Can't Get Rid of Malware/Adware
Thread from Tech Support Forum (Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads).

#1 - 05-31-2015, 06:18 AM - kinsouls (Registered Member; joined May 2015; OS: Win8.1)

I have some malware or adware on my PC. I somehow downloaded some program called CrossBrowse and WebShield. It also came with a bunch of little programs; one of them was named Storm Watch, and I can't remember the others because I used IObit Uninstaller instantly. Now I have random pop-ups and Web Shield ads. For example, there would be certain words that have a double blue line under them, and when I hover over them they show a Web Shield ad. I have done a scan using AdwCleaner 4.205 and it found some stuff pertaining to it but didn't fix it. I also did a scan with Malwarebytes; it didn't come up with anything. Hitman Pro found some stuff but didn't fix the problem.

Please, any help will be greatly appreciated.
#2 - 05-31-2015, 02:29 PM - chemist (Security Team; Moderator, Analyst; Rangemaster, TSF Academy; Microsoft Most Valuable Professional; joined Oct 2007; Location: Georgia; OS: XP/Win7/Win10)

Hello and Welcome to TSF.

If you haven't already, please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

Please download AdwCleaner from here and save it to your desktop.
  • Do NOT click the green 'Download' button(if visible).
  • Click the blue 'Download now @bleepingcomputer' button.
  • Run AdwCleaner and select Scan
  • Once the Scan is done, select Cleaning
  • Once done it will ask to reboot, please allow the reboot.
  • On reboot, a log will be produced. It can also be found at C:\AdwCleaner\AdwCleaner[S#].txt
  • Please copy/paste the contents of the log in your next reply.
------------------------------------------------------

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
If you are not sure which version applies to your system download both of them and try to run them.
Only one of them will run on your system, that will be the right version.
  • Double-click to run it. When the tool opens click Yes to the disclaimer.
  • Make sure the Addition.txt button is ticked.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
#3 - 05-31-2015, 04:44 PM - kinsouls (Registered Member; joined May 2015; OS: Win8.1)

Sorry, I thought I added those files to my post, but I didn't hit Upload. Let me try again.
Here is the first log of AdwCleaner:

# AdwCleaner v4.205 - Logfile created 30/05/2015 at 03:46:48
# Updated 21/05/2015 by Xplode
# Database : 2015-05-25.3 [Server]
# Operating system : Windows 8.1 Pro (x64)
# Username : Soul - PIRATESOULUTION
# Running from : S:\Users\Soul\Downloads\adwcleaner_4.205.exe
# Option : Scan

***** [ Services ] *****


***** [ Files / Folders ] *****

File Found : C:\Users\DAVIDM\AppData\Roaming\Mozilla\Firefox\Profiles\rqieas38.default\user.js
File Found : C:\Windows\patsearch.bin
Folder Found : C:\Program Files (x86)\Crossbrowse
Folder Found : C:\Program Files (x86)\predm
Folder Found : C:\ProgramData\~0
Folder Found : C:\ProgramData\Right Soft
Folder Found : C:\Users\DAVIDM\AppData\Local\eSupport.com
Folder Found : C:\Users\DAVIDM\AppData\Local\SearchProtect
Folder Found : C:\Users\DAVIDM\AppData\Local\Temp\Yula
Folder Found : C:\Users\DAVIDM\AppData\Local\WebShield
Folder Found : C:\Windows\SysWOW64\config\systemprofile\AppData\Local\StormWatch

***** [ Scheduled tasks ] *****

Task Found : Crossbrowse
Task Found : LaunchPreSignup
Task Found : 0ac6e505-f2d3-44e6-b431-360c3665c302-5
Task Found : 0ac6e505-f2d3-44e6-b431-360c3665c302-5_user
Task Found : 0ac6e505-f2d3-44e6-b431-360c3665c302-5
Task Found : 0ac6e505-f2d3-44e6-b431-360c3665c302-5_user

***** [ Shortcuts ] *****


***** [ Registry ] *****

Data Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] - <local>;*.local
Data Found : HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyEnable] - 1
Data Found : HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] - <-loopback>
Data Found : HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyServer] - hxxp=127.0.0.1:63854;hxxps=127.0.0.1:63854
Key Found : HKCU\Software\AppDataLow\Software\Crossrider
Key Found : HKCU\Software\AppDataLow\Software\DynConIE
Key Found : HKCU\Software\ArenaHD
Key Found : HKCU\Software\Bitberry
Key Found : HKCU\Software\Conduit
Key Found : HKCU\Software\CrossBrowser
Key Found : HKCU\Software\Escolade
Key Found : HKCU\Software\eSupport.com
Key Found : HKCU\Software\HighDefAction
Key Found : HKCU\Software\InstalledBrowserExtensions
Key Found : HKCU\Software\onekit
Key Found : HKCU\Software\StormWatchApp
Key Found : HKCU\Software\YorkNewCin
Key Found : [x64] HKCU\Software\ArenaHD
Key Found : [x64] HKCU\Software\Bitberry
Key Found : [x64] HKCU\Software\Conduit
Key Found : [x64] HKCU\Software\CrossBrowser
Key Found : [x64] HKCU\Software\Escolade
Key Found : [x64] HKCU\Software\eSupport.com
Key Found : [x64] HKCU\Software\HighDefAction
Key Found : [x64] HKCU\Software\InstalledBrowserExtensions
Key Found : [x64] HKCU\Software\onekit
Key Found : [x64] HKCU\Software\StormWatchApp
Key Found : [x64] HKCU\Software\YorkNewCin
Key Found : HKLM\SOFTWARE\ArenaHD
Key Found : HKLM\SOFTWARE\Classes\AppID\{4D6A5312-AB4D-41AA-8BED-0E019B87CA11}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{6E993643-8FBC-44FE-BC85-D318495C4D96}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{9C4EFBD5-1ADF-41E6-BE26-AF44326E30E4}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{BA0C978D-D909-49B6-AFE2-8BDE245DC7E6}
Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\nfengeggddojhakldhlpjdlddgkkjkdd
Key Found : HKLM\SOFTWARE\HighDefAction
Key Found : HKLM\SOFTWARE\InstalledBrowserExtensions
Key Found : HKLM\SOFTWARE\Microsoft\Mediaplayer\Shiminclusionlist\crossbrowse.exe
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\crossbrowse.exe
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BA0C978D-D909-49B6-AFE2-8BDE245DC7E6}
Key Found : HKLM\SOFTWARE\StormWatchApp
Key Found : HKLM\SOFTWARE\YorkNewCin
Key Found : [x64] HKLM\SOFTWARE\ArenaHD
Key Found : [x64] HKLM\SOFTWARE\Classes\CLSID\{051E9166-B275-4683-907B-372FAE22BC7C}
Key Found : [x64] HKLM\SOFTWARE\Classes\CLSID\{9C4EFBD5-1ADF-41E6-BE26-AF44326E30E4}
Key Found : [x64] HKLM\SOFTWARE\Classes\CLSID\{E5A7A645-8318-4895-B85C-EDC606B80DB6}
Key Found : [x64] HKLM\SOFTWARE\HighDefAction
Key Found : [x64] HKLM\SOFTWARE\InstalledBrowserExtensions
Key Found : [x64] HKLM\SOFTWARE\WebBar
Key Found : [x64] HKLM\SOFTWARE\YorkNewCin
Value Found : HKLM\SOFTWARE\Classes\.htm\OpenWithProgids [CRSBRWSHTML]
Value Found : HKLM\SOFTWARE\Classes\.html\OpenWithProgids [CRSBRWSHTML]
Value Found : HKLM\SOFTWARE\RegisteredApplications [Crossbrowse]
Value Found : HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings [DefaultConnectionSettings]
Value Found : HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings [SavedLegacySettings]

***** [ Web browsers ] *****

-\\ Internet Explorer v11.0.9600.17416


-\\ Mozilla Firefox v38.0.1 (x86 en-US)

[rqieas38.default] - Line Found : user_pref("extensions.crossrider.bic", "14da28298ef702406e1be9fe3052ad70");

-\\ Google Chrome v43.0.2357.81


*************************

AdwCleaner[R0].txt - [4941 bytes] - [30/05/2015 03:46:48]

########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [5000 bytes] ##########

I also scanned it again because it didn't work:

# AdwCleaner v4.205 - Logfile created 31/05/2015 at 06:28:13
# Updated 21/05/2015 by Xplode
# Database : 2015-05-25.3 [Server]
# Operating system : Windows 8.1 Pro (x64)
# Username : Soul - PIRATESOULUTION
# Running from : S:\Users\Soul\Desktop\adwcleaner_4.205.exe
# Option : Cleaning

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\Users\DAVIDM\AppData\Local\WebShield

***** [ Scheduled tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Data Deleted : HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyServer] - hxxp=127.0.0.1:63854;hxxps=127.0.0.1:63854
Data Deleted : HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyEnable] - 1
Data Deleted : HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] - <-loopback>

***** [ Web browsers ] *****

-\\ Internet Explorer v11.0.9600.17416


-\\ Mozilla Firefox v38.0.1 (x86 en-US)


-\\ Google Chrome v43.0.2357.81


*************************

AdwCleaner[R0].txt - [5155 bytes] - [30/05/2015 03:47:30]
AdwCleaner[R1].txt - [1552 bytes] - [30/05/2015 03:53:29]
AdwCleaner[R2].txt - [1614 bytes] - [30/05/2015 03:57:59]
AdwCleaner[R3].txt - [1729 bytes] - [30/05/2015 05:03:07]
AdwCleaner[R4].txt - [1788 bytes] - [30/05/2015 16:56:34]
AdwCleaner[R5].txt - [1905 bytes] - [31/05/2015 03:57:07]
AdwCleaner[R6].txt - [2022 bytes] - [31/05/2015 06:20:57]
AdwCleaner[R7].txt - [2081 bytes] - [31/05/2015 06:26:54]
AdwCleaner[S0].txt - [4509 bytes] - [30/05/2015 03:49:26]
AdwCleaner[S1].txt - [1398 bytes] - [30/05/2015 03:55:35]
AdwCleaner[S2].txt - [1634 bytes] - [30/05/2015 17:03:39]
AdwCleaner[S3].txt - [1751 bytes] - [31/05/2015 03:58:43]
AdwCleaner[S4].txt - [1788 bytes] - [31/05/2015 06:28:13]

########## EOF - C:\AdwCleaner\AdwCleaner[S4].txt - [1847 bytes] ##########
Attached files: FRST.txt (59.5 KB), Addition.txt (79.5 KB)
#4 - 05-31-2015, 04:50 PM - kinsouls (Registered Member; joined May 2015; OS: Win8.1)

Also, I just noticed something in my IObit Startup Manager tool called VZMmcKoBrp, Manufacturer: Irrational Number Application. I think that has something to do with the WebShield, because when I researched WebShield it said to uninstall WebShield or anything by Irrational Number Application.
#5 - 05-31-2015, 06:41 PM - chemist (Security Team; Moderator, Analyst; Rangemaster, TSF Academy; Microsoft Most Valuable Professional; joined Oct 2007; Location: Georgia; OS: XP/Win7/Win10)

Hello kinsouls.

Check for additional security risks:
  • Please download CKScanner© by askey127 and save it to your desktop.
  • Double-click on CKScanner.exe and click Search For Files.
  • After a very short time, when the cursor hourglass disappears, click Save List To File. You will be prompted, just click OK.
  • Post the contents of ckfiles.txt in your next reply. It is located on your desktop.
------------------------------------------------------
#6 - 05-31-2015, 07:45 PM - kinsouls (Registered Member; joined May 2015; OS: Win8.1)

Here is the CKScanner text:

CKScanner 2.5 - Additional Security Risks - These are not necessarily bad
c:\users\davidm\appdata\local\six networks\shared\tools\mingw\bin\ssh-keygen.exe
c:\users\davidm\appdata\roaming\utorrent\ea games freedom fighters 2003 incl crack and keygen @ only by the rain.torrent
c:\users\davidm\appdata\roaming\utorrent\utorrent 3.4.3 build 40298.torrent
c:\users\osha&pat\desktop\macdrive-v8.0.5.31.zip
scanner sequence 3.FF.11.MLNAPZ
----- EOF -----
#7 - 05-31-2015, 07:47 PM - kinsouls (Registered Member; joined May 2015; OS: Win8.1)

Quote (originally posted by kinsouls):
    Also, I just noticed something in my IObit Startup Manager tool called VZMmcKoBrp, Manufacturer: Irrational Number Application. I think that has something to do with the WebShield, because when I researched WebShield it said to uninstall WebShield or anything by Irrational Number Application.

Also, the file VZMmcKoBrp is under the Services tab in my IObit Startup Manager.
#8 - 05-31-2015, 08:16 PM - chemist (Security Team; Moderator, Analyst; Rangemaster, TSF Academy; Microsoft Most Valuable Professional; joined Oct 2007; Location: Georgia; OS: XP/Win7/Win10)

Quote:
c:\users\davidm\appdata\local\six networks\shared\tools\mingw\bin\ssh-keygen.exe
c:\users\davidm\appdata\roaming\utorrent\ea games freedom fighters 2003 incl crack and keygen @ only by the rain.torrent
c:\users\davidm\appdata\roaming\utorrent\utorrent 3.4.3 build 40298.torrent
C:\Users\Osha&Pat\Desktop\MacDrive-v8.0.5.31-Keygen.included.zip
This is one reason your computer is infected. Visiting cracksites/warezsites - and other questionable/illegal sites is always a risk.

Even a single click on the site can drop multiple forms of very serious malware, many of which disable your onboard protection, and System Restore.

If you install the cracked software, you are running executable files from these dubious, unknown sources. You are in effect giving these sources access to information on your hard disk, and potential control over the operation of your computer.

Additionally, cracked programs are illegal. Before posting for help, we ask that you uninstall any such applications, as indicated in this sticky topic.

Referring to the Forum Rules which you should have read at the time of Registering at this forum, TSF does not support illegal activity. As such, be advised that any request for assistance in removing malware may go unanswered, or may be discontinued, if the cracked (illegal) software is still present on the machine.

A study revealed that more often than not, keygens and crack tools downloaded from peer-to-peer networks contained malicious or "unwanted" software.

------------------------------------------------------

==== Installed Programs ====

µTorrent
Freedom Fighters


------------------------------------------------------
#9 - 05-31-2015, 08:29 PM - kinsouls (Registered Member; joined May 2015; OS: Win8.1)

OK, I removed them all.
#10 - 05-31-2015, 10:45 PM - kinsouls (Registered Member; joined May 2015; OS: Win8.1)

I've found where the malware/spyware is located, as well as the registry location. Should I delete the registry entries and force-uninstall VZMmcKoBrp.exe? There is also another folder inside named data with these two EXE files in it: gFJrbKI.exe and KWFKKYW.exe. I got this from downloading a fake Java Flash update.
#11 - 06-01-2015, 05:50 PM - chemist (Security Team; Moderator, Analyst; Rangemaster, TSF Academy; Microsoft Most Valuable Professional; joined Oct 2007; Location: Georgia; OS: XP/Win7/Win10)

I see the malware. Did you remove the cracked applications via Programs and Features as well?

If so, please run FRST again and post/attach new logs.
#12 - 06-01-2015, 06:36 PM - kinsouls (Registered Member; joined May 2015; OS: Win8.1)

Quote (originally posted by chemist):
    I see the malware. Did you remove the cracked applications via Programs and Features as well?

    If so, please run FRST again and post/attach new logs.

Yes, I removed the cracked applications, and here are the logs.

I also uninstalled the files VZMmcKoBrp.exe, gFJrbKI.exe, and KWFKKYW.exe and deleted the registry entries. This seems to have fixed the problem. There are no double blue lines under words and no random pop-ups when I click on the screen.

Attached files: FRST.txt (65.8 KB), Addition.txt (82.1 KB)
#13 - 06-01-2015, 08:02 PM - chemist (Security Team; Moderator, Analyst; Rangemaster, TSF Academy; Microsoft Most Valuable Professional; joined Oct 2007; Location: Georgia; OS: XP/Win7/Win10)

Hello again, kinsouls. You're still infected.

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

If there are any personal files, pics, etc. on your computer you cannot live without, back them up now just as a precaution.

Emergency Backup Procedure - Tech Support Forum

What happened to Backup and Restore? - Windows Help

You can also download recovery software if you don't have an installation DVD:

Create installation media for Windows 8.1 - Windows Help

------------------------------------------------------

Also, if you haven't done so already, you might want to create a USB recovery drive. It's really easy and quick.

Create a USB recovery drive - Windows Help

------------------------------------------------------

Advanced SystemCare

We do not recommend the use of registry cleaners. Our colleague miekiemoes has an excellent writeup here

We suggest uninstalling them via Programs and Features in your Control Panel.

------------------------------------------------------

I see you have P2P software ( uTorrent ) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

A reference for the risk of these programs is here

I would strongly recommend that you uninstall it. You can do so via Control Panel >> Programs and Features.

------------------------------------------------------

I noticed you have these installed:

Driver Booster
IObit Malware Fighter
IOBit Uninstaller
Smart Defrag
Surfing Protection


Please read this and decide if you want to keep them:

Beware: IObit Malware Fighter

We suggest uninstalling them via Programs and Features in your Control Panel.

------------------------------------------------------
  • Open Notepad (Start > All Programs > Accessories > Notepad).
  • Please copy all the text in the codebox below. (To do this highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad and select Paste).
  • Save it as fixlist.txt next to FRST64.exe

    NOTE: Both FRST64.exe and the fixlist.txt must be in the same location or the fix will not work.


    Code:
    start
    createrestorepoint:
    Task: {2CD7EFF7-D243-4D45-809B-92144202FDA7} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Check for updates => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe
    Task: {398F5847-4A32-498F-9A7D-56CB1AA0FA6C} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Refresh immunization => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDImmunize.exe
    Task: {5DEE9B24-992A-4300-BAE0-E8F42DE4D551} - System32\Tasks\ASC7U_SkipUac_Soul => S:\Program Files (x86)\IObit\Advanced SystemCare Ultimate 7\ASC.exe
    Task: {60DB28FA-D55F-4F0F-B916-191D4487D2A2} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Scan the system => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe
    Task: {808F3917-3132-46E6-A767-7EC12993F2CC} - System32\Tasks\ASC8_PerformanceMonitor => S:\Program Files (x86)\IObit\Advanced SystemCare 8\Monitor.exe [2015-01-23] (IObit)
    Task: {9E01FE44-667A-4E7A-A6B8-F45147E46D91} - System32\Tasks\ASC8_SkipUac_Soul => S:\Program Files (x86)\IObit\Advanced SystemCare 8\ASC.exe [2015-01-27] (IObit)
    Task: {E369AA20-6708-4C63-83AE-0E0B981B7780} - System32\Tasks\Origin => C:\Users\DAVIDM\AppData\Roaming\Origin\update.vbe [2015-03-04] () <==== ATTENTION
    Task: C:\Windows\Tasks\ASC7U_SkipUac_Soul.job => S:\Program Files (x86)\IObit\Advanced SystemCare Ultimate 7\ASC.exe
    Task: C:\Windows\Tasks\ASC8_SkipUac_Soul.job => S:\Program Files (x86)\IObit\Advanced SystemCare 8\ASC.exe
    2015-05-02 16:04 - 2014-07-11 16:04 - 01106720 _____ () S:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe
    2015-05-02 16:04 - 2013-10-25 12:08 - 00517408 _____ () S:\Program Files (x86)\IObit\Advanced SystemCare 8\sqlite3.dll
    2015-05-02 16:04 - 2013-01-15 18:48 - 00348992 _____ () S:\Program Files (x86)\IObit\Advanced SystemCare 8\madExcept_.bpl
    2015-05-02 16:04 - 2013-01-15 18:48 - 00183616 _____ () S:\Program Files (x86)\IObit\Advanced SystemCare 8\madBasic_.bpl
    2015-05-02 16:04 - 2013-01-15 18:48 - 00051008 _____ () S:\Program Files (x86)\IObit\Advanced SystemCare 8\madDisAsm_.bpl
    2015-05-02 16:04 - 2013-01-15 18:47 - 00893248 _____ () S:\Program Files (x86)\IObit\Advanced SystemCare 8\webres.dll
    HKU\S-1-5-21-546242771-2270780612-121426341-1001\Software\Classes\.exe: exefile =>  <===== ATTENTION!
    HKU\S-1-5-21-546242771-2270780612-121426341-1001\Software\Classes\exefile:  <===== ATTENTION!
    c:\users\davidm\appdata\local\six networks\shared\tools\mingw\bin\ssh-keygen.exe
    c:\users\davidm\appdata\roaming\utorrent
    c:\users\osha&pat\desktop\macdrive-v8.0.5.31.zip
    (IObit) S:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCService.exe
    (IObit) S:\Program Files (x86)\IObit\Advanced SystemCare 8\Monitor.exe
    (IObit) S:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe
    () S:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe
    HKLM\...\Run: [MacDrive 9 application] => C:\Program Files\Mediafour\MacDrive 9\MacDrive.exe [516480 2014-12-10] (Mediafour Corporation)
    C:\Program Files\Mediafour
    AppInit_DLLs-x32: ￿Ȅ为䥔邔㐀ᐸ讑㱠樵￿⤠梲￿ => "￿Ȅ为䥔邔㐀ᐸ讑㱠樵￿⤠梲￿" File not found
    ShellIconOverlayIdentifiers: [MacDriveVolumeIcon] -> {6B21AF46-EE37-40D0-A707-C06C17D06CE9} => C:\Program Files\Mediafour\MacDrive 9\MDVolumeIcons.dll [2013-11-01] (Mediafour Corporation)
    ShellIconOverlayIdentifiers: [MacDriveVolumeIconReadOnly] -> {E9BC4DCA-0A4E-4C65-9D40-621C9D0CDC5F} => C:\Program Files\Mediafour\MacDrive 9\MDVolumeIcons.dll [2013-11-01] (Mediafour Corporation)
    HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
    HKU\S-1-5-21-546242771-2270780612-121426341-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
    ProxyEnable: [.DEFAULT] => Internet Explorer proxy is enabled
    ProxyServer: [.DEFAULT] => http=127.0.0.1:63854;https=127.0.0.1:63854
    SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
    SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
    SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
    BHO: ExplorerWnd Helper -> {10921475-03CE-4E04-90CE-E2E7EF20C814} -> C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallExplorer64.dll [2015-04-30] (IObit)
    Toolbar: HKU\S-1-5-21-546242771-2270780612-121426341-1001 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
    Handler: WSIEChrome - No CLSID Value
    Handler: WSWSVCUchrome - No CLSID Value
    R2 AdvancedSystemCareService8; S:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCService.exe [815392 2014-11-04] (IObit)
    S3 EasyAntiCheat; C:\Windows\SysWOW64\EasyAntiCheat.exe [237352 2015-04-11] (EasyAntiCheat Ltd)
    R2 MacDrive9Service; C:\Program Files\Mediafour\MacDrive 9\MacDrive9Service.exe [187256 2014-12-10] (Mediafour Corporation)
    R3 hitmanpro37; C:\Windows\system32\drivers\hitmanpro37.sys [43664 2015-06-01] ()
    R0 MDFSYSNT; C:\Windows\System32\Drivers\MDFSYSNT.sys [332072 2015-01-30] (Mediafour Corporation)
    R0 MDPMGRNT; C:\Windows\System32\DRIVERS\MDPMGRNT.SYS [44328 2015-01-30] (Mediafour Corporation)
    R0 MDRAID; C:\Windows\System32\drivers\MDRAID.sys [189256 2015-01-30] (Mediafour Corporation)
    S3 MWAC; \??\C:\Windows\system32\drivers\ [0 ] () <==== ATTENTION (zero byte File/Folder)
    S3 MWAC; \??\C:\Windows\SysWOW64\drivers\ [0 ] () <==== ATTENTION (zero byte File/Folder)
    2015-05-31 17:24 - 2015-05-31 17:24 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MacDrive*9 Pro
    2015-05-31 17:24 - 2015-05-31 17:24 - 00000000 ____D () C:\ProgramData\Mediafour
    2015-05-31 17:24 - 2015-05-31 17:24 - 00000000 ____D () C:\Program Files\Mediafour
    2015-05-31 17:24 - 2015-05-31 17:24 - 00000000 ____D () C:\Program Files\Common Files\Mediafour
    2015-05-31 17:24 - 2015-05-31 17:24 - 00000000 ____D () C:\Program Files (x86)\Mediafour
    2015-05-31 17:24 - 2015-01-30 10:54 - 00044328 _____ (Mediafour Corporation) C:\Windows\system32\Drivers\MDPMGRNT.SYS
    2015-05-30 22:21 - 2015-05-30 22:21 - 00000000 ____D () C:\ProgramData\Spybot - Search & Destroy
    2015-05-30 17:16 - 2015-05-30 17:16 - 00000000 ____D () C:\Windows\System32\Tasks\Safer-Networking
    2015-05-30 16:55 - 2015-05-30 16:55 - 00000000 ____D () C:\Program Files\HitmanPro
    2015-05-30 04:08 - 2015-05-30 04:16 - 00000000 ____D () C:\ProgramData\HitmanPro
    2015-05-02 16:06 - 2015-05-02 16:06 - 00003196 _____ () C:\Windows\System32\Tasks\ASC8_PerformanceMonitor
    2015-05-02 16:05 - 2015-06-01 17:31 - 00000272 _____ () C:\Windows\Tasks\ASC8_SkipUac_Soul.job
    2015-05-02 16:05 - 2015-05-02 16:05 - 00002370 _____ () C:\Windows\System32\Tasks\ASC8_SkipUac_Soul
    2015-05-02 16:04 - 2015-06-01 06:04 - 00001115 _____ () C:\Users\Public\Desktop\Advanced SystemCare 8.lnk
    2015-05-02 16:04 - 2015-06-01 06:04 - 00001115 _____ () C:\ProgramData\Desktop\Advanced SystemCare 8.lnk
    2015-05-02 16:04 - 2015-05-02 16:04 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Advanced SystemCare 8
    2015-05-03 03:37 - 2015-04-14 02:03 - 00000080 _____ () C:\Users\DAVIDM\AppData\Local剜捯獫慴⁲慇敭屳呇⁁屖湥楴汴浥湥⹴湩潦
    C:\Users\DAVIDM\AppData\Roaming\Origin
    EmptyTemp:
    end
  • Double-click FRST64 to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
  • Click the Fix button just once, and wait.
  • If you receive a message that a reboot is required, please make sure you allow it to restart normally.
  • The tool will complete its run after the restart.
  • When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run. Please post the Fixlog.txt log in your reply.

NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

------------------------------------------------------
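The same indicators recur across the logs in this thread: AdwCleaner deleted a proxy of 127.0.0.1:63854 from HKU\.DEFAULT on 31 May, and the FRST fixlist above, built from a scan taken the next day, lists the same ProxyEnable/ProxyServer values again, next to a per-user .exe class override, a garbage AppInit_DLLs entry, Internet Explorer policy restrictions, a scheduled task running update.vbe out of AppData, and the GUID-named tasks from the first AdwCleaner run. The following read-only PowerShell triage script is an added example, not part of the original thread and not a feature of FRST or AdwCleaner; it re-reads those locations on the machine so you can see whether a fix held after the reboot. The port number is taken from the logs; the patterns used to pick out suspicious task actions, and the assumption that a local intercepting proxy on that port is what rewrote pages with the double-underlined ads, are this example's own. It reports and changes nothing; removal stays with the FRST fix.

```powershell
# Added triage script: re-checks the persistence points called out in the logs above.
# Not part of the thread and not an FRST/AdwCleaner feature. Read-only; it changes nothing.
# Needs an elevated prompt on Windows 8.1 or later (Get-ScheduledTask, Get-NetTCPConnection).
$AdwarePort = 63854          # from the AdwCleaner/FRST logs; adjust for another case
$findings   = New-Object System.Collections.Generic.List[string]

$inetKey = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
# 1-3: walk every loaded hive under HKEY_USERS, which includes .DEFAULT (the hive services and
#      the logon screen use). AdwCleaner had cleaned .DEFAULT, yet FRST found the proxy back.
foreach ($hive in Get-ChildItem Registry::HKEY_USERS) {
    $sid  = $hive.PSChildName
    $base = "Registry::$($hive.Name)"
    $p = Get-ItemProperty -Path "$base\$inetKey" -ErrorAction SilentlyContinue
    if ($p -and $p.ProxyEnable -eq 1 -and $p.ProxyServer -match '127\.0\.0\.1|localhost|\[::1\]') {
        $findings.Add("Loopback proxy in ${sid}: $($p.ProxyServer) (ProxyOverride: $($p.ProxyOverride))")
    }
    # A per-user .exe class is absent on a clean profile; FRST marked this one ATTENTION!
    if (Test-Path "$base\Software\Classes\.exe") {
        $cmd = (Get-ItemProperty "$base\Software\Classes\exefile\shell\open\command" -ErrorAction SilentlyContinue).'(default)'
        $findings.Add("Per-user .exe handler in ${sid}: open command = '$cmd'")
    }
    if (Test-Path "$base\Software\Policies\Microsoft\Internet Explorer") {
        $findings.Add("IE policy restrictions present in $sid")
    }
}
if (Test-Path 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer') {
    $findings.Add('IE policy restrictions present in HKLM')
}

# 4: AppInit_DLLs in both registry views (the fixlist's AppInit_DLLs-x32 line was the 32-bit one)
foreach ($k in 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
               'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows') {
    $w = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if ($w -and $w.AppInit_DLLs) {
        $findings.Add("AppInit_DLLs at ${k}: '$($w.AppInit_DLLs)' (LoadAppInit_DLLs=$($w.LoadAppInit_DLLs))")
    }
}

# 5: scheduled tasks whose action lives in a user profile, runs a script-host payload
#    (like Origin => update.vbe above), or whose name is a GUID (the 0ac6e505-... tasks).
#    The patterns are this example's heuristics, not a vendor list.
$guidName  = '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}'
$badAction = '\\Users\\|\\AppData\\|\.vb[es](\s|$)|\.js(\s|$)|\bwscript\b|\bcscript\b'
foreach ($t in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($a in $t.Actions) {
        $exe = "$($a.Execute) $($a.Arguments)".Trim()
        if ($t.TaskName -match $guidName -or $exe -match $badAction) {
            $findings.Add("Task $($t.TaskPath)$($t.TaskName) [$($t.State)] => $exe")
        }
    }
}

# 6: who owns the listener the proxy pointed at. A live process here means the registry
#    values can be re-armed after deletion (assumption: that local intercepting proxy is
#    what rewrote pages with the double-underlined in-text ads).
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -eq $AdwarePort -or $_.LocalAddress -eq '127.0.0.1' } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $findings.Add("Listener $($_.LocalAddress):$($_.LocalPort) PID $($_.OwningProcess) $($proc.ProcessName) $($proc.Path)")
    }

if ($findings.Count -eq 0) { 'None of the indicators from this thread were found.' } else { $findings }
```

Run it once before the FRST fix and once after the reboot; the second run should print the "None of the indicators" line. If the loopback proxy or the listener comes back, the process that owns the port (step 6) is the thing to hand to the helper, since deleting the registry values alone did not hold in this thread.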
#14 - 06-01-2015, 10:56 PM - kinsouls (Registered Member; joined May 2015; OS: Win8.1)

OK, I followed what you said and here is the fixlist log:

Fix result of Farbar Recovery Scan Tool (x64) Version: 29-05-2015
Ran by Soul at 2015-06-01 22:36:38 Run:1
Running from S:\Users\Soul\Desktop
Loaded Profiles: Soul (Available Profiles: Soul & Osha&Pat)
Boot Mode: Normal
==============================================

fixlist content:
*****************
start
createrestorepoint:
Task: {2CD7EFF7-D243-4D45-809B-92144202FDA7} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Check for updates => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdate.exe
Task: {398F5847-4A32-498F-9A7D-56CB1AA0FA6C} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Refresh immunization => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDImmunize.exe
Task: {5DEE9B24-992A-4300-BAE0-E8F42DE4D551} - System32\Tasks\ASC7U_SkipUac_Soul => S:\Program Files (x86)\IObit\Advanced SystemCare Ultimate 7\ASC.exe
Task: {60DB28FA-D55F-4F0F-B916-191D4487D2A2} - System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Scan the system => C:\Program Files (x86)\Spybot - Search & Destroy 2\SDScan.exe
Task: {808F3917-3132-46E6-A767-7EC12993F2CC} - System32\Tasks\ASC8_PerformanceMonitor => S:\Program Files (x86)\IObit\Advanced SystemCare 8\Monitor.exe [2015-01-23] (IObit)
Task: {9E01FE44-667A-4E7A-A6B8-F45147E46D91} - System32\Tasks\ASC8_SkipUac_Soul => S:\Program Files (x86)\IObit\Advanced SystemCare 8\ASC.exe [2015-01-27] (IObit)
Task: {E369AA20-6708-4C63-83AE-0E0B981B7780} - System32\Tasks\Origin => C:\Users\DAVIDM\AppData\Roaming\Origin\update.vbe [2015-03-04] () <==== ATTENTION
Task: C:\Windows\Tasks\ASC7U_SkipUac_Soul.job => S:\Program Files (x86)\IObit\Advanced SystemCare Ultimate 7\ASC.exe
Task: C:\Windows\Tasks\ASC8_SkipUac_Soul.job => S:\Program Files (x86)\IObit\Advanced SystemCare 8\ASC.exe
2015-05-02 16:04 - 2014-07-11 16:04 - 01106720 _____ () S:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe
2015-05-02 16:04 - 2013-10-25 12:08 - 00517408 _____ () S:\Program Files (x86)\IObit\Advanced SystemCare 8\sqlite3.dll
2015-05-02 16:04 - 2013-01-15 18:48 - 00348992 _____ () S:\Program Files (x86)\IObit\Advanced SystemCare 8\madExcept_.bpl
2015-05-02 16:04 - 2013-01-15 18:48 - 00183616 _____ () S:\Program Files (x86)\IObit\Advanced SystemCare 8\madBasic_.bpl
2015-05-02 16:04 - 2013-01-15 18:48 - 00051008 _____ () S:\Program Files (x86)\IObit\Advanced SystemCare 8\madDisAsm_.bpl
2015-05-02 16:04 - 2013-01-15 18:47 - 00893248 _____ () S:\Program Files (x86)\IObit\Advanced SystemCare 8\webres.dll
HKU\S-1-5-21-546242771-2270780612-121426341-1001\Software\Classes\.exe: exefile => <===== ATTENTION!
HKU\S-1-5-21-546242771-2270780612-121426341-1001\Software\Classes\exefile: <===== ATTENTION!
c:\users\davidm\appdata\local\six networks\shared\tools\mingw\bin\ssh-keygen.exe
c:\users\davidm\appdata\roaming\utorrent
c:\users\osha&pat\desktop\macdrive-v8.0.5.31.zip
(IObit) S:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCService.exe
(IObit) S:\Program Files (x86)\IObit\Advanced SystemCare 8\Monitor.exe
(IObit) S:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe
() S:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe
HKLM\...\Run: [MacDrive 9 application] => C:\Program Files\Mediafour\MacDrive 9\MacDrive.exe [516480 2014-12-10] (Mediafour Corporation)
C:\Program Files\Mediafour
AppInit_DLLs-x32: ￿Ȅ为䥔邔㐀ᐸ讑㱠樵￿⤠梲￿ => "￿Ȅ为䥔邔㐀ᐸ讑㱠樵￿⤠梲￿" File not found
ShellIconOverlayIdentifiers: [MacDriveVolumeIcon] -> {6B21AF46-EE37-40D0-A707-C06C17D06CE9} => C:\Program Files\Mediafour\MacDrive 9\MDVolumeIcons.dll [2013-11-01] (Mediafour Corporation)
ShellIconOverlayIdentifiers: [MacDriveVolumeIconReadOnly] -> {E9BC4DCA-0A4E-4C65-9D40-621C9D0CDC5F} => C:\Program Files\Mediafour\MacDrive 9\MDVolumeIcons.dll [2013-11-01] (Mediafour Corporation)
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-546242771-2270780612-121426341-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
ProxyEnable: [.DEFAULT] => Internet Explorer proxy is enabled
ProxyServer: [.DEFAULT] => http=127.0.0.1:63854;https=127.0.0.1:63854
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: ExplorerWnd Helper -> {10921475-03CE-4E04-90CE-E2E7EF20C814} -> C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallExplorer64.dll [2015-04-30] (IObit)
Toolbar: HKU\S-1-5-21-546242771-2270780612-121426341-1001 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
Handler: WSIEChrome - No CLSID Value
Handler: WSWSVCUchrome - No CLSID Value
R2 AdvancedSystemCareService8; S:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCService.exe [815392 2014-11-04] (IObit)
S3 EasyAntiCheat; C:\Windows\SysWOW64\EasyAntiCheat.exe [237352 2015-04-11] (EasyAntiCheat Ltd)
R2 MacDrive9Service; C:\Program Files\Mediafour\MacDrive 9\MacDrive9Service.exe [187256 2014-12-10] (Mediafour Corporation)
R3 hitmanpro37; C:\Windows\system32\drivers\hitmanpro37.sys [43664 2015-06-01] ()
R0 MDFSYSNT; C:\Windows\System32\Drivers\MDFSYSNT.sys [332072 2015-01-30] (Mediafour Corporation)
R0 MDPMGRNT; C:\Windows\System32\DRIVERS\MDPMGRNT.SYS [44328 2015-01-30] (Mediafour Corporation)
R0 MDRAID; C:\Windows\System32\drivers\MDRAID.sys [189256 2015-01-30] (Mediafour Corporation)
S3 MWAC; \??\C:\Windows\system32\drivers\ [0 ] () <==== ATTENTION (zero byte File/Folder)
S3 MWAC; \??\C:\Windows\SysWOW64\drivers\ [0 ] () <==== ATTENTION (zero byte File/Folder)
2015-05-31 17:24 - 2015-05-31 17:24 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MacDrive*9 Pro
2015-05-31 17:24 - 2015-05-31 17:24 - 00000000 ____D () C:\ProgramData\Mediafour
2015-05-31 17:24 - 2015-05-31 17:24 - 00000000 ____D () C:\Program Files\Mediafour
2015-05-31 17:24 - 2015-05-31 17:24 - 00000000 ____D () C:\Program Files\Common Files\Mediafour
2015-05-31 17:24 - 2015-05-31 17:24 - 00000000 ____D () C:\Program Files (x86)\Mediafour
2015-05-31 17:24 - 2015-01-30 10:54 - 00044328 _____ (Mediafour Corporation) C:\Windows\system32\Drivers\MDPMGRNT.SYS
2015-05-30 22:21 - 2015-05-30 22:21 - 00000000 ____D () C:\ProgramData\Spybot - Search & Destroy
2015-05-30 17:16 - 2015-05-30 17:16 - 00000000 ____D () C:\Windows\System32\Tasks\Safer-Networking
2015-05-30 16:55 - 2015-05-30 16:55 - 00000000 ____D () C:\Program Files\HitmanPro
2015-05-30 04:08 - 2015-05-30 04:16 - 00000000 ____D () C:\ProgramData\HitmanPro
2015-05-02 16:06 - 2015-05-02 16:06 - 00003196 _____ () C:\Windows\System32\Tasks\ASC8_PerformanceMonitor
2015-05-02 16:05 - 2015-06-01 17:31 - 00000272 _____ () C:\Windows\Tasks\ASC8_SkipUac_Soul.job
2015-05-02 16:05 - 2015-05-02 16:05 - 00002370 _____ () C:\Windows\System32\Tasks\ASC8_SkipUac_Soul
2015-05-02 16:04 - 2015-06-01 06:04 - 00001115 _____ () C:\Users\Public\Desktop\Advanced SystemCare 8.lnk
2015-05-02 16:04 - 2015-06-01 06:04 - 00001115 _____ () C:\ProgramData\Desktop\Advanced SystemCare 8.lnk
2015-05-02 16:04 - 2015-05-02 16:04 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Advanced SystemCare 8
2015-05-03 03:37 - 2015-04-14 02:03 - 00000080 _____ () C:\Users\DAVIDM\AppData\Local剜捯獫慴⁲慇敭屳呇⁁屖湥楴汴浥湥⹴湩潦
C:\Users\DAVIDM\AppData\Roaming\Origin
EmptyTemp:
end
*****************

Restore point was successfully created.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{2CD7EFF7-D243-4D45-809B-92144202FDA7}" => key Removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2CD7EFF7-D243-4D45-809B-92144202FDA7}" => key Removed successfully
C:\Windows\System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Check for updates => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Safer-Networking\Spybot - Search and Destroy\Check for updates" => key Removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{398F5847-4A32-498F-9A7D-56CB1AA0FA6C}" => key Removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{398F5847-4A32-498F-9A7D-56CB1AA0FA6C}" => key Removed successfully
C:\Windows\System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Refresh immunization => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Safer-Networking\Spybot - Search and Destroy\Refresh immunization" => key Removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{5DEE9B24-992A-4300-BAE0-E8F42DE4D551}" => key Removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5DEE9B24-992A-4300-BAE0-E8F42DE4D551}" => key Removed successfully
C:\Windows\System32\Tasks\ASC7U_SkipUac_Soul => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ASC7U_SkipUac_Soul" => key Removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{60DB28FA-D55F-4F0F-B916-191D4487D2A2}" => key Removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{60DB28FA-D55F-4F0F-B916-191D4487D2A2}" => key Removed successfully
C:\Windows\System32\Tasks\Safer-Networking\Spybot - Search and Destroy\Scan the system => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Safer-Networking\Spybot - Search and Destroy\Scan the system" => key Removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{808F3917-3132-46E6-A767-7EC12993F2CC}" => key Removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{808F3917-3132-46E6-A767-7EC12993F2CC}" => key Removed successfully
C:\Windows\System32\Tasks\ASC8_PerformanceMonitor => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ASC8_PerformanceMonitor" => key Removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{9E01FE44-667A-4E7A-A6B8-F45147E46D91}" => key Removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{9E01FE44-667A-4E7A-A6B8-F45147E46D91}" => key Removed successfully
C:\Windows\System32\Tasks\ASC8_SkipUac_Soul => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ASC8_SkipUac_Soul" => key Removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{E369AA20-6708-4C63-83AE-0E0B981B7780}" => key Removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E369AA20-6708-4C63-83AE-0E0B981B7780}" => key Removed successfully
C:\Windows\System32\Tasks\Origin => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Origin" => key Removed successfully
C:\Windows\Tasks\ASC7U_SkipUac_Soul.job => Moved successfully.
C:\Windows\Tasks\ASC8_SkipUac_Soul.job => Moved successfully.
"2015-05-02 16:04 - 2014-07-11 16:04 - 01106720 _____ () S:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe" => File/Folder not found.
"2015-05-02 16:04 - 2013-10-25 12:08 - 00517408 _____ () S:\Program Files (x86)\IObit\Advanced SystemCare 8\sqlite3.dll" => File/Folder not found.
"2015-05-02 16:04 - 2013-01-15 18:48 - 00348992 _____ () S:\Program Files (x86)\IObit\Advanced SystemCare 8\madExcept_.bpl" => File/Folder not found.
"2015-05-02 16:04 - 2013-01-15 18:48 - 00183616 _____ () S:\Program Files (x86)\IObit\Advanced SystemCare 8\madBasic_.bpl" => File/Folder not found.
"2015-05-02 16:04 - 2013-01-15 18:48 - 00051008 _____ () S:\Program Files (x86)\IObit\Advanced SystemCare 8\madDisAsm_.bpl" => File/Folder not found.
"2015-05-02 16:04 - 2013-01-15 18:47 - 00893248 _____ () S:\Program Files (x86)\IObit\Advanced SystemCare 8\webres.dll" => File/Folder not found.
"HKU\S-1-5-21-546242771-2270780612-121426341-1001\Software\Classes\exefile" => key Removed successfully
"HKU\S-1-5-21-546242771-2270780612-121426341-1001\Software\Classes\.exe" => key Removed successfully
HKU\S-1-5-21-546242771-2270780612-121426341-1001\Software\Classes\exefile => key not found.
c:\users\davidm\appdata\local\six networks\shared\tools\mingw\bin\ssh-keygen.exe => Moved successfully.
c:\users\davidm\appdata\roaming\utorrent => Moved successfully.
"c:\users\osha&pat\desktop\macdrive-v8.0.5.31.zip" => File/Folder not found.
[1016] S:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCService.exe => process closed successfully.
[3888] S:\Program Files (x86)\IObit\Advanced SystemCare 8\Monitor.exe => process closed successfully.
[2784] S:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCTray.exe => process closed successfully.
[5160] S:\Program Files (x86)\IObit\Advanced SystemCare 8\RealTimeProtector.exe => process closed successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\MacDrive 9 application => value Removed successfully
C:\Program Files\Mediafour => Moved successfully.
"￿Ȅ为䥔邔㐀ᐸ讑㱠樵￿⤠梲￿" => value data Removed successfully.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\MacDriveVolumeIcon" => key Removed successfully
"HKCR\CLSID\{6B21AF46-EE37-40D0-A707-C06C17D06CE9}" => key Removed successfully
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\MacDriveVolumeIconReadOnly" => key Removed successfully
"HKCR\CLSID\{E9BC4DCA-0A4E-4C65-9D40-621C9D0CDC5F}" => key Removed successfully
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => key Removed successfully
"HKU\S-1-5-21-546242771-2270780612-121426341-1001\SOFTWARE\Policies\Microsoft\Internet Explorer" => key Removed successfully
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable => value Removed successfully
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer => value Removed successfully
HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value Removed successfully
HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value Removed successfully
HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value Removed successfully
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{10921475-03CE-4E04-90CE-E2E7EF20C814}" => key Removed successfully
"HKCR\CLSID\{10921475-03CE-4E04-90CE-E2E7EF20C814}" => key Removed successfully
HKU\S-1-5-21-546242771-2270780612-121426341-1001\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => value Removed successfully
HKCR\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => key not found.
"HKCR\PROTOCOLS\Handler\WSIEChrome" => key Removed successfully
"HKCR\PROTOCOLS\Handler\WSWSVCUchrome" => key Removed successfully
AdvancedSystemCareService8 => Service Removed successfully
EasyAntiCheat => Service Removed successfully
MacDrive9Service => Unable to stop service.
MacDrive9Service => Service Removed successfully
hitmanpro37 => Service not found.
MDFSYSNT => Unable to stop service.
MDFSYSNT => Service Removed successfully
MDPMGRNT => Unable to stop service.
MDPMGRNT => Service Removed successfully
MDRAID => Unable to stop service.
MDRAID => Service Removed successfully
MWAC => Service Removed successfully
MWAC => Service not found.

"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MacDrive*9 Pro" folder move:

Could not move "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MacDrive*9 Pro" folder => Scheduled to move on reboot.

C:\ProgramData\Mediafour => Moved successfully.
"C:\Program Files\Mediafour" => File/Folder not found.
C:\Program Files\Common Files\Mediafour => Moved successfully.
C:\Program Files (x86)\Mediafour => Moved successfully.
C:\Windows\system32\Drivers\MDPMGRNT.SYS => Moved successfully.
C:\ProgramData\Spybot - Search & Destroy => Moved successfully.
C:\Windows\System32\Tasks\Safer-Networking => Moved successfully.
C:\Program Files\HitmanPro => Moved successfully.
C:\ProgramData\HitmanPro => Moved successfully.
"C:\Windows\System32\Tasks\ASC8_PerformanceMonitor" => File/Folder not found.
"C:\Windows\Tasks\ASC8_SkipUac_Soul.job" => File/Folder not found.
"C:\Windows\System32\Tasks\ASC8_SkipUac_Soul" => File/Folder not found.
C:\Users\Public\Desktop\Advanced SystemCare 8.lnk => Moved successfully.
"C:\ProgramData\Desktop\Advanced SystemCare 8.lnk" => File/Folder not found.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Advanced SystemCare 8 => Moved successfully.
C:\Users\DAVIDM\AppData\Local剜捯獫慴⁲慇敭屳呇⁁屖湥楴汴浥湥⹴湩潦 => Moved successfully.
C:\Users\DAVIDM\AppData\Roaming\Origin => Moved successfully.
EmptyTemp: => Removed 279.3 MB temporary data.

Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 2015-06-01 22:41:30)<=

"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MacDrive*9 Pro" => Could not move

==== End of Fixlog 22:41:30 ====



Also The Keygen File In The Play With Six Folders "c:\users\davidm\appdata\local\six networks\shared\tools\mingw\bin\ssh-keygen.exe" Is From A Program Used To Mod ARMA III For A Zombie Mode. I Don't See A Keygen, Only A Keyscan. But I'm Going To Uninstall Play With Six Since I Don't Play ARMA III Anymore.
kinsouls is offline  
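Added example (not from the thread, not FRST's own code): a small Python triage script for FRST output in the format quoted above. It pulls out the fixlist entries FRST marked with ATTENTION, classifies each Fixlog result line as removed, not found, failed or deferred to reboot, and then lists objects that never ended up removed (like the MacDrive*9 Pro start-menu folder above). The sample log lines are constructed, modelled on the thread's log.

```python
"""Triage helper for FRST fixlist/Fixlog text (added example, not FRST code)."""
from __future__ import annotations

import re
from collections import defaultdict

# Constructed sample lines, modelled on the FRST fixlist format in the thread.
SAMPLE_FIXLIST = r"""
Task: {E369AA20-6708-4C63-83AE-0E0B981B7780} - System32\Tasks\Origin => C:\Users\DAVIDM\AppData\Roaming\Origin\update.vbe [2015-03-04] () <==== ATTENTION
HKU\S-1-5-21-546242771-2270780612-121426341-1001\Software\Classes\.exe: exefile => <===== ATTENTION!
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
ProxyServer: [.DEFAULT] => http=127.0.0.1:63854;https=127.0.0.1:63854
S3 MWAC; \??\C:\Windows\system32\drivers\ [0 ] () <==== ATTENTION (zero byte File/Folder)
EmptyTemp:
"""

# Constructed sample lines, modelled on the Fixlog format in the thread.
SAMPLE_FIXLOG = r"""
Restore point was successfully created.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Origin" => key Removed successfully
C:\Windows\System32\Tasks\Origin => Moved successfully.
"C:\ProgramData\Desktop\Advanced SystemCare 8.lnk" => File/Folder not found.
HKCR\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => key not found.
MacDrive9Service => Unable to stop service.
MacDrive9Service => Service Removed successfully
hitmanpro37 => Service not found.
[1016] S:\Program Files (x86)\IObit\Advanced SystemCare 8\ASCService.exe => process closed successfully.
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer => value Removed successfully

"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MacDrive*9 Pro" folder move:

Could not move "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MacDrive*9 Pro" folder => Scheduled to move on reboot.

EmptyTemp: => Removed 279.3 MB temporary data.
"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MacDrive*9 Pro" => Could not move
==== End of Fixlog 22:41:30 ====
"""

ATTENTION_RE = re.compile(r"<=+\s*ATTENTION")   # "<==== ATTENTION", "<===== ATTENTION!"
PID_RE = re.compile(r"^\[\d+\]\s*")             # "[1016] " prefix on process lines
QUOTED_RE = re.compile(r'"([^"]+)"')            # quoted path or registry key

# Outcome phrases FRST writes after "=>", checked in this order. "Scheduled to
# move on reboot" must come before "Could not ..." because both appear on one line.
OUTCOMES = [
    ("deferred", re.compile(r"Scheduled to move on reboot", re.I)),
    ("removed", re.compile(r"Moved successfully|Removed successfully|"
                           r"process closed successfully|Removed [\d.]+ MB", re.I)),
    ("not_found", re.compile(r"\bnot found\b", re.I)),
    ("failed", re.compile(r"Could not|Unable to", re.I)),
]


def flagged_entries(fixlist: str) -> list[str]:
    """Return the fixlist lines FRST itself flagged with an ATTENTION marker."""
    return [ln.strip() for ln in fixlist.splitlines() if ATTENTION_RE.search(ln)]


def _target(lhs: str) -> str:
    """Normalise the left side of a result line to the object it names."""
    lhs = PID_RE.sub("", lhs.strip())
    m = QUOTED_RE.search(lhs)
    return m.group(1) if m else lhs


def parse_fixlog(fixlog: str) -> dict[str, list[str]]:
    """Classify every 'object => outcome' line; other lines are skipped."""
    results: dict[str, list[str]] = defaultdict(list)
    for line in fixlog.splitlines():
        lhs, sep, outcome = line.partition(" => ")
        if not sep:
            continue  # headers, blank lines, footer
        for name, pattern in OUTCOMES:
            if pattern.search(outcome):
                results[name].append(_target(lhs))
                break
        else:
            results["other"].append(line.strip())
    return dict(results)


def outstanding(results: dict[str, list[str]]) -> list[str]:
    """Objects that failed or were deferred and were never reported removed.

    A driver that reports "Unable to stop service" and then "Service Removed
    successfully" is not outstanding; only objects with no removal line are.
    """
    done = set(results.get("removed", []))
    seen: set[str] = set()
    out = []
    for name in ("deferred", "failed"):
        for target in results.get(name, []):
            if target not in done and target not in seen:
                seen.add(target)
                out.append(target)
    return out


if __name__ == "__main__":
    print("Flagged in fixlist:", *flagged_entries(SAMPLE_FIXLIST), sep="\n  ")
    res = parse_fixlog(SAMPLE_FIXLOG)
    for name in ("removed", "not_found", "failed", "deferred", "other"):
        print(f"{name:>9}: {len(res.get(name, []))}")
    print("Still to revisit:", *outstanding(res), sep="\n  ")
```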
Old 06-02-2015, 07:01 AM   #15
chemist
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
Microsoft Most Valuable Professional
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10

Hello again, kinsouls. How is the machine behaving now?

------------------------------------------------------
  • Launch Malwarebytes' Anti-Malware
  • On the Dashboard, click the Scan Now button.
  • A check for database updates will be performed.
  • After the update check completes, a Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Remove Selected to allow MBAM to clean what was detected.
  • In most cases, a restart will be required and a prompt will be shown.
  • Wait for the prompt to restart the computer to appear, then click on Yes
  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs
  • Double-click on the scan log which shows the Date and Time of the scan just performed.
  • Click Export
  • Click Text file (*.txt)
  • In the Save File dialog box which appears, click on Desktop.
  • In the File name: box type a name for your scan log.
  • A message box named File Saved should appear stating "Your file has been successfully exported".
  • Click Ok
  • Attach that saved log to your next reply.
------------------------------------------------------

Uninstall the following via the Programs and Features Panel (Start->(Settings)->Control Panel->Programs->Programs and Features):

Java 7 Update 75 (64-bit)

These are all outdated and are security risks if left installed. Reboot your computer once all those Java components are removed.

Leave this one as it has the latest definitions:

Java 8 Update 45 (64-bit)

Going forward, Java will overwrite existing installs, so removing older versions should not be required after this.

When updating in the future, make sure you untick the box next to whatever free program they prompt you to install, unless you want it.

------------------------------------------------------

Please run this online scan to help look for remnants. Ensure your external and/or USB drives are inserted during the scan.

In Microsoft Windows Vista/Win7/Win8, you must open the Web browser via a right-click using the Run as administrator command.

Go here and click 'Run ESET Online Scanner'.
  • If you are not using Internet Explorer, double-click esetsmartinstaller_enu.exe to install it, then click 'Run'.
  • Turn off the real-time scanner of any existing antivirus program while performing the online scan. Here's how
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • If using Internet Explorer, allow the ActiveX control to install when asked.
  • Once the components have downloaded, tick the option Enable detection of potentially unwanted applications
  • Click on Advanced Settings
  • Make sure that the option Remove found threats is unticked.
  • Ensure these options are ticked:
    • Scan Archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Next to 'Current scan targets: Operating memory, Local drives', click the Change... button.
  • Tick all the boxes that correspond to your external/inserted drives.
  • Click Start
  • Wait for the scan to finish.
  • When the scan is done, if it shows a screen that says "Threats found!", click "List of found threats", and then click "Export to text file..."
  • Save that text file to your desktop, and then copy/paste the contents in your next reply.
------------------------------------------------------

Please post the following in your next reply:

MBAM log
ESET report
report on system behavior
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
chemist is offline  
Old 06-02-2015, 06:19 PM   #16
kinsouls
Registered Member
Join Date: May 2015
Posts: 11
OS: Win8.1

My Computer Is Behaving Just Fine, No Ads, No Pop-ups, And It Seems To Boot Faster.

Here Is The ESET Log:
C:\FRST\Quarantine\C\users\davidm\appdata\roaming\Origin\update.vbe VBS/Kryptik.DC trojan
C:\Windows\System32\config\systemprofile\AppData\Roaming\Origin\update.vbe VBS/Kryptik.DC trojan
C:\Windows\SysWOW64\config\systemprofile\Application Data\Origin\update.vbe VBS/Kryptik.DC trojan
S:\Downloads\Ebooks\Zip Files.rar NSIS/TrojanDownloader.Adload.L trojan
S:\Users\Soul\Downloads\Setup.exe a variant of Win32/SoftPulse.AG potentially unwanted application
S:\Users\Soul\Downloads\VobSub_2.23.exe a variant of Win32/DownloadAssistant.A potentially unwanted application.

The MalwareBytes Log Is Attached.
Attached Files: MalwareByte Scan2.txt (71.3 KB)
kinsouls is offline  
Old 06-02-2015, 11:21 PM   #17
chemist
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
Microsoft Most Valuable Professional
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10

Hello again, kinsouls. Glad to hear it.

The FRST find has already been quarantined and will get deleted when we uninstall FRST.

------------------------------------------------------

Open Notepad and copy/paste the entire contents of the codebox below into Notepad:

Code:
@echo off
rem Start with a fresh log of anything that could not be deleted.
if exist "%temp%\log.txt" del "%temp%\log.txt"

rem Files ESET flagged: delete each one and log any that survive.
for %%g in (

"S:\Downloads\Ebooks\Zip Files.rar"
"S:\Users\Soul\Downloads\Setup.exe"
"S:\Users\Soul\Downloads\VobSub_2.23.exe"

) do (
del /a/f/q %%g >nul 2>&1
if exist %%g echo.%%~g>>"%temp%\log.txt"
)

rem Folders holding the remaining update.vbe copies: remove the whole tree.
for %%g in (

"C:\Windows\System32\config\systemprofile\AppData\Roaming\Origin"
"C:\Windows\SysWOW64\config\systemprofile\Application Data\Origin"

) do (
rd /s/q %%g >nul 2>&1
if exist %%g echo.%%~g>>"%temp%\log.txt"
)

rem Open the log of leftovers if there is one, otherwise report success.
if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt"
) else echo.Deleted Successfully !!

pause
rem The batch file removes itself after you press a key.
del %0
Save this Notepad file as fix.bat to your desktop (choose Save as type: All Files), then close the Notepad file.
It should look like this:

Right-click on fix.bat and choose 'Run as administrator' to allow it to run.

Tell me what it says in your next reply. Press any key to continue.

------------------------------------------------------

Congratulations. Well done! Your logs appear clean. You should be good to go.

------------------------------------------------------
  • Press the Windows "logo" key and "R" key then type cleanmgr into the Run box and click OK.
  • Select your hard drive (usually C:\) then click 'OK'.
  • You should see the scanning screenshot for a few seconds.
  • Click 'Clean up system files'
  • If prompted by UAC, then click 'Yes'.
  • Select your hard drive (usually C:\) then click 'OK'.
  • Click on the 'More Options' tab, and click on the 'Clean up' button under the 'System Restore and Shadow Copies' section.
  • Click/tap on the Delete button in the confirm deletion window.
This will remove all but the most recent Restore Point.

------------------------------------------------------

Please re-enable your antivirus program and any other antispyware programs disabled earlier if you haven't already.
  • Run AdwCleaner and select Uninstall
  • Confirm by clicking Yes
------------------------------------------------------

Press the Windows "logo" key and "R" key then copy/paste the following single-line command into the Run box and click OK:

cmd /c rd /s /q "C:\FRST"

A DOS window will open and close again, this is normal.

------------------------------------------------------

You can safely delete any tools downloaded or any logs, files, and any shortcuts on your desktop that were created during this fix.

Keep MBAM, update and run a Quick Scan weekly.

Empty your Recycle Bin if it does not do so automatically.

------------------------------------------------------

MICROSOFT UPDATES
It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by Trojans and viruses. Please go to Microsoft and download all the critical updates to help prevent possible re-infection.

------------------------------------------------------

Make sure you backup your system, so possible reformatting in the future isn't necessary:

What happened to Backup and Restore? - Windows Help

Backup and Recovery of Windows 8 & Windows 8.1 - Tip-of-the-Day - KeithMayer.com - Site Home - TechNet Blogs

------------------------------------------------------

Important

Due to continued exploits of zero-day vulnerabilities in Oracle's Java application, it is the recommendation of many security experts, as well as the TSF Security Team, that you disable Java in your web browsers.

Java

US-CERT Alert TA13-010A - Oracle Java 7 Security Manager Bypass Vulnerability

We recommend disabling Java in your browsers, and enabling it only when needed by certain websites.

Please disable Java in your browser(s) by following these instructions:

How do I disable Java in my web browser?

------------------------------------------------------

SPYWARE PREVENTION
In light of your recent problem, I'm sure you'd like to avoid any future infections. Please read this well-written article: To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:
  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware, or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an add-on available for IE, Firefox, and Chrome.
  • MVPS HOSTS FILE replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. It basically prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is the IP of your local computer. See guide for Windows 8 here
Keep your antivirus program and antispyware programs updated and scan with them on a regular basis.

Please respond to this thread one more time so we can mark this thread as resolved.
chemist is offline  
Old 06-03-2015, 01:53 AM   #18
kinsouls
Registered Member
Join Date: May 2015
Posts: 11
OS: Win8.1

After Running The fix.bat File It Said "Deletion Successful". Did Everything You Said And My System Is Running Normal.


Thanks For All Your Hard Work!

Very Much Appreciated, KinSouls
kinsouls is offline  
Old 06-03-2015, 06:52 PM   #19
chemist
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
Microsoft Most Valuable Professional
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10

You're very welcome, KinSouls! Glad to have helped.
chemist is offline  