
Infected with malware after trying to install KMSpico

19 replies to this topic

#16 Oh My!
  • Malware Response Instructor
  • 37,372 posts

Posted 15 September 2018 - 07:36 PM

Greetings Stefan.

Thank you for going through all the extra work.

Due to the severity of the infection(s) we are going to be a bit aggressive in cleaning your computer.

Please do this in Normal Boot.

===================================================

Uninstalling Programs Using Revo Uninstaller Free

--------------------

I recommend uninstalling the below listed program(s) from your computer.
  • Please download and install Revo Uninstaller Free
  • Right click Revo Uninstaller and select Run as administrator
  • From the list of programs double click on the listed program(s), or anything similar, to remove it (if it exists):
      SSDOptimizerV13
  • Click Yes to any warning screen that may appear
  • If presented with the program uninstall option click Uninstall
  • If asked to restart now click No
  • Under Scanning Modes select Advanced then select Scan
  • On the Found leftover Registry items window click Select All, Delete, then Yes
  • If prompted click on Next
  • On the Found leftover files and folders window click on Select all, Delete, Yes, OK on any warning screen, then Finish
===================================================

Farbar's Recovery Scan Tool - Run Fix in Normal or Safe Mode

--------------------
  • Right click on the FRST icon and select Run as administrator
  • Highlight the below information then hit the Ctrl + C keys at the same time
  • The information will be copied invisibly and will be "pasted" into FRST automatically when you click Fix as instructed below
Start::
StartPowershell:
enable-computerrestore -drive "c:\"
vssadmin resize shadowstorage /on=c: /for=c: /maxsize=5%
checkpoint-computer -description "Done"
EndPowershell:
CloseProcesses:
HKU\S-1-5-21-198283595-3172470215-2829322620-1001\...\MountPoints2: {32128517-8c53-11e8-9718-806e6f6e6963} - "E:\autostart.exe"
2018-09-10 20:37 - 2018-09-10 20:55 - 000000000 ____D C:\ProgramData\zVmiMcGqez
2018-09-10 20:36 - 2018-09-10 20:55 - 000000000 ____D C:\Windows\SysWOW64\hfoxekvy
2018-09-10 20:36 - 2018-09-10 20:41 - 000000000 ____D C:\Users\Desktopper\AppData\Roaming\Windows RTL Handler
2018-09-10 20:36 - 2018-09-10 20:36 - 000000116 _____ C:\ProgramData\ythdg.exe
2018-09-10 20:35 - 2018-09-10 20:35 - 000003072 _____ C:\Users\Desktopper\AppData\Local\asSSDOptimizerV13.exe
2018-09-02 17:37 - 2018-09-02 17:37 - 001849788 _____ C:\Users\Desktopper\Downloads\TOMB RAIDER 2018 1080p BluRay.nzb
2018-08-29 21:51 - 2018-08-29 21:51 - 001094982 _____ C:\Users\Desktopper\Downloads\facqpmAuyrLJFhXs.par2.nzb
2018-08-29 20:16 - 2018-08-29 20:16 - 003409276 _____ C:\Users\Desktopper\Downloads\F4dMHokfJzk8qB.par2.nzb
2018-08-29 20:14 - 2018-08-29 20:14 - 000599358 _____ C:\Users\Desktopper\Downloads\97HYEWS258DF7G5G23RR65GLK88FF8.nzb
2018-08-29 20:13 - 2018-08-29 20:13 - 000591695 _____ C:\Users\Desktopper\Downloads\97HYEWS258DF7G5G23RR65GLK88FF8.par2.nzb
2018-08-16 22:08 - 2018-08-16 22:08 - 000287359 _____ C:\Users\Desktopper\Downloads\060418BIA14A.nzb
2018-08-16 22:06 - 2018-08-16 22:06 - 001324170 _____ C:\Users\Desktopper\Downloads\Bumba - In De Far West.nzb
cmd: netsh winsock reset catalog
cmd: netsh int ip reset C:\resettcpip.txt
cmd: netsh advfirewall reset
cmd: netsh advfirewall set allprofiles state ON
cmd: Bitsadmin /Reset /Allusers
cmd: ipconfig /flushdns
Removeproxy:
emptytemp:
End::
  • Click Fix
  • When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
  • Note: This step resets your Firewall settings and you may be asked later to grant permission for legitimate programs to pass through the Firewall. If you recognize the program agree to the request.
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • Program uninstall?
  • Fixlog
  • Update on computer performance

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"May you be richly rewarded by the Lord, the God of Israel, under whose wings you have come to take refuge."

#17 DevelishBuffalo
  • Topic Starter
  • Members
  • 11 posts

Posted 16 September 2018 - 01:23 PM

Hello Gary,

Using Revo I uninstalled SSDOptimizer. After using the fix option in FRST and restarting my computer, the symptoms seem to be gone.

Fixlog:

Fix result of Farbar Recovery Scan Tool (x64) Version: 15.09.2018
Ran by Desktopper (16-09-2018 20:18:23) Run:1
Running from D:\
Loaded Profiles: Desktopper (Available Profiles: Desktopper)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
StartPowershell:
enable-computerrestore -drive "c:\"
vssadmin resize shadowstorage /on=c: /for=c: /maxsize=5%
checkpoint-computer -description "Done"
EndPowershell:
CloseProcesses:
HKU\S-1-5-21-198283595-3172470215-2829322620-1001\...\MountPoints2: {32128517-8c53-11e8-9718-806e6f6e6963} - "E:\autostart.exe"
2018-09-10 20:37 - 2018-09-10 20:55 - 000000000 ____D C:\ProgramData\zVmiMcGqez
2018-09-10 20:36 - 2018-09-10 20:55 - 000000000 ____D C:\Windows\SysWOW64\hfoxekvy
2018-09-10 20:36 - 2018-09-10 20:41 - 000000000 ____D C:\Users\Desktopper\AppData\Roaming\Windows RTL Handler
2018-09-10 20:36 - 2018-09-10 20:36 - 000000116 _____ C:\ProgramData\ythdg.exe
2018-09-10 20:35 - 2018-09-10 20:35 - 000003072 _____ C:\Users\Desktopper\AppData\Local\asSSDOptimizerV13.exe
2018-09-02 17:37 - 2018-09-02 17:37 - 001849788 _____ C:\Users\Desktopper\Downloads\TOMB RAIDER 2018 1080p BluRay.nzb
2018-08-29 21:51 - 2018-08-29 21:51 - 001094982 _____ C:\Users\Desktopper\Downloads\facqpmAuyrLJFhXs.par2.nzb
2018-08-29 20:16 - 2018-08-29 20:16 - 003409276 _____ C:\Users\Desktopper\Downloads\F4dMHokfJzk8qB.par2.nzb
2018-08-29 20:14 - 2018-08-29 20:14 - 000599358 _____ C:\Users\Desktopper\Downloads\97HYEWS258DF7G5G23RR65GLK88FF8.nzb
2018-08-29 20:13 - 2018-08-29 20:13 - 000591695 _____ C:\Users\Desktopper\Downloads\97HYEWS258DF7G5G23RR65GLK88FF8.par2.nzb
2018-08-16 22:08 - 2018-08-16 22:08 - 000287359 _____ C:\Users\Desktopper\Downloads\060418BIA14A.nzb
2018-08-16 22:06 - 2018-08-16 22:06 - 001324170 _____ C:\Users\Desktopper\Downloads\Bumba - In De Far West.nzb
cmd: netsh winsock reset catalog
cmd: netsh int ip reset C:\resettcpip.txt
cmd: netsh advfirewall reset
cmd: netsh advfirewall set allprofiles state ON
cmd: Bitsadmin /Reset /Allusers
cmd: ipconfig /flushdns
Removeproxy:
emptytemp:
 
*****************
 
 
========= Powershell: =========
 
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
© Copyright 2001-2013 Microsoft Corp.
 
Successfully resized the shadow copy storage association
 
========= End of Powershell: =========
 
Processes closed successfully.
"HKU\S-1-5-21-198283595-3172470215-2829322620-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{32128517-8c53-11e8-9718-806e6f6e6963}" => removed successfully
HKLM\Software\Classes\CLSID\{32128517-8c53-11e8-9718-806e6f6e6963} => not found
C:\ProgramData\zVmiMcGqez => moved successfully
C:\Windows\SysWOW64\hfoxekvy => moved successfully
C:\Users\Desktopper\AppData\Roaming\Windows RTL Handler => moved successfully
C:\ProgramData\ythdg.exe => moved successfully
"C:\Users\Desktopper\AppData\Local\asSSDOptimizerV13.exe" => not found
C:\Users\Desktopper\Downloads\TOMB RAIDER 2018 1080p BluRay.nzb => moved successfully
C:\Users\Desktopper\Downloads\facqpmAuyrLJFhXs.par2.nzb => moved successfully
C:\Users\Desktopper\Downloads\F4dMHokfJzk8qB.par2.nzb => moved successfully
C:\Users\Desktopper\Downloads\97HYEWS258DF7G5G23RR65GLK88FF8.nzb => moved successfully
C:\Users\Desktopper\Downloads\97HYEWS258DF7G5G23RR65GLK88FF8.par2.nzb => moved successfully
C:\Users\Desktopper\Downloads\060418BIA14A.nzb => moved successfully
C:\Users\Desktopper\Downloads\Bumba - In De Far West.nzb => moved successfully
 
========= netsh winsock reset catalog =========
 
 
Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.
 
 
========= End of CMD: =========
 
 
========= netsh int ip reset C:\resettcpip.txt =========
 
Resetting Compartment Forwarding, OK!
Resetting Compartment, OK!
Resetting Control Protocol, OK!
Resetting Echo Sequence Request, OK!
Resetting Global, OK!
Resetting Interface, OK!
Resetting Anycast Address, OK!
Resetting Multicast Address, OK!
Resetting Unicast Address, OK!
Resetting Neighbor, OK!
Resetting Path, OK!
Resetting Potential, OK!
Resetting Prefix Policy, OK!
Resetting Proxy Neighbor, OK!
Resetting Route, OK!
Resetting Site Prefix, OK!
Resetting Subinterface, OK!
Resetting Wakeup Pattern, OK!
Resetting Resolve Neighbor, OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , failed.
Toegang geweigerd.
 
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Resetting , OK!
Restart the computer to complete this action.
 
 
========= End of CMD: =========
 
 
========= netsh advfirewall reset =========
 
Ok.
 
 
========= End of CMD: =========
 
 
========= netsh advfirewall set allprofiles state ON =========
 
Ok.
 
 
========= End of CMD: =========
 
 
========= Bitsadmin /Reset /Allusers =========
 
 
BITSADMIN version 3.0
BITS administration utility.
© Copyright Microsoft Corp.
 
{A26EADC0-C040-46C0-9522-A4CFA2CB44E5} canceled.
{3FC71BF5-FCAE-4CA8-BAD6-A42427ED2F4C} canceled.
2 out of 2 jobs canceled.
 
========= End of CMD: =========
 
 
========= ipconfig /flushdns =========
 
 
Windows IP Configuration
 
Successfully flushed the DNS Resolver Cache.
 
========= End of CMD: =========
 
 
========= RemoveProxy: =========
 
"HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings" => removed successfully
"HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings" => removed successfully
"HKU\S-1-5-21-198283595-3172470215-2829322620-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings" => removed successfully
"HKU\S-1-5-21-198283595-3172470215-2829322620-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings" => removed successfully
 
 
========= End of RemoveProxy: =========
 
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 7888896 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 36193205 B
Java, Flash, Steam htmlcache => 32869640 B
Windows/system/drivers => 2072691 B
Edge => 3006174 B
Chrome => 619684480 B
Firefox => 0 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 0 B
LocalService => 12606 B
LocalService => 0 B
NetworkService => 194368 B
NetworkService => 0 B
Desktopper => 53944692 B
 
RecycleBin => 60 B
EmptyTemp: => 720.9 MB temporary data Removed.
 
================================
 
 
The system needed a reboot.
 
==== End of Fixlog 20:18:57 ====
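A Fixlog like the one above is long, and the lines that matter for a reviewer are few: which listed items FRST actually removed or quarantined, which were already gone ("not found", which can mean the malware cleaned up after itself or the path was wrong), which embedded commands reported a failure (here the `netsh int ip reset` step hit an access-denied error), and whether a reboot was requested. The following Python script is an added example, not part of this thread and not FRST's own code; it parses lines of the Fixlog shape shown above and builds that summary. The sample input is a constructed, shortened excerpt modelled on the posted log.

```python
"""Summarise an FRST Fixlog (added example; not FRST's own tooling)."""
import re

# Constructed sample in the shape of the Fixlog posted above (shortened).
SAMPLE_FIXLOG = r"""
Processes closed successfully.
"HKU\S-1-5-21-198283595-3172470215-2829322620-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{32128517-8c53-11e8-9718-806e6f6e6963}" => removed successfully
HKLM\Software\Classes\CLSID\{32128517-8c53-11e8-9718-806e6f6e6963} => not found
C:\ProgramData\zVmiMcGqez => moved successfully
C:\Windows\SysWOW64\hfoxekvy => moved successfully
C:\ProgramData\ythdg.exe => moved successfully
"C:\Users\Desktopper\AppData\Local\asSSDOptimizerV13.exe" => not found

========= netsh int ip reset C:\resettcpip.txt =========

Resetting Route, OK!
Resetting , failed.
Toegang geweigerd.

========= End of CMD: =========

=========== EmptyTemp: ==========

Chrome => 619684480 B
EmptyTemp: => 720.9 MB temporary data Removed.

================================

The system needed a reboot.

==== End of Fixlog 20:18:57 ====
"""

# "<item> => <status>" result lines; the item may be wrapped in double quotes.
RESULT_RE = re.compile(r'^"?(?P<item>.+?)"?\s+=>\s+(?P<status>.+?)\s*$')
# Section banners such as "========= netsh winsock reset catalog =========".
SECTION_RE = re.compile(r'^=+\s*(?P<name>[^=\s].*?)\s*=+$')


def parse_fixlog(text):
    """Return a summary dict of a Fixlog.

    removed        - items FRST removed (registry) or moved to its quarantine (files)
    not_found      - listed items that no longer existed when the fix ran
    other          - "=>" lines that are statistics rather than item results
    failed_commands - sections whose command output contained the word 'failed'
    reboot_required - True if FRST reported that a reboot was needed
    """
    summary = {"removed": [], "not_found": [], "other": [],
               "failed_commands": [], "reboot_required": False}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            name = m.group("name")
            # "End of ..." banners close the current section.
            section = None if name.startswith("End of") else name
            continue
        m = RESULT_RE.match(line)
        if m:
            item, status = m.group("item"), m.group("status")
            if status.endswith("successfully"):
                summary["removed"].append(item)
            elif status == "not found":
                summary["not_found"].append(item)
            else:
                summary["other"].append((item, status))
            continue
        # A failure inside a command section (e.g. an access-denied netsh step).
        if section and re.search(r"\bfailed\b", line, re.IGNORECASE):
            if section not in summary["failed_commands"]:
                summary["failed_commands"].append(section)
        if line.startswith("The system needed a reboot"):
            summary["reboot_required"] = True
    return summary


def report(summary):
    """Render the summary as short review text."""
    lines = [f"removed/quarantined: {len(summary['removed'])}",
             f"not found: {len(summary['not_found'])}"]
    lines += [f"  - {item}" for item in summary["not_found"]]
    lines += [f"command reported failure: {name}" for name in summary["failed_commands"]]
    lines.append(f"reboot required: {summary['reboot_required']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(parse_fixlog(SAMPLE_FIXLOG)))
```

"Not found" entries are worth a second look in the next FRST scan rather than being taken as success, and a command section that reports a failure (here the IP reset) usually just means that step should be repeated after the reboot FRST asked for.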


#18 Oh My!
  • Malware Response Instructor
  • 37,372 posts

Posted 16 September 2018 - 04:34 PM

Excellent.

Please run this scan.

===================================================

ESET Online Scanner

--------------------

I'd like us to scan your machine with ESET Online Scanner. This process may take several hours; that is normal.
  • Download esetsmartinstaller_enu.exe and save it to your Desktop
  • Double click the icon
  • Check YES, I accept the Terms of Use
  • Click the Start button
  • Accept any security warnings from your browser
  • Click Advanced settings
  • Check the following items:
      Enable detection of potentially unwanted applications
      Remove found threats
      Scan archives
      Scan for potentially unsafe applications
      Enable Anti-Stealth technology
  • Click Start
  • ESET will then download updates and begin scanning your computer
  • If no threats are found simply click Uninstall application on close and hit Finish
  • If threats are found click List of found threats
  • Click Export to text file
  • Save the file on your Desktop as ESET.txt
  • Click Back
  • Review the list of entries and if there are any you want to keep stop and copy/paste the ESET.txt report in your reply for my review
  • If you do not wish to keep any of the entries check Uninstall application on close and Delete quarantined files
  • Click Finish
  • Close the ESET Online Scanner window
  • Copy and paste the contents of ESET.txt in your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
  • ESET log
  • How is your computer running?

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"May you be richly rewarded by the Lord, the God of Israel, under whose wings you have come to take refuge."

#19 DevelishBuffalo
  • Topic Starter
  • Members
  • 11 posts

Posted Yesterday, 01:55 PM

Hi Gary,

Unfortunately I won't be able to run these steps today. I will come back to you around this time tomorrow.

#20 DevelishBuffalo
  • Topic Starter
  • Members
  • 11 posts

Posted Today, 01:29 PM

Hello Gary,

ESET Online Scanner didn't find anything. On top of that my computer is running great, I haven't had any more ads or redirected links!

It looks like my problem is solved!

Thank you very much for your help and time, you're a lifesaver!

Greetings Stefan
