Adlice forum

General Category => Malware removal help => Topic started by: feradolo on April 22, 2017, 01:20:43 pm

Title: Check Logs
Post by: feradolo on April 22, 2017, 01:20:43 pm
Today I downloaded this powerful software named RogueKiller. I scanned and it found some viruses/malware I don't know. Please check my logs :)
(I'm using the Polish version, so maybe there can be a problem with understanding, but I think Google can help)


RogueKiller V12.10.5.0 [Apr 18 2017] (wersja darmowa) od Adlice Software
Kontakt : http://www.adlice.com/contact/
Forum : https://forum.adlice.com
Strona internetowa : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

System operacyjny : Windows 7 (6.1.7600) 32 bits version
Tryb rozruchu : Tryb normalny
Użytkownik : Patryk [Administrator]
Lokalizacja programu : C:\Program Files\RogueKiller\RogueKiller.exe
Tryb : Skanowanie -- Data : 04/22/2017 12:11:49 (Duration : 00:36:27)

Procesy : 4
[Proc.Svchost] svchost.exe(1700) -- C:\Windows\System32\svchost.exe[7] -> Wykryto
[Proc.Injected|Proc.RunPE] launcher.exe(2888) -- C:\Program Files\Opera\launcher.exe[7] -> Wykryto
[Proc.Injected] svchost.exe(3028) -- C:\Users\Patryk\AppData\Local\Microsoft\svchost.exe[-] -> Wykryto
[Proc.Svchost] svchost.exe(3028) -- C:\Users\Patryk\AppData\Local\Microsoft\svchost.exe[-] -> Wykryto

Rejestr : 22
[PUP.DllFiles] HKEY_LOCAL_MACHINE\Software\dll-files.com -> Wykryto
[PUP.EventMonitor|PUP.Gen1] HKEY_LOCAL_MACHINE\Software\Event Monitor -> Wykryto
[PUP.Gen1] HKEY_LOCAL_MACHINE\Software\Jawego -> Wykryto
[PUP.UCBrowser|PUP.Gen1] HKEY_LOCAL_MACHINE\Software\UCBrowser -> Wykryto
[PUP.Gen1] HKEY_LOCAL_MACHINE\Software\UCBrowserPID -> Wykryto
[PUP.Gen1] HKEY_USERS\S-1-5-21-663137483-2068535372-257761148-1001\Software\AutoTime -> Wykryto
[PUP.DllFiles] HKEY_USERS\S-1-5-21-663137483-2068535372-257761148-1001\Software\dll-files.com -> Wykryto
[PUP.EventMonitor|PUP.Gen1] HKEY_USERS\S-1-5-21-663137483-2068535372-257761148-1001\Software\Event Monitor -> Wykryto
[PUP.Gen1] HKEY_USERS\S-1-5-21-663137483-2068535372-257761148-1001\Software\IM -> Wykryto
[PUP.Gen1] HKEY_USERS\S-1-5-21-663137483-2068535372-257761148-1001\Software\Installer -> Wykryto
[PUP.Gen1] HKEY_USERS\S-1-5-21-663137483-2068535372-257761148-1001\Software\SNDA -> Wykryto
[PUP.UCBrowser|PUP.Gen1] HKEY_USERS\S-1-5-21-663137483-2068535372-257761148-1001\Software\UCBrowser -> Wykryto
[PUP.Gen1] HKEY_USERS\S-1-5-21-663137483-2068535372-257761148-1001\Software\UCBrowserPID -> Wykryto
[PUP.VideoBox] HKEY_USERS\S-1-5-21-663137483-2068535372-257761148-1001\Software\VideoBox -> Wykryto
[PUP.Gen1] HKEY_USERS\S-1-5-21-663137483-2068535372-257761148-1001\Software\Win -> Wykryto
[PUP.Gen0] HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost | kuaizipupdatesvc :  [Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wfpgameprotect (\??\C:\Users\Patryk\AppData\Local\Temp\5699.tmp.sys) -> Wykryto
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\wfpgameprotect (\??\C:\Users\Patryk\AppData\Local\Temp\5699.tmp.sys) -> Wykryto
[PUM.HomePage] HKEY_USERS\S-1-5-21-663137483-2068535372-257761148-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://faststartpage.com/  -> Wykryto
[PUP.UCBrowser] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {95C72822-C61A-4FD7-9F78-C204FE35BB7A} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=5353|App=C:\Program Files\UCBrowser\Application\UCBrowser.exe|Name=Chromium (mDNS-In)|Desc=Reguła dla ruchu przychodzącego w Chromium zezwalająca na ruch mDNS.|EmbedCtxt=UC???| [7] -> Wykryto
[PUP.UCBrowser] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {95C72822-C61A-4FD7-9F78-C204FE35BB7A} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=5353|App=C:\Program Files\UCBrowser\Application\UCBrowser.exe|Name=Chromium (mDNS-In)|Desc=Reguła dla ruchu przychodzącego w Chromium zezwalająca na ruch mDNS.|EmbedCtxt=UC???| [7] -> Wykryto
[PUM.Policies] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Wykryto

Zaplanowane zadania : 10
[Suspicious.Path] %WINDIR%\Tasks\DLL-Files.Com Fixer_MONTHLY.job -- C:\Users\Patryk\AppData\Local\Temp\Rar$EXa0.239\Dll-Files Fixer 3.3.90.3079 Portable\App\Dll-Files.com Fixer\DLLFixer.exe (scan) -> Wykryto
[Suspicious.Path] %WINDIR%\Tasks\DLL-Files.Com Fixer_Updates.job -- C:\Users\Patryk\AppData\Local\Temp\Rar$EXa0.239\Dll-Files Fixer 3.3.90.3079 Portable\App\Dll-Files.com Fixer\DLLFixer.exe (-updatecheck) -> Wykryto
[Suspicious.Path] \463b8825b2038j5420 -- C:\Windows\system32\rundll32.exe ("C:\ProgramData\463b8825b2038j5420\463b8825b2038j5420.dll",bjDTMMydzy) -> Wykryto
[Suspicious.Path] \DLL-Files.Com Fixer_MONTHLY -- C:\Users\Patryk\AppData\Local\Temp\Rar$EXa0.239\Dll-Files Fixer 3.3.90.3079 Portable\App\Dll-Files.com Fixer\DLLFixer.exe (scan) -> Wykryto
[Suspicious.Path] \DLL-Files.Com Fixer_Updates -- C:\Users\Patryk\AppData\Local\Temp\Rar$EXa0.239\Dll-Files Fixer 3.3.90.3079 Portable\App\Dll-Files.com Fixer\DLLFixer.exe (-updatecheck) -> Wykryto
[PUP.Gen0] \mm -- "C:\Program Files\MyMemory\uninstall.exe " (/S) -> Wykryto
[Suspicious.Path] \RDReminder -- C:\Users\Patryk\AppData\Local\Temp\Rar$EXa0.239\Dll-Files Fixer 3.3.90.3079 Portable\App\Dll-Files.com Fixer\DLLFixer.exe (-rem) -> Wykryto
[Suspicious.Path|Tr.Gen1] \{A180AE35-162B-199E-DD72-CAFC6D1796B1} -- C:\ProgramData\{0556AA48-B2FD-1DE3-4B73-1464029E3619}\7698C24E-C133-75E5-BDA2-E6995DDA8D85.exe (/run) -> Wykryto
[Suspicious.Path|Tr.Gen1] \{C5E24BBE-7249-FC15-50FF-4AD008860FEA} -- C:\ProgramData\{D1328401-6699-33AA-1947-BF5458D52128}\D0AA6C68-6701-DBC3-C74B-04C0BD41FC28.exe (/run) -> Wykryto
[Suspicious.Path|Tr.Gen0] \Microsoft\Windows\Multimedia\Manager -- C:\Users\Patryk\AppData\Roaming\Adobe\Manager.exe (604C4206-B430-43E1-A102-8BF11249AEC2) -> Wykryto

Pliki : 23
[PUP.RegisterObject][Folder] C:\ProgramData\RegisterObject -> Wykryto
[Hj.Shortcut][Plik] C:\Users\Patryk\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk [LNK@] C:\PROGRA~1\INTERN~1\iexplore.exe http://qtipr.com/ -> Wykryto
[Hj.Shortcut][Plik] C:\Users\Patryk\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk [LNK@] C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe http://qtipr.com/ -> Wykryto
[Hj.Shortcut][Plik] C:\Users\Patryk\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk [LNK@] C:\PROGRA~1\INTERN~1\iexplore.exe http://qtipr.com/ -> Wykryto
[PUP.Gen0][Plik] C:\Windows\System32\drivers\ucguard.sys -> Wykryto
[PUP.DllFiles][Folder] C:\Users\Patryk\AppData\Roaming\dll-files.com -> Wykryto
[PUP.Gen1][Folder] C:\Users\Patryk\AppData\Roaming\Note-UP -> Wykryto
[Tr.Gen0][Plik] C:\Users\Patryk\AppData\Roaming\uTorrent\updates\3.4.7_42330\utorrentie.exe -> Wykryto
[Tr.Gen0][Plik] C:\Users\Patryk\AppData\Roaming\uTorrent\updates\3.4.8_42576\utorrentie.exe -> Wykryto
[Tr.Gen0][Plik] C:\Users\Patryk\AppData\Roaming\uTorrent\updates\3.4.9_42606\utorrentie.exe -> Wykryto
[Tr.Gen0][Plik] C:\Users\Patryk\AppData\Roaming\uTorrent\updates\3.4.9_42973\utorrentie.exe -> Wykryto
[Tr.Gen0][Plik] C:\Users\Patryk\AppData\Roaming\uTorrent\updates\3.4.9_43085\utorrentie.exe -> Wykryto
[Tr.Gen0][Plik] C:\Users\Patryk\AppData\Roaming\uTorrent\updates\3.4.9_43295\utorrentie.exe -> Wykryto
[Tr.Gen0][Plik] C:\Users\Patryk\AppData\Roaming\uTorrent\updates\3.4.9_43388\utorrentie.exe -> Wykryto
[Tr.Gen0][Plik] C:\Users\Patryk\AppData\Roaming\uTorrent\updates\3.5.0_43580\utorrentie.exe -> Wykryto
[PUP.UCBrowser][Folder] C:\Users\Patryk\AppData\Local\UCBrowser -> Wykryto
[Hj.Shortcut][Plik] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk [LNK@] C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe http://qtipr.com/ -> Wykryto
[PUP.RegisterObject][Folder] C:\ProgramData\RegisterObject -> Wykryto
[PUP.Gen1][Folder] C:\Program Files\Caster -> Wykryto
[PUP.Gen1][Folder] C:\Program Files\GreatMaker -> Wykryto
[PUP.Gen1][Folder] C:\Program Files\mpck -> Wykryto
[PUP.UCBrowser][Folder] C:\Program Files\UCBrowser -> Wykryto
[Hj.Shortcut][Plik] C:\Users\Patryk\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk [LNK@] C:\PROGRA~1\INTERN~1\iexplore.exe http://qtipr.com/ -> Wykryto

WMI : 1
[PUP.Yeahbests] instance (ActiveScriptEventConsumer) \ROOT\subscription:ActiveScriptEventConsumer.Name="ASEC" -> Wykryto

Plik hosts : 0

Rootkity : 0 (Driver: załadowano)

Przeglądarki : 0

Sprawdzenie MBR :
+++++ PhysicalDrive0: MAXTOR STM3250310AS ATA Device +++++
--- User ---
[MBR] 53b28b9846d11d3492d7fd331f5b7dce
[BSP] f096e302d4e3c4d15b6ae34d20face98 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 119135 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 244195328 | Size: 119237 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: Generic USB SD Reader USB Device +++++
Error reading User MBR! ([15] Urządzenie nie jest gotowe. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] Żądanie nie jest obsługiwane. )

+++++ PhysicalDrive2: Generic USB CF Reader USB Device +++++
Error reading User MBR! ([15] Urządzenie nie jest gotowe. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] Żądanie nie jest obsługiwane. )

+++++ PhysicalDrive3: Generic USB SM Reader USB Device +++++
Error reading User MBR! ([15] Urządzenie nie jest gotowe. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] Żądanie nie jest obsługiwane. )

+++++ PhysicalDrive4: Generic USB MS Reader USB Device +++++
Error reading User MBR! ([15] Urządzenie nie jest gotowe. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] Żądanie nie jest obsługiwane. )
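As an added example (not from this thread and not Adlice's own tooling), a small Python parser for the RogueKiller report format shown above: it pulls each `[Tag|Tag][Kind] detail -> Wykryto` line into a record under its section and flags the entries a responder would look at first (injected processes, Tr.* hits, hijacked shortcuts, suspicious task paths and WMI event consumers). The sample log is a constructed excerpt of the report above, and the list of high-priority tag families is my own assumption, not a RogueKiller rating.

```python
import re
from collections import Counter

# Constructed excerpt in RogueKiller's report format (same shape as the log
# in the post above, only a few entries); not a full report.
SAMPLE_LOG = r"""Procesy : 1
[Proc.Injected|Proc.RunPE] launcher.exe(2888) -- C:\Program Files\Opera\launcher.exe[7] -> Wykryto
Rejestr : 2
[PUP.Gen1] HKEY_LOCAL_MACHINE\Software\Jawego -> Wykryto
[PUM.Policies] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Wykryto
Zaplanowane zadania : 1
[Suspicious.Path|Tr.Gen1] \{A180AE35-162B-199E-DD72-CAFC6D1796B1} -- C:\ProgramData\{0556AA48-B2FD-1DE3-4B73-1464029E3619}\7698C24E-C133-75E5-BDA2-E6995DDA8D85.exe (/run) -> Wykryto
Pliki : 1
[Hj.Shortcut][Plik] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk [LNK@] C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe http://qtipr.com/ -> Wykryto
WMI : 1
[PUP.Yeahbests] instance (ActiveScriptEventConsumer) \ROOT\subscription:ActiveScriptEventConsumer.Name="ASEC" -> Wykryto
Rootkity : 0 (Driver: załadowano)
"""

# "Procesy : 4" or "Rootkity : 0 (Driver: ...)" -> section header with a count.
SECTION_RE = re.compile(r"^(?P<name>[^\[\]:]+?)\s*:\s*(?P<count>\d+)\b")
# "[Tag|Tag][Plik] detail -> Wykryto" -> one detection entry (kind is optional).
ENTRY_RE = re.compile(
    r"^\[(?P<tags>[^\]]+)\](?:\[(?P<kind>[^\]]+)\])?\s+(?P<detail>.+?)\s*->\s*(?P<status>\S+)\s*$"
)

def parse_report(text):
    """Return the detections as dicts: section, tags, kind, detail, status."""
    entries, section = [], None
    for line in filter(None, (l.strip() for l in text.splitlines())):
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"section": section, "tags": m["tags"].split("|"),
                            "kind": m["kind"], "detail": m["detail"], "status": m["status"]})
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m["name"].strip()
    return entries

# Assumed priority list: families pointing at active malware or persistence rather than bundleware.
HIGH_PRIORITY = ("Tr.", "Proc.Injected", "Proc.RunPE", "Hj.", "Suspicious.Path")

def triage(entries):
    """Count detections per tag family (PUP, PUM, Tr, ...) and pick the ones to review first."""
    families = Counter(tag.split(".")[0] for e in entries for tag in e["tags"])
    high = [e for e in entries if e["section"] == "WMI"  # WMI event consumers are persistence
            or any(t.startswith(HIGH_PRIORITY) for t in e["tags"])]
    return {"families": families, "high_priority": high}
```

Run `triage(parse_report(open("RKreport.txt", encoding="utf-8").read()))` on a saved report to get the per-family counts and the short list of entries to review first.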

Title: Re: Check Logs
Post by: Curson on April 22, 2017, 03:20:04 pm
Hi feradolo,

Welcome to Adlice.com Forum.
Your computer is infected.

Please select all lines for deletion, then start the removal process.
Please attach the deletion log with your next reply.

Please download Farbar Recovery Scan Tool (x86) (http://download.bleepingcomputer.com/farbar/FRST.exe) and save it to your Desktop.
Regards.
Title: Re: Check Logs
Post by: feradolo on April 22, 2017, 03:38:00 pm
Done.

Here are the logs to download: http://www47.zippyshare.com/v/xCGU9PKI/file.html
Title: Re: Check Logs
Post by: Curson on April 22, 2017, 04:52:50 pm
Hi feradolo,

Next time, please attach the logs using the "Attachments and other options" forum feature.
Your computer is very infected. Please make a backup of your personal data.

You are using hacking tools and cracked software; they are the entry point of many infections.
I strongly advise you to get rid of them and not to download such stuff in the future.
Quote
C:\Users\Patryk\Downloads\Raiderz H4x v2.0 - Private_mpgh.net.zip
C:\Users\Patryk\Downloads\WPE PRO WORKING 17.11.2014 by BossRevolution to MPGH.net HAPPY HACK_mpgh.net.rar
C:\Users\Patryk\Downloads\[torrenty.to] Windows 7 SP1  [PL] [x86 x64 bit] [+Aktywator] [ISO].torrent
C:\Users\Patryk\Downloads\[Electro-Torrent.pl] Disney Universe [MULTi3-PROPHET] [Dubbing PL].torrent
C:\Users\Patryk\Downloads\[Electro-Torrent.pl] Ultimate Marvel Vs. Capcom 3 2017 [MULTi6-ENG] [ISO] [CODEX].torrent
C:\Users\Patryk\Downloads\[Electro-Torrent.pl] The Binding Of Isaac- Afterbirth Plus 2017 [All DLCs + All Update Incl.] [ENG] [ISO] [TINYISO].torrent
C:\Users\Patryk\Downloads\[torrenty.to] Mafia 2 [PL] + crack.torrent
C:\Users\Patryk\Downloads\[torrenty.to] Mafia 2- Digital Deluxe Edition -2011- [Multi-PL] [RePack VickNet ] [EXE].torrent
C:\Users\Patryk\Downloads\hydra-8.4.tar.gz
C:\Users\Patryk\Downloads\Resilience 1.6.5.zip

Download attached fixlist.txt file and save it to the Desktop.
NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system!

Run FRST and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please attach it to your reply.

Please download SystemLook (http://jpshortstuff.247fixes.com/SystemLook.exe) and save it to your desktop.
Code:
:filefind
user32.*
dnsapi.*
Note: The log can also be found on your Desktop entitled SystemLook.txt

Regards.
Title: Re: Check Logs
Post by: feradolo on April 22, 2017, 05:38:58 pm
Not done. When I was away, someone from my family came to the PC and closed FRST.... But the log was created; I'm giving it together with the SystemLook log. I didn't try the fix again.

PS: It's a cracked system and I know it.
Title: Re: Check Logs
Post by: Curson on April 22, 2017, 05:47:18 pm
Hi feradolo,

Download attached fixlist.txt file and save it to the Desktop.
NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system!

Run FRST and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please attach it to your reply.

How is the computer running now?

Regards.
Title: Re: Check Logs
Post by: feradolo on April 22, 2017, 06:19:56 pm
Done. The computer was not slowed down; it's been the same all the time.
Title: Re: Check Logs
Post by: Curson on April 22, 2017, 06:50:19 pm
Hi feradolo,

Your system is now clean.
You can remove SystemLook, FRST and related files/folders.

I noticed you don't run any anti-malware protection software; it may be a good idea to install one.

Regards.
Title: Re: Check Logs
Post by: feradolo on April 22, 2017, 06:58:49 pm
Thanks for your Help ;)
Title: Re: Check Logs
Post by: Curson on April 22, 2017, 07:03:09 pm
Hi feradolo,

You are welcome.
Regards.