Possibly infected[2]


Re: Possibly infected[2]

Post by pgmigg » October 26th, 2017, 6:44 pm

Hello OrangeRanger,

OrangeRanger wrote: Forewarning, Elobuddy is a hack for League of Legends; the company was taken down and sued by Riot, so the program no longer works. I just never deleted it.
I will deal with it a little bit later...
OrangeRanger wrote: Also, I thought I completely removed KMS, but apparently not; the good news is ESET wants to get rid of it completely for me, which is good.

This scan took 10 hrs due to how large my E drive is; will I have to rescan in order to clean what it found?
Because ESET may scan for many hours, we use other tools to delete the entries found by the ESET scanner.
OrangeRanger wrote: And obviously anything in E:\FileHistory\... is just automatically backed up even after I delete anything on my live version of Windows.
Because the external drive (E:) is your backup drive, used by the system's File History backup utility, I will not touch it at all.

Personally, I don't like built-in programs like File History Backup under Windows 10, which can perform meaningless, uncontrollable actions. I prefer third-party backup tools that are independent of Windows, such as Western Digital Smart Incremental Backup or similar, but that is a separate story.

Let's return to our treatment. Please do the following:

Step 1.
FRST Fix
  1. Close all your programs.
  2. You should still have FRST64.exe on your Desktop. If not please download it HERE and save it on your Desktop.
  3. Please press the Windows Key + R.
  4. Type notepad.exe into the text box and click OK.
  5. A blank Notepad page should open.
    • Copy and Paste the following script into Notepad, but do not include the words Code: Select all.
    • (Click the Select all button next to Code: to select the entire script).
    Code: Select all
    CreateRestorePoint:
    
    C:\Program Files (x86)\EloBuddy
    C:\Users\Lucas\AppData\Roaming\EloBuddy
    
    EmptyTemp:
    CMD: ipconfig /flushdns
  6. Save it next to FRST64.exe as fixlist.txt.
    Important! fixlist.txt must be saved in the same directory as FRST64.exe to work.
  7. Right click on FRST64.exe and select Run as administrator.
  8. Press the Fix button one time only and wait.
  9. When FRST finishes you will be prompted to reboot your computer. Click OK.
  10. Your computer should now restart. On reboot navigate to your Desktop where you should find Fixlog.txt. Copy and paste the contents in your reply.

Step 2.
FRST Registry Search
  1. Close all your programs.
  2. You should still have FRST64.exe on your Desktop. If not please download it HERE and save it on your Desktop.
  3. Right click on FRST64.exe and select Run as administrator.
  4. When the tool opens click Yes to the disclaimer.
  5. Copy/Paste or Type the following line into the Search: box.
    EloBuddy;AutoKMS
  6. Press the Search Registry button.
  7. When the search finishes, a Search.txt log file will open on your Desktop.
  8. Please post it in your next reply.

Step 3.
Show Hidden Files and Folders
  1. Please type File Explorer into the Windows search box and run it.
  2. Click on the File tab and select Change folders and search options.
  3. In the Folder Options window click on the View tab.
  4. Check Show hidden files, folders and drives.
  5. Uncheck Hide extensions for known file types and Hide protected operating system files.
  6. Click OK.

Step 4.
Upload Files to VirusTotal
  1. Please go to VirusTotal.
  2. Click the Upload and scan file button and navigate to the first of the following files:
    C:\Windows\SECOH-QAD.dll
    C:\Windows\SECOH-QAD.exe
    C:\Users\Lucas\Desktop\7 Script\7 Script.exe
    C:\Windows\System32\drivers\netfilter2.sys
    D:\Users\Lucas\Downloads\Unlocker1.9.2.exe
  3. You might see a message saying File already analysed; if you do, click Reanalyse.
  4. Wait for all the scans to finish, until the message "Analysis in progress..." disappears, then copy and paste the web address from your browser's address bar.
  5. Navigate to the next file in the list and repeat the procedure for every file until the list ends.
  6. Include all web links in your next reply.
    Note: if you cannot find one or more of the files, do not worry. Finish the rest of the steps and let me know in your reply which file(s) you could not find.

Please post each log separately to prevent it being cut off by the forum post size limiter.
Check each after you've posted it to make sure it's all present; if any log is cut off you'll have to post it in sections.

Please include in your next reply:
  1. Do you have any problems executing the instructions?
  2. Contents of the Fixlog.txt log file
  3. Contents of the Search.txt log file
  4. The resulting web links after online file scans by Virus Total
  5. Do you see any changes in computer behavior?

Thanks,
pgmigg

Failure to post replies within 72 hours will result in this thread being closed
pgmigg
Admin/Teacher

Re: Possibly infected[2]

Post by OrangeRanger » October 26th, 2017, 7:03 pm

Do you have any problems executing the instructions? No
Do you see any changes in computer behavior? Nope

Code:
Fix result of Farbar Recovery Scan Tool (x64) Version: 26-10-2017
Ran by Lucas (26-10-2017 17:47:47) Run:3
Running from C:\Users\Lucas\Desktop
Loaded Profiles: Lucas (Available Profiles: Lucas & Luucas & DefaultAppPool)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CreateRestorePoint:

C:\Program Files (x86)\EloBuddy
C:\Users\Lucas\AppData\Roaming\EloBuddy

EmptyTemp:
CMD: ipconfig /flushdns
*****************

Restore point was successfully created.
C:\Program Files (x86)\EloBuddy => moved successfully
C:\Users\Lucas\AppData\Roaming\EloBuddy => moved successfully

========= ipconfig /flushdns =========


Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========


=========== EmptyTemp: ==========

BITS transfer queue => 32768 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 10830943 B
Java, Flash, Steam htmlcache => 343 B
Windows/system/drivers => 10796 B
Edge => 0 B
Chrome => 448325015 B
Firefox => 0 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 128 B
systemprofile32 => 0 B
LocalService => 0 B
NetworkService => 2744 B
Lucas => 204880355 B
purpl => 0 B
DefaultAppPool => 0 B

RecycleBin => 0 B
EmptyTemp: => 633.3 MB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 17:48:08 ====
OrangeRanger
Regular Member

Re: Possibly infected[2]

Post by OrangeRanger » October 26th, 2017, 7:03 pm

SearchReg.txt

Code:
Farbar Recovery Scan Tool (x64) Version: 26-10-2017
Ran by Lucas (26-10-2017 17:54:07)
Running from C:\Users\Lucas\Desktop
Boot Mode: Normal

================== Search Registry: "EloBuddy;AutoKMS" ===========


===================== Search result for "EloBuddy" ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\elobuddy]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\elobuddy]
""="URL:elobuddy Protocol"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\elobuddy\DefaultIcon]
""="C:\Program Files (x86)\EloBuddy\EloBuddy.Loader.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\elobuddy\shell\open\command]
""=""C:\Program Files (x86)\EloBuddy\EloBuddy.Loader.exe" "%1" "%2""

[HKEY_USERS\S-1-5-21-3154826165-2591789761-3766887662-1001\SOFTWARE\Microsoft\VisualStudio\14.0\MRUItems\{a9c4a31f-f9cb-47a9-abc0-49ce82d0b3ac}\Items]
"2"="%UserProfile%\Desktop\EloBuddy-Addons-master\AddonTemplate\AddonTemplate.sln|{00000000-0000-0000-0000-000000000000}|False|AddonTemplate
{00000000-0000-0000-0000-000000000000}"

[HKEY_USERS\S-1-5-21-3154826165-2591789761-3766887662-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts]
"elobuddy_elobuddy"="0"

[HKEY_USERS\S-1-5-21-3154826165-2591789761-3766887662-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.csproj\OpenWithList]
"c"="EloBuddy.Loader.exe"

[HKEY_USERS\S-1-5-21-3154826165-2591789761-3766887662-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ebaddon\OpenWithList]
"a"="EloBuddy.Loader.exe"

[HKEY_USERS\S-1-5-21-3154826165-2591789761-3766887662-1001\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store]
"C:\Program Files (x86)\EloBuddy\EloBuddy.Loader.exe"="0x534143500100000000000000070000002800000000B418000000000001000000000000000000000AF122000033504C2B57DFD10100000000000000000200000028000000000000000000004000000000000000000000000000000000A6F44400000000001100000011000000"


===================== Search result for "AutoKMS" ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F78D36C5-18B8-4F57-B337-5CEBC262292C}]
"Path"="\AutoKMS"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F78D36C5-18B8-4F57-B337-5CEBC262292C}]
"Description"="AutoKMS"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F78D36C5-18B8-4F57-B337-5CEBC262292C}]
"URI"="\AutoKMS"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AutoKMS]

[HKEY_USERS\S-1-5-21-3154826165-2591789761-3766887662-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{FCFC11FB-6125-4771-82C8-1FA0AFAFB0C0}\RecentItems\{74CC1B48-18BE-4CE2-991C-EC5C7152A736}]
"Path"="C:\Windows\AutoKMS\AutoKMS.log"

[HKEY_USERS\S-1-5-21-3154826165-2591789761-3766887662-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{FCFC11FB-6125-4771-82C8-1FA0AFAFB0C0}\RecentItems\{74CC1B48-18BE-4CE2-991C-EC5C7152A736}]
"DisplayName"="AutoKMS.log"

====== End of Search ======
OrangeRanger
Regular Member

Re: Possibly infected[2]

Post by OrangeRanger » October 26th, 2017, 7:04 pm

Virus Total Links

Code:
https://www.virustotal.com/#/file/0398221231cff97e1fdc03d357ac4610afb8f3cdde4c90a9ec4d7823b405699e/detection
https://www.virustotal.com/#/file/9896a6fcb9bb5ac1ec5297b4a65be3f647589adf7c37b45f3f7466decd6a4a7f/detection
https://www.virustotal.com/#/file/d022296d431ebb3160088d50919397d46a2c115ef6c99a8af90ded37f099c1e2/detection
https://www.virustotal.com/#/file/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/detection
https://www.virustotal.com/#/file/b3284358029388637e642077f99e81e81144d8dab2f2623e263dbb5b625be746/detection
OrangeRanger
Regular Member

Re: Possibly infected[2]

Post by pgmigg » October 26th, 2017, 9:20 pm

Hello OrangeRanger,

Code:
https://www.virustotal.com/#/file/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/detection
This web link (number 4 in your list) was created by mistake. Instead of C:\Windows\System32\drivers\netfilter2.sys, you found and selected the AllItems.aspx file. Please rerun VirusTotal for the proper file. After that I will prepare the new fix for you.

Upload File to VirusTotal
  1. Please go to VirusTotal.
  2. Click the Upload and scan file button and navigate to the following file:
    C:\Windows\System32\drivers\netfilter2.sys
  3. You might see a message saying File already analysed; if you do, click Reanalyse.
  4. Wait for all the scans to finish, until the message "Analysis in progress..." disappears, then copy and paste the web address from your browser's address bar.
  5. Include the web link in your next reply.
    Note: if you cannot find the file, do not worry. Finish the rest of the steps and let me know in your reply which file you could not find.

Please post each log separately to prevent it being cut off by the forum post size limiter.
Check each after you've posted it to make sure it's all present; if any log is cut off you'll have to post it in sections.

Please include in your next reply:
  1. Do you have any problems executing the instructions?
  2. The resulting web link after online file scan by Virus Total
  3. Do you see any changes in computer behavior?

Thanks,
pgmigg

Failure to post replies within 72 hours will result in this thread being closed
pgmigg
Admin/Teacher
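The link the helper flags above carries the hash e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855, which is the SHA-256 of zero bytes. VirusTotal identifies a sample by its SHA-256, so a `#/file/<sha256>/detection` link with that digest means an empty (0-byte) upload reached VirusTotal rather than the driver, whatever file name the browser displayed. The script below is an added example, not code from the thread, from FRST or from VirusTotal: it hashes a local file the way VirusTotal does, builds the link format the posts above use, and flags the empty-file digest so a wrong upload is caught before the link is posted. The two demo files it creates are constructed.

```python
"""Check what a VirusTotal file link really refers to before relying on it.

Added example; not code from the forum thread, from FRST or from VirusTotal.
"""
import hashlib
import os
import re
import tempfile

# SHA-256 of the empty input (well-known constant).
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

# Link layout used by the posts above: .../#/file/<64 hex digits>/detection
VT_FILE_LINK_RE = re.compile(r"virustotal\.com/#/file/([0-9a-fA-F]{64})/detection")


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def vt_detection_url(sha256_hex):
    """Build the link VirusTotal would show for a file with this SHA-256."""
    return f"https://www.virustotal.com/#/file/{sha256_hex.lower()}/detection"


def sha256_from_vt_url(url):
    """Pull the 64-hex-digit SHA-256 out of a VirusTotal file link."""
    match = VT_FILE_LINK_RE.search(url)
    if match is None:
        raise ValueError(f"not a VirusTotal file link: {url}")
    return match.group(1).lower()


def classify_vt_link(url):
    """Say whether the link can refer to a real sample or only to an empty upload."""
    if sha256_from_vt_url(url) == EMPTY_SHA256:
        return "empty-file digest: a 0-byte file was uploaded, not the intended sample"
    return "sample digest: ok"


def describe_local_file(path):
    """Hash a local file and predict the link an upload of it would produce."""
    sha256_hex = sha256_of_file(path)
    url = vt_detection_url(sha256_hex)
    return {"path": path, "size": os.path.getsize(path), "sha256": sha256_hex,
            "url": url, "verdict": classify_vt_link(url)}


def demo():
    """Constructed demo: one file with content, one empty file (hypothetical data)."""
    with tempfile.TemporaryDirectory() as tmp:
        real = os.path.join(tmp, "sample.bin")
        empty = os.path.join(tmp, "empty.bin")
        with open(real, "wb") as fh:
            fh.write(b"MZ" + b"\x00" * 62)      # constructed bytes, not a real PE
        open(empty, "wb").close()               # the 0-byte case from the thread
        return [describe_local_file(real), describe_local_file(empty)]


if __name__ == "__main__":
    for info in demo():
        print(f"{info['path']} ({info['size']} bytes) -> {info['url']}")
        print(f"  {info['verdict']}")
    # The fourth link posted above resolves to the empty-file digest:
    print(classify_vt_link(vt_detection_url(EMPTY_SHA256)))
```

Run it against the real driver path before uploading: if `describe_local_file` reports a size of 0 or the empty-file verdict, the file the browser handed over is not the one intended, which is exactly the mix-up the thread ran into.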

Re: Possibly infected[2]

Post by OrangeRanger » October 26th, 2017, 10:11 pm

That's the correct link for the correct file. Below is a GIF showing you.

GIF:
https://i.gyazo.com/6382ced9f4cd58f291a ... b38fba.gif

Do you have any problems executing the instructions? Apparently
The resulting web link after online file scan by Virus Total https://www.virustotal.com/#/file/e3b0c ... /detection
Do you see any changes in computer behavior? No
OrangeRanger
Regular Member

Re: Possibly infected[2]

Post by OrangeRanger » October 26th, 2017, 10:15 pm

Never mind, I had to drag it onto my desktop in order for it to work. For some reason when I dragged it into VirusTotal, it was coming up with "wt.html", and when I went to manually search for it through VirusTotal, no drivers were showing up, even with the file selection set to "All Files".

https://www.virustotal.com/#/file/92894 ... /detection
OrangeRanger
Regular Member

Re: Possibly infected[2]

Post by pgmigg » October 26th, 2017, 11:10 pm

Hello OrangeRanger,

Well done! :D

Step 1.
FRST Fix
  1. Close all your programs.
  2. You should still have FRST64.exe on your Desktop. If not please download it HERE and save it on your Desktop.
  3. Please press the Windows Key + R.
  4. Type notepad.exe into the text box and click OK.
  5. A blank Notepad page should open.
    • Copy and Paste the following script into Notepad, but do not include the words Code: Select all.
    • (Click the Select all button next to Code: to select the entire script).
    Code: Select all
    CreateRestorePoint:
    
    Task: {F78D36C5-18B8-4F57-B337-5CEBC262292C} - System32\Tasks\AutoKMS => C:\WINDOWS\AutoKMS\AutoKMS.exe
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\elobuddy]
    [HKEY_USERS\S-1-5-21-3154826165-2591789761-3766887662-1001\SOFTWARE\Microsoft\VisualStudio\14.0\MRUItems\{a9c4a31f-f9cb-47a9-abc0-49ce82d0b3ac}\Items]
    "2"=-
    [HKEY_USERS\S-1-5-21-3154826165-2591789761-3766887662-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts]
    "elobuddy_elobuddy"=-
    [HKEY_USERS\S-1-5-21-3154826165-2591789761-3766887662-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.csproj\OpenWithList]
    "c"=-
    [HKEY_USERS\S-1-5-21-3154826165-2591789761-3766887662-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ebaddon\OpenWithList]
    "a"=-
    [HKEY_USERS\S-1-5-21-3154826165-2591789761-3766887662-1001\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store]
    "C:\Program Files (x86)\EloBuddy\EloBuddy.Loader.exe"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F78D36C5-18B8-4F57-B337-5CEBC262292C}]
    "Path"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F78D36C5-18B8-4F57-B337-5CEBC262292C}]
    "Description"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F78D36C5-18B8-4F57-B337-5CEBC262292C}]
    "URI"=-
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AutoKMS]
    [HKEY_USERS\S-1-5-21-3154826165-2591789761-3766887662-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{FCFC11FB-6125-4771-82C8-1FA0AFAFB0C0}\RecentItems\{74CC1B48-18BE-4CE2-991C-EC5C7152A736}]
    "Path"=-
    [HKEY_USERS\S-1-5-21-3154826165-2591789761-3766887662-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{FCFC11FB-6125-4771-82C8-1FA0AFAFB0C0}\RecentItems\{74CC1B48-18BE-4CE2-991C-EC5C7152A736}]
    "DisplayName"=-
    
    C:\Program Files (x86)\EloBuddy
    C:\Users\Lucas\AppData\Roaming\EloBuddy
    C:\WINDOWS\AutoKMS
    C:\Windows\SECOH-QAD.dll
    C:\Windows\SECOH-QAD.exe
    C:\Users\Lucas\Desktop\7 Script\7 Script.exe
    C:\Windows\System32\drivers\netfilter2.sys
    C:\Users\Lucas\Desktop\netfilter2.sys
    D:\Users\Lucas\Downloads\Unlocker1.9.2.exe
    
    EmptyTemp:
    
  6. Save it next to FRST64.exe as fixlist.txt.
    Important! fixlist.txt must be saved in the same directory as FRST64.exe to work.
  7. Right click on FRST64.exe and select Run as administrator.
  8. Press the Fix button one time only and wait.
  9. When FRST finishes you will be prompted to reboot your computer. Click OK.
  10. Your computer should now restart. On reboot navigate to your Desktop where you should find Fixlog.txt. Copy and paste the contents in your reply.

Please post each log separately to prevent it being cut off by the forum post size limiter.
Check each after you've posted it to make sure it's all present; if any log is cut off you'll have to post it in sections.

Please include in your next reply:
  1. Do you have any problems executing the instructions?
  2. Contents of the Fixlog.txt log file
  3. Do you see any changes in computer behavior?

Thanks,
pgmigg

Failure to post replies within 72 hours will result in this thread being closed
pgmigg
Admin/Teacher
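The Search.txt posted earlier and the fixlist built from it in this post revolve around the same kinds of registry hits: key-only results, key-plus-value results, and a scheduled-task registration under TaskCache. Below is an added example, not code from the thread and not part of FRST, that parses that Search.txt layout into structured hits and labels the ones a helper should look at first: task registrations under `Schedule\TaskCache` are persistence, URL-protocol classes and Open-With lists are handlers, while MRU and RecentApps hits are only usage traces. It assumes the layout seen in the log above (including a long value wrapped onto a second line, as the MRUItems entry was), the labels are this example's own heuristics, and the sample log is constructed with hypothetical names and SID. It deliberately stops at a review list rather than emitting fixlist syntax, since the Fixlog posted below shows the bracketed [key] and "name"=- lines coming back with "No automatic fix found for this entry."

```python
"""Parse an FRST 'Search Registry' log into structured hits and flag the ones
that matter for a persistence review.

Added example: not code from the thread and not part of FRST. Classification
rules are this example's own heuristics; the sample log is constructed.
"""
import re
from collections import Counter, namedtuple

Hit = namedtuple("Hit", "term key name value")

BANNER_RE = re.compile(r'^=+ Search result for "([^"]+)" =+$')
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]*)"="(.*)"$')

# (regex on the key path, label); the first matching rule wins.
RULES = [
    (r"\\Schedule\\TaskCache\\(Tasks|Tree|Boot)\\", "scheduled task registration (persistence)"),
    (r"\\shell\\open\\command$", "handler command line (what runs on open)"),
    (r"\\SOFTWARE\\Classes\\[^\\]+$", "URL protocol / file class registration"),
    (r"\\Explorer\\FileExts\\[^\\]+\\OpenWithList$", "Open-With association"),
    (r"\\(RecentApps|MRUItems)\\", "usage trace (MRU / recent items)"),
    (r"\\AppCompatFlags\\Compatibility Assistant\\Store$", "compatibility-assistant trace"),
]

# Constructed sample in the Search.txt layout (hypothetical names, GUIDs and SID).
SAMPLE_SEARCH_TXT = r'''Farbar Recovery Scan Tool (x64) Version: 26-10-2017
Boot Mode: Normal

===================== Search result for "ExampleProto" ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exampleproto]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exampleproto]
""="URL:exampleproto Protocol"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exampleproto\shell\open\command]
""=""C:\Program Files (x86)\ExampleProto\Loader.exe" "%1" "%2""

[HKEY_USERS\S-1-5-21-0-0-0-1001\SOFTWARE\Microsoft\VisualStudio\14.0\MRUItems\{a9c4a31f-f9cb-47a9-abc0-49ce82d0b3ac}\Items]
"2"="%UserProfile%\Desktop\ExampleProto-Addons\AddonTemplate.sln|{00000000-0000-0000-0000-000000000000}|False|AddonTemplate
{00000000-0000-0000-0000-000000000000}"

===================== Search result for "ExampleTask" ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{00000000-0000-0000-0000-000000000001}]
"Path"="\ExampleTask"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ExampleTask]

====== End of Search ======
'''


def parse_search_log(text):
    """Return Hit tuples in log order; a key with several values yields several hits."""
    hits, term, key, pending = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None:           # still inside a value wrapped over lines
            pending += line
            if not line.endswith('"'):
                continue
            line, pending = pending, None
        if (m := BANNER_RE.match(line)):
            term, key = m.group(1), None
        elif (m := KEY_RE.match(line)):
            key = m.group(1)
            hits.append(Hit(term, key, None, None))   # key-only until a value follows
        elif key is None or not line:
            continue                      # tool header lines and blanks
        elif (m := VALUE_RE.match(line)):
            hit = Hit(term, key, m.group(1), m.group(2))
            if hits[-1].key == key and hits[-1].name is None:
                hits[-1] = hit            # attach the value to its key line
            else:
                hits.append(hit)
        elif line.startswith('"') and '"=' in line:
            pending = line                # wrapped value; closing quote on a later line
    return hits


def classify(hit):
    """Label a hit by where in the registry it lives (heuristic, see RULES)."""
    for pattern, label in RULES:
        if re.search(pattern, hit.key, re.IGNORECASE):
            return label
    return "unclassified"


def summarize(hits):
    return Counter(classify(h) for h in hits)


def persistence_hits(hits):
    """The hits to review first: anything registered as a scheduled task."""
    return [h for h in hits if classify(h).startswith("scheduled task")]


if __name__ == "__main__":
    found = parse_search_log(SAMPLE_SEARCH_TXT)
    for h in found:
        print(f"[{h.term}] {classify(h)}: {h.key}" + ("" if h.name is None else f' :: "{h.name}"="{h.value}"'))
    print("summary:", dict(summarize(found)))
```

On the log above, the same rules would put the two `TaskCache\Tasks\{GUID}` and `TaskCache\Tree\AutoKMS` keys at the top of the review list and file the VisualStudio MRU and RecentApps entries as traces that prove use but carry no code.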

Re: Possibly infected[2]

Post by OrangeRanger » October 26th, 2017, 11:19 pm

Do you have any problems executing the instructions? No
Do you see any changes in computer behavior? Windows took a bit longer to load into, but other than that, nope.

Code:
Fix result of Farbar Recovery Scan Tool (x64) Version: 26-10-2017
Ran by Lucas (26-10-2017 22:16:46) Run:4
Running from C:\Users\Lucas\Desktop
Loaded Profiles: Lucas (Available Profiles: Lucas & Luucas & DefaultAppPool)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CreateRestorePoint:

Task: {F78D36C5-18B8-4F57-B337-5CEBC262292C} - System32\Tasks\AutoKMS => C:\WINDOWS\AutoKMS\AutoKMS.exe
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\elobuddy]
[HKEY_USERS\S-1-5-21-3154826165-2591789761-3766887662-1001\SOFTWARE\Microsoft\VisualStudio\14.0\MRUItems\{a9c4a31f-f9cb-47a9-abc0-49ce82d0b3ac}\Items]
"2"=-
[HKEY_USERS\S-1-5-21-3154826165-2591789761-3766887662-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts]
"elobuddy_elobuddy"=-
[HKEY_USERS\S-1-5-21-3154826165-2591789761-3766887662-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.csproj\OpenWithList]
"c"=-
[HKEY_USERS\S-1-5-21-3154826165-2591789761-3766887662-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ebaddon\OpenWithList]
"a"=-
[HKEY_USERS\S-1-5-21-3154826165-2591789761-3766887662-1001\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store]
"C:\Program Files (x86)\EloBuddy\EloBuddy.Loader.exe"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F78D36C5-18B8-4F57-B337-5CEBC262292C}]
"Path"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F78D36C5-18B8-4F57-B337-5CEBC262292C}]
"Description"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F78D36C5-18B8-4F57-B337-5CEBC262292C}]
"URI"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AutoKMS]
[HKEY_USERS\S-1-5-21-3154826165-2591789761-3766887662-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{FCFC11FB-6125-4771-82C8-1FA0AFAFB0C0}\RecentItems\{74CC1B48-18BE-4CE2-991C-EC5C7152A736}]
"Path"=-
[HKEY_USERS\S-1-5-21-3154826165-2591789761-3766887662-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{FCFC11FB-6125-4771-82C8-1FA0AFAFB0C0}\RecentItems\{74CC1B48-18BE-4CE2-991C-EC5C7152A736}]
"DisplayName"=-

C:\Program Files (x86)\EloBuddy
C:\Users\Lucas\AppData\Roaming\EloBuddy
C:\WINDOWS\AutoKMS
C:\Windows\SECOH-QAD.dll
C:\Windows\SECOH-QAD.exe
C:\Users\Lucas\Desktop\7 Script\7 Script.exe
C:\Windows\System32\drivers\netfilter2.sys
C:\Users\Lucas\Desktop\netfilter2.sys
D:\Users\Lucas\Downloads\Unlocker1.9.2.exe

EmptyTemp:
*****************

Restore point was successfully created.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{F78D36C5-18B8-4F57-B337-5CEBC262292C} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F78D36C5-18B8-4F57-B337-5CEBC262292C} => key removed successfully
C:\WINDOWS\System32\Tasks\AutoKMS => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AutoKMS => key removed successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\elobuddy => key removed successfully
[HKEY_USERS\S-1-5-21-3154826165-2591789761-3766887662-1001\SOFTWARE\Microsoft\VisualStudio\14.0\MRUItems\{a9c4a31f-f9cb-47a9-abc0-49ce82d0b3ac}\Items] => Error: No automatic fix found for this entry.
"2"=- => Error: No automatic fix found for this entry.
[HKEY_USERS\S-1-5-21-3154826165-2591789761-3766887662-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts] => Error: No automatic fix found for this entry.
"elobuddy_elobuddy"=- => Error: No automatic fix found for this entry.
[HKEY_USERS\S-1-5-21-3154826165-2591789761-3766887662-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.csproj\OpenWithList] => Error: No automatic fix found for this entry.
"c"=- => Error: No automatic fix found for this entry.
[HKEY_USERS\S-1-5-21-3154826165-2591789761-3766887662-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ebaddon\OpenWithList] => Error: No automatic fix found for this entry.
"a"=- => Error: No automatic fix found for this entry.
[HKEY_USERS\S-1-5-21-3154826165-2591789761-3766887662-1001\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store] => Error: No automatic fix found for this entry.
"C:\Program Files (x86)\EloBuddy\EloBuddy.Loader.exe=-" => not found.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F78D36C5-18B8-4F57-B337-5CEBC262292C}] => Error: No automatic fix found for this entry.
"Path"=- => Error: No automatic fix found for this entry.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F78D36C5-18B8-4F57-B337-5CEBC262292C}] => Error: No automatic fix found for this entry.
"Description"=- => Error: No automatic fix found for this entry.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F78D36C5-18B8-4F57-B337-5CEBC262292C}] => Error: No automatic fix found for this entry.
"URI"=- => Error: No automatic fix found for this entry.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AutoKMS => key not found. 
[HKEY_USERS\S-1-5-21-3154826165-2591789761-3766887662-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{FCFC11FB-6125-4771-82C8-1FA0AFAFB0C0}\RecentItems\{74CC1B48-18BE-4CE2-991C-EC5C7152A736}] => Error: No automatic fix found for this entry.
"Path"=- => Error: No automatic fix found for this entry.
[HKEY_USERS\S-1-5-21-3154826165-2591789761-3766887662-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\{FCFC11FB-6125-4771-82C8-1FA0AFAFB0C0}\RecentItems\{74CC1B48-18BE-4CE2-991C-EC5C7152A736}] => Error: No automatic fix found for this entry.
"DisplayName"=- => Error: No automatic fix found for this entry.
"C:\Program Files (x86)\EloBuddy" => not found.
"C:\Users\Lucas\AppData\Roaming\EloBuddy" => not found.
"C:\WINDOWS\AutoKMS" => not found.
C:\Windows\SECOH-QAD.dll => moved successfully
C:\Windows\SECOH-QAD.exe => moved successfully
C:\Users\Lucas\Desktop\7 Script\7 Script.exe => moved successfully
C:\Windows\System32\drivers\netfilter2.sys => moved successfully
"C:\Users\Lucas\Desktop\netfilter2.sys" => not found.
D:\Users\Lucas\Downloads\Unlocker1.9.2.exe => moved successfully

=========== EmptyTemp: ==========

BITS transfer queue => 1134528 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 12900033 B
Java, Flash, Steam htmlcache => 0 B
Windows/system/drivers => 226886 B
Edge => 0 B
Chrome => 351221321 B
Firefox => 0 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 0 B
LocalService => 0 B
NetworkService => 1062 B
Lucas => 144399034 B
purpl => 0 B
DefaultAppPool => 0 B

RecycleBin => 0 B
EmptyTemp: => 486.3 MB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 22:17:07 ====
OrangeRanger
Regular Member
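A helper reading a Fixlog like the one above has to pick out which requested actions actually happened. Here the `[-key]` deletions, the scheduled-task removal and the file moves succeeded, several paths were already gone ("not found"), and every bracketed `[key]` plus `"name"=-` pair came back with "Error: No automatic fix found for this entry.", so those registry values were not removed and would need another approach. The added example below (not code from the thread and not part of FRST) sorts the `item => result` lines of a Fixlog into those buckets and lists what still needs attention. It skips the EmptyTemp size lines, which use the same `=>` separator, and the sample log is constructed.

```python
"""Check an FRST Fixlog for requested entries that were not actually actioned.

Added example; not code from the thread and not part of FRST. The sample
log below is constructed in the Fixlog layout posted above.
"""
SAMPLE_FIXLOG = r'''Fix result of Farbar Recovery Scan Tool (x64) Version: 26-10-2017
Ran by Example (26-10-2017 22:16:46) Run:4
Boot Mode: Normal
==============================================

fixlist content:
*****************
CreateRestorePoint:
Task: {00000000-0000-0000-0000-000000000001} - System32\Tasks\ExampleTask => C:\Example\ExampleTask.exe
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exampleproto]
[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Key]
"Name"=-
C:\Example\Dropped.exe
C:\Example\Gone.dll
EmptyTemp:
*****************

Restore point was successfully created.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{00000000-0000-0000-0000-000000000001} => key removed successfully
C:\WINDOWS\System32\Tasks\ExampleTask => moved successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exampleproto => key removed successfully
[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Key] => Error: No automatic fix found for this entry.
"Name"=- => Error: No automatic fix found for this entry.
C:\Example\Dropped.exe => moved successfully
"C:\Example\Gone.dll" => not found.

=========== EmptyTemp: ==========

Chrome => 351221321 B
RecycleBin => 0 B
EmptyTemp: => 486.3 MB temporary data Removed.

The system needed a reboot.
'''


def classify_result(result):
    """Map FRST's result text to a bucket; None means 'not an action outcome'."""
    r = result.strip()
    if r.endswith("successfully"):
        return "ok"
    if r.startswith("Error:"):
        return "error"
    if r.startswith("not found") or r.startswith("key not found"):
        return "not_found"
    return None     # e.g. EmptyTemp size lines or the echoed 'Task: ... => exe' fixlist line


def check_fixlog(text):
    """Sort every '<item> => <result>' outcome line into ok / error / not_found."""
    report = {"restore_point": False, "ok": [], "error": [], "not_found": []}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Restore point was successfully created"):
            report["restore_point"] = True
            continue
        if " => " not in line:
            continue
        item, result = line.split(" => ", 1)
        bucket = classify_result(result)
        if bucket is not None:
            report[bucket].append(item)
    return report


def followup_items(report):
    """What the helper must handle another way: errored entries, plus a missing restore point."""
    items = list(report["error"])
    if not report["restore_point"]:
        items.insert(0, "(no restore point was created)")
    return items


if __name__ == "__main__":
    rep = check_fixlog(SAMPLE_FIXLOG)
    for bucket in ("ok", "not_found", "error"):
        print(f"{bucket} ({len(rep[bucket])}):")
        for item in rep[bucket]:
            print("   ", item)
    print("needs follow-up:", followup_items(rep))
```

"not found" entries are usually fine (the object was already removed by an earlier step, as with the EloBuddy folders above, which the first fix had already moved), whereas anything in the error bucket means the entry was never touched and the registry value is still present.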

Re: Possibly infected[2]

Post by pgmigg » October 26th, 2017, 11:36 pm

Hello OrangeRanger,

Your latest set of logs appear to be clean! :cheers:
This is my general post for when your logs show no more signs of malware.
Before I give you instructions on how to keep your computer clean and secure, you need to take a few additional steps.

Step 1.
Please download delfix and save it to your Desktop.
  1. Right-click on delfix.exe and select "Run as administrator" to run it.
  2. Check the following boxes then click on Run.
    1. Activate UAC
    2. Remove disinfection tools
    3. Create registry backup
    4. Reset system settings
  3. All tools we used to clean your computer should be gone now.
  4. You can now delete any tools/logs we used if they remain on your computer.

Then:
  • Please don't forget to enable and update all your defense software!

Finally:
Please click HERE to find a short guide to staying safer online.

Please don't hesitate to ask any additional questions.

Stay Safe! ;)
pgmigg
pgmigg
Admin/Teacher

Re: Possibly infected[2]

Post by OrangeRanger » October 26th, 2017, 11:47 pm

Done! Thank you so much, I'm really happy with how thorough you were. Usually I know what's on my computer, but I was surprised what you found, and I'm happy you removed them.

Quick question, what does Reset system settings do?

Also, delfix removed a lot of older stuff as well.

Code:
# DelFix v1.010 - Logfile created 26/10/2017 at 22:44:15
# Updated 26/04/2015 by Xplode
# Username : Lucas - LUCAS-PC
# Operating System : Windows 10 Pro  (64 bits)

~ Activating UAC ... OK

~ Removing disinfection tools ...

Deleted : C:\Qoobox
Deleted : C:\FRST
Deleted : C:\AdwCleaner
Deleted : C:\RegBackup
Deleted : C:\Users\Lucas\Desktop\FRST-OlderVersion
Deleted : C:\Users\Lucas\Desktop\Addition.txt
Deleted : C:\Users\Lucas\Desktop\adwcleaner_7.0.3.1.exe
Deleted : C:\Users\Lucas\Desktop\CKScanner.exe
Deleted : C:\Users\Lucas\Desktop\Fixlog.txt
Deleted : C:\Users\Lucas\Desktop\FRST.txt
Deleted : C:\Users\Lucas\Desktop\FRST64.exe
Deleted : C:\WINDOWS\grep.exe
Deleted : C:\WINDOWS\PEV.exe
Deleted : C:\WINDOWS\NIRCMD.exe
Deleted : C:\WINDOWS\MBR.exe
Deleted : C:\WINDOWS\SED.exe
Deleted : C:\WINDOWS\SWREG.exe
Deleted : C:\WINDOWS\SWSC.exe
Deleted : C:\WINDOWS\SWXCACLS.exe
Deleted : C:\WINDOWS\Zip.exe
Deleted : HKLM\SOFTWARE\Swearware

~ Creating registry backup ... OK

~ Resetting system settings ... OK

########## - EOF - ##########
OrangeRanger
Regular Member

Re: Possibly infected[2]

Post by pgmigg » October 27th, 2017, 12:26 am

You are very welcome OrangeRanger,

OrangeRanger wrote: what does Reset system settings do?
During the process of malware removal some tools may change some system settings, or the helper may change them manually: show/hide hidden files, change file/folder attributes and permissions, etc. DelFix resets such settings to their default values.
OrangeRanger wrote: Also, delfix removed a lot of older stuff as well.
Any out-of-date programs are potentially dangerous from a security point of view, and this applies especially to the tools/scanners used for malware removal/detection. The best way to work with them is to download a fresh, most recent version of the required tool at the time it is needed, so DelFix removes most of the old, outdated tools.

Stay Safe! ;)
pgmigg
pgmigg
Admin/Teacher

Re: Possibly infected[2]

Post by pgmigg » October 27th, 2017, 12:55 am

As the problems seem to be resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see
Feedback for Our Helpers - Say "Thanks" Here.
pgmigg
Admin/Teacher
