Solved Two Malware keep coming back

ronakb

Thread Starter
Joined
Jun 18, 2020
Messages
15
Fix result of Farbar Recovery Scan Tool (x64) Version: 23-06-2020
Ran by ronak (25-06-2020 16:33:14) Run:1
Running from C:\Users\ronak\OneDrive\Desktop
Loaded Profiles: ronak
Boot Mode: Normal
==============================================

fixlist content:
*****************
createrestorepoint:
closeprocesses:
AlternateDataStreams: C:\ProgramData:iSpring Solutions [128]
AlternateDataStreams: C:\Users\All Users:iSpring Solutions [128]
AlternateDataStreams: C:\ProgramData\Application Data:iSpring Solutions [128]
AlternateDataStreams: C:\Users\Public\AppData:CSM [468]
AlternateDataStreams: C:\Users\Public\Shared Files:VersionCache [482]
AlternateDataStreams: C:\Users\ronak\Application Data:fbd50e2f7662a5c33287ddc6e65ab5a1 [394]
AlternateDataStreams: C:\Users\ronak\Application Data:iSpring Solutions [128]
AlternateDataStreams: C:\Users\ronak\AppData\Roaming:fbd50e2f7662a5c33287ddc6e65ab5a1 [394]
AlternateDataStreams: C:\Users\ronak\AppData\Roaming:iSpring Solutions [128]
HKU\S-1-5-21-967612687-317417442-2657877818-1002\Software\Classes\.scr: EAGLESCR => <==== ATTENTION
FirewallRules: [UDP Query User{9A5EA710-BCD1-4085-9842-F8FD71ED88BD}C:\program files\v-rep3\v-rep_pro_edu\rcsserver.exe] => (Allow) C:\program files\v-rep3\v-rep_pro_edu\rcsserver.exe => No File
FirewallRules: [TCP Query User{61D1D00C-7B07-4EDD-9A89-B467E370D90F}C:\program files\v-rep3\v-rep_pro_edu\rcsserver.exe] => (Allow) C:\program files\v-rep3\v-rep_pro_edu\rcsserver.exe => No File
FirewallRules: [UDP Query User{D71FD7C5-F6ED-4563-BEDC-85510CB838CF}C:\program files\v-rep3\v-rep_pro_edu\vrep.exe] => (Allow) C:\program files\v-rep3\v-rep_pro_edu\vrep.exe => No File
FirewallRules: [TCP Query User{574DB7EE-0FC2-4347-AAB7-3C72AEB9BFE5}C:\program files\v-rep3\v-rep_pro_edu\vrep.exe] => (Allow) C:\program files\v-rep3\v-rep_pro_edu\vrep.exe => No File
FirewallRules: [{018A1ADC-00A0-4BF2-BCBB-6E6515E6750B}] => (Allow) G:\Grand Theft Auto V\GTA5.exe => No File
FirewallRules: [{4861E3F2-3875-451A-985A-4CB9C81CEC97}] => (Allow) G:\Grand Theft Auto V\GTA5.exe => No File
FirewallRules: [{0AA5F0D6-EDBC-47B6-9AAC-91A4E3356B88}] => (Allow) C:\Program Files (x86)\Common Files\Mcafee\MMSSHost\MMSSHost.exe => No File
FirewallRules: [{5F79000E-0C12-4592-869B-C80145592D5D}] => (Allow) C:\Program Files\Common Files\McAfee\MMSSHost\MMSSHost.exe => No File
FirewallRules: [{A959F09A-D03C-47D5-97C8-28018BB1243A}] => (Allow) F:\Grand Theft Auto V\GTA5.exe => No File
FirewallRules: [{922A251D-4AC0-4A44-9810-26B642C4DC85}] => (Allow) F:\Grand Theft Auto V\GTA5.exe => No File
FirewallRules: [{1D305C9D-B499-41ED-A95C-113C6D4127B9}] => (Allow) D:\Program Files\Nox\bin\Nox.exe => No File
FirewallRules: [{FD3DD8D1-F30C-44B9-869D-547BE02BF49A}] => (Allow) C:\Program Files (x86)\Bignox\BigNoxVM\RT\NoxVMHandle.exe => No File
HKU\S-1-5-21-967612687-317417442-2657877818-1002\...\Policies\Explorer: []
Task: {FEF3C79D-4AB6-46A2-AD7D-C9AA3B377C92} - System32\Tasks\App Explorer => C:\Users\ronak\AppData\Local\Host App Service\Engine\HostAppServiceUpdater.exe [7499944 2020-05-13] (SweetLabs Inc. -> SweetLabs, Inc) <==== ATTENTION
SearchScopes: HKU\S-1-5-21-967612687-317417442-2657877818-1002 -> DefaultScope {213A0E1F-19B8-4255-9C97-20F8695A8C2B} URL =
SearchScopes: HKU\S-1-5-21-967612687-317417442-2657877818-1002 -> {213A0E1F-19B8-4255-9C97-20F8695A8C2B} URL =
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll No File
R2 McAfee WebAdvisor; C:\Program Files\McAfee\WebAdvisor\ServiceHost.exe [905472 2019-08-23] (McAfee, LLC -> McAfee, Inc.)
S3 McSecDashboardService; C:\Program Files\McAfeeDashboard\McSecDashboardService.exe [1270536 2019-02-26] (McAfee, Inc. -> McAfee, Inc.)
S3 EasyAntiCheat; C:\Program Files (x86)\EasyAntiCheat\EasyAntiCheat.exe [X]
C:\ProgramData\McAfee
C:\program files\v-rep3
C:\Program Files (x86)\Common Files\Mcafee
C:\Program Files (x86)\Bignox
C:\Users\ronak\AppData\Local\Host App Service
c:\PROGRA~2\mcafee
C:\Program Files\McAfee
C:\Program Files\McAfeeDashboard
C:\Program Files (x86)\EasyAntiCheat
hosts:
emptytemp:

*****************

Restore point was successfully created.
Processes closed successfully.
C:\ProgramData => ":iSpring Solutions" ADS removed successfully
"C:\Users\All Users" => ":iSpring Solutions" ADS not found.
"C:\ProgramData\Application Data" => ":iSpring Solutions" ADS not found.
C:\Users\Public\AppData => ":CSM" ADS removed successfully
C:\Users\Public\Shared Files => ":VersionCache" ADS removed successfully
C:\Users\ronak\Application Data => ":fbd50e2f7662a5c33287ddc6e65ab5a1" ADS removed successfully
C:\Users\ronak\Application Data => ":iSpring Solutions" ADS removed successfully
"C:\Users\ronak\AppData\Roaming" => ":fbd50e2f7662a5c33287ddc6e65ab5a1" ADS not found.
"C:\Users\ronak\AppData\Roaming" => ":iSpring Solutions" ADS not found.
HKU\S-1-5-21-967612687-317417442-2657877818-1002\Software\Classes\.scr => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{9A5EA710-BCD1-4085-9842-F8FD71ED88BD}C:\program files\v-rep3\v-rep_pro_edu\rcsserver.exe" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{61D1D00C-7B07-4EDD-9A89-B467E370D90F}C:\program files\v-rep3\v-rep_pro_edu\rcsserver.exe" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{D71FD7C5-F6ED-4563-BEDC-85510CB838CF}C:\program files\v-rep3\v-rep_pro_edu\vrep.exe" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{574DB7EE-0FC2-4347-AAB7-3C72AEB9BFE5}C:\program files\v-rep3\v-rep_pro_edu\vrep.exe" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{018A1ADC-00A0-4BF2-BCBB-6E6515E6750B}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{4861E3F2-3875-451A-985A-4CB9C81CEC97}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{0AA5F0D6-EDBC-47B6-9AAC-91A4E3356B88}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{5F79000E-0C12-4592-869B-C80145592D5D}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{A959F09A-D03C-47D5-97C8-28018BB1243A}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{922A251D-4AC0-4A44-9810-26B642C4DC85}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{1D305C9D-B499-41ED-A95C-113C6D4127B9}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{FD3DD8D1-F30C-44B9-869D-547BE02BF49A}" => removed successfully
"HKU\S-1-5-21-967612687-317417442-2657877818-1002\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{FEF3C79D-4AB6-46A2-AD7D-C9AA3B377C92}" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{FEF3C79D-4AB6-46A2-AD7D-C9AA3B377C92}" => removed successfully
C:\WINDOWS\System32\Tasks\App Explorer => moved successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\App Explorer" => removed successfully
"HKU\S-1-5-21-967612687-317417442-2657877818-1002\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope" => removed successfully
HKU\S-1-5-21-967612687-317417442-2657877818-1002\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{213A0E1F-19B8-4255-9C97-20F8695A8C2B} => removed successfully
HKLM\Software\Classes\PROTOCOLS\Handler\sacore => removed successfully
HKLM\Software\Classes\CLSID\{5513F07E-936B-4E52-9B00-067394E91CC5} => removed successfully
HKLM\System\CurrentControlSet\Services\McAfee WebAdvisor => removed successfully
McAfee WebAdvisor => service removed successfully
HKLM\System\CurrentControlSet\Services\McSecDashboardService => removed successfully
McSecDashboardService => service removed successfully
HKLM\System\CurrentControlSet\Services\EasyAntiCheat => removed successfully
EasyAntiCheat => service removed successfully
C:\ProgramData\McAfee => moved successfully
C:\program files\v-rep3 => moved successfully
C:\Program Files (x86)\Common Files\Mcafee => moved successfully
"C:\Program Files (x86)\Bignox" => not found
C:\Users\ronak\AppData\Local\Host App Service => moved successfully
c:\PROGRA~2\mcafee => moved successfully
C:\Program Files\McAfee => moved successfully
C:\Program Files\McAfeeDashboard => moved successfully
"C:\Program Files (x86)\EasyAntiCheat" => not found
C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.

=========== EmptyTemp: ==========

BITS transfer queue => 11034624 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 1119505395 B
Java, Flash, Steam htmlcache => 238788687 B
Windows/system/drivers => 15144788 B
Edge => 3242555 B
Chrome => 1187135020 B
Firefox => 0 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 0 B
LocalService => 50250 B
NetworkService => 6718550 B
ronak => 3635426060 B
orchi => 3707769875 B

RecycleBin => 551478089 B
EmptyTemp: => 9.8 GB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 16:59:12 ====
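An added post-fix check, written for this thread and not code from FRST, its author or either participant: it re-inspects the four kinds of persistence the fixlog above removed (directory alternate data streams, a scheduled task running from AppData, the per-user .scr class override and firewall allow rules for programs that no longer exist), so a returning item shows up without another full FRST run. It assumes PowerShell 7 run as Administrator on the cleaned machine while logged in as the cleaned user; the directory list is taken from the fixlog.

```powershell
# Added example for this thread (not code from FRST or the thread's posters).
# Assumptions: PowerShell 7 (Get-Item -Stream on a directory needs it; Windows
# PowerShell 5.1 only enumerates streams of files), elevated, run as the user
# whose hive the fix cleaned.

$ErrorActionPreference = 'SilentlyContinue'

# 1. Alternate Data Streams on the directories the fix cleaned. A directory has
#    no default data stream, so anything listed is a named ADS such as the
#    ':iSpring Solutions', ':CSM' or ':VersionCache' streams in the fixlog.
function Get-DirectoryAds {
    param([string[]] $Directory)
    foreach ($dir in $Directory) {
        Get-Item -LiteralPath $dir -Stream * |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                [pscustomobject]@{ Check = 'ADS'; Location = $dir
                                   Detail = "$($_.Stream) [$($_.Length) B]" }
            }
    }
}

# 2. Scheduled tasks whose action runs from a user profile's AppData folder, as
#    the removed "App Explorer" task did (HostAppServiceUpdater.exe under
#    AppData\Local). Some legitimate per-user software (OneDrive, Teams) does the
#    same, so check the publisher and signature of each hit rather than deleting.
function Get-AppDataScheduledTask {
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            $exe = $action.Execute
            if ($exe -and $exe -match '(?i)\\AppData\\|%(LOCAL)?APPDATA%') {
                [pscustomobject]@{ Check = 'Task'
                                   Location = "$($task.TaskPath)$($task.TaskName)"
                                   Detail = "$exe $($action.Arguments)".Trim() }
            }
        }
    }
}

# 3. Per-user override of the .scr file class (the fixlog removed
#    HKU\<SID>\Software\Classes\.scr => EAGLESCR). HKCU\Software\Classes is
#    merged over HKLM\Software\Classes, so a ProgID here changes how screensaver
#    files are handled for this account only and is easy to miss in HKLM checks.
function Get-UserScrClassOverride {
    $key = 'HKCU:\Software\Classes\.scr'
    if (Test-Path -LiteralPath $key) {
        $progId = (Get-ItemProperty -LiteralPath $key).'(default)'
        [pscustomobject]@{ Check = 'Registry'; Location = $key; Detail = "ProgID = $progId" }
    }
}

# 4. Enabled firewall allow rules whose program is gone (the fixlog removed a
#    dozen, shown as "=> No File"). Harmless while the file is absent, but they
#    silently re-open the path if a file with that name reappears.
function Get-StaleFirewallAllowRule {
    foreach ($rule in Get-NetFirewallRule -Action Allow -Enabled True) {
        $program = ($rule | Get-NetFirewallApplicationFilter).Program
        if ($program -and $program -ne 'Any') {
            $path = [Environment]::ExpandEnvironmentVariables($program)
            if (-not (Test-Path -LiteralPath $path)) {
                [pscustomobject]@{ Check = 'Firewall'; Location = $rule.DisplayName
                                   Detail = "$path (missing)" }
            }
        }
    }
}

# Directories named in the fixlog; $env:APPDATA is the current user's Roaming folder.
$adsDirs = 'C:\ProgramData', 'C:\Users\Public\AppData', 'C:\Users\Public\Shared Files', $env:APPDATA

$findings = @(
    Get-DirectoryAds -Directory $adsDirs
    Get-AppDataScheduledTask
    Get-UserScrClassOverride
    Get-StaleFirewallAllowRule
)

if ($findings.Count -eq 0) {
    'No directory ADS, AppData scheduled task, .scr override or stale firewall allow rule found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Any row in the table is a candidate to compare against the fixlog, not proof of reinfection; the task and firewall checks in particular will also list legitimate per-user software and uninstalled programs.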
 

DR.M

Malware Trainee
Joined
Sep 4, 2019
Messages
383
Hi, ronakb.

1. Malwarebytes scan (Scan mode)
  • Open Malwarebytes you already have installed in your computer.
  • Click the little gear on the top right (Settings) and when it opens, click the Security tab and make sure about the following:
Code:
Under the title Scan Options, all the options are checked.
Under the title Windows Security Center (Premium only) is unchecked.
Under the title Potentially unwanted items are set to Always.
  • Click on the little gear to return to the main menu and select Scan. The program will start scanning your computer. This may take about 10 minutes, but in some cases it may take longer.
  • When finished, you will see the Threat Scan Summary window open.
  • If threats are not found, click View Report and proceed to the two last steps below.
  • If threats are found, make sure that all threats are not selected, close the program and proceed to the next steps below.
  • Open Malwarebytes again, click on the Scanner, and then on the Reports tab.
  • Find the report with the most recent date and double click on it.
  • Click on Export and then Copy to Clipboard.
  • Paste its content here, in your next reply.
2. AdwCleaner scan (Scan mode)

Download AdwCleaner and save it to your desktop.
  • Double click AdwCleaner.exe to run it.
  • Click Scan Now.
    • When the scan has finished, a Scan Results window will open.
    • Click Cancel (at this point do not attempt to Quarantine anything that is found).
  • Now click the Log Files tab.
    • Double click on the latest scan log (Scan logs have a [S0*] suffix, where * is replaced by a number. The latest scan will have the largest number).
    • A Notepad file will open containing the results of the scan.
    • Please post the contents of the file in your next reply.

In your next reply, please make sure to post:
  1. The MBAM report
  2. AdwCleaner[S0*].txt
 

ronakb

Thread Starter
Joined
Jun 18, 2020
Messages
15
Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 6/25/20
Scan Time: 7:36 PM
Log File: 02743dfc-b6ed-11ea-b0b7-54e1ad50a114.json

-Software Information-
Version: 4.1.0.56
Components Version: 1.0.955
Update Package Version: 1.0.26007
License: Free

-System Information-
OS: Windows 10 (Build 18362.900)
CPU: x64
File System: NTFS
User: NIGHTFURY\ronak

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 458678
Threats Detected: 0
Threats Quarantined: 0
Time Elapsed: 19 min, 33 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)



-----------------------------------------------------------------------------------------------------------------------

# -------------------------------
# Malwarebytes AdwCleaner 8.0.5.0
# -------------------------------
# Build: 05-25-2020
# Database: 2020-06-15.1 (Cloud)
# Support: https://www.malwarebytes.com/support
#
# -------------------------------
# Mode: Scan
# -------------------------------
# Start: 06-25-2020
# Duration: 00:01:32
# OS: Windows 10 Home Single Language
# Scanned: 31836
# Detected: 39


***** [ Services ] *****

No malicious services found.

***** [ Folders ] *****

Adware.pokki C:\ProgramData\Host App Service
Adware.pokki C:\Users\Default\AppData\Local\Host App Service
Adware.pokki C:\Users\orchi\AppData\Local\Host App Service
Adware.pokki C:\Windows\ServiceProfiles\LocalService\AppData\Local\Host App Service
Adware.pokki C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Host App Service

***** [ Files ] *****

Adware.pokki C:\Windows\System32\Tasks_Migrated\App Explorer

***** [ DLL ] *****

No malicious DLLs found.

***** [ WMI ] *****

No malicious WMI found.

***** [ Shortcuts ] *****

No malicious shortcuts found.

***** [ Tasks ] *****

No malicious tasks found.

***** [ Registry ] *****

Adware.pokki HKCU\Software\App Host Service
Adware.pokki HKCU\Software\Host App Service
Adware.pokki HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Host App Service
PUP.Optional.Banggood HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\banggood.com
PUP.Optional.Banggood HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\banggood.in
PUP.Optional.Banggood HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.banggood.com
PUP.Optional.Banggood HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.banggood.in
PUP.Optional.Banggood HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\banggood.com
PUP.Optional.Banggood HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\banggood.in
PUP.Optional.Banggood HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\www.banggood.com
PUP.Optional.Banggood HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\www.banggood.in

***** [ Chromium (and derivatives) ] *****

PUP.Optional.Legacy ccjleegmemocfpghkhpjmiccjcacackp
PUP.Optional.Legacy icphmmimmfdlgaaglejeokffekamhplg
PUP.Optional.PCProtect hljlcojjbmffoecdmhomhgfjhkllhknp

***** [ Chromium URLs ] *****

No malicious Chromium URLs found.

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries found.

***** [ Firefox URLs ] *****

No malicious Firefox URLs found.

***** [ Hosts File Entries ] *****

No malicious hosts file entries found.

***** [ Preinstalled Software ] *****

Preinstalled.CyberLinkShellExtension Registry HKLM\Software\Classes\CLSID\{3E2A0A32-6E14-4BAD-AA87-BBB6A75EBFF2}
Preinstalled.LenovoIMController Folder C:\ProgramData\LENOVO\IMCONTROLLER
Preinstalled.LenovoIMController Folder C:\Users\orchi\AppData\Local\LENOVO\IMCONTROLLER
Preinstalled.LenovoIMController Folder C:\Users\ronak\AppData\Local\LENOVO\IMCONTROLLER
Preinstalled.LenovoIMController Folder C:\Windows\LENOVO\IMCONTROLLER
Preinstalled.LenovoIMController Folder C:\Windows\System32\Tasks\LENOVO\IMCONTROLLER
Preinstalled.LenovoIMController Registry HKLM\Software\Wow6432Node\\Microsoft\Windows\CurrentVersion\Uninstall\Lenovo Dependency Package_is1
Preinstalled.LenovoPower2Go Folder C:\Program Files (x86)\LENOVO\POWER2GO
Preinstalled.LenovoPower2Go Registry HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7B8BA228-9D04-47A6-8EA6-32CFC794B671}
Preinstalled.LenovoPower2Go Registry HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\CLVDLauncher
Preinstalled.LenovoPower2Go Registry HKLM\Software\Wow6432Node\\Microsoft\Windows\CurrentVersion\Uninstall\InstallShield_{2A87D48D-3FDF-41fd-97CD-A1E370EFFFE2}
Preinstalled.LenovoPower2Go Registry HKLM\Software\Wow6432Node\\Microsoft\Windows\CurrentVersion\Uninstall\{2A87D48D-3FDF-41fd-97CD-A1E370EFFFE2}
Preinstalled.LenovoPower2Go Task C:\Windows\System32\Tasks\CLVDLAUNCHER
Preinstalled.LenovoServiceBridge Folder C:\Users\ronak\AppData\Local\PROGRAMS\LENOVO\LENOVO SERVICE BRIDGE
Preinstalled.LenovoServiceBridge Registry HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{2C74547D-EF88-47F4-85F5-BE46A31E26B7}_is1
Preinstalled.LenovoUtility Folder C:\Program Files\LENOVO\LENOVOUTILITY
Preinstalled.LenovoUtility Registry HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run|LenovoUtility
Preinstalled.LenovoUtility Registry HKLM\Software\Microsoft\Windows\CurrentVersion\Run|LenovoUtility
Preinstalled.LenovoUtility Registry HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{12ABAC82-7D83-4CB8-9DD2-434DC9AF2942}_is1



########## EOF - C:\AdwCleaner\Logs\AdwCleaner[S00].txt ##########
 

DR.M

Malware Trainee
Joined
Sep 4, 2019
Messages
383
Hi, ronakb.

Many apologies for this delay.

The fixlog went well. Although Malwarebytes found nothing, AdwCleaner detected many potentially unwanted programs (PUPs) and adware. Let's clean.

1. AdwCleaner (Clean mode)

Let me explain to you the log created by AdwCleaner:

The findings in the Registry and in the Files and Folders sections are either adware or PUPs, which stands for Potentially Unwanted Programs. In the instructions below, I will list them all to be removed.

The section at the bottom under "Preinstalled Software" is software that was apparently installed when the device was new, which you may or may not use. Examples of these programs: POWER2GO, IMCONTROLLER, LENOVOUTILITY and others. Feel free to keep or remove them.

To proceed, please do the following:
  • Double click AdwCleaner.exe on your Desktop, to run it as you did before.
  • Click Scan Now.
  • When the scan has finished, a Scan Results window will open.
  • Please select all the items found and then click Quarantine.
  • Click Next.
    • If any pre-installed software was found on your machine, a prompt window will open. Click OK to close it.
    • Check any pre-installed software items you want to remove.
    • Click Quarantine.
  • A prompt to save your work will appear.
    • Click Continue when you're ready to proceed.
  • A prompt to restart your computer will appear.
    • Click Restart Now.
  • Once your computer has restarted:
    • If it doesn't open automatically, please start AdwCleaner.
    • Click the Log Files tab.
    • Double click on the latest Clean log (Clean logs have a [C0*] suffix, where * is replaced by a number; the latest scan will have the largest number).
    • A Notepad file will open containing the results of the removal.
    • Please post the contents of the file in your next reply.

2. Eset online scan

Download ESET Online Scanner and save it to your desktop.
  • Right-click on esetonlinescanner_enu.exe and select Run as Administrator.
  • When the tool opens, click Get Started.
  • Read and accept the license agreement.
  • At the Welcome to ESET Online Scanner window, click Get Started.
  • Select whether you would like to send anonymous data to ESET.
  • Note: if you see the "Welcome Back to ESET Online Scanner" screen, click Computer Scan > Full Scan.
  • Click on the Full Scan option.
  • Select Enable ESET to detect and remove potentially unwanted applications, then click Start scan.
  • ESET will now begin scanning your computer. This may take some time.
  • When the scan is finished and if threats have been detected, select Save scan log. Save it to your desktop as eset.txt. Click on Continue.
  • ESET Online Scanner may ask if you'd like to turn on the Periodic Scan feature. Click on Continue.
  • On the next screen, you can leave feedback about the program if you wish. Check the box for Delete application data on closing. If you left feedback, click Submit and continue. If not, Close without feedback.
  • Open the scan log on your desktop (eset.txt) and copy and paste its contents into your next reply.

3. Fresh FRST logs
  • Double-click on the FRST icon to run it, as you did before. When the tool opens click Yes to disclaimer.
  • Press the Scan button and wait for a while.
  • The scanner will produce two logs on your Desktop: FRST.txt and Addition.txt.
  • Please copy and paste the content of these two logs in your next reply.

In your next reply, please post:
  1. AdwCleaner[C0*].txt
  2. ESET report
  3. FRST and Addition logs

How is the computer now?
 

ronakb

Thread Starter
Joined
Jun 18, 2020
Messages
15
# -------------------------------
# Malwarebytes AdwCleaner 8.0.5.0
# -------------------------------
# Build: 05-25-2020
# Database: 2020-06-15.1 (Cloud)
# Support: https://www.malwarebytes.com/support
#
# -------------------------------
# Mode: Clean
# -------------------------------
# Start: 06-28-2020
# Duration: 00:00:15
# OS: Windows 10 Home Single Language
# Cleaned: 20
# Failed: 0


***** [ Services ] *****

No malicious services cleaned.

***** [ Folders ] *****

Deleted C:\ProgramData\Host App Service
Deleted C:\Users\Default\AppData\Local\Host App Service
Deleted C:\Users\orchi\AppData\Local\Host App Service
Deleted C:\Windows\ServiceProfiles\LocalService\AppData\Local\Host App Service
Deleted C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Host App Service

***** [ Files ] *****

Deleted C:\Windows\System32\Tasks_Migrated\App Explorer

***** [ DLL ] *****

No malicious DLLs cleaned.

***** [ WMI ] *****

No malicious WMI cleaned.

***** [ Shortcuts ] *****

No malicious shortcuts cleaned.

***** [ Tasks ] *****

No malicious tasks cleaned.

***** [ Registry ] *****

Deleted HKCU\Software\App Host Service
Deleted HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\banggood.com
Deleted HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\banggood.in
Deleted HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.banggood.com
Deleted HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.banggood.in
Deleted HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\banggood.com
Deleted HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\banggood.in
Deleted HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\www.banggood.com
Deleted HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\www.banggood.in
Deleted HKCU\Software\Host App Service
Deleted HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Host App Service

***** [ Chromium (and derivatives) ] *****

Deleted ccjleegmemocfpghkhpjmiccjcacackp
Deleted hljlcojjbmffoecdmhomhgfjhkllhknp
Deleted icphmmimmfdlgaaglejeokffekamhplg

***** [ Chromium URLs ] *****

No malicious Chromium URLs cleaned.

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries cleaned.

***** [ Firefox URLs ] *****

No malicious Firefox URLs cleaned.

***** [ Hosts File Entries ] *****

No malicious hosts file entries cleaned.

***** [ Preinstalled Software ] *****

No Preinstalled Software cleaned.


*************************

[+] Delete Tracing Keys
[+] Reset Winsock

*************************

AdwCleaner[S00].txt - [6224 octets] - [25/06/2020 20:07:07]
AdwCleaner[S01].txt - [6285 octets] - [28/06/2020 10:24:50]

########## EOF - C:\AdwCleaner\Logs\AdwCleaner[C01].txt ##########


P.S. I deleted the quarantined files after restart
-----------------------------------------------------------------------------------------------------------------------
 

DR.M

Malware Trainee
Joined
Sep 4, 2019
Messages
383
Hi, ronakb.

The log seems fine, since the detected items are deleted.

We are waiting for the ESET scan to finish now. It can take some hours, depending on the files in the computer, so ... patience. :)

How is the computer doing now?
 

ronakb

Thread Starter
Joined
Jun 18, 2020
Messages
15
The ESET scan is taking a long time and would mostly take the whole day, so I will post those tomorrow. The computer seems to be running just fine. I have not been having any speed issues nor have I been facing any redirects on the browser. Also, thanks to you, I got rid of 9.8GB worth of temp files I never knew existed.
 

ronakb

Thread Starter
Joined
Jun 18, 2020
Messages
15
ESET Scan result

29-06-2020 06:01:39
Files scanned: 1842949
Detected files: 1
Cleaned files: 1
Total scan time 13:17:12
Scan status: Finished


C:\FRST\Quarantine\C\Users\ronak\AppData\Local\Host App Service\Uninstall (1).exe a variant of Win32/Pokki.A potentially unwanted application cleaned by deleting

13 hours for 1 result

--------------------------------------------------------------------------------------------------------------------------

FRST logs are too long for the thread, so they are attached.
 


DR.M

Malware Trainee
Joined
Sep 4, 2019
Messages
383
Thanks, ronakb.

You have so many programs installed in your computer, so I'm not surprised ESET took so long to finish. :)

Currently reviewing your new logs.
 

DR.M

Malware Trainee
Joined
Sep 4, 2019
Messages
383
Hi, ronakb.
The results are good. Some tidiness here, before we finish.

1. Java update

You have an outdated Java, and this is a risk for your computer's safety. I would keep Java 8 update 251 (latest version) and remove the rest.
  • Press the Windows Key + R.
  • Type appwiz.cpl in the Run box and click OK.
  • The Add/Remove Programs list will open. Locate the following program in the list:
Code:
Java 8 Update 161 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F32180251F0}) (Version: 8.0.2510.8 - Oracle Corporation)
  • Select the above program and click Uninstall.
  • Restart the computer.

2. Please do the following to run a FRST fix.

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system.
  • Please select the entire contents of the code box below, from the "Start::" line to "End::", including both lines. Right-click and select "Copy". No need to paste anything anywhere.
Code:
Start::
CreateRestorePoint:
CloseProcesses:
ContextMenuHandlers1: [ FileSyncEx] -> {CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} =>  -> No File
ContextMenuHandlers3: [{4A7C4306-57E0-4C0C-83A9-78C1528F618C}] -> {4A7C4306-57E0-4C0C-83A9-78C1528F618C} =>  -> No File
ContextMenuHandlers4: [ FileSyncEx] -> {CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} =>  -> No File
EmptyTemp:
End::
  • Please right-click on FRST64 on your Desktop, to run it as administrator. When the tool opens, click "yes" to the disclaimer.
  • Press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt on your Desktop.
  • Please post the log in your next reply.
 

ronakb

Thread Starter
Joined
Jun 18, 2020
Messages
15
Fix result of Farbar Recovery Scan Tool (x64) Version: 28-06-2020
Ran by ronak (30-06-2020 10:54:18) Run:2
Running from C:\Users\ronak\OneDrive\Desktop
Loaded Profiles: ronak
Boot Mode: Normal
==============================================

fixlist content:
*****************
CreateRestorePoint:
CloseProcesses:
ContextMenuHandlers1: [ FileSyncEx] -> {CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} => -> No File
ContextMenuHandlers3: [{4A7C4306-57E0-4C0C-83A9-78C1528F618C}] -> {4A7C4306-57E0-4C0C-83A9-78C1528F618C} => -> No File
ContextMenuHandlers4: [ FileSyncEx] -> {CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} => -> No File
EmptyTemp:

*****************

Restore point was successfully created.
Processes closed successfully.
HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers\ FileSyncEx => removed successfully
HKLM\Software\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers\{4A7C4306-57E0-4C0C-83A9-78C1528F618C} => removed successfully
HKLM\Software\Classes\Directory\ShellEx\ContextMenuHandlers\ FileSyncEx => removed successfully

=========== EmptyTemp: ==========

BITS transfer queue => 11034624 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 51837062 B
Java, Flash, Steam htmlcache => 0 B
Windows/system/drivers => 9127958 B
Edge => 13824 B
Chrome => 800614933 B
Firefox => 0 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 0 B
LocalService => 0 B
NetworkService => 55942 B
ronak => 3569064657 B
orchi => 3569064657 B

RecycleBin => 256468979 B
EmptyTemp: => 7.7 GB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 11:02:41 ====
 

DR.M

Malware Trainee
Joined
Sep 4, 2019
Messages
383
Hi, ronakb.

Congratulations! Your computer is clean now and you are ready to go. :)

The following tool will remove the tools we used as well as reset system restore points:

Download KpRm by kernel-panik and save it to your desktop.
  • Right-click kprm_(version).exe and select Run as Administrator.
  • Read and accept the disclaimer.
  • When the tool opens, ensure all boxes under Actions are checked.
  • Under Delete Quarantines select Delete Now, then click Run.
  • Once complete, click OK.
  • A log will open in Notepad titled kprm-(date).txt.
  • Please copy and paste its contents in your next reply.

Now that your computer is clean, here are some final tips about your computer's security from now on:

Some of the following are from Klein's (2005) article, "So how did I get infected in the first place?". Since then, the article has been reproduced or linked to in dozens of locations. As a result, many malware experts have continued updating it to include current operating systems and software program information. My source is Security Garden, and I marked for you the following:

1. Keep your Windows updated!
It is important always to keep current with the latest security fixes from Microsoft. This can patch many of the security holes through which attackers can infect your computer.

2. Update 3rd Party Software Programs
Third-party software programs have long been targets for malware creators. It has been stated that "Adobe's Reader and Flash and all versions of Java are together responsible for a total of 66 percent of the vulnerabilities in Windows systems exploited by malware." It's important to keep everything updated.

3. Update the browsers you use
Many malware infections install themselves by exploiting security holes in the Internet browser that you use. So... Keep them updated.

4. Be careful about what you download and what you open!
  • Many "freeware" programs come with an enormous amount of bundled spyware that will slow down your system, spawn pop-up advertisements, or just plain crash your browser or even Windows itself. Watch for pre-checked options such as toolbars that are not essential to the operation of the installed software.
  • Peer-to-peer (P2P) programs like Kazaa, BearShare, Imesh, Warez P2P, and others allow the creation of a network enabling people to connect with other users and upload or download material in a fast, efficient manner. BUT even if the P2P software you are using is "clean", a large percentage of the files served on the P2P network are likely to be infected.
  • Cracked or pirated programs are not only illegal, but also can make your computer a malware target. Keep this in mind.
  • Do not open any files without being certain of what they are!

5. Avoid questionable web sites!
Visit web sites that are trustworthy and reputable. Many disreputable sites will attempt to install malware on your system through "drive-by" exploits just by visiting the site in your browser. Lyrics sites, free software sites (especially ones that target young children), cracked software sites, and pornography sites are some of the worst offenders. Also, never give out personal information of any sort online or click "OK" to a pop-up unless it is signed by a reputable company and you know what it is.

6. PC means personal computer!
Don't give access to your computer to friends or family who appear to be clueless about what they are doing.

7. Back-up your work!
Make back-ups of your personal files frequently. You never know when you'll have to reformat and start from scratch. You can always reformat and reinstall programs, but you cannot replace your data if you haven't made backups.

8. Must-Have Software
An anti-virus and an anti-spyware program are a necessity for the security of your computer. Be sure that you keep them updated, and that real-time protection is enabled.


If you have any questions or concerns please don't hesitate to ask.

I'm glad I was able to help you.
:)

ronakb

Thread Starter
Joined
Jun 18, 2020
Messages
15
# Run at 01-07-2020 08:51:50
# KpRm (Kernel-panik) version 2.8
# Website https://kernel-panik.me/tool/kprm/
# Run by ronak from C:\Users\ronak\OneDrive\Desktop
# Computer Name: NIGHTFURY
# OS: Windows 10 X64 (18363)
# Number of passes: 1

- Checked options -

~ Registry Backup
~ Delete Tools
~ Restore System Settings
~ UAC Restore
~ Delete Restore Points
~ Create Restore Point
~ Delete Quarantines

- Create Registry Backup -

~ [OK] Hive C:\WINDOWS\System32\config\SOFTWARE backed up
~ [OK] Hive C:\Users\ronak\NTUSER.dat backed up

[OK] Registry Backup: C:\KPRM\backup\2020-07-01-08-51-50

- Delete Tools -


## AdwCleaner
[OK] C:\Users\ronak\OneDrive\Desktop\AdwCleaner.exe deleted
[OK] C:\AdwCleaner deleted

## ESET Online Scanner
[OK] C:\Users\ronak\OneDrive\Desktop\ESET Online Scanner.lnk deleted
[OK] C:\Users\ronak\OneDrive\Desktop\esetonlinescanner.exe deleted
[OK] C:\Users\ronak\AppData\Local\ESET\ESETOnlineScanner deleted

## FRST
[OK] C:\Users\ronak\OneDrive\Desktop\Addition.txt deleted
[OK] C:\Users\ronak\OneDrive\Desktop\Fixlog.txt deleted
[OK] C:\Users\ronak\OneDrive\Desktop\FRST-OlderVersion deleted
[OK] C:\Users\ronak\OneDrive\Desktop\FRST.txt deleted
[OK] C:\Users\ronak\OneDrive\Desktop\FRST64.exe deleted
[OK] C:\Users\ronak\OneDrive\Desktop\Quarantine\Addition.txt deleted
[OK] C:\Users\ronak\OneDrive\Desktop\Quarantine\Fixlog.txt deleted
[OK] C:\Users\ronak\OneDrive\Desktop\Quarantine\FRST.txt deleted
[OK] C:\FRST deleted

## Malwarebytes (log)
[OK] C:\Users\ronak\OneDrive\Desktop\Quarantine\malwarebyte0.txt deleted
[OK] C:\Users\ronak\OneDrive\Desktop\Quarantine\malwarebyte1.txt deleted

- Restore System Settings -

[OK] Reset WinSock
[OK] FLUSHDNS
[OK] Hide Hidden file.
[OK] Show Extensions for known file types
[OK] Hide protected operating system files

- Restore UAC -

[OK] Set EnableLUA with default (1) value
[OK] Set ConsentPromptBehaviorAdmin with default (5) value
[OK] Set ConsentPromptBehaviorUser with default (3) value
[OK] Set EnableInstallerDetection with default (0) value
[OK] Set EnableSecureUIAPaths with default (1) value
[OK] Set EnableUIADesktopToggle with default (0) value
[OK] Set EnableVirtualization with default (1) value
[OK] Set FilterAdministratorToken with default (0) value
[OK] Set PromptOnSecureDesktop with default (1) value
[OK] Set ValidateAdminCodeSignatures with default (0) value

- Clear Restore Points -

~ [OK] RP named Installed Oracle VM VirtualBox 6.1.8 created at 06/20/2020 14:27:07 deleted
~ [OK] RP named Installed Oracle VM VirtualBox 6.1.8 created at 06/22/2020 06:39:36 deleted
~ [OK] RP named Windows Update created at 06/24/2020 05:24:38 deleted
~ [OK] RP named Installed 11IMFSGRESetup created at 06/27/2020 04:55:17 deleted
~ [OK] RP named AdwCleaner_BeforeCleaning_28/06/2020_11:19:15 created at 06/28/2020 05:49:21 deleted
~ [OK] RP named Installed Universal Adb Driver created at 06/29/2020 02:29:10 deleted
~ [OK] RP named Removed Universal Adb Driver created at 06/29/2020 02:38:13 deleted
~ [OK] RP named Installed Universal Adb Driver created at 06/29/2020 05:13:01 deleted
~ [OK] RP named Installed spacedesk Windows DRIVER created at 06/29/2020 06:34:08 deleted
~ [OK] RP named Removed Universal Adb Driver created at 06/29/2020 12:08:03 deleted
~ [OK] RP named Removed Java 8 Update 161 (64-bit) created at 06/30/2020 04:22:19 deleted
[OK] All system restore points have been successfully deleted

- Create Restore Point -

[OK] System Restore Point created

- Display System Restore Point -

~ RP named KpRm created at 07/01/2020 03:24:41

-- KPRM finished in 275.41s --

-----------------------------------------------------------------------------------------------------------------------
Thank you for the help!
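The FRST fixlog earlier in this thread removed two ContextMenuHandlers whose CLSIDs resolved to no file, and the KpRm log above restored ten UAC policy values to fixed defaults. The PowerShell below is an added example written for this thread, not code from FRST, KpRm, DR.M or ronakb: it re-reads both sets of registry keys and reports UAC drift and orphaned shell extension handlers without changing anything. The list of shell classes to walk, the WOW6432Node lookup and the expected UAC values are assumptions taken from the logs and from the standard Windows registry layout; it expects an elevated session on Windows 10.

```powershell
# Added example (not from FRST, KpRm or any poster): read-only audit of the
# UAC policy values and ContextMenuHandlers touched by the logs in this thread.
# Assumptions: elevated Windows PowerShell 5.1 / PowerShell 7 on Windows 10;
# registry paths and expected values are the ones named in the KpRm fixlog.
# Nothing is modified here; removal is left to a proper FRST-style fix.

# Values KpRm wrote under the UAC policy key, copied from the log. Note that
# EnableInstallerDetection=0 is KpRm's choice, not the shipping default on
# every Windows edition, so DRIFT on that value may be expected.
$script:UacDefaults = [ordered]@{
    EnableLUA                   = 1
    ConsentPromptBehaviorAdmin  = 5
    ConsentPromptBehaviorUser   = 3
    EnableInstallerDetection    = 0
    EnableSecureUIAPaths        = 1
    EnableUIADesktopToggle      = 0
    EnableVirtualization        = 1
    FilterAdministratorToken    = 0
    PromptOnSecureDesktop       = 1
    ValidateAdminCodeSignatures = 0
}

function Test-UacPolicy {
    # Compare each value under the policy key with the expected default.
    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $props = Get-ItemProperty -Path $key
    foreach ($name in $script:UacDefaults.Keys) {
        $actual = $props.$name
        $status = 'ok'
        if ($null -eq $actual) { $status = 'MISSING' }
        elseif ($actual -ne $script:UacDefaults[$name]) { $status = 'DRIFT' }
        [pscustomobject]@{
            Name     = $name
            Expected = $script:UacDefaults[$name]
            Actual   = $actual
            Status   = $status
        }
    }
}

function Get-OrphanedContextMenuHandler {
    # Walk the ContextMenuHandlers keys FRST reported on and flag handlers whose
    # CLSID has no InprocServer32 registration, or whose server DLL is gone.
    $shellClasses = '*', 'AllFileSystemObjects', 'Directory', 'Directory\Background', 'Drive', 'Folder'
    # HKCR already merges HKLM and HKCU classes; WOW6432Node covers 32-bit handlers.
    $clsidRoots   = 'Registry::HKEY_CLASSES_ROOT\CLSID', 'Registry::HKEY_CLASSES_ROOT\WOW6432Node\CLSID'

    foreach ($class in $shellClasses) {
        $base = "Registry::HKEY_CLASSES_ROOT\$class\ShellEx\ContextMenuHandlers"
        if (-not (Test-Path -LiteralPath $base)) { continue }

        foreach ($handler in Get-ChildItem -LiteralPath $base) {
            # The CLSID is either the key's default value or the key name itself
            # (e.g. " FileSyncEx" -> {CB3D0F55-...}, or a bare {4A7C4306-...} key).
            $clsid = (Get-ItemProperty -LiteralPath $handler.PSPath).'(default)'
            if ([string]::IsNullOrWhiteSpace($clsid)) { $clsid = $handler.PSChildName }

            $server = $null
            foreach ($root in $clsidRoots) {
                $srv = "$root\$clsid\InprocServer32"
                if (Test-Path -LiteralPath $srv) {
                    $server = (Get-ItemProperty -LiteralPath $srv).'(default)'
                    break
                }
            }
            if (-not [string]::IsNullOrWhiteSpace($server)) {
                # Server paths are often quoted and/or use %SystemRoot%-style variables.
                $server = [Environment]::ExpandEnvironmentVariables($server.Trim('"'))
            }

            $status = 'ok'
            if ([string]::IsNullOrWhiteSpace($server)) { $status = 'no CLSID registration' }
            elseif (-not (Test-Path -LiteralPath $server)) { $status = 'server DLL missing' }

            [pscustomobject]@{
                Class   = $class
                Handler = $handler.PSChildName
                Clsid   = $clsid
                Server  = $server
                Status  = $status
            }
        }
    }
}

# Usage: show every UAC value, then only the handlers that need attention.
Test-UacPolicy | Format-Table -AutoSize
Get-OrphanedContextMenuHandler | Where-Object Status -ne 'ok' | Format-Table -AutoSize
```

A handler reported as `no CLSID registration` is the same condition FRST prints as `=> No File` for a ContextMenuHandlers entry; `server DLL missing` catches the other common leftover, where the CLSID is still registered but the DLL it points at has been deleted. Both are reported only, so the decision to remove stays with whoever reviews the output.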
