Hi, I have not been able to scan my laptop in a very long time as I have been busy with work. Apparently it's very infected. Could someone kindly tell me which ones are legit? Thanks very much.
RogueKiller V12.9.5.0 (x64) [Jan 23 2017] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com
Operating System : Windows 10 (10.0.14393) 64 bits version
Started in : Normal mode
User : Lin Ruizi [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 04/20/2017 20:47:03 (Duration : 00:36:56)
¤¤¤ Processes : 2 ¤¤¤
[Proc.Svchost] svchost.exe(8452) --
[PUP.Ghokswa|VT.Adware.Elex] (SVC) FirefoxU -- "C:\Program Files (x86)\Firefox\bin\FirefoxUpdate.exe"[7] -> Found
¤¤¤ Registry : 21 ¤¤¤
[PUP.Gen1] (X64) HKEY_LOCAL_MACHINE\Software\ByteFence -> Found
[PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\ByteFence -> Found
[PUP.Ghokswa] (X86) HKEY_LOCAL_MACHINE\Software\Firefox -> Found
[PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-1039236554-2026590368-1264704972-1001\Software\ByteFence -> Found
[PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-1039236554-2026590368-1264704972-1001\Software\csastats -> Found
[PUP.Ghokswa] (X64) HKEY_USERS\S-1-5-21-1039236554-2026590368-1264704972-1001\Software\Firefox -> Found
[PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-1039236554-2026590368-1264704972-1001\Software\ProductSetup -> Found
[PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-1039236554-2026590368-1264704972-1001\Software\ByteFence -> Found
[PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-1039236554-2026590368-1264704972-1001\Software\csastats -> Found
[PUP.Ghokswa] (X86) HKEY_USERS\S-1-5-21-1039236554-2026590368-1264704972-1001\Software\Firefox -> Found
[PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-1039236554-2026590368-1264704972-1001\Software\ProductSetup -> Found
[PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\ByteFence -> Found
[PUP.Gen1] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ByteFenceService ("C:\Program Files\ByteFence\ByteFenceService.exe") -> Found
[PUP.Ghokswa|VT.Adware.Elex] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\FirefoxU ("C:\Program Files (x86)\Firefox\bin\FirefoxUpdate.exe") -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-1039236554-2026590368-1264704972-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://asus15.msn.com/?pc=ASTE -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-1039236554-2026590368-1264704972-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://asus15.msn.com/?pc=ASTE -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{a15ef035-b447-4258-8ef5-8f693f06c9e4} | DhcpNameServer : 192.15.128.24 ([United Arab Emirates]) -> Found
[PUP.Ghokswa|VT.Adware.Elex] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {31CF73E3-DB6F-4C4D-8F2F-5BC7F9260232} : v2.26|Action=Allow|Active=TRUE|Dir=In|App=C:\Program Files (x86)\Firefox\bin\FirefoxUpdate.exe|Name=Update service| [7] -> Found
[PUP.Ghokswa|VT.Riskware ( 0040eff71 )] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {3D8AC36A-4FE2-48AE-8BD3-1A5B6738FFEF} : v2.26|Action=Allow|Active=TRUE|Dir=In|App=C:\Program Files (x86)\Firefox\Firefox.exe|Name=Firefox browser| [7] -> Found
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Found
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Found
¤¤¤ Tasks : 0 ¤¤¤
¤¤¤ Files : 11 ¤¤¤
[PUP.Gen1][Folder] C:\ProgramData\ByteFence -> Found
[PUP.Ghokswa][File] C:\Users\Public\Desktop\Mozilla Firefox.lnk [LNK@] C:\PROGRA~2\Firefox\Firefox.exe -> Found
[PUP.Ghokswa][File] C:\Users\Lin Ruizi\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.lnk [LNK@] C:\PROGRA~2\Firefox\Firefox.exe -> Found
[PUP.Ghokswa][Folder] C:\Users\Lin Ruizi\AppData\Roaming\Firefox -> Found
[PUP.Ghokswa][Folder] C:\Users\Lin Ruizi\AppData\Local\Firefox -> Found
[PUP.Gen1][Folder] C:\ProgramData\ByteFence -> Found
[PUP.Gen1][Folder] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ByteFence Anti-Malware -> Found
[PUP.Ghokswa][File] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk [LNK@] C:\PROGRA~2\Firefox\Firefox.exe -> Found
[PUP.Gen1][Folder] C:\Program Files\ByteFence -> Found
[PUP.Ghokswa][Folder] C:\Program Files (x86)\Firefox -> Found
[PUP.Ghokswa][File] C:\Users\Public\Desktop\Mozilla Firefox.lnk [LNK@] C:\PROGRA~2\Firefox\Firefox.exe -> Found
¤¤¤ WMI : 0 ¤¤¤
¤¤¤ Hosts File : 0 ¤¤¤
¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
¤¤¤ Web browsers : 2 ¤¤¤
[PUM.SearchEngine][Firefox:Config] 9ihe183y.default : user_pref("browser.search.selectedEngine", "Yahoo! Powered Search"); -> Found
[PUM.SearchEngine][Firefox:Config] 9ihe183y.default : user_pref("browser.search.defaultenginename", "Yahoo! Powered Search"); -> Found
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: SanDisk SD8SNAT256G1002 +++++
--- User ---
[MBR] 76a3e864959330840f047da5e2ecbca0
[BSP] 82f7a7df82cffadfe275867bb4734edd : Empty|VT.Unknown MBR Code
Partition table:
0 - [MAN-MOUNT] EFI system partition | Offset (sectors): 2048 | Size: 260 MB
1 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 534528 | Size: 16 MB
2 - Basic data partition | Offset (sectors): 567296 | Size: 243422 MB
3 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 499095552 | Size: 499 MB
User = LL1 ... OK
User = LL2 ... OK