Solved Possible Malware from ccleaner issue

Download RogueKiller from one of the following links and save it to your Desktop:

Link 1
Link 2
  • Close all the running programs
  • Double click on downloaded setup.exe file to install the program.
  • Click on Start Scan button.
  • Click on another Start Scan button.
  • Wait until the Status box shows Scan Finished
  • Click on Remove Selected.
  • Wait until the Status box shows Deleting Finished.
  • Click on Report and copy/paste the content of the Notepad into your next reply.
  • RKreport.txt could also be found on your desktop.
  • If more than one log is produced post all logs.
Please download Malwarebytes to your desktop.
  • Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
  • Then click Finish.
  • Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
  • If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
  • When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
  • Restart your computer when prompted to do so.
  • The Scan log is available through History -> Application logs. Please post its contents in your next reply.
Please download AdwCleaner by Xplode and save to your Desktop.
  • Double click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8/10 users right-click and select Run As Administrator
  • The tool will start to update the database if one is required.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Logfile button.
  • A window will open which lists the logs of your scans.
  • Click on the Scan tab.
  • Double-click the most recent scan which will be at the top of the list....the log will appear.
  • Review the results...see note below
  • After reviewing the log, click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[CX].txt) will open automatically (where the largest value of X represents the most recent report).
  • To open a Cleaning log, launch AdwCleaner, click on the Logfile button, click on the Cleaning tab and double-click the log at the top of the list.
  • Copy and paste the contents of AdwCleaner[CX].txt in your next reply.
  • A copy of all logfiles is saved to C:\AdwCleaner.
-- Note: The contents of the AdwCleaner log file may be confusing. Unless you see a program name or entry that you recognize and know should not be removed, don't worry about it. If you see an entry you want to keep, return to AdwCleaner before cleaning...all detected items will be listed (and checked) in each tab. Click on and uncheck any items you want to keep.


Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
 
RogueKiller V12.11.18.0 (x64) [Oct 2 2017] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : https://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Nancy [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Delete -- Date : 10/05/2017 20:52:48 (Duration : 00:20:23)
Switches : -refid

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 2 ¤¤¤
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-3111028138-2455618344-1635019946-1000\Software\Microsoft\Internet Explorer\Main | Start Page : https://search.norton.com/?prt=ns&c...a-bc4d-10b16f21a17a&doi=2016-09-01&o=APN11915 -> Replaced (http://go.microsoft.com/fwlink/p/?LinkId=255141)
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-3111028138-2455618344-1635019946-1000\Software\Microsoft\Internet Explorer\Main | Start Page : https://search.norton.com/?prt=ns&c...a-bc4d-10b16f21a17a&doi=2016-09-01&o=APN11915 -> Replaced (http://go.microsoft.com/fwlink/p/?LinkId=255141)

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 1 ¤¤¤
[PUM.HomePage][Firefox:Config] skr52bhf.default-1506546741849 : user_pref("browser.startup.homepage", "https://mg.mail.yahoo.com/?.src=neo...bautomation.com/|https://www.timeanddate.com/"); -> Replaced (about:home)

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: LITEON LCH-256V2S SCSI Disk Device +++++
--- User ---
[MBR] 1dc2202132417e70ec657b5d4b64c761
[BSP] 234c53eac619243d356ab59639b8859e : Lenovo|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 1500 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 3074048 | Size: 227531 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 469057536 | Size: 15165 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: USB Flash Memory USB Device +++++
--- User ---
[MBR] ad199a729095e31034339d352b278492
[BSP] 65d403a1331aaa11017f1ae0b458f9e6 : Unknown|VT.Unknown MBR Code
Partition table:
0 - [XXXXXX] FAT32 (0xb) [VISIBLE] Offset (sectors): 63 | Size: 14799 MB
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )

Thanks - Step 1
 
Malwarebytes: I had this program installed on my computer and this morning upon waking the computer I was able to do a scan and activate my license (last night I was not able). I did the setup from the program you listed; it stalled on the installing page and the computer froze and I had to do a hard boot. The second time it installed, but it would not let me click on anything to run. It just opened to the main page and that is all I could do. Step 2 a failure.

Below are the AdwCleaner results. The only thing it looks to have found was the Norton search option. I cleaned everything anyway. Step 3 complete.

# AdwCleaner 7.0.3.1 - Logfile created on Fri Oct 06 03:13:51 2017
# Updated on 2017/29/09 by Malwarebytes
# Running on Windows 7 Professional (X64)
# Mode: clean
# Support: https://www.malwarebytes.com/support

***** [ Services ] *****

No malicious services deleted.

***** [ Folders ] *****

No malicious folders deleted.

***** [ Files ] *****

No malicious files deleted.

***** [ DLL ] *****

No malicious DLLs cleaned.

***** [ WMI ] *****

No malicious WMI cleaned.

***** [ Shortcuts ] *****

No malicious shortcuts cleaned.

***** [ Tasks ] *****

No malicious tasks deleted.

***** [ Registry ] *****

Deleted: [Key] - HKCU\Software\Microsoft\Internet Explorer\DOMStorage\nortonsafe.search.ask.com
Deleted: [Key] - HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\ask.com
Deleted: [Key] - HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\nortonsafe.search.ask.com


***** [ Firefox (and derivatives) ] *****

SearchProvider deleted: nortonsafe.search.ask.com - Norton Safe Search


***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries deleted.

*************************

::Tracing keys deleted
::Winsock settings cleared
::Additional Actions: 0



*************************

C:/AdwCleaner/AdwCleaner[S0].txt - [1311 B] - [2017/10/6 3:10:7]


########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt ##########
 
Hi Broni
Last Step- Not sure if it looks like much.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.1.4 (07.09.2017)
Operating System: Windows 7 Professional x64
Ran by Nancy (Administrator) on Thu 10/05/2017 at 22:24:55.27
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




File System: 8

Successfully deleted: C:\Users\Nancy\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\METEO79U (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Nancy\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PSYKCKEW (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Nancy\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TSCUSOMZ (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Nancy\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\W8AJYW3A (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\METEO79U (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PSYKCKEW (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TSCUSOMZ (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\W8AJYW3A (Temporary Internet Files Folder)



Registry: 1

Successfully deleted: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} (Registry Key)




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Thu 10/05/2017 at 22:27:10.42
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
Broni
Firefox program is not letting me close it with the "click on x". I checked the options and it states that Firefox version 48.0.2 dated 8/24/2016 was installed on 10/4/17 at 5:31:08. Version 56, dated 9/28/17, was installed 10/4/17 at 5:36:36. I do not see the firefox.patch.js file popping up yet. Thanks for the help.
 
Broni
Just an FYI:
Tried Spywareblaster. Protection was disabled for Restricted sites & Mozilla. When I tried to click to enable, nothing happened, just like on Malwarebytes program. By minimizing the program using the task bar I was able to enable the protection again for both. That action seems to turn off whatever is blocking the clicks.
 
Broni
Woke computer from sleep this morning and I could run a scan on malwarebytes. Found nothing. It must be something with the sleeping that resets the ability to be able to click in the program?
 
Broni
This morning everything appeared to be working pretty well. Norton did a live update and I had to restart. I opened Mozilla and opened two tabs (yahoo.com) & (extension page to check them), and suddenly I cannot close or minimize with clicking again. I checked Spywareblaster, Malwarebytes, GIMP and each returned to the same behavior of not closing with a click on the x. iTunes would open and close but it kept providing a screen to log in with my appleid & password. I had to cancel it 5 times; it just wouldn't take no for an answer, but I was able to close that program with the click x.

I then decided to check my theory about putting the computer into sleep and sure enough everything began to work again, except iTunes: the screen that wanted my appleid and pw just began to flash quickly. I could not close it or close the program. I used Task Manager to end the session.

So it seems whatever is at work here, begins with a reboot and resets after a sleep session.
 
At this point....

In this forum, we make sure your computer is free of malware, and your computer is clean :)
Because access to the malware forum is very limited, your best option is to create a new topic about your current issue in the Windows section.
You'll get more attention.

Good luck :)
 