Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

# I am Infected. No Admin permission. Nine/consultant.exe

6 replies to this topic

### #1 Badthingsmann

Badthingsmann

• Members
• 12 posts
• OFFLINE
•
• Gender:Male
• Local time:12:59 PM

Posted 15 August 2016 - 10:52 PM

Admin privileges are basically gone.

I have been using ADW the Browsers, lots disease.

The best thing i could say is music would or an audio commercial

I would open Task Manager and kill something called  "nine" I would end and audio ad would stop

the details upon right click were "consultant.exe" which I would delete and do the cycle over again

I can provide what you wish I tried on my own but i am a failure

any help would be a blessing

shawn

### #2 Oh My!

Oh My!

Adware and Spyware and Malware.....

• Malware Response Instructor
• 37,457 posts
• OFFLINE
•
• Gender:Male
• Location:California
• Local time:04:59 AM

Posted 19 August 2016 - 05:29 PM

Greetings Shawn and to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

===================================================

Ground Rules:
• First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met.
• Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
• Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
• Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me.
• When you post your reply, use the button instead.
• In the upper right hand corner of the topic you will see the button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
• If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
• When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
• I would like to remind you to make no further changes to your computer unless I direct you to do so.
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far. Please allow me just a bit of time to review what you have posted.
Gary

If I do not reply within 24 hours please send me a Personal Message.

"May you be richly rewarded by the Lord, the God of Israel, under whose wings you have come to take refuge."

### #3 Oh My!

Oh My!

Adware and Spyware and Malware.....

• Malware Response Instructor
• 37,457 posts
• OFFLINE
•
• Gender:Male
• Location:California
• Local time:04:59 AM

Posted 19 August 2016 - 06:31 PM

Greetings.

Can you tell me if this looks familiar to you?

Israel Tel Aviv Xglobe Online Ltd

Please consider and do this.

===================================================

Peer to Peer (P2P) Warning

--------------------

Going over your logs I noticed that you have evidence of P2P downloads. It is pretty much certain that if you continue to use P2P programs, you will get infected again.
• Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
• They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
• Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
• The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.
If you are still leaning toward using this program, please take a look at this information about Ransomware which can be delivered via P2P file transfers. The newest variation of Ransomware can make it impossible to recover the files this malicious software encrypts. In other words, you will probably lose most if not all of your valuable information, including pictures. In addition it has recently been reported that P2P downloads may be tracked resulting in your IP address being monitored by copyright authorities.

===================================================

Farbar's Recovery Scan Tool - Run Fix in Normal or Safe Mode

--------------------
• Press the Windows key + r on your keyboard at the same time. Type in notepad and press Enter
• Please copy and paste the contents of the below code box into the open notepad and save it as fixlist.txt in the same location/folder as FRST.exe (<<<Important)
CloseProcesses:
HKLM\...\Run: [blabbed] => "C:\Program Files (x86)\gatsby\consultant.exe"
C:\Program Files (x86)\gatsby
HKLM-x32\...\Run: [gabriela] => "C:\Program Files (x86)\gatsby\consultant.exe"
HKLM-x32\...\RunOnce: [DeleteOnReboot] => C:\Users\SCP\AppData\Local\Temp\DeleteOnReboot.bat [188 2016-08-15] () <===== ATTENTION
C:\Users\SCP\AppData\Local\Temp\DeleteOnReboot.bat
ShellIconOverlayIdentifiers: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  No File
ShellIconOverlayIdentifiers: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} =>  No File
ShellIconOverlayIdentifiers: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} =>  No File
ShellIconOverlayIdentifiers: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  No File
ShellIconOverlayIdentifiers: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  No File
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-4286382873-1239181767-2200445674-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
URLSearchHook: HKLM-x32 - (No Name) - {6341761b-babe-406d-b0d6-8d99b81c2ee5} - No File
URLSearchHook: HKU\S-1-5-21-4286382873-1239181767-2200445674-1001 - (No Name) - {6341761b-babe-406d-b0d6-8d99b81c2ee5} - No File
SearchScopes: HKLM-x32 -> DefaultScope {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL =
BHO-x32: Adblock Plus for IE Browser Helper Object -> {FFCB3198-32F3-4E8B-9539-4324694ED664} -> C:\Program Files\Adblock Plus for IE\AdblockPlus32.dll => No File
Handler: WSAllMyTubechrome - {0A0C95CF-A116-4C74 -  No File
FF HKLM-x32\...\Thunderbird\Extensions: [eplgTb@eset.com] - C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird => not found
FF HKU\S-1-5-21-4286382873-1239181767-2200445674-1001\...\SeaMonkey\Extensions: [mozilla_cc2@internetdownloadmanager.com] - C:\Program Files (x86)\Internet Download Manager\idmmzcc2.xpi => not found
S2 gupdate; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc [X]
S3 gupdatem; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc [X]
S2 ibtsiva; %SystemRoot%\system32\ibtsiva [X]
S1 1e2edd601191a4324294037fc91a028e; \??\C:\WINDOWS\system32\drivers\1e2edd601191a4324294037fc91a028e.sys [X]
2016-08-15 23:15 - 2016-08-15 23:15 - 00000302 _____ C:\WINDOWS\Tasks\Da7237674072376740.job
2016-08-15 23:14 - 2016-08-09 07:21 - 00319488 _____ C:\Users\SCP\AppData\Local\consultant.exe
2016-08-15 22:51 - 2016-08-15 22:51 - 00000180 _____ C:\WINDOWS\system32\{A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat
2016-08-15 11:02 - 2016-08-15 23:15 - 00000348 _____ C:\WINDOWS\Tasks\72376740.job
2016-08-09 10:59 - 2016-08-09 11:22 - 00000000 ____D C:\Users\SCP\Downloads\bleepu
2016-08-09 10:30 - 2016-08-14 18:56 - 00000080 _____ C:\Users\SCP\Desktop\Internet Explorer.lnk
2016-08-09 08:46 - 2016-08-09 08:46 - 00000000 ___HD C:\Program Files (x86)\reprints
2016-08-09 08:44 - 2016-08-09 08:45 - 00000000 ____D C:\WINDOWS\system32\SSL
2016-08-09 08:44 - 2016-08-09 08:44 - 00031443 _____ C:\WINDOWS\ee618e655ce8647e1e4db21895190569.ps1
2016-08-09 08:44 - 2016-08-09 08:44 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Social2Se Browser Enhancer
2016-08-09 08:44 - 2016-08-08 11:04 - 00519696 ___SH C:\Users\SCP\AppData\Roaming\KSAaDJSIHghQ
2016-08-09 08:44 - 2016-08-08 11:04 - 00036423 ___SH C:\Users\SCP\AppData\Roaming\EeIQKCHSHPgVUTdGdPR
2016-08-09 07:21 - 2016-08-09 07:21 - 00319488 _____ C:\WINDOWS\oxidizes.exe
2016-07-25 10:28 - 2016-07-10 15:42 - 00000000 ____D C:\iolo
2016-08-15 23:14 - 2016-08-09 07:21 - 0319488 _____ () C:\Users\SCP\AppData\Local\consultant.exe
2016-05-27 14:28 - 2016-05-27 14:28 - 0004864 _____ () C:\ProgramData\oqztiqep.adk
C:\Users\SCP\AppData\Local\Temp\DeleteOnReboot.bat
C:\Users\SCP\dism.exe
C:\Users\SCP\update-bfbc2.bat
C:\Users\SCP\update-mw3.bat
C:\Users\SCP\update-NBA2K16.bat
C:\Users\SCP\update-NFSMW2012.bat
C:\Windows\Tasks\{41E416B6-ADCD-0679-F263-47F63A4C3895}.job
Task: C:\WINDOWS\Tasks\72376740.job => C:\Users\SCP\AppData\Local\consultant.exe
Task: C:\WINDOWS\Tasks\Da7237674072376740.job => C:\Users\SCP\AppData\Local\consultant.exe
Task: C:\WINDOWS\Tasks\HPCeeScheduleForSCP.job =>
Task: C:\WINDOWS\Tasks\{41E416B6-ADCD-0679-F263-47F63A4C3895}.job =>
CMD: type "C:\ComboFix.txt"

• Right click on FRST.exe, select Run as administrator then press the Fix button
• When completed he tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
• Boot into Normal Boot and check the performance
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
• Fixlog
• Update on computer performance

Gary

If I do not reply within 24 hours please send me a Personal Message.

"May you be richly rewarded by the Lord, the God of Israel, under whose wings you have come to take refuge."

### #4 Badthingsmann

Badthingsmann
• Topic Starter

• Members
• 12 posts
• OFFLINE
•
• Gender:Male
• Local time:12:59 PM

Posted 22 August 2016 - 07:34 AM

Fix result of Farbar Recovery Scan Tool (x64) Version: 21-08-2016 01
Ran by SCP (22-08-2016 07:41:20) Run:1
Running from C:\Users\SCP\Desktop\bleep
Loaded Profiles: SCP (Available Profiles: SCP & scp11 & Guest)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CloseProcesses:
HKLM\...\Run: [blabbed] => "C:\Program Files (x86)\gatsby\consultant.exe"
C:\Program Files (x86)\gatsby
HKLM-x32\...\Run: [gabriela] => "C:\Program Files (x86)\gatsby\consultant.exe"
HKLM-x32\...\RunOnce: [DeleteOnReboot] => C:\Users\SCP\AppData\Local\Temp\DeleteOnReboot.bat [188 2016-08-15] () <===== ATTENTION
C:\Users\SCP\AppData\Local\Temp\DeleteOnReboot.bat
ShellIconOverlayIdentifiers: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  No File
ShellIconOverlayIdentifiers: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} =>  No File
ShellIconOverlayIdentifiers: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} =>  No File
ShellIconOverlayIdentifiers: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  No File
ShellIconOverlayIdentifiers: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  No File
HKLM\SOFTWARE\Policies\Microsoft
Internet
Explorer
: Restriction <======= ATTENTION
HKU\S-1-5-21-4286382873-1239181767-2200445674-1001\SOFTWARE\Policies\Microsoft
Internet
Explorer
: Restriction <======= ATTENTION
URLSearchHook: HKLM-x32 - (No Name) - {6341761b-babe-406d-b0d6-8d99b81c2ee5} - No File
URLSearchHook: HKU\S-1-5-21-4286382873-1239181767-2200445674-1001 - (No Name) - {6341761b-babe-406d-b0d6-8d99b81c2ee5} - No File
SearchScopes: HKLM-x32 -> DefaultScope {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL =
BHO-x32: Adblock Plus for IE Browser Helper Object -> {FFCB3198-32F3-4E8B-9539-4324694ED664} -> C:\Program Files\Adblock Plus for IE\AdblockPlus32.dll => No File
Handler: WSAllMyTubechrome - {0A0C95CF-A116-4C74 -  No File
FF HKLM-x32\...\Thunderbird\Extensions: [eplgTb@eset.com] - C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird => not found
FF HKU\S-1-5-21-4286382873-1239181767-2200445674-1001\...\SeaMonkey\Extensions: [mozilla_cc2@internetdownloadmanager.com] - C:\Program Files (x86)\Internet Download Manager\idmmzcc2.xpi => not found
S2 gupdate; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc [X]
S3 gupdatem; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc [X]
S2 ibtsiva; %SystemRoot%\system32\ibtsiva [X]
S1 1e2edd601191a4324294037fc91a028e; \??\C:\WINDOWS\system32\drivers\1e2edd601191a4324294037fc91a028e.sys [X]
2016-08-15 23:15 - 2016-08-15 23:15 - 00000302 _____ C:\WINDOWS\Tasks\Da7237674072376740.job
2016-08-15 23:14 - 2016-08-09 07:21 - 00319488 _____ C:\Users\SCP\AppData\Local\consultant.exe
2016-08-15 22:51 - 2016-08-15 22:51 - 00000180 _____ C:\WINDOWS\system32\{A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat
2016-08-15 11:02 - 2016-08-15 23:15 - 00000348 _____ C:\WINDOWS\Tasks\72376740.job
2016-08-09 10:59 - 2016-08-09 11:22 - 00000000 ____D C:\Users\SCP\Downloads\bleepu
2016-08-09 10:30 - 2016-08-14 18:56 - 00000080 _____ C:\Users\SCP\Desktop
Internet
Explorer
.lnk
2016-08-09 08:46 - 2016-08-09 08:46 - 00000000 ___HD C:\Program Files (x86)\reprints
2016-08-09 08:44 - 2016-08-09 08:45 - 00000000 ____D C:\WINDOWS\system32\SSL
2016-08-09 08:44 - 2016-08-09 08:44 - 00031443 _____ C:\WINDOWS\ee618e655ce8647e1e4db21895190569.ps1
2016-08-09 08:44 - 2016-08-09 08:44 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Social2Se Browser Enhancer
2016-08-09 08:44 - 2016-08-08 11:04 - 00519696 ___SH C:\Users\SCP\AppData\Roaming\KSAaDJSIHghQ
2016-08-09 08:44 - 2016-08-08 11:04 - 00036423 ___SH C:\Users\SCP\AppData\Roaming\EeIQKCHSHPgVUTdGdPR
2016-08-09 07:21 - 2016-08-09 07:21 - 00319488 _____ C:\WINDOWS\oxidizes.exe
2016-07-25 10:28 - 2016-07-10 15:42 - 00000000 ____D C:\iolo
2016-08-15 23:14 - 2016-08-09 07:21 - 0319488 _____ () C:\Users\SCP\AppData\Local\consultant.exe
2016-05-27 14:28 - 2016-05-27 14:28 - 0004864 _____ () C:\ProgramData\oqztiqep.adk
C:\Users\SCP\AppData\Local\Temp\DeleteOnReboot.bat
C:\Users\SCP\dism.exe
C:\Users\SCP\update-bfbc2.bat
C:\Users\SCP\update-mw3.bat
C:\Users\SCP\update-NBA2K16.bat
C:\Users\SCP\update-NFSMW2012.bat
C:\Windows\Tasks\{41E416B6-ADCD-0679-F263-47F63A4C3895}.job
Task: C:\WINDOWS\Tasks\72376740.job => C:\Users\SCP\AppData\Local\consultant.exe
Task: C:\WINDOWS\Tasks\Da7237674072376740.job => C:\Users\SCP\AppData\Local\consultant.exe
Task: C:\WINDOWS\Tasks\HPCeeScheduleForSCP.job =>
Task: C:\WINDOWS\Tasks\{41E416B6-ADCD-0679-F263-47F63A4C3895}.job =>
CMD: type "C:\ComboFix.txt"
*****************

Processes closed successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\blabbed => value removed successfully
"C:\Program Files (x86)\gatsby" => not found.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\gabriela => value removed successfully
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\\DeleteOnReboot => value not found.
C:\Users\SCP\AppData\Local\Temp\DeleteOnReboot.bat => moved successfully
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive1" => key removed successfully
HKCR\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524} => key not found.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive2" => key removed successfully
HKCR\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282} => key not found.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive3" => key removed successfully
HKCR\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30} => key not found.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive4" => key removed successfully
HKCR\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A} => key not found.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive5" => key removed successfully
HKCR\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => key not found.
HKLM\SOFTWARE\Policies\Microsoft => Error: No automatic fix found for this entry.
Internet => Error: No automatic fix found for this entry.
Explorer => Error: No automatic fix found for this entry.
: Restriction <======= ATTENTION => Error: No automatic fix found for this entry.
HKU\S-1-5-21-4286382873-1239181767-2200445674-1001\SOFTWARE\Policies\Microsoft => Error: No automatic fix found for this entry.
Internet => Error: No automatic fix found for this entry.
Explorer => Error: No automatic fix found for this entry.
: Restriction <======= ATTENTION => Error: No automatic fix found for this entry.
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\URLSearchHooks\\{6341761b-babe-406d-b0d6-8d99b81c2ee5} => value removed successfully
HKU\S-1-5-21-4286382873-1239181767-2200445674-1001\Software\Microsoft\Internet Explorer\URLSearchHooks\\{6341761b-babe-406d-b0d6-8d99b81c2ee5} => value removed successfully
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FFCB3198-32F3-4E8B-9539-4324694ED664}" => key removed successfully
"HKCR\Wow6432Node\CLSID\{FFCB3198-32F3-4E8B-9539-4324694ED664}" => key removed successfully
"HKCR\PROTOCOLS\Handler\WSAllMyTubechrome" => key removed successfully
HKLM\Software\Wow6432Node\Mozilla\Thunderbird\Extensions\\eplgTb@eset.com => value removed successfully
HKU\S-1-5-21-4286382873-1239181767-2200445674-1001\Software\Mozilla\SeaMonkey\Extensions\\mozilla_cc2@internetdownloadmanager.com => value removed successfully
gupdate => service removed successfully
gupdatem => service removed successfully
ibtsiva => service removed successfully
1e2edd601191a4324294037fc91a028e => service removed successfully
"C:\WINDOWS\Tasks\Da7237674072376740.job" => not found.
"C:\Users\SCP\AppData\Local\consultant.exe" => not found.
C:\WINDOWS\system32\{A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat => moved successfully
"C:\WINDOWS\Tasks\72376740.job" => not found.
"C:\Users\SCP\Downloads\bleepu" => not found.
"C:\Users\SCP\Desktop" => Warning: FRST is scripted not to move this directory.
Internet => Error: No automatic fix found for this entry.
Explorer => Error: No automatic fix found for this entry.
.lnk => Error: No automatic fix found for this entry.
C:\Program Files (x86)\reprints => moved successfully
C:\WINDOWS\system32\SSL => moved successfully
C:\WINDOWS\ee618e655ce8647e1e4db21895190569.ps1 => moved successfully
"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Social2Se Browser Enhancer" => not found.
C:\Users\SCP\AppData\Roaming\KSAaDJSIHghQ => moved successfully
C:\Users\SCP\AppData\Roaming\EeIQKCHSHPgVUTdGdPR => moved successfully
"C:\WINDOWS\oxidizes.exe" => not found.
C:\iolo => moved successfully
"C:\Users\SCP\AppData\Local\consultant.exe" => not found.
C:\ProgramData\oqztiqep.adk => moved successfully
"C:\Users\SCP\AppData\Local\Temp\DeleteOnReboot.bat" => not found.
C:\Users\SCP\dism.exe => moved successfully
C:\Users\SCP\update-bfbc2.bat => moved successfully
C:\Users\SCP\update-mw3.bat => moved successfully
C:\Users\SCP\update-NBA2K16.bat => moved successfully
C:\Users\SCP\update-NFSMW2012.bat => moved successfully
C:\Windows\Tasks\{41E416B6-ADCD-0679-F263-47F63A4C3895}.job => moved successfully
C:\WINDOWS\Tasks\72376740.job => not found.
C:\WINDOWS\Tasks\Da7237674072376740.job => not found.
C:\WINDOWS\Tasks\HPCeeScheduleForSCP.job => moved successfully
C:\WINDOWS\Tasks\{41E416B6-ADCD-0679-F263-47F63A4C3895}.job => not found.

========= type "C:\ComboFix.txt" =========

The system cannot find the file specified.

========= End of CMD: =========

The system needed a reboot.

==== End of Fixlog 07:41:24 ====

things seem calm...
Thank you!!!

Edited by Badthingsmann, 22 August 2016 - 07:35 AM.

### #5 Oh My!

Oh My!

Adware and Spyware and Malware.....

• Malware Response Instructor
• 37,457 posts
• OFFLINE
•
• Gender:Male
• Location:California
• Local time:04:59 AM

Posted 22 August 2016 - 09:09 AM

Glad to hear we are making progress. Please do this.

===================================================

Farbar's Recovery Scan Tool - Run Fix in Normal or Safe Mode

--------------------
• Press the Windows key + r on your keyboard at the same time. Type in notepad and press Enter
• Please copy and paste the contents of the below code box into the open notepad and save it as fixlist.txt in the same location/folder as FRST.exe (<<<Important)
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-4286382873-1239181767-2200445674-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
2016-08-09 10:30 - 2016-08-14 18:56 - 00000080 _____ C:\Users\SCP\Desktop\Internet Explorer.lnk
emptytemp:

• Right click on FRST.exe, select Run as administrator then press the Fix button
• When completed he tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
===================================================

Emsisoft Emergency Kit Scan

--------------------
• Download Emsisoft Emergency Kit and save it to your desktop.
• Double-click icon then click Install
• A Window should open highlighting Start Emergency Kit Scanner
• Double click that icon and allow the program to load
• Click Yes to run an online update
• Once the update is completed select Settings under Scan
• Uncheck Join the Emsisoft Anti-Malware Network
• Click Scan at the top
• Click Yes to detect Potentially Unwanted Programs
• Click Malware Scan
• Once completed click View Report
• Save the file to your Desktop using the default file name
• Click Quarantine selected (all should be selected by default)
• Copy and paste the report in your reply
===================================================

screen317's Security Check

--------------------
• Please download screen317's Security Check to your desktop
• Double-click icon then click Run
• Press any key to launch the program
• Note: If you receive an error message saying UNSUPPORTED OPERATING SYSTEM! ABORTED! reboot your computer and attempt to run it again
• Allow the program to run
• When completed a Notepad document will open on your desktop. Please copy and paste the contents in your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
• Fixlog
• Emsisoft log
• Security Check log

Gary

If I do not reply within 24 hours please send me a Personal Message.

"May you be richly rewarded by the Lord, the God of Israel, under whose wings you have come to take refuge."

### #6 Oh My!

Oh My!

Adware and Spyware and Malware.....

• Malware Response Instructor
• 37,457 posts
• OFFLINE
•
• Gender:Male
• Location:California
• Local time:04:59 AM

Posted 25 August 2016 - 05:34 PM

Greetings,

===================================================

Do You Still Need Help?

It has been 3 days since my last post.
• Do you still need help with this?
• If you have not replied within 48 hours I will assume you have abandoned the Topic and it will be closed.

Gary

If I do not reply within 24 hours please send me a Personal Message.

"May you be richly rewarded by the Lord, the God of Israel, under whose wings you have come to take refuge."

### #7 Oh My!

Oh My!

Adware and Spyware and Malware.....

• Malware Response Instructor
• 37,457 posts
• OFFLINE
•
• Gender:Male
• Location:California
• Local time:04:59 AM

Posted 27 August 2016 - 02:48 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.
Gary

If I do not reply within 24 hours please send me a Personal Message.

"May you be richly rewarded by the Lord, the God of Israel, under whose wings you have come to take refuge."

#### 0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users