Author Topic: Unknown MBR Code - funny behaviour at times  (Read 15072 times)


REDACTED

  • Guest
Re: Unknown MBR Code - funny behaviour at times
« Reply #15 on: August 26, 2014, 07:00:08 PM »
No, instead please run FRST one more time as follows:

Scan with Farbar Recovery Scan Tool

Please download Farbar Recovery Scan Tool and save it to your Desktop.
There will be two versions to download: 32-bit and 64-bit. Please download the one that is designed for your system. If you don't know which one it should be, download both of them and try each one out. Only one will run - this is the right one. Please leave it and delete the other.
  • Right-click on the icon and select Run as Administrator to start the tool.
    > XP users click run after receipt of Windows Security Warning - Open File.
    > 8 users will be prompted about Windows SmartScreen protection - click More information and Run.
  • When the tool opens click Yes to disclaimer.
  • Make sure that the Addition option is checked.
  • Press Scan button and wait.
  • The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.
Please include their content in your next reply.

REDACTED

  • Guest
Re: Unknown MBR Code - funny behaviour at times
« Reply #16 on: August 26, 2014, 07:20:36 PM »
Hey, the FRST is too long and I can't even include it in two replies. So I hope it is okay if I just attach the files, yeah?

REDACTED

  • Guest
Re: Unknown MBR Code - funny behaviour at times
« Reply #17 on: August 26, 2014, 07:24:59 PM »
Hey here are the FRST and Addition logs.

REDACTED

  • Guest
Re: Unknown MBR Code - funny behaviour at times
« Reply #18 on: August 27, 2014, 08:28:06 AM »
Scan with CKScanner

Download CKScanner by askey127 and save it to your desktop.
  • Right-click on the icon and select Run as Administrator to start the tool.
  • Click Search For Files.
  • When finished, click Save List To File.
  • Remember to run this tool once only, if not asked to run it again.
Please include the content of CKFiles.txt in your next reply.

REDACTED

  • Guest
Re: Unknown MBR Code - funny behaviour at times
« Reply #19 on: August 27, 2014, 10:34:32 AM »
Hey morning,
I ran the CKScanner and found the last two entries in the log file suspicious (maybe I am wrong). I must admit I once used a cracked version of Office 13. I have since removed the Office version and the KMS crack that it used. I thought I had removed everything (even with CCleaner), so I am not sure if this is related. Is there some serious problem?

CKScanner 2.4 - Additional Security Risks - These are not necessarily bad
c:\program files (x86)\matlab\r2013a\resources\pde\en\crackg.xml
c:\program files (x86)\matlab\r2013a\toolbox\pde\crackb.m
c:\program files (x86)\matlab\r2013a\toolbox\pde\crackg.m
c:\program files (x86)\matlab\r2013a\toolbox\pde\ja\crackb.m
c:\program files (x86)\matlab\r2013a\toolbox\pde\ja\crackg.m
c:\program files (x86)\matlab\r2014a\resources\pde\en\crackg.xml
c:\program files (x86)\matlab\r2014a\toolbox\pde\crackb.m
c:\program files (x86)\matlab\r2014a\toolbox\pde\crackg.m
c:\program files (x86)\matlab\r2014a\toolbox\pde\ja\crackb.m
c:\program files (x86)\matlab\r2014a\toolbox\pde\ja\crackg.m
c:\windows\system32\config\systemprofile\appdata\local\microsoft\clr_v2.0_32\usagelogs\multikms.exe.log
c:\windows\syswow64\config\systemprofile\appdata\local\microsoft\clr_v2.0_32\usagelogs\multikms.exe.log
scanner sequence 3.FF.11.LSNAXZ
 ----- EOF -----

EDIT: funny thing is I don't see the MultiKMS.exe.log when I follow the above path (I have activated the hidden files option).
« Last Edit: August 27, 2014, 10:37:49 AM by aixtester101 »

REDACTED

  • Guest
Re: Unknown MBR Code - funny behaviour at times
« Reply #20 on: August 27, 2014, 12:30:00 PM »
Good. Let's take care of uninstalls now.

Hitman Pro... this is what I usually paste users with HitmanPro installed:
Quote
In any case don't remove on your own anything that Hitman Pro detects!
This scanner, as it is really good for checking, has been known for deleting files instead of curing them, which in some cases may render the machine unbootable.
Any removals will be done manually after careful analysis of the scan results!

Bear this in mind, as it may really render a machine unbootable due to removal of infected files that should be cured.


Please tell me what other issues remain.

REDACTED

  • Guest
Re: Unknown MBR Code - funny behaviour at times
« Reply #21 on: August 27, 2014, 04:24:41 PM »
Hey, I ran HitmanPro. Detected FRST as false positive.

HitmanPro 3.7.9.221
www.hitmanpro.com

   Computer name . . . . : XXXXX
   Windows . . . . . . . : 6.3.0.9600.X64/4
   User name . . . . . . : XXXXX\XXXXX
   UAC . . . . . . . . . : Enabled
   License . . . . . . . : Trial (17 days left)

   Scan date . . . . . . : 2014-08-27 16:15:47
   Scan mode . . . . . . : Normal
   Scan duration . . . . : 4m 7s
   Disk access mode  . . : Direct disk access (SRB)
   Cloud . . . . . . . . : Internet
   Reboot  . . . . . . . : No

   Threats . . . . . . . : 0
   Traces  . . . . . . . : 2

   Objects scanned . . . : 2.414.769
   Files scanned . . . . : 22.789
   Remnants scanned  . . : 935.852 files / 1.456.128 keys

Suspicious files ____________________________________________________________

   C:\Users\XXXXX\Desktop\FRST-OlderVersion\FRST64.exe
      Size . . . . . . . : 2.101.760 bytes
      Age  . . . . . . . : 8.0 days (2014-08-19 17:14:29)
      Entropy  . . . . . : 7.5
      SHA-256  . . . . . : 9F1800B31D22595C5CC7853BE2BF6ACC824059774CB83B1DB161BCB8CD6A0063
      Needs elevation  . : Yes
      Fuzzy  . . . . . . : 23.0
         Program has no publisher information but prompts the user for permission elevation.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Time indicates that the file appeared recently on this computer.

   C:\Users\XXXXX\Desktop\FRST64.exe
      Size . . . . . . . : 2.103.296 bytes
      Age  . . . . . . . : 3.7 days (2014-08-23 22:58:03)
      Entropy  . . . . . : 7.5
      SHA-256  . . . . . : 1405F78FF116A9DC6E711F32582BCFBBE8B4B7EC5201E8E453CAC33824957D96
      Needs elevation  . : Yes
      Source URL . . . . : hxxp://download.bleepingcomputer.com/dl/215de54f31d8bcae606cdad41a3e23fb/53f9005a/windows/security/security-utilities/f/farbar-recovery-scan-tool/64/FRST64.exe
      Fuzzy  . . . . . . : 27.0
         Program has no publisher information but prompts the user for permission elevation.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         The file is downloaded from the Internet to this computer.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         Time indicates that the file appeared recently on this computer.
      Forensic Cluster
         -1.3s C:\Users\XXXXX\AppData\Local\Microsoft\Windows\INetCookies\P61W61YU.txt
         -1.3s C:\Users\XXXXX\AppData\Local\Microsoft\Windows\INetCache\IE\ZLV9ZWQD\82[1].htm
         -1.3s C:\Users\XXXXX\AppData\Local\Microsoft\Windows\INetCookies\9F4XK5YO.txt
         -1.3s C:\Users\XXXXX\AppData\Local\Microsoft\Windows\INetCookies\9F4XK5YO.txt
         -0.1s C:\Users\XXXXX\AppData\Local\Microsoft\Windows\INetCache\IE\I2RJ1WPS\FRST64[1].exe
          0.0s C:\Users\XXXXX\Desktop\FRST64.exe
          2.0s C:\Users\XXXXX\Desktop\FRST-OlderVersion\




REDACTED

  • Guest
Re: Unknown MBR Code - funny behaviour at times
« Reply #22 on: August 27, 2014, 04:39:08 PM »
I wasn't asking you to run HitmanPro. I told you - this scanner can be dangerous when used improperly and without some level of knowledge. There are well-known cases where it left the system unbootable, so for your own good leave it and don't use it to remove anything.

Quote
Please tell me what other issues remain.

REDACTED

  • Guest
Re: Unknown MBR Code - funny behaviour at times
« Reply #23 on: August 27, 2014, 04:48:03 PM »
Oh ok, sorry. :/
Yeah, I have to uninstall quite a few softwares that I have installed in the last few days. I have not encountered any problems yet (for example the Task Manager acting funny like I had mentioned). In your opinion the computer is completely clean?

REDACTED

  • Guest
Re: Unknown MBR Code - funny behaviour at times
« Reply #24 on: August 27, 2014, 05:04:17 PM »
It is. Let me now clean my toys :)

Clean with DelFix

Please download DelFix by Xplode and save it to your desktop.

  • Right-click on the icon and select Run as Administrator to start the tool.
  • Ensure that Remove disinfection tools, Purge system restore and Reset system settings are checked.
  • Push Run.
  • When finished, it will display a notepad report.
Include it for my review.
Please also manually reboot your machine after posting your logfile.

REDACTED

  • Guest
Re: Unknown MBR Code - funny behaviour at times
« Reply #25 on: August 27, 2014, 06:23:05 PM »
Haha, ok. Here's the DelFix log:

# DelFix v10.8 - Datei am 27/08/2014 um 17:26:22 erstellt
# Aktualisiert am 29/07/2014 von Xplode
# Benutzer : XXXXX - XXXXX
# Betriebssystem : Windows 8.1  (64 bits)

~ Entferne die Bereinigungsprogramme ...

Gelöscht : C:\FRST
Gelöscht : C:\zoek_backup
Gelöscht : C:\TDSSKiller_Quarantine
Gelöscht : C:\AdwCleaner
Gelöscht : C:\Users\XXXXX\Desktop\FRST-OlderVersion
Gelöscht : C:\Users\XXXXX\Desktop\mbar
Gelöscht : C:\dds.scr
Gelöscht : C:\TDSSKiller.3.0.0.40_24.08.2014_12.45.15_log.txt
Gelöscht : C:\TDSSKiller.3.0.0.40_24.08.2014_12.47.26_log.txt
Gelöscht : C:\TDSSKiller.3.0.0.40_24.08.2014_13.02.12_log.txt
Gelöscht : C:\TDSSKiller.3.0.0.40_24.08.2014_13.03.35_log.txt
Gelöscht : C:\TDSSKiller.3.0.0.40_24.08.2014_13.07.18_log.txt
Gelöscht : C:\zoek-results.log
Gelöscht : C:\Users\XXXXX\Desktop\Addition 230814.txt
Gelöscht : C:\Users\XXXXX\Desktop\Addition.txt
Gelöscht : C:\Users\XXXXX\Desktop\AdwCleaner[S0].txt
Gelöscht : C:\Users\XXXXX\Desktop\AdwCleaner[S1].txt
Gelöscht : C:\Users\XXXXX\Desktop\adwcleaner_3.308.exe
Gelöscht : C:\Users\XXXXX\Desktop\CKScanner.exe
Gelöscht : C:\Users\XXXXX\Desktop\dds.com
Gelöscht : C:\Users\XXXXX\Desktop\Defogger.exe
Gelöscht : C:\Users\XXXXX\Desktop\defogger_disable.log
Gelöscht : C:\Users\XXXXX\Desktop\defogger_enable.log
Gelöscht : C:\Users\XXXXX\Desktop\esetsmartinstaller_deu.exe
Gelöscht : C:\Users\XXXXX\Desktop\FRST 230814.txt
Gelöscht : C:\Users\XXXXX\Desktop\FRST.txt
Gelöscht : C:\Users\XXXXX\Desktop\FRST64.exe
Gelöscht : C:\Users\XXXXX\Desktop\JRT.txt
Gelöscht : C:\Users\XXXXX\Desktop\JRT_6.1.4.exe
Gelöscht : C:\Users\XXXXX\Desktop\MBR.dat
Gelöscht : C:\Users\XXXXX\Desktop\mbrmastr.exe
Gelöscht : C:\Users\XXXXX\Desktop\MBRMastr_2014.08.19_16.09.54.txt
Gelöscht : C:\Users\XXXXX\Desktop\MBRMastr_2014.08.24_14.28.17.txt
Gelöscht : C:\Users\XXXXX\Desktop\MbrScan.exe
Gelöscht : C:\Users\XXXXX\Desktop\MbrScan.log
Gelöscht : C:\Users\XXXXX\Desktop\RogueKiller.exe
Gelöscht : C:\Users\XXXXX\Desktop\tdsskiller.exe
Gelöscht : C:\Users\XXXXX\Desktop\zoek.exe
Gelöscht : HKLM\SOFTWARE\AdwCleaner

~ Lösche die Wiederherstellungspunkte ...

Gelöscht : RP #42 [zoek.exe restore point | 08/25/2014 13:11:40]

Ein neuer Wiederherstellungspunkt wurde erstellt !

~ Stelle die Systemeinstellungen wieder her ... OK

########## - EOF - ##########

REDACTED

  • Guest
Re: Unknown MBR Code - funny behaviour at times
« Reply #26 on: August 27, 2014, 08:02:59 PM »
So that's it. I'm sending you on your merry way :)

Recommended reading:

MUST READ - security tips: Computer Security - a short guide to staying safer online.
MUST READ - general maintenance: What to do if your Computer is running slowly?

 
Recommended additional software:

TFC - to clean unneeded temporary files.
Malwarebytes' Anti-Malware - to scan your system from time to time in search of malware.
Malwarebytes' Anti-Exploit - to prevent plenty of mostly exploited vulnerabilities.
McShield - to prevent infections spread by removable media.
CryptoPrevent - to secure yourself from very severe CryptoLocker infection.
Unchecky - to prevent from installing additional foistware, implemented in legitimate installations.


Now if you have any other questions, feel free to ask me. Otherwise simply acknowledge my recommendations and this topic will be closed.



Stay safe,
Naat :)

REDACTED

  • Guest
Re: Unknown MBR Code - funny behaviour at times
« Reply #27 on: August 27, 2014, 08:18:45 PM »
Hi Naat,

the laptop and especially the browser seem to be working ok. Thanks so much for taking time out and helping me! I'll go through the links above about safe browsing etc. Dziekuje bardzo! Cheers!

REDACTED

  • Guest
Re: Unknown MBR Code - funny behaviour at times
« Reply #28 on: August 27, 2014, 09:32:22 PM »
You're welcome :)