Adlice forum

General Category => Malware removal help => Topic started by: wolf wolfman on April 28, 2018, 08:49:06 AM

Title: savingsCOOL malware I'm trying to remove
Post by: wolf wolfman on April 28, 2018, 08:49:06 AM
I have run Malwarebytes, RogueKiller, RKill, AdwCleaner, and HitmanPro
Title: Re: savingsCOOL malware I'm trying to remove
Post by: Curson on April 28, 2018, 04:30:47 PM
Hi Wolf,

Welcome to Adlice.com Forum.
Could you please attach the RogueKiller full scan report with your next reply?

Regards.

Note : This thread has been moved to the "Malware removal" section for clarity.
Title: Re: savingsCOOL malware I'm trying to remove
Post by: wolf wolfman on April 29, 2018, 03:07:48 AM
4/28/2018

Operating System : Windows 10 (10.0.16299) 64 bits version
Started in : Normal mode
User : [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
C

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 8 ¤¤¤
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-1193257731-625740395-4096007851-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://dell17win10.msn.com/?pc=DCTE  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-1193257731-625740395-4096007851-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://dell17win10.msn.com/?pc=DCTE  -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-1193257731-625740395-4096007851-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04282018021617954\Software\Microsoft\Internet Explorer\Main | Start Page : http://dell17win10.msn.com/?pc=DCTE  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-1193257731-625740395-4096007851-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04282018021617954\Software\Microsoft\Internet Explorer\Main | Start Page : http://dell17win10.msn.com/?pc=DCTE  -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-1193257731-625740395-4096007851-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://dell17win10.msn.com/?pc=DCTE  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-1193257731-625740395-4096007851-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://dell17win10.msn.com/?pc=DCTE  -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-1193257731-625740395-4096007851-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04282018021617954\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://dell17win10.msn.com/?pc=DCTE  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-1193257731-625740395-4096007851-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04282018021617954\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://dell17win10.msn.com/?pc=DCTE  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 1 ¤¤¤
[PUP.OnlineIO|PUP.Gen1][Folder] C:\Users\donwo\AppData\Roaming\AGData -> Found

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 2 ¤¤¤
[PUM.HomePage][Chrome:Config] Default [SecurePrefs] : homepage [http://asus.us.msn.com/?pc=ASU2&ocid=ASUDHP] -> Found
[PUM.HomePage][Chrome:Config] Default [SecurePrefs] : session.startup_urls [https://www.wqed.org/fm/player/main|https://us.search.yahoo.com/yhs/web?hspart=omr&hsimp=yhs-001&type=86311158&param1=y6bdVFVIsvuYsgEClQfz8HyFH9tZCHsOZFHNP%2BYwJC1jBiUaoTp2HzLezqyRGgV7ncwZITKKYfhFz7dO3LRCnrTnrNw5Fipj0LOXi1xhp8h3A4SGX6Ugrq6hhxrIimXxjEtndZB5%2FsqGdrXybIxMNeFeied0aPbjX6AJu44xGNc4FJ04kTX%2FJq56XZTIthbue3r05ITxDOFxuXguRKUyCOk8xwyM1L%2Fw%2BoP23YN9jEWMStIDAklxflBEhyVO452MVVEgUyINoRS3cfRvth%2Bn3MDpTbexqy8iXiaj74qBGBY%3D] -> Found

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST1000LM035-1RK172 +++++
--- User ---
[MBR] bbde588f1b2c289c40a8988c4c4d767c
[BSP] 24843b9c464bc54149989a47b2ab6162 : Empty|VT.Unknown MBR Code
Partition table:
0 - [MAN-MOUNT] EFI system partition | Offset (sectors): 2048 | Size: 500 MB
1 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 1026048 | Size: 128 MB
2 - Basic data partition | Offset (sectors): 1288192 | Size: 940675 MB
3 - [SYSTEM][MAN-MOUNT]  | Offset (sectors): 1927792640 | Size: 851 MB
4 - [SYSTEM][MAN-MOUNT]  | Offset (sectors): 1929535488 | Size: 11712 MB
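The report above mixes two different kinds of finding: PUM (Potentially Unwanted Modification) entries, which are settings such as the IE Start Page / Default_Page_URL and Chrome's homepage and session.startup_urls, and a PUP folder under AppData\Roaming. The startup URL list is the interesting one, because a Yahoo Hosted Search (yhs) endpoint carrying an hspart partner parameter is a syndicated search URL, while the dell17win10.msn.com / asus.us.msn.com hosts are OEM-branded MSN start pages. The following is an added example, not RogueKiller's or Adlice's own code: it parses report lines of the shape shown above into structured findings and applies a small triage heuristic to every URL. The sample report is constructed from the shapes in the post (the long Yahoo param1 value is shortened), and the classification rules, function names and verdict labels are the example's own assumptions, not anything the tool outputs.

```python
"""Parse RogueKiller-style report lines and triage the URLs they contain."""
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample shaped like the report in the post above (the Yahoo
# 'param1' value is shortened). Not a real report file.
SAMPLE_REPORT = r"""
¤¤¤ Registry : 2 ¤¤¤
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-1193257731-625740395-4096007851-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://dell17win10.msn.com/?pc=DCTE  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-1193257731-625740395-4096007851-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://dell17win10.msn.com/?pc=DCTE  -> Found

¤¤¤ Files : 1 ¤¤¤
[PUP.OnlineIO|PUP.Gen1][Folder] C:\Users\donwo\AppData\Roaming\AGData -> Found

¤¤¤ Web browsers : 2 ¤¤¤
[PUM.HomePage][Chrome:Config] Default [SecurePrefs] : homepage [http://asus.us.msn.com/?pc=ASU2&ocid=ASUDHP] -> Found
[PUM.HomePage][Chrome:Config] Default [SecurePrefs] : session.startup_urls [https://www.wqed.org/fm/player/main|https://us.search.yahoo.com/yhs/web?hspart=omr&hsimp=yhs-001&type=86311158&param1=shortened] -> Found
"""

# "¤¤¤ Registry : 8 ¤¤¤", "¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤", "¤¤¤ MBR Check : ¤¤¤"
SECTION_RE = re.compile(r"^¤¤¤\s+(?P<name>[^:]+?)\s*:\s*(?P<count>\d*).*?¤¤¤\s*$")
# One or more leading [tags], free-form detail, then "-> Found" (or another status word)
FINDING_RE = re.compile(r"^(?P<tags>(?:\[[^\]]+\])+)\s*(?P<detail>.*?)\s*->\s*(?P<status>\w+)$")
# URLs stop at whitespace, a closing bracket, or the '|' that separates startup URLs
URL_RE = re.compile(r"https?://[^\s\]|]+")


def parse_report(text):
    """Return one dict per detection line, tagged with the section it sits in."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        sec = SECTION_RE.match(line)
        if sec:
            section = sec["name"]
            continue
        m = FINDING_RE.match(line)
        if not m:
            continue  # partition-table lines, hashes etc. are not findings
        tags = re.findall(r"\[([^\]]+)\]", m["tags"])
        findings.append({
            "section": section,
            "detections": tags[0].split("|"),  # e.g. PUP.OnlineIO|PUP.Gen1
            "tags": tags[1:],                  # e.g. Folder, Chrome:Config
            "detail": m["detail"],
            "urls": URL_RE.findall(m["detail"]),
            "status": m["status"],
        })
    return findings


def classify_url(url):
    """Heuristic verdict for a home/startup URL (assumed rules, not RogueKiller's)."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    query = parse_qs(p.query)
    if host == "msn.com" or host.endswith(".msn.com"):
        return "oem_msn_default"           # OEM-branded MSN start page
    if host.endswith("search.yahoo.com") and p.path.startswith("/yhs/") and "hspart" in query:
        return "yhs_affiliate_search"      # syndicated search with a partner id
    return "unclassified"


def triage(findings):
    """Flatten every URL in the findings into rows with a verdict attached."""
    rows = []
    for f in findings:
        for url in f["urls"]:
            rows.append({"section": f["section"], "detections": f["detections"],
                         "url": url, "verdict": classify_url(url)})
    return rows


if __name__ == "__main__":
    for row in triage(parse_report(SAMPLE_REPORT)):
        print(f"{row['verdict']:22} {row['section']:13} {row['url']}")
```

Running it on the sample prints three oem_msn_default rows, the wqed.org radio player as unclassified, and the Yahoo yhs URL as yhs_affiliate_search, which is the single entry in the whole report that a practitioner would treat as the hijack artefact rather than a harmless factory default. Note that the Chrome entries live in Secure Preferences, which Chrome integrity-checks, so they are better cleared through the browser's own settings reset or a tool that knows the format than by hand-editing the JSON.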
Title: Re: savingsCOOL malware I'm trying to remove
Post by: Curson on April 29, 2018, 09:03:34 PM
Hi Wolf,

Please download Farbar Recovery Scan Tool (x64) (http://download.bleepingcomputer.com/farbar/FRST64.exe) and save it to your Desktop.
Please attach Malwarebytes report as well.
Do not copy-paste the report directly in your message, please use the "Attach" feature under "Attachments and other options".

Regards.
Title: Re: savingsCOOL malware I'm trying to remove
Post by: wolf wolfman on May 01, 2018, 03:40:55 AM
Saved FRST scan 
Title: Re: savingsCOOL malware I'm trying to remove
Post by: wolf wolfman on May 01, 2018, 03:56:45 AM
Saved 'Addition'
Title: Re: savingsCOOL malware I'm trying to remove
Post by: wolf wolfman on May 01, 2018, 03:59:26 AM
Malwarebytes expired
Is there anything else I can do?
Title: Re: savingsCOOL malware I'm trying to remove
Post by: Curson on May 02, 2018, 06:35:24 PM
Hi Wolf,

Download attached fixlist.txt file and save it to the Desktop.
NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system!

Run FRST and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please attach it to your reply.

How is your computer running now?

Regards.