
Lingering virus preventing internet access


This topic is locked. 24 replies to this topic.

#16 satchfan (Malware Response Team)

Posted 19 June 2016 - 03:47 AM

Sorry for the delay but was a tad busy.

Run Farbar Recovery Scan Tool

Open notepad. Please copy the contents of the code box below and paste it into Notepad.

CloseProcesses:
HKLM-x32\...\Run: [AvgUi] => "C:\Program Files (x86)\AVG\Framework\Common\avguirnx.exe" /lps=fmw
Winsock: Catalog5 03 C:\Windows\SysWOW64\mswsock.dll [231424 2016-05-11] (Microsoft Corporation) ATTENTION: LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
Winsock: Catalog5-x64 01 C:\Windows\System32\mswsock.dll [327168 2016-05-11] (Microsoft Corporation) ATTENTION: LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-691505584-3256853444-1998314781-1002\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
SearchScopes: HKLM -> DefaultScope value is missing
SearchScopes: HKLM -> {008F6831-ECBA-4246-911D-F1DF440F0458} URL = hxxp://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us2-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM -> {73cd434e-8e1e-46b6-bb8d-7dd935140717} URL = hxxp://www.bing.com/search?q={searchTerms}&form=HPNTDF&pc=HPNTDF&src=IE-SearchBox
SearchScopes: HKLM -> {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = hxxp://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPNTDF
SearchScopes: HKLM -> {d43b3890-80c7-4010-a95d-1e77b5924dc3} URL = hxxp://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
SearchScopes: HKLM -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/711-30572-11896-2/4?mpre=hxxp://www.ebay.com/sch/i.html?_nkw={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope value is missing
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=HPNTDF&pc=HPNTDF&src=IE-SearchBox
SearchScopes: HKLM-x32 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/711-30572-11896-2/4?mpre=hxxp://www.ebay.com/sch/i.html?_nkw={searchTerms}
SearchScopes: HKU\S-1-5-21-691505584-3256853444-1998314781-1002 -> {012E1000-F331-11DB-8314-0800200C9A66} URL = hxxp://www.google.com/search?q={searchTerms}
SearchScopes: HKU\S-1-5-21-691505584-3256853444-1998314781-1002 -> {73cd434e-8e1e-46b6-bb8d-7dd935140717} URL = hxxp://www.bing.com/search?q={searchTerms}&form=HPNTDF&pc=HPNTDF&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-691505584-3256853444-1998314781-1002 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/711-30572-11896-2/4?mpre=hxxp://www.ebay.com/sch/i.html?_nkw={searchTerms}
BHO: TmBpIeBHO Class -> {BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC} -> No File
BHO-x32: TmBpIeBHO Class -> {BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC} -> No File
Toolbar: HKU\S-1-5-21-691505584-3256853444-1998314781-1002 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
Toolbar: HKU\S-1-5-21-691505584-3256853444-1998314781-1002 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
DPF: HKLM-x32 {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://javadl-esd.sun.com/update/1.4.2/jinstall-1_4_2-windows-i586.cab
Handler: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} -  No File
FF NetworkProxy: "type", 4
FF Plugin-x32: @EDVR/WebClient -> C:\windows\system32\WebClient\npwebclient.dll [No File]
FF Plugin-x32: @pandonetworks.com/PandoWebPlugin -> C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll [No File]
FF Plugin HKU\S-1-5-21-691505584-3256853444-1998314781-1002: wacom.com/WacomTabletPlugin -> C:\Program Files\TabletPlugins\npWacomTabletPlugin.dll [No File]
S3 Tosrfcom; no ImagePath
S1 A2DDA; \??\C:\Users\Aaron\Desktop\Run\a2ddax64.sys [X]
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S1 eamonm; system32\DRIVERS\eamonm.sys [X]
S1 ehdrv; system32\DRIVERS\ehdrv.sys [X]
S1 fkjpbclc; \??\C:\Windows\system32\drivers\fkjpbclc.sys [X]
S1 gmtweagw; \??\C:\Windows\system32\drivers\gmtweagw.sys [X]
S1 kgquubom; \??\C:\Windows\system32\drivers\kgquubom.sys [X]
S1 pfnrymhh; \??\C:\Windows\system32\drivers\pfnrymhh.sys [X]
U2 TMAgent; no ImagePath
S0 tspor; System32\drivers\cfqr.sys [X]
2016-06-05 13:10 - 2016-06-05 20:59 - 00002491 _____ C:\Users\Public\Desktop\AVG Driver Updater.lnk
2016-06-05 13:10 - 2016-06-05 20:59 - 00002491 _____ C:\ProgramData\Desktop\AVG Driver Updater.lnk
2016-06-05 13:10 - 2016-06-05 13:10 - 01124512 _____ (SlimWare Utilities, Inc.) C:\Users\Aaron\Desktop\AVG_Driver_Updater_Setup_11_1.exe
2016-06-05 13:10 - 2016-06-05 13:10 - 00000000 ____D C:\Users\Aaron\AppData\Local\AVG Netherlands BV
2016-06-05 13:10 - 2016-06-05 13:10 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG Driver Updater
2016-06-05 13:10 - 2016-06-05 13:10 - 00000000 ____D C:\Program Files (x86)\AVG Driver Updater
2016-06-05 12:19 - 2016-06-01 15:12 - 00053008 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\TURegOpt.exe
2016-06-05 12:19 - 2016-06-01 15:05 - 00044304 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\system32\authuitu.dll
2016-06-05 12:19 - 2016-06-01 15:05 - 00039696 _____ (AVG Technologies CZ, s.r.o.) C:\Windows\SysWOW64\authuitu.dll
2016-06-05 12:09 - 2016-06-05 12:09 - 03135696 _____ (AVG Technologies CZ, s.r.o.) C:\Users\Aaron\Desktop\AVG_PCTuneUp_879.exe
2016-06-04 12:31 - 2016-06-12 14:24 - 00000000 ____D C:\Users\Aaron\AppData\Roaming\AVG
2016-06-04 12:29 - 2016-06-12 21:27 - 00000000 ____D C:\Program Files\Common Files\AV
2016-06-03 22:42 - 2016-06-12 21:21 - 00000000 ____D C:\AVG_Remover
2016-06-03 22:42 - 2016-06-03 22:42 - 08065568 _____ ( ) C:\Users\Aaron\Desktop\AVG_Remover.exe
2016-06-03 22:15 - 2016-06-03 22:20 - 257024472 _____ (AVG Technologies CZ, s.r.o.) C:\Users\Aaron\Desktop\AVG_Internet_Security_x64_696.exe
2016-06-03 22:07 - 2016-06-03 22:07 - 00000000 ____D C:\Users\Aaron\AppData\Local\MFAData
2016-06-03 22:07 - 2016-06-03 22:07 - 00000000 ____D C:\Users\Aaron\AppData\Local\Avg2015
2016-06-03 22:00 - 2016-06-03 22:05 - 204851760 _____ (AVG Technologies) C:\Users\Aaron\Desktop\avg_free_x64_all_2015_ltst_221.exe
2016-06-03 21:25 - 2016-06-12 21:27 - 00000000 ____D C:\ProgramData\Avg
2016-06-03 21:21 - 2016-06-12 21:27 - 00000000 ____D C:\Users\Aaron\AppData\Local\Avg
2016-06-03 21:19 - 2016-06-03 21:19 - 03078064 _____ (AVG Technologies CZ, s.r.o.) C:\Users\Aaron\Desktop\AVG_Protection_Free_1606.exe
2016-06-03 13:28 - 2016-06-03 13:28 - 00000000 _____ C:\Users\Aaron School\AppData\Local\{3AC57209-7AB1-40FB-BEAA-7D3D7837BEEC}
CustomCLSID: HKU\S-1-5-21-691505584-3256853444-1998314781-1002_Classes\CLSID\{092dfa86-5807-5a94-bf3b-5a53ba9e5308}\InprocServer32 -> C:\Program Files\TabletPlugins\npWacomTabletPlugin.dll => No File
Task: {08F9B5A8-230D-455A-A08C-82EAFAE76A4F} - System32\Tasks\AutoKMS => C:\Windows\AutoKMS\AutoKMS.exe
Task: {8275472E-5348-453F-BA52-8149C0F2ED49} - System32\Tasks\{5101D055-3A46-4A84-9CC6-1ED3EC603E9A} => pcalua.exe -a G:\Setup.exe -d G:\
Task: {C692A4A8-67BA-4722-896E-DEDBB930EE0B} - \GoforFilesUpdate -> No File <==== ATTENTION
Task: {D1526F02-320A-42F8-B4CD-C68F6521A5B8} - \SecurityApps2 -> No File <==== ATTENTION
Task: {F36DE198-BB3B-41C8-9F04-43B25EC37DA5} - \RealPlayer (32-bit)  -> No File <==== ATTENTION
HKLM\...\.scr: SageThumbsImage.scr => "%1" /S <===== ATTENTION
AVG PC TuneUp (x32 Version: 16.42.6 - AVG Technologies) Hidden
C:\Program Files (x86)\AVG
C:\Windows\AutoKMS\AutoKMS.exe
CMD: bitsadmin /reset /allusers
CMD: ipconfig /flushdns
EmptyTemp:

NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

  • save the files as fixlist.txt in the same folder as FRST – NOTE: It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work
  • run FRST64 then click Fix just once and wait
  • it will create a log on your desktop, (Fixlog.txt); please post it to your reply.

================================================

Uninstall programs

Please uninstall this program:

AVG PC TuneUp

When you’ve done that please run FRST again and make sure there is a checkmark next to "Addition.txt" before you hit “Scan”.

Logs to include with next post:

Fixlog.txt
New Frst.txt
New Addition.txt


Thanks

Satchfan


Edited by satchfan, 19 June 2016 - 03:49 AM.

My help is always free of charge. If you are happy with the help provided, if you wish you can make a donation to buy me a beer.
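The fix script above is built from entries FRST itself marked in its scan log: lines tagged "ATTENTION", services and drivers whose file is missing ("[X]") or that have "no ImagePath", and registry references that point to "No File". As an added example (not part of this thread, and not code from the FRST project), the following Python snippet shows how a responder can triage a scan log mechanically by applying those same criteria, plus a heuristic for the eight-random-lowercase-letter driver names seen in this kind of log. The sample lines are constructed in the FRST.txt style; the name `triage` and the severity labels are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines in the style of an FRST.txt scan (not the thread's own log).
SAMPLE_LOG = r"""
Winsock: Catalog5 03 C:\Windows\SysWOW64\mswsock.dll [231424 2016-05-11] (Microsoft Corporation) ATTENTION: LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
BHO: Example Class -> {00000000-0000-0000-0000-000000000001} -> No File
S1 fkjpbclc; \??\C:\Windows\system32\drivers\fkjpbclc.sys [X]
S3 Tosrfcom; no ImagePath
R1 mfehidk; C:\Windows\system32\drivers\mfehidk.sys [123456 2016-01-01] (Example AV Vendor)
Task: {00000000-0000-0000-0000-000000000002} - \ExampleUpdate -> No File <==== ATTENTION
2016-06-05 13:10 - 2016-06-05 13:10 - 00000000 ____D C:\Program Files (x86)\Example Tool
""".strip().splitlines()

# Service/driver lines look like "S1 name; path [...]" (start type, name, image path).
SERVICE_RE = re.compile(r"^([SRU]\d) (\S+); (.*)$")
# Heuristic: eight random lowercase letters is a common pattern for dropped kernel drivers.
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}$")


@dataclass
class Finding:
    severity: str  # "high", "medium" or "low" (labels chosen for this example)
    reason: str
    line: str


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for one FRST log line, or None if nothing stands out."""
    # FRST's own verdict takes precedence over everything else.
    if "ATTENTION" in line:
        return Finding("high", "FRST flagged entry (ATTENTION)", line)

    m = SERVICE_RE.match(line)
    if m:
        _start_type, name, path = m.groups()
        if path.strip() == "no ImagePath":
            return Finding("medium", f"service {name} has no ImagePath", line)
        if path.endswith("[X]"):
            # Missing file plus a random-looking name is the strongest signal here.
            if RANDOM_NAME_RE.match(name):
                return Finding("high", f"random-looking driver name, file missing ({name})", line)
            return Finding("medium", f"service file missing ({name})", line)
        if RANDOM_NAME_RE.match(name):
            return Finding("medium", f"random-looking driver name ({name})", line)
        return None

    # BHOs, toolbars, plugins and CLSIDs whose target no longer exists.
    if "No File" in line:
        return Finding("low", "orphaned registry reference (No File)", line)
    return None


def triage(lines: List[str]) -> List[Finding]:
    """Triage every line and keep only the ones that produced a Finding."""
    return [f for f in (triage_line(line) for line in lines) if f is not None]


def summarize(findings: List[Finding]) -> dict:
    """Count findings per severity so a log can be eyeballed at a glance."""
    counts: dict = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.reason}\n    {f.line}")
    print(summarize(results))
```

On the constructed sample the script reports four high, one medium and one low finding; the legitimately installed `R1 mfehidk` driver and the plain directory entry produce nothing. The random-name heuristic is deliberately crude (an allowlist of known driver names would be the next refinement), which is why a human still decides what goes into fixlist.txt.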



#17 Atrav (Topic Starter)

Posted 19 June 2016 - 01:23 PM

Hey Satchfan. So I did as instructed and then was prompted to restart the computer. Upon reboot there is just a black screen with the cursor. I've tried rebooting in normal mode a few times and also in safe mode with networking and it won't get past the black screen.

#18 satchfan (Malware Response Team)

Posted 19 June 2016 - 04:42 PM

  • restart your computer and hit the F8 key constantly until a menu shows up
  • use the arrow keys to navigate to Last Known Good Configuration
  • press Enter

===================================================

When you’ve done that, if all is OK please run FRST again and make sure there is a checkmark next to "Addition.txt" before you hit “Scan”.

Logs to include with next post:

New Frst.txt
New Addition.txt


Thanks

Satchfan




#19 Atrav (Topic Starter)

Posted 19 June 2016 - 10:11 PM

I've tried as suggested and it still won't get past the black screen with the cursor, unfortunately.

#20 satchfan (Malware Response Team)

Posted 20 June 2016 - 02:14 AM

Do you get as far as the menu after pressing F8?




#21 Atrav (Topic Starter)

Posted 20 June 2016 - 12:38 PM

Yes, so it shows the options, i.e. safe mode with networking, start Windows normally, last known working configuration, etc. After I choose any of those it doesn't show the log in screen and just remains black with a cursor.

#22 satchfan (Malware Response Team)

Posted 20 June 2016 - 05:09 PM

This has not come about due to anything that we have done here and may be a Windows problem; therefore I would suggest that you start a topic in the Windows forum because they will be the best people to advise and help with this current problem.

 

I'll keep this open so that you can return here and continue.

 

Satchfan




#23 Atrav (Topic Starter)

Posted 24 June 2016 - 03:04 PM

Hey Satchfan so I ended up backing up all of my data and then doing a factory reset and things are back up and running. Thanks for the assistance.

#24 satchfan (Malware Response Team)

Posted 24 June 2016 - 04:23 PM

Hi Atrav

 

Glad you got it sorted and thank you for replying and keeping me informed.

 

I'll close this now. Safe computing.

 

Regards

 

Satchfan




#25 satchfan (Malware Response Team)

Posted 24 June 2016 - 04:27 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.





