[email protected] 0 Posted April 8, 2020 Report Share Posted April 8, 2020 I ran Emsisoft and received the message that it was unable to remove "C:\Program Files (x86)\IdeaBadaga\IdeaBadaga.exe" I then ran the required 3 tools as your forum requests. I have the 3 files but no idea how to "attach" them here. Any help is appreciated! (This is for my mother-in-law's computer in case the different email matters - hers is ********* KATIE scan_200408-134044.txt Addition.txt FRST.txt Link to post Share on other sites
Kevin Zoll 309 Posted April 8, 2020 Report Share Posted April 8, 2020 Hello, Welcome to the Emsisoft Support Forums. Copy the below code to Notepad; Save As fixlist.txt to your Desktop. Task: {4397C738-BC2F-4CA4-BBC4-3F5DBB3750FC} - \WebDiscover Browser Launch Task -> No File <==== ATTENTION Task: {B1E2AFBC-5126-4326-95B6-16F9D837FCC2} - \WebDiscover Browser Update Task -> No File <==== ATTENTION HKU\S-1-5-21-38456885-260547489-3915582780-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://us.search.yahoo.com/yhs/web?hspart=omr&hsimp=yhs-001&type=863163140¶m1=y6bdVFVIsvuYsgEClQfz8FBvKkXdqONxqOqRNOxENVaCsf%2BEA%2BUH%2BJwJJs9rEQ3uE1YmjidysZgkHPzrSrtgB%2FdaAYAPUFwzrfwoy0yARbjRxvm4Stt%2Btz06avB63xegs1TV%2FHxb385rX%2BzEHZJAIrnLMdXSq94LIgjoioHMpErMz%2B87K3fe3FSC7XJ10%2FjeGKYR0%2FzYpYdmESTujwP%2FSG%2FNHFBiQTcT20AF4ztGrxbX60s1kF6E%2FxDhuXc%2F%2F%2BA%2B4vtMN6TXBbJjpcScwXAJ5Q%3D%3D HKU\S-1-5-21-38456885-260547489-3915582780-1003\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://us.search.yahoo.com/yhs/web?hspart=omr&hsimp=yhs-001&type=863163140¶m1=y6bdVFVIsvuYsgEClQfz8FBvKkXdqONxqOqRNOxENVaCsf%2BEA%2BUH%2BJwJJs9rEQ3uE1YmjidysZgkHPzrSrtgB%2FdaAYAPUFwzrfwoy0yARbjRxvm4Stt%2Btz06avB63xegs1TV%2FHxb385rX%2BzEHZJAIrnLMdXSq94LIgjoioHMpErMz%2B87K3fe3FSC7XJ10%2FjeGKYR0%2FzYpYdmESTujwP%2FSG%2FNHFBiQTcT20AF4ztGrxbX60s1kF6E%2FxDhuXc%2F%2F%2BA%2B4vtMN6TXBbJjpcScwXAJ5Q%3D%3D SearchScopes: HKU\S-1-5-21-38456885-260547489-3915582780-1001 -> DefaultScope {8430D776-5C59-4B75-B94B-3D17947BCFF1} URL = hxxps://us.search.yahoo.com/yhs/search?hspart=omr&hsimp=yhs-001&type=863163140¶m1=y6bdVFVIsvuYsgEClQfz8FBvKkXdqONxqOqRNOxENVaCsf%2BEA%2BUH%2BJwJJs9rEQ3ubNumM3Cick8jzUJwAc7LIJgf93wLOZKFsKWcKnx1595gPDmAcOdrrnsrzoZLhr%2BrKdOmeqzHtXP0%2FPeiZHcFdF488hRDmsUSo2y32o32ayKcB%2BUNDt37LgczvfdFmPhpXcf96L2sx5dV2YJSDM3Stm1oOjlsgX0V0ex0PC7ksaSdu%2BjQlH6hugcJiM%2BQZ5tWC8z1AajDn8Squ%2FGZNz%2Bc7Q%3D%3D&p={searchTerms} SearchScopes: HKU\S-1-5-21-38456885-260547489-3915582780-1001 -> {8430D776-5C59-4B75-B94B-3D17947BCFF1} URL = hxxps://us.search.yahoo.com/yhs/search?hspart=omr&hsimp=yhs-001&type=863163140¶m1=y6bdVFVIsvuYsgEClQfz8FBvKkXdqONxqOqRNOxENVaCsf%2BEA%2BUH%2BJwJJs9rEQ3ubNumM3Cick8jzUJwAc7LIJgf93wLOZKFsKWcKnx1595gPDmAcOdrrnsrzoZLhr%2BrKdOmeqzHtXP0%2FPeiZHcFdF488hRDmsUSo2y32o32ayKcB%2BUNDt37LgczvfdFmPhpXcf96L2sx5dV2YJSDM3Stm1oOjlsgX0V0ex0PC7ksaSdu%2BjQlH6hugcJiM%2BQZ5tWC8z1AajDn8Squ%2FGZNz%2Bc7Q%3D%3D&p={searchTerms} SearchScopes: HKU\S-1-5-21-38456885-260547489-3915582780-1001 -> {84C0D776-5C59-4B75-B94B-3D17947BCFF1} URL = SearchScopes: HKU\S-1-5-21-38456885-260547489-3915582780-1003 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://us.search.yahoo.com/yhs/search?hspart=omr&hsimp=yhs-001&type=863163140¶m1=y6bdVFVIsvuYsgEClQfz8FBvKkXdqONxqOqRNOxENVaCsf%2BEA%2BUH%2BJwJJs9rEQ3ubNumM3Cick8jzUJwAc7LIJgf93wLOZKFsKWcKnx1595gPDmAcOdrrnsrzoZLhr%2BrKdOmeqzHtXP0%2FPeiZHcFdF488hRDmsUSo2y32o32ayKcB%2BUNDt37LgczvfdFmPhpXcf96L2sx5dV2YJSDM3Stm1oOjlsgX0V0ex0PC7ksaSdu%2BjQlH6hugcJiM%2BQZ5tWC8z1AajDn8Squ%2FGZNz%2Bc7Q%3D%3D&p={searchTerms} SearchScopes: HKU\S-1-5-21-38456885-260547489-3915582780-1003 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxps://us.search.yahoo.com/yhs/search?hspart=omr&hsimp=yhs-001&type=863163140¶m1=y6bdVFVIsvuYsgEClQfz8FBvKkXdqONxqOqRNOxENVaCsf%2BEA%2BUH%2BJwJJs9rEQ3ubNumM3Cick8jzUJwAc7LIJgf93wLOZKFsKWcKnx1595gPDmAcOdrrnsrzoZLhr%2BrKdOmeqzHtXP0%2FPeiZHcFdF488hRDmsUSo2y32o32ayKcB%2BUNDt37LgczvfdFmPhpXcf96L2sx5dV2YJSDM3Stm1oOjlsgX0V0ex0PC7ksaSdu%2BjQlH6hugcJiM%2BQZ5tWC8z1AajDn8Squ%2FGZNz%2Bc7Q%3D%3D&p={searchTerms} SearchScopes: HKU\S-1-5-21-38456885-260547489-3915582780-1003 -> {0A33EE93-D776-472f-A0FF-E1416B8B2E3A} URL = CHR StartupUrls: Default -> "hxxps://news.google.com/news/?gl=US&ned=us&hl=en","hxxps://us.search.yahoo.com/yhs/web?hspart=omr&hsimp=yhs-001&type=863163140¶m1=y6bdVFVIsvuYsgEClQfz8FBvKkXdqONxqOqRNOxENVaCsf%2BEA%2BUH%2BJwJJs9rEQ3uPLD3SefbDh%2BMU1t9OjtOA6ebCmoNa2d8MiJng9LW%2BDnGbQSa%2Fep0qEae%2FvZ7FVbtQZYZJ6HTKU8MYVNI47o9xhtWxCk5P0agOzM9GG30TxV35JIc6%2BZmc7SLw%2Fw5V5gMrcN5J4ERkWRDHUPQCVEKULHdHQbKj%2B6DO0yUx45Cq2qMrSl97hN8rI5YHFLaPDr6N5%2FNlezL1rUch3lLYOKR%2B97ypxupB0JkiWM4StsiAho%3D" CHR NewTab: Default -> Not-active:"chrome-extension://kbgjbpddgbobnkfdoejkcnleiiadlnfh/index.html" CHR DefaultSearchURL: Default -> hxxps://us.search.yahoo.com/yhs/search?hspart=omr&hsimp=yhs-001&type=863163140¶m1=y6bdVFVIsvuYsgEClQfz8FBvKkXdqONxqOqRNOxENVaCsf%2BEA%2BUH%2BJwJJs9rEQ3uaYGjZiE5twUcdpZuknnAUk5IACkazxsGmzjMt5iXTP%2FCKR6nKCPwlVOIsHantH2spjpNCJ43sikwH7oG3r0RGfmw1vN4wJG5VhCFKdROWOw5%2FfQ%2BrsCPsiT%2B7rcKFwm6L1N02fl06jB2v1pY7BVybbwErDlxwk7tP%2B%2FWcsIlbK3oTiXtdHLcsuf40uLIA2nleQn5A%2Bl06nYcZ5aR7FfdRuFX92NQaHcGS3%2Ba%2BxFUX4E%3D&p={searchTerms} CHR DefaultNewTabURL: Default -> hxxps://us.search.yahoo.com/yhs/web?hspart=omr&hsimp=yhs-001&type=863163140¶m1=y6bdVFVIsvuYsgEClQfz8FBvKkXdqONxqOqRNOxENVaCsf%2BEA%2BUH%2BJwJJs9rEQ3uHSggdiZG8Ti%2F5VL%2FM1BFkN3KQLfkR9BvCWQIQfIJDtXzn7aHy7rFMQXgeOdhnb80fqpnPMfboid5hFxhSYk1Ld9QUEGvCLVYsIAd0RNOtt641gkJ3jTrdsG%2BrgRAaaklxnUKWYuaGZtbrUnpS87U8i5jXq8hLRCJHIF3Z%2Ffpg4dladPLwPFAqWM0kbVedYB3BdiAluBocaPTbw6i1aRZzFvo9I%2B3fh13glSaZXOTAiQ%3D CHR DefaultSuggestURL: Default -> hxxps://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command={searchTerms} CHR HomePage: Profile 1 -> hxxps://us.search.yahoo.com/yhs/web?hspart=omr&hsimp=yhs-001&type=863163140¶m1=y6bdVFVIsvuYsgEClQfz8FBvKkXdqONxqOqRNOxENVaCsf%2BEA%2BUH%2BJwJJs9rEQ3uNvNywOuL6c4AsSWYa2ib09pIdyPIScFrRuR0EP%2Fs5vH4cAGTj32xjO7vcRvVOxsTUfoar4G8nzJ9WYjO9kXK3g0f9yTlZuD4%2BTO3jco284En4QkLzPdtDILQEfADpeGWdb%2Be5swzRz%2BIhOl%2F7wvtEALmGoCoIpD0XtZvE%2F%2FmNT%2Fs8yl6QssJUIa1PGLOAMKKpRl08YT7A47BIPdnYILQhcDdp8aJN2g6CewIYzs3e3o%3D CHR StartupUrls: Profile 1 -> "hxxps://us.search.yahoo.com/yhs/web?hspart=omr&hsimp=yhs-001&type=863163140¶m1=y6bdVFVIsvuYsgEClQfz8FBvKkXdqONxqOqRNOxENVaCsf%2BEA%2BUH%2BJwJJs9rEQ3uPLD3SefbDh%2BMU1t9OjtOA6ebCmoNa2d8MiJng9LW%2BDnGbQSa%2Fep0qEae%2FvZ7FVbtQZYZJ6HTKU8MYVNI47o9xhtWxCk5P0agOzM9GG30TxV35JIc6%2BZmc7SLw%2Fw5V5gMrcN5J4ERkWRDHUPQCVEKULHdHQbKj%2B6DO0yUx45Cq2qMrSl97hN8rI5YHFLaPDr6N5%2FNlezL1rUch3lLYOKR%2B97ypxupB0JkiWM4StsiAho%3D" CHR DefaultSearchKeyword: Profile 1 -> search.yahoo.com CHR DefaultNewTabURL: Profile 1 -> hxxps://us.search.yahoo.com/yhs/web?hspart=omr&hsimp=yhs-001&type=863163140¶m1=y6bdVFVIsvuYsgEClQfz8FBvKkXdqONxqOqRNOxENVaCsf%2BEA%2BUH%2BJwJJs9rEQ3uHSggdiZG8Ti%2F5VL%2FM1BFkN3KQLfkR9BvCWQIQfIJDtXzn7aHy7rFMQXgeOdhnb80fqpnPMfboid5hFxhSYk1Ld9QUEGvCLVYsIAd0RNOtt641gkJ3jTrdsG%2BrgRAaaklxnUKWYuaGZtbrUnpS87U8i5jXq8hLRCJHIF3Z%2Ffpg4dladPLwPFAqWM0kbVedYB3BdiAluBocaPTbw6i1aRZzFvo9I%2B3fh13glSaZXOTAiQ%3D CHR DefaultSuggestURL: Profile 1 -> hxxps://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command={searchTerms} R2 IdeaBadaga; C:\Program Files (x86)\IdeaBadaga\IdeaBadaga.exe [5392368 2018-04-05] (Apps Delivered Ltd -> Idea Badaga) [File not signed] 2020-04-04 16:45 - 2020-04-04 16:45 - 000000000 ____D C:\Program Files (x86)\IdeaBadaga 2020-04-04 16:45 - 2020-04-04 16:45 - 000000000 ____D C:\Program Files (x86)\Idea Badaga 2020-03-12 16:15 - 2020-03-12 16:15 - 000000000 ____D C:\WINDOWS\{6567E9E7-5D48-4B5D-BEFF-1F8AD76846E1} ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => -> No File AlternateDataStreams: C:\Users\Carol\Desktop\cc.jpeg:�3or4kl4x13tuuug3Byamue2s4b [91] AlternateDataStreams: C:\Users\Carol\Desktop\cc.jpeg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d} [0] AlternateDataStreams: C:\Users\Carol\Desktop\corner cupboard 2.jpeg:�3or4kl4x13tuuug3Byamue2s4b [91] AlternateDataStreams: C:\Users\Carol\Desktop\corner cupboard 2.jpeg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d} [0] AlternateDataStreams: C:\Users\Carol\Desktop\corner cupboard.jpeg:�3or4kl4x13tuuug3Byamue2s4b [91] AlternateDataStreams: C:\Users\Carol\Desktop\corner cupboard.jpeg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d} [0] AlternateDataStreams: C:\Users\Carol\Desktop\Fireplace Form.jpeg:�3or4kl4x13tuuug3Byamue2s4b [91] AlternateDataStreams: C:\Users\Carol\Desktop\Fireplace Form.jpeg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d} [0] AlternateDataStreams: C:\Users\Carol\Desktop\Nations Ford Rd. Contract.jpeg:�3or4kl4x13tuuug3Byamue2s4b [91] AlternateDataStreams: C:\Users\Carol\Desktop\Nations Ford Rd. Contract.jpeg:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d} [0] C:\Program Files (x86)\IdeaBadaga\IdeaBadaga.exe C:\Program Files (x86)\IdeaBadaga Close Notepad. NOTE: It's important that both files, FRST, and fixlist.txt are in the same location or the fix will not work. NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system IMPORTANT: Save all of your work, as the next step may reboot your computer. Run FRST and press the Fix button just once and wait. If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply. NOTE: If the tool warns you about an outdated version please download and run the updated version. Also, let me know how the machine is running now, and what remaining issues you've noticed. Link to post Share on other sites
[email protected] 0 Posted April 9, 2020 Author Report Share Posted April 9, 2020 Thank you, Kevin. Attached is Fixlog.txt The machine is running fine as far as I can tell. VemoPCAP is still there (or back again). Some other issues (Bytefence, QuickDriver, PCAccelerate) seem to be gone. I see a new one now: One Updater but I will get rid of once we resolve Ideabadaga. Thank you, a bunch, for your help! Fixlog.txt Link to post Share on other sites
Kevin Zoll 309 Posted April 9, 2020 Report Share Posted April 9, 2020 I would like you to run a third-party tool that aggressively targets Adware and Junkware. Download AdwCleaner and save it on your Desktop. Close all open programs and Internet browsers (you may want to print out or write down these instructions first). Double click on adwcleaner.exe to run the tool. Click on the Scan button. After the scan has finished, click on the Clean button. Confirm each time with OK. You will be prompted to restart your computer. A text file will open in Notepad after the restart (this is the log of what was removed), which you can save on your Desktop. Attach that log file to your reply. NOTE: If you lose that log file for any reason, you can find it at C:\AdwCleaner on your computer. Link to post Share on other sites
[email protected] 0 Posted April 9, 2020 Author Report Share Posted April 9, 2020 Done. I had run ADWCleaner yesterday before I contacted you. I attached both files but neither, from what I can tell, find any malicious files. (AdwCleaner[C01] is from today and AdwCleaner[S00] is from yesterday) I still have VemoPCAP and One Updater in my Start Menu. Thank you! AdwCleaner[S00].txt AdwCleaner[C01].txt Link to post Share on other sites
Kevin Zoll 309 Posted April 9, 2020 Report Share Posted April 9, 2020 Run a fresh scan with FRST, attach the new FRST scan reports to your reply. How are things running? Link to post Share on other sites
[email protected] 0 Posted April 9, 2020 Author Report Share Posted April 9, 2020 The computer seems to be running fine. It's not mine so I am not working on it. I'm not getting any errors or pop up boxes as before though. The One Updater and VemoPCAP are still in the Start Menu though. Should I try to uninstall them? Attached are the 2 files. Thank you! Addition 02.txt FRST 02.txt Link to post Share on other sites
Kevin Zoll 309 Posted April 10, 2020 Report Share Posted April 10, 2020 Copy the below code to Notepad; Save As fixlist.txt to your Desktop. S2 Dell SupportAssist Remediation; "C:\Program Files\Dell\SARemediation\agent\DellSupportAssistRemedationService.exe" [X] S2 DellDigitalDelivery; "C:\Program Files (x86)\Dell Digital Delivery\DeliveryService.exe" [X] S3 RNDBWM; "C:\Program Files\Rivet Networks\SmartByte\RNDBWMService.exe" [X] S2 SmartByte Network Service x64; "C:\Program Files\Rivet Networks\SmartByte\SmartByteNetworkService.exe" [X] 2020-04-04 17:33 - 2020-04-04 17:33 - 000000000 ____D C:\ProgramData\ByteFence 2020-04-04 16:48 - 2020-04-08 13:52 - 000000000 ____D C:\Program Files (x86)\VemoPCAP 2020-04-04 16:48 - 2020-04-04 16:48 - 000000000 ____D C:\Users\Carol\AppData\Local\VemoPCAP 2020-04-04 16:48 - 2020-04-04 16:48 - 000000000 ____D C:\ProgramData\VemoPCAP 2020-04-04 16:48 - 2020-04-04 16:48 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VemoPCAP 2020-04-04 16:47 - 2020-04-08 13:23 - 000000000 ____D C:\Users\Carol\AppData\Local\OneUpdater 2020-04-04 16:47 - 2020-04-04 16:49 - 000000000 ____D C:\Users\Carol\AppData\Local\PCAP_Logic_dir 2020-04-04 16:47 - 2020-04-04 16:47 - 000000000 ____D C:\Users\Carol\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneUpdater 2020-04-04 16:46 - 2020-04-08 12:43 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ByteFence Anti-Malware SmartByte -> C:\Program Files\WindowsApps\RivetNetworks.SmartByte_2.5.713.0_x64__rh07ty8m5nkag [2019-04-27] (Rivet Networks LLC) AlternateDataStreams: C:\Users\Carol\Desktop\cc.jpeg:3or4kl4x13tuuug3Byamue2s4b [91] AlternateDataStreams: C:\Users\Carol\Desktop\corner cupboard 2.jpeg:3or4kl4x13tuuug3Byamue2s4b [91] AlternateDataStreams: C:\Users\Carol\Desktop\corner cupboard.jpeg:3or4kl4x13tuuug3Byamue2s4b [91] AlternateDataStreams: C:\Users\Carol\Desktop\Fireplace Form.jpeg:3or4kl4x13tuuug3Byamue2s4b [91] AlternateDataStreams: C:\Users\Carol\Desktop\Nations Ford Rd. Contract.jpeg:3or4kl4x13tuuug3Byamue2s4b [91] Close Notepad. NOTE: It's important that both files, FRST, and fixlist.txt are in the same location or the fix will not work. NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system IMPORTANT: Save all of your work, as the next step may reboot your computer. Run FRST and press the Fix button just once and wait. If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply. NOTE: If the tool warns you about an outdated version please download and run the updated version. Uninstall the following: ByteFence Anti-Malware OneUpdater SmartByte Drivers and Services SSOption VemoPCAP Also, let me know how the machine is running now, and what remaining issues you've noticed. Link to post Share on other sites
[email protected] 0 Posted April 10, 2020 Author Report Share Posted April 10, 2020 Attached is the fixlog.txt I was only able to uninstall (thru the Windows Control Panel) Smartbyte Drivers & Services, and Smartbyte. I was UNABLE to uninstall Bytefence ("Windows can't find...\Bytefence\uninstall.exe") I was UNABLE to uninstall One Updater ("Windows can't find c:\users\Carol\appdata\local\One Updater\appun.exe") I was UNABLE to uninstall SSOption ("Windows can't find...\Idea Badaga\uninstall.exe") I was UNABLE to uninstall VemoPCAP ("Windows can't find...\VemoPCAP\uninstall.exe") None of these were found in the Start Menu but they do still appear in the list of "Apps" with only the option to "uninstall" which doesn't work. No other issues that I can see. Thank you!! Katie Fixlog.txt Link to post Share on other sites
[email protected] 0 Posted April 10, 2020 Author Report Share Posted April 10, 2020 I searched Vemo - is the 2nd entry from the bottom worrisome? It's not "Quarantined". Link to post Share on other sites
[email protected] 0 Posted April 10, 2020 Author Report Share Posted April 10, 2020 The full path to this "2nd entry from the bottom" above is users\carol\appdata\local\packages\microsoft.windows.cortana_cw5n1h2txyewy/localstate\appiconcache\150\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}_VemoPCAP_VemoPCAP_exe Link to post Share on other sites
Kevin Zoll 309 Posted April 10, 2020 Report Share Posted April 10, 2020 Changing tools. Download RogueKiller from https://www.fosshub.com/RogueKiller.html and save it to your desktop. Double-click on setup.exe to install RogueKiller. Close all programs and disconnect any USB or external drives before running the tool. Right-click RogueKiller.exe and select Run As Administrator to run the tool. Once the Prescan has finished, click Scan. Once the Status box shows "Scan Finished", click on the "Report" button and attach the scan log to your reply. Link to post Share on other sites
[email protected] 0 Posted April 11, 2020 Author Report Share Posted April 11, 2020 Attached here. Thank you! I hope you have a good weekend. as_3BC0.tmp.txt Link to post Share on other sites
Kevin Zoll 309 Posted April 13, 2020 Report Share Posted April 13, 2020 Close all programs and disconnect any USB or external drives before running the tool. Double-click RogueKiller.exe to run the tool again. Once the Prescan has finished, click Scan. Once the Status box shows "Scan Finished". Select the following items: [PUP.ByteFence|PUP.Gen1 (Potentially Malicious)] (X64) HKEY_LOCAL_MACHINE\Software\ByteFence -- N/A -> Found [PUP.ByteFence|PUP.Gen1 (Potentially Malicious)] (X86) HKEY_LOCAL_MACHINE\Software\ByteFence -- N/A -> Found [PUP.ByteFence|PUP.Gen1 (Potentially Malicious)] (X64) HKEY_USERS\S-1-5-21-38456885-260547489-3915582780-1001\Software\ByteFence -- N/A -> Found [PUP.ByteFence|PUP.Gen1 (Potentially Malicious)] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\ByteFence -- N/A -> Found [Tr.Gen0 (Malicious)] (file) 5.txt -- C:\Users\Carol\AppData\Local\Temp\5.txt -> Found [PUP.PCProtect (Potentially Malicious)] (folder) TotalAV -- C:\ProgramData\TotalAV -> Found [PUP.ByteFence|PUP.Gen1 (Potentially Malicious)] (shortcut) $RUXHOWW.lnk -- C:\$Recycle.Bin\S-1-5-21-38456885-260547489-3915582780-1001\$RUXHOWW.lnk => C:\Program Files\ByteFence\ByteFence.exe -> Found Click the Delete button. Attach the RogueKiller report to your next reply. The log can also be found on your desktop labeled (RKreport[X]_D_xxdatexx_xtimex.txt) The highest number of [X], is the most recent Delete log. Link to post Share on other sites
Recommended Posts