Adlice forum
General Category => Malware removal help => Topic started by: feradolo on April 22, 2017, 01:20:43 PM
-
Today I downloaded this powerful software named RogueKiller. I scanned and it found some viruses/malware I don't know. Please check my logs :)
(I am using the Polish version, so there may be a problem with understanding, but I think Google can help)
RogueKiller V12.10.5.0 [Apr 18 2017] (free version) by Adlice Software
Contact : http://www.adlice.com/contact/
Forum : https://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com
Operating System : Windows 7 (6.1.7600) 32 bits version
Started in : Normal mode
User : Patryk [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller.exe
Mode : Scan -- Date : 04/22/2017 12:11:49 (Duration : 00:36:27)
¤¤¤ Processes : 4 ¤¤¤
[Proc.Svchost] svchost.exe(1700) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected|Proc.RunPE] launcher.exe(2888) -- C:\Program Files\Opera\launcher.exe[7] -> Found
[Proc.Injected] svchost.exe(3028) -- C:\Users\Patryk\AppData\Local\Microsoft\svchost.exe[-] -> Found
[Proc.Svchost] svchost.exe(3028) -- C:\Users\Patryk\AppData\Local\Microsoft\svchost.exe[-] -> Found
¤¤¤ Registry : 22 ¤¤¤
[PUP.DllFiles] HKEY_LOCAL_MACHINE\Software\dll-files.com -> Found
[PUP.EventMonitor|PUP.Gen1] HKEY_LOCAL_MACHINE\Software\Event Monitor -> Found
[PUP.Gen1] HKEY_LOCAL_MACHINE\Software\Jawego -> Found
[PUP.UCBrowser|PUP.Gen1] HKEY_LOCAL_MACHINE\Software\UCBrowser -> Found
[PUP.Gen1] HKEY_LOCAL_MACHINE\Software\UCBrowserPID -> Found
[PUP.Gen1] HKEY_USERS\S-1-5-21-663137483-2068535372-257761148-1001\Software\AutoTime -> Found
[PUP.DllFiles] HKEY_USERS\S-1-5-21-663137483-2068535372-257761148-1001\Software\dll-files.com -> Found
[PUP.EventMonitor|PUP.Gen1] HKEY_USERS\S-1-5-21-663137483-2068535372-257761148-1001\Software\Event Monitor -> Found
[PUP.Gen1] HKEY_USERS\S-1-5-21-663137483-2068535372-257761148-1001\Software\IM -> Found
[PUP.Gen1] HKEY_USERS\S-1-5-21-663137483-2068535372-257761148-1001\Software\Installer -> Found
[PUP.Gen1] HKEY_USERS\S-1-5-21-663137483-2068535372-257761148-1001\Software\SNDA -> Found
[PUP.UCBrowser|PUP.Gen1] HKEY_USERS\S-1-5-21-663137483-2068535372-257761148-1001\Software\UCBrowser -> Found
[PUP.Gen1] HKEY_USERS\S-1-5-21-663137483-2068535372-257761148-1001\Software\UCBrowserPID -> Found
[PUP.VideoBox] HKEY_USERS\S-1-5-21-663137483-2068535372-257761148-1001\Software\VideoBox -> Found
[PUP.Gen1] HKEY_USERS\S-1-5-21-663137483-2068535372-257761148-1001\Software\Win -> Found
[PUP.Gen0] HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost | kuaizipupdatesvc : -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wfpgameprotect (\??\C:\Users\Patryk\AppData\Local\Temp\5699.tmp.sys) -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\wfpgameprotect (\??\C:\Users\Patryk\AppData\Local\Temp\5699.tmp.sys) -> Found
[PUM.HomePage] HKEY_USERS\S-1-5-21-663137483-2068535372-257761148-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://faststartpage.com/ -> Found
[PUP.UCBrowser] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {95C72822-C61A-4FD7-9F78-C204FE35BB7A} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=5353|App=C:\Program Files\UCBrowser\Application\UCBrowser.exe|Name=Chromium (mDNS-In)|Desc=Reguła dla ruchu przychodzącego w Chromium zezwalająca na ruch mDNS.|EmbedCtxt=UC???| [7] -> Found
[PUP.UCBrowser] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {95C72822-C61A-4FD7-9F78-C204FE35BB7A} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=5353|App=C:\Program Files\UCBrowser\Application\UCBrowser.exe|Name=Chromium (mDNS-In)|Desc=Reguła dla ruchu przychodzącego w Chromium zezwalająca na ruch mDNS.|EmbedCtxt=UC???| [7] -> Found
[PUM.Policies] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Found
¤¤¤ Tasks : 10 ¤¤¤
[Suspicious.Path] %WINDIR%\Tasks\DLL-Files.Com Fixer_MONTHLY.job -- C:\Users\Patryk\AppData\Local\Temp\Rar$EXa0.239\Dll-Files Fixer 3.3.90.3079 Portable\App\Dll-Files.com Fixer\DLLFixer.exe (scan) -> Found
[Suspicious.Path] %WINDIR%\Tasks\DLL-Files.Com Fixer_Updates.job -- C:\Users\Patryk\AppData\Local\Temp\Rar$EXa0.239\Dll-Files Fixer 3.3.90.3079 Portable\App\Dll-Files.com Fixer\DLLFixer.exe (-updatecheck) -> Found
[Suspicious.Path] \463b8825b2038j5420 -- C:\Windows\system32\rundll32.exe ("C:\ProgramData\463b8825b2038j5420\463b8825b2038j5420.dll",bjDTMMydzy) -> Found
[Suspicious.Path] \DLL-Files.Com Fixer_MONTHLY -- C:\Users\Patryk\AppData\Local\Temp\Rar$EXa0.239\Dll-Files Fixer 3.3.90.3079 Portable\App\Dll-Files.com Fixer\DLLFixer.exe (scan) -> Found
[Suspicious.Path] \DLL-Files.Com Fixer_Updates -- C:\Users\Patryk\AppData\Local\Temp\Rar$EXa0.239\Dll-Files Fixer 3.3.90.3079 Portable\App\Dll-Files.com Fixer\DLLFixer.exe (-updatecheck) -> Found
[PUP.Gen0] \mm -- "C:\Program Files\MyMemory\uninstall.exe " (/S) -> Found
[Suspicious.Path] \RDReminder -- C:\Users\Patryk\AppData\Local\Temp\Rar$EXa0.239\Dll-Files Fixer 3.3.90.3079 Portable\App\Dll-Files.com Fixer\DLLFixer.exe (-rem) -> Found
[Suspicious.Path|Tr.Gen1] \{A180AE35-162B-199E-DD72-CAFC6D1796B1} -- C:\ProgramData\{0556AA48-B2FD-1DE3-4B73-1464029E3619}\7698C24E-C133-75E5-BDA2-E6995DDA8D85.exe (/run) -> Found
[Suspicious.Path|Tr.Gen1] \{C5E24BBE-7249-FC15-50FF-4AD008860FEA} -- C:\ProgramData\{D1328401-6699-33AA-1947-BF5458D52128}\D0AA6C68-6701-DBC3-C74B-04C0BD41FC28.exe (/run) -> Found
[Suspicious.Path|Tr.Gen0] \Microsoft\Windows\Multimedia\Manager -- C:\Users\Patryk\AppData\Roaming\Adobe\Manager.exe (604C4206-B430-43E1-A102-8BF11249AEC2) -> Found
¤¤¤ Files : 23 ¤¤¤
[PUP.RegisterObject][Folder] C:\ProgramData\RegisterObject -> Found
[Hj.Shortcut][File] C:\Users\Patryk\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk [LNK@] C:\PROGRA~1\INTERN~1\iexplore.exe http://qtipr.com/ -> Found
[Hj.Shortcut][File] C:\Users\Patryk\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk [LNK@] C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe http://qtipr.com/ -> Found
[Hj.Shortcut][File] C:\Users\Patryk\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk [LNK@] C:\PROGRA~1\INTERN~1\iexplore.exe http://qtipr.com/ -> Found
[PUP.Gen0][File] C:\Windows\System32\drivers\ucguard.sys -> Found
[PUP.DllFiles][Folder] C:\Users\Patryk\AppData\Roaming\dll-files.com -> Found
[PUP.Gen1][Folder] C:\Users\Patryk\AppData\Roaming\Note-UP -> Found
[Tr.Gen0][File] C:\Users\Patryk\AppData\Roaming\uTorrent\updates\3.4.7_42330\utorrentie.exe -> Found
[Tr.Gen0][File] C:\Users\Patryk\AppData\Roaming\uTorrent\updates\3.4.8_42576\utorrentie.exe -> Found
[Tr.Gen0][File] C:\Users\Patryk\AppData\Roaming\uTorrent\updates\3.4.9_42606\utorrentie.exe -> Found
[Tr.Gen0][File] C:\Users\Patryk\AppData\Roaming\uTorrent\updates\3.4.9_42973\utorrentie.exe -> Found
[Tr.Gen0][File] C:\Users\Patryk\AppData\Roaming\uTorrent\updates\3.4.9_43085\utorrentie.exe -> Found
[Tr.Gen0][File] C:\Users\Patryk\AppData\Roaming\uTorrent\updates\3.4.9_43295\utorrentie.exe -> Found
[Tr.Gen0][File] C:\Users\Patryk\AppData\Roaming\uTorrent\updates\3.4.9_43388\utorrentie.exe -> Found
[Tr.Gen0][File] C:\Users\Patryk\AppData\Roaming\uTorrent\updates\3.5.0_43580\utorrentie.exe -> Found
[PUP.UCBrowser][Folder] C:\Users\Patryk\AppData\Local\UCBrowser -> Found
[Hj.Shortcut][File] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk [LNK@] C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe http://qtipr.com/ -> Found
[PUP.RegisterObject][Folder] C:\ProgramData\RegisterObject -> Found
[PUP.Gen1][Folder] C:\Program Files\Caster -> Found
[PUP.Gen1][Folder] C:\Program Files\GreatMaker -> Found
[PUP.Gen1][Folder] C:\Program Files\mpck -> Found
[PUP.UCBrowser][Folder] C:\Program Files\UCBrowser -> Found
[Hj.Shortcut][File] C:\Users\Patryk\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk [LNK@] C:\PROGRA~1\INTERN~1\iexplore.exe http://qtipr.com/ -> Found
¤¤¤ WMI : 1 ¤¤¤
[PUP.Yeahbests] instance (ActiveScriptEventConsumer) \ROOT\subscription:ActiveScriptEventConsumer.Name="ASEC" -> Found
¤¤¤ Hosts file : 0 ¤¤¤
¤¤¤ Rootkits : 0 (Driver: loaded) ¤¤¤
¤¤¤ Web browsers : 0 ¤¤¤
¤¤¤ MBR check : ¤¤¤
+++++ PhysicalDrive0: MAXTOR STM3250310AS ATA Device +++++
--- User ---
[MBR] 53b28b9846d11d3492d7fd331f5b7dce
[BSP] f096e302d4e3c4d15b6ae34d20face98 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 119135 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 244195328 | Size: 119237 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK
+++++ PhysicalDrive1: Generic USB SD Reader USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )
+++++ PhysicalDrive2: Generic USB CF Reader USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )
+++++ PhysicalDrive3: Generic USB SM Reader USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )
+++++ PhysicalDrive4: Generic USB MS Reader USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )
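Reading a report like the one above, the entries worth acting on first are the ones whose location or shape is wrong whatever vendor tag they carry: a second svchost.exe running from AppData, a kernel driver (wfpgameprotect) loaded from the user's Temp folder, scheduled tasks pointing into GUID-named ProgramData folders, browser shortcuts with a URL appended to the target, the UAC admin prompt turned off (ConsentPromptBehaviorAdmin = 0) and a WMI ActiveScriptEventConsumer, which is a classic fileless persistence point. The script below is an added example, not part of this post and not RogueKiller code; it re-applies those checks to report lines transcribed from the scan above (in the English `-> Found` form). The regular expressions, the short list of system binary names and the choice of "user-writable" directories are the example's own assumptions.

```python
"""Triage of RogueKiller-style report lines by location and shape.

Added example: not from the forum post and not RogueKiller's code.  The
regexes, the SYSTEM_BINARIES list and the directory heuristics are assumptions
made for the demo; the sample lines are transcribed from the scan above.
"""
import re
from dataclasses import dataclass

# Names malware likes to borrow; a copy outside System32 is suspect.
# Assumption: a short list is enough for the demo.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe"}
SYSTEM32 = "c:\\windows\\system32\\"

# One report entry: "[Tag|Tag][Kind] detail -> Found"
ENTRY = re.compile(r"^\[(?P<tags>[^\]]+)\](?:\[(?P<kind>[^\]]+)\])?\s+(?P<detail>.*?)\s*->\s*Found\s*$")
# A Windows path, read up to the first executable-looking extension.
PATH = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|sys|dll|job|lnk)\b", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp|AppData)\\", re.IGNORECASE)
GUID_DIR = re.compile(r"\\\{[0-9A-Fa-f-]{36}\}\\")
URL_ARG = re.compile(r"\.exe\s+https?://", re.IGNORECASE)


@dataclass
class Finding:
    tags: str
    detail: str
    reasons: list


def triage_line(line):
    """Return a Finding for one report line, or None if nothing structural is wrong."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    detail = m.group("detail")
    reasons = []
    for path in PATH.findall(detail):
        name = path.rsplit("\\", 1)[-1].lower()
        if name in SYSTEM_BINARIES and not path.lower().startswith(SYSTEM32):
            reasons.append(f"{name} outside System32: {path}")
        if USER_WRITABLE.search(path) and name.endswith((".exe", ".sys", ".dll")):
            reasons.append(f"executable in a user-writable directory: {path}")
        if GUID_DIR.search(path):
            reasons.append(f"GUID-named drop folder: {path}")
    if URL_ARG.search(detail):
        reasons.append("shortcut target carries a URL argument (browser hijack)")
    if "ConsentPromptBehaviorAdmin : 0" in detail:
        reasons.append("UAC elevation prompt disabled for administrators")
    if "ActiveScriptEventConsumer" in detail:
        reasons.append("WMI event-consumer persistence")
    return Finding(m.group("tags"), detail, reasons) if reasons else None


def triage_report(text):
    """Triage every line of a report; lines with no structural problem are dropped."""
    return [f for f in map(triage_line, text.splitlines()) if f]


# Constructed sample: lines transcribed from the scan above.
SAMPLE_REPORT = r"""
[Proc.Svchost] svchost.exe(1700) -- C:\Windows\System32\svchost.exe[7] -> Found
[Proc.Injected] svchost.exe(3028) -- C:\Users\Patryk\AppData\Local\Microsoft\svchost.exe[-] -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wfpgameprotect (\??\C:\Users\Patryk\AppData\Local\Temp\5699.tmp.sys) -> Found
[PUM.Policies] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Found
[Suspicious.Path] \463b8825b2038j5420 -- C:\Windows\system32\rundll32.exe ("C:\ProgramData\463b8825b2038j5420\463b8825b2038j5420.dll",bjDTMMydzy) -> Found
[Suspicious.Path] \RDReminder -- C:\Users\Patryk\AppData\Local\Temp\Rar$EXa0.239\Dll-Files Fixer 3.3.90.3079 Portable\App\Dll-Files.com Fixer\DLLFixer.exe (-rem) -> Found
[Suspicious.Path|Tr.Gen1] \{A180AE35-162B-199E-DD72-CAFC6D1796B1} -- C:\ProgramData\{0556AA48-B2FD-1DE3-4B73-1464029E3619}\7698C24E-C133-75E5-BDA2-E6995DDA8D85.exe (/run) -> Found
[PUP.Gen0][File] C:\Windows\System32\drivers\ucguard.sys -> Found
[Hj.Shortcut][File] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk [LNK@] C:\PROGRA~1\Google\Chrome\APPLIC~1\chrome.exe http://qtipr.com/ -> Found
[PUP.Yeahbests] instance (ActiveScriptEventConsumer) \ROOT\subscription:ActiveScriptEventConsumer.Name="ASEC" -> Found
"""

if __name__ == "__main__":
    for f in triage_report(SAMPLE_REPORT):
        print(f"[{f.tags}] {f.detail}")
        for r in f.reasons:
            print("    -", r)
```

Two of the ten sample lines come back clean: the System32 svchost.exe (RogueKiller lists it only as [Proc.Svchost], a process it wanted to mention) and ucguard.sys in System32\drivers, which sits exactly where a driver should. Those are the cases where only the vendor's own tag carries information, which is why location heuristics narrow the list but do not replace the tool's verdict or a hash lookup.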
-
Hi feradolo,
Welcome to Adlice.com Forum.
Your computer is infected.
Please select all lines for deletion, then start the removal process.
Please attach the deletion log with your next reply.
Please download Farbar Recovery Scan Tool (x86) (http://download.bleepingcomputer.com/farbar/FRST.exe) and save it to your Desktop.
- Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
- Press Scan button.
- It will produce a log called FRST.txt in the same directory the tool is run from.
- Please attach log back here.
- The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe). Please also attach that along with the FRST.txt into your reply.
Regards.
-
Done.
Here are the logs to download: http://www47.zippyshare.com/v/xCGU9PKI/file.html
-
Hi feradolo,
Next time, please attach the logs using the "Attachment and other options" forum feature.
Your computer is very infected. Please make a backup of your personal data.
You are using hacking tools and cracked software; they are the entry point of many infections.
I strongly advise you to get rid of them and not to download such stuff in the future.
C:\Users\Patryk\Downloads\Raiderz H4x v2.0 - Private_mpgh.net.zip
C:\Users\Patryk\Downloads\WPE PRO WORKING 17.11.2014 by BossRevolution to MPGH.net HAPPY HACK_mpgh.net.rar
C:\Users\Patryk\Downloads\[torrenty.to] Windows 7 SP1 [PL] [x86 x64 bit] [+Aktywator] [ISO].torrent
C:\Users\Patryk\Downloads\[Electro-Torrent.pl] Disney Universe [MULTi3-PROPHET] [Dubbing PL].torrent
C:\Users\Patryk\Downloads\[Electro-Torrent.pl] Ultimate Marvel Vs. Capcom 3 2017 [MULTi6-ENG] [ISO] [CODEX].torrent
C:\Users\Patryk\Downloads\[Electro-Torrent.pl] The Binding Of Isaac- Afterbirth Plus 2017 [All DLCs + All Update Incl.] [ENG] [ISO] [TINYISO].torrent
C:\Users\Patryk\Downloads\[torrenty.to] Mafia 2 [PL] + crack.torrent
C:\Users\Patryk\Downloads\[torrenty.to] Mafia 2- Digital Deluxe Edition -2011- [Multi-PL] [RePack VickNet ] [EXE].torrent
C:\Users\Patryk\Downloads\hydra-8.4.tar.gz
C:\Users\Patryk\Downloads\Resilience 1.6.5.zip
Download attached fixlist.txt file and save it to the Desktop.
NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system !
Run FRST and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Please download SystemLook (http://jpshortstuff.247fixes.com/SystemLook.exe) and save it to your desktop.
- Double-click SystemLook.exe to run it.
- Copy the content of the following codebox into the main textfield:
:filefind
user32.*
dnsapi.*
- Click the Look button to start the scan.
- When finished, a notepad window will open with the results of the scan. Please attach this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
Regards.
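The SystemLook `:filefind` step above lists every copy of user32.* and dnsapi.* on the disk with its size and MD5. The point of asking for that is that a trojan which patches a system DLL in place changes the copy Windows actually loads (the one in System32) while the originals kept by Windows servicing in the component store (winsxs) stay untouched, so the patched copy is the one whose size matches a store copy of the same name but whose hash does not. The script below is an added example, not SystemLook's code and not from this thread; it parses a filefind-style listing and applies that comparison. The column layout it expects (path, an attribute token, "<n> bytes", dates, then a 32-hex MD5), the winsxs folder names and every size and hash in the sample are constructed for the demo.

```python
"""Spot an in-place patched system DLL from a SystemLook :filefind listing.

Added example: not SystemLook's code and not from the forum post.  The line
layout assumed by LINE, the store folder names and all sizes and hashes in
SAMPLE_LISTING are constructed for the demo.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Assumed result line: <path>  <7-char attributes>  <n> bytes  [dates...] <md5>
LINE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?)\s+\S{7}\s+(?P<size>\d+) bytes\b.*?(?P<md5>[0-9A-Fa-f]{32})\s*$"
)


@dataclass(frozen=True)
class Copy:
    path: str
    size: int
    md5: str

    @property
    def name(self):
        return self.path.rsplit("\\", 1)[-1].lower()

    @property
    def in_store(self):
        # Component-store copies are the servicing originals we compare against.
        return "\\winsxs\\" in self.path.lower()


def parse_filefind(text):
    """Pull (path, size, md5) records out of a filefind listing; other lines are ignored."""
    copies = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            copies.append(Copy(m.group("path"), int(m.group("size")), m.group("md5").lower()))
    return copies


def find_patched(copies):
    """Flag non-store copies whose MD5 differs from a store copy of the same name and size.

    Same size with a different hash is the signature of a patch applied in place
    (the attacker overwrote bytes rather than replacing the file).  A copy with
    no store sibling of that size cannot be judged this way and is flagged for a
    known-good-hash check instead.
    """
    groups = defaultdict(list)
    for c in copies:
        groups[(c.name, c.size)].append(c)
    flagged = []
    for group in groups.values():
        reference = {c.md5 for c in group if c.in_store}
        for c in group:
            if c.in_store:
                continue
            if not reference:
                flagged.append((c, "no component-store copy of this size to compare with; check against a known-good hash"))
            elif c.md5 not in reference:
                flagged.append((c, "same size as the store copy but different MD5: likely patched in place"))
    return flagged


# Constructed sample listing (hashes are placeholders, not real file hashes).
SAMPLE_LISTING = r"""
========== filefind ==========

Searching for "user32.*"
C:\Windows\System32\user32.dll   --a---- 811008 bytes   [01:15 14/07/2009]   [01:15 14/07/2009] a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1
C:\Windows\System32\en-US\user32.dll.mui   --a---- 20480 bytes   [01:15 14/07/2009]   [01:15 14/07/2009] c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0
C:\Windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7600.16385_none_0123456789abcdef\user32.dll   --a---- 811008 bytes   [01:15 14/07/2009]   [01:15 14/07/2009] a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0

Searching for "dnsapi.*"
C:\Windows\System32\dnsapi.dll   --a---- 270336 bytes   [01:15 14/07/2009]   [01:15 14/07/2009] b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0
C:\Windows\winsxs\x86_microsoft-windows-dns-client-minwin_31bf3856ad364e35_6.1.7600.16385_none_0123456789abcdef\dnsapi.dll   --a---- 270336 bytes   [01:15 14/07/2009]   [01:15 14/07/2009] b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0
C:\Windows\winsxs\x86_microsoft-windows-dns-client-minwin_31bf3856ad364e35_6.1.7601.17514_none_fedcba9876543210\dnsapi.dll   --a---- 272896 bytes   [01:15 20/11/2010]   [01:15 20/11/2010] b1b1b1b1b1b1b1b1b1b1b1b1b1b1b1b1

-= EOF =-
"""

if __name__ == "__main__":
    for copy, why in find_patched(parse_filefind(SAMPLE_LISTING)):
        print(f"{copy.path}\n    {why}")
```

In the constructed listing the System32 user32.dll is flagged (same 811008 bytes as the store copy, different hash) while dnsapi.dll is not, and the .mui resource file that the `user32.*` wildcard also pulls in is reported only as "no reference copy". The heuristic trusts the winsxs copies and trusts the listing itself; a rootkit with kernel access can patch the store copy too or hide files from a user-mode directory walk, so treat a hit as a reason to compare the file against a hash from a known-clean install (or let `sfc /scannow` do that comparison), not as a final verdict.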
-
Not done. While I was away someone from my family came to the PC and turned off FRST.... But the log was created; I'm giving it along with the SystemLook one. I didn't try the fix again.
PS: It's a cracked system and I know it.
-
Hi feradolo,
Download attached fixlist.txt file and save it to the Desktop.
NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system !
Run FRST and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please attach it to your reply.
How is the computer running now ?
Regards.
-
Done. The computer has not been slowed down, it's been the same the whole time.
-
Hi feradolo,
Your system is now clean.
You can remove SystemLook, FRST and related files/folders.
I noticed you don't run any anti-malware software protection, it may be a good idea to install one.
Regards.
-
Thanks for your Help ;)
-
Hi feradolo,
You are welcome.
Regards.