Help me delete the aiasfacoiaksf virus


  • This topic is locked
3 replies to this topic

#1 keviavi

keviavi

  • Members
  • 2 posts
  • OFFLINE

Posted 28 July 2016 - 06:03 AM

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 27-07-2016
Ran by Compaq (administrator) on COMPAQ-PC (29-07-2016 16:29:36)
Running from C:\Users\Compaq\Downloads
Loaded Profiles: Compaq (Available Profiles: Compaq)
Platform: Windows 7 Ultimate Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Realsil Microelectronics Inc.) C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe
(CANON INC.) C:\Windows\System32\CNAB4RPD.EXE
() C:\ProgramData\MobileBrServ\mbbService.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
( ) C:\Users\Compaq\AppData\Roaming\Images\image.exe
() C:\Users\Compaq\AppData\Roaming\NsCpuCNMiner\IMG002.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(CyberLink Corp.) C:\Program Files (x86)\CyberLink\YouCam\YouCamService.exe
( ) C:\Users\Compaq\AppData\Roaming\Images\image.exe
() C:\Users\Compaq\AppData\Roaming\NsCpuCNMiner\IMG002.exe
() C:\Users\Compaq\AppData\Roaming\NsCpuCNMiner\NsCpuCNMiner64.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2821416 2011-08-20] (Synaptics Incorporated)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2014-05-08] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2010-11-29] (Apple Inc.)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-322109716-3765770398-843547552-1000\...\Run: [Coin] => C:\Users\Compaq\AppData\Roaming\Images\image.exe [4678871 2015-05-19] ( )
HKU\S-1-5-21-322109716-3765770398-843547552-1000\...\Run: [] => C:\Users\Compaq\AppData\Roaming\NsCpuCNMiner\IMG002.exe [3412673 2015-10-12] ()
HKU\S-1-5-21-322109716-3765770398-843547552-1000\...\Run: [asodakaossd] => C:\Windows\system32\cmd.exe /c start C:\Users\Compaq\AppData\Roaming\aiasfacoafiasksf.vbs exit
HKU\S-1-5-21-322109716-3765770398-843547552-1000\...\MountPoints2: {1081ea76-aaff-11e5-922a-74de2b8c1bae} - F:\AutoRun.exe
HKU\S-1-5-21-322109716-3765770398-843547552-1000\...\MountPoints2: {2d639623-f0d1-11e5-be37-74de2b8c78a6} - F:\Lenovo_Suite.exe
HKU\S-1-5-21-322109716-3765770398-843547552-1000\...\MountPoints2: {dc2b4e98-981c-11e5-badc-74de2b8c1bae} - G:\Lenovo_Suite.exe
HKU\S-1-5-21-322109716-3765770398-843547552-1000\...\MountPoints2: {e6308017-44fc-11e6-8875-74de2b8c1bae} - F:\Windows/AutoRun.exe
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Canon LBP2900 Status Window.lnk [2016-03-31]
ShortcutTarget: Canon LBP2900 Status Window.lnk -> C:\Windows\System32\spool\drivers\x64\3\CNAB4LAD.EXE (CANON INC.)
Startup: C:\Users\Compaq\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\asodakaossd.lnk [2016-07-29]
ShortcutTarget: asodakaossd.lnk -> C:\Windows\System32\cmd.exe (Microsoft Corporation)
Startup: C:\Users\Compaq\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\image.lnk [2016-07-29]
ShortcutTarget: image.lnk -> C:\Users\Compaq\AppData\Roaming\Images\image.exe ( )
Startup: C:\Users\Compaq\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Run.lnk [2016-07-29]
ShortcutTarget: Run.lnk -> C:\Users\Compaq\AppData\Roaming\NsCpuCNMiner\IMG002.exe ()
Startup: C:\Users\kevi\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MagicDisc.lnk [2015-05-11]
ShortcutTarget: MagicDisc.lnk -> C:\Program Files (x86)\MagicDisc\MagicDisc.exe (No File)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 192.168.1.1 192.168.1.1
Tcpip\..\Interfaces\{107486E6-12D6-4741-BC1D-764B302B9F8E}: [DhcpNameServer] 192.168.1.1 192.168.1.1
Tcpip\..\Interfaces\{546F6CA4-5272-49CD-B31E-1773767D47E5}: [DhcpNameServer] 192.168.1.1 192.168.1.1
Tcpip\..\Interfaces\{8B07204E-BF85-498B-9910-9816FFCBB2A3}: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{CAF3BA7B-574C-48D1-9AE5-B914F9AC142F}: [DhcpNameServer] 192.168.1.1 192.168.1.1
 
Internet Explorer:
==================
BHO-x32: Groove GFS Browser Helper -> {72853161-30C5-4D22-B7F9-0BBC1D38A37E} -> C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll [2009-02-27] (Microsoft Corporation)
BHO-x32: QUICKfind BHO Object -> {C08DF07A-3E49-4E25-9AB0-D3882835F153} -> C:\PROGRA~2\IDM\QUICKF~1\PlugIns\IEHelp.dll => No File
 
FireFox:
========
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.30.3\npGoogleUpdate3.dll [2016-05-22] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.30.3\npGoogleUpdate3.dll [2016-05-22] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.1.3 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2014-07-23] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.1.5 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2014-07-23] (VideoLAN)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2014-08-05] (Adobe Systems Inc.)
 
Chrome: 
=======
CHR Profile: C:\Users\Compaq\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Docs) - C:\Users\Compaq\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2016-02-08]
CHR Extension: (Google Drive) - C:\Users\Compaq\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-02-08]
CHR Extension: (YouTube) - C:\Users\Compaq\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-02-08]
CHR Extension: (Google Search) - C:\Users\Compaq\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2016-02-08]
CHR Extension: (Google Docs Offline) - C:\Users\Compaq\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-03-18]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Compaq\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-07]
CHR Extension: (Gmail) - C:\Users\Compaq\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2016-02-08]
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 IconMan_R; C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe [1817088 2010-12-27] (Realsil Microelectronics Inc.) [File not signed]
R2 Mobile Broadband HL Service; C:\ProgramData\MobileBrServ\mbbservice.exe [242264 2014-11-20] ()
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-14] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 ebdrv; C:\Windows\system32\drivers\evbda.sys [3286016 2009-06-11] (Broadcom Corporation)
R0 iaStorF; C:\Windows\System32\DRIVERS\iaStorF.sys [28008 2013-12-18] (Intel Corporation)
S3 USBAAPL64; C:\Windows\System32\Drivers\usbaapl64.sys [54784 2015-06-17] (Apple, Inc.) [File not signed]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-07-29 16:29 - 2016-07-29 16:30 - 00008826 _____ C:\Users\Compaq\Downloads\FRST.txt
2016-07-29 16:29 - 2016-07-29 16:29 - 00000000 ____D C:\FRST
2016-07-29 16:28 - 2016-07-29 16:28 - 02394112 _____ (Farbar) C:\Users\Compaq\Downloads\FRST64.exe
2016-07-29 16:15 - 2016-07-29 16:15 - 00000000 _____ C:\Users\Compaq\Desktop\New Text Document.txt
2016-07-29 16:11 - 2016-07-29 16:11 - 00000000 ____D C:\Users\Compaq\AppData\Roaming\Synaptics
2016-07-29 16:11 - 2016-07-29 16:11 - 00000000 ____D C:\ProgramData\Synaptics
2016-07-29 16:05 - 2016-07-29 16:05 - 00000000 _____ C:\Windows\RTLHandleProcess.ini
2016-07-29 15:48 - 2016-07-29 16:09 - 00000000 ____D C:\AdwCleaner
2016-07-29 15:48 - 2016-07-29 15:48 - 00000000 ____D C:\Windows\SysWOW64\sda
2016-07-29 15:47 - 2016-07-29 15:47 - 00003130 _____ C:\Windows\System32\Tasks\{140E58CB-7033-41E7-BBA8-A7845637B8F7}
2016-07-29 15:47 - 2016-07-29 15:47 - 00000000 ____D C:\Program Files (x86)\Realtek
2016-07-29 15:47 - 2011-02-15 11:37 - 09888360 _____ (Realtek Semiconductor Corp.) C:\Windows\SysWOW64\RtsPStorIcon.dll
2016-07-29 15:47 - 2011-02-15 11:37 - 00335464 _____ (Realtek Semiconductor Corp.) C:\Windows\system32\Drivers\RtsPStor.sys
2016-07-29 15:46 - 2016-07-29 15:46 - 03712064 _____ C:\Users\Compaq\Downloads\AdwCleaner.exe
2016-07-29 15:45 - 2016-07-29 15:45 - 00000000 ____H C:\Windows\system32\Drivers\Msft_Kernel_SynTP_01009.Wdf
2016-07-29 15:44 - 2016-07-29 15:44 - 00000000 ____D C:\Program Files\Synaptics
2016-07-29 15:43 - 2016-07-29 15:43 - 00000000 ____D C:\Program Files\ATI
2016-07-29 15:43 - 2016-07-29 15:43 - 00000000 ____D C:\Program Files (x86)\AMD APP
2016-07-29 15:42 - 2016-07-29 15:42 - 00000000 ____D C:\Program Files\ATI Technologies
2016-07-29 15:39 - 2016-07-29 15:40 - 00000000 ____D C:\Program Files (x86)\AMD High-Definition Graphics Driver
2016-07-29 15:37 - 2016-07-29 15:37 - 00008499 _____ C:\Users\Compaq\Downloads\DriverEasyOnline.Scan (1).application
2016-07-29 15:36 - 2016-07-29 15:36 - 00000000 ____D C:\Users\Compaq\AppData\Local\Deployment
2016-07-29 15:36 - 2016-07-29 15:36 - 00000000 ____D C:\Users\Compaq\AppData\Local\Apps\2.0
2016-07-29 15:35 - 2016-07-29 15:35 - 00008499 _____ C:\Users\Compaq\Downloads\DriverEasyOnline.Scan.application
2016-07-29 14:48 - 2016-07-29 14:48 - 00000000 ____D C:\Users\Compaq\AppData\Local\WinISO Computing
2016-07-29 14:48 - 2016-07-29 14:48 - 00000000 ____D C:\Program Files (x86)\WinISO Computing
2016-07-29 14:43 - 2016-07-29 14:43 - 00004096 _____ C:\Users\Compaq\Downloads\windows7boot-32bit (1).bif
2016-07-29 14:41 - 2016-07-29 14:41 - 00004096 _____ C:\Users\Compaq\Downloads\windows7boot-32bit.bif
2016-07-29 13:02 - 2016-07-30 04:54 - 00000000 ____D C:\Users\Compaq\AppData\Local\Apps\Windows 7 USB DVD Download Tool
2016-07-29 13:01 - 2016-07-29 13:02 - 02721168 _____ (Microsoft Corporation) C:\Users\Compaq\Downloads\Windows7-USB-DVD-Download-Tool-Installer-en-US.exe
2016-07-29 11:21 - 2016-07-29 11:46 - 108497112 _____ (Hewlett-Packard ) C:\Users\Compaq\Downloads\sp54983.exe
2016-07-29 11:17 - 2016-07-29 11:19 - 09764576 _____ (Hewlett-Packard ) C:\Users\Compaq\Downloads\sp52186.exe
2016-07-29 11:11 - 2016-07-29 11:16 - 22970256 _____ (Hewlett-Packard Company ) C:\Users\Compaq\Downloads\sp52212.exe
2016-07-29 11:08 - 2016-07-29 11:10 - 11275144 _____ (Hewlett-Packard Company ) C:\Users\Compaq\Downloads\sp55843.exe
2016-07-29 10:37 - 2016-07-29 11:07 - 167961429 _____ (Hewlett-Packard ) C:\Users\Compaq\Downloads\sp54988 (1).exe
2016-07-29 08:16 - 2016-07-29 08:16 - 00000000 ____D C:\Users\Compaq\AppData\Roaming\Macromedia
2016-07-13 08:35 - 2016-07-29 16:06 - 00000278 _____ C:\Users\Compaq\AppData\Roaming\greethhefsf.exe
2016-07-13 08:35 - 2016-07-13 08:35 - 19492032 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerInstaller.exe
2016-07-08 17:02 - 2016-07-29 16:13 - 00000000 ____D C:\Users\Compaq\AppData\Roaming\NsCpuCNMiner
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-07-30 04:54 - 2009-07-14 08:50 - 00000000 ___HD C:\Windows\system32\GroupPolicy
2016-07-30 04:54 - 2009-07-14 08:50 - 00000000 ____D C:\Windows\SysWOW64\GroupPolicy
2016-07-30 04:54 - 2009-07-14 08:50 - 00000000 ____D C:\Windows\registration
2016-07-29 16:18 - 2009-07-14 10:15 - 00034048 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-07-29 16:18 - 2009-07-14 10:15 - 00034048 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-07-29 16:16 - 2009-07-14 10:43 - 00006166 _____ C:\Windows\system32\PerfStringBackup.INI
2016-07-29 16:12 - 2016-05-22 13:09 - 00000000 ____D C:\Users\Compaq\AppData\Roaming\Images
2016-07-29 16:12 - 2015-10-25 11:27 - 00000000 ____D C:\Users\Compaq\Documents\Youcam
2016-07-29 16:11 - 2014-08-11 18:30 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-07-29 16:11 - 2009-07-14 10:38 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-07-29 15:58 - 2014-08-11 18:30 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-07-29 15:48 - 2009-07-14 08:50 - 00000000 ____D C:\Windows\inf
2016-07-29 15:47 - 2014-11-22 06:23 - 00000000 ___HD C:\Program Files (x86)\InstallShield Installation Information
2016-07-29 15:47 - 2012-07-25 13:47 - 00000000 ___DC C:\SWSetup
2016-07-29 15:35 - 2014-08-11 18:43 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2016-07-29 15:32 - 2015-07-09 11:02 - 00000000 ____D C:\Users\Compaq
2016-07-29 12:01 - 2015-10-25 19:27 - 00000000 ____D C:\Users\Compaq\AppData\Roaming\vlc
2016-07-29 11:12 - 2014-08-11 18:30 - 00002207 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-07-13 21:30 - 2015-05-11 21:51 - 00000000 ____D C:\Users\kevi
2016-07-13 21:26 - 2016-01-25 20:08 - 00000000 ____D C:\Program Files\iPod
2016-07-13 21:24 - 2016-01-25 20:05 - 00000000 ____D C:\ProgramData\Apple
2016-07-13 08:35 - 2014-08-11 18:43 - 00796352 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2016-07-13 08:35 - 2014-08-11 18:43 - 00142528 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2016-07-13 08:35 - 2014-08-11 18:43 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2016-07-13 08:31 - 2009-07-14 08:50 - 00000000 ____D C:\Windows\system32\NDF
2016-07-05 20:38 - 2016-03-24 22:26 - 00000000 ____D C:\Users\Compaq\AppData\Roaming\dvdcss
 
==================== Files in the root of some directories =======
 
2016-07-13 08:35 - 2016-07-29 16:06 - 0000278 _____ () C:\Users\Compaq\AppData\Roaming\greethhefsf.exe
2015-12-11 17:19 - 2015-12-11 17:19 - 104648704 __RSH (slowthanwrote.com) C:\Users\Compaq\AppData\Roaming\obeolrsaho.exe
2015-11-24 23:04 - 2015-11-24 23:04 - 0000000 _____ () C:\Users\Compaq\AppData\Local\{76E1CFB6-B6AD-453F-8607-3CC5DE87782A}
2016-06-15 18:07 - 2016-06-15 18:07 - 0000000 _____ () C:\Users\Compaq\AppData\Local\{9E23F4D5-32BF-487F-9C48-660812002D4A}
 
Some files in TEMP:
====================
C:\Users\Compaq\AppData\Local\Temp\libeay32.dll
C:\Users\Compaq\AppData\Local\Temp\msvcr120.dll
C:\Users\Compaq\AppData\Local\Temp\sqlite3.dll
C:\Users\Compaq\AppData\Local\Temp\Syncios.exe
C:\Users\Compaq\AppData\Local\Temp\SynciosDeviceService.exe
C:\Users\Compaq\AppData\Local\Temp\{6FC8AFEB-9800-4DC7-832C-D44275788D87}-48.0.2564.103_47.0.2526.111_chrome_updater_3stage.exe
 
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2016-06-30 18:38
 
==================== End of FRST.txt ============================
 
 
 
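The entries worth attention in the log above are the persistence items: the two user Run values pointing at image.exe and IMG002.exe, the `asodakaossd` value that runs `cmd.exe /c start ...\aiasfacoafiasksf.vbs`, the matching Startup shortcuts, and the running NsCpuCNMiner64.exe process, all unsigned and all living under AppData\Roaming. The script below is an added example, not part of the original post and not FRST's own code: it re-reads a handful of lines copied from the log (plus benign entries constructed for contrast) and scores each with simple heuristics a malware-removal helper applies by eye. The rules and the "two reasons = high" threshold are my own assumptions.

```python
"""Triage FRST log lines for persistence entries that deserve a closer look.

Added example; the scoring rules below are the author's own heuristics,
not anything FRST itself does. Each rule that fires adds one reason:
  * the binary lives in a user-writable location (AppData\\Roaming outside
    the Startup folder, AppData\\Local\\Temp, ProgramData)
  * FRST printed an empty publisher "()" or "( )": no company name in the file
  * FRST tagged the file "[File not signed]"
  * the entry launches a script via "cmd.exe /c start <file>.vbs|.js|.bat|.ps1"
  * the path contains the word "miner"
Two or more reasons -> "high", one -> "review", none -> not reported.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the FRST log above, plus benign
# entries (Chrome, Synaptics, a Startup-folder shortcut) for contrast.
SAMPLE_LINES = [
    r"(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe",
    r"( ) C:\Users\Compaq\AppData\Roaming\Images\image.exe",
    r"() C:\Users\Compaq\AppData\Roaming\NsCpuCNMiner\NsCpuCNMiner64.exe",
    r"HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2821416 2011-08-20] (Synaptics Incorporated)",
    r"HKU\S-1-5-21-322109716-3765770398-843547552-1000\...\Run: [Coin] => C:\Users\Compaq\AppData\Roaming\Images\image.exe [4678871 2015-05-19] ( )",
    r"HKU\S-1-5-21-322109716-3765770398-843547552-1000\...\Run: [asodakaossd] => C:\Windows\system32\cmd.exe /c start C:\Users\Compaq\AppData\Roaming\aiasfacoafiasksf.vbs exit",
    r"Startup: C:\Users\Compaq\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Run.lnk [2016-07-29]",
    r"ShortcutTarget: Run.lnk -> C:\Users\Compaq\AppData\Roaming\NsCpuCNMiner\IMG002.exe ()",
    r"R2 IconMan_R; C:\Program Files (x86)\Realtek\Realtek PCIE Card Reader\RIconMan.exe [1817088 2010-12-27] (Realsil Microelectronics Inc.) [File not signed]",
    r"R2 Mobile Broadband HL Service; C:\ProgramData\MobileBrServ\mbbservice.exe [242264 2014-11-20] ()",
]

# The Startup folder itself sits under AppData\Roaming, so it is excluded
# from the "user-writable" rule; the shortcut target is judged separately.
USER_WRITABLE = re.compile(
    r"\\(?:AppData\\Roaming\\(?!Microsoft\\Windows\\Start Menu)"
    r"|AppData\\Local\\Temp\\|ProgramData\\)", re.I)
EMPTY_PUBLISHER = re.compile(r"\(\s*\)")          # "()" or "( )" at the end of a line
UNSIGNED = re.compile(r"\[File not signed\]")
SCRIPT_LAUNCH = re.compile(r"cmd\.exe\s+/c\s+start\s+\S+\.(?:vbs|js|bat|ps1)\b", re.I)
MINER_HINT = re.compile(r"miner", re.I)

RULES = [
    (USER_WRITABLE, "user-writable path"),
    (EMPTY_PUBLISHER, "empty publisher"),
    (UNSIGNED, "file not signed"),
    (SCRIPT_LAUNCH, "cmd.exe launches a script"),
    (MINER_HINT, "name contains 'miner'"),
]


@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)

    @property
    def severity(self) -> str:
        return "high" if len(self.reasons) >= 2 else "review"


def reasons_for(line: str) -> list:
    """Return the name of every rule that matches this log line, in RULES order."""
    return [name for pattern, name in RULES if pattern.search(line)]


def triage(lines) -> list:
    """Keep only the lines that trip at least one rule, in log order."""
    findings = []
    for line in lines:
        reasons = reasons_for(line)
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


def summary(findings) -> dict:
    """Count findings per severity, e.g. {'high': 6, 'review': 1}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LINES)
    for f in results:
        print(f"[{f.severity:6}] {', '.join(f.reasons)}")
        print(f"         {f.line}")
    print(summary(results))
```

Two caveats a practitioner should keep in mind. First, the output is a triage list for a human, not a fixlist: the Mobile Broadband HL Service line lands in "high" because it is an unsigned binary under ProgramData, yet the Installed Programs section of the second post attributes it to Huawei, so unsigned vendor software and malware look identical to this check. Second, the `asodakaossd` Run value and the `asodakaossd.lnk` Startup shortcut both point at cmd.exe rather than at the malicious file, which is why the publisher and path rules on their own would miss them and the script-launch rule is needed.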
#2 keviavi

keviavi
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE

Posted 28 July 2016 - 06:05 AM

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 27-07-2016
Ran by Compaq (2016-07-29 16:30:25)
Running from C:\Users\Compaq\Downloads
Windows 7 Ultimate Service Pack 1 (X64) (2015-07-09 05:32:12)
Boot Mode: Normal
==========================================================
 
 
==================== Accounts: =============================
 
Administrator (S-1-5-21-322109716-3765770398-843547552-500 - Administrator - Disabled)
Compaq (S-1-5-21-322109716-3765770398-843547552-1000 - Administrator - Enabled) => C:\Users\Compaq
Guest (S-1-5-21-322109716-3765770398-843547552-501 - Limited - Disabled)
HomeGroupUser$ (S-1-5-21-322109716-3765770398-843547552-1002 - Limited - Enabled)
 
==================== Security Center ========================
 
(If an entry is included in the fixlist, it will be removed.)
 
AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
 
==================== Installed Programs ======================
 
(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)
 
2007 Microsoft Office Suite Service Pack 3 (SP3) (HKLM-x32\...\{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}) (Version:  - Microsoft)
2007 Microsoft Office Suite Service Pack 3 (SP3) (x32 Version:  - Microsoft) Hidden
Adobe Flash Player 22 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 22.0.0.192 - Adobe Systems Incorporated)
Adobe PageMaker 7.0 (HKLM-x32\...\Adobe PageMaker 7.0) (Version: 7.0 - Adobe Systems, Inc.)
Adobe Photoshop 7.0 (HKLM-x32\...\Adobe Photoshop 7.0) (Version: 7.0 - Adobe Systems, Inc.)
Adobe Reader XI (11.0.08) (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AB0000000001}) (Version: 11.0.08 - Adobe Systems Incorporated)
ATI Catalyst Install Manager (HKLM\...\{B3C4ADC9-637E-DDD9-A66C-782AE5E2E667}) (Version: 3.0.829.0 - ATI Technologies, Inc.)
Cambridge School Dictionary (HKLM-x32\...\NSIS_csd) (Version:  - )
Canon LBP2900 (HKLM\...\Canon LBP2900) (Version:  - )
CorelDRAW Graphics Suite 12 (HKLM-x32\...\{505AFDC0-5E72-4928-8368-5DEA385E3647}) (Version: 12.0.0.458 - Corel Corporation)
CyberLink YouCam (HKLM-x32\...\InstallShield_{01FB4998-33C4-4431-85ED-079E3EEFE75D}) (Version: 5.0.3.3907 - CyberLink Corp.)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 51.0.2704.103 - Google Inc.)
Google Update Helper (x32 Version: 1.3.24.15 - Google Inc.) Hidden
Google Update Helper (x32 Version: 1.3.30.3 - Google Inc.) Hidden
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 9.17.10.3372 - Intel Corporation)
K-Lite Codec Pack 10.6.5 Full (HKLM-x32\...\KLiteCodecPack_is1) (Version: 10.6.5 - )
Microsoft .NET Framework 4.5 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50709 - Microsoft Corporation)
Microsoft Office Enterprise 2007 (HKLM-x32\...\ENTERPRISE) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Mobile Broadband HL Service (HKLM-x32\...\Mobile Broadband HL Service) (Version: 22.001.26.01.284 - Huawei Technologies Co.,Ltd)
Mozilla Firefox 33.1.1 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 33.1.1 (x86 en-US)) (Version: 33.1.1 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 33.1.1 - Mozilla)
Nero Burning ROM_Nero Express (HKLM-x32\...\Nero Burning ROM_Nero Express) (Version:  - )
QUICKfind server v1.1 (HKLM-x32\...\QUICKfind) (Version:  - IDM)
QuickTime (HKLM-x32\...\{57752979-A1C9-4C02-856B-FBB27AC4E02C}) (Version: 7.69.80.9 - Apple Inc.)
Realtek PCIE Card Reader (HKLM-x32\...\{C1594429-8296-4652-BF54-9DBE4932A44C}) (Version: 6.1.7600.77 - Realtek Semiconductor Corp.)
Synaptics TouchPad Driver (HKLM\...\SynTPDeinstKey) (Version: 15.3.21.0 - Synaptics Incorporated)
The KMPlayer (remove only) (HKLM-x32\...\The KMPlayer) (Version: 3.9.0.127 - PandoraTV)
VLC media player (HKLM-x32\...\VLC media player) (Version: 2.1.5 - VideoLAN)
WinRAR 5.10 (64-bit) (HKLM\...\WinRAR archiver) (Version: 5.10.0 - win.rar GmbH)
 
==================== Custom CLSID (Whitelisted): ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== Scheduled Tasks (Whitelisted) =============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
Task: {0A479E20-9707-4DFD-9AF8-1FE1841ED499} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2016-07-13] (Adobe Systems Incorporated)
Task: {0D9363D2-83CC-492B-9AA0-380847F1C93C} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2016-01-26] (Google Inc.)
Task: {544BCABB-9906-48DE-A9E1-EAE6108DA857} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2016-01-26] (Google Inc.)
Task: {6746DECA-B41D-47AB-8A7D-F0D6827C18A3} - System32\Tasks\YCMServiceAgent => C:\Program Files (x86)\CyberLink\YouCam\YouCamService.exe [2014-03-07] (CyberLink Corp.)
Task: {9DBDE330-B131-4BC8-A136-92AE9129C4A9} - System32\Tasks\{140E58CB-7033-41E7-BBA8-A7845637B8F7} => pcalua.exe -a C:\Users\Compaq\Downloads\sp52212.exe -d C:\Users\Compaq\Downloads
 
(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)
 
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
 
==================== Shortcuts =============================
 
(The entries could be listed to be restored or removed.)
 
==================== Loaded Modules (Whitelisted) ==============
 
2016-05-22 19:23 - 2014-11-20 14:18 - 00242264 _____ () C:\ProgramData\MobileBrServ\mbbservice.exe
2015-07-09 11:06 - 2013-12-06 23:16 - 00094208 _____ () C:\Windows\System32\IccLibDll_x64.dll
2016-07-08 17:02 - 2015-10-12 12:07 - 03412673 _____ () C:\Users\Compaq\AppData\Roaming\NsCpuCNMiner\IMG002.exe
2014-07-23 17:39 - 2014-07-23 17:39 - 01563136 _____ () C:\Users\Compaq\AppData\Roaming\NsCpuCNMiner\NsCpuCNMiner64.exe
2016-07-29 16:12 - 2016-07-29 16:12 - 00011264 _____ () C:\Users\Compaq\AppData\Local\Temp\nsaAEE5.tmp\System.dll
2016-07-29 11:12 - 2016-06-15 14:45 - 01745560 _____ () C:\Program Files (x86)\Google\Chrome\Application\51.0.2704.103\libglesv2.dll
2016-07-29 11:12 - 2016-06-15 14:45 - 00091288 _____ () C:\Program Files (x86)\Google\Chrome\Application\51.0.2704.103\libegl.dll
2016-07-29 16:12 - 2016-07-29 16:12 - 00011264 _____ () C:\Users\Compaq\AppData\Local\Temp\nsaFB5F.tmp\System.dll
 
==================== Alternate Data Streams (Whitelisted) =========
 
(If an entry is included in the fixlist, only the ADS will be removed.)
 
 
==================== Safe Mode (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)
 
 
==================== Association (Whitelisted) ===============
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed.)
 
 
==================== Internet Explorer trusted/restricted ===============
 
(If an entry is included in the fixlist, it will be removed from the registry.)
 
 
==================== Hosts content: ===============================
 
(If needed Hosts: directive could be included in the fixlist to reset Hosts.)
 
2009-07-14 08:04 - 2009-06-11 02:30 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts
 
 
==================== Other Areas ============================
 
(Currently there is no automatic fix for this section.)
 
HKU\S-1-5-21-322109716-3765770398-843547552-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\Compaq\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg
DNS Servers: 192.168.1.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.
 
==================== MSCONFIG/TASK MANAGER disabled items ==
 
(Currently there is no automatic fix for this section.)
 
MSCONFIG\startupfolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk => C:\Windows\pss\Adobe Gamma Loader.lnk.CommonStartup
MSCONFIG\startupreg: CorelDRAW Graphics Suite 11b => C:\Program Files (x86)\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=120614 serial=DR12WEX-1504397-KTY lang=EN
MSCONFIG\startupreg: GrooveMonitor => "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
 
==================== FirewallRules (Whitelisted) ===============
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
FirewallRules: [{2B501853-5B6D-4AB6-B6EA-279D97CEBA61}] => (Allow) C:\Program Files (x86)\PANDORA.TV\PanService\PandoraService.exe
FirewallRules: [{C5753F84-569E-417B-A94A-C0A511D64030}] => (Allow) C:\Program Files (x86)\PANDORA.TV\PanService\PandoraService.exe
FirewallRules: [{52D80554-AB5D-46D4-AB28-1290A10908CC}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{809F1C55-78D4-46EF-A03D-5CDBF8D7283F}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe
FirewallRules: [{027C1CF8-9B53-485D-AD61-803AEDCECCB4}] => (Allow) C:\Windows\System32\CNAB4RPD.EXE
FirewallRules: [{0F5A167F-1DF1-4AE6-BFCE-FBEEAD2DBD0D}] => (Allow) C:\Windows\System32\CNAB4RPD.EXE
FirewallRules: [{8385E4A5-3BC8-4728-9920-2664BE14D852}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
==================== Restore Points =========================
 
10-06-2016 20:37:51 Scheduled Checkpoint
01-07-2016 16:59:08 Scheduled Checkpoint
13-07-2016 13:30:59 Windows Update
13-07-2016 21:24:00 Removed Apple Application Support (32-bit)
13-07-2016 21:25:34 Removed iTunes
29-07-2016 13:02:28 Installed Windows 7 USB/DVD Download Tool
29-07-2016 15:47:39 Installed Realtek PCIE Card Reader
 
==================== Faulty Device Manager Devices =============
 
 
==================== Event log errors: =========================
 
Application errors:
==================
Error: (07/29/2016 04:16:28 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3011) (User: NT AUTHORITY)
Description: Unloading the performance counter strings for service WmiApRpl (WmiApRpl) failed. The first DWORD in the Data section contains the error code.
 
Error: (07/29/2016 04:16:28 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3012) (User: NT AUTHORITY)
Description: The performance strings in the Performance registry value is corrupted when process Performance extension counter provider. The BaseIndex value from the Performance registry is the first DWORD in the Data section, LastCounter value is the second DWORD in the Data section, and LastHelp value is the third DWORD in the Data section.
 
Error: (07/29/2016 04:12:52 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (07/29/2016 03:58:10 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3011) (User: NT AUTHORITY)
Description: Unloading the performance counter strings for service WmiApRpl (WmiApRpl) failed. The first DWORD in the Data section contains the error code.
 
Error: (07/29/2016 03:58:10 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3012) (User: NT AUTHORITY)
Description: The performance strings in the Performance registry value is corrupted when process Performance extension counter provider. The BaseIndex value from the Performance registry is the first DWORD in the Data section, LastCounter value is the second DWORD in the Data section, and LastHelp value is the third DWORD in the Data section.
 
Error: (07/29/2016 03:50:22 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3011) (User: NT AUTHORITY)
Description: Unloading the performance counter strings for service WmiApRpl (WmiApRpl) failed. The first DWORD in the Data section contains the error code.
 
Error: (07/29/2016 03:50:22 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3012) (User: NT AUTHORITY)
Description: The performance strings in the Performance registry value is corrupted when process Performance extension counter provider. The BaseIndex value from the Performance registry is the first DWORD in the Data section, LastCounter value is the second DWORD in the Data section, and LastHelp value is the third DWORD in the Data section.
 
Error: (07/29/2016 03:36:12 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3011) (User: NT AUTHORITY)
Description: Unloading the performance counter strings for service WmiApRpl (WmiApRpl) failed. The first DWORD in the Data section contains the error code.
 
Error: (07/29/2016 03:36:12 PM) (Source: Microsoft-Windows-LoadPerf) (EventID: 3012) (User: NT AUTHORITY)
Description: The performance strings in the Performance registry value is corrupted when process Performance extension counter provider. The BaseIndex value from the Performance registry is the first DWORD in the Data section, LastCounter value is the second DWORD in the Data section, and LastHelp value is the third DWORD in the Data section.
 
Error: (07/29/2016 03:33:37 PM) (Source: WinMgmt) (EventID: 10) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
 
System errors:
=============
Error: (07/29/2016 04:17:19 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Peer Name Resolution Protocol service terminated with the following error: 
%%-2140993535
 
Error: (07/29/2016 04:17:19 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Peer Networking Grouping service depends on the Peer Name Resolution Protocol service which failed to start because of the following error: 
%%-2140993535
 
Error: (07/29/2016 04:17:19 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Peer Name Resolution Protocol service terminated with the following error: 
%%-2140993535
 
Error: (07/29/2016 04:17:19 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Peer Networking Grouping service depends on the Peer Name Resolution Protocol service which failed to start because of the following error: 
%%-2140993535
 
Error: (07/29/2016 04:17:19 PM) (Source: Service Control Manager) (EventID: 7023) (User: )
Description: The Peer Name Resolution Protocol service terminated with the following error: 
%%-2140993535
 
Error: (07/29/2016 04:17:19 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Peer Networking Grouping service depends on the Peer Name Resolution Protocol service which failed to start because of the following error: 
%%-2140993535
 
Error: (07/29/2016 04:17:19 PM) (Source: PNRPSvc) (EventID: 102) (User: )
Description: 0x80630801
 
Error: (07/29/2016 04:17:19 PM) (Source: PNRPSvc) (EventID: 102) (User: )
Description: 0x80630801
 
Error: (07/29/2016 04:17:19 PM) (Source: PNRPSvc) (EventID: 102) (User: )
Description: 0x80630801
 
Error: (07/29/2016 04:12:09 PM) (Source: Service Control Manager) (EventID: 7001) (User: )
Description: The Peer Networking Grouping service depends on the Peer Name Resolution Protocol service which failed to start because of the following error: 
%%-2140993535
 
 
CodeIntegrity:
===================================
  Date: 2016-07-01 16:53:06.049
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\ELAMBKUP\klelam.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2016-07-01 16:53:06.049
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\ELAMBKUP\klelam.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2016-07-01 16:53:06.049
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\ELAMBKUP\klelam.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2016-07-01 16:53:06.018
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 14.0.0\KLELAMX64\klelam.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2016-07-01 16:53:06.018
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 14.0.0\KLELAMX64\klelam.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2016-07-01 16:53:06.018
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 14.0.0\KLELAMX64\klelam.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2016-06-30 18:39:31.542
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\ELAMBKUP\klelam.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2016-06-30 18:39:31.527
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\ELAMBKUP\klelam.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2016-06-30 18:39:31.527
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Windows\ELAMBKUP\klelam.sys because the set of per-page image hashes could not be found on the system.
 
  Date: 2016-06-30 18:39:31.511
  Description: Code Integrity is unable to verify the image integrity of the file \Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 14.0.0\KLELAMX64\klelam.sys because the set of per-page image hashes could not be found on the system.
 
 
==================== Memory info =========================== 
 
Processor: Intel® Pentium® CPU B960 @ 2.20GHz
Percentage of memory in use: 62%
Total physical RAM: 1899.86 MB
Available physical RAM: 719.89 MB
Total Virtual: 3799.72 MB
Available Virtual: 2337.14 MB
 
==================== Drives ================================
 
Drive c: () (Fixed) (Total:122.02 GB) (Free:89.33 GB) NTFS
Drive d: (Backup) (Fixed) (Total:48.78 GB) (Free:48.68 GB) NTFS
Drive e: (PLZ USE) (Fixed) (Total:127.19 GB) (Free:127.09 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 298.1 GB) (Disk ID: 1707A8A5)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=122 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=127.2 GB) - (Type=07 NTFS)
Partition 4: (Not Active) - (Size=48.8 GB) - (Type=OF Extended)
 
==================== End of Addition.txt ============================

Edited by hamluis, 28 July 2016 - 06:51 AM.
Moved from Win 7 to Malware Removal Logs - Hamluis.


#3 nasdaq

nasdaq

  • Malware Response Team
  • 40,476 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:13 AM

Posted 29 July 2016 - 09:53 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.

Please copy the entire contents of the code box below to a new file.


Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

( ) C:\Users\Compaq\AppData\Roaming\Images\image.exe
( ) C:\Users\Compaq\AppData\Roaming\Images\image.exe
() C:\Users\Compaq\AppData\Roaming\NsCpuCNMiner\NsCpuCNMiner64.exe
HKU\S-1-5-21-322109716-3765770398-843547552-1000\...\Run: [Coin] => C:\Users\Compaq\AppData\Roaming\Images\image.exe [4678871 2015-05-19] ( )
HKU\S-1-5-21-322109716-3765770398-843547552-1000\...\Run: [] => C:\Users\Compaq\AppData\Roaming\NsCpuCNMiner\IMG002.exe [3412673 2015-10-12] ()
HKU\S-1-5-21-322109716-3765770398-843547552-1000\...\Run: [asodakaossd] => C:\Windows\system32\cmd.exe /c start C:\Users\Compaq\AppData\Roaming\aiasfacoafiasksf.vbs exit
Startup: C:\Users\Compaq\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\asodakaossd.lnk [2016-07-29]
ShortcutTarget: asodakaossd.lnk -> C:\Windows\System32\cmd.exe (Microsoft Corporation)
Startup: C:\Users\Compaq\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\image.lnk [2016-07-29]
ShortcutTarget: image.lnk -> C:\Users\Compaq\AppData\Roaming\Images\image.exe ( )
Startup: C:\Users\Compaq\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Run.lnk [2016-07-29]
ShortcutTarget: Run.lnk -> C:\Users\Compaq\AppData\Roaming\NsCpuCNMiner\IMG002.exe ()
BHO-x32: QUICKfind BHO Object -> {C08DF07A-3E49-4E25-9AB0-D3882835F153} -> C:\PROGRA~2\IDM\QUICKF~1\PlugIns\IEHelp.dll => No File
CHR Extension: (Chrome Web Store Payments) - C:\Users\Compaq\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-07]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
C:\Users\Compaq\AppData\Roaming\Images
C:\Users\Compaq\AppData\Roaming\NsCpuCNMiner
C:\Users\Compaq\AppData\Roaming\aiasfacoafiasksf.vbs
C:\Users\Compaq\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\asodakaossd.lnk
C:\Users\Compaq\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\image.lnk
C:\Users\Compaq\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Run.lnk
C:\Users\Compaq\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda
C:\Users\Compaq\AppData\Local\Temp\nsaAEE5.tmp

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Download Malwarebytes' Anti-Malware from Here

Double-click mbam-setup-2.X.X.XXXX.exe to install the application (X's are the current version number).
  • Make sure a checkmark is placed next to Launch Malwarebytes' Anti-Malware, then click Finish.
  • Once MBAM opens, when it says Your databases are out of date, click the Fix Now button.
  • Click the Settings tab at the top, and then in the left column, select Detections and Protections, and if not already checked place a checkmark in the selection box for Scan for rootkits.
  • Click the Scan tab at the top of the program window, select Threat Scan and click the Scan Now button.
  • If you receive a message that updates are available, click the Update Now button (the update will be downloaded, installed, and the scan will start).
  • The scan may take some time to finish, so please be patient.
  • If potential threats are detected, ensure that Quarantine is selected as the Action for all the listed items, and click the Apply Actions button.
  • While still on the Scan tab, click the link for View detailed log, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log is automatically saved by MBAM and can also be viewed by clicking the History tab and then selecting Application Logs.
POST THE LOG FOR MY REVIEW.

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===

Please post the logs and let me know what problem persists with this computer.
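The fixlist above removes autostart entries that the helper picked out of the FRST log by eye: unsigned binaries started from the user's roaming profile, and a Run value that launches a VBS script through cmd.exe. As an added example (not the helper's or FRST's code), the Python below applies those same heuristics to the Run and ShortcutTarget lines quoted from this thread's log; the regular expressions for FRST's line format are my reading of the lines on this page and are an assumption, not documented FRST syntax.

```python
import re
# FRST "Run" line (format inferred from this page, an assumption): HKU\<SID>\...\Run: [Name] => <command> [size date] (Publisher); last two parts optional.
RUN_RE = re.compile(
    r"^HK[A-Z]+(?:\\[^\\]+)?\\\.\.\.\\Run: \[(?P<name>[^\]]*)\] => "
    r"(?P<command>.*?)(?: \[\d+ \d{4}-\d{2}-\d{2}\])?(?: \((?P<publisher>[^)]*)\))?\s*$"
)
# Startup-folder .lnk line. FRST prints only the target, not the arguments, so a bare cmd.exe still needs a look.
LNK_RE = re.compile(r"^ShortcutTarget: (?P<name>\S+) -> (?P<command>.*?)(?: \((?P<publisher>[^)]*)\))?\s*$")
ROAMING_RE = re.compile(r"\\AppData\\Roaming\\", re.IGNORECASE)
INTERPRETER_RE = re.compile(r"\\(?:cmd|wscript|cscript|powershell|mshta)\.exe\b", re.IGNORECASE)
SCRIPT_RE = re.compile(r"\.(?:vbs|vbe|js|jse|wsf|bat|cmd|ps1)\b", re.IGNORECASE)

def triage_line(line):
    """Return (entry name, reasons) for a Run/ShortcutTarget line, None otherwise; [] means it passed."""
    m = RUN_RE.match(line) or LNK_RE.match(line)
    if not m:
        return None
    command = m.group("command")
    publisher = (m.group("publisher") or "").strip()
    reasons = []
    if ROAMING_RE.search(command):
        reasons.append("runs from the user's roaming profile rather than Program Files")
    if not publisher:
        reasons.append("FRST found no publisher information for the file")
    if INTERPRETER_RE.search(command):
        reasons.append("launched through a shell or script interpreter")
    if SCRIPT_RE.search(command):
        reasons.append("command references a script file")
    return m.group("name"), reasons

def triage_log(text):
    """Map each flagged autostart entry (Run value name or .lnk name) to its list of reasons."""
    flagged = {}
    for line in text.splitlines():
        result = triage_line(line.strip())
        if result and result[1]:
            flagged[result[0]] = result[1]
    return flagged

# Autostart lines quoted from the FRST log posted in this thread.
SAMPLE_LOG = r"""
HKU\S-1-5-21-322109716-3765770398-843547552-1000\...\Run: [Coin] => C:\Users\Compaq\AppData\Roaming\Images\image.exe [4678871 2015-05-19] ( )
HKU\S-1-5-21-322109716-3765770398-843547552-1000\...\Run: [] => C:\Users\Compaq\AppData\Roaming\NsCpuCNMiner\IMG002.exe [3412673 2015-10-12] ()
HKU\S-1-5-21-322109716-3765770398-843547552-1000\...\Run: [asodakaossd] => C:\Windows\system32\cmd.exe /c start C:\Users\Compaq\AppData\Roaming\aiasfacoafiasksf.vbs exit
ShortcutTarget: asodakaossd.lnk -> C:\Windows\System32\cmd.exe (Microsoft Corporation)
ShortcutTarget: image.lnk -> C:\Users\Compaq\AppData\Roaming\Images\image.exe ( )
"""
if __name__ == "__main__":
    for name, reasons in triage_log(SAMPLE_LOG).items():
        print(f"[{name or '<no name>'}] " + "; ".join(reasons))
```

Note that the Startup shortcut pointing at a signed cmd.exe is caught only by the interpreter heuristic; the .lnk itself has to be opened to see which script it hands to cmd.exe.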

#4 nasdaq

nasdaq

  • Malware Response Team
  • 40,476 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:03:13 AM

Posted 04 August 2016 - 10:16 AM

Are you still with me?



