Infected with Trojan:Win32/Socelars

Since yesterday, my PC has been infected with the virus mentioned in the title of the topic, according to Windows Defender. I deleted a couple of programs that were installed along with the virus, but after a couple of restarts, command prompts and unknown programs seem to start along with Windows. In addition, there is a bunch of exclusions for certain programs in folders with made-up names that Windows Defender is unable to scan. I never excluded those folders myself. What is more, these folders are located in the Program Files (x86), ProgramData, AppData\Local\Temp and WINDOWS\Temp folders of my PC. I refrain from logging in to various sites and apps I used to, at least without creating a new password, since I'm terrified that my personal data will be compromised through the malicious program. I do not know whether they've already been compromised or the worst is yet to come. I will stand by, waiting for further instructions as to how to proceed on the matter. Thank you in advance.

scan_181011-012112.txt

Addition.txt

FRST.txt


Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

(Aztec Media Inc) C:\Program Files (x86)\Assets Manager\smdmf\SmdmFService.exe
HKLM-x32\...\Run: [WebP To PNG Converter Software.exe] => [X]
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKU\S-1-5-21-1508180704-3222819172-3449906844-1000\...\MountPoints2: {87008795-8f8b-11e8-b9cc-5cf37067396f} - "G:\autorun.exe"
HKU\S-1-5-21-1508180704-3222819172-3449906844-1000\...\MountPoints2: {87008f23-8f8b-11e8-b9cc-5cf37067396f} - "F:\autorun.exe"
AppInit_DLLs: C:\ProgramData\Quoteex\Triobam.dll => C:\ProgramData\Quoteex\Triobam.dll [342528 2018-10-10] ()
AppInit_DLLs-x32: C:\ProgramData\Quoteex\Vaia-Nix.dll => C:\ProgramData\Quoteex\Vaia-Nix.dll [460800 2018-10-10] ()
GroupPolicy: Restriction - Chrome <==== ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
HKU\S-1-5-21-1508180704-3222819172-3449906844-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxps://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBRGNclVS1AC6sNoH4gFuGAZQsTZQFfiggvTPFy_SyXz1yPXWf44GlcZytQ5mz79M8Yc8YCketN7Y-SxDw5_yNF_-3R-IXZJ6dAAs8CADCavFxbLhc4FYQF-sfFQNLSWUgFeJlu6kRW6nCXpnPz6pS_x3rTTSxCTw6evkBfCaXfedeOycBTVMNjKLZd&q={searchTerms}
HKU\S-1-5-21-1508180704-3222819172-3449906844-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://search.domaincentar.com
HKU\S-1-5-21-1508180704-3222819172-3449906844-1005\Software\Microsoft\Internet Explorer\Main,Search Page = hxxps://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBRGNclVS1AC6sNoH4gFuGAZQsTZQFfiggvTPFy_SyXz1yPXWf44GlcZytQ5mz79M8Yc8YCketN7Y-SxDw5_yNF_-3R-IXZJ6dAAs8CADCavFxbLhc4FYQF-sfFQNLSWUgFeJlu6kRW6nCXpnPz6pS_x3rTTSxCTw6evkBfCaXfedeOycBTVMNjKLZd&q={searchTerms}
HKU\S-1-5-21-1508180704-3222819172-3449906844-1005\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://%66%65%65%64.%68%65%6C%70%65%72%62%61%72.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBRGNclVS1AC6sNoH4gFuGAZQsTZQFfiggvTPFy_SyXz1yPXWf44GlcZytQ5mz79M8Yc8YCketN7Y-SxDw5_yNF_-3R-IXVV8dB2ZMCy3_E0fw4KWrB614p_Gs592vqm06BXT5-d2cFK79kTFGsEL3DIDW_A12IRLo9QHc9ZaAS2Tm6acNwLV_Ibscz
SearchScopes: HKLM -> {9BB47C17-9C68-4BB3-B188-DD9AF0FD2503} URL = hxxp://www.default-search.net/search?sid=503&aid=112&itype=a&ver=15511&tm=504&src=ds&p={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope {ielnksrch} URL =
SearchScopes: HKLM-x32 -> ielnksrch URL = hxxps://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBRGNclVS1AC6sNoH4gFuGAZQsTZQFfiggvTPFy_SyXz1yPXWf44GlcZytQ5mz79M8Yc8YCketN7Y-SxDw5_yNF_-3R-IXZJ6dAAs8CADCavFxbLhc4FYQF-sfFQNLSWUgFeJlu6kRW6nCXpnPz6pS_x3rTTSxCTw6evkBfCaXfedeOycBTVMNjKLZd&q={searchTerms}
SearchScopes: HKLM-x32 -> {9BB47C17-9C68-4BB3-B188-DD9AF0FD2503} URL = hxxp://www.default-search.net/search?sid=503&aid=112&itype=a&ver=15511&tm=504&src=ds&p={searchTerms}
SearchScopes: HKU\S-1-5-21-1508180704-3222819172-3449906844-1000 -> DefaultScope {ielnksrch} URL = hxxps://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBRGNclVS1AC6sNoH4gFuGAZQsTZQFfiggvTPFy_SyXz1yPXWf44GlcZytQ5mz79M8Yc8YCketN7Y-SxDw5_yNF_-3R-IXZJ6dAAs8CADCavFxbLhc4FYQF-sfFQNLSWUgFeJlu6kRW6nCXpnPz6pS_x3rTTSxCTw6evkBfCaXfedeOycBTVMNjKLZd&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1508180704-3222819172-3449906844-1000 -> {9BB47C17-9C68-4BB3-B188-DD9AF0FD2503} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSSE
SearchScopes: HKU\S-1-5-21-1508180704-3222819172-3449906844-1000 -> {ielnksrch} URL = hxxps://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBRGNclVS1AC6sNoH4gFuGAZQsTZQFfiggvTPFy_SyXz1yPXWf44GlcZytQ5mz79M8Yc8YCketN7Y-SxDw5_yNF_-3R-IXZJ6dAAs8CADCavFxbLhc4FYQF-sfFQNLSWUgFeJlu6kRW6nCXpnPz6pS_x3rTTSxCTw6evkBfCaXfedeOycBTVMNjKLZd&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1508180704-3222819172-3449906844-1005 -> DefaultScope {ielnksrch} URL = hxxps://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBRGNclVS1AC6sNoH4gFuGAZQsTZQFfiggvTPFy_SyXz1yPXWf44GlcZytQ5mz79M8Yc8YCketN7Y-SxDw5_yNF_-3R-IXZJ6dAAs8CADCavFxbLhc4FYQF-sfFQNLSWUgFeJlu6kRW6nCXpnPz6pS_x3rTTSxCTw6evkBfCaXfedeOycBTVMNjKLZd&q={searchTerms}
SearchScopes: HKU\S-1-5-21-1508180704-3222819172-3449906844-1005 -> {ielnksrch} URL = hxxps://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBRGNclVS1AC6sNoH4gFuGAZQsTZQFfiggvTPFy_SyXz1yPXWf44GlcZytQ5mz79M8Yc8YCketN7Y-SxDw5_yNF_-3R-IXZJ6dAAs8CADCavFxbLhc4FYQF-sfFQNLSWUgFeJlu6kRW6nCXpnPz6pS_x3rTTSxCTw6evkBfCaXfedeOycBTVMNjKLZd&q={searchTerms}
FF Homepage: Mozilla\Firefox\Profiles\i57slaKI.default -> file:///C:/ProgramData/Quoteexs/ff.HP
FF NewTab: Mozilla\Firefox\Profiles\i57slaKI.default -> file:///C:/ProgramData/Quoteexs/ff.NT
R1 F06DEFF2-5B9C-490D-910F-35D3A91196222; C:\Program Files (x86)\Assets Manager\smdmf\x64\smdmfmgrc3.cfg [45968 2015-01-28] (Aztec Media Inc)
S1 sqsxejxn; \??\C:\WINDOWS\system32\drivers\sqsxejxn.sys [X]
2018-10-10 00:42 - 2018-10-10 00:42 - 000003292 _____ C:\WINDOWS\System32\Tasks\MAAEe
2018-10-10 00:41 - 2018-10-10 00:41 - 000000000 ____D C:\ProgramData\Quoteexs
2018-10-10 00:40 - 2018-10-10 01:25 - 000000000 ____D C:\ProgramData\Quoteex
2018-10-10 00:40 - 2018-10-10 00:41 - 001413120 _____ C:\Users\Herc\AppData\Local\sham.db
2018-10-10 00:40 - 2018-10-10 00:40 - 007787008 _____ C:\Users\Herc\AppData\Local\agent.dat
2018-10-10 00:40 - 2018-10-10 00:40 - 002018690 _____ C:\Users\Herc\AppData\Local\Funcore.tst
2018-10-10 00:40 - 2018-10-10 00:40 - 000140800 _____ C:\Users\Herc\AppData\Local\installer.dat
2018-10-10 00:40 - 2018-10-10 00:40 - 000126464 _____ C:\Users\Herc\AppData\Local\noah.dat
2018-10-10 00:40 - 2018-10-10 00:40 - 000070896 _____ C:\Users\Herc\AppData\Local\Config.xml
2018-10-10 00:40 - 2018-10-10 00:40 - 000018432 _____ C:\Users\Herc\AppData\Local\Main.dat
2018-10-10 00:40 - 2018-10-10 00:40 - 000016416 _____ C:\Users\Herc\AppData\Local\InstallationConfiguration.xml
2018-10-10 00:40 - 2018-10-10 00:40 - 000005568 _____ C:\Users\Herc\AppData\Local\md.xml
2018-10-11 00:24 - 2015-02-04 14:36 - 000000000 ____D C:\ProgramData\smdmf
2018-10-10 01:19 - 2013-03-11 01:04 - 000724992 _____ (Electronic Arts Inc.) C:\Users\Herc\AppData\Local\Temp\AutoRun.exe
2018-10-10 01:19 - 2013-03-11 01:04 - 000942080 _____ (Electronic Arts Inc.) C:\Users\Herc\AppData\Local\Temp\AutoRunGUI.dll
2018-10-07 22:39 - 2018-04-12 02:35 - 000607840 _____ (Microsoft Corporation) C:\Users\Herc\AppData\Local\Temp\kernel32.dll
2018-09-05 01:33 - 2018-08-21 13:24 - 000641336 _____ (NVIDIA Corporation) C:\Users\Herc\AppData\Local\Temp\nvSCPAPI.dll
2018-09-05 01:33 - 2018-08-21 13:24 - 000730936 _____ (NVIDIA Corporation) C:\Users\Herc\AppData\Local\Temp\nvSCPAPI64.dll
2018-10-06 03:25 - 2018-08-21 13:24 - 000395576 _____ (NVIDIA Corporation) C:\Users\Herc\AppData\Local\Temp\nvStInst.exe
2018-10-10 00:41 - 2018-10-10 00:41 - 000375522 _____ (                                                            ) C:\Users\Herc\AppData\Local\Temp\p121eyvclzl.exe
2018-10-09 13:37 - 2018-10-09 13:37 - 011990292 _____ () C:\Users\Herc\AppData\Local\Temp\setup.dll
2002-08-31 20:07 - 2002-08-31 20:07 - 000270336 _____ () C:\Users\Herc\AppData\Local\Temp\tdll.dll
2018-10-11 00:27 - 2018-10-11 00:27 - 000010725 _____ () C:\Users\Herc\AppData\Local\Temp\wcupdater.exe
ShellIconOverlayIdentifiers: [###MegaShellExtPending] -> {056D528D-CE28-4194-9BA3-BA2E9197FF8C} => C:\Users\Herc\AppData\Local\MEGAsync\ShellExtX64.dll -> No File
ShellIconOverlayIdentifiers: [###MegaShellExtSynced] -> {05B38830-F4E9-4329-978B-1DD28605D202} => C:\Users\Herc\AppData\Local\MEGAsync\ShellExtX64.dll -> No File
ShellIconOverlayIdentifiers: [###MegaShellExtSyncing] -> {0596C850-7BDD-4C9D-AFDF-873BE6890637} => C:\Users\Herc\AppData\Local\MEGAsync\ShellExtX64.dll -> No File
ShellIconOverlayIdentifiers-x32: [###MegaShellExtPending] -> {056D528D-CE28-4194-9BA3-BA2E9197FF8C} => C:\Users\Herc\AppData\Local\MEGAsync\ShellExtX64.dll -> No File
ShellIconOverlayIdentifiers-x32: [###MegaShellExtSynced] -> {05B38830-F4E9-4329-978B-1DD28605D202} => C:\Users\Herc\AppData\Local\MEGAsync\ShellExtX64.dll -> No File
ShellIconOverlayIdentifiers-x32: [###MegaShellExtSyncing] -> {0596C850-7BDD-4C9D-AFDF-873BE6890637} => C:\Users\Herc\AppData\Local\MEGAsync\ShellExtX64.dll -> No File
ContextMenuHandlers1: [###MegaContextMenuExt] -> {0229E5E7-09E9-45CF-9228-0228EC7D5F17} => C:\Users\Herc\AppData\Local\MEGAsync\ShellExtX64.dll -> No File
ContextMenuHandlers1-x32-x32: [ZFAdd] -> {8FF88D27-7BD0-11D1-BFB7-00AA00262A11} => C:\Users\Herc\Downloads\Νέος φάκελος (2)\Νέος φάκελος\Νέος φάκελος\arcext.dll -> No File
ContextMenuHandlers4: [###MegaContextMenuExt] -> {0229E5E7-09E9-45CF-9228-0228EC7D5F17} => C:\Users\Herc\AppData\Local\MEGAsync\ShellExtX64.dll -> No File
ContextMenuHandlers4: [PowerISO] -> {967B2D40-8B7D-4127-9049-61EA0C2C6DCE} =>  -> No File
ContextMenuHandlers4-x32: [ZFAdd] -> {8FF88D27-7BD0-11D1-BFB7-00AA00262A11} => C:\Users\Herc\Downloads\Νέος φάκελος (2)\Νέος φάκελος\Νέος φάκελος\arcext.dll -> No File
ContextMenuHandlers5: [Gadgets] -> {6B9228DA-9C15-419e-856C-19E768A13BDC} =>  -> No File
ContextMenuHandlers6: [PowerISO] -> {967B2D40-8B7D-4127-9049-61EA0C2C6DCE} =>  -> No File
Task: {0C2F2F0F-5259-4830-B641-BB967E1A29F2} - System32\Tasks\RegistryDr_Popup => C:\Program Files (x86)\Registry Dr\Splash.exe <==== ATTENTION
Task: {1222B2A6-2D52-495B-80FB-46327649449D} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {150755D0-136C-452D-B091-5C180275D9D3} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION
Task: {1AB724ED-71E9-4AFB-A258-6632304C431B} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {1FB0339D-2F49-485E-9615-FD4CDF2DD045} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeReminderTime -> No File <==== ATTENTION
Task: {253E6B98-EFE1-4DF0-A7A8-E8FB9AF8F03B} - System32\Tasks\{32BAC0C2-C312-4DD0-B323-421956B8EE4A} => C:\Windows\system32\pcalua.exe -a C:\WINDOWS\st6unst.exe -c -n "H:\TestDrive\ST6UNST.LOG"
Task: {276E8E1C-5ECD-4949-8522-3BB6A126F8D4} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {4BEED759-A77C-441A-AAB3-2D8F68BEDE7C} - System32\Tasks\{7E437A21-476C-4974-96A1-4515102C4C8F} => C:\WINDOWS\system32\pcalua.exe -a F:\AutoRunLauncher.exe -d F:\
Task: {4C1587FC-89FD-4F32-8B62-A87614F355D4} - System32\Tasks\Start Corsair Link => H:\CorsairLINK.exe
Task: {623A466B-926A-4F37-8CC2-5D916E8C5CE8} - System32\Tasks\{D7054C00-64F9-44E7-9527-BA504BEF4891} => C:\Windows\system32\pcalua.exe -a E:\LeagueOfLegends\!\PS\mbig\露出プレ\Install.exe -d E:\LeagueOfLegends\!\PS\mbig\露出プレ
Task: {6A5D9B69-3FD2-4FCB-928C-CE8170C11C54} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {7936610A-D3FF-40EB-9FC7-7D895EDCFAC7} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {81AA7FE7-80EF-4C65-9395-B8743EC9CEA7} - \Microsoft\Windows\Setup\GWXTriggers\OnIdle-5d -> No File <==== ATTENTION
Task: {86F82812-A1DA-47F1-8F48-CAD6CD6D8E7B} - System32\Tasks\Online Application V2G5 => C:\Program Files (x86)\Microleaves\Online Application\Version 2.6.0\Online-Guardian.exe <==== ATTENTION
Task: {87656B93-89F9-4D01-B1D2-27B12298802E} - \Microsoft\Windows\Setup\gwx\rundetector -> No File <==== ATTENTION
Task: {8B690231-322A-449B-8A1C-85A51FA58834} - \Microsoft\Windows\Setup\EOONotify -> No File <==== ATTENTION
Task: {9A18556F-D048-4EF5-A204-91E7A3A23B48} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {9CBE21DB-6B5F-46DA-9D0F-2459C85A9486} - \OfficeSoftwareProtectionPlatform\SvcRestartTask -> No File <==== ATTENTION
Task: {ACEF10B5-DA30-4B74-BD93-91D1E1AAFBFA} - System32\Tasks\Online Application V2G6 => C:\Program Files (x86)\Microleaves\Online Application\Version 2.6.0\Online-Guardian.exe <==== ATTENTION
Task: {AD04F6D4-8791-426C-8000-773C8721B035} - System32\Tasks\Online Application V2G3 => C:\Program Files (x86)\Microleaves\Online Application\Version 2.6.0\Online-Guardian.exe <==== ATTENTION
Task: {AE94A6EB-DC4D-4678-8A10-270AD980F0EB} - System32\Tasks\Online Application V2G1 => C:\Program Files (x86)\Microleaves\Online Application\Version 2.6.0\Online-Guardian.exe <==== ATTENTION
Task: {B8EAC04F-E630-46F3-94C5-23E6867FE6C4} - System32\Tasks\MAAEe => C:\Users\Herc\AppData\Roaming\SSjMN\MAAEe.vbs
Task: {BAD864BB-6925-4A77-8619-FBA1BDA56857} - System32\Tasks\{E22BEDF7-76D4-48C4-9735-41B54F562D5D} => C:\Windows\system32\pcalua.exe -a E:\LeagueOfLegends\!\PS\2000rpg\RPG2000RTP.exe -d E:\LeagueOfLegends\!\PS\2000rpg
Task: {BB1BDBD1-D288-4B9B-AD34-3C227483518F} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {BDBAC117-C5FF-4523-9B87-350D9787922F} - System32\Tasks\RegistryDr_Start => C:\Program Files (x86)\Registry Dr\RegistryDr.exe <==== ATTENTION
Task: {C1FEF1EE-D645-4C20-956D-37C670E65B7B} - System32\Tasks\Online Application V2G4 => C:\Program Files (x86)\Microleaves\Online Application\Version 2.6.0\Online-Guardian.exe <==== ATTENTION
Task: {C6CE1C33-3EFB-4A79-9493-765AF07F57BB} - System32\Tasks\{607A26D3-DA85-4BBD-8C18-EF83FF9AFC05} => C:\WINDOWS\system32\pcalua.exe -a F:\AutoRunLauncher.exe -d F:\
Task: {D2E79D05-EA5E-4772-A723-FF7DCC8FA8B4} - System32\Tasks\{2E411731-3882-4750-BD41-72E046285F79} => C:\WINDOWS\system32\pcalua.exe -a "C:\Users\Herc\Downloads\Castle Attack 2.exe" -d C:\Users\Herc\Downloads
Task: {D3925812-34CF-410A-A314-4AB48E098346} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeTime -> No File <==== ATTENTION
Task: {D9A7D8D5-0819-46DD-A4C2-E1491843287F} - \Microsoft\Windows\Setup\GWXTriggers\Time-Weekend -> No File <==== ATTENTION
Task: {DC46A632-19EB-44B3-9450-45FBA88EF150} - System32\Tasks\Updater_Online_Application => C:\Program Files (x86)\Microleaves\Online Application\Online Application Updater.exe <==== ATTENTION
Task: {E45A7DD1-7496-4E9F-BC22-01969C416E95} - System32\Tasks\{AF04CA07-98F1-4624-AF44-23A94E6F80D7} => C:\Windows\system32\pcalua.exe -a "C:\Users\Herc\Desktop\Νέος φάκελος\Mafia\Setup.exe" -d "C:\Users\Herc\Desktop\Νέος φάκελος\Mafia"
Task: {EA55A283-9264-4DF2-AB12-BEFFF5D5743B} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {F5D0775E-7796-484E-889D-DDCB1F5E8AA0} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {FE46BC80-7C11-4546-8CE9-7617D6E46D76} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: C:\WINDOWS\Tasks\Online Application V2G1.job => C:\Program Files (x86)\Microleaves\Online Application\Version 2.6.0\Online-Guardian.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\Online Application V2G2.job => C:\Program Files (x86)\Microleaves\Online Application\Version 2.6.0\Online-Guardian.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\Online Application V2G3.job => C:\Program Files (x86)\Microleaves\Online Application\Version 2.6.0\Online-Guardian.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\Online Application V2G4.job => C:\Program Files (x86)\Microleaves\Online Application\Version 2.6.0\Online-Guardian.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\Online Application V2G5.job => C:\Program Files (x86)\Microleaves\Online Application\Version 2.6.0\Online-Guardian.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\Online Application V2G6.job => C:\Program Files (x86)\Microleaves\Online Application\Version 2.6.0\Online-Guardian.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\Updater_Online_Application.job => C:\Program Files (x86)\Microleaves\Online Application\Online Application Updater.exe <==== ATTENTION
AlternateDataStreams: C:\ProgramData\MTA San Andreas All:NT [40]
AlternateDataStreams: C:\ProgramData\MTA San Andreas All:NT2 [432]
AlternateDataStreams: C:\ProgramData\TEMP:2CB9631F [134]
C:\Program Files (x86)\Assets Manager\smdmf\SmdmFService.exe
C:\ProgramData\Quoteex\Triobam.dll
C:\WINDOWS\TEMP\Smartbar
C:\Users\Herc\AppData\Roaming\OpenCandy
C:\ProgramData\simplitec
C:\ProgramData\smdmf
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\11598763487076930564" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\APPID\IEDLL.DLL" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\APPID\{6A7CD9EC-D8BD-4340-BCD0-77C09A282921}" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\LINKEY.LINKEY" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\LINKEY" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\LINKEY" /f
Reg: reg delete "HKEY_USERS\S-1-5-21-1508180704-3222819172-3449906844-1000\SOFTWARE\LINKEY" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\SMDMF" /f
Reg: reg delete "HKEY_USERS\.DEFAULT\SOFTWARE\SMDMF" /f
Reg: reg delete "HKEY_USERS\S-1-5-21-1508180704-3222819172-3449906844-1000\SOFTWARE\SMDMF" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\SERVICES\SMDMFSERVICE" /f
Reg: reg delete "HKEY_USERS\S-1-5-21-1508180704-3222819172-3449906844-1000_CLASSES\WOW6432NODE\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}" /f
Reg: reg delete "HKEY_USERS\S-1-5-21-1508180704-3222819172-3449906844-1005_CLASSES\WOW6432NODE\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}" /f
Reg: reg delete "HKEY_USERS\S-1-5-21-1508180704-3222819172-3449906844-1000\SOFTWARE\WEBAPP" /f
C:\ProgramData\Quoteex
C:\Users\Herc\AppData\Local\Temp\is-5LLP8.tmp
C:\Users\Herc\AppData\Local\Temp\is-NCK9V.tmp
C:\Users\Herc\Downloads\CyberLink PowerDVD Ultra 16.0.1713.60 Multilingual + Keygen [SadeemPC]
C:\Users\Herc\Downloads\CyberLink PowerDVD Ultra 17.0.1523.60 Final + Crack-Keygen

Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait.

If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.
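For anyone reading a fixlist like the one above: the search-page entries whose hostnames appear as runs of %XX are ordinary domain names hidden with URL percent-encoding, and FRST writes schemes as hxxp/hxxps so the log cannot be clicked by accident. The Python below is an added example written for this page, not part of the thread, of FRST or of Malwarebytes; it assumes only those two FRST conventions, and its sample lines are constructed with placeholder SIDs and a placeholder ?p= token.

```python
"""Triage helper for FRST-style log lines.

Added example (not part of this thread or of FRST): it decodes the
percent-encoded hostnames seen in hijacked search-page entries and collects
the lines FRST itself marks with '<==== ATTENTION', so an analyst can see at
a glance which domains a fixlist is really pointing at.
"""
import re
from urllib.parse import unquote, urlsplit

# Constructed sample input in the style of an FRST log. The two percent-encoded
# hosts are the ones that appear in the fixlist above; the SIDs and the ?p=
# token are placeholders, not values from any real machine.
SAMPLE_LINES = [
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION",
    r"HKU\S-1-5-21-0-0-0-1000\Software\Microsoft\Internet Explorer\Main,Search Page = "
    r"hxxps://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=PLACEHOLDER&q={searchTerms}",
    r"HKU\S-1-5-21-0-0-0-1005\Software\Microsoft\Internet Explorer\Main,Start Page = "
    r"hxxps://%66%65%65%64.%68%65%6C%70%65%72%62%61%72.%63%6F%6D/?p=PLACEHOLDER",
    r"HKU\S-1-5-21-0-0-0-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://search.domaincentar.com",
    r"SearchScopes: HKU\S-1-5-21-0-0-0-1000 -> {9BB47C17-9C68-4BB3-B188-DD9AF0FD2503} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSSE",
    r"2018-10-10 00:41 - 2018-10-10 00:41 - 000000000 ____D C:\ProgramData\Quoteexs",
]

# FRST defangs schemes as hxxp/hxxps so the log cannot be clicked by accident.
URL_RE = re.compile(r"hxxps?://\S+")
ATTENTION_MARK = "<==== ATTENTION"


def refang(url: str) -> str:
    """Turn the defanged hxxp(s) scheme back into http(s) so urlsplit can parse it."""
    return "http" + url[4:] if url.startswith("hxxp") else url


def decode_host(url: str) -> str:
    """Return the hostname of a (possibly defanged, possibly percent-encoded) URL."""
    return unquote(urlsplit(refang(url)).hostname or "")


def triage(lines):
    """Return one finding per line that carries a URL or an ATTENTION marker.

    A host is reported as obfuscated when percent-decoding changed it: a browser
    resolves it normally, but a human skimming the log does not see the name.
    """
    findings = []
    for number, line in enumerate(lines, start=1):
        hosts = []
        for url in URL_RE.findall(line):
            raw = urlsplit(refang(url)).hostname or ""
            decoded = unquote(raw)
            hosts.append({"host": decoded, "obfuscated": decoded != raw})
        attention = ATTENTION_MARK in line
        if attention or hosts:
            findings.append({"line": number, "attention": attention, "hosts": hosts})
    return findings


def suspicious_hosts(lines):
    """Sorted, de-duplicated list of hosts that were hidden behind percent-encoding."""
    return sorted({h["host"] for f in triage(lines) for h in f["hosts"] if h["obfuscated"]})


if __name__ == "__main__":
    for finding in triage(SAMPLE_LINES):
        flag = "ATTENTION" if finding["attention"] else "         "
        hosts = ", ".join(
            h["host"] + (" (was percent-encoded)" if h["obfuscated"] else "")
            for h in finding["hosts"]
        )
        print(f"line {finding['line']:>2} {flag} {hosts}")
    print("obfuscated hosts:", suspicious_hosts(SAMPLE_LINES))
```

Run it as a script to print the table, or feed it the lines of a real FRST.txt; the decoded names are what you would look up or block, and the "obfuscated" flag is itself a signal, since legitimate search providers have no reason to percent-encode their own hostname.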


When I try to save the file, a warning pops up regarding the fact that Unicode characters are bound to be lost if the file is encoded in ANSI. Should I encode it in Unicode?


Afterwards, as soon as I place the file in the same folder as FRST64, all I have to do is run the program and click Fix?
Should I also post the new FRST and Addition logs?


Just send the fixlog. I will most likely have you run another tool to find and remove things that are not shown in the FRST and EEK scans.


Please download AdwCleaner and save it on your desktop.

  1. Close all open programs and Internet browsers (you may want to print out or write down these instructions first).
  2. Double click on the AdwCleaner icon to run it.
  3. You will need to accept the license agreement from Malwarebytes in order to continue.
  4. Click on the Scan button in the lower-left.
  5. When the scan is done, a log will open in Notepad. You can close this Notepad window before continuing.
  6. If something was found on your computer, then click on the Clean button in the lower-left (where the "Scan" button was earlier).
  7. AdwCleaner will warn you that it will close all running processes (programs). Click OK to continue when ready.
  8. After the cleaning process is done, you will be prompted to restart your computer. Please click Reboot now when ready to restart your computer.
  9. A text file will open in Notepad after the restart (this is the log of what was removed), which you can save on your desktop.
  10. Please attach that log file to a reply for me to review.
  11. If you lose that log file for any reason, you can find it at C:\AdwCleaner[C0] on your computer.


Let's take a fresh look.

Run fresh scans with Emsisoft Emergency Kit (EEK) and FRST, attach the new EEK and FRST scans to your reply.

Be sure to let me know how things are running.


A command prompt window popped up for a brief moment right after restarting my PC as requested by AdwCleaner, which did not happen before the "infection". However, I am now able to remove the excluded folders with made up names in Windows Defender.
Other than that, everything else seems to be running smoothly.
Here are the requested logs:

scan_181011-033009.txt

FRST.txt


Still a few things that need to be cleaned up.

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Windows Startup.lnk [2016-11-28]
ShortcutTarget: Windows Startup.lnk -> C:\Windows\Windows_startup.bat ()
S1 F06DEFF2-5B9C-490D-910F-35D3A91196222; \??\C:\Program Files (x86)\Assets Manager\smdmf\x64\smdmfmgrc3.cfg [X]
2018-10-11 03:06 - 2018-10-11 03:06 - 000000000 ____D C:\ProgramData\simplitec
2018-10-11 03:05 - 2015-02-04 14:36 - 000000000 ____D C:\ProgramData\smdmf
C:\ProgramData\simplitec
C:\ProgramData\smdmf
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\SMDMF" /f
C:\Users\Herc\Downloads\CyberLink PowerDVD Ultra 17.0.1523.60 Final + Crack-Keygen

Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait.

If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.


Because I keep seeing Unicode characters in the log after you run the fix.

Changing tools.

Download RogueKiller from https://www.fosshub.com/RogueKiller.html and save it to your desktop.

• Double-click on setup.exe to install RogueKiller.

Close all programs and disconnect any USB or external drives before running the tool.

• Right-click RogueKiller.exe and select Run As Administrator to run the tool.
• Once the Prescan has finished, click Scan.
• Once the Status box shows "Scan Finished", click on the "Report" button and attach the scan log to your reply.

This may take a while to run. I'll check the scan report tomorrow after I come back online.


Everything found in the second scan has been removed by RogueKiller. Should I send you the scan log, now that the removal is finished?


Run the Google Chrome CleanUp Tool.

You can also check for malware manually.

  1. Open Chrome.
  2. At the top right, click More and then Settings.
  3. At the bottom, click Advanced.
  4. Under “Reset and clean up,” click Clean up computer.
  5. Click Find.

If you're asked to remove unwanted software, click Remove.

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\CodecPackUpdateChecker.lnk [2014-10-19]
FF NewTab: Mozilla\Firefox\Profiles\i57slaKI.default -> file:///C:/ProgramData/Quoteexs/ff.NT
FF SearchPlugin: C:\Users\Herc\AppData\Roaming\Mozilla\Firefox\Profiles\i57slaKI.default\searchplugins\yahoo-lavasoft-ff59.xml [2018-05-09]
FF Plugin: @esn/npbattlelog,version=2.6.2 -> C:\Program Files (x86)\Battlelog Web Plugins\2.6.2\npbattlelogx64.dll [No File]
FF Plugin-x32: @esn/npbattlelog,version=2.6.2 -> C:\Program Files (x86)\Battlelog Web Plugins\2.6.2\npbattlelog.dll [No File]
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files (x86)\Microsoft SQL Server Compact Edition\Office14\NPSPWRAP.DLL [No File]
FF Plugin HKU\S-1-5-21-1508180704-3222819172-3449906844-1000: ubisoft.com/uplaypc -> C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\npuplaypc.dll [No File]
S3 Disc Soft Ultra Bus Service; H:\Mi Games\Daemon Tools Ultra 5.2.0.0644 + Pre-Cracked - [CrackzSoft]\DAEMON Tools Ultra\DiscSoftBusServiceUltra.exe [5680320 2017-10-26] (Disc Soft Ltd)
2018-10-12 04:00 - 2018-10-12 04:00 - 000000000 ____D C:\ProgramData\simplitec
C:\ProgramData\simplitec

Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait.

If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.


OK, let's take a fresh look.

Run a fresh scan with Emsisoft and FRST, attach the new Emsisoft and FRST scan logs to your reply.


Everything seems fine. My only concern is whether I should change my login passwords or not. Is it possible that they could have been intercepted? What would you suggest?


What was installed was adware. Normally, adware does not intercept login credentials, but it is not outside the realm of possibility. If you are concerned that your login information was compromised, then go ahead and change your passwords.


Thank you very much for being so helpful and analytical throughout this whole process. I truly appreciate your help and advice. You're doing a great job in maintaining this forum as one of the best one should visit when seeking malware removal expertise. Keep it up. Thank you very much once again.


Actually, before deleting the programs I decided to run a final scan and it looks like a PUP named "Application.AppInstall(A)" and located in C:\ProgramData\simplitec is still there. I remember it showing up in two of the last scans before the logs were finally clean. Could it be coming back after I terminate and start my PC? Here are the logs of the most recent scans:

scan_181016-134513.txt

Addition.txt

FRST.txt


This is the most likely culprit:

H:\Mi Games\Daemon Tools Ultra 5.2.0.0644 + Pre-Cracked - [CrackzSoft]\DAEMON Tools Ultra\DiscSoftBusServiceUltra.exe

Software piracy is not a victimless activity, in fact, most cracks and keygens are malware.

Our company policy is to provide no assistance to users whose systems show the presence of pirated or otherwise improperly licensed and activated software.
