Suspicious message when initializing windows

Koentro

Mar 13, 2015
Good afternoon, everybody.

My PC is shared with 3 other members of my family; nobody is under age and they have the basics for using a PC. Yesterday, I was told one of them downloaded something and the PC got many unwanted programs and files, meaning weird software was installed and very probably viruses got in as well. I tried restoring Windows but without success. Then I decided to get RevoUninstallerPro to get rid of those unwanted programs, by deleting not only the programs, but also the keys, registry entries and so on. Whenever I went back to RevoUninstallerPro, I saw some of those program names but no action could be taken. Then I decided to get AdwCleaner to get rid of leftovers and I had to run it about 7 or 8 times. Meanwhile, I also used Kaspersky Virus Removal Tool about 5 times, doing a full scan once. In the last two attempts of using the Kaspersky tool, it found no threat, same with AdwCleaner; now they find nothing, but two things intrigue me: a weird message appears whenever I restart Windows (I'll tell about it later on) and Windows Defender was disabled and gives me error 0x800704ec. I searched on the internet for how to enable Windows Defender, through cmd and also going to regedit to give it total access and control over all users, but none of those let me enable it again. I ran Windows Defender about 3 weeks ago and by then I didn't have the Windows warning flag to warn me about that problem (I have that flag now telling me to enable Windows Defender as soon as possible).

The other problem is that, whenever I start Windows, a window without any program name appears and shows random stuff, ranging from ''hot deals'' to buy things to installing weird software and toolbars (MyStartSearch, for instance). Sometimes it pops up out of nothing saying ''Thank you for using our software, would you like to install this and that?''. I tried to start Windows without an internet connection, and the window appears without anything to say (due to lack of internet connection), but it still appears anyway. The last time I started Windows, I managed to stay calm and try to extract the maximum information I could from that window and I got this:

[screenshot: the unnamed window]


I was really hoping it could be connected to the Internet Explorer browser, since it was the only browser I hadn't reinstalled (I reinstalled Google Chrome only). Also, during the unwanted-programs infection, the Opera browser was installed, but then I removed it - hopefully - completely.

So, to sum up: My PC got infected by unwanted programs that disabled Windows Defender and made a weird window appear whenever I start Windows, showing me offers and random software for installation, even though I removed them all with RevoUninstallerPRO.

Maybe the following information will help us to solve this:

- Unwanted programs installed: CinemaPlus, Shoppers, YTDownloader, SavePass, adblocker, Opera browser and SearchProtect (it's kind of an anti-virus, so I believe it caused Windows Defender to be totally disabled).

PC config:

- Processor: intel i5 4440
- Mobo: GA-B85M-HD3
- GPU: GTS 450 Zotac 1GB DDR 3
- PSU: Thermaltake 550W
- RAM: 4GB
- Windows 7 Ultimate 64 bits

P.S.: I'm thinking of formatting the system to start anew, but then I have tons of important files here. I was considering using flash drives to store my files and then putting them in the newly installed Windows. Thing is that I'm afraid the flash drive that gets the important files might end up corrupted by some weird virus and corrupt the new Windows. Would it hurt the flash drive, even though Kaspersky says there's no threat?

Thank you very much in advance.
 
Adware up the wazoo here. Download and run AdwCleaner and as before check anything it comes up with for cleaning. Then download and run Junkware Removal Tool and let it get rid of anything it detects. Then run Malwarebytes and quarantine anything it comes up with. Post the logs from these scans in your next post to see what it got. Also consider that Windows Defender is not a good antivirus program. Even MS will admit that. lol. Try Avast.
http://www.bleepingcomputer.com/download/adwcleaner/
http://www.bleepingcomputer.com/download/junkware-removal-tool/
https://www.malwarebytes.org/
https://www.avast.com/index
 


Here are the logs:

Adwcleaner

# AdwCleaner v4.206 - Relatório criado 09/06/2015 às 15:58:22
# Atualizado 01/06/2015 por Xplode
# Base de dados : 2015-06-09.1 [Servidor]
# Sistema operacional : Windows 7 Ultimate Service Pack 1 (x64)
# Usuário : ADM - ADM-PC
# Executando de : C:\Users\ADM\Downloads\adwcleaner_4.206.exe
# Opção : Verificar

***** [ Serviços ] *****


***** [ Arquivos / Pastas ] *****


***** [ Tarefas agendadas ] *****


***** [ Atalhos ] *****


***** [ Registro ] *****


***** [ Navegadores ] *****

-\\ Internet Explorer v11.0.9600.17728


-\\ Google Chrome v43.0.2357.124


*************************

AdwCleaner[R0].txt - [21894 bytes] - [31/01/2015 15:39:26]
AdwCleaner[R10].txt - [1771 bytes] - [09/06/2015 12:58:45]
AdwCleaner[R11].txt - [1831 bytes] - [09/06/2015 13:24:17]
AdwCleaner[R12].txt - [1891 bytes] - [09/06/2015 13:57:18]
AdwCleaner[R13].txt - [868 bytes] - [09/06/2015 15:58:22]
AdwCleaner[R1].txt - [907 bytes] - [08/06/2015 23:05:28]
AdwCleaner[R2].txt - [1052 bytes] - [08/06/2015 23:39:37]
AdwCleaner[R3].txt - [2022 bytes] - [09/06/2015 02:28:55]
AdwCleaner[R4].txt - [1202 bytes] - [09/06/2015 02:33:33]
AdwCleaner[R5].txt - [2131 bytes] - [09/06/2015 09:04:52]
AdwCleaner[R6].txt - [1591 bytes] - [09/06/2015 11:21:56]
AdwCleaner[R7].txt - [1792 bytes] - [09/06/2015 11:51:07]
AdwCleaner[R8].txt - [1700 bytes] - [09/06/2015 12:08:20]
AdwCleaner[R9].txt - [1741 bytes] - [09/06/2015 12:46:30]
AdwCleaner[S0].txt - [16943 bytes] - [31/01/2015 15:40:58]
AdwCleaner[S1].txt - [1107 bytes] - [09/06/2015 02:21:53]
AdwCleaner[S2].txt - [2065 bytes] - [09/06/2015 02:30:44]
AdwCleaner[S3].txt - [2176 bytes] - [09/06/2015 09:06:51]
AdwCleaner[S4].txt - [1841 bytes] - [09/06/2015 11:52:30]
AdwCleaner[S5].txt - [1754 bytes] - [09/06/2015 12:10:11]
AdwCleaner[S6].txt - [1796 bytes] - [09/06/2015 12:48:05]

########## EOF - C:\AdwCleaner\AdwCleaner[R13].txt - [1871 bytes] ##########



Now Junkware Removal Tool

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.9.1 (06.08.2015:1)
OS: Windows 7 Ultimate x64
Ran by ADM on 09/06/2015 at 15:17:43,48
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Tasks



~~~ Registry Values



~~~ Registry Keys



~~~ Files



~~~ Folders

Successfully deleted: [Folder] C:\Program Files (x86)\baidu security
Successfully deleted: [Folder] C:\Users\ADM\appdata\local\crashrpt
Successfully deleted: [Folder] C:\Users\ADM\appdata\local\installer
Successfully deleted: [Folder] C:\Users\ADM\appdata\local\slimware utilities inc
Successfully deleted: [Folder] C:\Users\ADM\appdata\locallow\company
Successfully deleted: [Folder] C:\Windows\syswow64\ai_recyclebin
Successfully deleted: [Folder] C:\ProgramData\12db864551ae4c578eb17db1a9f5d3cf



~~~ Chrome


[C:\Users\ADM\appdata\local\Google\Chrome\User Data\Default\Preferences] - default search provider reset

[C:\Users\ADM\appdata\local\Google\Chrome\User Data\Default\Preferences] - Extensions Deleted:

[C:\Users\ADM\appdata\local\Google\Chrome\User Data\Default\Secure Preferences] - default search provider reset

[C:\Users\ADM\appdata\local\Google\Chrome\User Data\Default\Secure Preferences] - Extensions Deleted:
[]





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 09/06/2015 at 15:22:44,55
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Malwarebytes

Malwarebytes Anti-Malware
www.malwarebytes.org

Data da Verificação: 09/06/2015
Hora da Verificação: 15:32:04
Arquivo de Log: Log.txt
Administrador: Sim

Versão: 2.01.6.1022
Base de Dados de Malware: v2015.03.09.05
Base de Dados de Rootkit: v2015.06.02.01
Licença: Avaliação Gratuita
Proteção de Malware: Habilitado
Proteção de Site Malicioso: Habilitado
Auto-Proteção: Desabilitado

SO: Windows 7 Service Pack 1
Processador: x64
Sistema de Arquivos: NTFS
Usuário: ADM

Tipo da Verificação: Verificar Ameaça
Resultado: Terminado
Objetos Verificados: 372651
Tempo Decorrido: 19 min, 40 seg

Memória: Habilitado
Inicialização: Habilitado
Sistema de Arquivos: Habilitado
Arquivos Compactados: Habilitado
Rootkits: Desabilitado
Heurística: Habilitado
PUP: Habilitado
PUM: Habilitado

Processos: 0
(Nenhum item malicioso detectado)

Módulos: 0
(Nenhum item malicioso detectado)

Chaves de Registro: 12
PUP.Optional.CinemaPlus.A, HKLM\SOFTWARE\WOW6432NODE\CinemaPlus-3.2cV08.06-nv, , [bebbd271404a13234e85ab0c0cf715eb],
PUP.Optional.CinemaPlus.A, HKLM\SOFTWARE\WOW6432NODE\CinemaPlus-3.2cV08.06-nv-ie, , [d1a887bc95f58babffd46651a360e61a],
PUP.Optional.SavePass.A, HKLM\SOFTWARE\WOW6432NODE\SavePass 1.1-nv, , [4a2f2f14e7a3003627d09c2c709346ba],
PUP.Optional.SavePass.A, HKLM\SOFTWARE\WOW6432NODE\SavePass 1.1-nv-ie, , [5e1b50f31278b68051a61fa956adff01],
PUP.Optional.CinemaPlus.A, HKU\S-1-5-18\SOFTWARE\CinemaPlus-3.2cV08.06-nv, , [c9b071d274165adcf1e310a7659e16ea],
PUP.Optional.CinemaPlus.A, HKU\S-1-5-18\SOFTWARE\CinemaPlus-3.2cV08.06-nv-ie, , [14650f34246670c630a4c5f2b64dd12f],
PUP.Optional.SavePass.A, HKU\S-1-5-18\SOFTWARE\SavePass 1.1-nv, , [a3d6a59e71197db96b8d8c3c758e03fd],
PUP.Optional.SavePass.A, HKU\S-1-5-18\SOFTWARE\SavePass 1.1-nv-ie, , [483176cdb7d369cdab4deade5aa95da3],
PUP.Optional.CinemaPlus.A, HKU\S-1-5-21-1873337726-2919121028-2996764725-1000\SOFTWARE\CinemaPlus-3.2cV08.06-nv, , [15648db61b6f2d099c387443bb4849b7],
PUP.Optional.CinemaPlus.A, HKU\S-1-5-21-1873337726-2919121028-2996764725-1000\SOFTWARE\CinemaPlus-3.2cV08.06-nv-ie, , [17628cb7eaa01422fed66750d03356aa],
PUP.Optional.SavePass.A, HKU\S-1-5-21-1873337726-2919121028-2996764725-1000\SOFTWARE\SavePass 1.1-nv, , [2b4e70d35535c1759860a028d033857b],
PUP.Optional.SavePass.A, HKU\S-1-5-21-1873337726-2919121028-2996764725-1000\SOFTWARE\SavePass 1.1-nv-ie, , [46335ce741495adc29cf83452cd7bf41],

Valores de Registro: 0
(Nenhum item malicioso detectado)

Dados de Registro: 0
(Nenhum item malicioso detectado)

Pastas: 2
PUP.Optional.GlobalUpdate.A, C:\Users\ADM\AppData\Local\Temp\comh.26289, , [bebb4bf8a4e67cbaaadfb7cbd33014ec],
PUP.Optional.GlobalUpdate.A, C:\Users\ADM\AppData\Local\Temp\comh.490919, , [c2b77dc62a60a2945138265c778ce11f],

Arquivos: 26
PUP.Optional.Nova.A, C:\Program Files (x86)\ArcGIS\236a0d12-23d8-49ee-81ae-ef1e2f5e9ac5.dll, , [81f8b78c404a3303ce405caf91716c94],
PUP.Optional.Nova.A, C:\Program Files (x86)\ArcGIS\499ad6a3-8467-46fa-a1fc-3a2e79175e1d.dll, , [661345fe8901c571bb53020916ec45bb],
PUP.Optional.CrossRider.A, C:\Users\ADM\AppData\Local\Temp\7104.exe, , [473258ebf694af87cd9791831fe7e917],
PUP.Optional.SavePass.A, C:\Users\ADM\AppData\Local\Temp\8623.exe, , [30494df69feb2313e2aed3445ca6d828],
PUP.Optional.OpenCandy, C:\Users\ADM\Downloads\PhotoScape_V3.7.exe, , [1e5bee55aedc2e089f8a17f154b213ed],
PUP.Optional.OpenCandy, C:\Users\ADM\Downloads\PowerISO6-x64.exe, , [2455be8594f6cb6b85a434d4ef17f30d],
PUP.Optional.GlobalUpdate.A, C:\Users\ADM\AppData\Local\Temp\comh.26289\globalupdate.exe, , [bebb4bf8a4e67cbaaadfb7cbd33014ec],
PUP.Optional.GlobalUpdate.A, C:\Users\ADM\AppData\Local\Temp\comh.26289\globalupdateBroker.exe, , [bebb4bf8a4e67cbaaadfb7cbd33014ec],
PUP.Optional.GlobalUpdate.A, C:\Users\ADM\AppData\Local\Temp\comh.26289\globalupdateCrashHandler.exe, , [bebb4bf8a4e67cbaaadfb7cbd33014ec],
PUP.Optional.GlobalUpdate.A, C:\Users\ADM\AppData\Local\Temp\comh.26289\globalupdateHelper.msi, , [bebb4bf8a4e67cbaaadfb7cbd33014ec],
PUP.Optional.GlobalUpdate.A, C:\Users\ADM\AppData\Local\Temp\comh.26289\globalupdateOnDemand.exe, , [bebb4bf8a4e67cbaaadfb7cbd33014ec],
PUP.Optional.GlobalUpdate.A, C:\Users\ADM\AppData\Local\Temp\comh.26289\goopdate.dll, , [bebb4bf8a4e67cbaaadfb7cbd33014ec],
PUP.Optional.GlobalUpdate.A, C:\Users\ADM\AppData\Local\Temp\comh.26289\goopdateres_en.dll, , [bebb4bf8a4e67cbaaadfb7cbd33014ec],
PUP.Optional.GlobalUpdate.A, C:\Users\ADM\AppData\Local\Temp\comh.26289\npglobalupdateUpdate4.dll, , [bebb4bf8a4e67cbaaadfb7cbd33014ec],
PUP.Optional.GlobalUpdate.A, C:\Users\ADM\AppData\Local\Temp\comh.26289\psmachine.dll, , [bebb4bf8a4e67cbaaadfb7cbd33014ec],
PUP.Optional.GlobalUpdate.A, C:\Users\ADM\AppData\Local\Temp\comh.26289\psuser.dll, , [bebb4bf8a4e67cbaaadfb7cbd33014ec],
PUP.Optional.GlobalUpdate.A, C:\Users\ADM\AppData\Local\Temp\comh.490919\globalupdate.exe, , [c2b77dc62a60a2945138265c778ce11f],
PUP.Optional.GlobalUpdate.A, C:\Users\ADM\AppData\Local\Temp\comh.490919\globalupdateBroker.exe, , [c2b77dc62a60a2945138265c778ce11f],
PUP.Optional.GlobalUpdate.A, C:\Users\ADM\AppData\Local\Temp\comh.490919\globalupdateCrashHandler.exe, , [c2b77dc62a60a2945138265c778ce11f],
PUP.Optional.GlobalUpdate.A, C:\Users\ADM\AppData\Local\Temp\comh.490919\globalupdateHelper.msi, , [c2b77dc62a60a2945138265c778ce11f],
PUP.Optional.GlobalUpdate.A, C:\Users\ADM\AppData\Local\Temp\comh.490919\globalupdateOnDemand.exe, , [c2b77dc62a60a2945138265c778ce11f],
PUP.Optional.GlobalUpdate.A, C:\Users\ADM\AppData\Local\Temp\comh.490919\goopdate.dll, , [c2b77dc62a60a2945138265c778ce11f],
PUP.Optional.GlobalUpdate.A, C:\Users\ADM\AppData\Local\Temp\comh.490919\goopdateres_en.dll, , [c2b77dc62a60a2945138265c778ce11f],
PUP.Optional.GlobalUpdate.A, C:\Users\ADM\AppData\Local\Temp\comh.490919\npglobalupdateUpdate4.dll, , [c2b77dc62a60a2945138265c778ce11f],
PUP.Optional.GlobalUpdate.A, C:\Users\ADM\AppData\Local\Temp\comh.490919\psmachine.dll, , [c2b77dc62a60a2945138265c778ce11f],
PUP.Optional.GlobalUpdate.A, C:\Users\ADM\AppData\Local\Temp\comh.490919\psuser.dll, , [c2b77dc62a60a2945138265c778ce11f],

Setores Físicos: 0
(Nenhum item malicioso detectado)


(end)


Some parts are in Portuguese, my mother tongue, but I can translate anything you find relevant so you can understand. Thank you very much for analyzing the logs.

 


So, aldan, it's running fine, though I noticed this process running in my task manager: luudeuo.exe. It seems weird to me, as I've never seen it here. I also opened where it's located. I tried to search on the internet but found nothing regarding it. I found it weird because I was on Google Chrome and suddenly got redirected to that very page of my first screenshot, all of a sudden. I have the feeling whatever made me redirect to that shopping page was struggling against Malwarebytes. So, I opened this luudeuo.exe process's location and I see this folder named RunkRolv, mind the file dates:

[screenshot: the RunkRolv folder, part 1]


and

[screenshot: the RunkRolv folder, part 2]


The dates range mostly from the day of the infection up to today, so I'm considering it could be something harmful. Could you maybe compare with your task manager or even tell me if this luudeuo.exe process is safe or something strange? I found nothing about it or RunkRolv, like 1 or 2 results on Google. If deleting is a must, how should I proceed in order to do it? There's an uninstall.exe in that folder (one of the last items in the second screenshot), but I'm not sure about it, as I've seen weird uninstall.exe files that disappear after being clicked on and do nothing; maybe delete the folder? What would you suggest?

Thank you for the help once more.

P.S.: Microsoft asked me to run Malicious Software Removal Tool, as you can see in this screenshot (Ferramenta de remoção de Software mal-intencionado)

[screenshot: task manager, luudeuo.exe marked]


luudeuo.exe is marked in the screenshot above. Thanks.


EDIT: That weird window randomly appeared again like this:

[screenshot: the weird window, second occurrence]


Thing is that I started to compare the task manager screenshot I posted first in this post (before the weird window occurrence) with it open now, and I'm marking the only different process I saw from the comparison:

[screenshot: task manager comparison, dllhost.exe marked in green]


dllhost.exe in green refers to COM Surrogate, which I don't know what it is, but searching on the internet, it seems it's not something bad or so. However, luudeuo.exe is still running. What is my guess? I think luudeuo.exe has been struggling against Malwarebytes to win and pop up as it did now. Why do I think so? Microsoft Malicious Software Removal Tool was running so heavily that I attempted to close the weird unnamed window and the system got so overloaded that the message ''luudeuo.exe stopped working, please wait'' appeared as the weird window got a bit blurry, meaning it might be highly associated with that weird window. Just reminding that luudeuo.exe is associated with the RunkRolv folder, both unable to be found on Google.

What do you think?

This registry path should also be useful - C:\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\cumymuf, related to Cscservice. There's also a daynezyfmo folder, which gives no result on Google as well:

[screenshot: the cumymuf service key and the daynezyfmo folder]


Thank you.
 


Yes, I do. Ok, I'll keep on waiting before doing any move.
 
Only thing I can find is in Vietnamese and the translation is just as hard to understand. lol. Looks like it's something you can definitely do without. Is there anything in Control Panel > Programs and Features that looks like this? Can you post a screenshot of Programs and Features?
 


Yeah, there's nothing here that looks like those names. Yes, I can post the screenshots of Programs and Features:

[screenshots: Programs and Features, four pages]


Thanks.

EDIT: If you want me to explain and give reference of each program you ask me, I'll do it.
 
You go back to ProgramData\RunkRolv, then see all, then start with luuseuo and the 3 others with the same date and time, delete them, then stop it in the processes. After that open the registry and delete all the RunkRolv keys until it does not find any more. After this use CCleaner and load this to scan the registry again for leftover keys: http://www.glarysoft.com/ (the free one). This is a popup extension you have in the Chrome browser; you may have to delete it also from there and restore your regular search page.
 
Solution
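Before deleting anything by hand, it helps to see every place the suspicious folder is wired into the system. The following triage script is an added example, not code from the thread or either helper; it is written for PowerShell on the Windows 7 machine described, only reads (it deletes nothing), and the parameter defaults (process luudeuo, folder RunkRolv under ProgramData, service cumymuf) are assumptions taken from the names reported in the thread. Run it from an elevated PowerShell prompt.

```powershell
# Added triage script (not from the thread). Read-only: lists where the suspect
# process runs from, the folder's files by creation time, autostart entries and
# services that reference it, and whether Defender is switched off by policy.
param(
    [string]$ProcessName = 'luudeuo',   # assumption: name seen in task manager
    [string]$FolderHint  = 'RunkRolv',  # assumption: folder under ProgramData
    [string]$ServiceName = 'cumymuf'    # assumption: service key named in thread
)

# 1. Where does the suspicious process actually run from?
foreach ($p in (Get-Process -Name $ProcessName -ErrorAction SilentlyContinue)) {
    "Process {0} (PID {1}) path: {2}" -f $p.Name, $p.Id, $p.Path
}

# 2. The folder's files sorted by creation time. The solution post relies on the
#    dropped files sharing one creation timestamp, so sort on that column.
$folder = Join-Path $env:ProgramData $FolderHint
if (Test-Path $folder) {
    Get-ChildItem -Path $folder -Recurse -Force |
        Sort-Object CreationTime |
        Select-Object FullName, CreationTime, LastWriteTime, Length |
        Format-Table -AutoSize
}

# 3. Run/RunOnce entries (64-bit and WOW6432Node views, machine and user) whose
#    value mentions the folder or the process name.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    # Skip the PS* metadata properties PowerShell adds to every registry item.
    foreach ($entry in ($props.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' })) {
        if ("$($entry.Value)" -match "$FolderHint|$ProcessName") {
            "Autostart: {0} \ {1} = {2}" -f $key, $entry.Name, $entry.Value
        }
    }
}

# 4. Services whose binary lives in the folder, plus the service named in the thread.
#    Get-WmiObject is used because Windows 7 ships PowerShell 2.0.
Get-WmiObject Win32_Service |
    Where-Object { $_.Name -eq $ServiceName -or "$($_.PathName)" -match $FolderHint } |
    Select-Object Name, DisplayName, State, StartMode, PathName |
    Format-List

# 5. Error 0x800704ec is ERROR_ACCESS_DISABLED_BY_POLICY; the DisableAntiSpyware
#    policy value is the usual reason Defender reports it.
$pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
if (Test-Path $pol) {
    $v = (Get-ItemProperty -Path $pol -ErrorAction SilentlyContinue).DisableAntiSpyware
    if ($v -eq 1) { "Windows Defender is disabled by policy: DisableAntiSpyware=1 under $pol" }
}
```

Anything the script lists under steps 3 and 4 is what keeps the folder coming back after a file delete, so those entries are the ones to remove together with the files.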


Fine, I'll do it. Whenever I find the bad key, should I also delete the folder where it's located?
 


I'll try what Scout said about deleting and then I'll post results. The issue was going on even without an internet connection. It's been hard to end the process, but I'll do it in Safe Mode without internet.

I'll post the results soon.
 
Aldan and Scout, thank you very much for the help. You both did an amazing job, I'm very thankful for this and for the knowledge I got here. Detecting the process and deleting it along with its keys and registry entries was the solution, even though aldan also provided an awesome solution. Hard to pick the best one. I picked that one so people with similar problems can check task manager right away.

Two days listening to Street Fighter Guile's theme to deal with it! Thank you two!!
 
