Hoping someone can help me make a proper fix with frst logs [Closed]

virus wmcagent rootkit

#1
toxinburn


Hi. I won't even make excuses for myself this time: I downloaded software from a 3rd party site vs. official links, and I asked for it. But now that I've admitted my stupidity, if someone could help me out, I am attaching my FRST logs in hopes that someone here can help me come up with a working fixlist.txt to run to remove this rootkit. It is particularly difficult, and it has been a while since I got something that I couldn't just mess with the registry and use takeownerex to fix. Anyhow, here are the logs. If someone can help me make the list I think I can sort out the rest, but feel free to add any additional steps you would advise and I will for sure do those as well.

Attached Files



#2
toxinburn


Just letting y'all know I seem to have done it myself after reading the guide and looking at another fixlist.txt that was on here regarding the same virus. I feel pretty proud of myself, and I see how difficult and time consuming this process can be. Now I am sure I am not as good at it as many of you, but... I was able to rid myself of this horrid virus. I am posting my self-made fixlist as well for critique. I know portions of it did not complete, but luckily the parts that were essential in removing it did work, and I have no lasting damage to my system from doing it myself. While I would not encourage someone that is a total newb to this sort of thing to even attempt it... it can be done, but if you accidentally tell it to delete an essential part of your OS you would wind up crap creek without a paddle, other than a format and reinstall of Windows completely, which is what you want to avoid for most.

Attached Files



#3
JSntgRvr

Won't do.

Hi

Welcome :)

I'll be helping you with your computer.

Please read this post completely before beginning. If there's anything that you do not understand, please don't hesitate to ask before proceeding.

Please take note of the guidelines for this fix:
  • Please note that I am a volunteer. I do have a family, a career, and other endeavors that may prevent immediate responses that meet your schedule. Do note that the differences in time zones could present a problem as well. Your patience and understanding will be greatly appreciated.
  • First of all, the procedures we are about to perform are specific to your problem and should only be used on this specific computer.
  • Do not make any changes to your computer that include installing/uninstalling programs, deleting files, modifying the registry, nor running scanners or tools of any kind unless specifically requested by me.
  • Please read ALL instructions carefully and perform the steps fully and in the order they are written.
  • If things appear to be better, let me know. Just because the symptoms no longer exist as before, does not mean that you are clean.
  • Continue to read and follow my instructions until I tell you that your machine is clean.
  • If you have any questions at all, please do not hesitate to ask before performing the task that I ask of you, and please wait for my reply before you proceed.
  • Scanning with programs and reading the logs do take a fair amount of time. Again, your patience will be necessary. :)
Let's begin... :)

The system is infected with a rootkit.

You will need another computer to download FRST64 to a USB drive, run FRST64 in the Recovery Environment, then back in Normal Mode.

Please download Farbar Recovery Scan Tool in an uninfected computer and save it to a flash drive (Pen Drive).

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version. In your case it is FRST64.exe.

Please also download the attached file Fixlist.txt and save it in the same location the FRST64 is saved in the flash drive.

Boot to the Recovery Console's Command prompt in the infected computer.

To enter the Recovery Environment with Windows 10, follow the instructions in this tutorial on TenForums

Note: If you can't access the Recovery Environment using the method above, you'll need to create a Windows installation or repair media. It can be made on the computer itself or another one running the same version of Windows as the one you plan to use it on. For more information, check out this tutorial on TenForums
After any of these actions is performed, all user sessions are signed off and the Boot Options menu is displayed. The PC will restart into the WinRE and the selected feature is launched.

On the boot options, select Troubleshooting > Advanced Options > Command prompt.

Once in the Command Prompt:
  • Insert the USB drive containing FRST64 and the Fixlist
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst64 and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • First press the Scan button. That will deactivate the rootkit, once the scan is finished, press the Fix button.
  • These actions will make two logs, Fixlog.txt and FRST.txt, in the flash drive. Please copy and paste them in your reply.
Once finished in the Recovery Environment, restart the computer in Normal Mode.

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version. In your case it is FRST64.
  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Make sure that under Optional Scans, there is a checkmark on Addition.txt.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also produce another log (Addition.txt ). Please attach this to your reply.
I will expect the following reports:
  • Frst.txt produced in the Recovery Console
  • Fixlog.txt produced in the Recovery Console
  • Frst.txt produced in Normal Mode
  • Addition.txt produced in Normal Mode

#4
toxinburn


Thanks for the fixlist you prepared; however, a few of the things you have in it are legit apps that I am aware of, such as:

HKU\S-1-5-21-2037235347-66412534-4019770740-1001\...\Run: [VideoGuardMonitor] => C:\Users\sean\AppData\Local\Cisco\VideoGuardPlayer\VideoGuardMonitor\CiscoVideoGuardMonitor.exe [4155656 2017-06-20] (Cisco)
HKU\S-1-5-21-2037235347-66412534-4019770740-1001\...\Run: [f.lux] => C:\Users\sean\AppData\Local\FluxSoftware\Flux\flux.exe [1681400 2018-01-11] (f.lux Software LLC)


The VideoGuard thing was part of some DirecTV stuff so I could watch it on the web, and f.lux is a desktop app for changing brightness etc. to make it easier on your eyes while gaming etc.

And PuTTY: I installed that, it's a telnet client. But I think the remainder I will try those; thanks again. I really have cleaned the system since the post, but will try some of your additions just to be sure. Before, I could not even update Windows, but after running my own list I no longer have the service running or the malicious drivers or malicious processes, so I think I have it whipped. FRST is an awesome addition and the only thing that I was able to do it with.



#5
toxinburn


Okay, here is the new fixlog with some of your fixes added to what I had already done. As you can see, most things were no longer found because of the fix I ran, but my error was on the removal of some of the reg keys. Before the fix I made, I wasn't able to remove some of them because my admin privileges were overridden until I ran the fixlist I had made, but yours at least let me clean up a bit more.

Fix result of Farbar Recovery Scan Tool (x64) Version: 03.05.2018
Ran by sean (05-05-2018 19:26:12) Run:5
Running from H:\
Loaded Profiles: sean (Available Profiles: sean & Mcx1-TOXINBURN & Mcx2-TOXINBURN)
Boot Mode: Normal
==============================================

fixlist content:
*****************
deletekey: HKLM\SYSTEM\ControlSet001\Services\cxtodk <==== ATTENTION (Rootkit!)
S4 windowsmanagementservice; windowsmanagementservice [X] <==== ATTENTION
C:\WINDOWS\system32\drivers\mbrbehlo.sys
HKU\.DEFAULT\Software\Classes\exefile: "%1" %* <==== ATTENTION
HKU\.DEFAULT\Software\Classes\.exe: exefile => "%1" %* <==== ATTENTION
HKU\S-1-5-21-2037235347-66412534-4019770740-1001\Software\Classes\exefile: "%1" %* <==== ATTENTION
HKU\S-1-5-21-2037235347-66412534-4019770740-1001\Software\Classes\.exe: exefile => "%1" %* <==== ATTENTION
C:\Users\sean\AppData\Local\zabnsgh
C:\Users\sean\AppData\Local\wmcagent
2018-05-04 20:27 - 2018-05-04 20:27 - 000000000 ____D C:\Users\sean\AppData\Local\wicdbvr
2018-05-04 01:16 - 2018-05-04 01:16 - 000000000 ____D C:\Users\sean\AppData\Local\rakgwch
018-05-02 19:01 - 2018-05-04 05:34 - 000000000 ____D C:\Users\sean\AppData\Local\cwizvhm
2018-05-02 19:01 - 2018-05-02 19:03 - 000000000 ____D C:\Users\sean\AppData\Local\wmcagent
2018-05-02 18:58 - 2018-05-04 21:16 - 000000000 ____D C:\Users\sean\AppData\Local\zabnsgh
2018-01-10 23:02 - 2018-01-10 23:02 - 000002584 _____ () C:\Users\sean\AppData\Local\AppVShNotifytvbs.txt
2018-01-10 23:02 - 2018-01-10 23:02 - 000002620 _____ () C:\Users\sean\AppData\Local\AppVShNotifytvbs.vbs
2018-05-04 01:02 - 2018-05-04 01:02 - 000000328 _____ () C:\Users\sean\AppData\Local\NetSupport.zip
2014-12-28 18:54 - 2014-12-28 18:54 - 000005088 _____ () C:\Users\sean\AppData\Local\recently-used.xbel
2015-05-25 04:43 - 2015-05-25 04:43 - 000000003 _____ () C:\Users\sean\AppData\Local\updater.log
2015-05-25 04:43 - 2015-10-02 08:57 - 000000424 _____ () C:\Users\sean\AppData\Local\UserProducts.xml
2016-07-30 19:04 - 2016-10-19 01:11 - 000000168 _____ () C:\Users\sean\AppData\Local\uts.ini
2018-01-10 23:02 - 2018-01-10 23:02 - 000938008 _____ () C:\Users\sean\AppData\Local\WindowsCodecsRaw.txt
2018-01-10 23:02 - 2018-01-10 23:02 - 000001756 _____ () C:\Users\sean\AppData\Local\x
2018-01-10 23:02 - 2018-01-10 23:02 - 000001684 _____ () C:\Users\sean\AppData\Local\XML.txt
2018-01-10 23:02 - 2018-01-10 23:02 - 000001759 _____ () C:\Users\sean\AppData\Local\xx
2018-01-10 23:02 - 2018-01-10 23:02 - 000001684 _____ () C:\Users\sean\AppData\Local\XXML.txt
2018-04-14 23:34 - 2018-05-03 20:43 - 000000000 _____ () C:\Users\sean\AppData\Local\Temp\00e481b5e22dbe1f649fcddd505d3eb7.dll
2018-04-14 23:34 - 2018-05-03 20:43 - 000000017 _____ () C:\Users\sean\AppData\Local\Temp\0a72090ab23f8d000c164eb972d31f09.dll
AlternateDataStreams: C:\Users\sean\AppData\Local\daN6X0LGirE:TVLO1hCy78jAmNhnkqk0IQbF [2376]
AlternateDataStreams: C:\Users\sean\AppData\Local\ycCjUgedXJtQm:2rclflufcOozqJBtFJC8BHtWz [2418]
CustomCLSID: HKU\S-1-5-21-2037235347-66412534-4019770740-1001_Classes\CLSID\{E36606FE-036A-4dd0-ABA9-A58F409803F0}\InprocServer32 -> no filepath
C:\Windows\System32\spcwzonsvc.exe
HKLM\...\Run: [eighteenth] => "C:\Program Files (x86)\Brugge\Obese.exe" ceqsgiw
HKLM\...\Run: [eighteenthnormalization] => "C:\Program Files (x86)\corn\ppr.exe" ceqsgiw
HKLM\...\Run: [eighteentheighteenth] => "C:\Program Files (x86)\Ence\Obese.exe" ceqsgiw
HKLM-x32\...\Run: [chatter] => "C:\Program Files (x86)\Brugge\Obese.exe" ceqsgiw
HKLM-x32\...\Run: [chatteroverreaching] => "C:\Program Files (x86)\corn\ppr.exe" ceqsgiw
HKLM-x32\...\Run: [chatterchatter] => "C:\Program Files (x86)\Ence\Obese.exe" ceqsgiw
HKU\S-1-5-21-2037235347-66412534-4019770740-1001\...\Run: [overreaching] => "C:\Program Files (x86)\Brugge\Obese.exe" ceqsgiw
HKU\S-1-5-21-2037235347-66412534-4019770740-1001\...\Run: [overreachingchatter] => "C:\Program Files (x86)\corn\ppr.exe" ceqsgiw
HKU\S-1-5-21-2037235347-66412534-4019770740-1001\...\Run: [overreachingoverreaching] => "C:\Program Files (x86)\Ence\Obese.exe" ceqsgiw
HKU\S-1-5-21-2037235347-66412534-4019770740-1001\...\Run: [normalization] => "C:\Program Files (x86)\Brugge\Obese.exe" ceqsgiw
HKU\S-1-5-21-2037235347-66412534-4019770740-1001\...\Run: [normalizationeighteenth] => "C:\Program Files (x86)\corn\ppr.exe" ceqsgiw
HKU\S-1-5-21-2037235347-66412534-4019770740-1001\...\Run: [normalizationnormalization] => "C:\Program Files (x86)\Ence\Obese.exe" ceqsgiw
HKU\S-1-5-21-2037235347-66412534-4019770740-1001\...\Run: [mouth] => "C:\Program Files (x86)\wimbush\mouth.exe" ceqsgiw
HKU\S-1-5-21-2037235347-66412534-4019770740-1001\...\Run: [neatest] => "C:\Program Files (x86)\Brugge\Obese.exe" ceqsgiw
*****************

HKLM\SYSTEM\ControlSet001\Services\cxtodk <==== ATTENTION (Rootkit!) => not found
windowsmanagementservice => service not found.
"C:\WINDOWS\system32\drivers\mbrbehlo.sys" => not found
"HKU\.DEFAULT\Software\Classes\exefile" => removed successfully
"HKU\.DEFAULT\Software\Classes\.exe" => removed successfully
"HKU\S-1-5-21-2037235347-66412534-4019770740-1001\Software\Classes\exefile" => removed successfully
"HKU\S-1-5-21-2037235347-66412534-4019770740-1001\Software\Classes\.exe" => removed successfully
"C:\Users\sean\AppData\Local\zabnsgh" => not found
"C:\Users\sean\AppData\Local\wmcagent" => not found
"C:\Users\sean\AppData\Local\wicdbvr" => not found
"C:\Users\sean\AppData\Local\rakgwch" => not found
018-05-02 19:01 - 2018-05-04 05:34 - 000000000 ____D C:\Users\sean\AppData\Local\cwizvhm => Error: No automatic fix found for this entry.
"C:\Users\sean\AppData\Local\wmcagent" => not found
"C:\Users\sean\AppData\Local\zabnsgh" => not found
C:\Users\sean\AppData\Local\AppVShNotifytvbs.txt => moved successfully
C:\Users\sean\AppData\Local\AppVShNotifytvbs.vbs => moved successfully
"C:\Users\sean\AppData\Local\NetSupport.zip" => not found
C:\Users\sean\AppData\Local\recently-used.xbel => moved successfully
C:\Users\sean\AppData\Local\updater.log => moved successfully
C:\Users\sean\AppData\Local\UserProducts.xml => moved successfully
C:\Users\sean\AppData\Local\uts.ini => moved successfully
C:\Users\sean\AppData\Local\WindowsCodecsRaw.txt => moved successfully
C:\Users\sean\AppData\Local\x => moved successfully
C:\Users\sean\AppData\Local\XML.txt => moved successfully
C:\Users\sean\AppData\Local\xx => moved successfully
C:\Users\sean\AppData\Local\XXML.txt => moved successfully
C:\Users\sean\AppData\Local\Temp\00e481b5e22dbe1f649fcddd505d3eb7.dll => moved successfully
C:\Users\sean\AppData\Local\Temp\0a72090ab23f8d000c164eb972d31f09.dll => moved successfully
C:\Users\sean\AppData\Local\daN6X0LGirE => ":TVLO1hCy78jAmNhnkqk0IQbF" ADS removed successfully
C:\Users\sean\AppData\Local\ycCjUgedXJtQm => ":2rclflufcOozqJBtFJC8BHtWz" ADS removed successfully
"HKU\S-1-5-21-2037235347-66412534-4019770740-1001_Classes\CLSID\{E36606FE-036A-4dd0-ABA9-A58F409803F0}" => removed successfully
"C:\Windows\System32\spcwzonsvc.exe" => not found
"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\eighteenth" => removed successfully
"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\eighteenthnormalization" => removed successfully
"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\eighteentheighteenth" => removed successfully
"HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\chatter" => removed successfully
"HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\chatteroverreaching" => removed successfully
"HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\chatterchatter" => removed successfully
"HKU\S-1-5-21-2037235347-66412534-4019770740-1001\Software\Microsoft\Windows\CurrentVersion\Run\\overreaching" => removed successfully
"HKU\S-1-5-21-2037235347-66412534-4019770740-1001\Software\Microsoft\Windows\CurrentVersion\Run\\overreachingchatter" => removed successfully
"HKU\S-1-5-21-2037235347-66412534-4019770740-1001\Software\Microsoft\Windows\CurrentVersion\Run\\overreachingoverreaching" => removed successfully
"HKU\S-1-5-21-2037235347-66412534-4019770740-1001\Software\Microsoft\Windows\CurrentVersion\Run\\normalization" => removed successfully
"HKU\S-1-5-21-2037235347-66412534-4019770740-1001\Software\Microsoft\Windows\CurrentVersion\Run\\normalizationeighteenth" => removed successfully
"HKU\S-1-5-21-2037235347-66412534-4019770740-1001\Software\Microsoft\Windows\CurrentVersion\Run\\normalizationnormalization" => removed successfully
"HKU\S-1-5-21-2037235347-66412534-4019770740-1001\Software\Microsoft\Windows\CurrentVersion\Run\\mouth" => removed successfully
"HKU\S-1-5-21-2037235347-66412534-4019770740-1001\Software\Microsoft\Windows\CurrentVersion\Run\\neatest" => removed successfully

==== End of Fixlog 19:26:13 ====


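A small parser for the Fixlog.txt layout shown above, added here as an example and not part of this thread or of FRST itself. It separates the echoed fixlist from FRST's per-entry verdicts, tallies what was removed, what was already gone and what errored, and lints the fixlist for the two problems visible in the posted log: a listing line with a truncated date (which FRST rejects with "No automatic fix found for this entry") and an object listed twice (whose second copy can only report "not found"). The sample log is a constructed excerpt built from lines of the log above.

```python
import re
from collections import namedtuple

# Constructed excerpt in the layout FRST writes to Fixlog.txt; the entries are copied
# from the log posted above, not the complete log.
SAMPLE_FIXLOG = r"""
Fix result of Farbar Recovery Scan Tool (x64) Version: 03.05.2018
fixlist content:
*****************
deletekey: HKLM\SYSTEM\ControlSet001\Services\cxtodk <==== ATTENTION (Rootkit!)
HKU\.DEFAULT\Software\Classes\exefile: "%1" %* <==== ATTENTION
C:\Users\sean\AppData\Local\wmcagent
018-05-02 19:01 - 2018-05-04 05:34 - 000000000 ____D C:\Users\sean\AppData\Local\cwizvhm
2018-05-02 19:01 - 2018-05-02 19:03 - 000000000 ____D C:\Users\sean\AppData\Local\wmcagent
AlternateDataStreams: C:\Users\sean\AppData\Local\daN6X0LGirE:TVLO1hCy78jAmNhnkqk0IQbF [2376]
*****************

HKLM\SYSTEM\ControlSet001\Services\cxtodk <==== ATTENTION (Rootkit!) => not found
"HKU\.DEFAULT\Software\Classes\exefile" => removed successfully
"C:\Users\sean\AppData\Local\wmcagent" => not found
018-05-02 19:01 - 2018-05-04 05:34 - 000000000 ____D C:\Users\sean\AppData\Local\cwizvhm => Error: No automatic fix found for this entry.
"C:\Users\sean\AppData\Local\wmcagent" => not found
C:\Users\sean\AppData\Local\daN6X0LGirE => ":TVLO1hCy78jAmNhnkqk0IQbF" ADS removed successfully

==== End of Fixlog 19:26:13 ====
"""

# Strict FRST listing line: "YYYY-MM-DD HH:MM - YYYY-MM-DD HH:MM - <9-digit size> <attrs> <path>"
LISTING_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d{9} ")
# Looser shape that also matches a listing line whose date was damaged (e.g. "018-05-02 ...")
LOOSE_LISTING_RE = re.compile(r"^\d{1,4}-\d{2}-\d{2} \d{2}:\d{2} - ")
# target: key/file/service/stream acted on; outcome: FRST's verdict after "=>"; status: classify()
FixResult = namedtuple("FixResult", "target outcome status")

def split_sections(text):
    """Return (fixlist_lines, result_lines): the echoed fixlist and FRST's per-entry verdicts."""
    lines = [l for l in text.splitlines() if l.strip()]
    marks = [i for i, l in enumerate(lines) if l.strip() == "*****************"]
    end = next((i for i, l in enumerate(lines) if l.startswith("==== End of Fixlog")), len(lines))
    return lines[marks[0] + 1:marks[1]], lines[marks[1] + 1:end]

def classify(outcome):
    if outcome.startswith("Error:"):
        return "error"
    if "not found" in outcome:
        return "not_found"
    return "done" if "successfully" in outcome else "other"

def parse_results(result_lines):
    parsed = []
    for line in result_lines:
        target, sep, outcome = line.rpartition(" => ")
        if sep:  # lines without a verdict are skipped
            parsed.append(FixResult(target.strip('"'), outcome.strip(), classify(outcome)))
    return parsed

def target_of(entry):
    """Normalise an entry to the object it names, so a bare path and a listing line compare equal."""
    m = LISTING_RE.match(entry)
    if not m:
        return entry.strip('"').lower()
    return entry[m.end():].split(None, 1)[-1].lower()  # drop the attribute column

def lint_fixlist(fixlist_lines):
    """Pre-flight checks for the two defects visible in the posted log."""
    warnings, seen = [], set()
    for entry in fixlist_lines:
        if LOOSE_LISTING_RE.match(entry) and not LISTING_RE.match(entry):
            warnings.append("malformed listing line, FRST will report 'No automatic fix found': " + entry)
            continue
        key = target_of(entry)
        if key in seen:
            warnings.append("duplicate entry, the second copy can only report 'not found': " + entry)
        seen.add(key)
    return warnings

def summarize(text):
    """Tally verdicts by status and attach lint warnings for the echoed fixlist."""
    fixlist, results = split_sections(text)
    counts = {"done": 0, "not_found": 0, "error": 0, "other": 0}
    for r in parse_results(results):
        counts[r.status] += 1
    counts["warnings"] = lint_fixlist(fixlist)
    return counts
```

Run `lint_fixlist` on a fixlist before pressing Fix to catch these two defects; run `summarize` on the resulting Fixlog.txt to see at a glance which entries still need attention.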

#6
toxinburn


Running a new scan for you though, just to see if anything remains. Feeling like I kinda got the hang of utilizing this after examination of many other fixlists that I have found; it's really cool to be able to build a customized fix like this. And I purposely disabled the Windows antivirus stuff myself in the past, manually, because I just never really cared for it and I didn't like how Microsoft tried to force a lot of stuff on the consumer with Win 10. Anyhow, the new scans are attached. I am now able to update Windows to the 1803 update etc., which I was not before due to problems with escalated privileges. My next move will be to examine the quarantine more thoroughly, because I want to see what I can find out about the person responsible for this rootkit and exactly what info they may have been stealing from me; it is actually pretty interesting.

Attached Files



#7
JSntgRvr


Thanks, toxinburn.

Were you able to run FRST in the Recovery Environment?

The following actions are in Normal Mode.

Please remove the following program:

GameLauncher

  • Highlight the entire content of the quote box below.

Start::

U0 cxtodk; system32\drivers\mbrbehlo.sys [X]
U0 SR; no ImagePath
U2 srservice; no ImagePath
FirewallRules: [{325DB730-BF8C-478D-92F3-C8217062A3F6}] => (Allow) LPort=9033
FirewallRules: [{5634D1C1-AA9C-446B-A392-E56161A91A35}] => (Allow) LPort=9033
FirewallRules: [{C56E2C74-CB86-4217-BC95-A1853DEC782C}] => (Allow) LPort=12292
FirewallRules: [{7304A553-23BD-4CC2-A398-EF2C5D827871}] => (Allow) LPort=31113
FirewallRules: [{E2C63484-80EC-4CE1-8D99-9504063E22ED}] => (Allow) LPort=31112
FirewallRules: [{1AC6FD5F-09BF-4B1E-8222-FAE24A4A4921}] => (Allow) LPort=31111
FirewallRules: [{240E5175-2865-499E-B31A-1AD1C776D00D}] => (Allow) LPort=31110
FirewallRules: [{C16D04B7-5F6A-45A1-A094-2B4027463407}] => (Allow) LPort=31109
FirewallRules: [{B46069ED-A00B-42F5-B92F-5C18EE5FE5B5}] => (Allow) LPort=31108
FirewallRules: [{4F16EE96-B512-4F91-B947-EDDE8A8E98AB}] => (Allow) LPort=31107
FirewallRules: [{4D855992-B36A-4C10-84C2-7560E5FFA574}] => (Allow) LPort=31106
FirewallRules: [{4C20AC92-2F0D-4EA6-A8C9-23DE1F355046}] => (Allow) LPort=31105
FirewallRules: [{9054A148-01C0-4BA2-8B63-198300D5EB9D}] => (Allow) LPort=31104
FirewallRules: [{36EA9674-4A92-4D38-A54C-2D86794F4B0D}] => (Allow) LPort=20111
FirewallRules: [{FF2B41C1-E139-465C-BE84-1D7A384043D8}] => (Allow) LPort=1689
FirewallRules: [{53F3C693-9466-441C-BCE3-B8B2B9D1F301}] => (Allow) LPort=8920
FirewallRules: [{7C5E8629-87EC-46B4-8633-86089617B526}] => (Allow) LPort=8096
FirewallRules: [{130CEC33-ED11-4993-9C6D-B5C644B291DF}] => (Allow) LPort=7359
FirewallRules: [{1F11A2E1-B791-4525-9522-2A5434F212BB}] => (Allow) LPort=8888
FirewallRules: [{434E93A1-AA33-436A-A1EC-EA93F866C3CE}] => (Allow) LPort=8090
FirewallRules: [{75D3CF3A-E3B9-46B9-95BC-E8320FBD85A0}] => (Allow) LPort=20443
FirewallRules: [{A2F8CA40-60BE-48E3-90FB-5F18CB824BB7}] => (Allow) LPort=33333
FirewallRules: [{D2833600-03F8-4538-BB98-2F328588029E}] => (Allow) LPort=6881
FirewallRules: [{BB3AB843-E8AB-4A40-A209-C38C8217DC63}] => (Allow) LPort=27022
FirewallRules: [{6019BE4F-71A0-414E-80E9-37E2A21D4260}] => (Allow) LPort=7853
FirewallRules: [{7B2BFB66-5456-4BB5-870D-A9799051455B}] => (Allow) LPort=7852
FirewallRules: [{FB12BB9C-6DB0-4A48-847C-D227F86809C1}] => (Allow) LPort=7850
FirewallRules: [{E1658DFB-DC28-4ED5-8674-67EFAB2B8120}] => (Allow) LPort=3478
FirewallRules: [{907BEE3A-294B-4583-930F-BF2052AF05C9}] => (Allow) LPort=20010
FirewallRules: [{F6E474F6-1EB0-418E-A2EC-18E1CE8420B9}] => (Allow) LPort=443
FirewallRules: [{BC952AA4-5696-4EE1-B6F3-951DA301335C}] => (Allow) LPort=80
FirewallRules: [{8673A157-84CD-4450-AFE2-2ABFF5777059}] => (Allow) LPort=1900
FirewallRules: [{B519E6F1-73B1-43E2-A950-2FCB3F2991A3}] => (Allow) LPort=2869
FirewallRules: [{48FD8C0B-93A1-414A-95F3-9F649D43B5C1}] => (Allow) LPort=7935
FirewallRules: [{A0596231-BA07-4C15-8DCD-95A18422E134}] => (Allow) LPort=8888
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
Task: {32EF8FA7-9E1C-4EFB-BBDC-CCE86913225B} - System32\Tasks\Update\Deus Ex Mankind Divided => C:\Users\sean\AppData\Roaming\deusexmd.exe <==== ATTENTION
Task: {61DAAA76-629E-4435-9FE6-B6D6566F1D27} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION
Task: {70AD4AC7-C648-4C9E-8C75-9F55CC320E3D} - \UnHackMe Task Scheduler -> No File <==== ATTENTION
Task: {A6B96A73-214E-4979-AD44-0DF39557B3C8} - \WPD\SqmUpload_S-1-5-21-2037235347-66412534-4019770740-1001 -> No File <==== ATTENTION
Task: {B37E9642-B132-4FBC-AB9E-C41270765705} - \Origin -> No File <==== ATTENTION
ShortcutTarget: Install LastPass FF RunOnce.lnk -> C:\Program Files (x86)\Common Files\wruninstall.exe (No File)
ShortcutTarget: Install LastPass IE RunOnce.lnk -> C:\Program Files (x86)\Common Files\wruninstall.exe (No File)
ShortcutTarget: munich.lnk -> C:\Program Files (x86)\Brugge\Obese.exe (No File)
BHO: No Name -> {56bc31de-97ab-4563-8599-ad5d4e9800f9} -> No File
BHO: No Name -> {963C8283-AE7F-4AA6-9B3B-847A8FC62C5E} -> No File
BHO: Webroot Vault -> {c8d5d964-2be8-4c5b-8cf5-6e975aa88504} -> C:\ProgramData\WRData\pkg\LPBar64.dll => No File
BHO-x32: No Name -> {963C8283-AE7F-4AA6-9B3B-847A8FC62C5E} -> No File
BHO-x32: Webroot Vault -> {c8d5d964-2be8-4c5b-8cf5-6e975aa88504} -> C:\ProgramData\WRData\pkg\LPBar.dll => No File
Toolbar: HKLM - VIPRE Search Guard Toolbar - {A924C17A-5E94-4E02-BED5-49720BA6F7FA} - No File
Toolbar: HKLM - Webroot Toolbar - {97ab88ef-346b-4179-a0b1-7445896547a5} - C:\ProgramData\WRData\pkg\LPBar64.dll No File
Toolbar: HKLM-x32 - VIPRE Search Guard Toolbar - {A924C17A-5E94-4E02-BED5-49720BA6F7FA} - No File
Toolbar: HKLM-x32 - Webroot Toolbar - {97ab88ef-346b-4179-a0b1-7445896547a5} - C:\ProgramData\WRData\pkg\LPBar.dll No File
Toolbar: HKU\S-1-5-21-2037235347-66412534-4019770740-1001 -> VIPRE Search Guard Toolbar - {A924C17A-5E94-4E02-BED5-49720BA6F7FA} - No File
Toolbar: HKU\S-1-5-21-2037235347-66412534-4019770740-1001 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
Handler: vipresg - {47BE2E5B-703B-444F-ABD3-05717D2191C6} - No File
FF Plugin-x32: @esn/esnlaunch,version=2.3.0 -> C:\Program Files (x86)\Battlelog Web Plugins\2.3.0\npesnlaunch.dll [No File]
FF Plugin-x32: @kingsfot.com/npkws -> C:\Program Files (x86)\Kingsoft\kingsoft antivirus\npkws.dll [No File]
FF Plugin HKU\S-1-5-21-2037235347-66412534-4019770740-1001: ubisoft.com/uplaypc -> D:\H.A.W.X. 2\orbit\npuplaypc.dll [No File]
CustomCLSID: HKU\S-1-5-21-2037235347-66412534-4019770740-1001_Classes\CLSID\{0E270DAA-1BE6-48F2-AC49-FE7EDF6CD760}\InprocServer32 -> %%systemroot%%\system32\shell32.dll => No File
ShellIconOverlayIdentifiers: [ YndCase0Sync] -> {63D48440-63AB-44D0-B323-4731DFCDE9E9} => -> No File
ShellIconOverlayIdentifiers: [ YndCase1Modified] -> {7E7DC279-E6BE-4D57-9DEC-14FA0339DBC0} => -> No File
ShellIconOverlayIdentifiers: [ YndCase2Error] -> {FB2FE984-05F5-4512-9D9B-69D3DE61F6D9} => -> No File
ShellIconOverlayIdentifiers: [ YndCase3Shared] -> {AF8D197E-7022-4c3d-BD88-68AD35C9C169} => -> No File
Task: {61DAAA76-629E-4435-9FE6-B6D6566F1D27} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION
Task: {70AD4AC7-C648-4C9E-8C75-9F55CC320E3D} - \UnHackMe Task Scheduler -> No File <==== ATTENTION
Task: {A6B96A73-214E-4979-AD44-0DF39557B3C8} - \WPD\SqmUpload_S-1-5-21-2037235347-66412534-4019770740-1001 -> No File <==== ATTENTION
Task: {B37E9642-B132-4FBC-AB9E-C41270765705} - \Origin -> No File <==== ATTENTION
C:\Windows\System32\drivers\SET*.tmp
EMPTYTEMP:
Reboot:
End::

  • Right click on the highlighted text and select Copy.
  • Start FRST (FRST64) with Administrator privileges
  • Press the Fix button. FRST will process the lines copied above from the clipboard.
  • When finished, a log file (Fixlog.txt) will pop up and be saved in the same location the tool was run from.

Please copy and paste its contents in your next reply.

RogueKiller

  • Download the right version of RogueKiller for your Windows version (32 or 64-bit)
  • Once done, move the executable file to your Desktop, right-click on it and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Click on the Start Scan button in the right panel, which will bring you to another tab, and click on it again (this time it'll be in the bottom right corner)
  • Wait for the scan to complete
  • On completion, the results will be displayed
  • Check every single entry (threat found), and click on the Remove Selected button
  • On completion, the results will be displayed. Click on the Open Report button in the bottom left corner, followed by the Open TXT button (also in the bottom left corner)
  • This will open the report in Notepad. Copy/paste its content in your next reply

AdwCleaner - Fix Mode

  • Download AdwCleaner and move it to your Desktop
  • Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the EULA (I accept), then click on Scan
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Clean button. This will kill all active processes
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply

Your next reply(ies) should therefore contain:

  • Copy/pasted RogueKiller clean log
  • Copy/pasted AdwCleaner clean log
  • Copy/pasted Fixlog.txt log


#8
JSntgRvr


Any progress?



#9
JSntgRvr


Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.

