Can't delete UCGuard

Hello,

• Download MalwareBytes Anti Malware here.
• Launch MalwareByte's Anti Malware from your desktop
• Click on the tab Settings -> Detection & Protection -> PUP/PUM and check "Treat these detections like malware".
• Tab Exam choose Threats, click on Scan now, and click on Launch the exam.
• If something is detected, choose to Quarantine everything. If it asks you to reboot the computer, do it.
• After the reboot (or at the end of the exam), launch Malwarebytes -> click on History -> Application logs -> Select the last exam log -> Show.
• Click on Export -> text file (*.txt) -> Choose the desktop as destination, name the file "report-mbam" for example, and click on Save.
• Paste the logfile in your next answer.

Best regards,

I don't have a tab "Exam" . Do you mean the "Scan one"? ( https://gyazo.com/3a8031657b4499e05de41e695c64fcb2  ) If it is indeed that tab, I think this is what you want:

Malwarebytes Anti-Malware www.malwarebytes.org

Scan Date: 30/09/2016 Scan Time: 00:32 Logfile: test.txt Administrator: Yes

Version: 2.2.1.1043 Malware Database: v2016.09.29.13 Rootkit Database: v2016.09.26.02 License: Free Malware Protection: Disabled Malicious Website Protection: Disabled Self-protection: Disabled

OS: Windows 10 CPU: x64 File System: NTFS User: Pedro Teixeira

Scan Type: Threat Scan Result: Completed Objects Scanned: 333306 Time Elapsed: 6 min, 21 sec

Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Enabled PUM: Enabled

Processes: 0 (No malicious items detected)

Modules: 0 (No malicious items detected)

Registry Keys: 0 (No malicious items detected)

Registry Values: 0 (No malicious items detected)

Registry Data: 0 (No malicious items detected)

Folders: 0 (No malicious items detected)

Files: 5 PUP.Optional.Trotux, C:\Users\Pedro Teixeira\AppData\Roaming\Profiles\Graied.default\prefs.js, Good: (), Bad: (user_pref("browser.search.searchengine.hp", "http://www.trotux.com/?z=6db978ed94a770620263118g0zamfc4c3m4oemcobt&from=clc&uid=WDCXWD10EZEX-00BN5A0_WD-WCC3F4KP0E9UP0E9U&type=hp");), Replaced,[eb06ee89504a60d64a5aa9438282956b] PUP.Optional.Trotux, C:\Users\Pedro Teixeira\AppData\Roaming\Profiles\Graied.default\prefs.js, Good: (), Bad: (ref("browser.cache.disk.capacity", 358400); user_pref("browser.cache.disk.filsmart_size.use_old_max", false); user_pref("browser.cache.frecency_experiment", 2); user_pref("browser.download.dir", "D:), Replaced,[bb36f582693139fdb7ed4ba115efe31d] PUP.Optional.Trotux, C:\Users\Pedro Teixeira\AppData\Roaming\Profiles\Graied.default\prefs.js, Good: (), Bad: (r_pref("browser.cache.frecency_experiment", 2); user_pref("browser.download.dir", "D:\\Downloads"); user_pref("browser.download.folderList", 2); user_pref("browser.download.importedFromSqlite", true)), Replaced,[727f235463372d09f7adc82440c455ab] PUP.Optional.Trotux, C:\Users\Pedro Teixeira\AppData\Roaming\Profiles\Graied.default\prefs.js, Good: (), Bad: (.capacity", 358400); user_pref("browser.cache.disk.f), Replaced,[30c1532484166cca950f727a0bf9aa56] PUP.Optional.Trotux, C:\Users\Pedro Teixeira\AppData\Roaming\Profiles\Graied.default\prefs.js, Good: (), Bad: ("browser.download.save_converter_index", 0); user_pref("browser.migration.version", 37);

user_pref("browser.newtabpage.enhanced", true); user_pref("browser.newtabpage.), Replaced,[d918ed8a0b8f94a26b397f6d729251af]

Physical Sectors: 0 (No malicious items detected)

(end)

And this is what went to quarantine:

https://gyazo.com/5be47efeb58258eaa48f2ffaf39c3b35

it did not ask me to restart my computer

Trying it now while I wait for the admin to answer, thank you! I'll leave feedback in a moment

So I was really happy that roguekiller found ucguard.sys.. was suposed to remove it but I scanned with adwcleaner and it's still there.. This UCGuard is really annoying, ffs..

the problem is that it actually found the ucguard.sys.. and then it asked me to restart the computer to remove it but it is still there

Yes, it shows nothing. I've tried many malware removal software and most of them show nothing. But adwcleaner and roguekiller still show the UCGuard. And I can't delete it with them

Hello,

@gamezertruth: Thanks for the help, but it's preferable if the person who first took the topic keeps it until resolution, except if she/he needs help.

@pedromatt:

We'll proceed differently:

• Download FRST
• Right-click on the file -> "Execute as Administrator"
• Click on the "Scan" button
• The logfile is saved as FRST.txt , and additional informations are in Addition.txt.
• Please host them on Up2Share and share the generated link.

Best regards,

Thank you for both your help.

Here is FRST.txt:

https://up2sha.re/file?f=9bmBOjvBMkSo

Here is Addition.txt:

https://up2sha.re/file?f=FgNuwG6LAtc0

Help please

Hello,

Sorry for the delay. I'll answer you in a few hours.

no problem..

pedromatt,

1) Do  you have installed Driver Booster? If yes, then I advise you to uninstall.

2) Download fixlist.txt file and save it to the Desktop.

NOTE. It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST/FRST64 and press the Fix button just once and wait. If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run. When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

pedromatt,

 

1) Do  you have installed Driver Booster? If yes, then I advise you to uninstall.

 

2) Download fixlist.txt file and save it to the Desktop.

NOTE. It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST/FRST64 and press the Fix button just once and wait. If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run. When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

 

 

---

regist, 2016-10-06 18:54:21 (UTC)

Sorry wasn't here last night. Thank you for your help, here is the fixlog.txt:

Fix result of Farbar Recovery Scan Tool (x64) Version: 04-10-2016 Ran by Pedro Teixeira (07-10-2016 17:19:34) Run:1 Running from C:\Users\Pedro Teixeira\Desktop\fix Loaded Profiles: Pedro Teixeira (Available Profiles: Pedro Teixeira) Boot Mode: Normal ==============================================

fixlist content: ***************** start CreateRestorePoint: Task: {86778E9B-77C0-4E94-A719-46F27E81F666} - System32\Tasks\UCBrowserUpdater => C:\Program Files (x86)\UCBrowser\Application\update_task.exe <==== ATTENTION Task: C:\WINDOWS\Tasks\UCBrowserUpdater.job => C:\Program Files (x86)\UCBrowser\Application\update_task.exe <==== ATTENTION 127.0.0.1       down.baidu2016.com 127.0.0.1       123.sogou.com 127.0.0.1       www.czzsyzgm.com 127.0.0.1       www.czzsyzxl.com 127.0.0.1       union.baidu2019.com 127.0.0.1       down.baidu2016.com 127.0.0.1       123.sogou.com 127.0.0.1       www.czzsyzgm.com 127.0.0.1       www.czzsyzxl.com 127.0.0.1       union.baidu2019.com HKLM-x32\...\Run: [] => [X] HKLM-x32\...\Run: [win_en_77] => [X] ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  No File ShellIconOverlayIdentifiers: [KzShlobj2] -> {AAA0C5B8-933F-4200-93AD-B143D7FFF9F3} =>  No File GroupPolicy: Restriction <======= ATTENTION R1 UCGuard; C:\Windows\System32\DRIVERS\ucguard.sys [81792 2016-08-02] (Huorong Borui (Beijing) Technology Co., Ltd.) <==== ATTENTION U0 aswVmm; no ImagePath Folder: C:\Program Files (x86)\gq0FF58 2016-09-08 23:13 - 2016-09-08 23:13 - 00000000 ____D C:\ProgramData\Avira 2016-09-08 23:13 - 2016-09-08 23:13 - 00000000 ____D C:\ProgramData\Avg Folder: C:\WINDOWS\Ogiedplofipy 2016-09-08 23:09 - 2016-09-08 23:14 - 00000000 ____D C:\Users\Pedro Teixeira\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\UC浏览器 2016-09-08 23:08 - 2016-09-30 19:57 - 00000506 _____ C:\WINDOWS\Tasks\UCBrowserUpdater.job EmptyTemp: Reboot: end *****************

Restore point was successfully created. "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{86778E9B-77C0-4E94-A719-46F27E81F666}" => key removed successfully "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{86778E9B-77C0-4E94-A719-46F27E81F666}" => key removed successfully C:\WINDOWS\System32\Tasks\UCBrowserUpdater => moved successfully "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\UCBrowserUpdater" => key removed successfully C:\WINDOWS\Tasks\UCBrowserUpdater.job => moved successfully 127.0.0.1       down.baidu2016.com => Error: No automatic fix found for this entry. 127.0.0.1       123.sogou.com => Error: No automatic fix found for this entry. 127.0.0.1       www.czzsyzgm.com => Error: No automatic fix found for this entry. 127.0.0.1       www.czzsyzxl.com => Error: No automatic fix found for this entry. 127.0.0.1       union.baidu2019.com => Error: No automatic fix found for this entry. 127.0.0.1       down.baidu2016.com => Error: No automatic fix found for this entry. 127.0.0.1       123.sogou.com => Error: No automatic fix found for this entry. 127.0.0.1       www.czzsyzgm.com => Error: No automatic fix found for this entry. 127.0.0.1       www.czzsyzxl.com => Error: No automatic fix found for this entry. 127.0.0.1       union.baidu2019.com => Error: No automatic fix found for this entry. HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\win_en_77 => value removed successfully "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\00avast" => key removed successfully HKCR\CLSID\{472083B0-C522-11CF-8763-00608CC02F24} => key not found. "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\KzShlobj2" => key removed successfully HKCR\CLSID\{AAA0C5B8-933F-4200-93AD-B143D7FFF9F3} => key not found. C:\WINDOWS\system32\GroupPolicy\Machine => moved successfully C:\WINDOWS\system32\GroupPolicy\GPT.ini => moved successfully UCGuard => Unable to stop service. UCGuard => service removed successfully aswVmm => service removed successfully

========================= Folder: C:\Program Files (x86)\gq0FF58 ========================

====== End of Folder: ======

C:\ProgramData\Avira => moved successfully C:\ProgramData\Avg => moved successfully

========================= Folder: C:\WINDOWS\Ogiedplofipy ========================

C:\WINDOWS\Ogiedplofipy => File

====== End of Folder: ======

C:\Users\Pedro Teixeira\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\UC浏览器 => moved successfully "C:\WINDOWS\Tasks\UCBrowserUpdater.job" => not found.

=========== EmptyTemp: ==========

BITS transfer queue => 1135043 B DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 94324392 B Java, Flash, Steam htmlcache => 419820907 B Windows/system/drivers => 44975993 B Edge => 4635859 B Chrome => 0 B Firefox => 394072197 B Opera => 0 B

Temp, IE cache, history, cookies, recent: Default => 0 B ProgramData => 0 B Public => 0 B systemprofile => 0 B systemprofile32 => 0 B LocalService => 10220 B NetworkService => 4084 B Pedro Teixeira => 42813908187 B

RecycleBin => 0 B EmptyTemp: => 40.8 GB temporary data Removed.

================================

The system needed a reboot.

==== End of Fixlog 17:22:28 ====

https://up2sha.re/file?f=fmm8W0qTNqR

If it's more helpful

pedromatt,

1) Do  you have installed Driver Booster? If yes, then I advise you to uninstall.

1) You did not answer.

https://up2sha.re/file?f=fmm8W0qTNqR

 

If it's more helpful

 

---

pedromatt, 2016-10-07 16:26:38 (UTC)

2) Link is not correct.

3) Make new FRST logs.  

1) I installed it after I installed windows but I've unnistalled it some months ago.

2) Sorry, here is the correct link: https://up2sha.re/file?f=91kFxbulMbgk

3) Do you want me to run the program again?

3) Do you want me to run the program again?

---

pedromatt, 2016-10-07 17:04:20 (UTC)

Yes, run FRST again and share links on new logs.

https://up2sha.re/file?f=ODYToPiRRsHn

 New logs  are needed as it is written here.