Author Topic: savingsCOOL malware I'm trying to remove  (Read 1071 times)

0 Members and 1 Guest are viewing this topic.

April 28, 2018, 08:49:06 am

wolf wolfman

  • Newbie

  • Offline
  • *

  • 5
  • Reputation:
    0
    • View Profile
savingsCOOL malware I'm trying to remove
« on: April 28, 2018, 08:49:06 am »
I have run Malwarebytes, RogueKiller, RKill, AdwCleaner, and HitmanPro

Reply #1April 28, 2018, 04:30:47 pm

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2127
  • Reputation:
    77
    • View Profile
Re: savingsCOOL malware I'm trying to remove
« Reply #1 on: April 28, 2018, 04:30:47 pm »
Hi Wolf,

Welcome to Adlice.com Forum.
Could you please attach RogueKiller full scan report with your next reply ?

Regards.

Note : This thread has been moved to the "Malware removal" section for clarity.

Reply #2April 29, 2018, 03:07:48 am

wolf wolfman

  • Newbie

  • Offline
  • *

  • 5
  • Reputation:
    0
    • View Profile
Re: savingsCOOL malware I'm trying to remove
« Reply #2 on: April 29, 2018, 03:07:48 am »
4/28/2018

Operating System : Windows 10 (10.0.16299) 64 bits version
Started in : Normal mode
User : [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
C

Processes : 0

Registry : 8
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-1193257731-625740395-4096007851-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://dell17win10.msn.com/?pc=DCTE  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-1193257731-625740395-4096007851-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://dell17win10.msn.com/?pc=DCTE  -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-1193257731-625740395-4096007851-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04282018021617954\Software\Microsoft\Internet Explorer\Main | Start Page : http://dell17win10.msn.com/?pc=DCTE  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-1193257731-625740395-4096007851-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04282018021617954\Software\Microsoft\Internet Explorer\Main | Start Page : http://dell17win10.msn.com/?pc=DCTE  -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-1193257731-625740395-4096007851-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://dell17win10.msn.com/?pc=DCTE  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-1193257731-625740395-4096007851-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://dell17win10.msn.com/?pc=DCTE  -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-1193257731-625740395-4096007851-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04282018021617954\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://dell17win10.msn.com/?pc=DCTE  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-1193257731-625740395-4096007851-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04282018021617954\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://dell17win10.msn.com/?pc=DCTE  -> Found

Tasks : 0

Files : 1
[PUP.OnlineIO|PUP.Gen1][Folder] C:\Users\donwo\AppData\Roaming\AGData -> Found

WMI : 0

Hosts File : 0

Antirootkit : 0 (Driver: Loaded)

Web browsers : 2
[PUM.HomePage][Chrome:Config] Default [SecurePrefs] : homepage [http://asus.us.msn.com/?pc=ASU2&ocid=ASUDHP] -> Found
[PUM.HomePage][Chrome:Config] Default [SecurePrefs] : session.startup_urls [https://www.wqed.org/fm/player/main|https://us.search.yahoo.com/yhs/web?hspart=omr&hsimp=yhs-001&type=86311158&param1=y6bdVFVIsvuYsgEClQfz8HyFH9tZCHsOZFHNP%2BYwJC1jBiUaoTp2HzLezqyRGgV7ncwZITKKYfhFz7dO3LRCnrTnrNw5Fipj0LOXi1xhp8h3A4SGX6Ugrq6hhxrIimXxjEtndZB5%2FsqGdrXybIxMNeFeied0aPbjX6AJu44xGNc4FJ04kTX%2FJq56XZTIthbue3r05ITxDOFxuXguRKUyCOk8xwyM1L%2Fw%2BoP23YN9jEWMStIDAklxflBEhyVO452MVVEgUyINoRS3cfRvth%2Bn3MDpTbexqy8iXiaj74qBGBY%3D] -> Found

MBR Check :
+++++ PhysicalDrive0: ST1000LM035-1RK172 +++++
--- User ---
[MBR] bbde588f1b2c289c40a8988c4c4d767c
[BSP] 24843b9c464bc54149989a47b2ab6162 : Empty|VT.Unknown MBR Code
Partition table:
0 - [MAN-MOUNT] EFI system partition | Offset (sectors): 2048 | Size: 500 MB
1 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 1026048 | Size: 128 MB
2 - Basic data partition | Offset (sectors): 1288192 | Size: 940675 MB
3 - [SYSTEM][MAN-MOUNT]  | Offset (sectors): 1927792640 | Size: 851 MB
4 - [SYSTEM][MAN-MOUNT]  | Offset (sectors): 1929535488 | Size: 11712 MB

Reply #3April 29, 2018, 09:03:34 pm

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2127
  • Reputation:
    77
    • View Profile
Re: savingsCOOL malware I'm trying to remove
« Reply #3 on: April 29, 2018, 09:03:34 pm »
Hi Wolf,

Please download Farbar Recovery Scan Tool (x64) and save it to your Desktop.
  • Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will produce a log called FRST.txt in the same directory the tool is run from.
  • Please attach log back here.
  • The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe). Please also attach that along with the FRST.txt into your reply.
Please attach Malwarebytes report as well.
Do not copy pas the report directy in your message, please use the "Attach" feature under "Attachments and other options".

Regards.

Reply #4May 01, 2018, 03:40:55 am

wolf wolfman

  • Newbie

  • Offline
  • *

  • 5
  • Reputation:
    0
    • View Profile
Re: savingsCOOL malware I'm trying to remove
« Reply #4 on: May 01, 2018, 03:40:55 am »
Saved FRST scan 

Reply #5May 01, 2018, 03:56:45 am

wolf wolfman

  • Newbie

  • Offline
  • *

  • 5
  • Reputation:
    0
    • View Profile
Re: savingsCOOL malware I'm trying to remove
« Reply #5 on: May 01, 2018, 03:56:45 am »
Saved 'Addition'

Reply #6May 01, 2018, 03:59:26 am

wolf wolfman

  • Newbie

  • Offline
  • *

  • 5
  • Reputation:
    0
    • View Profile
Re: savingsCOOL malware I'm trying to remove
« Reply #6 on: May 01, 2018, 03:59:26 am »
Malwarebytes expired
Is there anything else I can do?

Reply #7May 02, 2018, 06:35:24 pm

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2127
  • Reputation:
    77
    • View Profile
Re: savingsCOOL malware I'm trying to remove
« Reply #7 on: May 02, 2018, 06:35:24 pm »
Hi Wolf,

Download attached fixlist.txt file and save it to the Desktop.
NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system !

Run FRST and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please attach it to your reply.

How is your computer running now ?

Regards.