Hey,
I seem to have become infected with a PUP process.
I ran adwcleaner and it seems to have removed it.
I just want to make sure the system is clean.
MBAM came up as clean.
Hey,
I seem to have become infected with a PUP process.
I ran adwcleaner and it seems to have removed it.
I just want to make sure the system is clean.
MBAM came up as clean.
Possibly infected?
No, your system is infected !
One of the causes is that you are using cracked software.
Use this fixlist to start with.
Start
CreateRestorePoint:
Closeprocesses:
Emptytemp:
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
S3 cleanhlp; \??\C:\Users\Ali Khan\Desktop\bin\cleanhlp64.sys [X]
U4 CmdAgent; No ImagePath
S1 SASDIFSV; \??\C:\Users\ALIKHA~1\AppData\Local\Temp\SAS_SelfExtract\SASDIFSV64.SYS [X]
S1 SASKUTIL; \??\C:\Users\ALIKHA~1\AppData\Local\Temp\SAS_SelfExtract\SASKUTIL64.SYS [X]
2015-03-23 19:05 - 2015-03-24 16:04 - 00000202 _____ () C:\Windows\Tasks\AutoKMSDaily.job
2015-03-08 16:54 - 2015-03-08 16:54 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome
2015-03-24 16:30 - 2013-12-05 23:42 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-03-24 16:11 - 2009-07-14 04:45 - 00019056 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-03-24 16:11 - 2009-07-14 04:45 - 00019056 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-03-24 16:04 - 2014-08-12 19:13 - 00000206 _____ () C:\Windows\Tasks\AutoKMS.job
2015-03-24 16:04 - 2014-07-05 16:15 - 00078848 _____ () C:\Windows\KMSEmulator.exe
FF Plugin HKU\S-1-5-21-2847728861-3915489070-3157556616-1000: @acestream.net/acestreamplugin,version=2.1.5 -> C:\Users\Ali Khan\AppData\Roaming\ACEStream\player\npace_plugin.dll No File
FF Plugin HKU\S-1-5-21-2847728861-3915489070-3157556616-1000: @acestream.net/acestreamplugin,version=3.0.11 -> C:\Users\Ali Khan\AppData\Roaming\ACEStream\player\npace_plugin.dll No File
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
HKLM Group Policy restriction on software: *.avi*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.jpeg*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.divx*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.mp4*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.rar*.com <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\Microsoft\Windows\Start Menu\Programs\Startup\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.jpeg*.scr <====== ATTENTION
HKLM Group Policy restriction on software: vssadmin.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.pub*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.wmv*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.mp4*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.ppt*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\Microsoft\Windows\Start Menu\Programs\Startup\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.doc*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\Microsoft\Windows\Start Menu\Programs\Startup\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.pptx*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.jpg*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.wmv*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.gif*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.docx*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.wmv*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.mp3*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.gif*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.pdf*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.txt*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.xls*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.zip*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.rar*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.bmp*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.bmp*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.divx*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.doc*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.xlsx*.exe <====== ATTENTION
HKLM Group Policy restriction on software: lsassw86s.exe <====== ATTENTION
HKLM Group Policy restriction on software: C:\Users\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.zip*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.png*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.txt*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.divx*.pif <====== ATTENTION
HKLM Group Policy restriction on software: syskey.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.mp3*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.mp3*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.wav*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\Microsoft\Windows\Start Menu\Programs\Startup\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.xls*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.pub*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.pdf*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.ppt*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.rtf*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.pub*.exe <====== ATTENTION
HKLM Group Policy restriction on software: ** <====== ATTENTION
HKLM Group Policy restriction on software: *.wav*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.rtf*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.7z*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.pub*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.docx*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.wmv*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.avi*.exe <====== ATTENTION
HKLM Group Policy restriction on software: cipher.exe <====== ATTENTION
HKLM Group Policy restriction on software: scsvserv.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.xls*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.docx*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.wav*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.mp4*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.wma*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.wma*.pif <====== ATTENTION
HKLM Group Policy restriction on software: C:\Users\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.pdf*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.pptx*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.bmp*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.zip*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: C:\Users\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.wma*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.avi*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.doc*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.mp4*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.gif*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %programfiles%\*\svchost.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.ppt*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*\*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.bmp*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.gif*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.7z*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.png*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.wav*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.jpg*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.avi*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.png*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.wma*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.rar*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: lsassvrtdbks.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.xlsx*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.7z*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.xlsx*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %systemdrive%\*\svchost.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.docx*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\Appdata\Roaming\Microsoft\Windows\IEUpdate\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %programdata%\*\svchost.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.rtf*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.txt*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.xls*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\*\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.mp3*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.rar*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.7z*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.doc*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.pptx*.scr <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.jpg*.com <====== ATTENTION
HKLM Group Policy restriction on software: %allusersprofile%\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.jpeg*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\*.pif <====== ATTENTION
HKLM Group Policy restriction on software: *.png*.pif <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.divx*.scr <====== ATTENTION
HKLM Group Policy restriction on software: *.pdf*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.zip*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.jpg*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.rtf*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.txt*.com <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.com <====== ATTENTION
HKLM Group Policy restriction on software: %programfiles(x86)%\*\svchost.exe <====== ATTENTION
HKLM Group Policy restriction on software: *.pptx*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.xlsx*.com <====== ATTENTION
HKLM Group Policy restriction on software: *.jpeg*.exe <====== ATTENTION
HKLM Group Policy restriction on software: *:\$Recycle.Bin <====== ATTENTION
HKLM Group Policy restriction on software: *.ppt*.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Roaming\utorrent\utorrent.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\LocalLow\utorrent\utorrent.exe <====== ATTENTION
HKLM Group Policy restriction on software: %appdata%\utorrent\utorrent.exe <====== ATTENTION
HKLM Group Policy restriction on software: %userprofile%\AppData\Local\utorrent\utorrent.exe <====== ATTENTION
HKU\S-1-5-21-2847728861-3915489070-3157556616-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
DPF: HKLM-x32 {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab
Task: {1AEFF0BB-B5CD-43B9-8631-994AC40DEA7E} - System32\Tasks\AutoKMS => C:\Windows\AutoKMS.exe [2014-08-12] ()
Task: {9D327168-3041-42CF-B545-894168234766} - System32\Tasks\AutoKMSDaily => C:\Windows\AutoKMS.exe [2014-08-12] ()
Task: C:\Windows\Tasks\AutoKMS.job => C:\Windows\AutoKMS.exe
Task: C:\Windows\Tasks\AutoKMSDaily.job => C:\Windows\AutoKMS.exe
CMD: ipconfig /flushdns
CMD: ipconfig /release
CMD: ipconfig /renew
CMD: netsh winsock reset catalog
CMD: bitsadmin /reset /allusers
End
I know the AutoKMS and KMSEmulator is for Office. I’ve been running that for a while since my genuine key doesn’t seem to work. I’ll remove that in a bit.
Regarding the policies, I think they’re set by Cryptoprevent?
Why not use Libre Office ?
It is free.
You also have a limited office included in your hotmail account https://office.live.com/start/default.aspx
What problems are you experiencing ?
CAUTION : This fix is only valid for this specific machine, using it on another may break your computer
Open notepad and copy/paste the text in the quotebox below into it:
CreateRestorePoint: HKU\S-1-5-21-2847728861-3915489070-3157556616-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION S2 3a37b93a; "C:\Windows\system32\rundll32.exe" "c:\Program Files (x86)\Optimizer Pro 3.64\OptProMon.dll",ENT Task: {F5058FD6-4BDC-415B-B84E-438F14F74637} - System32\Tasks\CIS_{81EFDD93-DBBE-415B-BE6E-49B9664E3E82} => C:\ProgramData\cisE272.exe <==== ATTENTION c:\Program Files (x86)\Optimizer Pro 3.64 C:\ProgramData\cisE272.exe Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f RemoveProxy: EmptyTemp: CMD: bitsadmin /reset /allusers
Save this as fixlist.txt, in the same location as FRST.exe
https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG
Run FRST and press Fix
On completion a log will be generated please post that
I was infected with a PUP process with adwcleaner seems to have gotten rid off.
My PC does feel a bit slower than normal so I just wanted to ensure that I am not infected.
I have attached the log.
Have you tried a defragment ?
Yes, I’m not too concerned about the speed, I’ll manage to get that sorted.
I’m more worried about the infections.
Log looks nice and clean now
Ah, thanks.
There’s nothing to worry about the policies set by Cryptoprevent, right?
Correct, I have a shedload of them on my system
Ah, thanks for the help.