
Virus: Windows Process Manager


This topic is locked
24 replies to this topic

#1 SirEdward43
  • Members
  • 11 posts

Posted 02 May 2018 - 06:41 PM

I apparently have a nasty piece of Malware on my laptop, and it refuses to come off.

 

This seems to be a distressingly common issue, looking at these forums, and I've followed several other guides for similar issues, which have the same 'Windows Process Manager' such as the following:

 

https://www.bleepingcomputer.com/forums/t/674935/windows-process-manager-virus/

 

and 

 

https://www.bleepingcomputer.com/forums/t/676604/trojan-windows-process-manager-32-bit/

 

Both of these sound incredibly similar to my issue, though I suspect the actual name of my malicious program to be different. At any rate, I've followed every step that I can on these guides, and a few others. They all seem to be the same, but it's not working for me, unfortunately. I know every situation is unique, so I'd like to get some guidance on this. I'll go ahead and attach my FRST log, since that seems to be the standard procedure with this. 

 

The issue that's causing me endless frustration is that I can't even create a Windows Repair Drive or access Windows RE mode through any means. It's driven me to consider wiping the laptop entirely and starting over, but I'd really rather avoid that headache entirely. I'm not really sure how I can proceed without access to the RE, though I've tried a few alternatives like creating a Windows install image in an attempt to access the recovery tools through that. No dice. The install image downloaded quickly enough but sat at 0% for over an hour before I gave up hope. Was that too short of a time to wait?

 

Let me know what you'll need from me, and thanks in advance!

Attached Files

  • Attached File  FRST.txt   28.12KB   4 downloads



#2 Aura
    Bleepin' Special Ops
  • Malware Response Team
  • 19,664 posts

Posted 03 May 2018 - 09:10 AM

Hi SirEdward43 :)

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name, it's up to you! Now that we've broken the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.
  • As you'll notice, the logs we are asking for here are quite lengthy, so it's normal for me to not reply exactly after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens
  • As long as I'm assisting you on BleepingComputer, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you
  • The same principle applies to any modifications you make to your system, I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system
  • If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here, better be safe than sorry!
  • If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off
  • Since malware can work quickly, we want to get rid of it as fast as we can, before it makes unknown changes to the system. This being said, I would appreciate it if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced
  • I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not, I'll give you the benefit of the doubt. Plus, this would be against BleepingComputer's rules
  • In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like format and reinstall Windows, you are free to do so. I would appreciate it if you let me know about it first, and if you need, I can also assist you in the process
  • I would appreciate if you were to stay with me until the end, which means, until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely gone
    This being said, I have a full time job so sometimes it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread
This being said, it's time to clean-up some malware, so let's get started, shall we? :)

Farbar Recovery Scan Tool (FRST) - Fix mode
Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.
  • Download the right version of FRST for your system:
    • FRST 32-bit
    • FRST 64-bit
      Note: Only the right version will run on your system, the other will throw an error message. So if you don't know what your system's version is, simply download both of them, and the one that works is the one you should be using.
  • Move the executable (FRST.exe or FRST64.exe) to your Desktop
  • Right-click on the FRST executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Copy/paste the following inside the text area:
    Start::
    CMD: bcdedit.exe /set {bootmgr} displaybootmenu yes
    CMD: bcdedit.exe /set {default} recoveryenabled yes
    End::
    
  • Click on the Fix button
  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad
  • Copy and paste its content in your next reply

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.
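The two bcdedit commands in the fixlist above only flip two flags in the Boot Configuration Data; they cannot bring back a recovery entry that has been removed. The following is an added check, not part of Aura's instructions or of FRST, that reads those flags back and asks reagentc whether a Windows RE image is still registered. It assumes an elevated PowerShell prompt on the affected machine and the English-language output of the built-in bcdedit.exe and reagentc.exe; the function names are this example's own.

```powershell
# Added example (not from the original thread): confirm that the two BCD
# settings the FRST fix changes actually took, and that a Windows RE image is
# still registered, before relying on "Advanced startup". Assumptions: run from
# an elevated PowerShell prompt on the affected machine, English-language
# output from the built-in bcdedit.exe and reagentc.exe.

function Get-BcdValue {
    param(
        [Parameter(Mandatory)] [string] $Identifier,   # '{bootmgr}' or '{default}'
        [Parameter(Mandatory)] [string] $Element       # e.g. 'recoveryenabled'
    )
    # bcdedit prints one "name        value" line per element; return the value
    # of the requested one, or $null when the entry does not carry it at all.
    # The identifier is passed as a quoted string so PowerShell does not treat
    # the braces as a script block.
    foreach ($line in (& bcdedit.exe /enum $Identifier 2>&1)) {
        if ("$line" -match "^\s*$Element\s+(\S+)") { return $Matches[1] }
    }
    return $null
}

function Test-RecoveryConfig {
    $state = [ordered]@{
        'bootmgr.displaybootmenu'  = Get-BcdValue -Identifier '{bootmgr}' -Element 'displaybootmenu'
        'default.recoveryenabled'  = Get-BcdValue -Identifier '{default}' -Element 'recoveryenabled'
        'default.recoverysequence' = Get-BcdValue -Identifier '{default}' -Element 'recoverysequence'
    }
    # reagentc reports whether a WinRE image (winre.wim) is registered for this install.
    $line = & reagentc.exe /info 2>&1 |
        Where-Object { "$_" -match 'Windows RE status' } |
        Select-Object -First 1
    $state['winre.status'] = if ($line) { ("$line" -split ':\s*', 2)[1].Trim() } else { 'unknown' }
    return [pscustomobject]$state
}

$cfg = Test-RecoveryConfig
$cfg | Format-List

# After the FRST fix both BCD values should read "Yes". If recoverysequence is
# empty or WinRE is "Disabled", the recovery entry itself is gone and flipping
# recoveryenabled cannot help; it has to be re-registered first.
if ($cfg.'default.recoveryenabled' -ne 'Yes' -or
    -not $cfg.'default.recoverysequence' -or
    $cfg.'winre.status' -ne 'Enabled') {
    Write-Warning 'Recovery entry missing or disabled. Try: reagentc.exe /enable, then re-run this check.'
}
```

If reagentc cannot re-enable WinRE (for example because winre.wim is no longer on the recovery partition), booting the Windows install media and using its Repair your computer option, as nasdaq describes below, gives you the same recovery tools without depending on the on-disk entry.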


#3 nasdaq
  • Malware Response Team
  • 39,578 posts
  • Location:Montreal, QC. Canada

Posted 03 May 2018 - 09:15 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please read these instructions carefully. If at any time you need help please ask before proceeding.

If your computer does not have the Windows Recovery Environment installed and available you can use the following method to run the Recovery Environment from a bootable USB disk.

NOTE: This USB disk needs to be created from a clean computer. You cannot use an infected computer for this process

NOTE: An 8GB USB 2.0 stick is required or at least recommended. In some cases a USB 3.0 disk can be used but some computers have issues booting from USB 3.0 disks.

Example drive (no endorsement implied, example only) - This drive example has not been tested by me. It is an older 2015 model with many good reviews though.

Amazon: Kingston 8GB DataTraveler 101 G2 USB 2.0 Flash Drive (DT101G2/8GBZ)

NewEgg: Kingston 8GB DataTraveler 101 G2 USB 2.0 Flash Drive (DT101G2/8GBZ)


STEP 1

Download a Windows 10 ISO image from Microsoft.

Method A: Using the Microsoft Media Creation Tool

https://www.microsoft.com/en-gb/software-download/windows10

Download the Media Creation Tool: https://go.microsoft.com/fwlink/?LinkId=691209

Follow the instructions displayed on the tool to download the Windows 10 ISO image.

In my testing I was not prompted for a license key to download the latest Windows 10 ISO image.

At the time of this writing (2017/12/21) there was only one ISO image offered: Windows 10, 32-bit x86 or 64-bit x64.


Note: You need to run the version compatible with your system.

You can check here if you're not sure if your computer is 32-bit or 64-bit


Method B: If Method A above is not working for you, then you can try the following method

Microsoft Windows and Office ISO Download Tool (this is not an authorized Microsoft tool, but appears to be legal)

https://www.heidoc.net/joomla/technology-science/microsoft/67-microsoft-windows-and-office-iso-download-tool

Download: https://www.heidoc.net/php/Windows%20ISO%20Downloader.exe

STEP 2

If you were unable to use the Windows Media Creation Tool in STEP 1 to create a USB disk then you can use this tool to burn the Windows 10 ISO image from STEP 1 above.

Download the Windows USB/DVD Download Tool from GitHub and save it to your computer.

English version: https://github.com/mantas-masidlauskas/wudt/raw/master/Downloads/Windows7-USB-DVD-Download-Tool-Installer-en-US.exe

Then install the Windows USB/DVD Download Tool and run it to burn a bootable USB disk from the ISO image. Browse to the location where you saved the Windows 10 ISO image in STEP 1

Note: This tool should work on XP, Vista, Windows 7, or Windows 10 - it is simply used to make a bootable USB disk. Remember, all of this needs to be done on a clean computer.



STEP 3

Please download the Farbar Recovery Scan Tool and save it to your desktop or other location you know where it's saved to. Then copy it to the USB disk you just created.

Note: You need to run the version compatible with your system.

You can check here if you're not sure if your computer is 32-bit or 64-bit

STEP 4

Shut down the infected computer. Do Not insert the USB disk you created until the infected computer has been shut down.

Once the computer is shut down, insert the newly created Windows 10 USB disk into the infected computer, power it back on and press the appropriate key to bring up the boot menu. The link below will help show you which key various computer manufacturers use to bring up the boot menu. Most will be either USB or UEFI depending on hardware and settings. If the computer boots up into normal Windows instead of the USB stick, the stick may become infected and need to be completely redone. Make sure you select the correct boot option.

How to Boot Your Computer from a USB Flash Drive

STEP 5

Once the computer starts to boot up from the USB disk, follow the screens and directions below.


You will need to open NOTEPAD.EXE to help find out which drive is your Windows drive and which drive is your USB disk drive you just created


For the more advanced user you could also use DISKPART to help locate which drive is mapped to your USB disk. In most cases the USB disk will be either D: or E: but depending on hardware the drive could be a much higher level such as H: or higher.

Example only - your hardware will look different

DISKPART> list volume

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
  Volume 0     Z                       DVD-ROM         0 B  No Media
  Volume 1     C                NTFS   Partition    931 GB  Healthy    System
  Volume 2     Q   SEA-USB-4.0  NTFS   Partition   3725 GB  Healthy
  Volume 3     D                NTFS   Removable   7636 MB  Healthy

Go back to the DOS Command Prompt (if you used DISKPART type in Exit and press the Enter key) and type in the following and press the Enter key.

CD /D D: (or E: or whichever drive letter the USB stick is on)

Then type in CD\
and press the Enter key to get to the root or top of the USB disk.

Then type in FRST or FRST64 (depending on which version your computer uses) and click the Scan button.

A log called FRST.txt will be saved on your USB Flash Drive. Attach it in your next reply.

If all went well you should now be able to boot into Normal Mode and run Malwarebytes and run a Threat Scan to have it finish the removal process.

Please post the FRST.txt, Addition.txt and the MBAM log for my review.

Let me know what problem persists.

#4 SirEdward43
  • Topic Starter
  • Members
  • 11 posts

Posted 03 May 2018 - 05:46 PM

Thanks for the responses! I'll go ahead and respond to Aura first - here's the Log that FRST generated for me:

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 03.05.2018
Ran by Ash (03-05-2018 15:40:51) Run:1
Running from C:\Users\Ash\Desktop
Loaded Profiles: Ash (Available Profiles: Ash)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
CMD: bcdedit.exe /set {bootmgr} displaybootmenu yes
CMD: bcdedit.exe /set {default} recoveryenabled yes
 
*****************
 
 
========= bcdedit.exe /set {bootmgr} displaybootmenu yes =========
 
The operation completed successfully.
 
========= End of CMD: =========
 
 
========= bcdedit.exe /set {default} recoveryenabled yes =========
 
The operation completed successfully.
 
========= End of CMD: =========
 
 
==== End of Fixlog 15:40:52 ====
 
 
 
 
In response to Nasdaq's post: I'll give that a shot as soon as I get a chance, thanks for posting all of that. I do want to let you know that the link you provided for accessing Boot options (https://craftedflash.com/info/how-boot-computer-from-usb-flash-drive) seems to be broken and resulting in an SQL error. 
 
Thank you two for the responses, again! 


#5 nasdaq
  • Malware Response Team
  • 39,578 posts
  • Location:Montreal, QC. Canada

Posted 04 May 2018 - 07:39 AM

Aura

Sorry Aura, I should have checked before posting 5 minutes after you.

#6 Aura
    Bleepin' Special Ops
  • Malware Response Team
  • 19,664 posts

Posted 04 May 2018 - 07:41 AM

All good nasdaq, no worries :)

SirEdward43, you can follow nasdaq's instructions, as my next set of instructions was the same as the ones he provided. I'll be waiting for the FRST.txt log.



#7 SirEdward43
  • Topic Starter
  • Members
  • 11 posts

Posted 04 May 2018 - 05:39 PM

Hey there!

 

Aura:

 

Here's an updated FRST.txt log, just ran it again to create the log.

 

nasdaq:

 

I've obtained a USB stick, but I'm having some difficulty getting around to making the image. I'll hopefully get that done in the next few days, but I've had a somewhat chaotic couple of days. I really appreciate the help you two are providing!

Attached Files

  • Attached File  FRST.txt   27.58KB   3 downloads


#8 Aura
    Bleepin' Special Ops
  • Malware Response Team
  • 19,664 posts

Posted 05 May 2018 - 10:40 AM

What kind of issues are you running into when trying to make the Windows 10 bootable USB?



#9 SirEdward43
  • Topic Starter
  • Members
  • 11 posts

Posted 05 May 2018 - 04:48 PM

Nothing technical in nature. I only have this one laptop to use at the moment and since I can't create the bootable USB from it, as it's infected, I need to get one of my buddies to let me use their computer. The problem here is scheduling conflicts, since everyone has plans for the weekend. But I'll get a bootable USB as soon as I can and report my progress.


Edited by SirEdward43, 05 May 2018 - 04:48 PM.


#10 Aura
    Bleepin' Special Ops
  • Malware Response Team
  • 19,664 posts

Posted 05 May 2018 - 05:30 PM

Alright that's good. I'll be waiting :)



#11 SirEdward43
  • Topic Starter
  • Members
  • 11 posts

Posted 07 May 2018 - 08:04 PM

Alright, I was able to get the Repair drive created, got it on the infected machine and ran FRST. Attached are the FRST and MBAM reports.

 

So far it does seem that the machine is running much better, and I'm not seeing any of the suspicious programs any longer.

 

Attached File  MBAM.txt   1.23KB   3 downloads

 

Attached File  FRST.txt   16.92KB   2 downloads



#12 Aura
    Bleepin' Special Ops
  • Malware Response Team
  • 19,664 posts

Posted 08 May 2018 - 08:49 AM

Good :) Now let's do a sweep with RogueKiller and AdwCleaner.

RogueKiller
  • Download the right version of RogueKiller for your Windows version (32 or 64-bit)
  • Once done, move the executable file to your Desktop, right-click on it and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Click on the Start Scan button in the right panel, which will bring you to another tab, and click on it again (this time it'll be in the bottom right corner)
  • Wait for the scan to complete
  • On completion, the results will be displayed
  • Check every single entry (threat found), and click on the Remove Selected button
  • On completion, the results will be displayed. Click on the Open Report button in the bottom left corner, followed by the Open TXT button (also in the bottom left corner)
  • This will open the report in Notepad. Copy/paste its content in your next reply
AdwCleaner - Fix Mode
  • Download AdwCleaner and move it to your Desktop
  • Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the EULA (I accept), then click on Scan
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Clean button. This will kill all active processes
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply
Your next reply(ies) should therefore contain:
  • Copy/pasted RogueKiller clean log
  • Copy/pasted AdwCleaner clean log



#13 SirEdward43
  • Topic Starter
  • Members
  • 11 posts

Posted 09 May 2018 - 07:16 PM

Alright, both of those found a few things, so thanks for the suggestion. Thanks again for the guidance through this overall!

 

So, here's the RogueKiller Log:

 

RogueKiller V12.12.16.0 (x64) [May  4 2018] (Free) by Adlice Software
 
Operating System : Windows 10 (10.0.16299) 64 bits version
Started in : Normal mode
User : Ash [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Delete -- Date : 05/09/2018 15:53:58 (Duration : 01:07:19)
 
¤¤¤ Processes : 0 ¤¤¤
 
¤¤¤ Registry : 9 ¤¤¤
[Adw.Applica] (X64) HKEY_LOCAL_MACHINE\Software\idot -> Deleted
[Adw.Applica] (X86) HKEY_LOCAL_MACHINE\Software\idot -> Deleted
[PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\xs -> Not selected
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-1718776949-1027959391-2772839030-1001\Software\Microsoft\Internet Explorer\Main | Start Page :
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-1718776949-1027959391-2772839030-1001\Software\Microsoft\Internet Explorer\Main | Start Page :
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-1718776949-1027959391-2772839030-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL :
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-1718776949-1027959391-2772839030-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL :
[PUP.Gen1] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{AAD12993-A12E-4921-8D70-EFA0DBEAA6DF}C:\users\ash\appdata\local\popcorn time\nw.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\users\ash\appdata\local\popcorn time\nw.exe|Name=nw.exe|Desc=nw.exe|Defer=User| [x] -> Not selected
[PUP.Gen1] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{0955CFAC-4A59-4CC9-868C-D959BA0DE650}C:\users\ash\appdata\local\popcorn time\nw.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\users\ash\appdata\local\popcorn time\nw.exe|Name=nw.exe|Desc=nw.exe|Defer=User| [x] -> Not selected
 
¤¤¤ Tasks : 0 ¤¤¤
 
¤¤¤ Files : 2 ¤¤¤
[Root.Wajam][File] C:\Windows\System32\drivers\60f7b1282897725087b70910aca85402.sys -> Deleted
[Adw.Applica][Folder] C:\Program Files (x86)\applica -> Deleted
[Adw.Applica][File] C:\Program Files (x86)\applica\applica.exe -> Deleted
 
¤¤¤ WMI : 0 ¤¤¤
 
¤¤¤ Hosts File : 0 ¤¤¤
 
¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: HGST HTS541010A9E680 +++++
--- User ---
[MBR] b97d5d3bcb1fe844cce70fd2f7d531e7
[BSP] 3c89f8f171eec30db6b0d5ca3a0ac618 : Empty MBR Code
Partition table:
0 - [MAN-MOUNT] EFI system partition | Offset (sectors): 2048 | Size: 100 MB
1 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 206848 | Size: 900 MB
2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 2050048 | Size: 128 MB
3 - Basic data partition | Offset (sectors): 2312192 | Size: 931336 MB
4 - [SYSTEM][MAN-MOUNT]  | Offset (sectors): 1909690368 | Size: 912 MB
5 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 1911560192 | Size: 20490 MB
User = LL1 ... OK
User = LL2 ... OK
 
 
 
 
And here is the AdwCleaner Log:
 
# -------------------------------
# Malwarebytes AdwCleaner 7.1.1.0
# -------------------------------
# Build:    04-27-2018
# Database: 2018-05-09.1
#
# -------------------------------
# Mode: Clean
# -------------------------------
# Start:    05-09-2018
# Duration: 00:00:05
# OS:       Windows 10 Home
# Cleaned:  9
# Failed:   0
 
 
***** [ Services ] *****
 
No malicious services cleaned.
 
***** [ Folders ] *****
 
No malicious folders cleaned.
 
***** [ Files ] *****
 
No malicious files cleaned.
 
***** [ DLL ] *****
 
No malicious DLLs cleaned.
 
***** [ WMI ] *****
 
No malicious WMI cleaned.
 
***** [ Shortcuts ] *****
 
No malicious shortcuts cleaned.
 
***** [ Tasks ] *****
 
Deleted       C:\Windows\System32\Tasks\AGProxyCheck
 
***** [ Registry ] *****
 
Deleted       HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{0F22D3F8-025B-4F70-88AF-EA2D9494AACB} 
Deleted       HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AGProxyCheck
Deleted       HKLM\Software\Wow6432Node\xs
Deleted       HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|UDP Query User{0955CFAC-4A59-4CC9-868C-D959BA0DE650}C:\users\ash\appdata\local\popcorn time\nw.exe
Deleted       HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|TCP Query User{AAD12993-A12E-4921-8D70-EFA0DBEAA6DF}C:\users\ash\appdata\local\popcorn time\nw.exe
 
***** [ Chromium (and derivatives) ] *****
 
Deleted       MSN Homepage & Bing Search Engine
 
***** [ Chromium URLs ] *****
 
Deleted       Ask
Deleted       AOL
 
***** [ Firefox (and derivatives) ] *****
 
No malicious Firefox entries cleaned.
 
***** [ Firefox URLs ] *****
 
No malicious Firefox URLs cleaned.
 
 
*************************
 
[+] Delete Tracing Keys
[+] Reset Winsock
 
*************************
 
 
########## EOF - C:\AdwCleaner\Logs\AdwCleaner[C00].txt ##########
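Two kinds of findings in the logs above are worth being able to spot without a scanner: the firewall entries (both tools report them as one pipe-delimited string per value under FirewallPolicy\FirewallRules, allowing inbound traffic to a program under a user's AppData folder), and the Root.Wajam driver whose file name is 32 hex characters. The script below is an added triage example, not part of this thread and not a RogueKiller or AdwCleaner feature: it parses that rule format, flags active inbound Allow rules whose program lives under a per-user profile path, and lists drivers with hash-like names together with their Authenticode status. The two sample values are copied from the RogueKiller log above; the third sample rule, the registry path, the AppData heuristic and the function names are this example's own assumptions.

```powershell
# Added triage example (not from the thread, not a RogueKiller/AdwCleaner
# feature). Parses Windows firewall rule value strings of the form
#   v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=...|Name=...|
# flags inbound Allow rules for programs in user-writable profile paths, and
# lists kernel drivers whose file name is a bare 32-hex-digit hash.

function ConvertFrom-FirewallRuleValue {
    param([Parameter(Mandatory)] [string] $Name, [Parameter(Mandatory)] [string] $Value)
    $parts  = $Value -split '\|'
    $fields = [ordered]@{ RuleName = $Name; Version = $parts[0] }   # first field is the format version
    foreach ($part in ($parts | Select-Object -Skip 1)) {
        if ($part -match '^([^=]+)=(.*)$') { $fields[$Matches[1]] = $Matches[2] }
    }
    return [pscustomobject]$fields
}

function Test-SuspiciousFirewallRule {
    param([Parameter(Mandatory)] $Rule)
    # Active, inbound Allow rule whose program sits under \Users\<name>\AppData\:
    # PUPs and malware install there because no admin rights are needed to write it,
    # and a "Query User" rule is created silently when the user clicks Allow once.
    return ($Rule.Action -eq 'Allow' -and $Rule.Dir -eq 'In' -and $Rule.Active -eq 'TRUE' -and
            $Rule.App -match '(?i)\\users\\[^\\]+\\appdata\\')
}

function Get-FirewallRuleFindings {
    param([hashtable] $Rules)   # name -> value string; omit to read the live registry
    if (-not $Rules) {
        $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules'
        $Rules = @{}
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -notlike 'PS*') { $Rules[$p.Name] = [string]$p.Value }   # skip provider metadata
        }
    }
    foreach ($name in $Rules.Keys) {
        $r = ConvertFrom-FirewallRuleValue -Name $name -Value $Rules[$name]
        if (Test-SuspiciousFirewallRule $r) { $r | Select-Object RuleName, Dir, Action, Profile, App }
    }
}

function Get-HashNamedDrivers {
    param([string] $Dir = "$env:SystemRoot\System32\drivers")
    # A 32-hex-digit file name (as in the Root.Wajam entry in the log) is a cheap way
    # to give a driver a unique, meaningless name; report each with its signature status.
    Get-ChildItem -Path $Dir -Filter '*.sys' -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^[0-9a-fA-F]{32}\.sys$' } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{ Path = $_.FullName; Signature = $sig.Status; Signer = $sig.SignerCertificate.Subject }
        }
}

# Constructed sample: the two values from the RogueKiller log above plus one
# made-up built-in-style rule (App=System) that should not be flagged.
$sample = @{
    'TCP Query User{AAD12993-A12E-4921-8D70-EFA0DBEAA6DF}C:\users\ash\appdata\local\popcorn time\nw.exe' = 'v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\users\ash\appdata\local\popcorn time\nw.exe|Name=nw.exe|Desc=nw.exe|Defer=User|'
    'UDP Query User{0955CFAC-4A59-4CC9-868C-D959BA0DE650}C:\users\ash\appdata\local\popcorn time\nw.exe' = 'v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\users\ash\appdata\local\popcorn time\nw.exe|Name=nw.exe|Desc=nw.exe|Defer=User|'
    'Example-RDP' = 'v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|LPort=3389|App=System|Name=Remote Desktop|'
}

Get-FirewallRuleFindings -Rules $sample | Format-Table -AutoSize   # flags only the two nw.exe rules
Get-FirewallRuleFindings | Format-Table -AutoSize                  # same check against this machine
Get-HashNamedDrivers | Format-Table -AutoSize                      # live check of this machine's drivers
```

Reading the FirewallRules key directly, rather than through Get-NetFirewallRule, has one advantage for clean-up work: the same parser runs unchanged against a hive exported from the infected disk while it is booted from the recovery USB, so you can triage before the system is ever started normally again.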
 
 
 


#14 Aura
    Bleepin' Special Ops
  • Malware Response Team
  • 19,664 posts

Posted 10 May 2018 - 07:33 AM

Good :) Now please run a new scan with FRST and provide me a fresh set of logs. I'll look for remnants.



#15 SirEdward43
  • Topic Starter
  • Members
  • 11 posts

Posted 10 May 2018 - 09:23 PM

Here's the FRST log as well as an Additional log that was generated with it.

Attached Files





