go.microsoft.com/fwlink Malware/Virus [Solved]


This topic is locked
25 replies to this topic

#1 HypoCheese

HypoCheese

    New Member

  • Authentic Member
  • Pip
  • 13 posts

Posted 19 April 2017 - 03:27 AM

I bought this PC recently; I might have downloaded malware, not sure. I've also followed the malware removal processes provided by this website as well, and it still occurs. It never happened on other devices, only on this new PC. I have cracked games and such which may have come with the malware/viruses themselves.

 

I've also attached the FRST results + aswMBR.txt files and also a picture of the actual issue that occurs.

 

The website opens on anything that requires internet - steam browser, google chrome (automatically opens up a browser no matter what), razer cortex (when looking at rewards).

 

Sites I generally visit:

- GMAIL

- FarmSkins.com

- Forums

- Youtube 

- Crack download sites

 

If you need any other information, please inform me, thanks,

 

HypoCheese.


Edited by HypoCheese, 19 April 2017 - 05:09 AM.



#2 ken545

ken545

    Forum God

  • Retired Classroom Teacher
  • 23,225 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 20 April 2017 - 12:24 PM

:welcome:

 

Read this about cracked software; it's all infected. As this forum does not support the use of cracked/keygen/warez software, the only way we can proceed is if you uninstall it first.

https://forums.whatt...showtopic=92526

 

After you uninstall the illegal software run this program and post the log please

 

 
Download CKScanner by askey127 from Here & save it to your Desktop.
  • Doubleclick CKScanner.exe then click Search For Files
  • When the cursor hourglass disappears, click Save List To File
  • A message box will verify the file saved
  • Please Run this program only once
  • Double-click the CKFiles.txt icon on your desktop then copy/paste the contents in your next reply
 


 
 
The forum is staffed by volunteers who donate their time and expertise.
If you feel you have been helped, please consider a donation.
donate.gif
 
Find us on Facebook
Please LIKE and SHARE
 
 
Just a reminder that threads will be closed if no reply in 3 days.

#3 HypoCheese

HypoCheese

    New Member

  • Authentic Member
  • Pip
  • 13 posts

Posted 21 April 2017 - 01:01 AM

 
There's what you asked for. Also, I uninstalled the Sony Vegas 14 Pro crack; I got Adobe anyway from school. Thanks anyway.
 
 
CKScanner 2.5 - Additional Security Risks - These are not necessarily bad
c:\program files (x86)\steam\steamapps\common\heroes & generals\_packed\environments\pictures\architecture\decals\airstripconcretecracks1a_diffuse.crn
c:\program files (x86)\steam\steamapps\common\heroes & generals\_packed\environments\pictures\architecture\walls\crackedpaintburned1a_diffuse.crn
c:\program files (x86)\steam\steamapps\common\heroes & generals\_packed\environments\pictures\architecture\walls\crackedpaintburned1a_normal.crn
c:\program files (x86)\steam\steamapps\common\heroes & generals\_packed\environments\pictures\architecture\walls\crackedpaintwhite1a_diffuse.crn
c:\program files (x86)\steam\steamapps\common\heroes & generals\_packed\environments\pictures\architecture\walls\crackedpaintwhite1a_normal.crn
c:\program files (x86)\steam\steamapps\common\rocketleague\tagame\cookedpcconsole\antenna_nutcracker_sf.upk
c:\program files (x86)\steam\steamapps\common\rocketleague\tagame\cookedpcconsole\paintfinish_cracked_sf.upk
scanner sequence 3.FA.11.ETNADZ
 ----- EOF ----- 


#4 ken545

ken545

    Forum God

  • Retired Classroom Teacher
  • 23,225 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 21 April 2017 - 04:05 AM

Good Morning

 

Thanks for understanding our position on this. Like I said earlier, almost 100% of illegal software is infected; if you use your computer to do any online banking or purchases with a credit card, it would be in your best interest to stay away from these types of software.

 

Let's run these programs and see what they find and remove.

 

All our tools and scanners work more efficiently when run from the DESKTOP in lieu of being buried in some folder, so download and run these tools right from the DESKTOP
 
 
-AdwCleaner-by Xplode
 
Click on this link to download : ADWCleaner TO YOUR DESKTOP
 
Use my link only, do not do a search for AdwCleaner as there is a bogus copy going around by scammers
 
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete click on "Clean"
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.
 
 
 
===============================================================================
 
 
 
 
Please download Junkware Removal Tool TO YOUR DESKTOP
  • Download the one from Bleeping Computer
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
 
 
 
 
===============================================================================
 
 
 
Download Malwarebytes' Anti-Malware  TO YOUR DESKTOP
 
  • Windows XP : Double click on the icon to run it.
  • Windows Vista, Windows 7 , 8, 8.1 and 10 : Right click and select "Run as Administrator"
 
 
  • After the installation IS complete let it update if it asks.
  • Under SETTINGS.....APPLICATIONS leave everything at default
  • Under SETTINGS.....PROTECTION make sure AUTOMATIC QUARANTINE is on. 
  • Then go to the Dashboard and click on SCAN NOW
  • When the scan is finished click on EXPORT SUMMARY......COPY TO CLIPBOARD
  • Then come back to this thread and and under REPLY TO THIS TOPIC, right click in the reply and select Paste
  • Then click on POST
  • Exit Malwarebytes
 


 
 

#5 HypoCheese

HypoCheese

    New Member

  • Authentic Member
  • Pip
  • 13 posts

Posted 22 April 2017 - 05:57 AM

As asked, all files were opened from the desktop and as admin:

 

ADWCleaner - 

# AdwCleaner v6.045 - Logfile created 22/04/2017 at 21:34:17
# Updated on 28/03/2017 by Malwarebytes
# Database : 2017-04-22.1 [Server]
# Operating System : Windows 10 Home  (X64)
# Username : user - VIKTOR
# Running from : C:\Users\user\Downloads\AdwCleaner.exe
# Mode: Clean
 
 
 
***** [ Services ] *****
 
 
 
***** [ Folders ] *****
 
[-] Folder deleted: C:\users\user\AppData\Roaming\Enigma Software Group
[-] Folder deleted: C:\users\user\Documents\vShare
[-] Folder deleted: C:\Program Files\Enigma Software Group
[-] Folder deleted: C:\sh4ldr
 
 
***** [ Files ] *****
 
[-] File deleted: C:\Users\user\AppData\Local\Google\Chrome\User Data\Profile 1\Local Storage\hxxps_balabolka.en.softonic.com_0.localstorage
[-] File deleted: C:\Users\user\AppData\Local\Google\Chrome\User Data\Profile 1\Local Storage\hxxps_balabolka.en.softonic.com_0.localstorage-journal
[-] File deleted: C:\Users\user\AppData\Local\Google\Chrome\User Data\Profile 1\Local Storage\hxxp_funsafetab.com_0.localstorage
[-] File deleted: C:\Users\user\AppData\Local\Google\Chrome\User Data\Profile 1\Local Storage\hxxp_funsafetab.com_0.localstorage-journal
[-] File deleted: C:\Users\user\AppData\Local\Google\Chrome\User Data\Profile 1\Local Storage\hxxp_search.funsafetabsearch.com_0.localstorage
[-] File deleted: C:\Users\user\AppData\Local\Google\Chrome\User Data\Profile 1\Local Storage\hxxp_search.funsafetabsearch.com_0.localstorage-journal
[-] File deleted: C:\Users\user\AppData\Local\Google\Chrome\User Data\Profile 1\Local Storage\hxxp_www.vshare.com_0.localstorage
[-] File deleted: C:\Users\user\AppData\Local\Google\Chrome\User Data\Profile 1\Local Storage\hxxp_www.vshare.com_0.localstorage-journal
 
 
***** [ DLL ] *****
 
 
 
***** [ WMI ] *****
 
 
 
***** [ Shortcuts ] *****
 
 
 
***** [ Scheduled Tasks ] *****
 
 
 
***** [ Registry ] *****
 
[-] Key deleted: [x64] HKLM\SOFTWARE\Ludashi
[-] Key deleted: [x64] HKLM\SOFTWARE\EnigmaSoftwareGroup
[-] Key deleted: HKLM\SOFTWARE\Classes\AppID\OverlayIcon.DLL
 
 
***** [ Web browsers ] *****
 
[-] [C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Deleted: search.snap.do
[-] [C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Deleted: aol.com
[-] [C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Deleted: ask.com
[-] [C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Deleted: search.snapdo.com
 
 
*************************
 
:: "Tracing" keys deleted
:: Winsock settings cleared
 
*************************
 
C:\AdwCleaner\AdwCleaner[C0].txt - [2699 Bytes] - [22/04/2017 21:34:17]
C:\AdwCleaner\AdwCleaner[S0].txt - [2844 Bytes] - [22/04/2017 21:32:54]
 
########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt - [2845 Bytes] ##########
 
JRT - 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.1.3 (04.10.2017)
Operating System: Windows 10 Home x64 
Ran by user (Administrator) on Sat 22/04/2017 at 21:28:05.83
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
File System: 1 
 
Successfully deleted: C:\Users\user\AppData\Roaming\vshare (Folder) 
 
 
 
Registry: 1 
 
Successfully deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\GoogleChromeAutoLaunch_4E874A737D5662A34EBBEADB3A9C4A09 (Registry Value) 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sat 22/04/2017 at 21:28:42.60
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
MalwareBytes Test Results Summary - 
Malwarebytes
www.malwarebytes.com
 
-Log Details-
Scan Date: 4/22/17
Scan Time: 9:41 PM
Logfile: malwarebytes test.txt
Administrator: Yes
 
-Software Information-
Version: 3.0.6.1469
Components Version: 1.0.103
Update Package Version: 1.0.1784
License: Free
 
-System Information-
OS: Windows 10
CPU: x64
File System: NTFS
User: VIKTOR\user
 
-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 450398
Time Elapsed: 2 min, 2 sec
 
-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
-Scan Details-
Process: 0
(No malicious items detected)
 
Module: 0
(No malicious items detected)
 
Registry Key: 0
(No malicious items detected)
 
Registry Value: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Data Stream: 0
(No malicious items detected)
 
Folder: 0
(No malicious items detected)
 
File: 0
(No malicious items detected)
 
Physical Sector: 0
(No malicious items detected)
 
 
(end)
 
 
Thanks, 
 
HypoCheese.


#6 ken545

ken545

    Forum God

  • Retired Classroom Teacher
  • 23,225 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 22 April 2017 - 09:54 AM

Let's run one more program and see what it finds.

 

 
Download RogueKiller from Here or Here To your DESKTOP
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Windows Vista,  Windows 7, 8 or 10  right-click on RogueKiller and select "Run as  Administrator" to start the program.
  • For Windows XP, double-click on RogueKiller to start the program.
  • If the program has been blocked by malware, try to rename it to winlogon.exe, or change its file extension with .com (ex: Roguekiller.com)
  • If a message pops up telling you you're running the 32-bit version, just click on "Run Anyway"
  • The free version will not allow you to change any setting so just leave it all be.
  • The scan is triggered with the Start Scan button. The scan does not modify your system. 
  • Wait until the Status box shows "Scan Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller


     
     

#7 HypoCheese

HypoCheese

    New Member

  • Authentic Member
  • Pip
  • 13 posts

Posted 23 April 2017 - 12:03 AM

It only found a 'PUM', some sort of a DHCP; here is the information it gave me in a text document:

     

RogueKiller V12.10.5.0 (x64) [Apr 18 2017] (Free) by Adlice Software

Operating System : Windows 10 (10.0.14393) 64 bits version
Started in : Normal mode
User : user [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 04/23/2017 15:31:03 (Duration : 00:23:54)

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 1 ¤¤¤
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{587654c8-49d8-4a53-a696-b7c9c573e35f} | DhcpNameServer : 10.10.103.200 10.10.102.200 ([][])  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: KINGSTON SUV400S37240G +++++
--- User ---
[MBR] 8b97d4c4dbec737dc4d7f53e553ed511
[BSP] d7286a69f96537c2c8097d231cb165fc : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 500 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 1026048 | Size: 228434 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: WDC WD20EARX-00PASB0 +++++
--- User ---
[MBR] ac1246d58dfe9bdf4baab5b0063ad8e7
[BSP] da4258d18d27526adca214bac7ca7945 : Linux|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 1907725 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

That's all, thanks,

Hypocheese.

Edited by HypoCheese, 23 April 2017 - 12:04 AM.


#8 ken545

ken545

    Forum God

  • Retired Classroom Teacher
  • 23,225 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 23 April 2017 - 04:59 AM

That IP address is a private network; it doesn't show who owns it. It may be set up by one of your games. Do you know anything about this?



     
     
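The check ken545 is doing by eye in the post above (is the DhcpNameServer address a private-network address, or something out on the internet?) can be automated over a RogueKiller report. The Python script below is an added example written for this page; it is not part of the thread and is not RogueKiller's or Adlice's own code. It parses `[PUM.Dns]` registry lines of the shape shown in post #7, splits out the resolver addresses and labels each one with Python's `ipaddress` module. The sample report is constructed: its first entry is the one from this thread, while the second interface GUID and its `NameServer` value are made up, with 8.8.8.8 (Google Public DNS) standing in for any public resolver the user did not configure. The allowlist of expected resolvers is an assumption the reader fills in.

```python
import ipaddress
import re
from typing import Iterable, List, Tuple

# Constructed sample report. The first [PUM.Dns] line is the entry from this thread;
# the second interface GUID and its NameServer value are made up, with 8.8.8.8
# (Google Public DNS) standing in for a public resolver the user did not set.
SAMPLE_REPORT = r"""
RogueKiller V12.10.5.0 (x64) [Apr 18 2017] (Free) by Adlice Software
¤¤¤ Registry : 2 ¤¤¤
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{587654c8-49d8-4a53-a696-b7c9c573e35f} | DhcpNameServer : 10.10.103.200 10.10.102.200 ([][])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{00000000-0000-4000-8000-000000000001} | NameServer : 8.8.8.8 ([][])  -> Found
¤¤¤ Tasks : 0 ¤¤¤
"""

# Matches the registry line shape shown in the report:
# "[PUM.Dns] (X64) <key> | <value name> : <ip> [<ip> ...] ([][])  -> Found"
DNS_LINE = re.compile(
    r"^\[PUM\.Dns\]\s+\((?P<arch>[^)]+)\)\s+(?P<key>\S+)\s+\|\s+"
    r"(?P<value>\w+)\s+:\s+(?P<servers>[^(]+?)\s+\(\[\]\[\]\)"
)


def classify(ip_text: str) -> str:
    """Label a resolver address by the scope its range implies.

    'private' is what ipaddress.is_private reports (RFC 1918 and other
    reserved ranges), which is what a home router or corporate DHCP server
    normally hands out; 'public' is a globally routable address that should
    match a resolver you actually expect.
    """
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "invalid"
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_private:
        return "private"
    return "public"


def parse_dns_entries(report: str) -> List[dict]:
    """Extract every [PUM.Dns] line: registry key, value name, servers and scopes."""
    entries: List[dict] = []
    for raw in report.splitlines():
        m = DNS_LINE.match(raw.strip())
        if not m:
            continue
        servers = m.group("servers").split()
        entries.append({
            "key": m.group("key"),
            "value": m.group("value"),
            "servers": servers,
            "scopes": {s: classify(s) for s in servers},
        })
    return entries


def unexpected_resolvers(entries: Iterable[dict],
                         allowed: Iterable[str] = ()) -> List[Tuple[str, str]]:
    """Return (value name, address) pairs for public resolvers not in the allowlist.

    The allowlist is an assumption: fill it with the resolvers you configured
    (or your ISP's) so that any other globally routable address stands out.
    """
    allowed_set = set(allowed)
    flagged: List[Tuple[str, str]] = []
    for entry in entries:
        for server in entry["servers"]:
            if classify(server) == "public" and server not in allowed_set:
                flagged.append((entry["value"], server))
    return flagged


if __name__ == "__main__":
    found = parse_dns_entries(SAMPLE_REPORT)
    for entry in found:
        print(entry["value"], entry["scopes"])
    print("unexpected:", unexpected_resolvers(found))
```

Run against the thread's own entry, both 10.10.x.x addresses come back as private, which is consistent with a router or game-network DHCP lease rather than a hijack. The entry worth chasing is a public resolver that nobody on the machine configured, which is what the allowlist comparison surfaces; note that `ipaddress.is_private` also treats reserved test ranges as private, so "public" here means globally routable.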

#9 HypoCheese

HypoCheese

    New Member

  • Authentic Member
  • Pip
  • 13 posts

Posted 23 April 2017 - 05:07 AM

Not that I know of. Also, once I restart my internet, after a minute of no internet the popup comes up; it just did after I had to restart my internet due to constant 4000 ping.

Thanks,

HypoCheese.



#10 HypoCheese

HypoCheese

    New Member

  • Authentic Member
  • Pip
  • 13 posts

Posted 23 April 2017 - 05:42 AM

Edit: I've been getting my first ever spam emails within the 5 years of this email being in use, not good advertisements either...

Thanks,

HypoCheese.




#11 ken545

ken545

    Forum God

  • Retired Classroom Teacher
  • 23,225 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 23 April 2017 - 05:56 AM

As far as those spam emails, you may be getting them because you signed up for different games. Not much we can do here about that. Just don't open any of them; if you do, the sender will know your email is legit and you will just get more and more of them. I always use another email address that I really never use except for signing up for things; I never use my real email address.

Let's remove that entry

Close all Programs

  • Right Click on RogueKiller and select 'Run as Administrator'
  • After it has completed its prescan, click on Scan
  • Click on the "Registry" tab
  • Put a checkmark in the following entries

[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{587654c8-49d8-4a53-a696-b7c9c573e35f} | DhcpNameServer : 10.10.103.200 10.10.102.200 ([][])  -> Found

Then click on the Delete Button and post the log it produces


     
     

#12 HypoCheese

HypoCheese

    New Member

  • Authentic Member
  • Pip
  • 13 posts

Posted 23 April 2017 - 05:58 AM

Will do. I have also run into another issue... I write a link into the search engine (usually 'Google') and half the screen is black. I'm not sure what that is, but is it because I did 'ipconfig /flushdns'?

Thanks,

HypoCheese.



#13 ken545

ken545

    Forum God

  • Retired Classroom Teacher
  • 23,225 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 23 April 2017 - 06:06 AM

That would not cause this. After you run the RogueKiller fix, right click on FRST64 and select RUN AS ADMINISTRATOR. When it loads, keep everything at default but put a checkmark in ADDITIONS ONLY, click on SCAN and post both new logs please.



     
     

#14 HypoCheese

HypoCheese

    New Member

  • Authentic Member
  • Pip
  • 13 posts

Posted 23 April 2017 - 06:33 AM

I wouldn't be able to copy/paste the actual logs due to their length; what way would I be able to upload the log files?

Thanks,

HypoCheese.



#15 ken545

ken545

    Forum God

  • Retired Classroom Teacher
  • 23,225 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 23 April 2017 - 06:39 AM

Make sure you have FRST set up like this; note what's checked and what's not.

If you still can't paste the logs, then attach them by going to More Reply Options.



     
     