savingsCOOL malware I'm trying to remove

[wolf wolfman]

I have run Malwarebytes, RogueKiller, RKill, AdwCleaner, and HitmanPro

[Curson]

Hi Wolf,

Welcome to Adlice.com Forum.
Could you please attach RogueKiller full scan report with your next reply ?

Regards.

Note : This thread has been moved to the "Malware removal" section for clarity.

[wolf wolfman]

4/28/2018

Operating System : Windows 10 (10.0.16299) 64 bits version
Started in : Normal mode
User : [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
C

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 8 ¤¤¤
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-1193257731-625740395-4096007851-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://dell17win10.msn.com/?pc=DCTE  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-1193257731-625740395-4096007851-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://dell17win10.msn.com/?pc=DCTE  -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-1193257731-625740395-4096007851-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04282018021617954\Software\Microsoft\Internet Explorer\Main | Start Page : http://dell17win10.msn.com/?pc=DCTE  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-1193257731-625740395-4096007851-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04282018021617954\Software\Microsoft\Internet Explorer\Main | Start Page : http://dell17win10.msn.com/?pc=DCTE  -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-1193257731-625740395-4096007851-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://dell17win10.msn.com/?pc=DCTE  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-1193257731-625740395-4096007851-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://dell17win10.msn.com/?pc=DCTE  -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-1193257731-625740395-4096007851-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04282018021617954\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://dell17win10.msn.com/?pc=DCTE  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-1193257731-625740395-4096007851-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04282018021617954\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://dell17win10.msn.com/?pc=DCTE  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 1 ¤¤¤
[PUP.OnlineIO|PUP.Gen1][Folder] C:\Users\donwo\AppData\Roaming\AGData -> Found

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 2 ¤¤¤
[PUM.HomePage][Chrome:Config] Default [SecurePrefs] : homepage [http://asus.us.msn.com/?pc=ASU2&ocid=ASUDHP] -> Found
[PUM.HomePage][Chrome:Config] Default [SecurePrefs] : session.startup_urls [https://www.wqed.org/fm/player/main|https://us.search.yahoo.com/yhs/web?hspart=omr&hsimp=yhs-001&type=86311158&param1=y6bdVFVIsvuYsgEClQfz8HyFH9tZCHsOZFHNP%2BYwJC1jBiUaoTp2HzLezqyRGgV7ncwZITKKYfhFz7dO3LRCnrTnrNw5Fipj0LOXi1xhp8h3A4SGX6Ugrq6hhxrIimXxjEtndZB5%2FsqGdrXybIxMNeFeied0aPbjX6AJu44xGNc4FJ04kTX%2FJq56XZTIthbue3r05ITxDOFxuXguRKUyCOk8xwyM1L%2Fw%2BoP23YN9jEWMStIDAklxflBEhyVO452MVVEgUyINoRS3cfRvth%2Bn3MDpTbexqy8iXiaj74qBGBY%3D] -> Found

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST1000LM035-1RK172 +++++
--- User ---
[MBR] bbde588f1b2c289c40a8988c4c4d767c
[BSP] 24843b9c464bc54149989a47b2ab6162 : Empty|VT.Unknown MBR Code
Partition table:
0 - [MAN-MOUNT] EFI system partition | Offset (sectors): 2048 | Size: 500 MB
1 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 1026048 | Size: 128 MB
2 - Basic data partition | Offset (sectors): 1288192 | Size: 940675 MB
3 - [SYSTEM][MAN-MOUNT]  | Offset (sectors): 1927792640 | Size: 851 MB
4 - [SYSTEM][MAN-MOUNT]  | Offset (sectors): 1929535488 | Size: 11712 MB

[Curson]

Hi Wolf,

Please download Farbar Recovery Scan Tool (x64) and save it to your Desktop.

• Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  
• Press Scan button.
  
• It will produce a log called FRST.txt in the same directory the tool is run from.
  
• Please attach log back here.
• The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe). Please also attach that along with the FRST.txt into your reply.
  

Please attach Malwarebytes report as well.
Do not copy pas the report directy in your message, please use the "Attach" feature under "Attachments and other options".

Regards.

[wolf wolfman]

Saved FRST scan 

[wolf wolfman]

Saved 'Addition'

[wolf wolfman]

Malwarebytes expired
Is there anything else I can do?

[Curson]

Hi Wolf,

Download attached fixlist.txt file and save it to the Desktop.
NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system !

Run FRST and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please attach it to your reply.

How is your computer running now ?

Regards.