Scan Done See Attached

Discussion in 'Malware Help (A Specialist Will Reply)' started by CG., Dec 7, 2017.

  1. CG.

    CG. Private E-2

    I've been having issues with my 2-year-old PC running Windows 10. I was told to scan and post here to make sure I do not have any viruses or malware.

    My original thread is here, https://forums.majorgeeks.com/threads/windows-10-pc-issue-on-boot.317678/

    See attached log file. I have not uninstalled or removed anything as of yet. Awaiting a response before I proceed.
     

    Attached Files:

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    If you want us to check your system for malware, please do the Read and Run First instructions at the top of this forum.
     
  3. CG.

    CG. Private E-2

    Doing all the scans now one by one, will report back with all the logs once done.

    FYI, the RogueKiller tutorial link does not work.

    Also, just to make sure: once I have the log from RogueKiller, you do not want the selected items deleted, correct? I know it doesn't mention to, but I just want to make sure.

    Don
     
  4. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    The link has been updated... and the instructions specifically direct not to remove any detections, just upload the log.
     
  5. CG.

    CG. Private E-2

    Hope I did this right; if not, let me know and I'll do it again. See attached.
     

    Attached Files:

  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You didn't attach the RogueKiller log.

    In the meantime, open ADWCleaner and remove these:
    PUP.Optional.Conduit, C:\Program Files (x86)\Conduit
    PUP.Optional.Conduit, [Key] - HKLM\SOFTWARE\Conduit
    PUP.Optional.Conduit, [Key] - HKU\S-1-5-21-2223092116-703290192-630354965-1001\Software\Conduit
    PUP.Optional.Conduit, [Key] - HKU\S-1-5-21-2223092116-703290192-630354965-1001\Software\AppDataLow\Software\Conduit
    PUP.Optional.Conduit, [Key] - HKCU\Software\Conduit
    PUP.Optional.Conduit, [Key] - HKCU\Software\AppDataLow\Software\Conduit

    Then open Hitman and remove these:
    Potential Unwanted Programs _________________________________________________

    C:\ProgramData\Babylon\ (Babylon)
    C:\Users\Don\AppData\Local\Babylon\ (Babylon)
    C:\Users\Don\AppData\Local\Babylon\Setup\ (Babylon)
    C:\Users\Don\AppData\Local\Babylon\Setup\latest_tb.zpb (Babylon)
    C:\Users\Don\AppData\Local\Babylon\Setup\Setup-tbmntr181110.zpb (Babylon)
    C:\Users\Don\AppData\Local\Babylon\Setup\Setup-tbmntr903.zpb (Babylon)
    C:\Users\Don\AppData\Roaming\Babylon\ (Babylon)
    HKLM\SOFTWARE\Classes\Prod.cap\ (Claro)
    HKU\S-1-5-21-2223092116-703290192-630354965-1001\Software\AppDataLow\Software\SmartBar\ (Conduit)

    Reboot and rescan with Hitman and attach the new log along with the log from RogueKiller.

    It looks like you only have junkware on your system.
     
  7. CG.

    CG. Private E-2

    I'll have to do that again, as it's not showing in the logs. Weird, I know I saved it.
     
  8. CG.

    CG. Private E-2

    Sorry here is the RK log, it saved in the C drive section.
     

    Attached Files:

  9. CG.

    CG. Private E-2

    I'm assuming that to remove the files mentioned I have to rescan and then remove?
     
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yes, you probably do need to reopen them.

    Are you using cracked software?

    Please rerun RogueKiller and remove these:
    ¤¤¤ Registry : 4 ¤¤¤
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{17DB5857-5941-46E4-AC3E-5E1C0AE88512}C:\users\don\appdata\local\temp\keygen.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\users\don\appdata\local\temp\keygen.exe|Name=keygen.exe|Desc=keygen.exe|Defer=User| [x] -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{B32B4D2E-D71B-4AE9-A7F9-1B88800D95A2}C:\users\don\appdata\local\temp\keygen.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\users\don\appdata\local\temp\keygen.exe|Name=keygen.exe|Desc=keygen.exe|Defer=User| [x] -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{A7E1C8D1-5966-4845-80C5-02DB92C508E5}C:\users\don\appdata\local\temp\keygen.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\users\don\appdata\local\temp\keygen.exe|Name=keygen.exe|Desc=keygen.exe|Defer=User| [x] -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{29294B0D-C497-4F5A-9D37-C3B3B209C589}C:\users\don\appdata\local\temp\keygen.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\users\don\appdata\local\temp\keygen.exe|Name=keygen.exe|Desc=keygen.exe|Defer=User| [x] -> Found

    And these:
    ¤¤¤ Files : 8 ¤¤¤
    [PUP.Gen1][Folder] C:\ProgramData\Babylon -> Found
    [PUP.Gen1][Folder] C:\Users\Don\AppData\Roaming\Babylon -> Found
    [PUP.Gen1][Folder] C:\Users\Don\AppData\Local\Babylon -> Found
    [PUP.Gen1][Folder] C:\ProgramData\Babylon -> Found
    [PUP.Bandoo|PUP.Gen1][File] C:\$Recycle.Bin\S-1-5-21-2223092116-703290192-630354965-1001\$R2X8B2O.lnk [LNK@] C:\Users\Don\AppData\Local\Torch\Application\torch.exe --run-by-tm http://music.torchbrowser.com -> Found
    [PUP.Bandoo|PUP.Gen1][File] C:\$Recycle.Bin\S-1-5-21-2223092116-703290192-630354965-1001\$RF1H2MA.lnk [LNK@] C:\Users\Don\AppData\Local\Torch\Application\torch.exe --run-by-ddi http://realtor.com/ -> Found
    [PUP.Bandoo|PUP.Gen1][File] C:\$Recycle.Bin\S-1-5-21-2223092116-703290192-630354965-1001\$RJNPZJV.lnk [LNK@] C:\Users\Don\AppData\Local\Torch\Application\torch.exe --run-by-ddi http://elliman.com/ -> Found
    [PUP.Bandoo|PUP.Gen1][File] C:\$Recycle.Bin\S-1-5-21-2223092116-703290192-630354965-1001\$RLD1QUX.lnk [LNK@] C:\Users\Don\AppData\Local\Torch\Application\torch.exe --run-by-tg http://games.torchbrowser.com -> Found

    After you have done all the fixes, reboot and rescan with RogueKiller and attach the new log.
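    The four registry entries above are Windows Firewall rules stored under FirewallRules: the value name ("UDP Query User{GUID}<path>") is what Windows creates when a user clicks Allow on the firewall prompt, and the value data is a pipe-separated rule string (Action, Active, Dir, Protocol, Profile, App, ...). A TCP and a UDP rule for each of the Public and Private profiles is the normal footprint of a single program that was allowed through. The script below is an added example, not part of the thread and not RogueKiller's or MajorGeeks' code: it parses RogueKiller-style findings in that format and flags active inbound Allow rules whose App path sits in a user-writable location such as a temp folder, the same reasoning RogueKiller's Suspicious.Path heuristic applies. The log lines in SAMPLE_LOG are constructed for the example (placeholder GUIDs and user name), not the poster's real log.

```python
"""Triage of RogueKiller-style Windows Firewall rule findings (added example).

Each registry finding has the shape
    [Suspicious.Path] (X64) <key> | <value name> : <value data> [x] -> Found
where <value data> is the native firewall rule string, e.g.
    v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=<exe>|Name=...|
"""
import re
from typing import Dict, List, Tuple

# Constructed sample lines in the format shown in the thread (placeholder GUIDs/user).
SAMPLE_LOG = r"""
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{00000000-0000-0000-0000-000000000001}C:\users\example\appdata\local\temp\keygen.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\users\example\appdata\local\temp\keygen.exe|Name=keygen.exe|Desc=keygen.exe|Defer=User| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{00000000-0000-0000-0000-000000000002}C:\Program Files\Vendor\app.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Program Files\Vendor\app.exe|Name=app.exe|Desc=app.exe|Defer=User| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | Block Old Tool : v2.10|Action=Block|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\users\example\downloads\tool.exe|Name=tool.exe|Defer=User| [x] -> Found
"""

ENTRY_RE = re.compile(
    r"^\[(?P<tag>[^\]]+)\]\s+\((?P<arch>X64|X86)\)\s+"
    r"(?P<key>[^|]+?)\s+\|\s+(?P<value>.+?)\s+:\s+"
    r"(?P<data>v\d+\.\d+\|.*?\|)\s+\[x\]\s+->\s+(?P<status>\w+)$"
)

PROTOCOLS = {"6": "TCP", "17": "UDP"}  # IANA protocol numbers used in the rule string

# Lower-cased path fragments of user-writable locations; a program that was properly
# installed should not be accepting inbound connections from any of these.
USER_WRITABLE_MARKERS = ("\\appdata\\local\\temp\\", "\\temp\\", "\\downloads\\", "\\public\\")


def parse_entry(line: str) -> Dict[str, str]:
    """Split one RogueKiller registry finding into the rule's key=value fields."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised RogueKiller entry: {line[:60]!r}")
    entry = {"tag": m["tag"], "arch": m["arch"], "key": m["key"],
             "value_name": m["value"], "status": m["status"]}
    fields = m["data"].split("|")
    entry["version"] = fields[0]            # e.g. v2.10, the rule-string schema version
    for field in fields[1:]:
        if "=" in field:
            k, v = field.split("=", 1)
            entry[k] = v
    return entry


def assess(rule: Dict[str, str]) -> List[str]:
    """Return the reasons a rule deserves attention (empty list == nothing notable)."""
    reasons: List[str] = []
    app = rule.get("App", "").lower()
    inbound_allow = (rule.get("Action") == "Allow" and rule.get("Dir") == "In"
                     and rule.get("Active") == "TRUE")
    if inbound_allow and any(marker in app for marker in USER_WRITABLE_MARKERS):
        reasons.append(f"active inbound allow for an executable in a user-writable path: {rule.get('App')}")
    if inbound_allow and rule.get("Profile") == "Public":
        reasons.append("inbound allow applies on the Public profile")
    if rule["value_name"].startswith(("TCP Query User", "UDP Query User")):
        reasons.append("'Query User' rule: created when someone clicked Allow on the firewall prompt")
    return reasons


def triage(log_text: str) -> List[Tuple[str, List[str]]]:
    """Assess every non-blank finding; returns (rule name, reasons) in log order."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rule = parse_entry(line)
        results.append((rule.get("Name", rule["value_name"]), assess(rule)))
    return results


def rules_per_app(log_text: str) -> Dict[str, int]:
    """Count rules per executable: 4 per exe (TCP+UDP x Public+Private) is one Allow click."""
    counts: Dict[str, int] = {}
    for line in log_text.splitlines():
        if line.strip():
            app = parse_entry(line).get("App", "").lower()
            counts[app] = counts.get(app, 0) + 1
    return counts


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LOG):
        print(name, "->", "; ".join(reasons) if reasons else "nothing notable")
```

    Run stand-alone it prints one line per finding; on the constructed sample only keygen.exe collects all three reasons, the Program Files entry is flagged solely as a user-prompt rule, and the Block rule is left alone. The same parser works for the rule strings as exported from the registry, since the data part is unchanged.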
     
  11. CG.

    CG. Private E-2

    I think yes, on one app: MS Office 2010.

    I think I'll install LibreOffice instead to avoid issues.
     
    Last edited: Dec 8, 2017
  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Using cracked software is a prime method to get infected. LibreOffice is a good choice.
     
  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Planning on doing this?
     
  14. CG.

    CG. Private E-2

    Yes, sorry, I was out for dinner with family and just got back. Here you go, see attached.
     

    Attached Files:

  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You didn't fix any of this:
    ¤¤¤ Registry : 4 ¤¤¤
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{17DB5857-5941-46E4-AC3E-5E1C0AE88512}C:\users\don\appdata\local\temp\keygen.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\users\don\appdata\local\temp\keygen.exe|Name=keygen.exe|Desc=keygen.exe|Defer=User| [x] -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{B32B4D2E-D71B-4AE9-A7F9-1B88800D95A2}C:\users\don\appdata\local\temp\keygen.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\users\don\appdata\local\temp\keygen.exe|Name=keygen.exe|Desc=keygen.exe|Defer=User| [x] -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{A7E1C8D1-5966-4845-80C5-02DB92C508E5}C:\users\don\appdata\local\temp\keygen.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\users\don\appdata\local\temp\keygen.exe|Name=keygen.exe|Desc=keygen.exe|Defer=User| [x] -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{29294B0D-C497-4F5A-9D37-C3B3B209C589}C:\users\don\appdata\local\temp\keygen.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\users\don\appdata\local\temp\keygen.exe|Name=keygen.exe|Desc=keygen.exe|Defer=User| [x] -> Found

    Remove them, reboot and rescan and attach a new log.
     
  16. CG.

    CG. Private E-2

    Not because I didn't want to; the PC is locking up again. Waiting on it to load and settle to do so.
     
  17. CG.

    CG. Private E-2

    PC has rebooted twice since, so once done I'll rescan, delete and post the log.

    I'm sure the issue I am having is memory-related. Driving me nuts.
     
  18. CG.

    CG. Private E-2

    I was able to finally get the PC back up and running, and after deleting all the files I will do another RK scan this morning and post the log file.

    Before going to bed last night I installed and let run the Tweak app, so let's see what happens today. Thanks again for all your help Tim. ;)
     
    Last edited: Dec 9, 2017
  19. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You're welcome.
     
  20. CG.

    CG. Private E-2

    OK, here is the latest RK scan after I deleted all others. I'm assuming this is my iGoogle home page that is still showing in the scan?

    http://www.igoogleportal.com/mypage/index.php?tabid=0

    PC is a little better since the tweak, but still slow and non-responsive. I have been setting up the new AIO PC all morning, along with a rain storm that knocked out for 2 hours and internet for 3, LOL

    Wish there was an app that would save all my data and apps to put back on the new PC, without reinstalling all the programs and settings.
     

    Attached Files:

  21. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Just fix this:
    ¤¤¤ Files : 1 ¤¤¤
    [PUP.Firefox][File] C:\Users\Don\AppData\Roaming\Mozilla\Firefox\Profiles\5m82jf5x.default\Invalidprefs.js -> Found

    There are programs that will let you transfer your data, but not your apps. Ask in the software forum.

    You should probably run the tweak program a couple of times.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Re-enable your disk emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista, Win 7 or Win 8 or 10, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Now go to the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    7. After doing the above, you should work through the below link:
     
  22. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    If tweaking doesn't do the job, you could always do a reset. It will keep your documents but not your apps.
     
  23. CG.

    CG. Private E-2


    I will do. Just curious, as I posted in the above post: the PUP Firefox file, is that my iGoogle home page? Should I not use that?

    Yep, once I am done setting up all the programs on the new AIO PC, that is exactly what I will do

    BTW, I did delete the last file as mentioned in FF on RK, but then quickly realized my Xnotifier Neo addon stopped working, so I am sure it is from that. Can I ignore it and keep it, as I use that to log in to all my Gmail accounts?
     
  24. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

  25. CG.

    CG. Private E-2

  26. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I switched to Chrome a long time ago.
     
  27. CG.

    CG. Private E-2

    I'll have to check if Xnotifier works on Chrome; a while back it didn't, but it might now.
     
  28. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    It does.
     
  29. CG.

    CG. Private E-2

    Yep, just installed and was coming to tell you but you had already replied, LOL
     
  30. CG.

    CG. Private E-2

    Yep, I uninstalled it and when I reopened FF my Xnotifier extension wouldn't work, so that was probably it.

    I did set up Chrome with a few different profiles, to make it easier to use with different Gmail accounts.

    I'm on the new PC now as the other one is locked again, LOL

    Thanks again. When I'm comfortable resetting the PC, as soon as I'm sure I have everything I need, I'll let you know what happens.
     
