
W32.Sality found on system


  • This topic is locked
4 replies to this topic

#1 brainlinq

Posted 10 December 2016 - 11:27 AM

Someone created an account on a server through an inadvertently opened RDP port on a firewall. This has been closed and the account has been disabled.

 

The system is infected with W32.Sality (according to WebRoot) and I cannot remove the infection.

 

------------

 

FRST.txt:

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 07-12-2016
Ran by administrator (administrator) on SERVER2 (10-12-2016 10:02:26)
Running from C:\Users\administrator.MOOREEYECENTER\Desktop
Loaded Profiles: QBDataServiceUser20 & administrator (Available Profiles: mooreeye & QBDataServiceUser20 & zeiss & Glimpse & owner & admin & administrator & Classic .NET AppPool)
Platform: Windows Server 2008 R2 Standard Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Webroot) C:\Program Files (x86)\Webroot\WRSA.exe
(Microsoft Corporation) C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe
(Cisco WebEx LLC) C:\Windows\SysWOW64\atashost.exe
(Microsoft Corporation) C:\Windows\System32\certsrv.exe
() D:\CZM\FORUM\database\bin\mysqld.exe
(Carl Zeiss Meditec AG) C:\Program Files (x86)\CZM\FORUM Glaucoma Workplace\Czm.DiagnosticWorkplace.Server.Host.exe
(Microsoft Corporation) C:\Windows\System32\dfsrs.exe
(Microsoft Corporation) C:\Windows\System32\dns.exe
(Glimpse Live) C:\Program Files\Glimpse\Glimpse OMate Plugin.exe
(Microsoft Corporation) C:\Windows\System32\inetsrv\inetinfo.exe
(Microsoft Corporation) C:\Windows\System32\ismserv.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
(Microsoft Corporation) C:\Windows\System32\ntfrs.exe
(Intuit) C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
(Intuit, Inc.) C:\Program Files (x86)\Intuit\QuickBooks 2010\QBDBMgrN.exe
(Microsoft Corporation) C:\Windows\System32\Locator.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
(Microsoft Corporation) C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
() C:\Program Files (x86)\EDGESyncNode\EDGESyncNode.exe
(Microsoft Corporation) C:\Windows\System32\tssdis.exe
(GlavSoft LLC.) C:\Program Files\TightVNC\tvnserver.exe
(Microsoft Corporation) C:\Windows\System32\WINS.EXE
(Microsoft Corporation) C:\Windows\System32\dfssvc.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe
(Microsoft Corporation) C:\Windows\System32\vds.exe
(Webroot) C:\Program Files (x86)\Webroot\WRSA.exe
(Malwarebytes) C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe
(Novosoft LLC) C:\Program Files\Novosoft\Handy Backup 7\BackupClient.exe
() D:\CZM\FORUM\server\mq\bin\imqbrokersvc.exe
(Oracle Corporation) D:\CZM\FORUM\java\jre\bin\java.exe
(Novosoft LLC) C:\Program Files\Novosoft\Handy Backup 7\BackupServer.exe
(Microsoft Corporation) C:\Windows\SysWOW64\dllhost.exe
(Novosoft LLC) C:\Program Files\Novosoft\Handy Backup 7\BackupNetworkCoordinator.exe
(Novosoft LLC) C:\Program Files\Novosoft\Handy Backup 7\BackupNotifyService.exe
(Novosoft LLC) C:\Program Files\Novosoft\Handy Backup 7\ws64\BackupWorkstation.exe
(Microsoft Corporation) C:\Windows\System32\iashost.exe
(Apache Software Foundation) C:\Program Files (x86)\CZM\FORUM Glaucoma Workplace\prunsrv.exe
(Microsoft Corporation) C:\Windows\System32\inetsrv\w3wp.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\ramaint.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe
 
==================== Registry (Whitelisted) ====================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [LogMeIn GUI] => C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe [57928 2014-02-07] (LogMeIn, Inc.)
HKLM\...\Run: [Malwarebytes TrayApp] => C:\PROGRAM FILES\MALWAREBYTES\ANTI-MALWARE\mbamtray.exe [2786768 2016-11-29] (Malwarebytes)
HKLM-x32\...\Run: [WRSVC] => C:\Program Files (x86)\Webroot\WRSA.exe [987392 2016-12-09] (Webroot)
HKLM\...\Policies\Explorer: [ShowSuperHidden] 1
HKU\S-1-5-21-3404979109-244703653-2463615033-500\...\Run: [Handy Backup 7] => C:\Program Files\Novosoft\Handy Backup 7\BackupClient.exe [3010040 2014-09-26] (Novosoft LLC)
HKU\S-1-5-21-3404979109-244703653-2463615033-500\...\MountPoints2: {89f05a1b-cef1-11e1-8ae4-806e6f6e6963} - E:\FORUM.exe
SecurityProviders: credssp.dll, pwdssp.dll
Startup: C:\Users\administrator.MOOREEYECENTER\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Openfire Server.lnk [2012-08-12]
ShortcutTarget: Openfire Server.lnk -> C:\Program Files (x86)\Openfire\bin\openfire.exe (Ignite Realtime RTC Community)
AlternateShell: 
GroupPolicy: Restriction <======= ATTENTION
GroupPolicy\User: Restriction <======= ATTENTION
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Hosts: 69.64.71.218 handybackup.com www.handybackup.com www.softlogica.com softlogica.com
Tcpip\..\Interfaces\{85FFAFCA-B08C-4CE1-9AF5-9466D6977C3C}: [NameServer] 208.67.222.222,208.67.220.220,192.168.1.240,127.0.0.1
 
Internet Explorer:
==================
HKU\S-1-5-21-3404979109-244703653-2463615033-500\Software\Microsoft\Internet Explorer\Main,Start Page = res://iesetup.dll/SoftAdmin.htm
BHO: Safe Money Plugin -> {9E6D0D23-3D72-4A94-AE1F-2D167624E3D9} -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 3\x64\IEExt\OnlineBanking\online_banking_bho.dll => No File
BHO: Webroot Filtering Extension -> {C9C42510-9B41-42c1-9DCD-7282A2D07C61} -> C:\Program Files\Common Files\Webroot\WebFiltering\wrflt.dll [2016-12-09] (Webroot)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre7\bin\ssv.dll [2013-10-08] (Oracle Corporation)
BHO-x32: Safe Money Plugin -> {9E6D0D23-3D72-4A94-AE1F-2D167624E3D9} -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security 3\IEExt\OnlineBanking\online_banking_bho.dll => No File
BHO-x32: Webroot Filtering Extension -> {C9C42510-9B41-42c1-9DCD-7282A2D07C61} -> C:\Program Files (x86)\Common Files\Webroot\WebFiltering\wrflt.dll [2016-12-09] (Webroot)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll [2013-10-08] (Oracle Corporation)
 
FireFox:
========
FF DefaultProfile: j2dp40ug.Eyefinity_EHR
FF ProfilePath: C:\Users\administrator.MOOREEYECENTER\AppData\Roaming\Mozilla\Firefox\Profiles\j2dp40ug.Eyefinity_EHR [2015-04-30]
FF Homepage: Mozilla\Firefox\Profiles\j2dp40ug.Eyefinity_EHR -> hxxp://www.eyefinity.com
FF HKLM\...\Firefox\Extensions: [webrootsecure@webroot.com] - C:\ProgramData\WRData\PKG\FIREFOX\WebrootSecure_SocketServer
FF Extension: (Webroot Filtering Extension) - C:\ProgramData\WRData\PKG\FIREFOX\WebrootSecure_SocketServer [2016-12-09]
FF HKLM-x32\...\Firefox\Extensions: [webrootsecure@webroot.com] - C:\ProgramData\WRData\PKG\FIREFOX\WebrootSecure_SocketServer
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-13] ( Microsoft Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=10.45.2 -> C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll [2013-10-08] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=10.45.2 -> C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll [2013-10-08] (Oracle Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll [2014-05-13] ( Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-28] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-28] (Google Inc.)
FF Plugin HKU\S-1-5-21-3404979109-244703653-2463615033-500: @citrixonline.com/appdetectorplugin -> C:\Users\administrator.MOOREEYECENTER\AppData\Local\Citrix\Plugins\104\npappdetector.dll [2014-06-06] (Citrix Online)
StartMenuInternet: FIREFOX.EXE - C:\Program Files (x86)\Mozilla Firefox for Eyefinity EHR\firefox.exe
 
Chrome: 
=======
CHR DefaultProfile: Default
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\PepperFlash\pepflashplayer.dll => No File
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\gcswf32.dll => No File
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\ppGoogleNaClPluginChrome.dll => No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\pdf.dll => No File
CHR Plugin: (Java™ Platform SE 7 U5) - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\plugin2\npjp2.dll (Oracle Corporation)
CHR Plugin: (Java Deployment Toolkit 7.0.50.255) - C:\Windows\SysWOW64\npDeployJava1.dll => No File
CHR Profile: C:\Users\administrator.MOOREEYECENTER\AppData\Local\Google\Chrome\User Data\Default [2016-12-10]
CHR Extension: (No Name) - C:\Users\administrator.MOOREEYECENTER\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-10-21]
CHR Extension: (No Name) - C:\Users\administrator.MOOREEYECENTER\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlhmfgmfgeifomenelglieieghnjghma [2014-11-24]
CHR Extension: (Webroot Filtering Extension) - C:\Users\administrator.MOOREEYECENTER\AppData\Local\Google\Chrome\User Data\Default\Extensions\kjeghcllfecehndceplomkocgfbklffd [2016-12-09]
CHR Extension: (Chrome Web Store Payments) - C:\Users\administrator.MOOREEYECENTER\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-25]
CHR Extension: (No Name) - C:\Users\administrator.MOOREEYECENTER\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-04-28]
CHR Extension: (Chrome Media Router) - C:\Users\administrator.MOOREEYECENTER\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-12-09]
CHR HKLM-x32\...\Chrome\Extension: [kjeghcllfecehndceplomkocgfbklffd] - hxxps://clients2.google.com/service/update2/crx
StartMenuInternet: Google Chrome.5HEQUUUV5FAI3OK3BBNA6Y3UJI - C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe
StartMenuInternet: Google Chrome.RYGMKM3H5NWIUAHXKLAHQQWQQQ - C:\Users\administrator.MOOREEYECENTER\AppData\Local\Google\Chrome\Application\chrome.exe
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 ADWS; C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe [487424 2013-01-25] (Microsoft Corporation)
R2 CertSvc; C:\Windows\system32\certsrv.exe [746496 2009-07-13] (Microsoft Corporation)
R2 CZM-Database-Service; d:\CZM\FORUM\database\bin\mysqld.exe [8155136 2011-07-13] () [File not signed]
R2 CZM-FORUM-Glaucoma-Workplace-Analysis-Service; C:\Program Files (x86)\Czm\FORUM Glaucoma Workplace\Czm.DiagnosticWorkplace.Server.Host.exe [6144 2015-03-16] (Carl Zeiss Meditec AG) [File not signed]
R2 CZM-FORUM-Glaucoma-Workplace-Service; C:\Program Files (x86)\Czm\FORUM Glaucoma Workplace\prunsrv.exe [74752 2015-03-16] (Apache Software Foundation) [File not signed]
S2 CZM-Server-Service; d:\CZM\FORUM\server\glassfish\domains\archive\bin\CZM-Server-ServiceService.exe [43008 2014-06-06] (CloudBees, Inc.) [File not signed]
R2 Dfs; C:\Windows\system32\dfssvc.exe [377344 2010-11-20] (Microsoft Corporation)
R2 DFSR; C:\Windows\system32\DFSRs.exe [4518400 2010-11-20] (Microsoft Corporation)
R2 DHCPServer; C:\Windows\System32\dhcpssvc.dll [729088 2010-11-20] (Microsoft Corporation)
R2 DNS; C:\Windows\system32\dns.exe [696832 2012-07-15] (Microsoft Corporation)
S3 EFSyncService; C:\Program Files (x86)\Eyefinity Sync\EF.FAL.Integration.WindowsService.EFSync.exe [21504 2016-08-01] () [File not signed]
S3 FCRegSvc; C:\Windows\system32\FCRegSvc.dll [25600 2009-07-13] (Microsoft Corporation)
R2 GlimpseOfficeMate; C:\Program Files\Glimpse\Glimpse OMate Plugin.exe [1307648 2016-11-30] (Glimpse Live) [File not signed]
R2 IAS; C:\Windows\System32\ias.dll [26624 2009-07-13] (Microsoft Corporation)
R2 IAS; C:\Windows\SysWOW64\ias.dll [19456 2009-07-13] (Microsoft Corporation)
R2 IISADMIN; C:\Windows\system32\inetsrv\inetinfo.exe [15872 2010-11-20] (Microsoft Corporation)
R2 IsmServ; C:\Windows\System32\ismserv.exe [59392 2010-11-20] (Microsoft Corporation)
R2 kdc; C:\Windows\System32\lsass.exe [31232 2014-04-11] (Microsoft Corporation)
R2 LMIGuardianSvc; C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe [419336 2016-10-18] (LogMeIn, Inc.)
R2 LMIMaint; C:\Program Files (x86)\LogMeIn\x64\RaMaint.exe [509448 2016-10-18] (LogMeIn, Inc.)
R2 LogMeIn; C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe [407424 2014-02-07] (LogMeIn, Inc.)
R2 LPDSVC; C:\Windows\system32\lpdsvc.dll [45568 2009-07-13] (Microsoft Corporation)
R2 MBAMService; C:\Program Files\Malwarebytes\Anti-Malware\mbamservice.exe [4317648 2016-11-29] (Malwarebytes)
R2 MSSQL$OMSQL; C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [29293408 2010-12-10] (Microsoft Corporation)
R2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [50688 2011-04-13] (Hewlett-Packard) [File not signed]
R2 NTDS; C:\Windows\System32\lsass.exe [31232 2014-04-11] (Microsoft Corporation)
R2 NtFrs; C:\Windows\system32\ntfrs.exe [1020416 2010-11-20] (Microsoft Corporation)
R2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [66048 2011-04-13] (Hewlett-Packard) [File not signed]
R2 QBCFMonitorService; C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe [24576 2009-09-03] (Intuit) [File not signed]
R2 QuickBooksDB20; C:\Program Files (x86)\Intuit\QuickBooks 2010\QBDBMgrN.exe [678912 2009-08-18] (Intuit, Inc.) [File not signed]
R3 RPCHTTPLBS; C:\Windows\System32\RpcProxy\LBService.dll [24576 2010-11-20] (Microsoft Corporation)
S3 rqs; C:\Windows\system32\rqs.exe [41472 2010-11-20] (Microsoft Corporation)
S3 RSoPProv; C:\Windows\system32\RSoPProv.exe [91648 2009-07-13] (Microsoft Corporation)
S3 sacsvr; C:\Windows\system32\sacsvr.dll [14848 2009-07-13] (Microsoft Corporation)
S2 ScanServer; C:\Windows\system32\WSDScanRepository.dll [343552 2010-11-20] (Microsoft Corporation)
S3 SMTPSVC; C:\Windows\system32\inetsrv\inetinfo.exe [15872 2010-11-20] (Microsoft Corporation)
S3 SrmReports; C:\Windows\system32\srmhost.exe [76288 2010-11-20] (Microsoft Corporation)
R2 SrmSvc; C:\Windows\system32\srmsvc.dll [3489792 2010-11-20] (Microsoft Corporation)
R2 SyncNode; C:\Program Files (x86)\EDGESyncNode\EDGESyncNode.exe [15632 2015-08-06] ()
R3 TermService; C:\Windows\System32\termsrv.dll [683520 2015-07-16] (Microsoft Corporation) [File not signed]
R2 TermServLicensing; C:\Windows\System32\lserver.dll [694784 2010-11-20] (Microsoft Corporation)
R2 TScPubRPC; C:\Windows\system32\TSCPUBSvr.dll [180224 2010-11-20] (Microsoft Corporation)
R2 TSGateway; C:\Windows\system32\aaedge.dll [306688 2010-11-20] (Microsoft Corporation)
R2 Tssdis; C:\Windows\System32\tssdis.exe [605696 2010-11-20] (Microsoft Corporation)
R2 tvnserver; C:\Program Files\TightVNC\tvnserver.exe [1652280 2012-06-26] (GlavSoft LLC.)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-26] (Microsoft Corporation)
R2 WINS; C:\Windows\System32\wins.exe [287744 2011-08-08] (Microsoft Corporation)
R2 WRSVC; C:\Program Files (x86)\Webroot\WRSA.exe [987392 2016-12-09] (Webroot)
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 bccfg3; C:\Windows\system32\drivers\bccfg3.sys [22256 2011-10-14] (Dell Inc.)
S3 bcraid3; C:\Windows\system32\drivers\bcraid3.sys [536304 2011-10-14] (Dell Inc.)
R0 Datascrn; C:\Windows\System32\drivers\datascrn.sys [79936 2009-07-13] (Microsoft Corporation)
R1 DfsDriver; C:\Windows\System32\drivers\dfs.sys [51776 2009-07-13] (Microsoft Corporation)
R0 DfsrRo; C:\Windows\System32\drivers\dfsrro.sys [66944 2010-11-20] (Microsoft Corporation)
R3 e1rexpress; C:\Windows\System32\DRIVERS\e1r62x64.sys [487704 2014-03-24] (Intel Corporation)
R1 ESProtectionDriver; C:\Windows\system32\drivers\mbae64.sys [77408 2016-12-09] ()
R3 G200eR; C:\Windows\System32\DRIVERS\G200eRm.sys [248320 2011-09-08] (Matrox Graphics Inc.)
S3 ioatdma; C:\Windows\System32\Drivers\qd260x64.sys [35328 2009-06-10] (Intel Corporation)
R2 LMIInfo; C:\Program Files (x86)\LogMeIn\x64\RaInfo.sys [16056 2014-02-07] (LogMeIn, Inc.)
S4 LMIRfsClientNP; no ImagePath
R2 MBAMChameleon; C:\Windows\system32\drivers\MBAMChameleon.sys [176064 2016-12-09] (Malwarebytes)
R3 MBAMFarflt; C:\Windows\system32\drivers\farflt.sys [102856 2016-12-09] (Malwarebytes)
R3 MBAMProtection; C:\Windows\system32\drivers\mbam.sys [43968 2016-12-09] (Malwarebytes)
R0 MBAMSwissArmy; C:\Windows\System32\drivers\MBAMSwissArmy.sys [250816 2016-12-09] (Malwarebytes)
R3 MBAMWebProtection; C:\Windows\system32\drivers\mwac.sys [81696 2016-12-09] (Malwarebytes)
R3 MRxDAV; C:\Windows\SysWOW64\drivers\mrxdav.sys [115712 2013-07-04] (Microsoft Corporation)
R0 percsas2; C:\Windows\System32\drivers\percsas2.sys [55048 2013-04-03] (LSI Corporation)
R0 Quota; C:\Windows\System32\drivers\quota.sys [168016 2009-07-13] (Microsoft Corporation)
S0 sacdrv; C:\Windows\System32\DRIVERS\sacdrv.sys [96320 2009-07-13] (Microsoft Corporation)
S1 VBoxNetAdp; C:\Windows\System32\DRIVERS\VBoxNetAdp6.sys [121248 2016-09-12] (Oracle Corporation)
R0 WRkrn; C:\Windows\System32\drivers\WRkrn.sys [138576 2016-12-10] (Webroot)
S3 wrUrlFlt; C:\Windows\system32\DRIVERS\wrUrlFlt.sys [66328 2016-12-09] (Webroot)
U0 SR; no ImagePath
U2 srservice; no ImagePath
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
NETSVC: sacsvr -> C:\Windows\system32\sacsvr.dll (Microsoft Corporation)
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-12-10 10:02 - 2016-12-10 10:02 - 00018818 _____ C:\Users\administrator.MOOREEYECENTER\Desktop\FRST.txt
2016-12-10 10:02 - 2016-12-10 10:02 - 00000000 ____D C:\FRST
2016-12-10 10:00 - 2016-12-10 10:00 - 02420224 _____ (Farbar) C:\Users\administrator.MOOREEYECENTER\Desktop\FRST64.exe
2016-12-10 09:50 - 2016-12-10 09:50 - 00103140 _____ C:\ahff.exe
2016-12-09 18:51 - 2016-12-09 18:52 - 00000000 ____D C:\Users\administrator.MOOREEYECENTER\AppData\Roaming\Notepad++
2016-12-09 18:51 - 2016-12-09 18:51 - 00001039 _____ C:\Users\Public\Desktop\Notepad++.lnk
2016-12-09 18:51 - 2016-12-09 18:51 - 00000986 _____ C:\Users\Public\Desktop\FileZilla.lnk
2016-12-09 18:51 - 2016-12-09 18:51 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Notepad++
2016-12-09 18:51 - 2016-12-09 18:51 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FileZilla FTP Client
2016-12-09 18:51 - 2016-12-09 18:51 - 00000000 ____D C:\Program Files\FileZilla FTP Client
2016-12-09 18:51 - 2016-12-09 18:51 - 00000000 ____D C:\Program Files (x86)\Notepad++
2016-12-09 18:50 - 2016-12-09 18:51 - 00422480 _____ (Secure By Design Inc.) C:\Users\administrator.MOOREEYECENTER\Downloads\Ninite FileZilla Notepad Installer.exe
2016-12-09 18:08 - 2016-12-10 10:02 - 00000000 ____D C:\Users\administrator.MOOREEYECENTER\AppData\Local\Temp\1
2016-12-09 18:08 - 2016-12-09 18:08 - 00000000 _____ C:\Users\administrator.MOOREEYECENTER\AppData\Local\Temp\FXSAPIDebugLogFile.txt
2016-12-09 16:33 - 2016-12-10 09:50 - 00000000 ____D C:\ProgramData\WRData
2016-12-09 16:33 - 2016-12-10 02:19 - 00138576 _____ (Webroot) C:\Windows\system32\Drivers\WRkrn.sys
2016-12-09 16:33 - 2016-12-09 16:33 - 00987392 _____ (Webroot) C:\Users\administrator.MOOREEYECENTER\Downloads\0456gsmta96b41564d34.exe
2016-12-09 16:33 - 2016-12-09 16:33 - 00184760 _____ (Webroot) C:\Windows\SysWOW64\WRusr.dll
2016-12-09 16:33 - 2016-12-09 16:33 - 00118384 _____ (Webroot) C:\Windows\system32\WRusr.dll
2016-12-09 16:33 - 2016-12-09 16:33 - 00066328 ____T (Webroot) C:\Windows\system32\Drivers\wrUrlFlt.sys
2016-12-09 16:33 - 2016-12-09 16:33 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Webroot SecureAnywhere
2016-12-09 16:33 - 2016-12-09 16:33 - 00000000 ____D C:\Program Files\Common Files\Webroot
2016-12-09 16:33 - 2016-12-09 16:33 - 00000000 ____D C:\Program Files (x86)\Webroot
2016-12-09 14:45 - 2016-12-09 14:52 - 341898268 _____ (OfficeMate Software Solutions) C:\Users\administrator.MOOREEYECENTER\Downloads\OMSuite_12.0.2.exe
2016-12-09 14:34 - 2016-12-09 14:34 - 00000000 ____D C:\Users\administrator.MOOREEYECENTER\AppData\Local\Temp\mbam
2016-12-09 14:32 - 2016-12-09 14:32 - 00001464 _____ C:\Users\Public\Desktop\ReportWRITER.lnk
2016-12-09 14:31 - 2016-12-09 14:31 - 00001477 _____ C:\Users\Public\Desktop\ExamWRITER.lnk
2016-12-09 13:20 - 2016-12-09 14:27 - 00000000 ____D C:\OM_SQL_TEMP
2016-12-09 12:41 - 2016-12-09 18:08 - 00102856 _____ (Malwarebytes) C:\Windows\system32\Drivers\farflt.sys
2016-12-09 12:41 - 2016-12-09 18:08 - 00081696 _____ (Malwarebytes) C:\Windows\system32\Drivers\mwac.sys
2016-12-09 12:41 - 2016-12-09 18:07 - 00250816 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-12-09 12:41 - 2016-12-09 18:07 - 00043968 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2016-12-09 12:41 - 2016-12-09 16:42 - 00001913 _____ C:\Users\Public\Desktop\Malwarebytes.lnk
2016-12-09 12:41 - 2016-12-09 13:42 - 00077408 _____ C:\Windows\system32\Drivers\mbae64.sys
2016-12-09 12:41 - 2016-12-09 12:41 - 00176064 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMChameleon.sys
2016-12-09 12:41 - 2016-12-09 12:41 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes
2016-12-09 12:41 - 2016-12-09 12:41 - 00000000 ____D C:\ProgramData\Malwarebytes
2016-12-09 12:41 - 2016-12-09 12:41 - 00000000 ____D C:\Program Files\Malwarebytes
2016-12-09 12:37 - 2016-12-09 12:37 - 51969976 _____ (Malwarebytes ) C:\Users\administrator.MOOREEYECENTER\Downloads\mb3-setup-consumer-3.0.4.1269.exe
2016-12-09 12:19 - 2016-12-09 12:19 - 00000000 ____D C:\Users\admin\AppData\Roaming\TeamViewer
2016-12-09 10:10 - 2016-12-09 13:42 - 00000000 ____D C:\Program Files\Microsoft SQL Server
2016-12-09 09:33 - 2016-12-09 13:42 - 00000000 ____D C:\Program Files (x86)\Microsoft SQL Server
2016-12-09 08:03 - 2016-12-09 13:28 - 00000338 _____ C:\Users\administrator.MOOREEYECENTER\Desktop\Notes.txt
2016-12-05 20:15 - 2016-12-05 20:15 - 00000110 _____ C:\Users\mooreeye.MOOREEYECENTER\Desktop\SQLSID.txt
2016-12-05 20:12 - 2016-12-05 20:19 - 00002992 _____ C:\Users\mooreeye.MOOREEYECENTER\Desktop\SQL SID Backup.reg
2016-12-05 19:19 - 2016-12-05 19:20 - 58503520 _____ (Microsoft Corporation) C:\Users\mooreeye.MOOREEYECENTER\Downloads\sqlserver2005expresssp4-kb2463332-x86-enu_896d55b16d7d0978618378f6bbbb3b6ab23296cc.exe
2016-12-05 18:37 - 2016-12-05 18:37 - 00901136 _____ (Cisco WebEx LLC) C:\Users\mooreeye.MOOREEYECENTER\Downloads\Cisco_WebEx_Add-On.exe
2016-12-05 18:37 - 2016-12-05 18:37 - 00000000 ____D C:\Users\mooreeye.MOOREEYECENTER\AppData\LocalLow\WebEx
2016-12-03 21:00 - 2016-12-03 21:00 - 00040761 _____ C:\Users\mooreeye.MOOREEYECENTER\Downloads\EdgeCheck.zip
2016-11-23 08:05 - 2016-11-23 08:10 - 00000000 ____D C:\Program Files (x86)\Citrix
2016-11-17 06:35 - 2016-11-17 06:36 - 00000000 ____D C:\Program Files (x86)\Pandora Recovery
2016-11-17 06:35 - 2016-11-17 06:35 - 00002008 _____ C:\Users\Public\Desktop\Pandora Recovery.lnk
2016-11-17 06:35 - 2016-11-17 06:35 - 00000000 ____D C:\Users\admin\AppData\Roaming\PandoraRecovery
2016-11-17 06:35 - 2016-11-17 06:35 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Pandora Recovery
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-12-10 09:54 - 2014-10-10 13:34 - 00000000 ____D C:\ProgramData\LogMeIn
2016-12-10 09:50 - 2014-09-30 12:05 - 00000376 _____ C:\Windows\Tasks\Demandforce DFLink Upload.job
2016-12-10 09:48 - 2016-04-08 10:25 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-12-10 09:48 - 2014-09-30 12:05 - 00000380 _____ C:\Windows\Tasks\2-Way Appt Confirmation.job
2016-12-10 09:47 - 2015-07-16 15:43 - 00000000 ____D C:\Users\admin
2016-12-10 09:41 - 2014-06-06 11:27 - 00000554 _____ C:\Windows\Tasks\G2MUpdateTask-S-1-5-21-3404979109-244703653-2463615033-500.job
2016-12-10 09:30 - 2014-09-30 12:05 - 00000366 _____ C:\Windows\Tasks\Demandforce DFLink Update.job
2016-12-10 09:16 - 2016-01-18 10:40 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2016-12-10 09:07 - 2012-08-10 17:30 - 00000000 ____D C:\Windows\system32\dhcp
2016-12-10 08:24 - 2015-05-30 21:26 - 00000650 _____ C:\Windows\Tasks\G2MUploadTask-S-1-5-21-3404979109-244703653-2463615033-500.job
2016-12-10 00:07 - 2014-11-21 13:55 - 00000000 ____D C:\Program Files\Glimpse
2016-12-09 18:22 - 2012-08-10 16:37 - 00000000 ____D C:\Windows\NTDS
2016-12-09 18:19 - 2014-10-10 13:35 - 00000990 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LogMeIn Control Panel.lnk
2016-12-09 18:19 - 2009-07-13 22:49 - 00020512 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-12-09 18:19 - 2009-07-13 22:49 - 00020512 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-12-09 18:13 - 2009-07-13 23:10 - 01206680 _____ C:\Windows\system32\PerfStringBackup.INI
2016-12-09 18:13 - 2009-07-13 21:20 - 00000000 ____D C:\Windows\inf
2016-12-09 18:09 - 2009-07-13 21:20 - 00000000 ____D C:\Windows\system32\inetsrv
2016-12-09 18:08 - 2016-04-08 10:25 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-12-09 18:07 - 2012-08-10 17:31 - 00000000 ____D C:\Windows\system32\CertLog
2016-12-09 18:07 - 2012-08-10 17:30 - 00000000 ____D C:\Windows\system32\tssesdir
2016-12-09 18:07 - 2012-08-10 17:30 - 00000000 ____D C:\Windows\system32\lserver
2016-12-09 18:07 - 2012-08-10 16:47 - 00005816 _____ C:\Windows\system32\config\netlogon.dnb
2016-12-09 18:07 - 2012-08-10 16:47 - 00002347 _____ C:\Windows\system32\config\netlogon.dns
2016-12-09 18:07 - 2012-08-10 16:37 - 00000000 ____D C:\Windows\system32\dns
2016-12-09 18:07 - 2012-08-10 13:38 - 00000000 ____D C:\Windows\system32\wins
2016-12-09 18:07 - 2009-07-13 23:06 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-12-09 17:10 - 2012-08-10 13:25 - 00000000 ____D C:\ProgramData\WebEx
2016-12-09 16:12 - 2016-10-07 14:45 - 00000000 ____D C:\TEMP
2016-12-09 14:57 - 2014-04-21 17:51 - 00000000 ____D C:\OfficeMate
2016-12-09 14:32 - 2012-08-10 16:03 - 00000000 ____D C:\WebSystem2
2016-12-09 14:31 - 2012-08-10 13:14 - 00000000 ____D C:\Program Files (x86)\3D-Eye Draw
2016-12-09 14:31 - 2012-08-10 13:13 - 00001445 _____ C:\Users\Public\Desktop\OfficeMate.lnk
2016-12-09 14:30 - 2012-08-10 12:11 - 00003134 _____ C:\Windows\SQLInstall.err
2016-12-09 14:30 - 2012-08-10 12:11 - 00000951 _____ C:\Windows\InstallPreReqsData.dat
2016-12-09 14:28 - 2014-04-21 17:51 - 00001445 _____ C:\Windows\OMATE32.INI
2016-12-09 13:04 - 2014-07-15 13:56 - 00000000 ____D C:\Users\administrator.MOOREEYECENTER\AppData\LocalLow\Temp
2016-12-09 12:48 - 2012-08-14 16:25 - 00000000 ____D C:\Users\administrator.MOOREEYECENTER\AppData\LocalLow\WebEx
2016-12-09 12:33 - 2009-07-13 22:49 - 00281304 _____ C:\Windows\system32\FNTCACHE.DAT
2016-12-09 12:20 - 2016-11-06 20:43 - 00000000 ____D C:\Perl
2016-12-09 12:19 - 2014-06-06 11:20 - 00000000 ____D C:\Program Files (x86)\TeamViewer
2016-12-09 11:31 - 2014-04-17 14:05 - 00002174 __RSH C:\Users\mooreeye.MOOREEYECENTER\ntuser.pol
2016-12-09 11:31 - 2014-04-17 14:05 - 00000000 ____D C:\Users\mooreeye.MOOREEYECENTER
2016-12-09 10:49 - 2012-08-10 13:38 - 00000000 ____D C:\Windows\system32\FxsTmp
2016-12-09 10:36 - 2012-08-10 12:22 - 01157008 _____ C:\Windows\SysWOW64\PerfStringBackup.INI
2016-12-09 10:36 - 2009-07-13 21:20 - 00000000 ____D C:\Windows\Registration
2016-12-09 10:20 - 2012-08-10 14:34 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft SQL Server 2005
2016-12-09 10:14 - 2012-07-27 12:08 - 00001282 __RSH C:\ProgramData\ntuser.pol
2016-12-09 10:12 - 2009-07-13 21:20 - 00000000 ____D C:\Windows\security
2016-12-09 08:29 - 2015-08-03 16:04 - 00000000 ____D C:\Windows\SysWOW64\log
2016-12-08 23:04 - 2016-10-10 20:00 - 00000000 ____D C:\Users\administrator.MOOREEYECENTER\AppData\Local\Temp\2
2016-12-07 19:16 - 2012-08-10 18:03 - 00000000 ____D C:\Users\administrator.MOOREEYECENTER\Documents\SQL Server Management Studio Express
2016-12-05 19:32 - 2015-07-16 15:43 - 00000000 ____D C:\Users\admin\AppData\Local\Temp\TeamViewer
2016-12-05 18:37 - 2016-08-03 14:45 - 00000000 ____D C:\Users\mooreeye.MOOREEYECENTER\AppData\Roaming\Mozilla
2016-12-05 18:37 - 2015-06-10 08:09 - 00000000 ____D C:\Users\mooreeye.MOOREEYECENTER\AppData\LocalLow\Temp
2016-12-03 20:58 - 2015-12-02 18:30 - 00000000 ____D C:\Users\mooreeye.MOOREEYECENTER\AppData\Local\Temp\TeamViewer
2016-12-03 19:56 - 2015-12-23 13:47 - 00000000 ____D C:\Program Files (x86)\EDGESyncNode
2016-11-21 17:05 - 2015-12-28 08:07 - 00001704 _____ C:\Users\Public\Desktop\Recuva.lnk
2016-11-21 17:05 - 2014-12-19 13:27 - 00002470 _____ C:\Users\Public\Desktop\Mozilla Firefox for Eyefinity EHR.lnk
2016-11-14 14:50 - 2016-04-08 10:26 - 00002197 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-11-14 14:50 - 2016-04-08 10:26 - 00002185 _____ C:\Users\Public\Desktop\Google Chrome.lnk
 
==================== Files in the root of some directories =======
 
2016-01-08 16:09 - 2016-01-08 23:14 - 0062686 _____ () C:\Users\administrator.MOOREEYECENTER\AppData\Roaming\FileDrTool.log
2016-04-25 16:13 - 2016-05-03 09:43 - 0007607 _____ () C:\Users\administrator.MOOREEYECENTER\AppData\Local\Resmon.ResmonCfg
2012-08-31 12:10 - 2012-08-31 12:21 - 0000843 _____ () C:\ProgramData\hpzinstall.log
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
LastRegBack: 2016-12-08 23:27
 
==================== End of FRST.txt ============================
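The "Bamital & volsnap" section above only verifies Authenticode signatures on a fixed list of fifteen Windows binaries. W32.Sality is a polymorphic PE file infector (it appends itself to .exe and .scr files), so an infected copy of a signed binary fails signature verification, which is why this check matters; but an infection will usually live in files FRST does not list. The PowerShell below is an added example, not part of this thread and not FRST's own code: it repeats the check on the same fifteen files with the built-in cmdlet and then sweeps recently modified executables, DLLs, drivers and screensavers under the system and Program Files directories for anything that does not verify. Assumptions: it is run from an elevated PowerShell on the affected server, and the 30-day window, the extension list and the CSV output path are example values.

```powershell
# Added example (not from the thread, not from FRST): Authenticode check of
# the binaries FRST lists, then a sweep of recently modified PE files.
# Assumptions: elevated session; $days, $roots and the CSV path are examples.
#
# Caveat: on Windows 7 / Server 2008 R2, Get-AuthenticodeSignature evaluates
# embedded signatures only. Most Microsoft system files are signed through
# security catalogs and commonly report "NotSigned" here even when intact;
# FRST consults the catalogs, which is why it reported them as signed.
# Treat NotSigned in the Windows directory as "verify by another means"
# (Sysinternals sigcheck, or "sfc /verifyonly"), not as proof of tampering.

$critical = @(
    "$env:SystemRoot\System32\winlogon.exe",
    "$env:SystemRoot\System32\wininit.exe",
    "$env:SystemRoot\explorer.exe",
    "$env:SystemRoot\SysWOW64\explorer.exe",
    "$env:SystemRoot\System32\svchost.exe",
    "$env:SystemRoot\SysWOW64\svchost.exe",
    "$env:SystemRoot\System32\services.exe",
    "$env:SystemRoot\System32\user32.dll",
    "$env:SystemRoot\SysWOW64\user32.dll",
    "$env:SystemRoot\System32\userinit.exe",
    "$env:SystemRoot\SysWOW64\userinit.exe",
    "$env:SystemRoot\System32\rpcss.dll",
    "$env:SystemRoot\System32\dnsapi.dll",
    "$env:SystemRoot\SysWOW64\dnsapi.dll",
    "$env:SystemRoot\System32\drivers\volsnap.sys"
)

# Returns one object per path with the signature status and signer subject.
function Test-BinarySignature {
    param([string[]]$Path)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) {
            New-Object PSObject -Property @{ Path = $p; Status = 'Missing'; Signer = '' }
            continue
        }
        $sig    = Get-AuthenticodeSignature -FilePath $p
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        New-Object PSObject -Property @{ Path = $p; Status = $sig.Status; Signer = $signer }
    }
}

# 1. The fixed list FRST checks.
Test-BinarySignature -Path $critical | Format-Table -AutoSize Status, Signer, Path

# 2. Sweep: PE files modified in the last $days days that do not verify.
#    LastWriteTime is attacker-controllable, so the date filter is only a
#    triage shortcut; remove the Where-Object on $since to sweep everything.
$days  = 30
$since = (Get-Date).AddDays(-$days)
$roots = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64",
           $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

$suspect = Get-ChildItem -Path $roots -Recurse -Include *.exe,*.dll,*.sys,*.scr -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $since } |
    ForEach-Object { Test-BinarySignature -Path $_.FullName } |
    Where-Object { $_.Status -ne 'Valid' }

$suspect | Sort-Object Path | Export-Csv -NoTypeInformation "$env:USERPROFILE\Desktop\unsigned-recent.csv"
$suspect | Format-Table -AutoSize Status, Signer, Path
```

Read the output as a worklist rather than a verdict: a third-party file that was never signed shows as NotSigned, a legitimately signed file that Sality has appended itself to shows as HashMismatch, and an unexpected signer subject on a file in System32 deserves the same attention as a missing signature. Files that fail here should be compared against a known-clean copy from installation media or another host before anything is deleted or restored.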
 
 
 
 

#2 HelpBot (Bleepin' Binary Bot)

  • Bots
  • 12,669 posts
  • Gender:Male
  • Local time:05:01 PM
Posted 15 December 2016 - 11:30 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Step 1: In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> https://www.bleepingcomputer.com/logreply/634446 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Step 2: If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new FRST log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download FRST by Farbar from the following link if you no longer have it available and save it to your desktop.

    FRST Download Link

  • When you go to the above page, there will be 32-bit and 64-bit downloads available. Please click on the appropriate one for your version of Windows. If you are unsure as to whether your Windows is 32-bit or 64-bit, please see this tutorial.
  • Double click on the FRST icon and allow it to run.
  • Agree to the usage agreement and FRST will open. Do not make any changes and click on the Scan button.
  • Notepad will open with the results.
  • Post the new logs as explained in the prep guide.
  • Close the program window, and delete the program from your desktop.


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 Oh My! (Adware and Spyware and Malware.....)

  • Malware Response Instructor
  • 36,801 posts
  • Gender:Male
  • Location:California
  • Local time:02:01 PM

Posted 19 December 2016 - 11:00 AM

Greetings brainlinq and :welcome: to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that.

===================================================

Ground Rules:
  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met.
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me.
  • When you post your reply, use the Reply button instead.
  • In the upper right hand corner of the topic you will see the Follow topic button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far. Part of the reason for the delay in replying to you is because we don't normally work on Servers. I am willing to take a look at the state of your computer but I will be hesitant to be aggressive in dealing with potential issues because of my unfamiliarity with the Operating System.

If you still desire help please run a fresh FRST scan and copy/paste both reports in your reply.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#4 Oh My! (Adware and Spyware and Malware.....)

  • Malware Response Instructor
  • 36,801 posts
  • Gender:Male
  • Location:California
  • Local time:02:01 PM

Posted 22 December 2016 - 08:28 PM

Greetings,

===================================================

Do You Still Need Help?

It has been 3 days since my last post.
  • Do you still need help with this?
  • If you have not replied within 48 hours I will assume you have abandoned the Topic and it will be closed.

Gary

#5 Oh My! (Adware and Spyware and Malware.....)

  • Malware Response Instructor
  • 36,801 posts
  • Gender:Male
  • Location:California
  • Local time:02:01 PM

Posted 24 December 2016 - 11:48 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.
Gary
 



