AOH 0 Posted October 10, 2018
Since yesterday, my PC has been infected with the virus mentioned in the title of the topic, according to Windows Defender. I deleted a couple of programs that were installed along with the virus, but after a couple of restarts, command prompts and unknown programs seem to start along with Windows. In addition, there is a bunch of exclusions for certain programs in folders with made-up names that Windows Defender is unable to scan. I never excluded those folders myself. What is more, these said folders are located in the Program Files (x86), ProgramData, AppData\Local\Temp and WINDOWS\Temp folders of my PC. I refrain from logging in to various sites and apps I used to, at least without creating a new password, since I'm terrified that my personal data will be compromised through the malicious program. I do not know whether they've already been compromised or the worst is yet to come. I will stand by, waiting for further instructions as to how to proceed on the matter. Thank you in advance.
Attachments: scan_181011-012112.txt, Addition.txt, FRST.txt
Kevin Zoll 309 Posted October 10, 2018
Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

(Aztec Media Inc) C:\Program Files (x86)\Assets Manager\smdmf\SmdmFService.exe
HKLM-x32\...\Run: [WebP To PNG Converter Software.exe] => [X]
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKU\S-1-5-21-1508180704-3222819172-3449906844-1000\...\MountPoints2: {87008795-8f8b-11e8-b9cc-5cf37067396f} - "G:\autorun.exe"
HKU\S-1-5-21-1508180704-3222819172-3449906844-1000\...\MountPoints2: {87008f23-8f8b-11e8-b9cc-5cf37067396f} - "F:\autorun.exe"
AppInit_DLLs: C:\ProgramData\Quoteex\Triobam.dll => C:\ProgramData\Quoteex\Triobam.dll [342528 2018-10-10] ()
AppInit_DLLs-x32: C:\ProgramData\Quoteex\Vaia-Nix.dll => C:\ProgramData\Quoteex\Vaia-Nix.dll [460800 2018-10-10] ()
GroupPolicy: Restriction - Chrome <==== ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
HKU\S-1-5-21-1508180704-3222819172-3449906844-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxps://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBRGNclVS1AC6sNoH4gFuGAZQsTZQFfiggvTPFy_SyXz1yPXWf44GlcZytQ5mz79M8Yc8YCketN7Y-SxDw5_yNF_-3R-IXZJ6dAAs8CADCavFxbLhc4FYQF-sfFQNLSWUgFeJlu6kRW6nCXpnPz6pS_x3rTTSxCTw6evkBfCaXfedeOycBTVMNjKLZd&q={searchTerms}
HKU\S-1-5-21-1508180704-3222819172-3449906844-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://search.domaincentar.com
HKU\S-1-5-21-1508180704-3222819172-3449906844-1005\Software\Microsoft\Internet Explorer\Main,Search Page = hxxps://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBRGNclVS1AC6sNoH4gFuGAZQsTZQFfiggvTPFy_SyXz1yPXWf44GlcZytQ5mz79M8Yc8YCketN7Y-SxDw5_yNF_-3R-IXZJ6dAAs8CADCavFxbLhc4FYQF-sfFQNLSWUgFeJlu6kRW6nCXpnPz6pS_x3rTTSxCTw6evkBfCaXfedeOycBTVMNjKLZd&q={searchTerms}
HKU\S-1-5-21-1508180704-3222819172-3449906844-1005\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://%66%65%65%64.%68%65%6C%70%65%72%62%61%72.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBRGNclVS1AC6sNoH4gFuGAZQsTZQFfiggvTPFy_SyXz1yPXWf44GlcZytQ5mz79M8Yc8YCketN7Y-SxDw5_yNF_-3R-IXVV8dB2ZMCy3_E0fw4KWrB614p_Gs592vqm06BXT5-d2cFK79kTFGsEL3DIDW_A12IRLo9QHc9ZaAS2Tm6acNwLV_Ibscz
SearchScopes: HKLM -> {9BB47C17-9C68-4BB3-B188-DD9AF0FD2503} URL = hxxp://www.default-search.net/search?sid=503&aid=112&itype=a&ver=15511&tm=504&src=ds&p={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope {ielnksrch} URL =
SearchScopes: HKLM-x32 -> ielnksrch URL = hxxps://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBRGNclVS1AC6sNoH4gFuGAZQsTZQFfiggvTPFy_SyXz1yPXWf44GlcZytQ5mz79M8Yc8YCketN7Y-SxDw5_yNF_-3R-IXZJ6dAAs8CADCavFxbLhc4FYQF-sfFQNLSWUgFeJlu6kRW6nCXpnPz6pS_x3rTTSxCTw6evkBfCaXfedeOycBTVMNjKLZd&q={searchTerms}
SearchScopes: HKLM-x32 -> {9BB47C17-9C68-4BB3-B188-DD9AF0FD2503} URL = hxxp://www.default-search.net/search?sid=503&aid=112&itype=a&ver=15511&tm=504&src=ds&p={searchTerms}
SearchScopes: HKU\S-1-5-21-1508180704-3222819172-3449906844-1000 -> DefaultScope {ielnksrch} URL = hxxps://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBRGNclVS1AC6sNoH4gFuGAZQsTZQFfiggvTPFy_SyXz1yPXWf44GlcZytQ5mz79M8Yc8YCketN7Y-SxDw5_yNF_-3R-IXZJ6dAAs8CADCavFxbLhc4FYQF-sfFQNLSWUgFeJlu6kRW6nCXpnPz6pS_x3rTTSxCTw6evkBfCaXfedeOycBTVMNjKLZd&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1508180704-3222819172-3449906844-1000 -> {9BB47C17-9C68-4BB3-B188-DD9AF0FD2503} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSSE
SearchScopes: HKU\S-1-5-21-1508180704-3222819172-3449906844-1000 -> {ielnksrch} URL = hxxps://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBRGNclVS1AC6sNoH4gFuGAZQsTZQFfiggvTPFy_SyXz1yPXWf44GlcZytQ5mz79M8Yc8YCketN7Y-SxDw5_yNF_-3R-IXZJ6dAAs8CADCavFxbLhc4FYQF-sfFQNLSWUgFeJlu6kRW6nCXpnPz6pS_x3rTTSxCTw6evkBfCaXfedeOycBTVMNjKLZd&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1508180704-3222819172-3449906844-1005 -> DefaultScope {ielnksrch} URL = hxxps://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBRGNclVS1AC6sNoH4gFuGAZQsTZQFfiggvTPFy_SyXz1yPXWf44GlcZytQ5mz79M8Yc8YCketN7Y-SxDw5_yNF_-3R-IXZJ6dAAs8CADCavFxbLhc4FYQF-sfFQNLSWUgFeJlu6kRW6nCXpnPz6pS_x3rTTSxCTw6evkBfCaXfedeOycBTVMNjKLZd&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1508180704-3222819172-3449906844-1005 -> {ielnksrch} URL = hxxps://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBRGNclVS1AC6sNoH4gFuGAZQsTZQFfiggvTPFy_SyXz1yPXWf44GlcZytQ5mz79M8Yc8YCketN7Y-SxDw5_yNF_-3R-IXZJ6dAAs8CADCavFxbLhc4FYQF-sfFQNLSWUgFeJlu6kRW6nCXpnPz6pS_x3rTTSxCTw6evkBfCaXfedeOycBTVMNjKLZd&q={searchTerms}
FF Homepage: Mozilla\Firefox\Profiles\i57slaKI.default -> file:///C:/ProgramData/Quoteexs/ff.HP
FF NewTab: Mozilla\Firefox\Profiles\i57slaKI.default -> file:///C:/ProgramData/Quoteexs/ff.NT
R1 F06DEFF2-5B9C-490D-910F-35D3A91196222; C:\Program Files (x86)\Assets Manager\smdmf\x64\smdmfmgrc3.cfg [45968 2015-01-28] (Aztec Media Inc)
S1 sqsxejxn; \??\C:\WINDOWS\system32\drivers\sqsxejxn.sys [X]
2018-10-10 00:42 - 2018-10-10 00:42 - 000003292 _____ C:\WINDOWS\System32\Tasks\MAAEe
2018-10-10 00:41 - 2018-10-10 00:41 - 000000000 ____D C:\ProgramData\Quoteexs
2018-10-10 00:40 - 2018-10-10 01:25 - 000000000 ____D C:\ProgramData\Quoteex
2018-10-10 00:40 - 2018-10-10 00:41 - 001413120 _____ C:\Users\Herc\AppData\Local\sham.db
2018-10-10 00:40 - 2018-10-10 00:40 - 007787008 _____ C:\Users\Herc\AppData\Local\agent.dat
2018-10-10 00:40 - 2018-10-10 00:40 - 002018690 _____ C:\Users\Herc\AppData\Local\Funcore.tst
2018-10-10 00:40 - 2018-10-10 00:40 - 000140800 _____ C:\Users\Herc\AppData\Local\installer.dat
2018-10-10 00:40 - 2018-10-10 00:40 - 000126464 _____ C:\Users\Herc\AppData\Local\noah.dat
2018-10-10 00:40 - 2018-10-10 00:40 - 000070896 _____ C:\Users\Herc\AppData\Local\Config.xml
2018-10-10 00:40 - 2018-10-10 00:40 - 000018432 _____ C:\Users\Herc\AppData\Local\Main.dat
2018-10-10 00:40 - 2018-10-10 00:40 - 000016416 _____ C:\Users\Herc\AppData\Local\InstallationConfiguration.xml
2018-10-10 00:40 - 2018-10-10 00:40 - 000005568 _____ C:\Users\Herc\AppData\Local\md.xml
2018-10-11 00:24 - 2015-02-04 14:36 - 000000000 ____D C:\ProgramData\smdmf
2018-10-10 01:19 - 2013-03-11 01:04 - 000724992 _____ (Electronic Arts Inc.) C:\Users\Herc\AppData\Local\Temp\AutoRun.exe
2018-10-10 01:19 - 2013-03-11 01:04 - 000942080 _____ (Electronic Arts Inc.) C:\Users\Herc\AppData\Local\Temp\AutoRunGUI.dll
2018-10-07 22:39 - 2018-04-12 02:35 - 000607840 _____ (Microsoft Corporation) C:\Users\Herc\AppData\Local\Temp\kernel32.dll
2018-09-05 01:33 - 2018-08-21 13:24 - 000641336 _____ (NVIDIA Corporation) C:\Users\Herc\AppData\Local\Temp\nvSCPAPI.dll
2018-09-05 01:33 - 2018-08-21 13:24 - 000730936 _____ (NVIDIA Corporation) C:\Users\Herc\AppData\Local\Temp\nvSCPAPI64.dll
2018-10-06 03:25 - 2018-08-21 13:24 - 000395576 _____ (NVIDIA Corporation) C:\Users\Herc\AppData\Local\Temp\nvStInst.exe
2018-10-10 00:41 - 2018-10-10 00:41 - 000375522 _____ ( ) C:\Users\Herc\AppData\Local\Temp\p121eyvclzl.exe
2018-10-09 13:37 - 2018-10-09 13:37 - 011990292 _____ () C:\Users\Herc\AppData\Local\Temp\setup.dll
2002-08-31 20:07 - 2002-08-31 20:07 - 000270336 _____ () C:\Users\Herc\AppData\Local\Temp\tdll.dll
2018-10-11 00:27 - 2018-10-11 00:27 - 000010725 _____ () C:\Users\Herc\AppData\Local\Temp\wcupdater.exe
ShellIconOverlayIdentifiers: [###MegaShellExtPending] -> {056D528D-CE28-4194-9BA3-BA2E9197FF8C} => C:\Users\Herc\AppData\Local\MEGAsync\ShellExtX64.dll -> No File
ShellIconOverlayIdentifiers: [###MegaShellExtSynced] -> {05B38830-F4E9-4329-978B-1DD28605D202} => C:\Users\Herc\AppData\Local\MEGAsync\ShellExtX64.dll -> No File
ShellIconOverlayIdentifiers: [###MegaShellExtSyncing] -> {0596C850-7BDD-4C9D-AFDF-873BE6890637} => C:\Users\Herc\AppData\Local\MEGAsync\ShellExtX64.dll -> No File
ShellIconOverlayIdentifiers-x32: [###MegaShellExtPending] -> {056D528D-CE28-4194-9BA3-BA2E9197FF8C} => C:\Users\Herc\AppData\Local\MEGAsync\ShellExtX64.dll -> No File
ShellIconOverlayIdentifiers-x32: [###MegaShellExtSynced] -> {05B38830-F4E9-4329-978B-1DD28605D202} => C:\Users\Herc\AppData\Local\MEGAsync\ShellExtX64.dll -> No File
ShellIconOverlayIdentifiers-x32: [###MegaShellExtSyncing] -> {0596C850-7BDD-4C9D-AFDF-873BE6890637} => C:\Users\Herc\AppData\Local\MEGAsync\ShellExtX64.dll -> No File
ContextMenuHandlers1: [###MegaContextMenuExt] -> {0229E5E7-09E9-45CF-9228-0228EC7D5F17} => C:\Users\Herc\AppData\Local\MEGAsync\ShellExtX64.dll -> No File
ContextMenuHandlers1-x32-x32: [ZFAdd] -> {8FF88D27-7BD0-11D1-BFB7-00AA00262A11} => C:\Users\Herc\Downloads\Νέος φάκελος (2)\Νέος φάκελος\Νέος φάκελος\arcext.dll -> No File
ContextMenuHandlers4: [###MegaContextMenuExt] -> {0229E5E7-09E9-45CF-9228-0228EC7D5F17} => C:\Users\Herc\AppData\Local\MEGAsync\ShellExtX64.dll -> No File
ContextMenuHandlers4: [PowerISO] -> {967B2D40-8B7D-4127-9049-61EA0C2C6DCE} => -> No File
ContextMenuHandlers4-x32: [ZFAdd] -> {8FF88D27-7BD0-11D1-BFB7-00AA00262A11} => C:\Users\Herc\Downloads\Νέος φάκελος (2)\Νέος φάκελος\Νέος φάκελος\arcext.dll -> No File
ContextMenuHandlers5: [Gadgets] -> {6B9228DA-9C15-419e-856C-19E768A13BDC} => -> No File
ContextMenuHandlers6: [PowerISO] -> {967B2D40-8B7D-4127-9049-61EA0C2C6DCE} => -> No File
Task: {0C2F2F0F-5259-4830-B641-BB967E1A29F2} - System32\Tasks\RegistryDr_Popup => C:\Program Files (x86)\Registry Dr\Splash.exe <==== ATTENTION
Task: {1222B2A6-2D52-495B-80FB-46327649449D} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {150755D0-136C-452D-B091-5C180275D9D3} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION
Task: {1AB724ED-71E9-4AFB-A258-6632304C431B} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {1FB0339D-2F49-485E-9615-FD4CDF2DD045} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeReminderTime -> No File <==== ATTENTION
Task: {253E6B98-EFE1-4DF0-A7A8-E8FB9AF8F03B} - System32\Tasks\{32BAC0C2-C312-4DD0-B323-421956B8EE4A} => C:\Windows\system32\pcalua.exe -a C:\WINDOWS\st6unst.exe -c -n "H:\TestDrive\ST6UNST.LOG"
Task: {276E8E1C-5ECD-4949-8522-3BB6A126F8D4} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {4BEED759-A77C-441A-AAB3-2D8F68BEDE7C} - System32\Tasks\{7E437A21-476C-4974-96A1-4515102C4C8F} => C:\WINDOWS\system32\pcalua.exe -a F:\AutoRunLauncher.exe -d F:\
Task: {4C1587FC-89FD-4F32-8B62-A87614F355D4} - System32\Tasks\Start Corsair Link => H:\CorsairLINK.exe
Task: {623A466B-926A-4F37-8CC2-5D916E8C5CE8} - System32\Tasks\{D7054C00-64F9-44E7-9527-BA504BEF4891} => C:\Windows\system32\pcalua.exe -a E:\LeagueOfLegends\!\PS\mbig\露出プレ\Install.exe -d E:\LeagueOfLegends\!\PS\mbig\露出プレ
Task: {6A5D9B69-3FD2-4FCB-928C-CE8170C11C54} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {7936610A-D3FF-40EB-9FC7-7D895EDCFAC7} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {81AA7FE7-80EF-4C65-9395-B8743EC9CEA7} - \Microsoft\Windows\Setup\GWXTriggers\OnIdle-5d -> No File <==== ATTENTION
Task: {86F82812-A1DA-47F1-8F48-CAD6CD6D8E7B} - System32\Tasks\Online Application V2G5 => C:\Program Files (x86)\Microleaves\Online Application\Version 2.6.0\Online-Guardian.exe <==== ATTENTION
Task: {87656B93-89F9-4D01-B1D2-27B12298802E} - \Microsoft\Windows\Setup\gwx\rundetector -> No File <==== ATTENTION
Task: {8B690231-322A-449B-8A1C-85A51FA58834} - \Microsoft\Windows\Setup\EOONotify -> No File <==== ATTENTION
Task: {9A18556F-D048-4EF5-A204-91E7A3A23B48} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {9CBE21DB-6B5F-46DA-9D0F-2459C85A9486} - \OfficeSoftwareProtectionPlatform\SvcRestartTask -> No File <==== ATTENTION
Task: {ACEF10B5-DA30-4B74-BD93-91D1E1AAFBFA} - System32\Tasks\Online Application V2G6 => C:\Program Files (x86)\Microleaves\Online Application\Version 2.6.0\Online-Guardian.exe <==== ATTENTION
Task: {AD04F6D4-8791-426C-8000-773C8721B035} - System32\Tasks\Online Application V2G3 => C:\Program Files (x86)\Microleaves\Online Application\Version 2.6.0\Online-Guardian.exe <==== ATTENTION
Task: {AE94A6EB-DC4D-4678-8A10-270AD980F0EB} - System32\Tasks\Online Application V2G1 => C:\Program Files (x86)\Microleaves\Online Application\Version 2.6.0\Online-Guardian.exe <==== ATTENTION
Task: {B8EAC04F-E630-46F3-94C5-23E6867FE6C4} - System32\Tasks\MAAEe => C:\Users\Herc\AppData\Roaming\SSjMN\MAAEe.vbs
Task: {BAD864BB-6925-4A77-8619-FBA1BDA56857} - System32\Tasks\{E22BEDF7-76D4-48C4-9735-41B54F562D5D} => C:\Windows\system32\pcalua.exe -a E:\LeagueOfLegends\!\PS\2000rpg\RPG2000RTP.exe -d E:\LeagueOfLegends\!\PS\2000rpg
Task: {BB1BDBD1-D288-4B9B-AD34-3C227483518F} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {BDBAC117-C5FF-4523-9B87-350D9787922F} - System32\Tasks\RegistryDr_Start => C:\Program Files (x86)\Registry Dr\RegistryDr.exe <==== ATTENTION
Task: {C1FEF1EE-D645-4C20-956D-37C670E65B7B} - System32\Tasks\Online Application V2G4 => C:\Program Files (x86)\Microleaves\Online Application\Version 2.6.0\Online-Guardian.exe <==== ATTENTION
Task: {C6CE1C33-3EFB-4A79-9493-765AF07F57BB} - System32\Tasks\{607A26D3-DA85-4BBD-8C18-EF83FF9AFC05} => C:\WINDOWS\system32\pcalua.exe -a F:\AutoRunLauncher.exe -d F:\
Task: {D2E79D05-EA5E-4772-A723-FF7DCC8FA8B4} - System32\Tasks\{2E411731-3882-4750-BD41-72E046285F79} => C:\WINDOWS\system32\pcalua.exe -a "C:\Users\Herc\Downloads\Castle Attack 2.exe" -d C:\Users\Herc\Downloads
Task: {D3925812-34CF-410A-A314-4AB48E098346} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeTime -> No File <==== ATTENTION
Task: {D9A7D8D5-0819-46DD-A4C2-E1491843287F} - \Microsoft\Windows\Setup\GWXTriggers\Time-Weekend -> No File <==== ATTENTION
Task: {DC46A632-19EB-44B3-9450-45FBA88EF150} - System32\Tasks\Updater_Online_Application => C:\Program Files (x86)\Microleaves\Online Application\Online Application Updater.exe <==== ATTENTION
Task: {E45A7DD1-7496-4E9F-BC22-01969C416E95} - System32\Tasks\{AF04CA07-98F1-4624-AF44-23A94E6F80D7} => C:\Windows\system32\pcalua.exe -a "C:\Users\Herc\Desktop\Νέος φάκελος\Mafia\Setup.exe" -d "C:\Users\Herc\Desktop\Νέος φάκελος\Mafia"
Task: {EA55A283-9264-4DF2-AB12-BEFFF5D5743B} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {F5D0775E-7796-484E-889D-DDCB1F5E8AA0} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {FE46BC80-7C11-4546-8CE9-7617D6E46D76} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: C:\WINDOWS\Tasks\Online Application V2G1.job => C:\Program Files (x86)\Microleaves\Online Application\Version 2.6.0\Online-Guardian.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\Online Application V2G2.job => C:\Program Files (x86)\Microleaves\Online Application\Version 2.6.0\Online-Guardian.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\Online Application V2G3.job => C:\Program Files (x86)\Microleaves\Online Application\Version 2.6.0\Online-Guardian.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\Online Application V2G4.job => C:\Program Files (x86)\Microleaves\Online Application\Version 2.6.0\Online-Guardian.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\Online Application V2G5.job => C:\Program Files (x86)\Microleaves\Online Application\Version 2.6.0\Online-Guardian.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\Online Application V2G6.job => C:\Program Files (x86)\Microleaves\Online Application\Version 2.6.0\Online-Guardian.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\Updater_Online_Application.job => C:\Program Files (x86)\Microleaves\Online Application\Online Application Updater.exe <==== ATTENTION
AlternateDataStreams: C:\ProgramData\MTA San Andreas All:NT [40]
AlternateDataStreams: C:\ProgramData\MTA San Andreas All:NT2 [432]
AlternateDataStreams: C:\ProgramData\TEMP:2CB9631F [134]
C:\Program Files (x86)\Assets Manager\smdmf\SmdmFService.exe
C:\ProgramData\Quoteex\Triobam.dll
C:\WINDOWS\TEMP\Smartbar
C:\Users\Herc\AppData\Roaming\OpenCandy
C:\ProgramData\simplitec
C:\ProgramData\smdmf
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\11598763487076930564" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\APPID\IEDLL.DLL" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\APPID\{6A7CD9EC-D8BD-4340-BCD0-77C09A282921}" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\LINKEY.LINKEY" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\LINKEY" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\LINKEY" /f
Reg: reg delete "HKEY_USERS\S-1-5-21-1508180704-3222819172-3449906844-1000\SOFTWARE\LINKEY" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\SMDMF" /f
Reg: reg delete "HKEY_USERS\.DEFAULT\SOFTWARE\SMDMF" /f
Reg: reg delete "HKEY_USERS\S-1-5-21-1508180704-3222819172-3449906844-1000\SOFTWARE\SMDMF" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\SERVICES\SMDMFSERVICE" /f
Reg: reg delete "HKEY_USERS\S-1-5-21-1508180704-3222819172-3449906844-1000_CLASSES\WOW6432NODE\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}" /f
Reg: reg delete "HKEY_USERS\S-1-5-21-1508180704-3222819172-3449906844-1005_CLASSES\WOW6432NODE\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}" /f
Reg: reg delete "HKEY_USERS\S-1-5-21-1508180704-3222819172-3449906844-1000\SOFTWARE\WEBAPP" /f
C:\ProgramData\Quoteex
C:\Users\Herc\AppData\Local\Temp\is-5LLP8.tmp
C:\Users\Herc\AppData\Local\Temp\is-NCK9V.tmp
C:\Users\Herc\Downloads\CyberLink PowerDVD Ultra 16.0.1713.60 Multilingual + Keygen [SadeemPC]
C:\Users\Herc\Downloads\CyberLink PowerDVD Ultra 17.0.1523.60 Final + Crack-Keygen

Close Notepad.
NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
Run FRST64 and press the Fix button just once and wait. If the tool needed a restart, please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.
Note: If the tool warns you about an outdated version, please download and run the updated version.
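A small triage script, added here as an example and not part of FRST, Emsisoft or the fix above: it reads entries in the FRST log format (a constructed sample copied from the fixlist above, with the long opaque p= tokens shortened), decodes the percent-encoded hostnames behind the hijacked search and start pages, and groups the entries by the persistence mechanism they represent so a reviewer can see what a fixlist is actually removing.

```python
"""Triage helper for FRST-style log entries (added example, not FRST's own code)."""
import re
from urllib.parse import unquote, urlsplit

# Constructed sample: entries copied from the fixlist in this thread, with the
# long opaque "p=" tokens of the hijacked search URLs shortened for readability.
SAMPLE_ENTRIES = [
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION",
    r"GroupPolicy: Restriction - Chrome <==== ATTENTION",
    r'HKU\S-1-5-21-1508180704-3222819172-3449906844-1000\...\MountPoints2: {87008795-8f8b-11e8-b9cc-5cf37067396f} - "G:\autorun.exe"',
    r"AppInit_DLLs: C:\ProgramData\Quoteex\Triobam.dll => C:\ProgramData\Quoteex\Triobam.dll [342528 2018-10-10] ()",
    r"HKU\S-1-5-21-1508180704-3222819172-3449906844-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxps://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_Aw&q={searchTerms}",
    r"HKU\S-1-5-21-1508180704-3222819172-3449906844-1005\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://%66%65%65%64.%68%65%6C%70%65%72%62%61%72.%63%6F%6D/?p=mKO_Aw",
    r"SearchScopes: HKU\S-1-5-21-1508180704-3222819172-3449906844-1000 -> {9BB47C17-9C68-4BB3-B188-DD9AF0FD2503} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSSE",
    r"Task: {B8EAC04F-E630-46F3-94C5-23E6867FE6C4} - System32\Tasks\MAAEe => C:\Users\Herc\AppData\Roaming\SSjMN\MAAEe.vbs",
    r"Task: {1222B2A6-2D52-495B-80FB-46327649449D} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION",
    r"2018-10-10 00:40 - 2018-10-10 00:40 - 000126464 _____ C:\Users\Herc\AppData\Local\noah.dat",
]

# FRST defangs URLs as hxxp/hxxps; urlsplit accepts that scheme, so nothing is re-fanged.
URL_RE = re.compile(r"hxxps?://\S+")
# "created - modified - size attrs [(company)] path" lines from the "One month" file sections.
FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d+ \S+ "
    r"(?:\([^)]*\) )?(?P<path>.+)$"
)


def decode_host(url):
    """Return the real hostname of a defanged URL, undoing %XX encoding.

    The hijacked search pages in this thread hide their hostname as
    %66%65%65%64.%73%6F... ; this turns that back into readable text
    (the name is only decoded, never contacted).
    """
    return unquote(urlsplit(url).netloc).lower()


def classify(entry):
    """Map one FRST entry to (category, detail, obfuscated).

    obfuscated is True only for URL entries whose hostname was percent-encoded,
    which is a strong hint that the entry was planted rather than user-set.
    """
    m = URL_RE.search(entry)
    if m:
        netloc = urlsplit(m.group(0)).netloc
        return ("browser-search", decode_host(m.group(0)), "%" in netloc)
    if entry.startswith("AppInit_DLLs"):
        # DLL loaded into every user-mode process that links user32.dll
        return ("appinit-dll", entry.split(" => ", 1)[0].split(": ", 1)[1], False)
    if "\\MountPoints2:" in entry:
        # cached autorun target for a removable drive
        target = re.search(r'"([^"]+)"', entry)
        return ("autorun-mountpoint", target.group(1) if target else entry, False)
    if entry.startswith("Task:"):
        target = entry.split(" => ", 1)[1] if " => " in entry else entry.split(" - ", 1)[1]
        return ("scheduled-task", target.replace(" <==== ATTENTION", ""), False)
    if "Restriction" in entry and "ATTENTION" in entry:
        # policy keys that cripple Defender / Chrome; FRST marks them ATTENTION
        return ("policy-restriction", entry.split(" <====", 1)[0], False)
    fm = FILE_RE.match(entry)
    if fm:
        return ("recent-file", fm.group("path"), False)
    return ("other", entry, False)


def triage(entries):
    """Classify every entry; returns a list of (category, detail, obfuscated)."""
    return [classify(e) for e in entries]


def summary(entries):
    """Return (per-category counts, sorted list of hosts that were percent-encoded)."""
    counts = {}
    hidden_hosts = set()
    for category, detail, obfuscated in triage(entries):
        counts[category] = counts.get(category, 0) + 1
        if obfuscated:
            hidden_hosts.add(detail)
    return counts, sorted(hidden_hosts)


if __name__ == "__main__":
    for category, detail, obfuscated in triage(SAMPLE_ENTRIES):
        flag = "  [percent-encoded host]" if obfuscated else ""
        print(f"{category:20} {detail}{flag}")
    print(summary(SAMPLE_ENTRIES))
```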
AOH 0 (Author) Posted October 10, 2018
When I try to save the file, a warning pops up regarding the fact that Unicode characters are bound to be lost if the file is encoded in ANSI. Should I encode it in Unicode?
Kevin Zoll 309 Posted October 10, 2018
Yes, use Unicode.
AOH 0 (Author) Posted October 10, 2018
Afterwards, as soon as I place the file in the same folder as FRST64, all I have to do is run the program and click Fix? Should I also post the new FRST and Addition logs?
Kevin Zoll 309 Posted October 11, 2018
Just send the fixlog. I will most likely have you run another tool to find and remove things that are not shown in the FRST and EEK scans.
AOH 0 (Author) Posted October 11, 2018
Here is the fixlog, as requested: Fixlog.txt
Kevin Zoll 309 Posted October 11, 2018
Please download AdwCleaner and save it on your desktop.
Close all open programs and Internet browsers (you may want to print out or write down these instructions first).
Double-click on the AdwCleaner icon to run it. You will need to accept the license agreement from Malwarebytes in order to continue.
Click on the Scan button in the lower-left.
When the scan is done, a log will open in Notepad. You can close this Notepad window before continuing.
If something was found on your computer, then click on the Clean button in the lower-left (where the "Scan" button was earlier).
AdwCleaner will warn you that it will close all running processes (programs). Click OK to continue when ready.
After the cleaning process is done, you will be prompted to restart your computer. Please click Reboot now when ready to restart your computer.
A text file will open in Notepad after the restart (this is the log of what was removed), which you can save on your desktop. Please attach that log file to a reply for me to review.
If you lose that log file for any reason, you can find it at C:\AdwCleaner[C0] on your computer.
AOH 0 (Author) Posted October 11, 2018
AdwCleaner prompted me to an updated version on this site: https://www.malwarebytes.com/adwcleaner/?channel=release Should I download it?
Kevin Zoll 309 Posted October 11, 2018
Yes, update the version.
AOH 0 (Author) Posted October 11, 2018
Here is AdwCleaner's fixlog, as requested: AdwCleaner[C00].txt
Kevin Zoll 309 Posted October 11, 2018
Let's take a fresh look. Run fresh scans with Emsisoft Emergency Kit (EEK) and FRST, and attach the new EEK and FRST scans to your reply. Be sure to let me know how things are running.
AOH 0 (Author) Posted October 11, 2018
A command prompt window popped up for a brief moment right after restarting my PC as requested by AdwCleaner, which did not happen before the "infection". However, I am now able to remove the excluded folders with made-up names in Windows Defender. Other than that, everything else seems to be running smoothly.
Here are the requested logs: scan_181011-033009.txt, FRST.txt
Kevin Zoll 309 Posted October 11, 2018
Still a few things that need to be cleaned up.
Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Windows Startup.lnk [2016-11-28]
ShortcutTarget: Windows Startup.lnk -> C:\Windows\Windows_startup.bat ()
S1 F06DEFF2-5B9C-490D-910F-35D3A91196222; \??\C:\Program Files (x86)\Assets Manager\smdmf\x64\smdmfmgrc3.cfg [X]
2018-10-11 03:06 - 2018-10-11 03:06 - 000000000 ____D C:\ProgramData\simplitec
2018-10-11 03:05 - 2015-02-04 14:36 - 000000000 ____D C:\ProgramData\smdmf
C:\ProgramData\simplitec
C:\ProgramData\smdmf
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\SMDMF" /f
C:\Users\Herc\Downloads\CyberLink PowerDVD Ultra 17.0.1523.60 Final + Crack-Keygen

Close Notepad.
NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
Run FRST64 and press the Fix button just once and wait. If the tool needed a restart, please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.
Note: If the tool warns you about an outdated version, please download and run the updated version.
AOH 0 (Author) Posted October 11, 2018
Here is the new fixlog, as requested: Fixlog.txt
Kevin Zoll 309 Posted October 11, 2018
Because I keep seeing Unicode characters in the log after you run the fix. Changing tools.
Download RogueKiller from https://www.fosshub.com/RogueKiller.html and save it to your desktop.
• Double-click on setup.exe to install RogueKiller. Close all programs and disconnect any USB or external drives before running the tool.
• Right-click RogueKiller.exe and select Run As Administrator to run the tool.
• Once the Prescan has finished, click Scan.
• Once the Status box shows "Scan Finished", click on the "Report" button and attach the scan log to your reply.
This may take a while to run. I'll check the scan report tomorrow after I come back online.
AOH 0 (Author) Posted October 11, 2018
Should I disconnect my external hard drive?
AOH 0 (Author) Posted October 11, 2018
Here's RogueKiller's report, as requested: Report.txt
Kevin Zoll 309 Posted October 11, 2018
Run RogueKiller again, press Scan, and this time select everything it finds and let RogueKiller remove it.
AOH 0 (Author) Posted October 12, 2018
Everything found in the second scan has been removed by RogueKiller. Should I send you the scan log, now that the removal is finished?
Kevin Zoll 309 Posted October 12, 2018
Yes, send me the RogueKiller Clean log, and run fresh scans with Emsisoft and FRST.
AOH 0 (Author) Posted October 12, 2018
Here you go: RogueKiller Report.txt, scan_181013-020800.txt, FRST.txt
Kevin Zoll 309 Posted October 12, 2018
Run the Google Chrome CleanUp Tool. You can also check for malware manually.
Open Chrome.
At the top right, click More Settings.
At the bottom, click Advanced.
Under "Reset and clean up," click Clean up computer.
Click Find.
If you're asked to remove unwanted software, click Remove.

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\CodecPackUpdateChecker.lnk [2014-10-19]
FF NewTab: Mozilla\Firefox\Profiles\i57slaKI.default -> file:///C:/ProgramData/Quoteexs/ff.NT
FF SearchPlugin: C:\Users\Herc\AppData\Roaming\Mozilla\Firefox\Profiles\i57slaKI.default\searchplugins\yahoo-lavasoft-ff59.xml [2018-05-09]
FF Plugin: @esn/npbattlelog,version=2.6.2 -> C:\Program Files (x86)\Battlelog Web Plugins\2.6.2\npbattlelogx64.dll [No File]
FF Plugin-x32: @esn/npbattlelog,version=2.6.2 -> C:\Program Files (x86)\Battlelog Web Plugins\2.6.2\npbattlelog.dll [No File]
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files (x86)\Microsoft SQL Server Compact Edition\Office14\NPSPWRAP.DLL [No File]
FF Plugin HKU\S-1-5-21-1508180704-3222819172-3449906844-1000: ubisoft.com/uplaypc -> C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\npuplaypc.dll [No File]
S3 Disc Soft Ultra Bus Service; H:\Mi Games\Daemon Tools Ultra 5.2.0.0644 + Pre-Cracked - [CrackzSoft]\DAEMON Tools Ultra\DiscSoftBusServiceUltra.exe [5680320 2017-10-26] (Disc Soft Ltd)
2018-10-12 04:00 - 2018-10-12 04:00 - 000000000 ____D C:\ProgramData\simplitec
C:\ProgramData\simplitec

Close Notepad.
NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
Run FRST64 and press the Fix button just once and wait. If the tool needed a restart, please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.
Note: If the tool warns you about an outdated version, please download and run the updated version.
AOH 0 (Author) Posted October 12, 2018
I checked manually for malware through Chrome and nothing was found. Here's FRST's fixlog: Fixlog.txt
Kevin Zoll 309 Posted October 12, 2018
OK, let's take a fresh look. Run a fresh scan with Emsisoft and FRST, and attach the new Emsisoft and FRST scan logs to your reply.
AOH 0 (Author) Posted October 12, 2018
Here you go: scan_181013-024858.txt, FRST.txt
Kevin Zoll 309 Posted October 13, 2018
Your logs look fine. How are things running?
AOH 0 (Author) Posted October 13, 2018
Everything seems fine. My only concern is whether I should change my login passwords or not. Is it possible that they could have been intercepted? What would you suggest?
Kevin Zoll 309 Posted October 13, 2018
What was installed was adware. Normally, adware does not intercept login credentials, but it is not outside the realm of possibility. If you are concerned that your login information was compromised, then go ahead and change your passwords.
AOH 0 (Author) Posted October 13, 2018
Thank you very much for being so helpful and analytical throughout this whole process. I truly appreciate your help and advice. You're doing a great job in maintaining this forum as one of the best one should visit when seeking malware removal expertise. Keep it up. Thank you very much once again.
Kevin Zoll 309 Posted October 13, 2018
You are welcome, and thank you for the vote of confidence. You can delete any tool I had you download.
AOH 0 (Author) Posted October 15, 2018
Will do. Thank you once again for your help.
Kevin Zoll 309 Posted October 15, 2018
You are welcome.
AOH 0 (Author) Posted October 16, 2018
Actually, before deleting the programs I decided to run a final scan, and it looks like a PUP named "Application.AppInstall(A)" and located in C:\ProgramData\simplitec is still there. I remember it showing up in two of the last scans before the logs were finally clean. Could it be coming back after I terminate and start my PC?
Here are the logs of the most recent scans: scan_181016-134513.txt, Addition.txt, FRST.txt
Kevin Zoll 309 Posted October 16, 2018
This is the most likely culprit:
H:\Mi Games\Daemon Tools Ultra 5.2.0.0644 + Pre-Cracked - [CrackzSoft]\DAEMON Tools Ultra\DiscSoftBusServiceUltra.exe
Software piracy is not a victimless activity; in fact, most cracks and keygens are malware. Our company policy is to provide no assistance to users whose systems show the presence of pirated or otherwise improperly licensed and activated software.
AOH 0 Posted October 17, 2018 Author Report Share Posted October 17, 2018 Thank you for bringing this to my attention. I proceeded to completely remove the pirated software from my computer. Here are the new scans: FRST.txt scan_181017-032814.txt Link to post Share on other sites
Kevin Zoll 309 Posted October 17, 2018 Report Share Posted October 17, 2018 Please run FRST again. Next, select and copy the following text, including the words Start:: and End::. Switch back to the FRST program window, and click the Fix button. It should read the fix directly from the clipboard and run the fix. When it is finished, please attach the fixlog.txt file it created in the same folder the FRST program is in. Start::HKU\S-1-5-21-1508180704-3222819172-3449906844-1000\...\MountPoints2: {d713b006-cbe1-11e8-b9e4-5cf37067396f} - "F:\Autorun.exe"S3 Disc Soft Ultra Bus Service; "H:\Mi Games\Daemon Tools Ultra 5.2.0.0644 + Pre-Cracked - [CrackzSoft]\DAEMON Tools Ultra\DiscSoftBusServiceUltra.exe" [X]2018-10-13 14:00 - 2018-10-13 14:00 - 000000000 ____D C:\ProgramData\simplitec2018-10-10 01:17 - 2018-10-10 01:17 - 000000000 ____D C:\ProgramData\DAEMON Tools Ultra2018-10-10 01:11 - 2018-10-10 01:11 - 000000000 ____D C:\Users\Public\Documents\Daemon Tools Images2018-10-10 01:17 - 2018-07-25 02:04 - 000000000 ____D C:\ProgramData\DAEMON Tools ProC:\ProgramData\simplitecEnd:: Link to post Share on other sites
AOH 0 Posted October 17, 2018 Author Report Share Posted October 17, 2018 Here you are: Fixlog.txt Link to post Share on other sites
Kevin Zoll 309 Posted October 18, 2018 Report Share Posted October 18, 2018 OK, Restart the computer and log back on. Let's take a fresh look. Run fresh scans with Emsisoft Emergency Kit (EEK) and FRST, attach the new EEK and FRST scans to your reply. Be sure to let me know how things are running. Link to post Share on other sites
AOH 0 Posted October 18, 2018 Author Report Share Posted October 18, 2018 The problem seems to persist. Here are the new logs: scan_181018-030652.txt FRST.txt Link to post Share on other sites
Kevin Zoll 309 Posted October 18, 2018 Report Share Posted October 18, 2018 I do not see anything else in your logs that would be related to Simplitec and any of their software. Navigate to C:\ProgramData\simplitec and tell me if the folder is empty and if not a list of what is in the folder. Link to post Share on other sites
AOH 0 Posted October 18, 2018 Author Report Share Posted October 18, 2018 The folder is indeed empty. Link to post Share on other sites
Kevin Zoll 309 Posted October 18, 2018 Report Share Posted October 18, 2018 Since the folder is empty, it likely is not something to overly concerned about. You can most likely safely ignore the folder. Link to post Share on other sites
AOH 0 Posted October 18, 2018 Author Report Share Posted October 18, 2018 Should I try to delete the PUP through EEK, restart my PC and run some fresh scans? Link to post Share on other sites
Kevin Zoll 309 Posted October 18, 2018 Report Share Posted October 18, 2018 You can try. If it doesn't delete then there is something preventing the folder from being deleted, like not gaining permission over the folder. Link to post Share on other sites
AOH 0 Posted October 18, 2018 Author Report Share Posted October 18, 2018 Someone under the name "CREATOR OWNER" has rights to that very folder. I managed to remove those rights as well as the PUP through EEK, but after restarting my systerm, the PUP still exists along with the folder. "CREATOR OWNER" still has rights to the folder. Link to post Share on other sites
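A read-only triage script for the recurring C:\ProgramData\simplitec folder, added here as an illustration and not posted by anyone in this thread: it prints the folder's owner and explicit ACL entries (the "CREATOR OWNER" rights mentioned above) and lists services, scheduled tasks and Run keys whose paths mention "simplitec", which is where something recreating an empty folder at every startup would typically be registered. It assumes Windows 10 with PowerShell 5.1 in an elevated session; $Target and $Needle are taken from the folder name in the thread, everything else is generic.

```powershell
# Added triage example (not from the thread). Read-only: it inspects the folder
# and common persistence locations and deletes nothing. Run as administrator.
$Target = 'C:\ProgramData\simplitec'   # folder named in the thread
$Needle = 'simplitec'                  # substring to look for in persistence entries

if (Test-Path -LiteralPath $Target) {
    $acl = Get-Acl -LiteralPath $Target
    "Owner: $($acl.Owner)"
    # Non-inherited entries are the ones an installer added explicitly;
    # inherited ones come from C:\ProgramData and are normal.
    $acl.Access | Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, FileSystemRights, AccessControlType |
        Format-Table -AutoSize
    $count = (Get-ChildItem -LiteralPath $Target -Force | Measure-Object).Count
    "Contents: $count item(s)"
} else {
    "$Target is not present"
}

# Services whose name or binary path mentions the needle.
"--- Services referencing $Needle ---"
Get-CimInstance Win32_Service |
    Where-Object { $_.Name -match $Needle -or $_.PathName -match $Needle } |
    Select-Object Name, State, StartMode, PathName

# Scheduled tasks whose name or action command line mentions the needle.
"--- Scheduled tasks referencing $Needle ---"
Get-ScheduledTask | Where-Object {
    $_.TaskName -match $Needle -or
    (($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -match $Needle)
} | Select-Object TaskName, TaskPath, State

# Autostart Run keys (64-bit, 32-bit view, and current user).
"--- Run keys referencing $Needle ---"
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($k in $runKeys) {
    if (Test-Path -Path $k) {
        # Skip the PS* metadata properties Get-ItemProperty adds to the object.
        (Get-ItemProperty -Path $k).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -match $Needle } |
            ForEach-Object { "$k\$($_.Name) = $($_.Value)" }
    }
}
```

An empty folder that keeps returning with the same explicit ACL after a reboot is usually recreated by one of the entries this lists; an empty result for all three sections is consistent with Kevin's assessment that the leftover poses no threat.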
Kevin Zoll 309 Posted October 18, 2018
Run a scan with RogueKiller and delete anything simplitec-related it finds.

AOH 0 (Author) Posted October 18, 2018
After running a scan with RogueKiller and deleting the findings, both the folder and the PUP are present, according to EEK's scan that I ran after restarting my system. Here are the logs: RogueKiller Report.txt scan_181018-050058.txt FRST.txt

Kevin Zoll 309 Posted October 19, 2018
OK, let's try running AdwCleaner again. Since the folder is empty, it poses no threat.

AOH 0 (Author) Posted October 19, 2018
Should I run new scans with EEK and FRST? Here's AdwCleaner's log: AdwCleaner[S01].txt