
infected DNSAPI.DLL


This topic is locked
3 replies to this topic

#1 tony3xl


Posted 09 September 2016 - 09:19 PM

Help, I have a laptop which can't connect to the internet from any browser. Seems like the DNSAPI.DLL infection; ran Avast and Malwarebytes, which removed a lot of malware. Avast indicated dnsapi was infected but it could not correct it. Here is the FRST log.

Thanks for any help you can provide.

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 31-08-2016
Ran by Emma (administrator) on EMMA (09-09-2016 22:03:01)
Running from C:\Users\new user\Desktop
Loaded Profiles: Emma (Available Profiles:  & Emma)
Platform: Windows 10 Pro Version 1511 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Edge)
Boot Mode: Safe Mode (with Networking)
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\HelpPane.exe
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2174760 2010-06-03] (Synaptics Incorporated)
HKLM\...\Run: [RtsCM] => C:\Windows\RTSCM64.EXE [155864 2013-12-10] (Realtek Semiconductor Corp.)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [176952 2016-06-01] (Apple Inc.)
HKLM\...\Run: [SysTrayApp] => C:\Program Files\IDT\WDM\sttray64.exe [489472 2010-09-08] (IDT, Inc.)
HKLM-x32\...\Run: [HP Software Update] => C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [96056 2013-05-30] (Hewlett-Packard)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [Wondershare Helper Compact.exe] => C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe [2087264 2014-09-11] (Wondershare)
HKLM-x32\...\Run: [win_en_77] => [X]
HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [9107104 2016-09-08] (AVAST Software)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-19\Control Panel\Desktop\\SCRNSAVE.EXE -> 
HKU\S-1-5-20\Control Panel\Desktop\\SCRNSAVE.EXE -> 
HKU\S-1-5-21-195251298-2067403668-857910257-1000\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [29538432 2016-08-17] (Skype Technologies S.A.)
HKU\S-1-5-21-195251298-2067403668-857910257-1000\...\Run: [Google Update] => C:\Users\new user\AppData\Local\Google\Update\GoogleUpdate.exe [144200 2015-10-11] (Google Inc.)
HKU\S-1-5-21-195251298-2067403668-857910257-1000\...\Run: [campy] => "C:\Program Files (x86)\dependent\emergent.exe"
HKU\S-1-5-21-195251298-2067403668-857910257-1000\...\Run: [SC.exe] => C:\WINDOWS\SysWOW64\SpcOptimizer.exe
HKU\S-1-5-21-195251298-2067403668-857910257-1000\...\Run: [29LUTX801U] => "C:\Program Files (x86)\DPower\73DTOGGDJE.exe"
HKU\S-1-5-21-195251298-2067403668-857910257-1000\...\RunOnce: [Uninstall C:\Users\new user\AppData\Local\Microsoft\OneDrive\17.3.5892.0626\amd64] => C:\WINDOWS\system32\cmd.exe /q /c rmdir /s /q "C:\Users\new user\AppData\Local\Microsoft\OneDrive\17.3.5892.0626\amd64"
HKU\S-1-5-21-195251298-2067403668-857910257-1000\...\RunOnce: [Uninstall C:\Users\new user\AppData\Local\Microsoft\OneDrive\17.3.6281.1202\amd64] => C:\WINDOWS\system32\cmd.exe /q /c rmdir /s /q "C:\Users\new user\AppData\Local\Microsoft\OneDrive\17.3.6281.1202\amd64"
HKU\S-1-5-21-195251298-2067403668-857910257-1000\...\RunOnce: [Uninstall C:\Users\new user\AppData\Local\Microsoft\OneDrive\17.3.6301.0127\amd64] => C:\WINDOWS\system32\cmd.exe /q /c rmdir /s /q "C:\Users\new user\AppData\Local\Microsoft\OneDrive\17.3.6301.0127\amd64"
HKU\S-1-5-21-195251298-2067403668-857910257-1000\...\RunOnce: [Uninstall C:\Users\new user\AppData\Local\Microsoft\OneDrive\17.3.6302.0225\amd64] => C:\WINDOWS\system32\cmd.exe /q /c rmdir /s /q "C:\Users\new user\AppData\Local\Microsoft\OneDrive\17.3.6302.0225\amd64"
HKU\S-1-5-21-195251298-2067403668-857910257-1000\...\RunOnce: [Uninstall C:\Users\new user\AppData\Local\Microsoft\OneDrive\17.3.6386.0412\amd64] => C:\WINDOWS\system32\cmd.exe /q /c rmdir /s /q "C:\Users\new user\AppData\Local\Microsoft\OneDrive\17.3.6386.0412\amd64"
HKU\S-1-5-21-195251298-2067403668-857910257-1000\Control Panel\Desktop\\SCRNSAVE.EXE -> 
HKU\S-1-5-18\Control Panel\Desktop\\SCRNSAVE.EXE -> 
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2016-09-08] (AVAST Software)
ShellIconOverlayIdentifiers-x32: [ SkyDrivePro1 (ErrorConflict)] -> {8BA85C75-763B-4103-94EB-9470F12FE0F7} => C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL [2016-04-12] (Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: [ SkyDrivePro2 (SyncInProgress)] -> {CD55129A-B1A1-438E-A425-CEBC7DC684EE} => C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL [2016-04-12] (Microsoft Corporation)
ShellIconOverlayIdentifiers-x32: [ SkyDrivePro3 (InSync)] -> {E768CD3B-BDDC-436D-9C13-E1B39CA257B1} => C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL [2016-04-12] (Microsoft Corporation)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk [2016-06-07]
ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
Startup: C:\Users\new user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\parmentier.lnk [2016-06-07]
ShortcutTarget: parmentier.lnk -> C:\Program Files (x86)\dependent\emergent.exe (No File)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
Tcpip\Parameters: [NameServer] 8.8.8.8,8.8.8.4
Tcpip\..\Interfaces\{6b1b7d5d-262e-44e6-8f36-d6415309a94c}: [DhcpNameServer] 192.168.1.254
Tcpip\..\Interfaces\{e7221a76-17a8-42df-8ef2-3b05c32c994b}: [NameServer] 188.120.239.115,8.8.8.8
Tcpip\..\Interfaces\{e7221a76-17a8-42df-8ef2-3b05c32c994b}: [DhcpNameServer] 192.168.1.254
 
Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-195251298-2067403668-857910257-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = www.google.com
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com
BHO: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\OCHelper.dll [2016-04-12] (Microsoft Corporation)
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll [2015-03-16] (Oracle Corporation)
BHO: Skype Click to Call for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll [2016-05-25] (Microsoft Corporation)
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL [2016-04-12] (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll [2015-03-16] (Oracle Corporation)
BHO-x32: HP Print Enhancer -> {0347C33E-8762-4905-BF09-768834316C61} -> C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll [2009-10-22] (Hewlett-Packard Co.)
BHO-x32: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office 15\root\Office15\OCHelper.dll [2016-04-12] (Microsoft Corporation)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_40\bin\ssv.dll [2015-03-16] (Oracle Corporation)
BHO-x32: Skype Click to Call for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2016-05-25] (Microsoft Corporation)
BHO-x32: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office 15\root\Office15\GROOVEEX.DLL [2016-04-12] (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_40\bin\jp2ssv.dll [2015-03-16] (Oracle Corporation)
BHO-x32: HP Smart BHO Class -> {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} -> C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll [2009-10-22] (Hewlett-Packard Co.)
Handler-x32: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\Office15\MSOSB.DLL [2015-02-03] (Microsoft Corporation)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll [2016-02-01] (Skype Technologies)
Handler: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll [2016-05-25] (Microsoft Corporation)
Handler-x32: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2016-05-25] (Microsoft Corporation)
 
FireFox:
========
FF ProfilePath: C:\Users\new user\AppData\Roaming\Mozilla\Firefox\Profiles\se74wicg.default
FF Plugin: @java.com/DTPlugin,version=10.76.2 -> C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll [2015-03-16] (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.76.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll [2015-03-16] (Oracle Corporation)
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.50428.0\npctrl.dll [2016-04-27] ( Microsoft Corporation)
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2015-12-18] ()
FF Plugin-x32: @java.com/DTPlugin,version=11.40.2 -> C:\Program Files (x86)\Java\jre1.8.0_40\bin\dtplugin\npDeployJava1.dll [2015-03-16] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.40.2 -> C:\Program Files (x86)\Java\jre1.8.0_40\bin\plugin2\npjp2.dll [2015-03-16] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/Lync,version=15.0 -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll [2015-11-03] (Microsoft Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.50428.0\npctrl.dll [2016-04-27] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office 15\root\Office15\NPSPWRAP.DLL [2013-07-11] (Microsoft Corporation)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2015-05-01] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-195251298-2067403668-857910257-1000: @tools.google.com/Google Update;version=3 -> C:\Users\new user\AppData\Local\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-28] (Google Inc.)
FF Plugin HKU\S-1-5-21-195251298-2067403668-857910257-1000: @tools.google.com/Google Update;version=9 -> C:\Users\new user\AppData\Local\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-28] (Google Inc.)
FF Extension: (No Name) - C:\Users\new user\AppData\Roaming\Mozilla\Firefox\Profiles\se74wicg.default\extensions\ascsurfingprotection@iobit.com [not found]
FF Extension: (No Name) - C:\Program Files (x86)\Epson Software\E-Web Print\Firefox Add-on [not found]
FF Extension: (No Name) - C:\Program Files (x86)\IObit Apps Toolbar\FF [not found]
FF Extension: (Avira Browser Safety) - C:\Users\new user\AppData\Roaming\Mozilla\Firefox\Profiles\se74wicg.default\Extensions\abs@avira.com [2014-10-15] [not signed]
FF Extension: (AD Block) - C:\Users\new user\AppData\Roaming\Mozilla\Firefox\Profiles\se74wicg.default\Extensions\searchads@instair.net [2014-07-06] [not signed]
FF HKLM\...\Firefox\Extensions: [sp@avast.com] - C:\Program Files\AVAST Software\Avast\SafePrice\FF
FF Extension: (Avast SafePrice) - C:\Program Files\AVAST Software\Avast\SafePrice\FF [2016-09-08]
FF HKLM\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: (Avast Online Security) - C:\Program Files\AVAST Software\Avast\WebRep\FF [2016-09-08]
FF HKLM-x32\...\Firefox\Extensions: [smartwebprinting@hp.com] - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF Extension: (HP Smart Web Printing) - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2013-10-28] [not signed]
FF HKLM-x32\...\Firefox\Extensions: [sp@avast.com] - C:\Program Files\AVAST Software\Avast\SafePrice\FF
FF HKLM-x32\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF HKU\S-1-5-21-195251298-2067403668-857910257-1000\...\Firefox\Extensions: [smartwebprinting@hp.com] - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
 
Chrome: 
=======
CHR HomePage: Profile 1 -> hxxp://google.com/
CHR StartupUrls: Profile 1 -> "hxxps://us.search.yahoo.com/yhs/web?hspart=omr&hsimp=yhs-001&type=86311236&param1=y6bdVFVIsvuYsgEClQfz8HyFH9tZCHsOZFHNP%2BYwJC1dylyxXDDsY2U2d3WJNNl2gE1GQ8Gm7RCH4QqeY1bIP1fLiIEUXaqJurLF0PzlWbQBFAgCa%2B%2FQwi%2BNWmWsbKjAdlkbldn1DA0vQ99giRPfeC8kjWqwDq3CF7GqemxasmBIdXfUlRwp%2B5mS7HS8BkT7%2F0JHEIBg0mVJ6lqiH3gZdI3%2FLoDIV5r1TizLFUIwfZQ%3D","search.mpc.am"
CHR DefaultSearchURL: Profile 1 -> hxxp://www-searching.com/search.aspx?site=shdefault1&prd=smw&pid=s&shr=d&q={searchTerms}&s=G67zswatn1AQ,ff06529e-5044-4661-8774-c8343e360ce0,
CHR DefaultSearchKeyword: Profile 1 -> www-searching.com
CHR DefaultSuggestURL: Profile 1 -> hxxp://api.searchpredict.com/api/?rqtype=ffplugin&siteID=8661&dbCode=1&command={searchTerms}
CHR Profile: C:\Users\new user\AppData\Local\Google\Chrome\User Data\Profile 1
CHR Extension: (Google Slides) - C:\Users\new user\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2016-01-04]
CHR Extension: (Google Docs) - C:\Users\new user\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\aohghmighlieiainnegkcijnfilokake [2016-06-07]
CHR Extension: (Google Drive) - C:\Users\new user\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-01-04]
CHR Extension: (YouTube) - C:\Users\new user\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-01-04]
CHR Extension: (Archive Poster) - C:\Users\new user\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\ceakpicibkmdilicebgddflnfbpmcpgd [2016-06-18]
CHR Extension: (Google Search) - C:\Users\new user\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2016-01-04]
CHR Extension: (Google Sheets) - C:\Users\new user\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2016-01-04]
CHR Extension: (Google Docs Offline) - C:\Users\new user\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-03-27]
CHR Extension: (AdBlock) - C:\Users\new user\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2016-08-23]
CHR Extension: (Chrome Web Store Payments) - C:\Users\new user\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-07]
CHR Extension: (Gmail) - C:\Users\new user\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2016-01-04]
CHR HKLM\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - C:\Program Files (x86)\Skype\Toolbars\ChromeExtension\skype_chrome_extension.crx [2016-05-25]
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [83768 2016-03-02] (Apple Inc.)
S2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [197128 2016-09-08] (AVAST Software)
S2 c2cautoupdatesvc; C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe [1364096 2016-05-25] (Microsoft Corporation)
S2 c2cpnrsvc; C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe [1687680 2016-05-25] (Microsoft Corporation)
S2 ClickToRunSvc; C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [3009264 2016-05-17] (Microsoft Corporation)
S2 EPSON_PM_RPCV4_06; C:\Program Files\Common Files\EPSON\EPW!3 SSRP\E_S60RPB.EXE [152640 2013-04-26] (SEIKO EPSON CORPORATION)
S2 HP Support Assistant Service; C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [86528 2012-09-27] (Hewlett-Packard Company) [File not signed]
S2 hpHotkeyMonitor; C:\Program Files (x86)\Hewlett-Packard\HP Hotkey Support\HPHotkeyMonitor.exe [523680 2012-09-12] (Hewlett-Packard Company)
S2 HPSLPSVC; C:\Program Files (x86)\HP\Digital Imaging\bin\HPSLPSVC64.DLL [1039360 2010-10-22] (Hewlett-Packard Co.) [File not signed]
S2 HPSupportSolutionsFrameworkService; C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe [89840 2015-03-28] (Hewlett-Packard Company)
S2 LiveUpdateSvc; C:\Program Files (x86)\IObit\LiveUpdate\LiveUpdate.exe [2585376 2015-04-28] (IObit)
S2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [71680 2010-08-06] (Hewlett-Packard) [File not signed]
S2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [89600 2010-08-06] (Hewlett-Packard) [File not signed]
S3 vmicvss; C:\Windows\System32\ICSvc.dll [511488 2015-10-30] (Microsoft Corporation)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [364464 2015-10-30] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [24864 2015-10-30] (Microsoft Corporation)
S2 wltrysvc; C:\Program Files\Broadcom\Broadcom 802.11\bcmwltry.exe [5878272 2014-01-29] (Broadcom Corporation) [File not signed]
S2 Gongexw; "C:\Users\new user\AppData\Roaming\JadbopInarc\Okoil.exe" -cms [X]
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [37656 2016-09-08] (AVAST Software)
R1 aswKbd; C:\Windows\system32\drivers\aswKbd.sys [37144 2016-09-08] (AVAST Software)
S2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [108816 2016-09-08] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [103064 2016-09-08] (AVAST Software)
S0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [74544 2016-09-08] (AVAST Software)
S1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [969560 2016-09-08] (AVAST Software)
S1 aswSP; C:\Windows\system32\drivers\aswSP.sys [513496 2016-09-08] (AVAST Software)
S2 aswStm; C:\Windows\system32\drivers\aswStm.sys [163416 2016-09-08] (AVAST Software)
S0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [292704 2016-09-08] (AVAST Software)
S3 bpenum; C:\Windows\System32\DRIVERS\bpenum.sys [84480 2012-07-03] (Intel Corporation) [File not signed]
S1 HWiNFO32; C:\Windows\SysWOW64\drivers\HWiNFO64A.SYS [26528 2015-10-11] (REALiX™)
S3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [192216 2016-09-09] (Malwarebytes)
S3 PSI; C:\Windows\System32\DRIVERS\psi_mf_amd64.sys [18456 2013-12-06] (Secunia)
S3 rtsuvc; C:\Windows\system32\DRIVERS\rtsuvc.sys [9101016 2013-12-10] (Realtek Semiconductor Corp.)
S3 tsusbhub; C:\Windows\System32\drivers\tsusbhub.sys [117248 2010-11-20] (Microsoft Corporation) [File not signed]
S3 WdBoot; C:\Windows\system32\drivers\WdBoot.sys [44568 2015-10-30] (Microsoft Corporation)
S3 WdFilter; C:\Windows\system32\drivers\WdFilter.sys [293216 2015-10-30] (Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [118112 2015-10-30] (Microsoft Corporation)
U3 idsvc; no ImagePath
U3 wpcsvc; no ImagePath
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-09-09 22:03 - 2016-09-09 22:04 - 00021345 _____ C:\Users\new user\Desktop\FRST.txt
2016-09-09 22:00 - 2016-09-09 22:03 - 00000000 ____D C:\FRST
2016-09-09 21:59 - 2016-09-09 22:00 - 02397696 _____ (Farbar) C:\Users\new user\Desktop\FRST64.exe
2016-09-09 21:27 - 2016-09-09 21:55 - 01747968 _____ (Farbar) C:\Users\new user\Downloads\FRST.exe
2016-09-09 21:26 - 2016-09-09 21:32 - 00000000 ____D C:\AdwCleaner
2016-09-09 21:18 - 2016-09-09 21:23 - 00006212 _____ C:\Users\new user\Desktop\Rkill.txt
2016-09-09 21:17 - 2016-09-09 21:26 - 03826240 _____ C:\Users\new user\Downloads\AdwCleaner.exe
2016-09-09 21:17 - 2016-09-09 21:18 - 02030536 _____ (Bleeping Computer, LLC) C:\Users\new user\Downloads\rkill.exe
2016-09-08 21:49 - 2016-09-08 21:54 - 00003998 _____ C:\WINDOWS\System32\Tasks\SafeZone scheduled Autoupdate 1473385770
2016-09-08 21:49 - 2016-09-08 21:54 - 00001088 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avast SafeZone Browser.lnk
2016-09-08 21:49 - 2016-09-08 21:49 - 00001088 _____ C:\Users\Public\Desktop\Avast SafeZone Browser.lnk
2016-09-08 21:49 - 2016-09-08 21:48 - 00037144 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswKbd.sys
2016-09-08 21:48 - 2016-09-08 21:48 - 00000000 ____D C:\Users\new user\AppData\Roaming\AVAST Software
2016-09-08 21:47 - 2016-09-08 21:47 - 00001979 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Avast Free Antivirus.lnk
2016-09-08 21:47 - 2016-09-08 21:47 - 00001967 _____ C:\Users\Public\Desktop\Avast Free Antivirus.lnk
2016-09-08 21:46 - 2016-09-08 21:46 - 00513496 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswSP.sys
2016-09-08 21:46 - 2016-09-08 21:46 - 00391496 _____ (AVAST Software) C:\WINDOWS\system32\aswBoot.exe
2016-09-08 21:46 - 2016-09-08 21:46 - 00292704 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswVmm.sys
2016-09-08 21:46 - 2016-09-08 21:46 - 00163416 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswStm.sys
2016-09-08 21:46 - 2016-09-08 21:46 - 00108816 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswMonFlt.sys
2016-09-08 21:46 - 2016-09-08 21:46 - 00103064 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswRdr2.sys
2016-09-08 21:46 - 2016-09-08 21:46 - 00074544 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswRvrt.sys
2016-09-08 21:46 - 2016-09-08 21:46 - 00037656 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswHwid.sys
2016-09-08 21:46 - 2016-09-08 21:46 - 00004004 _____ C:\WINDOWS\System32\Tasks\avast! Emergency Update
2016-09-08 21:46 - 2016-09-08 21:45 - 00969560 _____ (AVAST Software) C:\WINDOWS\system32\Drivers\aswSnx.sys
2016-09-08 21:45 - 2016-09-08 21:48 - 00000000 ____D C:\Program Files\AVAST Software
2016-09-08 21:45 - 2016-09-08 21:45 - 00053208 _____ (AVAST Software) C:\WINDOWS\avastSS.scr
2016-09-08 19:25 - 2016-09-08 20:29 - 00001171 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2016-09-08 19:25 - 2016-09-08 19:25 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2016-09-08 19:25 - 2016-03-10 14:09 - 00065408 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mwac.sys
2016-09-08 19:25 - 2016-03-10 14:08 - 00140672 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2016-09-08 19:25 - 2016-03-10 14:08 - 00027008 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbam.sys
2016-09-08 19:15 - 2016-09-08 19:16 - 06334648 _____ (AVAST Software) C:\Users\new user\Downloads\avast_free_antivirus_setup_online (1).exe
2016-09-08 19:15 - 2016-09-08 19:15 - 06334648 _____ (AVAST Software) C:\Users\new user\Downloads\Unconfirmed 606676.crdownload
2016-09-08 19:11 - 2016-09-08 19:12 - 06334648 _____ (AVAST Software) C:\Users\new user\Downloads\avast_free_antivirus_setup_online.exe
2016-09-08 18:00 - 2016-09-08 20:29 - 01300844 _____ C:\WINDOWS\ntbtlog.txt
2016-09-08 16:00 - 2016-09-08 16:00 - 00003948 _____ C:\WINDOWS\System32\Tasks\Adobe Flash Player PPAPI Notifier
2016-09-07 22:08 - 2016-09-07 22:08 - 00000000 _____ C:\Users\new user\AppData\Local\{DFC9A3FB-C957-4817-8365-597A93097D5B}
2016-09-07 20:16 - 2016-09-07 22:12 - 00000000 ____D C:\Users\new user\AppData\Local\DailyBee
2016-09-07 20:15 - 2016-09-08 21:22 - 00000000 ____D C:\Program Files\Yhid
2016-09-07 20:14 - 2016-09-07 22:09 - 00000000 ____D C:\Program Files (x86)\EZSearch
2016-09-06 19:39 - 2016-09-06 19:39 - 00000000 ____D C:\Users\new user\AppData\Local\CrashRpt
2016-09-06 19:37 - 2016-09-09 17:42 - 00000000 ___HD C:\Program Files (x86)\reemerge
2016-09-06 19:37 - 2016-09-09 17:42 - 00000000 ___HD C:\Program Files (x86)\objecting
2016-09-06 19:36 - 2016-09-06 19:36 - 00000000 ____D C:\WINDOWS\system32\sstmp
2016-09-06 19:10 - 2016-09-06 19:10 - 00313856 _____ C:\WINDOWS\settings.dll
2016-09-06 19:10 - 2016-09-06 19:10 - 00194048 _____ C:\WINDOWS\naren.exe
2016-09-06 19:10 - 2016-09-06 19:10 - 00127644 _____ C:\Users\new user\AppData\Local\65958514.exe
2016-08-30 18:35 - 2016-09-06 14:51 - 00000000 ____D C:\Users\new user\Downloads\Tumblr Pictures
2016-08-30 18:32 - 2016-08-30 18:33 - 00000000 ____D C:\Users\new user\Downloads\Album Covers
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-09-09 22:02 - 2016-01-04 11:27 - 00000214 _____ C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job
2016-09-09 22:01 - 2015-10-30 02:28 - 00524288 ___SH C:\WINDOWS\system32\config\BBI
2016-09-09 21:56 - 2016-01-04 04:57 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2016-09-09 21:56 - 2015-12-17 14:41 - 00000000 ____D C:\WINDOWS\pss
2016-09-09 21:31 - 2013-10-28 10:36 - 00000000 ____D C:\Users\new user\AppData\Roaming\Yahoo!
2016-09-09 21:30 - 2016-01-04 04:23 - 00000000 ____D C:\Users\new user
2016-09-09 20:59 - 2016-06-07 15:03 - 00192216 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2016-09-09 19:28 - 2013-05-25 04:23 - 00000000 ___HD C:\Users\new user\AppData\Roaming\Adobe
2016-09-09 18:24 - 2015-10-30 03:24 - 00000000 ____D C:\WINDOWS\AppReadiness
2016-09-09 18:23 - 2016-01-04 10:29 - 00000000 ____D C:\Users\new user\AppData\Local\Packages
2016-09-09 17:54 - 2013-05-24 14:39 - 00000000 ____D C:\Users\new user\AppData\Roaming\Skype
2016-09-09 17:53 - 2016-01-04 11:12 - 00000000 ___RD C:\Program Files (x86)\Skype
2016-09-09 17:53 - 2013-05-24 14:38 - 00000000 ____D C:\ProgramData\Skype
2016-09-09 17:52 - 2013-05-24 14:29 - 00000000 ____D C:\Program Files (x86)\Google
2016-09-09 17:42 - 2016-06-06 21:02 - 00000000 ___HD C:\Program Files (x86)\momentous
2016-09-09 17:34 - 2015-10-30 03:21 - 00000000 ____D C:\WINDOWS\INF
2016-09-08 22:15 - 2016-01-04 03:05 - 00346480 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2016-09-08 22:11 - 2015-10-30 05:07 - 00000000 ____D C:\Program Files\Windows Journal
2016-09-08 22:11 - 2015-10-30 03:24 - 00000000 ___SD C:\WINDOWS\system32\DiagSvcs
2016-09-08 22:11 - 2015-10-30 03:24 - 00000000 ___RD C:\WINDOWS\PrintDialog
2016-09-08 22:11 - 2015-10-30 03:24 - 00000000 ___RD C:\WINDOWS\ImmersiveControlPanel
2016-09-08 22:11 - 2015-10-30 03:24 - 00000000 ___RD C:\WINDOWS\DevicesFlow
2016-09-08 22:11 - 2015-10-30 03:24 - 00000000 ____D C:\WINDOWS\system32\SystemResetPlatform
2016-09-08 22:11 - 2015-10-30 03:24 - 00000000 ____D C:\WINDOWS\system32\oobe
2016-09-08 22:11 - 2015-10-30 03:24 - 00000000 ____D C:\WINDOWS\system32\appraiser
2016-09-08 22:11 - 2015-10-30 03:24 - 00000000 ____D C:\WINDOWS\Provisioning
2016-09-08 22:11 - 2015-10-30 03:24 - 00000000 ____D C:\WINDOWS\PolicyDefinitions
2016-09-08 22:11 - 2015-10-30 03:24 - 00000000 ____D C:\WINDOWS\bcastdvr
2016-09-08 22:11 - 2015-10-30 03:24 - 00000000 ____D C:\Program Files\Windows Photo Viewer
2016-09-08 22:11 - 2015-10-30 03:24 - 00000000 ____D C:\Program Files\Windows Defender
2016-09-08 22:11 - 2015-10-30 03:24 - 00000000 ____D C:\Program Files (x86)\Windows Photo Viewer
2016-09-08 22:11 - 2015-10-30 03:24 - 00000000 ____D C:\Program Files (x86)\Windows Defender
2016-09-08 21:48 - 2015-03-16 10:57 - 00000000 ____D C:\ProgramData\AVAST Software
2016-09-08 21:47 - 2015-10-30 03:24 - 00000000 ____D C:\WINDOWS\system32\SecureBootUpdates
2016-09-08 21:47 - 2015-10-30 03:11 - 00000000 ____D C:\WINDOWS\CbsTemp
2016-09-08 21:23 - 2015-10-30 03:24 - 00000000 ____D C:\WINDOWS\InputMethod
2016-09-08 20:14 - 2015-10-30 03:24 - 00000000 ____D C:\WINDOWS\addins
2016-09-08 19:25 - 2016-06-07 15:02 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2016-09-08 19:09 - 2015-12-17 14:39 - 00000000 ____D C:\Users\new user\AppData\Local\ElevatedDiagnostics
2016-09-08 17:29 - 2015-10-30 03:24 - 00000000 ____D C:\WINDOWS\system32\NDF
2016-09-08 17:07 - 2013-05-27 11:39 - 00000000 ____D C:\Program Files\Microsoft Silverlight
2016-09-08 17:07 - 2013-05-27 11:39 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2016-09-08 16:59 - 2013-07-11 07:39 - 00000000 ____D C:\WINDOWS\system32\MRT
2016-09-08 16:53 - 2013-05-14 19:34 - 147640136 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2016-09-08 16:48 - 2013-05-27 11:40 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight
2016-09-08 16:00 - 2015-10-30 03:24 - 00000000 ____D C:\WINDOWS\SysWOW64\Macromed
2016-09-08 16:00 - 2015-10-30 03:24 - 00000000 ____D C:\WINDOWS\system32\Macromed
2016-09-08 15:59 - 2013-05-27 00:21 - 00000000 ____D C:\Users\new user\AppData\Local\Adobe
2016-09-08 01:15 - 2016-02-20 00:52 - 00000000 ____D C:\Users\new user\AppData\Roaming\Spotydl
2016-09-08 01:13 - 2013-05-25 15:57 - 00002259 _____ C:\WINDOWS\epplauncher.mif
2016-09-07 22:09 - 2016-06-07 23:20 - 00000000 ____D C:\bin
2016-09-07 22:04 - 2015-10-30 03:24 - 00000000 ___RD C:\WINDOWS\Offline Web Pages
2016-09-06 19:06 - 2013-11-15 10:04 - 00000000 ____D C:\ProgramData\ProductData
2016-08-30 18:37 - 2016-01-02 21:56 - 00000000 ____D C:\Users\new user\Documents\School Work
 
==================== Files in the root of some directories =======
 
2016-06-06 21:11 - 2016-06-06 21:11 - 6859776 _____ () C:\Users\new user\AppData\Roaming\agent.dat
2016-06-06 21:08 - 2016-06-06 21:08 - 0128512 _____ () C:\Users\new user\AppData\Roaming\Installer.dat
2016-06-06 21:11 - 2016-06-06 21:11 - 0018432 _____ () C:\Users\new user\AppData\Roaming\Main.dat
2016-09-06 19:10 - 2016-09-06 19:10 - 0127644 _____ () C:\Users\new user\AppData\Local\65958514.exe
2014-08-16 22:21 - 2014-08-16 22:21 - 0020480 _____ () C:\Users\new user\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2015-12-23 23:41 - 2015-12-23 23:41 - 0969860 _____ () C:\Users\new user\AppData\Local\Webcam-Picture-Taker_1243.rar
2016-09-07 22:08 - 2016-09-07 22:08 - 0000000 _____ () C:\Users\new user\AppData\Local\{DFC9A3FB-C957-4817-8365-597A93097D5B}
2015-06-27 21:33 - 2015-06-27 21:33 - 0000057 _____ () C:\ProgramData\Ament.ini
2015-02-04 19:32 - 2015-02-04 19:32 - 0000196 _____ () C:\ProgramData\defraggler_list.txt
2013-10-28 10:30 - 2016-06-06 21:19 - 0006127 _____ () C:\ProgramData\hpzinstall.log
 
Some files in TEMP:
====================
C:\Users\new user\AppData\Local\Temp\AWNRSJJ8UC.exe
C:\Users\new user\AppData\Local\Temp\GHAOETDSIH.exe
C:\Users\new user\AppData\Local\Temp\GUR96C7.exe
C:\Users\new user\AppData\Local\Temp\libeay32.dll
C:\Users\new user\AppData\Local\Temp\MMq7VoWH-upd.exe
C:\Users\new user\AppData\Local\Temp\msvcr120.dll
C:\Users\new user\AppData\Local\Temp\Q5G90WY3JN.exe
C:\Users\new user\AppData\Local\Temp\Setup.exe
C:\Users\new user\AppData\Local\Temp\Setup_2048.exe
C:\Users\new user\AppData\Local\Temp\sqlite3.dll
C:\Users\new user\AppData\Local\Temp\t0OJyUWFmb.exe
C:\Users\new user\AppData\Local\Temp\yVtYH0eBM5.exe
 
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll
[2016-04-12 22:09] - [2016-04-12 22:09] - 0686976 ____N (Microsoft Corporation) 3F6D7440CAA79653BBC3E1A6F4A50DD9
 
C:\WINDOWS\SysWOW64\dnsapi.dll
[2016-04-12 22:09] - [2016-04-12 22:09] - 0535080 ____N (Microsoft Corporation) CABC60CA8218494F8E29EEC4F6B7E7EF
 
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2016-06-07 20:50
 
==================== End of FRST.txt ============================
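As an added example (not part of the FRST log or this thread), the PowerShell below re-runs the Authenticode check that FRST's "Bamital & volsnap" section performs on the same file list and, for any file that does not verify, prints the size, company name and MD5 so they can be compared with the values in the posted log. It assumes a Windows 10 host with PowerShell 5.1, where Get-AuthenticodeSignature resolves catalog-signed system binaries against the signed catalogs.

```powershell
# Added example: reproduce the FRST "Bamital & volsnap" verification.
# Same files FRST lists, resolved relative to the running Windows install.
$files = @(
    "$env:SystemRoot\System32\winlogon.exe",
    "$env:SystemRoot\System32\wininit.exe",
    "$env:SystemRoot\explorer.exe",
    "$env:SystemRoot\SysWOW64\explorer.exe",
    "$env:SystemRoot\System32\svchost.exe",
    "$env:SystemRoot\SysWOW64\svchost.exe",
    "$env:SystemRoot\System32\services.exe",
    "$env:SystemRoot\System32\User32.dll",
    "$env:SystemRoot\SysWOW64\User32.dll",
    "$env:SystemRoot\System32\userinit.exe",
    "$env:SystemRoot\SysWOW64\userinit.exe",
    "$env:SystemRoot\System32\rpcss.dll",
    "$env:SystemRoot\System32\dnsapi.dll",
    "$env:SystemRoot\SysWOW64\dnsapi.dll",
    "$env:SystemRoot\System32\drivers\volsnap.sys"
)

foreach ($f in $files) {
    if (-not (Test-Path -LiteralPath $f)) {
        Write-Output "$f => file not found"
        continue
    }

    # Assumption: on Windows 10 / PowerShell 5.1 this cmdlet also consults
    # the security catalogs, so catalog-signed OS binaries report 'Valid'.
    $sig = Get-AuthenticodeSignature -FilePath $f

    if ($sig.Status -eq 'Valid') {
        Write-Output "$f => File is digitally signed"
    } else {
        # Mirror FRST: for a file that fails verification, show the details
        # an analyst needs to compare against a known-good copy.
        $item = Get-Item -LiteralPath $f
        $md5  = (Get-FileHash -LiteralPath $f -Algorithm MD5).Hash
        $co   = $item.VersionInfo.CompanyName
        $when = $item.LastWriteTime.ToString('yyyy-MM-dd HH:mm')
        Write-Output ("{0} => NOT verified ({1})" -f $f, $sig.Status)
        Write-Output ("[{0}] - {1:D7} ({2}) {3}" -f $when, $item.Length, $co, $md5)
    }
}
```

A 'NotSigned' or 'HashMismatch' status on a file that the posted log shows as signed, or an MD5 that differs from a clean copy of the same build, is what to look at first; a 'UnknownError' result on an offline or damaged catalog store should be re-checked before treating the file as tampered.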


#2 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts
  • Gender:Male
  • Local time:02:23 PM

Posted 10 September 2016 - 02:04 PM

Hi tony3xl :)

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name, it's up to you! Now that we've broken the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.
  • As you'll notice, the logs we are asking for here are quite lengthy, so it's normal for me to not reply exactly after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens;
  • As long as I'm assisting you on BleepingComputer, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you;
  • The same principle applies to any modifications you make to your system: I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system;
  • If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here, better safe than sorry!;
  • If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off;
  • Since malware can work quickly, we want to get rid of it as fast as we can, before it makes unknown changes to the system. This being said, I would appreciate it if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced;
  • I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not, I'll give you the benefit of the doubt. Plus, this would be against BleepingComputer's rules;
  • In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like format and reinstall Windows, you are free to do so. I would appreciate it if you let me know about it first, and if you need, I can also assist you in the process;
  • I would appreciate it if you were to stay with me until the end, which means until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely gone;
  • This being said, I have a full-time job, and I also have night classes on Mondays and Wednesdays, which means that if you reply during these two days, it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread.
This being said, it's time to clean up some malware, so let's get started, shall we? :)

It looks like I'm missing your Addition.txt log, so we'll just run JRT and AdwCleaner first, and then grab a fresh set of logs. Follow the instructions below please.

Junkware Removal Tool (JRT)
  • Download Junkware Removal Tool (JRT) and move it to your Desktop;
  • Right-click on JRT.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Press any key to launch the scan and let it complete;
  • Once the scan is complete, a log will open. Please copy/paste the content of the output log in your next reply;
AdwCleaner - Fix Mode
  • Download AdwCleaner and move it to your Desktop;
  • Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Accept the EULA (I accept), let the database update, then click on Scan;
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Cleaning button. This will kill all the active processes;
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer; do it;
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply;
Farbar Recovery Scan Tool (FRST) - Scan mode
Follow the instructions below to download and execute a scan on your system with FRST, and provide the logs in your next reply.
  • Right-click on the executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Accept the disclaimer by clicking on Yes, and FRST will then do a back-up of your Registry, which should take a few seconds;
  • Check the Addition.txt option;
  • Click on the Scan button;
  • On completion, two message boxes will open, saying that the results were saved to FRST.txt and Addition.txt, then two Notepad files will open;
  • Copy and paste the content of both FRST.txt and Addition.txt in your next reply;
Your next reply(ies) should include:
  • Copy/pasted content of the JRT.txt log;
  • Copy/pasted content of the AdwCleaner clean log;
  • Copy/pasted content of FRST.txt;
  • Copy/pasted content of Addition.txt;

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts
  • Gender:Male
  • Local time:02:23 PM

Posted 13 September 2016 - 07:16 AM

Hi tony,

Are you still with me? Can you follow the instructions in my previous post?

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#4 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts
  • Gender:Male
  • Local time:02:23 PM

Posted 15 September 2016 - 06:47 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.
