
Infected with ZeroAccess, Can't run any exe files.


11 replies to this topic

#1 daport6332 (Members, 7 posts)

Posted 14 June 2016 - 02:19 PM

My PC has been infected with ZeroAccess, preventing me from running any exe files such as TDSSKiller, Rkill, or ComboFix. Google Chrome also crashes on startup, so I've been using Mozilla Firefox. I've also been using the Administrator account, but it still tells me that "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." I've also downloaded Kaspersky Rescue Disk onto a USB flash drive on my other PC and booted the infected PC from the flash drive, but the scan takes way too long. The farthest the scan has ever gone was 33%, and that was after 4 days.


FRST.txt:

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:13-06-2016
Ran by Administrator (administrator) on BALINDAY (14-06-2016 15:01:37)
Running from C:\Users\Administrator.balinday\Desktop
Loaded Profiles: Administrator (Available Profiles: Riza & Administrator & Guest)
Platform: Windows 7 Home Premium Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(ESET) C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
(AMD) C:\Windows\System32\atiesrxx.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\stacsv64.exe
(Hewlett-Packard) C:\Windows\System32\hpservice.exe
(ESET) C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCore64.exe
(Andrea Electronics Corporation) C:\Program Files\IDT\WDM\AESTSr64.exe
(Advanced Micro Devices, Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
() C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\sttray64.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(Hewlett-Packard) C:\Program Files (x86)\Hewlett-Packard\HP Advisor\Dock\HPAdvisorDock.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Microsoft Corporation) C:\Windows\SysWOW64\rundll32.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe
(CinemaNow, Inc.) C:\Program Files (x86)\CinemaNow\CinemaNow Media Manager\CinemaNowSvc.exe
(DeviceVM, Inc.) C:\SwSetup\QuickWeb\QW.SYS\config\DVMExportService.exe
(Spotify Ltd) C:\Users\Administrator.balinday\AppData\Roaming\Spotify\SpotifyWebHelper.exe
(SUPERAntiSpyware) C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Yahoo! Inc.) C:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Microsoft Corporation) C:\Windows\System32\alg.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Hewlett-Packard) C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2028328 2010-01-22] (Synaptics Incorporated)
HKLM\...\Run: [AmIcoSinglun64] => "C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe"
HKLM\...\Run: [SmartMenu] => C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe [611896 2010-01-20] ()
HKLM\...\Run: [SysTrayApp] => C:\Program Files\IDT\WDM\sttray64.exe [525312 2011-03-30] (IDT, Inc.)
HKLM\...\Run: [HPWirelessAssistant] => C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe [363064 2010-04-05] (Hewlett-Packard)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [176952 2016-03-19] (Apple Inc.)
HKLM-x32\...\Run: [HP Software Update] => C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [54576 2008-12-08] (Hewlett-Packard)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [67384 2016-03-18] (Apple Inc.)
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [642304 2013-04-30] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [AMD AVT] => C:\Program Files (x86)\AMD AVT\bin\kdbsync.exe [20992 2012-03-19] ()
HKLM-x32\...\RunOnce: [Malwarebytes Anti-Malware (cleanup)] => C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\mbamdor.exe [55264 2016-03-10] (Malwarebytes)
HKU\S-1-5-21-3881042335-2106862652-1563815087-500\...\Run: [HPAdvisorDock] => C:\Program Files (x86)\Hewlett-Packard\HP Advisor\Dock\HPAdvisorDock.exe [1715768 2010-09-28] (Hewlett-Packard)
HKU\S-1-5-21-3881042335-2106862652-1563815087-500\...\Run: [LightScribe Control Panel] => C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe [2363392 2010-02-22] (Hewlett-Packard Company)
HKU\S-1-5-21-3881042335-2106862652-1563815087-500\...\Run: [Spotify Web Helper] => C:\Users\Administrator.balinday\AppData\Roaming\Spotify\SpotifyWebHelper.exe [1554032 2016-06-09] (Spotify Ltd)
HKU\S-1-5-21-3881042335-2106862652-1563815087-500\...\Run: [SUPERAntiSpyware] => C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [7943072 2016-05-31] (SUPERAntiSpyware)
HKU\S-1-5-21-3881042335-2106862652-1563815087-500\...\Policies\system: [LogonHoursAction] 2
HKU\S-1-5-21-3881042335-2106862652-1563815087-500\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
HKU\S-1-5-21-3881042335-2106862652-1563815087-500\...\MountPoints2: G - G:\autorun.exe
HKU\S-1-5-21-3881042335-2106862652-1563815087-500\...\MountPoints2: {8b67d183-fed8-11df-823b-d8d3853647c8} - G:\autorun.exe
HKU\S-1-5-18\...\RunOnce: [iCloud] => C:\Program Files (x86)\Common Files\Apple\Internet Services\iCloud.exe [60688 2015-12-01] (Apple Inc.)
Startup: C:\Users\doray\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk [2013-11-10]
ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
Startup: C:\Users\Riza\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Citrix Receiver.lnk [2016-01-26]
ShortcutTarget: Citrix Receiver.lnk -> C:\Program Files (x86)\Citrix\ICA Client\SelfServicePlugin\SelfServicePlugin.exe (No File)
Startup: C:\Users\Riza\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk [2011-04-04]
ShortcutTarget: OneNote 2007 Screen Clipper and Launcher.lnk -> C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Winsock: Catalog5 10 C:\Program Files (x86)\Bonjour\mdnsNSP.dll No File
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{222069A4-B243-4FA8-AB1B-6E92BA529430}: [DhcpNameServer] 192.168.1.1

Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-3881042335-2106862652-1563815087-500\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.microsoft.com/fwlink/?LinkID=617910&ResetID=131086405613947404&GUID=00000000-0000-0000-0000-000000000000
HKU\S-1-5-21-3881042335-2106862652-1563815087-500\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.msn.com/HPNOT/1
SearchScopes: HKLM -> DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSE1
SearchScopes: HKLM -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSE1
SearchScopes: HKLM-x32 -> DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSE1
SearchScopes: HKLM-x32 -> {3A2A0CA1-D7F1-4449-B951-3A8D3384B75A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=HPNTDF&pc=HPNTDF&src=IE-SearchBox
SearchScopes: HKLM-x32 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSE1
SearchScopes: HKLM-x32 -> {9B66C25E-1ABB-4FAA-B24B-6BFD7CEC259B} URL = hxxp://www.ask.com/web?q={searchterms}&l=dis&o=ushpl
SearchScopes: HKU\.DEFAULT -> DefaultScope {3A2A0CA1-D7F1-4449-B951-3A8D3384B75A} URL =
SearchScopes: HKU\S-1-5-21-3881042335-2106862652-1563815087-500 -> DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSE1
SearchScopes: HKU\S-1-5-21-3881042335-2106862652-1563815087-500 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSE1
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2010-09-21] (Microsoft Corp.)
BHO: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPluginx64.dll [2016-02-25] (HP)
BHO-x32: No Name -> {02478D38-C3F9-4efb-9B51-7695ECA05670} -> No File
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2010-09-21] (Microsoft Corp.)
BHO-x32: Skype Plug-In -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll [2010-11-22] (Skype Technologies S.A.)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\jp2ssv.dll [2015-01-24] (Oracle Corporation)
BHO-x32: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll [2016-02-25] (HP)
DPF: HKLM-x32 {233C1507-6A77-46A4-9443-F871F945D258} hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: HKLM-x32 {784797A8-342D-4072-9486-03C8D0F2F0A1} hxxps://www.battlefieldheroes.com/static/updater/BFHUpdater_5.0.31.0.cab
DPF: HKLM-x32 {C345E174-3E87-4F41-A01C-B066A90A49B4} hxxp://trial.trymicrosoftoffice.com/trialoaa/buymsoffice_assets/framework//microsoft/wrc32.ocx
DPF: HKLM-x32 {E008A543-CEFB-4559-912F-C27C2B89F13B} hxxps://took2.notes.duke.edu/dwa7W.cab
Handler-x32: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll [2010-11-22] (Skype Technologies S.A.)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll [2014-05-02] (Skype Technologies)

FireFox:
========
FF ProfilePath: C:\Users\Administrator.balinday\AppData\Roaming\Mozilla\Firefox\Profiles\9ri1drmr.default
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_21_0_0_242.dll [2016-05-14] ()
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.41212.0\npctrl.dll [2015-12-12] ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_21_0_0_242.dll [2016-05-14] ()
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\system32\Adobe\Director\np32dsw.dll [No File]
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2016-03-08] ()
FF Plugin-x32: @Google.com/GoogleEarthPlugin -> C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll [2015-05-21] (Google)
FF Plugin-x32: @java.com/DTPlugin,version=11.31.2 -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\dtplugin\npDeployJava1.dll [2015-01-24] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\new_plugin\npjp2.dll [No File]
FF Plugin-x32: @java.com/JavaPlugin,version=11.31.2 -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\plugin2\npjp2.dll [2015-01-24] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.41212.0\npctrl.dll [2015-12-12] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2010-11-10] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2010-11-10] (Microsoft Corporation)
FF Plugin-x32: @pandonetworks.com/PandoWebPlugin -> C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll [2012-06-17] (Pando Networks)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.30.3\npGoogleUpdate3.dll [2016-05-10] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.30.3\npGoogleUpdate3.dll [2016-05-10] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2016-04-23] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-3881042335-2106862652-1563815087-500: @unity3d.com/UnityPlayer,version=1.0 -> C:\Users\Administrator.balinday\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll [2014-09-05] (Unity Technologies ApS)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\NPOFF12.DLL [2006-10-26] (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\nppdf32.dll [2016-04-23] (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\browser\plugins\npatgpc.dll [2014-02-27] (Cisco WebEx LLC)
FF Extension: Skype extension - C:\Program Files (x86)\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1} [2016-05-06] [not signed]

Chrome:
=======
CHR Plugin: (Widevine Content Decryption Module) - C:\Users\Administrator.balinday\AppData\Local\Google\Chrome\User Data\WidevineCDM\1.4.8.866\_platform_specific\win_x86\widevinecdmadapter.dll => No File
CHR Plugin: (Shockwave Flash) - C:\Users\Administrator.balinday\AppData\Local\Google\Chrome\User Data\PepperFlash\20.0.0.267\pepflashplayer.dll => No File
CHR Profile: C:\Users\Administrator.balinday\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Drive) - C:\Users\Administrator.balinday\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-04-15]
CHR Extension: (Adblock Plus) - C:\Users\Administrator.balinday\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2016-06-01]
CHR Extension: (Google Docs Offline) - C:\Users\Administrator.balinday\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-06-12]
CHR Extension: (AdBlock) - C:\Users\Administrator.balinday\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2016-06-01]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Administrator.balinday\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-23]
CHR HKLM\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - C:\Program Files (x86)\Skype\Toolbars\Skype for Chromium\skype_chrome_extension.crx [2010-11-22]
StartMenuInternet: Google Chrome.doray - C:\Users\doray\AppData\Local\Google\Chrome\Application\chrome.exe

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [172344 2014-07-22] (SUPERAntiSpyware.com)
R2 AMD FUEL Service; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [361984 2013-04-29] (Advanced Micro Devices, Inc.) [File not signed]
R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [83768 2016-03-02] (Apple Inc.)
R2 DvmMDES; C:\SwSetup\QuickWeb\QW.SYS\config\DVMExportService.exe [338168 2010-03-13] (DeviceVM, Inc.)
R2 ekrn; C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe [2519904 2016-04-13] (ESET)
R2 HPSupportSolutionsFrameworkService; C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe [28552 2016-04-26] (Hewlett-Packard Company)
R2 MSSQL$SOSHOME309; c:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [29293408 2010-12-10] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
S2 LightScribeService; "C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe" [X]
S2 WebrootSpySweeperService; "C:\Program Files (x86)\Webroot\Security\current\plugins\antimalware\AEI.exe" [X]

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 AODDriver4.1; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [53888 2012-03-05] (Advanced Micro Devices)
R1 DVMIO; C:\Windows\System32\DRIVERS\dvmio.sys [20056 2010-01-29] (DeviceVM, Inc.)
R1 eamonm; C:\Windows\System32\DRIVERS\eamonm.sys [264552 2016-05-12] (ESET)
S3 ebdrv; C:\Windows\system32\DRIVERS\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
R1 ehdrv; C:\Windows\System32\DRIVERS\ehdrv.sys [186784 2016-05-12] (ESET)
R2 epfwwfpr; C:\Windows\system32\DRIVERS\epfwwfpr.sys [170792 2016-05-12] (ESET)
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-06-14 15:01 - 2016-06-14 15:02 - 00019734 _____ C:\Users\Administrator.balinday\Desktop\FRST.txt
2016-06-14 14:59 - 2016-06-14 15:01 - 00000000 ____D C:\FRST
2016-06-14 14:58 - 2016-06-14 14:59 - 02385920 _____ (Farbar) C:\Users\Administrator.balinday\Desktop\FRST64.exe
2016-06-13 21:19 - 2016-06-13 21:19 - 04727984 _____ (Kaspersky Lab ZAO) C:\Users\Riza\Desktop\notlol.exe
2016-06-12 22:48 - 2016-06-12 22:48 - 00085504 _____ C:\Users\Administrator.balinday\Desktop\haha.exe
2016-06-12 22:10 - 2016-06-12 22:45 - 00000000 ___SD C:\32788R22FWJFW
2016-06-12 22:09 - 2016-06-12 22:09 - 05659224 ____R (Swearware) C:\Users\Administrator.balinday\Desktop\ComboFix.exe
2016-06-12 22:01 - 2016-06-12 22:01 - 00286655 _____ C:\Users\Administrator.balinday\Downloads\ExeFix.scr
2016-06-12 19:51 - 2016-06-12 19:51 - 00000000 ____D C:\SUPERDelete
2016-06-12 19:46 - 2016-06-12 19:46 - 00001808 _____ C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
2016-06-12 19:46 - 2016-06-12 19:46 - 00000526 _____ C:\Windows\Tasks\SUPERAntiSpyware Scheduled Task f3fef64b-a1a0-4772-be67-c439bc81c87c.job
2016-06-12 19:46 - 2016-06-12 19:46 - 00000526 _____ C:\Windows\Tasks\SUPERAntiSpyware Scheduled Task bc49ce92-55e7-4739-8236-c93cda44eaac.job
2016-06-12 19:46 - 2016-06-12 19:46 - 00000000 ____D C:\Users\Administrator.balinday\AppData\Roaming\SUPERAntiSpyware.com
2016-06-12 19:46 - 2016-06-12 19:46 - 00000000 ____D C:\ProgramData\SUPERAntiSpyware.com
2016-06-12 19:46 - 2016-06-12 19:46 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SUPERAntiSpyware
2016-06-12 19:46 - 2016-06-12 19:46 - 00000000 ____D C:\Program Files\SUPERAntiSpyware
2016-06-12 19:44 - 2016-06-12 19:44 - 26189360 _____ (SUPERAntiSpyware) C:\Users\Administrator.balinday\Downloads\SUPERAntiSpyware.exe
2016-06-12 19:42 - 2016-06-12 19:51 - 00002646 _____ C:\Users\Administrator.balinday\Desktop\Rkill.txt
2016-06-12 19:42 - 2016-06-12 19:42 - 02030536 _____ (Bleeping Computer, LLC) C:\Users\Administrator.balinday\Downloads\rkill.scr
2016-06-12 19:40 - 2016-06-12 19:42 - 00219224 _____ C:\TDSSKiller.3.1.0.9_12.06.2016_19.40.56_log.txt
2016-06-12 19:40 - 2016-06-12 19:40 - 04727984 _____ (Kaspersky Lab ZAO) C:\Users\Administrator.balinday\Downloads\tdsskiller.exe
2016-06-12 19:39 - 2016-06-12 19:39 - 00000335 _____ C:\Users\Administrator.balinday\Downloads\FixExe.reg
2016-06-12 19:20 - 2016-06-12 19:20 - 04727984 _____ (Kaspersky Lab ZAO) C:\Users\Administrator.balinday\Desktop\doneric.com.exe
2016-06-12 19:12 - 2016-06-12 19:13 - 04727984 _____ (Kaspersky Lab ZAO) C:\Users\Administrator.balinday\Desktop\lolololol.com
2016-06-12 19:10 - 2016-06-12 19:10 - 00000879 _____ C:\Users\Public\Desktop\herdProtect.lnk
2016-06-12 19:10 - 2016-06-12 19:10 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\herdProtect
2016-06-12 19:10 - 2016-06-12 19:10 - 00000000 ____D C:\Program Files\Reason
2016-06-12 17:28 - 2016-06-12 17:28 - 02873112 _____ (Reason Company Software Inc.) C:\Users\Administrator.balinday\Downloads\lmfao.exe
2016-06-10 15:31 - 2016-06-12 19:41 - 00151346 _____ C:\Windows\ntbtlog.txt
2016-06-10 14:37 - 2016-06-12 13:22 - 00000000 ____D C:\Kaspersky Rescue Disk 10.0
2016-06-09 22:32 - 2016-06-09 22:32 - 00000000 ____D C:\Users\Administrator.balinday\AppData\Local\Launcher
2016-06-09 22:32 - 2016-06-09 22:32 - 00000000 ____D C:\Users\Administrator.balinday\AppData\Local\ESET
2016-06-09 22:28 - 2016-06-09 22:28 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ESET
2016-06-09 22:28 - 2016-06-09 22:28 - 00000000 ____D C:\ProgramData\ESET
2016-06-09 22:27 - 2016-06-09 22:27 - 00000000 ____D C:\Program Files\ESET
2016-06-09 21:48 - 2016-06-09 21:48 - 00002944 _____ C:\Windows\System32\Tasks\{F5298A95-41BD-492E-87C9-FE596557A611}
2016-06-09 21:48 - 2016-06-09 21:48 - 00002944 _____ C:\Windows\System32\Tasks\{F13A5AD4-BFDF-4A73-B3F8-8A5C22C965C1}
2016-06-09 21:48 - 2016-06-09 21:48 - 00002944 _____ C:\Windows\System32\Tasks\{E3CFA149-6B8F-4D05-98C9-260F10C3A3CD}
2016-06-09 21:48 - 2016-06-09 21:48 - 00002944 _____ C:\Windows\System32\Tasks\{E19C5109-6E70-4B0F-8F93-B805CEC50925}
2016-06-09 21:48 - 2016-06-09 21:48 - 00002944 _____ C:\Windows\System32\Tasks\{CEC3B523-3AA4-4D27-B567-E9816EF17CC6}
2016-06-09 21:48 - 2016-06-09 21:48 - 00002944 _____ C:\Windows\System32\Tasks\{C804FAEE-D192-4BB4-BF8A-482F95193681}
2016-06-09 21:48 - 2016-06-09 21:48 - 00002944 _____ C:\Windows\System32\Tasks\{9262FF37-83A1-41E0-87DC-8B13177941EE}
2016-06-09 21:48 - 2016-06-09 21:48 - 00002944 _____ C:\Windows\System32\Tasks\{2FE68C4E-73FC-47A7-AFEC-4F707D182AFD}
2016-06-09 21:48 - 2016-06-09 21:48 - 00002944 _____ C:\Windows\System32\Tasks\{27933BEE-A292-4454-85CA-297A860D0709}
2016-06-09 21:47 - 2016-06-09 21:47 - 00002944 _____ C:\Windows\System32\Tasks\{77A10264-00CF-4110-BBC0-4777AC2DEBC1}
2016-06-09 21:47 - 2016-06-09 21:47 - 00002944 _____ C:\Windows\System32\Tasks\{0F0E7D8D-42FA-4543-AAE4-14F64B76206D}
2016-06-09 21:24 - 2016-06-09 21:24 - 00000204 _____ C:\Users\Public\Desktop\MapleStory.url
2016-06-09 21:07 - 2016-06-10 15:36 - 00000000 ____D C:\Users\Administrator.balinday\Desktop\ms
2016-06-09 21:06 - 2016-06-09 21:07 - 00000000 ____D C:\Users\Administrator.balinday\Desktop\New Folder
2016-06-09 17:58 - 2016-06-09 17:58 - 00001890 _____ C:\Users\Administrator.balinday\Desktop\Spotify.lnk
2016-06-09 17:58 - 2016-06-09 17:58 - 00001876 _____ C:\Users\Administrator.balinday\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Spotify.lnk
2016-06-01 01:58 - 2016-06-01 01:58 - 04537650 _____ C:\Users\Riza\Downloads\Gold-Investors-Manual-FINAL_54d5194e64c0e(1).pdf
2016-05-30 20:25 - 2016-06-08 22:43 - 00003234 _____ C:\Windows\System32\Tasks\HPCeeScheduleForAdministrator
2016-05-30 20:25 - 2016-06-08 22:43 - 00000364 _____ C:\Windows\Tasks\HPCeeScheduleForAdministrator.job
2016-05-26 11:06 - 2016-05-26 11:06 - 00278744 _____ C:\Users\Riza\Downloads\app-lab-test-results(1).pdf
2016-05-23 12:57 - 2016-05-23 12:57 - 00439609 _____ C:\Users\Riza\Downloads\HighBallListingCOINMethod.pdf
2016-05-23 12:52 - 2016-05-23 12:52 - 00439588 _____ C:\Users\Riza\Downloads\PBN-Highball-Listing-Report.pdf
2016-05-23 12:51 - 2016-05-23 12:51 - 00765067 _____ C:\Users\Riza\Downloads\COINSystemScreeningMethod.pdf
2016-05-23 12:12 - 2016-05-23 12:12 - 00765061 _____ C:\Users\Riza\Downloads\PBNSpecialReport_9U3DEEP1Y7.pdf
2016-05-23 11:57 - 2016-05-23 11:57 - 00082905 _____ C:\Users\Riza\Downloads\2016_4_Statement.pdf
2016-05-21 17:37 - 2016-05-21 17:37 - 00003720 _____ C:\Windows\System32\Tasks\Registration
2016-05-20 15:31 - 2016-06-09 21:45 - 00000000 ____D C:\Users\Administrator.balinday\AppData\Local\Spotify
2016-05-20 15:31 - 2016-06-09 20:48 - 00000000 ____D C:\Users\Administrator.balinday\AppData\Roaming\Spotify
2016-05-17 21:57 - 2016-05-17 21:57 - 00195007 _____ C:\Users\Riza\Downloads\readpdfmessage(2)
2016-05-17 21:44 - 2016-05-17 21:44 - 00138449 _____ C:\Users\Riza\Downloads\Stmnt_052016_6474
2016-05-16 16:48 - 2016-05-16 16:48 - 00000000 ____D C:\Users\Administrator.balinday\AppData\Local\CEF
2016-05-16 08:03 - 2016-05-16 08:03 - 00000000 ____D C:\Users\Riza\AppData\Local\AMD
2016-05-15 16:51 - 2016-06-09 22:49 - 00000000 ____D C:\Users\Administrator.balinday\AppData\Local\Discord

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-06-14 15:01 - 2009-07-14 00:45 - 00026192 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-06-14 15:01 - 2009-07-14 00:45 - 00026192 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-06-13 21:19 - 2012-06-13 16:43 - 00000000 ____D C:\Users\Riza\AppData\Local\PMB Files
2016-06-12 20:01 - 2013-11-23 22:53 - 00000000 ____D C:\Users\Riza\AppData\Local\WhiteListing
2016-06-12 19:54 - 2010-04-07 14:51 - 00000000 ____D C:\Program Files (x86)\HP Games
2016-06-12 19:54 - 2009-07-14 01:32 - 00000000 ___RD C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games
2016-06-12 19:52 - 2013-06-11 00:25 - 00000000 ____D C:\Users\doray\AppData\LocalLow\Sony Online Entertainment
2016-06-12 19:35 - 2009-07-14 01:13 - 00848318 _____ C:\Windows\system32\PerfStringBackup.INI
2016-06-12 19:35 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\inf
2016-06-12 11:03 - 2011-10-11 15:58 - 00000000 ____D C:\Users\doray
2016-06-12 10:58 - 2014-04-12 23:50 - 00000000 ____D C:\Users\Administrator.balinday
2016-06-10 16:28 - 2012-05-29 21:55 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2016-06-10 16:26 - 2013-11-12 21:23 - 00000000 ____D C:\Users\Riza\AppData\Local\NativeMessaging
2016-06-10 15:37 - 2015-02-27 16:28 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-06-10 15:36 - 2015-02-27 16:28 - 00000906 _____ C:\Users\Public\Desktop\not.lnk
2016-06-10 15:33 - 2016-05-06 00:37 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2016-06-10 13:17 - 2013-05-30 15:05 - 00000000 ____D C:\Program Files (x86)\Avira
2016-06-09 22:31 - 2011-02-12 19:18 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-06-09 22:27 - 2010-04-07 14:22 - 00000000 ____D C:\Program Files (x86)\Hewlett-Packard
2016-06-09 22:19 - 2014-10-22 12:53 - 00000000 ____D C:\ProgramData\Package Cache
2016-06-09 22:19 - 2013-05-30 15:05 - 00000000 ____D C:\ProgramData\Avira
2016-06-09 22:18 - 2014-05-22 11:31 - 00000536 _____ C:\Windows\Tasks\G2MUpdateTask-S-1-5-21-3881042335-2106862652-1563815087-1001.job
2016-06-09 22:18 - 2014-04-12 23:56 - 00000000 ____D C:\Users\Administrator.balinday\AppData\Roaming\Avira
2016-06-09 22:18 - 2013-05-30 15:11 - 00000000 ____D C:\Users\Riza\AppData\Roaming\Avira
2016-06-09 22:12 - 2010-12-16 08:07 - 00000912 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3881042335-2106862652-1563815087-1003UA.job
2016-06-09 22:09 - 2011-11-14 19:20 - 00000908 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3881042335-2106862652-1563815087-1007UA.job
2016-06-09 22:07 - 2011-02-12 19:18 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-06-09 21:56 - 2009-07-14 01:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-06-09 21:52 - 2010-12-02 22:55 - 00000904 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3881042335-2106862652-1563815087-1001UA.job
2016-06-09 21:48 - 2014-09-26 19:46 - 00000000 ____D C:\Users\Administrator.balinday\AppData\Local\ElevatedDiagnostics
2016-06-09 21:48 - 2012-08-23 13:52 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2016-06-09 21:25 - 2015-05-30 21:49 - 00000632 _____ C:\Windows\Tasks\G2MUploadTask-S-1-5-21-3881042335-2106862652-1563815087-1001.job
2016-06-09 21:10 - 2011-02-12 09:14 - 00000000 ____D C:\Nexon
2016-06-09 17:09 - 2011-11-14 19:20 - 00000856 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3881042335-2106862652-1563815087-1007Core.job
2016-06-09 13:52 - 2010-12-02 22:55 - 00000852 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3881042335-2106862652-1563815087-1001Core.job
2016-06-09 07:12 - 2010-12-16 08:07 - 00000860 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3881042335-2106862652-1563815087-1003Core.job
2016-06-08 14:27 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\system32\NDF
2016-06-07 19:08 - 2016-04-11 20:44 - 00000328 _____ C:\Windows\Tasks\HPCeeScheduleForRiza.job
2016-06-07 01:31 - 2016-04-11 20:44 - 00003180 _____ C:\Windows\System32\Tasks\HPCeeScheduleForRiza
2016-06-06 21:04 - 2010-11-01 15:36 - 00003922 _____ C:\Windows\System32\Tasks\User_Feed_Synchronization-{379E316D-328C-4915-86AC-E87C7E1A3947}
2016-06-06 17:12 - 2016-01-09 14:58 - 00000000 ____D C:\Users\Administrator.balinday\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Hammer & Chisel, Inc
2016-06-06 17:11 - 2016-01-09 14:57 - 00000000 ____D C:\Users\Administrator.balinday\AppData\Local\SquirrelTemp
2016-06-05 15:15 - 2011-11-16 15:57 - 00003218 _____ C:\Windows\System32\Tasks\HPCeeScheduleForBALINDAY$
2016-06-05 15:15 - 2011-11-16 15:57 - 00000342 _____ C:\Windows\Tasks\HPCeeScheduleForBALINDAY$.job
2016-05-31 07:05 - 2014-04-12 23:51 - 00000000 ____D C:\Users\Administrator.balinday\AppData\Roaming\Apple Computer
2016-05-30 19:54 - 2014-04-13 00:23 - 00000000 ____D C:\Users\Administrator.balinday\AppData\Roaming\Skype
2016-05-25 11:30 - 2011-03-31 23:55 - 00000084 _____ C:\Users\Riza\AppData\Roaming\wklnhst.dat
2016-05-25 11:29 - 2009-07-14 01:32 - 00000000 ____D C:\Windows\system32\FxsTmp
2016-05-21 17:37 - 2014-04-12 23:54 - 00000000 ____D C:\Users\Administrator.balinday\AppData\Local\Hewlett-Packard
2016-05-21 17:36 - 2014-04-12 23:51 - 00000000 ____D C:\Users\Administrator.balinday\AppData\Roaming\Hewlett-Packard
2016-05-21 17:30 - 2009-09-06 21:57 - 00000000 ____D C:\Windows\Panther
2016-05-19 15:10 - 2015-05-30 21:49 - 00003660 _____ C:\Windows\System32\Tasks\G2MUploadTask-S-1-5-21-3881042335-2106862652-1563815087-1001
2016-05-19 15:10 - 2014-05-22 11:31 - 00003564 _____ C:\Windows\System32\Tasks\G2MUpdateTask-S-1-5-21-3881042335-2106862652-1563815087-1001
2016-05-19 14:23 - 2014-04-30 20:08 - 00000950 _____ C:\Users\Riza\Desktop\magicJack.lnk
2016-05-19 14:23 - 2014-04-30 20:08 - 00000936 _____ C:\Users\Riza\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\magicJack.lnk
2016-05-19 14:23 - 2010-12-03 08:38 - 00000000 ____D C:\Users\Riza\AppData\Roaming\mjusbsp
2016-05-17 20:41 - 2014-01-23 21:03 - 00000000 ____D C:\Users\Riza\Documents\Receipts
2016-05-17 10:34 - 2013-07-01 17:36 - 00002441 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader XI.lnk
2016-05-16 09:40 - 2016-02-13 10:21 - 00000000 ___HD C:\$WINDOWS.~BT
2016-05-16 09:26 - 2010-11-28 02:39 - 00000000 ____D C:\Users\Riza\AppData\Local\ElevatedDiagnostics
2016-05-15 21:11 - 2014-09-26 19:55 - 00000000 ____D C:\Users\Administrator.balinday\AppData\Local\Battle.net
2016-05-15 21:10 - 2016-05-10 22:18 - 00000000 ____D C:\Program Files (x86)\Battle.net
2016-05-15 16:52 - 2016-01-09 14:58 - 00000000 ____D C:\Users\Administrator.balinday\AppData\Roaming\discord

Files to move or delete:
====================
C:\Users\doray\cache.dat


==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


ATTENTION: ==> Could not access BCD.


LastRegBack: 2016-06-08 15:27

==================== End of FRST.txt ============================



#2 olgun52

  • Malware Response Team
  • 3,790 posts
  • Gender:Male
  • Local time:10:00 PM

Posted 14 June 2016 - 05:29 PM

Hello daport6332 and welcome to BleepingComputer. :welcome:
 
My name is Yılmaz and I'll help you with the cleanup of malware from your computer.

Before we move on, please read the following points carefully.
  • Please complete all steps in the specified order.
  • Even if tools don't find malware, I want you to post the logfiles anyway.
  • Please copy and paste the logfiles directly into your posts. Please do not attach them unless you are instructed to do so.
  • Read the instructions carefully. If you have problems, stop what you were doing and describe the problems you encountered as precisely as you can.
  • Don't install or uninstall software during the cleanup unless you are told to do so.
  • Ensure your external and/or USB drives are always inserted during the scan.
  • If you can't answer for the next few days, please let me know. If you haven't answered within 5 days, I am assuming that you don't need help anymore and your topic will be closed.
  • If you have illegal/cracked software, cracks, keygens, etc. on the system, please remove or uninstall them now!
  • I can not guarantee that we will find and be able to remove all malware. The cleaning process is not instant. Please continue to review my answers until I tell you that your computer is clean.
  • Please reply to this thread. Do not start a new topic.
  • As my first language is not English, please do not use slang or idioms. It could be hard for me to understand.
  • Please open the computer as administrator. How do I open the computer as administrator?
  • Disable your AntiVirus and AntiSpyware applications, as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to get help here
Thanks
 
I am currently reviewing your log. I will be back with a fix for your problem as soon as possible. Please be patient with me during this time.
 
Sincerely
:hello:

Best regards
 
If you wish to show appreciation and support me personally fighting against malware, then you can consider a donation. Thank you. :thumbup2:
Malware fix forum
If I don't reply within 24 hours please PM me!

 


 


#3 olgun52

  • Malware Response Team
  • 3,790 posts
  • Gender:Male
  • Local time:10:00 PM

Posted 14 June 2016 - 07:06 PM

Hi again,
Step 1:

 FRST Script:
 Please download the attached file Fixlist.txt (5.47KB) and save it in the same directory as FRST.

  • Close any open browsers or any other programs that are open
  • Start FRST with Administrator privileges.
  • Press the Fix button.
  • When finished, a log file (Fixlog.txt) pops up and is saved to the same location the tool was run from.
    Please copy and paste its contents in your next reply.

Step 2:

ComboFix run:

Please be sure to run our tools with administrator rights.

* IMPORTANT 1: Place ComboFix.exe on your Desktop

* IMPORTANT 2: Ensure your external and/or USB drives are inserted during the scan

Next, download ComboFix and save it to the Desktop.

  • Disable all antivirus and antispyware programs. Get help here
  • Now, close all open windows
  • Double-click combofix.exe to run the program
  • Follow the prompts.
  • If the option is offered, it is in your best interest to allow the download and install of the Recovery Console when prompted.
  • When told that the RC is installed correctly, press YES to continue scanning for malware.
  • ComboFix will run. Please don't click on the window while the program is running, it may cause your system to stall.
  • CF may reboot the computer and resume running when it restarts.
  • When finished, a log, ComboFix.txt, is produced.

Please provide the contents of the ComboFix report in your reply.

 

Have a nice day.
:hello:



 


 


#4 daport6332
  • Topic Starter
  • Members
  • 7 posts
  • Local time:03:00 PM

Posted 15 June 2016 - 02:26 AM

Fixlog.txt

Fix result of Farbar Recovery Scan Tool (x64) Version:13-06-2016
Ran by Administrator (2016-06-15 02:45:00) Run:1
Running from C:\Users\Administrator.balinday\Desktop
Loaded Profiles: Administrator (Available Profiles: Riza & Administrator & Guest)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CreateRestorePoint:
CloseProcesses:
Task: {466A9A5E-F589-4183-B917-98998A38F930} - System32\Tasks\{B0D4FA24-DD05-4D30-8687-789334439774} => pcalua.exe -a C:\Users\doray\AppData\Local\Temp\{6EB19D79-F16A-4DFB-9318-4FC07D57DE32}\adobeshockwavextrabundle.exe -d C:\Users\doray\AppData\Local\Google\Chrome\Application\21.0.1180.60 -c /xtrabundle=BC_SwaStrm
Task: {A976B8C7-CCCF-4641-996A-903BD0D5109D} - System32\Tasks\{A344C17B-4151-4979-9780-9405A12054EA} => pcalua.exe -a C:\Users\Riza\Downloads\avira_antivir_personal_en.exe -d C:\Users\Riza\Downloads
AlternateDataStreams: C:\ProgramData\Temp:373E1720 [139]
HKU\S-1-5-21-3881042335-2106862652-1563815087-500\...\MountPoints2: G - G:\autorun.exe
HKU\S-1-5-21-3881042335-2106862652-1563815087-500\...\MountPoints2: {8b67d183-fed8-11df-823b-d8d3853647c8} - G:\autorun.exe
HKU\S-1-5-21-3881042335-2106862652-1563815087-500\...\Policies\system: [LogonHoursAction] 2
HKU\S-1-5-21-3881042335-2106862652-1563815087-500\...\Policies\system: [DontDisplayLogonHoursWarnings] 1
Winsock: Catalog5 10 C:\Program Files (x86)\Bonjour\mdnsNSP.dll No File
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKU\S-1-5-21-3881042335-2106862652-1563815087-500\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.microsoft.com/fwlink/?LinkID=617910&ResetID=131086405613947404&GUID=00000000-0000-0000-0000-000000000000
SearchScopes: HKLM -> DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSE1
SearchScopes: HKLM -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSE1
SearchScopes: HKLM-x32 -> DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSE1
SearchScopes: HKLM-x32 -> {3A2A0CA1-D7F1-4449-B951-3A8D3384B75A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=HPNTDF&pc=HPNTDF&src=IE-SearchBox
SearchScopes: HKLM-x32 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSE1
SearchScopes: HKLM-x32 -> {9B66C25E-1ABB-4FAA-B24B-6BFD7CEC259B} URL = hxxp://www.ask.com/web?q={searchterms}&l=dis&o=ushpl
SearchScopes: HKU\.DEFAULT -> DefaultScope {3A2A0CA1-D7F1-4449-B951-3A8D3384B75A} URL =
SearchScopes: HKU\S-1-5-21-3881042335-2106862652-1563815087-500 -> DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSE1
SearchScopes: HKU\S-1-5-21-3881042335-2106862652-1563815087-500 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSE1
BHO-x32: No Name -> {02478D38-C3F9-4efb-9B51-7695ECA05670} -> No File
DPF: HKLM-x32 {C345E174-3E87-4F41-A01C-B066A90A49B4} hxxp://trial.trymicrosoftoffice.com/trialoaa/buymsoffice_assets/framework//microsoft/wrc32.ocx
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\system32\Adobe\Director\np32dsw.dll [No File]
FF Plugin-x32: @java.com/JavaPlugin -> C:\Program Files (x86)\Java\jre1.8.0_31\bin\new_plugin\npjp2.dll [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
CHR Plugin: (Widevine Content Decryption Module) - C:\Users\Administrator.balinday\AppData\Local\Google\Chrome\User Data\WidevineCDM\1.4.8.866\_platform_specific\win_x86\widevinecdmadapter.dll => No File
CHR Plugin: (Shockwave Flash) - C:\Users\Administrator.balinday\AppData\Local\Google\Chrome\User Data\PepperFlash\20.0.0.267\pepflashplayer.dll => No File
CHR HKLM\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx
S2 WebrootSpySweeperService; "C:\Program Files (x86)\Webroot\Security\current\plugins\antimalware\AEI.exe" [X]
S3 EagleX64; \??\C:\Windows\system32\drivers\EagleX64.sys [X]
(Kaspersky Lab ZAO) C:\Users\Riza\Desktop\notlol.exe
C:\32788R22FWJFW
C:\Users\Administrator.balinday\Downloads\ExeFix.scr
C:\Users\Administrator.balinday\Downloads\FixExe.reg
(Kaspersky Lab ZAO) C:\Users\Administrator.balinday\Desktop\doneric.com.exe
(Kaspersky Lab ZAO) C:\Users\Administrator.balinday\Desktop\lolololol.com
C:\Program Files (x86)\Avira
C:\ProgramData\Avira
2016-06-09 22:18 - 2014-04-12 23:56 - 00000000 ____D C:\Users\Administrator.balinday\AppData\Roaming\Avira
2016-06-09 22:18 - 2013-05-30 15:11 - 00000000 ____D C:\Users\Riza\AppData\Roaming\Avira
C:\Users\Riza\AppData\Roaming\wklnhst.dat
C:\Users\doray\cache.dat
CMD: type "C:\TDSSKiller.3.1.0.9_12.06.2016_19.40.56_log.txt"
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state on
CMD: ipconfig /flushdns
Emptytemp:





*****************

Error: (0) Failed to create a restore point.
Processes closed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{466A9A5E-F589-4183-B917-98998A38F930}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{466A9A5E-F589-4183-B917-98998A38F930}" => key removed successfully
Could not move "C:\Windows\System32\Tasks\{B0D4FA24-DD05-4D30-8687-789334439774}" => Scheduled to move on reboot.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{B0D4FA24-DD05-4D30-8687-789334439774}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{A976B8C7-CCCF-4641-996A-903BD0D5109D}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A976B8C7-CCCF-4641-996A-903BD0D5109D}" => key removed successfully
Could not move "C:\Windows\System32\Tasks\{A344C17B-4151-4979-9780-9405A12054EA}" => Scheduled to move on reboot.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{A344C17B-4151-4979-9780-9405A12054EA}" => key removed successfully
C:\ProgramData\Temp => ":373E1720" ADS removed successfully.
"HKU\S-1-5-21-3881042335-2106862652-1563815087-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\G" => key removed successfully
"HKU\S-1-5-21-3881042335-2106862652-1563815087-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8b67d183-fed8-11df-823b-d8d3853647c8}" => key removed successfully
HKCR\CLSID\{8b67d183-fed8-11df-823b-d8d3853647c8} => key not found.
HKU\S-1-5-21-3881042335-2106862652-1563815087-500\Software\Microsoft\Windows\CurrentVersion\Policies\system\\LogonHoursAction => value could not remove.
HKU\S-1-5-21-3881042335-2106862652-1563815087-500\Software\Microsoft\Windows\CurrentVersion\Policies\system\\DontDisplayLogonHoursWarnings => value could not remove.
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000010 => key could not remove.
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
HKLM\Software\\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
HKLM\Software\\Microsoft\Internet Explorer\Main\\Search Page => value restored successfully
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Search Page => value restored successfully
HKLM\Software\\Microsoft\Internet Explorer\Main\\Default_Page_URL => value restored successfully
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Default_Page_URL => value restored successfully
HKLM\Software\\Microsoft\Internet Explorer\Main\\Default_Search_URL => value restored successfully
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Default_Search_URL => value restored successfully
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main\\Start Page => value removed successfully
HKU\S-1-5-21-3881042335-2106862652-1563815087-500\Software\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}" => key removed successfully
HKCR\CLSID\{6A1806CD-94D4-4689-BA73-E35EA1EA9990} => key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{3A2A0CA1-D7F1-4449-B951-3A8D3384B75A}" => key removed successfully
HKCR\Wow6432Node\CLSID\{3A2A0CA1-D7F1-4449-B951-3A8D3384B75A} => key not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}" => key removed successfully
HKCR\Wow6432Node\CLSID\{6A1806CD-94D4-4689-BA73-E35EA1EA9990} => key not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{9B66C25E-1ABB-4FAA-B24B-6BFD7CEC259B}" => key removed successfully
HKCR\Wow6432Node\CLSID\{9B66C25E-1ABB-4FAA-B24B-6BFD7CEC259B} => key not found.
HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
HKU\S-1-5-21-3881042335-2106862652-1563815087-500\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
"HKU\S-1-5-21-3881042335-2106862652-1563815087-500\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}" => key removed successfully
HKCR\CLSID\{6A1806CD-94D4-4689-BA73-E35EA1EA9990} => key not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}" => key removed successfully
HKCR\Wow6432Node\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670} => key not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Code Store Database\Distribution Units\{C345E174-3E87-4F41-A01C-B066A90A49B4}" => key removed successfully
"HKCR\Wow6432Node\CLSID\{C345E174-3E87-4F41-A01C-B066A90A49B4}" => key removed successfully
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@adobe.com/ShockwavePlayer" => key removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@java.com/JavaPlugin" => key removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
C:\Users\Administrator.balinday\AppData\Local\Google\Chrome\User Data\WidevineCDM\1.4.8.866\_platform_specific\win_x86\widevinecdmadapter.dll => not found.
C:\Users\Administrator.balinday\AppData\Local\Google\Chrome\User Data\PepperFlash\20.0.0.267\pepflashplayer.dll => not found.
"HKLM\SOFTWARE\Google\Chrome\Extensions\flliilndjeohchalpbbcdekjklbdgfkk" => key removed successfully
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\flliilndjeohchalpbbcdekjklbdgfkk" => key removed successfully
WebrootSpySweeperService => service could not remove
EagleX64 => service could not remove
C:\Users\Riza\Desktop\notlol.exe => No running process found
C:\32788R22FWJFW => moved successfully
C:\Users\Administrator.balinday\Downloads\ExeFix.scr => moved successfully
C:\Users\Administrator.balinday\Downloads\FixExe.reg => moved successfully
C:\Users\Administrator.balinday\Desktop\doneric.com.exe => No running process found
C:\Users\Administrator.balinday\Desktop\lolololol.com => No running process found
C:\Program Files (x86)\Avira => moved successfully
C:\ProgramData\Avira => moved successfully
C:\Users\Administrator.balinday\AppData\Roaming\Avira => moved successfully
C:\Users\Riza\AppData\Roaming\Avira => moved successfully
C:\Users\Riza\AppData\Roaming\wklnhst.dat => moved successfully
C:\Users\doray\cache.dat => moved successfully

=========  type "C:\TDSSKiller.3.1.0.9_12.06.2016_19.40.56_log.txt" =========


========= End of CMD: =========


=========  netsh advfirewall reset =========


========= End of CMD: =========


=========  netsh advfirewall set allprofiles state on =========


========= End of CMD: =========


=========  ipconfig /flushdns =========


========= End of CMD: =========

EmptyTemp: => 1.4 GB temporary data Removed.
 



#5 daport6332
  • Topic Starter
  • Members
  • 7 posts
  • Local time:03:00 PM

Posted 15 June 2016 - 02:33 AM

I had no success with combofix as it kept on failing to install. It would stop at "Output Folder: C:\32788R22FWJFW".



#6 olgun52

  • Malware Response Team
  • 3,790 posts
  • Gender:Male
  • Local time:10:00 PM

Posted 15 June 2016 - 05:37 PM

Please install the ComboFix software again and run it!

 

Run Malwarebytes if you still have the problem

  • Please download rkill (Courtesy of Bleepingcomputer.com).
  • There are 5 different versions of this tool. If one of them will not run, please try the next one in the list.
  • Note: Vista and Windows 7 Users must right click and select "Run as Administrator" to run the tool.
  • Note: You only need to get one of the tools to run, not all of them.

1. rkill.exe

2. rkill.com

3. rkill.scr

4. WiNlOgOn.exe

5. uSeRiNiT.exe

 
next....
 
Scan with Malwarebytes Antimalware

  • Please update the database by clicking on the "Update Now" button.
  • Following the update, click "Settings" and go to "Detection and Protection"
  • Make sure "Scan for Rootkits" is checked.
  • Click on Dashboard, then click on Scan Now to start the scan.
  • If Malware or Potentially Unwanted Programs ''PUPs'' are found, you will receive a prompt so that you can decide what you want to do. I suggest "Quarantine". Click the button: Apply All Actions.
  • A window with an option to view the detailed log will appear. Click on "View Detailed Log".
  • After viewing the results, please click on the "Copy to Clipboard" button and then OK.
  • Return to our forum. Paste your log into your next reply.

Edited by olgun52, 15 June 2016 - 05:42 PM.


 


 


#7 daport6332
  • Topic Starter
  • Members
  • 7 posts
  • Local time:03:00 PM

Posted 16 June 2016 - 11:35 PM

ComboFix still would not work. Malwarebytes also would not work because it could not load the Anti-Rootkit drivers; I attempted to reinstall, but it would prevent me from running the install. I think the registries might have been changed. I did, however, get RKill to work after a few tries. Here's the log:

 

RKill Log:

 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 06/15/2016 11:47:44 PM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * No issues found.

Checking Windows Service Integrity:

 * TBS [Missing Service]

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * No issues found.

Program finished at: 06/15/2016 11:53:43 PM
Execution time: 0 hours(s), 5 minute(s), and 59 seconds(s)
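An added example that is not part of this thread and is not FRST's or RKill's own code: a read-only PowerShell audit of the two things the logs above report on, the Authenticode signatures on the core Windows binaries FRST lists under "Bamital & volsnap", and the .exe/.com/.bat file associations that RKill resets. It assumes an elevated PowerShell 3.0 or later session on the affected machine; the expected registry values are the Windows defaults.

```powershell
# Added example (not from the thread, FRST or RKill). Read-only checks only;
# nothing here modifies the registry or the file system.
# Assumes an elevated PowerShell 3.0+ session.

# The same core binaries FRST verifies in its "Bamital & volsnap" section.
$CoreFiles = @(
    "$env:windir\system32\winlogon.exe",
    "$env:windir\system32\wininit.exe",
    "$env:windir\explorer.exe",
    "$env:windir\system32\svchost.exe",
    "$env:windir\system32\services.exe",
    "$env:windir\system32\userinit.exe",
    "$env:windir\system32\rpcss.dll",
    "$env:windir\system32\dnsapi.dll",
    "$env:windir\system32\Drivers\volsnap.sys"
)

function Get-Sha256Hex {
    param([string]$Path)
    # Plain .NET so this also works where Get-FileHash (PowerShell 4+) is absent.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Close() }
}

function Test-CoreFileSignatures {
    param([string[]]$Paths = $CoreFiles)
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) {
            [pscustomobject]@{ Path = $p; Status = 'Missing'; Signer = ''; Sha256 = '' }
            continue
        }
        $sig    = Get-AuthenticodeSignature -LiteralPath $p
        $signer = ''
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        # Caveat: on Windows 7 many system files carry only a catalog signature,
        # which Get-AuthenticodeSignature reports as NotSigned. Treat NotSigned as
        # "compare the SHA-256 with a known-good copy of the same build", not as
        # proof of tampering; HashMismatch or an unexpected signer is the real alarm.
        [pscustomobject]@{
            Path   = $p
            Status = [string]$sig.Status
            Signer = $signer
            Sha256 = Get-Sha256Hex -Path $p
        }
    }
}

function Get-ShellOpenCommand {
    param([string]$ProgId)   # exefile, comfile or batfile
    $key  = "Registry::HKEY_CLASSES_ROOT\$ProgId\shell\open\command"
    $item = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [string]$item.'(default)'
}

function Test-ExecutableAssociations {
    # Windows defaults: each extension maps to its ProgId, whose open command is
    # exactly "%1" %* (run the file itself, passing the original arguments).
    # Anything else in that command is what produces "Windows cannot access the
    # specified device, path, or file" for every .exe, as in this thread.
    $extToProgId = [ordered]@{ '.exe' = 'exefile'; '.com' = 'comfile'; '.bat' = 'batfile' }
    $expectedCmd = '"%1" %*'
    foreach ($ext in $extToProgId.Keys) {
        $progId = $extToProgId[$ext]
        $mapped = (Get-ItemProperty -LiteralPath "Registry::HKEY_CLASSES_ROOT\$ext" `
                       -ErrorAction SilentlyContinue).'(default)'
        $cmd    = Get-ShellOpenCommand -ProgId $progId
        # HKCR merges HKLM\Software\Classes with HKCU\Software\Classes, and the
        # per-user branch wins, so a clean HKLM view can still hide a bad override.
        $userOverride = Test-Path -LiteralPath "Registry::HKEY_CURRENT_USER\Software\Classes\$ext"
        [pscustomobject]@{
            Extension    = $ext
            MappedProgId = [string]$mapped
            OpenCommand  = $cmd
            UserOverride = $userOverride   # review the HKCU key manually if $true
            LooksClean   = ([string]$mapped -eq $progId) -and ($cmd -eq $expectedCmd) -and (-not $userOverride)
        }
    }
}

Test-CoreFileSignatures     | Format-Table -AutoSize
Test-ExecutableAssociations | Format-Table -AutoSize
```

LooksClean is a heuristic for review, not a verdict; a legitimate per-user override or an OEM-customised open command will also trip it, so inspect the reported values before acting on them.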
 



#8 olgun52

  • Malware Response Team
  • 3,790 posts
  • Gender:Male
  • Local time:10:00 PM

Posted 18 June 2016 - 10:19 AM

Hi again,

 

Scan with FRST

Download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:

  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

    • Startup Repair
    • System Restore
    • Windows Complete PC Restore
    • Windows Memory Diagnostic Tool
    • Command Prompt
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.

It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.



 


 


#9 daport6332
  • Topic Starter
  • Members
  • 7 posts
  • Local time:03:00 PM

Posted 02 July 2016 - 03:16 PM

Sorry, I've had complications the past 2 weeks; I will now attempt to do this.

#10 olgun52

  • Malware Response Team
  • 3,790 posts
  • Gender:Male
  • Local time:10:00 PM

Posted 03 July 2016 - 04:18 PM

Sorry, I've had complications the past 2 weeks; I will now attempt to do this.

Ok. I am waiting.



 


 


#11 daport6332
  • Topic Starter
  • Members
  • 7 posts
  • Local time:03:00 PM

Posted 09 July 2016 - 10:17 PM

The scan keeps freezing

#12 olgun52

  • Malware Response Team
  • 3,790 posts
  • Gender:Male
  • Local time:10:00 PM

Posted 10 July 2016 - 05:56 PM

Hi again,

Please do the following:

 

Avira Uninstall:
A manual uninstallation of Avira Antivirus should be performed only if a conventional uninstallation via the Windows Control Panel is no longer possible.

  1. Download the free Avira RegistryCleaner tool (remember the saving location)

  2. Start your computer in Safe Mode. To do so, reboot your computer and press the F8 key continuously during restart until the "Advanced Boot Options" screen appears. Select Safe Mode and confirm with Enter.

  3. Open Windows Explorer with the keyboard shortcut Win + E and manually delete all Avira directories found under the program and application data folders
    • Windows 7: C:\Program Files\
    • Windows 7: C:\ProgramData\
  4. Clean up the Windows registry using the previously downloaded "Avira Registry Cleaner" tool
    • Double-click the downloaded avira_registry_cleaner_en.exe file
    • Accept the license terms
    • Select ALL Avira products
    • Click Remove
  5. Reboot the computer to complete the manual uninstallation

======================================================================================
Please try to run:
Download ComboFix and save it to your flash disk.
Start your computer in safe mode with command prompt.
Plug the flashdrive into the infected PC.

In the command window:

  • type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\combofix.exe and press Enter
  • Note: Replace letter e with the drive letter of your flash drive.
