acestream.net/acestreamplugin,version=3.1.16.1 => key removed successfully
C:\Users\Jelle\AppData\Roaming\ACEStream\player\npace_plugin.dll => not found.
HKU\S-1-5-21-4099470078-3949118013-312997308-1001\Software\MozillaPlugins\@acestream.net/acestreamplugin,version=3.1.6 => key removed successfully
C:\Users\Jelle\AppData\Roaming\ACEStream\player\npace_plugin.dll => not found.
Chrome HomePage => not found.
Chrome StartupUrls => not found.
Chrome DefaultSearchURL => not found.
Chrome DefaultSearchKeyword => not found.
C:\Users\Jelle\AppData\Local\Google\Chrome\User Data\ChromeDefaultData => moved successfully
C:\Users\Jelle\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\nmmhkkegccagdldgiimedpiccmgmieda => moved successfully
C:\Users\Jelle\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm => moved successfully
HKU\S-1-5-21-4099470078-3949118013-312997308-1001\SOFTWARE\Google\Chrome\Extensions\mjbepbhonbojpoaenhckjocchgfiaofo => key removed successfully
HKU\S-1-5-21-4099470078-3949118013-312997308-1001\SOFTWARE\Clients\StartMenuInternet\ChromeHTML => key removed successfully
HKLM\System\CurrentControlSet\Services\gupdate => key removed successfully
gupdate => service removed successfully
HKLM\System\CurrentControlSet\Services\gupdatem => key removed successfully
gupdatem => service removed successfully
HKLM\System\CurrentControlSet\Services\cpuz137 => key removed successfully
cpuz137 => service removed successfully
HKLM\System\CurrentControlSet\Services\cpuz138 => key removed successfully
cpuz138 => service removed successfully
HKLM\System\CurrentControlSet\Services\MSICDSetup => key removed successfully
MSICDSetup => service removed successfully
HKLM\System\CurrentControlSet\Services\NTIOLib_1_0_4 => key removed successfully
NTIOLib_1_0_4 => service removed successfully
HKLM\System\CurrentControlSet\Services\NTIOLib_1_0_C => key removed successfully
NTIOLib_1_0_C => service removed successfully
rjaty => service not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{36CC2CA3-023D-4772-B8E1-93DE5D82957A} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{36CC2CA3-023D-4772-B8E1-93DE5D82957A} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{3D38BEE3-9CA0-49F3-A977-4DE6CEFEAAEE} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{AAA8B608-ED3B-43E5-8DB8-C0E22621A2F7} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{AAA8B608-ED3B-43E5-8DB8-C0E22621A2F7} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Ghuwolyarnock => key removed successfully
C:\Users\Jelle\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk => Shortcut argument removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{CF5A661E-BB54-44F1-BE5D-616A00028EDE} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{11B9890A-0DC8-45F3-9C80-2E5D84019768} => value removed successfully
"C:\Program Files (x86)\Firefox\bin\FirefoxUpdate.exe" => not found.
"C:\WINDOWS\system32\config\systemprofile\AppData\Local\BrowserAir" => not found.
"C:\Program Files (x86)\Antanna\Application\chrome.exe" => not found.

=========== EmptyTemp: ==========

BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 14912338 B
Java, Flash, Steam htmlcache => 282812527 B
Windows/system/drivers => 77364240 B
Edge => 0 B
Chrome => 404581088 B
Firefox => 11916612 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 15663007 B
LocalService => 0 B
NetworkService => 33152 B
Jelle => 352383162 B

RecycleBin => 0 B
EmptyTemp: => 1.1 GB temporary data Removed.

================================

The system needed a reboot.

==== End of Fixlog 15:54:48 ====


Edited by jcharm, 13 April 2017 - 09:08 AM.


#4 nasdaq

  • Malware Response Team
  • 38,593 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 13 April 2017 - 12:45 PM

Ace Stream Media is a program I've installed myself and have been using for quite a long time. I believe it to be benign. I've also had Ace Stream Media much longer than my malware symptoms.

It's a potentially Unwanted Program (PUP). Keep it if not causing any issues.

===
 

reboot, I again had a long black screen after entering my password and I've noticed several malware programs have re-installed themselves. For example, cat.exe (called Kitty in Task Manager) was running from username/appdata/local/kitty. Language is Simplified Chinese it says in the details. etc...

I have not seen any references to these programs in your logs.

Let's check further.

Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)
There are 3 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click and choose Run as Admin
You only need to get one of them to run, not all of them.

rkill.exe
rkill.com
rkill.scr

It is possible that the infection you are trying to remove will not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested on another computer and then transfer them to the desktop of the infected computer. You can transfer the files via a CD/DVD, external drive, or USB flash drive.

When completed it will create a log. Please post the content on your next reply.
===

--RogueKiller--
  • Download & SAVE to your Desktop: Download RogueKiller
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator"
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a window opens to explain what PUMs are, read about it.
  • Click the RogueKiller icon on your taskbar to return to the report.
  • Click open the Report
  • Click Export TXT button
  • Save the file as ReportRogue.txt
  • Click the Remove button to delete the items in RED
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next reply.
=======

Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
createsrpoint;
autoclean;
emptyclsid;
emptyffcache;
FFdefaults;
emptyiecache;
iedefaults;
emptychrcache;
CHRdefaults;
emptyalltemp;
emptyfolderscheck;delete
ipconfig /flushdns;b
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run the whole script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the system drive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.
===

Also, please provide an update on how the computer is behaving after running the above script.

===

#5 jcharm

  • Topic Starter

  • Members
  • 8 posts

Posted 13 April 2017 - 04:55 PM

Hello nasdaq,

 

Thank you again for your extensive reply. I appreciate it. 

 

Here are the reports, first rkill, then RogueKiller and then zoek. RogueKiller definitely found a lot of stuff. It also flagged utorrentie.exe, which seems to be in the uTorrent folder. uTorrent isn't unwanted, but I thought perhaps malware was hidden in there, so I just deleted it, it's no biggie, I can always reinstall if the program is now broken. edit: a quick Google search teaches me uTorrent uses this thing to run ads. Not sure, but that's the first thing I find on Google.

 

So far, boot time is quicker (so to the user login screen). I still did have a very long black screen after logging in however. Unsure if that had to do with the zoek/roguekiller still doing stuff, as they required a restart. I can't find the folders that usually spawn in my program files (x86) folder that contain malware. I do however see a folder called MK which again has a folder inside it called HL, which is empty. I've deleted this before, but it keeps coming back. Unsure what it is. I have noticed that task manager now requires permission before opening when I press ctrl+shift+esc. Is that one of the anti-malware programs returning to default UAC settings?

 

edit: UnHackMe (which is still installed) immediately flagged the MK folder, as well as appdata\local\kitty and appdata\local\snare.

 

Anyway, logs: 

 

Rkill 2.8.4 by Lawrence Abrams (Grinler)
Copyright 2008-2017 BleepingComputer.com
More Information about Rkill can be found at this link:
 
Program started at: 04/13/2017 11:08:18 PM in x64 mode.
Windows Version: Windows 8.1 Pro 
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 * C:\Users\Jelle\AppData\Local\Kitty\cat.exe (PID: 1636) [UP-HEUR]
 * C:\Users\Jelle\AppData\Local\Temp\{EC190F8E-FB5F-46FF-A500-72D95E896EA0}\GoogleUpdate.exe (PID: 4512) [T-HEUR]
 
2 proccesses terminated!
 
Checking Registry for malware related settings:
 
 * No issues found in the Registry.
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
 
Performing miscellaneous checks:
 
 * No issues found.
 
Checking Windows Service Integrity: 
 
 * No issues found.
 
Searching for Missing Digital Signatures: 
 
 * No issues found.
 
Checking HOSTS File: 
 
 * HOSTS file entries found: 
 
 
   
 
Program finished at: 04/13/2017 11:08:55 PM
Execution time: 0 hours(s), 0 minute(s), and 37 seconds(s)
 
 
-----------------------------------------------------------------------------------------
 
RogueKiller V12.10.4.0 (x64) [Apr 10 2017] (Free) door Adlice Software 
 
Besturingssysteem : Windows 8.1 (6.3.9600) 64 bits version
Gestart in : Normale mode
Gebruiker : Jelle [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Datum : 04/13/2017 23:10:04 (Duration : 00:23:13)
 
¤¤¤ Processen : 0 ¤¤¤
 
¤¤¤ Register : 30 ¤¤¤
[Adw.Elex] (X64) HKEY_LOCAL_MACHINE\Software\InterSect Alliance -> Gevonden
[PUP.UCBrowser|PUP.Gen1] (X64) HKEY_LOCAL_MACHINE\Software\UCBrowser -> Gevonden
[PUP.Ghokswa] (X86) HKEY_LOCAL_MACHINE\Software\Firefox -> Gevonden
[PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\UCBrowserPID -> Gevonden
[PUP.UCBrowser|PUP.Gen1] (X64) HKEY_USERS\.DEFAULT\Software\UCBrowser -> Gevonden
[PUP.Gen1] (X64) HKEY_USERS\.DEFAULT\Software\UCBrowserPID -> Gevonden
[PUP.UCBrowser|PUP.Gen1] (X86) HKEY_USERS\.DEFAULT\Software\UCBrowser -> Gevonden
[PUP.Gen1] (X86) HKEY_USERS\.DEFAULT\Software\UCBrowserPID -> Gevonden
[PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-4099470078-3949118013-312997308-1001\Software\AceStream -> Gevonden
[PUP.Ghokswa] (X64) HKEY_USERS\S-1-5-21-4099470078-3949118013-312997308-1001\Software\Firefox -> Gevonden
[PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-4099470078-3949118013-312997308-1001\Software\UCBrowserPID -> Gevonden
[PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-4099470078-3949118013-312997308-1001\Software\AceStream -> Gevonden
[PUP.Ghokswa] (X86) HKEY_USERS\S-1-5-21-4099470078-3949118013-312997308-1001\Software\Firefox -> Gevonden
[PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-4099470078-3949118013-312997308-1001\Software\UCBrowserPID -> Gevonden
[PUP.UCBrowser|PUP.Gen1] (X64) HKEY_USERS\S-1-5-18\Software\UCBrowser -> Gevonden
[PUP.Gen1] (X64) HKEY_USERS\S-1-5-18\Software\UCBrowserPID -> Gevonden
[PUP.UCBrowser|PUP.Gen1] (X86) HKEY_USERS\S-1-5-18\Software\UCBrowser -> Gevonden
[PUP.Gen1] (X86) HKEY_USERS\S-1-5-18\Software\UCBrowserPID -> Gevonden
[Adw.Microtool] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Microtool_is1 -> Gevonden
[PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-4099470078-3949118013-312997308-1001\Software\Microsoft\Windows\CurrentVersion\Uninstall\AceStream -> Gevonden
[PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-4099470078-3949118013-312997308-1001\Software\Microsoft\Windows\CurrentVersion\Uninstall\AceStream -> Gevonden
[PUM.Proxy] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NlaSvc\Parameters\Internet\ManualProxies | (default) :   -> Gevonden
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 195.130.131.1 195.130.130.1 ([Belgium][-])  -> Gevonden
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{C0F9FDB7-CA54-48FE-9AC3-FFCB2F1F48CA} | DhcpNameServer : 195.130.131.1 195.130.130.1 ([Belgium][-])  -> Gevonden
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {A3434C66-E6C8-41CB-8D21-7DBCAEE8EDCB} : v2.22|Action=Allow|Active=TRUE|Dir=In|App=C:\WINDOWS\TEMP\FlowSpritSetup_slnt_5011.exe|Name=FlowSpritSetup_slnt_5011.exe| [x] -> Gevonden
[Suspicious.Path|PUP.Gen1] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {5A86D934-5B25-46C2-9939-B1C004189109} : v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Users\Jelle\AppData\Roaming\ACEStream\engine\ace_engine.exe|Name=AceStream| [x] -> Gevonden
[Suspicious.Path|PUP.Gen1] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {70397A3D-ED7A-44AD-8E65-3B30A06FE5DF} : v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Users\Jelle\AppData\Roaming\ACEStream\engine\ace_engine.exe|Name=AceStream| [x] -> Gevonden
[PUP.Ghokswa] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {146BAE38-4EA5-4781-9B04-12C44C761E40} : v2.22|Action=Allow|Active=TRUE|Dir=In|App=C:\Program Files (x86)\Firefox\Firefox.exe|Name=Firefox browser| [x] -> Gevonden
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Gevonden
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Gevonden
 
¤¤¤ Taken : 0 ¤¤¤
 
¤¤¤ Bestanden : 14 ¤¤¤
[Adw.Shopperz|PUP.Gen1][Bestand] C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\BrowserAir.lnk [LNK@] C:\Users\Jelle\AppData\Local\BrowserAir\Application\BrowserairExec.exe -> Gevonden
[Adw.Shopperz|PUP.Gen1][Bestand] C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\BrowserAir.lnk [LNK@] C:\Users\Jelle\AppData\Local\BrowserAir\Application\BrowserairExec.exe -> Gevonden
[Adw.Shopperz|PUP.Gen1][Bestand] C:\Windows\SysWOW64\config\systemprofile\Desktop\BrowserAir.lnk [LNK@] C:\Users\Jelle\AppData\Local\BrowserAir\Application\BrowserairExec.exe -> Gevonden
[PUP.Gen1][Map] C:\Users\Jelle\AppData\Roaming\.ACEStream -> Gevonden
[Tr.Gen0][Bestand] C:\Users\Jelle\AppData\Roaming\uTorrent\updates\3.4.5_41372\utorrentie.exe -> Gevonden
[Tr.Gen0][Bestand] C:\Users\Jelle\AppData\Roaming\uTorrent\updates\3.4.5_41712\utorrentie.exe -> Gevonden
[Tr.Gen0][Bestand] C:\Users\Jelle\AppData\Roaming\uTorrent\updates\3.4.6_42094\utorrentie.exe -> Gevonden
[Tr.Gen0][Bestand] C:\Users\Jelle\AppData\Roaming\uTorrent\updates\3.4.7_42330\utorrentie.exe -> Gevonden
[Tr.Gen0][Bestand] C:\Users\Jelle\AppData\Roaming\uTorrent\updates\3.4.8_42449\utorrentie.exe -> Gevonden
[Tr.Gen0][Bestand] C:\Users\Jelle\AppData\Roaming\uTorrent\updates\3.4.9_42606\utorrentie.exe -> Gevonden
[Tr.Gen0][Bestand] C:\Users\Jelle\AppData\Roaming\uTorrent\updates\3.4.9_42973\utorrentie.exe -> Gevonden
[Tr.Gen0][Bestand] C:\Users\Jelle\AppData\Roaming\uTorrent\updates\3.4.9_43085\utorrentie.exe -> Gevonden
[Tr.Gen0][Bestand] C:\Users\Jelle\AppData\Roaming\uTorrent\updates\3.4.9_43295\utorrentie.exe -> Gevonden
[PUP.Gen0][Map] C:\Users\Jelle\AppData\Roaming\WinSAPSvc -> Gevonden
 
¤¤¤ WMI : 0 ¤¤¤
 
¤¤¤ Host-bestand : 0 ¤¤¤
 
¤¤¤ Antirootkit : 0 (Driver: Geladen) ¤¤¤
 
¤¤¤ Web Browsers : 2 ¤¤¤
[PUM.Proxy][Firefox:Config] 14jblrn9.default : user_pref("network.proxy.http", ""); -> Gevonden
[PUM.Proxy][Firefox:Config] 14jblrn9.default : user_pref("network.proxy.http_port", ""); -> Gevonden
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: OCZ-AGILITY3 ATA Device +++++
--- User ---
[MBR] 4d7ccf644b6ddb451083f11fb1ca9794
[BSP] e68b150900a0e8e2c86d13e77017307a : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 350 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 718848 | Size: 114121 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK
 
+++++ PhysicalDrive1: WDC WD6400AACS-00G8B1 ATA Device +++++
--- User ---
[MBR] 40dd3fed5d70ebe0b8663ddca8aa0632
[BSP] aded8987c3667339b1d4a1d389d273a0 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 610470 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK
 

 

----------------------------------------------------------------------------------------------------------------------------------

 

 
Zoek.exe v5.0.0.1 Updated 27-09-2015
Tool run by Jelle on do 13-04-2017 at 23:37:36,94.
Microsoft Windows 8.1 Pro 6.3.9600  x64
Running in: Normal Mode No Internet Access Detected
Launched: C:\Users\Jelle\Desktop\zoek.exe [Scan all users] [Script inserted] 
 
==== System Restore Info ======================
 
13-4-2017 23:38:00 Zoek.exe System Restore Point Created Successfully.
 
==== Empty Folders Check ======================
 
C:\PROGRA~2\Adobe deleted successfully
C:\PROGRA~2\Origin Games deleted successfully
C:\PROGRA~2\Rockstar Games deleted successfully
C:\PROGRA~2\COMMON~1\EAInstaller deleted successfully
C:\Program Files\HitmanPro deleted successfully
C:\Program Files\Rockstar Games deleted successfully
C:\PROGRA~3\Malwarebytes' Anti-Malware (portable) deleted successfully
C:\PROGRA~3\RegRun deleted successfully
C:\Users\Jelle\AppData\Roaming\Foxit Scanner Images deleted successfully
C:\Users\Jelle\AppData\Roaming\HpUpdate deleted successfully
C:\Users\Jelle\AppData\Roaming\Malwarebytes deleted successfully
C:\Users\Jelle\AppData\Roaming\My Games deleted successfully
C:\Users\Jelle\AppData\Roaming\Opera deleted successfully
C:\Users\Jelle\AppData\Local\EmieBrowserModeList deleted successfully
C:\Users\Jelle\AppData\Local\EmieSiteList deleted successfully
C:\Users\Jelle\AppData\Local\EmieUserList deleted successfully
C:\Users\Jelle\AppData\Local\Opera deleted successfully
C:\Users\Jelle\AppData\Local\Skype deleted successfully
C:\WINDOWS\serviceprofiles\networkservice\AppData\Local\PeerDistPub deleted successfully
C:\WINDOWS\serviceprofiles\networkservice\AppData\Local\PeerDistRepub deleted successfully
 
==== Deleting CLSID Registry Keys ======================
 
 
==== Deleting CLSID Registry Values ======================
 
 
==== Deleting Services ======================
 
 
==== FireFox Fix ======================
 
Deleted from C:\Users\Jelle\AppData\Roaming\Mozilla\Firefox\Profiles\14jblrn9.default\prefs.js:
user_pref("browser.startup.homepage", "about:blank");
user_pref("browser.search.suggest.enabled", false);
user_pref("browser.search.useDBForOrder", true);
 
Added to C:\Users\Jelle\AppData\Roaming\Mozilla\Firefox\Profiles\14jblrn9.default\prefs.js:
user_pref("browser.startup.homepage", "about:home");
user_pref("browser.newtab.url", "about:newtab");
 
==== Batch Command(s) Run By Tool======================
 
 
==== Deleting Files \ Folders ======================
 
C:\PROGRA~2\Adobe not found
C:\PROGRA~2\Origin Games not found
C:\PROGRA~2\Rockstar Games not found
C:\PROGRA~3\Malwarebytes' Anti-Malware (portable) not found
C:\Users\Jelle\AppData\Roaming\Curse Client deleted
C:\Users\Jelle\AppData\Roaming\discord deleted
C:\Users\Jelle\AppData\Roaming\uTorrent deleted
C:\Users\Jelle\AppData\Roaming\CopyRights.txt deleted
C:\Users\Jelle\AppData\Roaming\hr.txt deleted
C:\Users\Jelle\AppData\Roaming\io.txt deleted
C:\Users\Jelle\AppData\Roaming\License.txt deleted
C:\Users\Jelle\AppData\Roaming\pa-in.txt deleted
C:\Users\Jelle\AppData\Roaming\setupctrl.txt deleted
C:\Users\Jelle\AppData\Roaming\sk.txt deleted
C:\WINDOWS\sysWoW64\config\systemprofile\AppData\Roaming\az.txt deleted
C:\WINDOWS\sysWoW64\config\systemprofile\AppData\Roaming\CopyRights.txt deleted
C:\WINDOWS\sysWoW64\config\systemprofile\AppData\Roaming\For_WDS_Server_pls_use_WinPE_folder.txt deleted
C:\WINDOWS\sysWoW64\config\systemprofile\AppData\Roaming\fur.txt deleted
C:\WINDOWS\sysWoW64\config\systemprofile\AppData\Roaming\gu.txt deleted
C:\WINDOWS\sysWoW64\config\systemprofile\AppData\Roaming\hi.txt deleted
C:\WINDOWS\sysWoW64\config\systemprofile\AppData\Roaming\hr.txt deleted
C:\WINDOWS\sysWoW64\config\systemprofile\AppData\Roaming\io.txt deleted
C:\WINDOWS\sysWoW64\config\systemprofile\AppData\Roaming\License.txt deleted
C:\WINDOWS\sysWoW64\config\systemprofile\AppData\Roaming\mng.txt deleted
C:\WINDOWS\sysWoW64\config\systemprofile\AppData\Roaming\ms.txt deleted
C:\WINDOWS\sysWoW64\config\systemprofile\AppData\Roaming\ne.txt deleted
C:\WINDOWS\sysWoW64\config\systemprofile\AppData\Roaming\pa-in.txt deleted
C:\WINDOWS\sysWoW64\config\systemprofile\AppData\Roaming\setupctrl.txt deleted
C:\WINDOWS\sysWoW64\config\systemprofile\AppData\Roaming\sk.txt deleted
C:\PROGRA~3\Package Cache deleted
C:\Users\Jelle\AppData\Local\uninst.tmp deleted
C:\Users\Jelle\AppData\Local\FlowSprit.dll deleted
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Search.lnk deleted
C:\windows\SysNative\GroupPolicy\Machine deleted
C:\windows\SysNative\GroupPolicy\User deleted
C:\WINDOWS\Syswow64\BCAB.tmp deleted
C:\WINDOWS\Syswow64\SET664D.tmp deleted
C:\WINDOWS\Syswow64\SET66EB.tmp deleted
C:\WINDOWS\Syswow64\SET6C24.tmp deleted
C:\WINDOWS\Syswow64\SET7287.tmp deleted
C:\WINDOWS\Syswow64\SET7E1C.tmp deleted
C:\WINDOWS\Syswow64\SET7E2D.tmp deleted
C:\WINDOWS\Syswow64\SET86E4.tmp deleted
C:\WINDOWS\Syswow64\SET8ACE.tmp deleted
C:\WINDOWS\Syswow64\SET99BC.tmp deleted
C:\WINDOWS\Syswow64\SETA537.tmp deleted
C:\WINDOWS\Syswow64\SETA6EA.tmp deleted
C:\WINDOWS\Syswow64\SETC4F4.tmp deleted
C:\WINDOWS\Syswow64\SETC573.tmp deleted
C:\WINDOWS\Syswow64\SETC5E4.tmp deleted
C:\WINDOWS\Syswow64\SETD3E0.tmp deleted
C:\WINDOWS\Syswow64\SETDEE9.tmp deleted
C:\WINDOWS\Syswow64\SETDF4C.tmp deleted
C:\WINDOWS\Syswow64\SETDF7D.tmp deleted
C:\WINDOWS\Syswow64\SETE36B.tmp deleted
C:\WINDOWS\Syswow64\SETE3F9.tmp deleted
C:\WINDOWS\Syswow64\SETED1A.tmp deleted
C:\WINDOWS\Syswow64\SETF449.tmp deleted
C:\WINDOWS\SysWow64\AI_RecycleBin deleted
C:\Users\Jelle\AppData\Roaming\Mozilla\Firefox\Profiles\14jblrn9.default\extensions\firefox@ghostery.com.xpi deleted
C:\Users\Jelle\AppData\Roaming\Mozilla\Firefox\Profiles\14jblrn9.default\jetpack deleted
 
==== Firefox Start and Search pages ======================
 
ProfilePath: C:\Users\Jelle\AppData\Roaming\Mozilla\Firefox\Profiles\14jblrn9.default
user_pref("browser.startup.homepage", "about:home");
user_pref("browser.newtab.url", "about:newtab");
 
==== Firefox Proxy Settings ======================
 
ProfilePath: C:\Users\Jelle\AppData\Roaming\Mozilla\Firefox\Profiles\14jblrn9.default
user_pref("network.proxy.autoconfig_url", "");
user_pref("network.proxy.no_proxies_on", "localhost, 127.0.0.1, stealthy.co");
user_pref("network.proxy.type", "");
 
==== Firefox Extensions ======================
 
ProfilePath: C:\Users\Jelle\AppData\Roaming\Mozilla\Firefox\Profiles\14jblrn9.default
- PSFactoryBuffer - %ProfilePath%\extensions\{1D6E8113-C179-CD83-D1A2-6AB3BF9846F4}
- Instagram for Firefox - %ProfilePath%\extensions\jid0-BumCY9dUzYckeJaH3JEeimjBpxM@jetpack.xpi
- Reddit Enhancement Suite - %ProfilePath%\extensions\jid1-xUfzOsOFlzSOXg@jetpack.xpi
- HttpFox - %ProfilePath%\extensions\{4093c4de-454a-4329-8aff-c6b0b123c386}.xpi
- ReloadEvery - %ProfilePath%\extensions\{888d99e7-e8b5-46a3-851e-1ec45da1e644}.xpi
- Video DownloadHelper - %ProfilePath%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}.xpi
- Update Scanner - %ProfilePath%\extensions\{c07d1a49-9894-49ff-a594-38960ede8fb9}.xpi
- Adblock Plus - %ProfilePath%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
 
==== Firefox Plugins ======================
 
 
==== Chromium Look ======================
 
 
Chrome Media Router - Jelle\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm
 
==== Set IE to Default ======================
 
Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Use Search Asst"="yes"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchUrl]
"Default"="https://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBFnYN5R-SRTQR4zPSPkbNFA5i_N_-AUuMOiqVhTzNGjnszW24LOgMOPgd0BLEH9KNSKbpP9Ja0-tibyvLQRvcBIEjUDNtXiBHuQlpuCg0Od2cqcjr6uyO5m9GmWCDZ6RLEujWA6I2yNBlBi8qp6BONw_JeD3PG-Go8l8Xwwnp-MX0t7L4u41rdbo38&q={searchTerms}"
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\SearchUrl]
"Default"="https://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBFnYN5R-SRTQR4zPSPkbNFA5i_N_-AUuMOiqVhTzNGjnszW24LOgMOPgd0BLEH9KNSKbpP9Ja0-tibyvLQRvcBIEjUDNtXiBHuQlpuCg0Od2cqcjr6uyO5m9GmWCDZ6RLEujWA6I2yNBlBi8qp6BONw_JeD3PG-Go8l8Xwwnp-MX0t7L4u41rdbo38&q={searchTerms}"
 
New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Use Search Asst"="no"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchUrl]
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\SearchUrl]
 
==== All HKCU SearchScopes ======================
 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes
"DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
{012E1000-F331-11DB-8314-0800200C9A66} Google  Url="http://www.google.com/search?q={searchTerms}"
 
==== Reset Google Chrome ======================
 
C:\Users\Jelle\AppData\Local\Google\Chrome\User Data\Default\Preferences was reset successfully
C:\Users\Jelle\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences was reset successfully
C:\WINDOWS\sysWoW64\config\systemprofile\AppData\Local\UCBrowser\User Data\Default\Preferences was reset successfully
C:\Users\Jelle\AppData\Local\Google\Chrome\User Data\Default\Web Data was reset successfully
C:\WINDOWS\sysWoW64\config\systemprofile\AppData\Local\UCBrowser\User Data\Default\Web Data.65 was reset successfully
C:\WINDOWS\sysWoW64\config\systemprofile\AppData\Local\UCBrowser\User Data\Default\Web Data.65-journal was reset successfully
 
==== Empty IE Cache ======================
 
C:\WINDOWS\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Jelle\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\Users\Jelle\AppData\Local\Microsoft\Windows\INetCache\Low\Content.IE5 emptied successfully
C:\WINDOWS\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\WINDOWS\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\WINDOWS\sysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\Users\Jelle\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
C:\Users\Jelle\AppData\Local\Microsoft\Windows\INetCache\Low\IE emptied successfully
C:\WINDOWS\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
C:\WINDOWS\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
 
==== Empty FireFox Cache ======================
 
No FireFox Cache found
 
==== Empty Chrome Cache ======================
 
C:\Users\Jelle\AppData\Local\Google\Chrome\User Data\Default\Cache emptied successfully
C:\WINDOWS\sysWoW64\config\systemprofile\AppData\Local\UCBrowser\User Data\Default\Cache emptied successfully
 
==== Empty All Flash Cache ======================
 
Flash Cache Emptied Successfully
 
==== Empty All Java Cache ======================
 
Java Cache cleared successfully
 
==== C:\zoek_backup content ======================
 
C:\zoek_backup (files=1128 folders=157 696799476 bytes)
 
==== Empty Temp Folders ======================
 
C:\Users\Default\AppData\Local\Temp emptied successfully
C:\Users\Default User\AppData\Local\Temp emptied successfully
C:\Users\Jelle\AppData\Local\Temp will be emptied at reboot
C:\WINDOWS\serviceprofiles\networkservice\AppData\Local\Temp emptied successfully
C:\WINDOWS\serviceprofiles\Localservice\AppData\Local\Temp emptied successfully
C:\WINDOWS\Temp will be emptied at reboot
 
==== After Reboot ======================
 
==== Empty Temp Folders ======================
 
C:\WINDOWS\Temp successfully emptied
C:\Users\Jelle\AppData\Local\Temp successfully emptied
 
==== Empty Recycle Bin ======================
 
C:\$RECYCLE.BIN successfully emptied
 
==== EOF on do 13-04-2017 at 23:51:17,19 ======================

Edited by jcharm, 13 April 2017 - 05:05 PM.
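The RogueKiller and FRST findings in the logs above (UAC set to elevate administrators silently, firewall allow rules for executables under TEMP and the systemprofile, driver services loading from AppData\Local\Temp, scheduled tasks whose target file is gone) are the weakened settings and persistence points worth re-checking after a cleanup, since they explain how an infection like this one keeps coming back. The following PowerShell triage script is an added example and not part of this thread or of any of the tools used in it; it assumes Windows 8 or later (for the NetSecurity and ScheduledTasks modules) and an elevated prompt, and it only reads and reports.

```powershell
# Added example: read-only post-cleanup triage for the conditions flagged in the logs above.
# Assumes Windows 8+ (NetSecurity and ScheduledTasks modules) and an elevated PowerShell.

$findings = New-Object System.Collections.Generic.List[string]

# 1. UAC policy. RogueKiller flagged ConsentPromptBehaviorAdmin = 0 (PUM.Policies): with that
#    value an administrator elevates with no prompt at all, so nothing stands between a dropped
#    installer and system-wide changes. The Windows default is 5 (prompt for non-Windows binaries).
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $uacKey -ErrorAction SilentlyContinue
if ($uac.EnableLUA -eq 0) {
    $findings.Add('UAC is disabled entirely (EnableLUA = 0)')
}
if ($uac.ConsentPromptBehaviorAdmin -eq 0) {
    $findings.Add('UAC elevates administrators silently (ConsentPromptBehaviorAdmin = 0, default is 5)')
}

# 2. Firewall allow rules whose program lives in a scratch or profile-local location, as with
#    FlowSpritSetup_slnt_5011.exe in C:\WINDOWS\TEMP and BrowserAir under the systemprofile.
#    Legitimate per-user installs (Chrome, Discord) also live under AppData\Local, so every hit
#    still needs a human look at the path and at the file's signature.
$scratchPatterns = @('\\Temp\\', '\\AppData\\Local\\', '\\config\\systemprofile\\')
foreach ($rule in Get-NetFirewallRule -Action Allow -Enabled True -ErrorAction SilentlyContinue) {
    $program = ($rule | Get-NetFirewallApplicationFilter).Program
    if (-not $program -or $program -eq 'Any') { continue }
    $expanded = [Environment]::ExpandEnvironmentVariables($program)
    foreach ($pattern in $scratchPatterns) {
        if ($expanded -match $pattern) {
            $findings.Add("Firewall allow rule '$($rule.DisplayName)' for $expanded")
            break
        }
    }
}

# 3. Services and kernel drivers that load from a Temp directory, like the cpuz137/cpuz138 .sys
#    entries FRST listed under AppData\Local\Temp. Win32_Service does not list kernel drivers,
#    so Win32_SystemDriver is queried as well.
$loaders = @(Get-CimInstance Win32_Service) + @(Get-CimInstance Win32_SystemDriver)
foreach ($svc in $loaders) {
    if ($svc.PathName -and $svc.PathName -match '\\Temp\\') {
        $findings.Add("Service or driver '$($svc.Name)' loads from $($svc.PathName)")
    }
}

# 4. Scheduled tasks whose executable no longer exists (FRST's "-> No File" entries). A leftover
#    task is harmless by itself, but it shows where a dropper registered itself and its name tells
#    you what to search the drive for.
foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($action in $task.Actions) {
        $exe = $action.Execute
        if (-not $exe) { continue }                       # COM-handler actions have no Execute
        $exe = [Environment]::ExpandEnvironmentVariables($exe.Trim('"'))
        if ($exe -notmatch '[\\/]') { continue }          # bare names resolve through PATH
        if (-not (Test-Path -LiteralPath $exe)) {
            $findings.Add("Scheduled task '$($task.TaskPath)$($task.TaskName)' points at missing file $exe")
        }
    }
}

# 5. Local machine Group Policy. Both FRST and Zoek removed GroupPolicy\Machine in the logs above;
#    on a stand-alone home PC a Registry.pol that reappears after that is worth opening, because
#    policy-pinned browser settings survive an ordinary browser reset.
$pol = Join-Path $env:SystemRoot 'System32\GroupPolicy\Machine\Registry.pol'
if (Test-Path -LiteralPath $pol) {
    $findings.Add("Local machine policy present: $pol (review it if you did not create it)")
}

if ($findings.Count -eq 0) {
    Write-Output 'No flagged conditions found.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

Each line it prints is a lead to verify by hand, not a verdict; the script changes nothing.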


#6 nasdaq

  • Malware Response Team
  • 38,593 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 14 April 2017 - 07:55 AM

I have noticed that task manager now requires permission before opening when I press ctrl+shift+esc. Is that one of the anti-malware programs returning to default UAC settings?

Yes. Your call if you want to remove that protection.

===
 

I do however see a folder called MK which again has a folder inside it called HL, which is empty.

Could this \MK folder be created by a Game you play?
===

Run the RogueKiller tool and delete these entries.
 

¤¤¤ Registry : 30 ¤¤¤
[Adw.Elex] (X64) HKEY_LOCAL_MACHINE\Software\InterSect Alliance -> Found
[PUP.UCBrowser|PUP.Gen1] (X64) HKEY_LOCAL_MACHINE\Software\UCBrowser -> Found
[PUP.Ghokswa] (X86) HKEY_LOCAL_MACHINE\Software\Firefox -> Found
[PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\UCBrowserPID -> Found
[PUP.UCBrowser|PUP.Gen1] (X64) HKEY_USERS\.DEFAULT\Software\UCBrowser -> Found
[PUP.Gen1] (X64) HKEY_USERS\.DEFAULT\Software\UCBrowserPID -> Found
[PUP.UCBrowser|PUP.Gen1] (X86) HKEY_USERS\.DEFAULT\Software\UCBrowser -> Found
[PUP.Gen1] (X86) HKEY_USERS\.DEFAULT\Software\UCBrowserPID -> Found
[PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-4099470078-3949118013-312997308-1001\Software\AceStream -> Found
[PUP.Ghokswa] (X64) HKEY_USERS\S-1-5-21-4099470078-3949118013-312997308-1001\Software\Firefox -> Found
[PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-4099470078-3949118013-312997308-1001\Software\UCBrowserPID -> Found
[PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-4099470078-3949118013-312997308-1001\Software\AceStream -> Found
[PUP.Ghokswa] (X86) HKEY_USERS\S-1-5-21-4099470078-3949118013-312997308-1001\Software\Firefox -> Found
[PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-4099470078-3949118013-312997308-1001\Software\UCBrowserPID -> Found
[PUP.UCBrowser|PUP.Gen1] (X64) HKEY_USERS\S-1-5-18\Software\UCBrowser -> Found
[PUP.Gen1] (X64) HKEY_USERS\S-1-5-18\Software\UCBrowserPID -> Found
[PUP.UCBrowser|PUP.Gen1] (X86) HKEY_USERS\S-1-5-18\Software\UCBrowser -> Found
[PUP.Gen1] (X86) HKEY_USERS\S-1-5-18\Software\UCBrowserPID -> Found
[Adw.Microtool] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Microtool_is1 -> Found
[PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-4099470078-3949118013-312997308-1001\Software\Microsoft\Windows\CurrentVersion\Uninstall\AceStream -> Found
[PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-4099470078-3949118013-312997308-1001\Software\Microsoft\Windows\CurrentVersion\Uninstall\AceStream -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {A3434C66-E6C8-41CB-8D21-7DBCAEE8EDCB} : v2.22|Action=Allow|Active=TRUE|Dir=In|App=C:\WINDOWS\TEMP\FlowSpritSetup_slnt_5011.exe|Name=FlowSpritSetup_slnt_5011.exe| [x] -> Found
[PUP.Ghokswa] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {146BAE38-4EA5-4781-9B04-12C44C761E40} : v2.22|Action=Allow|Active=TRUE|Dir=In|App=C:\Program Files (x86)\Firefox\Firefox.exe|Name=Firefox browser| [x] -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 14 ¤¤¤
[Adw.Shopperz|PUP.Gen1][File] C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\BrowserAir.lnk [LNK@] C:\Users\Jelle\AppData\Local\BrowserAir\Application\BrowserairExec.exe -> Found
[Adw.Shopperz|PUP.Gen1][File] C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\BrowserAir.lnk [LNK@] C:\Users\Jelle\AppData\Local\BrowserAir\Application\BrowserairExec.exe -> Found
[Adw.Shopperz|PUP.Gen1][File] C:\Windows\SysWOW64\config\systemprofile\Desktop\BrowserAir.lnk [LNK@] C:\Users\Jelle\AppData\Local\BrowserAir\Application\BrowserairExec.exe -> Found
[Tr.Gen0][File] C:\Users\Jelle\AppData\Roaming\uTorrent\updates\3.4.5_41372\utorrentie.exe -> Found
[Tr.Gen0][File] C:\Users\Jelle\AppData\Roaming\uTorrent\updates\3.4.5_41712\utorrentie.exe -> Found
[Tr.Gen0][File] C:\Users\Jelle\AppData\Roaming\uTorrent\updates\3.4.6_42094\utorrentie.exe -> Found
[Tr.Gen0][File] C:\Users\Jelle\AppData\Roaming\uTorrent\updates\3.4.7_42330\utorrentie.exe -> Found
[Tr.Gen0][File] C:\Users\Jelle\AppData\Roaming\uTorrent\updates\3.4.8_42449\utorrentie.exe -> Found
[Tr.Gen0][File] C:\Users\Jelle\AppData\Roaming\uTorrent\updates\3.4.9_42606\utorrentie.exe -> Found
[Tr.Gen0][File] C:\Users\Jelle\AppData\Roaming\uTorrent\updates\3.4.9_42973\utorrentie.exe -> Found
[Tr.Gen0][File] C:\Users\Jelle\AppData\Roaming\uTorrent\updates\3.4.9_43085\utorrentie.exe -> Found
[Tr.Gen0][File] C:\Users\Jelle\AppData\Roaming\uTorrent\updates\3.4.9_43295\utorrentie.exe -> Found
[PUP.Gen0][Folder] C:\Users\Jelle\AppData\Roaming\WinSAPSvc -> Found
C:\Users\Jelle\AppData\Local\Kitty\cat.exe
C:\Users\Jelle\AppData\Local\Temp\{EC190F8E-FB5F-46FF-A500-72D95E896EA0}\GoogleUpdate.exe


===

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.
Please copy the entire contents of the code box below to the new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

C:\Program Files (x86)\MK
C:\Users\Jelle\AppData\Local\Kitty
C:\Users\Jelle\AppData\Local\Temp\{EC190F8E-FB5F-46FF-A500-72D95E896EA0}
C:\Users\Jelle\AppData\Local\Antanna
C:\Program Files (x86)\Antanna

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===
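The two FirewallRules entries in the RogueKiller output above deserve a closer look. Each is the raw value Windows stores under HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules: a version tag followed by pipe-delimited Key=Value fields. Both are active inbound Allow rules, one for an installer sitting in C:\WINDOWS\TEMP and one for a "Firefox" that is not installed where Mozilla's build lives. The script below is an added example, not part of nasdaq's instructions or of any tool on this page: it parses rule strings in that format and flags inbound allow rules whose program lives in a user-writable directory, or whose file name matches a well-known browser installed outside its vendor folder. TEMP_LIKE_DIRS and EXPECTED_VENDOR_DIR are my own heuristics; the first two sample rules are quoted from the log above and the third is constructed for contrast.

```python
"""Parse Windows Firewall rule strings (the format stored under
HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules
and echoed by RogueKiller above) and flag inbound Allow rules that look like
adware persistence. Added example; the heuristics are my own."""
import ntpath
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: the two rule values RogueKiller reported in the post
# above, plus one benign rule made up for contrast (not from the page).
SAMPLE_RULES: Dict[str, str] = {
    "{A3434C66-E6C8-41CB-8D21-7DBCAEE8EDCB}":
        r"v2.22|Action=Allow|Active=TRUE|Dir=In|App=C:\WINDOWS\TEMP\FlowSpritSetup_slnt_5011.exe|Name=FlowSpritSetup_slnt_5011.exe|",
    "{146BAE38-4EA5-4781-9B04-12C44C761E40}":
        r"v2.22|Action=Allow|Active=TRUE|Dir=In|App=C:\Program Files (x86)\Firefox\Firefox.exe|Name=Firefox browser|",
    "{00000000-0000-0000-0000-000000000001}":
        r"v2.22|Action=Allow|Active=TRUE|Dir=In|App=C:\Program Files\Mozilla Firefox\firefox.exe|Name=Firefox (Mozilla)|",
}

# Directories an ordinary user (or malware running as that user) can write to.
# A persistent inbound exception for a program living here is a red flag.
TEMP_LIKE_DIRS = (
    "c:\\windows\\temp\\",
    "\\appdata\\local\\temp\\",
    "\\appdata\\local\\",
    "\\appdata\\roaming\\",
    "c:\\users\\public\\",
    "c:\\programdata\\",
)

# Where the genuine binaries of well-known browsers install (assumption: my own
# short list; extend it for your environment).
EXPECTED_VENDOR_DIR = {
    "firefox.exe": "\\mozilla firefox\\",
    "chrome.exe": "\\google\\chrome\\application\\",
}


@dataclass
class FirewallRule:
    version: str
    fields: Dict[str, str] = field(default_factory=dict)

    @property
    def app(self) -> str:
        return self.fields.get("App", "")


def parse_rule(value: str) -> FirewallRule:
    """Split 'v2.22|Action=Allow|...|Name=x|' into version + Key=Value fields.
    A trailing '|' produces an empty segment, which is skipped."""
    parts = value.split("|")
    rule = FirewallRule(version=parts[0])
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        if not sep:
            raise ValueError(f"malformed rule segment: {part!r}")
        rule.fields[key] = val
    return rule


def classify(rule: FirewallRule) -> Optional[str]:
    """Reason the rule looks like persistence, or None if it passes."""
    f = rule.fields
    if f.get("Action", "").lower() != "allow" or f.get("Dir", "").lower() != "in":
        return None  # only active inbound allows matter here
    if f.get("Active", "").upper() != "TRUE":
        return None
    app = rule.app.lower()
    if not app:
        return None
    if any(d in app for d in TEMP_LIKE_DIRS):
        return "inbound allow for a program in a temp/user-writable directory"
    exe = ntpath.basename(app)
    vendor = EXPECTED_VENDOR_DIR.get(exe)
    if vendor and vendor not in app:
        return f"{exe} outside its vendor install directory (possible impostor browser)"
    return None


def audit(rules: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """(rule GUID, program path, reason) for every flagged rule, in input order."""
    findings = []
    for guid, value in rules.items():
        rule = parse_rule(value)
        reason = classify(rule)
        if reason:
            findings.append((guid, rule.app, reason))
    return findings


if __name__ == "__main__":
    for guid, app, reason in audit(SAMPLE_RULES):
        print(f"{guid}\n  {app}\n  -> {reason}")
```

On a live machine the same values can be read with PowerShell (`Get-ItemProperty` on that FirewallRules key) and fed to `audit`. Two caveats: a rule whose program no longer exists is still worth removing, because the exception is keyed on the path and whatever recreates the file inherits it; and per-user Chrome installs legitimately live under %LOCALAPPDATA%, so an AppData hit is a prompt to look, not proof on its own.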

#7 jcharm (Topic Starter)

Posted 14 April 2017 - 08:19 AM

Hello nasdaq,

It's possible, but seems unlikely. It was never there before and I haven't played or installed any new games. UnHackMe also keeps flagging it. I don't know what the point of the empty folder is though, as it's just that, empty. Windows Defender isn't being turned off anymore, so that's progress! I also don't see any new tasks in the task scheduler anymore, so that's positive as well.

I manually removed the folders yesterday night, so the script wasn't able to remove them now. Sorry about that! I guess the end result is the same. Here's the log anyway:

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 15-03-2017
Ran by Jelle (14-04-2017 15:12:18) Run:2
Running from C:\Users\Jelle\Desktop
Loaded Profiles: Jelle (Available Profiles: Jelle)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
start
 
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
 
C:\Program Files (x86)\MK
C:\Users\Jelle\AppData\Local\Kitty
C:\Users\Jelle\AppData\Local\Temp\{EC190F8E-FB5F-46FF-A500-72D95E896EA0}
C:\Users\Jelle\AppData\Local\Antanna
C:\Program Files (x86)\Antanna
 
End
*****************
 
Restore point was successfully created.
Processes closed successfully.
"C:\Program Files (x86)\MK" => not found.
"C:\Users\Jelle\AppData\Local\Kitty" => not found.
"C:\Users\Jelle\AppData\Local\Temp\{EC190F8E-FB5F-46FF-A500-72D95E896EA0}" => not found.
"C:\Users\Jelle\AppData\Local\Antanna" => not found.
"C:\Program Files (x86)\Antanna" => not found.
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 10144566 B
Java, Flash, Steam htmlcache => 28860444 B
Windows/system/drivers => 14054 B
Edge => 0 B
Chrome => 359513566 B
Firefox => 0 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 128 B
systemprofile32 => 6119 B
LocalService => 0 B
NetworkService => 0 B
Jelle => 8171811 B
 
RecycleBin => 0 B
EmptyTemp: => 395.9 MB temporary data Removed.
 
================================
 
 
The system needed a reboot.
 
==== End of Fixlog 15:12:28 ====


#8 nasdaq (Malware Response Team)

Posted 14 April 2017 - 08:58 AM


If any of these folders return, run this search.

Lets see what we can find in the Registry.

Farbar Recovery Scan Tool (FRST) - Registry Search
Follow the instructions below to download and execute a Registry search on your system with FRST, and provide the log in your next reply.
  • Right-click on the executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Accept the disclaimer by clicking on Yes, and FRST will then do a back-up of your Registry which should take a few seconds;
  • In the Search text area, copy and paste the following:
MK;Kitty;EC190F8E-FB5F-46FF-A500-72D95E896EA0;Antanna
  • Once done, click on the Search Registry button and wait for FRST to finish the search;
  • On completion, a log will open in Notepad. Copy and paste its content in your next reply;


#9 jcharm (Topic Starter)

Posted 14 April 2017 - 09:48 AM

Hello Nasdaq,

I've performed the registry search. However, the log is extremely big. The Chrome tab becomes unresponsive upon copying the content of the log. For that reason, I've attached the log file in my post instead.

Hope that's okay. Thanks again for your help.




#10 nasdaq (Malware Response Team)

Posted 15 April 2017 - 07:05 AM

Copy the text IN THE QUOTE BOX below to Notepad. Save it as fixme.reg to your desktop.
Be sure the "Save as" type is set to "All files". Once you have saved it, right-click the .reg file and allow it to merge with the registry.
 

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ApprovedByRegRun2\AntiRepl\0]
"Target"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ApprovedByRegRun2\AntiRepl\1]
"Target"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Antanna]
[-HKEY_USERS\S-1-5-21-4099470078-3949118013-312997308-1001\Software\Antanna]
[HKEY_USERS\S-1-5-21-4099470078-3949118013-312997308-1001\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\48e6e59b_0]
""=-
[-HKEY_USERS\S-1-5-21-4099470078-3949118013-312997308-1001\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store]
[-HKEY_USERS\S-1-5-21-4099470078-3949118013-312997308-1001\Software\Classes\ActivatableClasses\Package\DefaultBrowser_NOPUBLISHERID\Server\DefaultBrowserServer]
[-HKEY_USERS\S-1-5-21-4099470078-3949118013-312997308-1001\Software\Classes\Extensions\ContractId\Windows.File\PackageId\DefaultBrowser_NOPUBLISHERID\ActivatableClassId\DefaultBrowser.DefaultBrowserActivatableClass]
[-HKEY_USERS\S-1-5-21-4099470078-3949118013-312997308-1001\Software\Classes\Extensions\ContractId\Windows.Launch\PackageId\DefaultBrowser_NOPUBLISHERID\ActivatableClassId\DefaultBrowser.DefaultBrowserActivatableClass]
[-HKEY_USERS\S-1-5-21-4099470078-3949118013-312997308-1001\Software\Classes\Extensions\ContractId\Windows.Protocol\PackageId\DefaultBrowser_NOPUBLISHERID\ActivatableClassId\DefaultBrowser.DefaultBrowserActivatableClass]
[-HKEY_USERS\S-1-5-21-4099470078-3949118013-312997308-1001\Software\Classes\Extensions\ContractId\Windows.Search\PackageId\DefaultBrowser_NOPUBLISHERID\ActivatableClassId\DefaultBrowser.DefaultBrowserActivatableClass]
[HKEY_USERS\S-1-5-21-4099470078-3949118013-312997308-1001\Software\Classes\ftp\DefaultIcon]
""=-
[HKEY_USERS\S-1-5-21-4099470078-3949118013-312997308-1001\Software\Classes\ftp\shell\open\command]
""=-
[HKEY_USERS\S-1-5-21-4099470078-3949118013-312997308-1001\Software\Classes\http\DefaultIcon]
""=-
[HKEY_USERS\S-1-5-21-4099470078-3949118013-312997308-1001\Software\Classes\http\shell\open\command]
""=-
[HKEY_USERS\S-1-5-21-4099470078-3949118013-312997308-1001\Software\Classes\https\DefaultIcon]
""=-
[HKEY_USERS\S-1-5-21-4099470078-3949118013-312997308-1001\Software\Classes\https\shell\open\command]
""=-
[HKEY_USERS\S-1-5-21-4099470078-3949118013-312997308-1001\Software\Classes\irc\DefaultIcon]
""=-
[HKEY_USERS\S-1-5-21-4099470078-3949118013-312997308-1001\Software\Classes\irc\shell\open\command]
""=-
[HKEY_USERS\S-1-5-21-4099470078-3949118013-312997308-1001\Software\Classes\mailto\DefaultIcon]
""=-
[HKEY_USERS\S-1-5-21-4099470078-3949118013-312997308-1001\Software\Classes\mailto\shell\open\command]
""=-
[HKEY_USERS\S-1-5-21-4099470078-3949118013-312997308-1001\Software\Classes\mms\DefaultIcon]
""=-
[HKEY_USERS\S-1-5-21-4099470078-3949118013-312997308-1001\Software\Classes\mms\shell\open\command]
""=-
[HKEY_USERS\S-1-5-21-4099470078-3949118013-312997308-1001\Software\Classes\news\DefaultIcon]
""=-
[HKEY_USERS\S-1-5-21-4099470078-3949118013-312997308-1001\Software\Classes\news\shell\open\command]
""=-
[HKEY_USERS\S-1-5-21-4099470078-3949118013-312997308-1001\Software\Classes\nntp\DefaultIcon]
""=-
[HKEY_USERS\S-1-5-21-4099470078-3949118013-312997308-1001\Software\Classes\nntp\shell\open\command]
""=-
[HKEY_USERS\S-1-5-21-4099470078-3949118013-312997308-1001\Software\Classes\sms\DefaultIcon]
""=-
[HKEY_USERS\S-1-5-21-4099470078-3949118013-312997308-1001\Software\Classes\sms\shell\open\command]
""=-
[HKEY_USERS\S-1-5-21-4099470078-3949118013-312997308-1001\Software\Classes\smsto\DefaultIcon]
""=-
[HKEY_USERS\S-1-5-21-4099470078-3949118013-312997308-1001\Software\Classes\smsto\shell\open\command]
""=-
[HKEY_USERS\S-1-5-21-4099470078-3949118013-312997308-1001\Software\Classes\tel\DefaultIcon]
""=-
[HKEY_USERS\S-1-5-21-4099470078-3949118013-312997308-1001\Software\Classes\tel\shell\open\command]
""=-
[HKEY_USERS\S-1-5-21-4099470078-3949118013-312997308-1001\Software\Classes\urn\DefaultIcon]
""=-
[HKEY_USERS\S-1-5-21-4099470078-3949118013-312997308-1001\Software\Classes\urn\shell\open\command]
""=-
[HKEY_USERS\S-1-5-21-4099470078-3949118013-312997308-1001\Software\Classes\webcal\DefaultIcon]
""=-
[HKEY_USERS\S-1-5-21-4099470078-3949118013-312997308-1001\Software\Classes\webcal\shell\open\command]
""=-


Restart the computer when completed.

You can delete the fixme.reg file when done.
===

Refer to post no. 2 and reinstall Chrome from the link I gave you.


Let me know what problem persists.
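Before merging a .reg file like the one above it helps to know exactly what each line does: `[-KEY]` deletes the whole key with every subkey, `"Name"=-` deletes a single value, and `""=-` (equivalently `@=-`) deletes the key's unnamed (Default) value, which for `Classes\<protocol>\shell\open\command` is the command that runs when a link of that protocol is opened. Per-user entries under HKEY_USERS\<SID>\Software\Classes take precedence over HKLM\SOFTWARE\Classes when HKEY_CLASSES_ROOT is assembled, which is how a hijacker redirects http: and https: to its own browser without touching the machine-wide setting, and why clearing them hands the protocols back. The script below is an added example, not nasdaq's and not part of any tool on this page: it dry-runs a .reg file in the subset of the format this fix uses and lists what a merge would change. SAMPLE_REG is an excerpt of the fix above.

```python
"""Dry-run a Windows .reg fix: list every operation merging it would perform,
so a file like the one above can be reviewed before it touches the registry.
Added example, not part of the thread; handles the .reg subset that fix uses."""
from typing import List, Optional, Tuple

# Excerpt of the fix posted above (quoted from the page; no live registry needed).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ApprovedByRegRun2\AntiRepl\0]
"Target"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Antanna]
[HKEY_USERS\S-1-5-21-4099470078-3949118013-312997308-1001\Software\Classes\http\shell\open\command]
""=-
[HKEY_USERS\S-1-5-21-4099470078-3949118013-312997308-1001\Software\Classes\https\shell\open\command]
""=-
"""

Op = Tuple[str, str, str]  # (action, key path, value name)


def parse_reg(text: str) -> List[Op]:
    """Operations a merge would perform. Grammar covered:
      [KEY]       select KEY (created if missing)   [-KEY]    delete KEY and all subkeys
      "name"=-    delete value 'name'               "name"=X  set value (data not decoded)
      @=- / ""=-  delete the key's (Default) value
    Escaped quotes inside value names are not handled."""
    ops: List[Op] = []
    key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith(("Windows Registry Editor", "REGEDIT4")):
            continue
        if line.startswith("[") and line.endswith("]"):
            body = line[1:-1]
            if body.startswith("-"):
                ops.append(("delete_key", body[1:], ""))
                key = None  # value lines cannot follow a deleted key
            else:
                key = body
            continue
        if key is None:
            raise ValueError(f"value line outside a key section: {line!r}")
        if line.startswith('"'):
            end = line.index('"', 1)  # closing quote of the value name
            name, rest = line[1:end], line[end + 1:]
        elif line.startswith("@"):
            name, rest = "", line[1:]
        else:
            raise ValueError(f"unparseable line: {line!r}")
        if not rest.startswith("="):
            raise ValueError(f"missing '=' in: {line!r}")
        name = name or "(Default)"
        action = "delete_value" if rest[1:].strip() == "-" else "set_value"
        ops.append((action, key, name))
    return ops


def protocol_handler(key: str) -> Optional[str]:
    """If key is <hive>\\...\\Software\\Classes\\<proto>\\shell\\open\\command, return <proto>."""
    parts = key.lower().split("\\")
    if "classes" not in parts:
        return None
    i = parts.index("classes")
    if i >= 1 and parts[i - 1] == "software" and parts[i + 2:i + 5] == ["shell", "open", "command"]:
        return parts[i + 1]
    return None


def review(ops: List[Op]) -> List[str]:
    """One human-readable line per operation, calling out the destructive ones.
    Per-user Classes entries under HKEY_USERS\\<SID> override HKLM\\SOFTWARE\\Classes,
    so clearing a user-level <proto>\\shell\\open\\command hands the protocol back to
    the machine-wide handler instead of the hijacker's browser."""
    notes = []
    for action, key, name in ops:
        if action == "delete_key":
            notes.append(f"DELETE KEY and every subkey: {key}")
        elif action == "delete_value":
            proto = protocol_handler(key)
            if proto and key.lower().startswith(("hkey_users\\", "hkey_current_user\\")):
                notes.append(f"clear per-user '{proto}:' handler -> machine default applies: {key}")
            else:
                notes.append(f"delete value {name!r} in {key}")
        else:
            notes.append(f"set value {name!r} in {key}")
    return notes


if __name__ == "__main__":
    for note in review(parse_reg(SAMPLE_REG)):
        print(note)
```

Run it against the whole fixme.reg before merging; anything reported as DELETE KEY is irreversible without the backup regedit does not make for you, so export those keys first (`reg export`) if there is any doubt.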

#11 jcharm (Topic Starter)

Posted 19 April 2017 - 02:34 AM

Hello nasdaq,

Happy Easter! I was off-line during this holiday.

I've merged the file with the registry successfully. The only thing UnHackMe keeps flagging is C:\USERS\PUBLIC\DOCUMENTS\TEMP.DAT

I am unsure if this file is malicious. Other scanners do not flag the file.

Otherwise, I don't have any issues. Is there a way to check if anything pops up?



#12 nasdaq (Malware Response Team)

Posted 19 April 2017 - 09:34 AM


Delete it to your Recycle bin.

C:\USERS\PUBLIC\DOCUMENTS\TEMP.DAT

If a program needs it, you will be prompted and you can restore it.

Flush it if all is well in a week or two.

===

If all is well, to learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe:
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/

Simple and easy ways to keep your computer safe and secure on the Internet:
https://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
===

#13 jcharm (Topic Starter)

Posted 20 April 2017 - 04:00 AM

I've deleted it multiple times, but it seems to be coming back every time.

This is what is inside, if I open the file with Notepad:

dll.571.service.0.0.0

Unsure if it can do any harm.


#14 nasdaq (Malware Response Team)

Posted 20 April 2017 - 07:39 AM

It's not harmful.

https://www.exedb.com/en/571.dll/840535
===

If all is well, to learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe:
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/

Simple and easy ways to keep your computer safe and secure on the Internet:
https://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
===

#15 jcharm (Topic Starter)

Posted 21 April 2017 - 03:34 AM

Alright! Seems that is it then :)

Thank you very much for your help nasdaq, I greatly appreciate it. You have been most helpful.





