
CMD Prompt pops up by itself every hour (need Farbar fix list)


6 replies to this topic

#1 Tunak


Posted 21 January 2017 - 01:56 PM

Stupidly downloaded some torrents, and got a large amount of viruses. I ran Malware virus scan, Windows Defender, ADW Cleaner, McAfee, and just downloaded Farbar. I scanned with Farbar and got the FRST.txt. I'm just not sure how to make the fix list and did not want to mess up any more. If anyone could help me I would greatly appreciate it.


Edited by Tunak, 21 January 2017 - 01:57 PM.




#2 nasdaq


Posted 24 January 2017 - 10:35 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

--RogueKiller--
  • Download & SAVE to your Desktop: Download RogueKiller
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator"
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a window opens to explain what [PUM's] are, read about it.
  • Click the RogueKiller icon on your taskbar to return to the report.
  • Click open the Report
  • Click Export TXT button
  • Save the file as ReportRogue.txt
  • Click the Remove button to delete the items in RED
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next reply.
=======

Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
createsrpoint;
autoclean;
emptyclsid;
emptyffcache;
FFdefaults;
emptyiecache;
iedefaults;
emptychrcache;
CHRdefaults;
emptyalltemp;
emptyfolderscheck;delete
ipconfig /flushdns;b
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run the whole script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.
===

Also, please provide an update on how the computer is behaving after running the above script.

#3 Tunak


Posted 24 January 2017 - 01:47 PM

CMD is still popping up. I saw someone on this forum with the exact same problem as me and they fixed it with Farbar.

 

 
Zoek.exe v5.0.0.1 Updated 19-September-2016
Tool run by chris on Tue 01/24/2017 at 12:47:14.03.
Microsoft Windows 7 Home Premium  6.1.7601 Service Pack 1 x64
Running in: Normal Mode Internet Access Detected
Launched: C:\Users\chris\Downloads\zoek.exe [Scan all users] [Script inserted] 
 
==== System Restore Info ======================
 
1/24/2017 12:52:50 PM Zoek.exe System Restore Point Created Successfully.
 
==== Empty Folders Check ======================
 
C:\Users\chris\AppData\Roaming\Publish Providers deleted successfully
C:\Users\chris\AppData\Local\EmieBrowserModeList deleted successfully
C:\Users\chris\AppData\Local\EmieSiteList deleted successfully
C:\Users\chris\AppData\Local\EmieUserList deleted successfully
C:\Users\chris\AppData\Local\Skype deleted successfully
 
==== Deleting CLSID Registry Keys ======================
 
HKEY_USERS\S-1-5-21-807219481-1858425333-2305609683-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F72DD28E-2B93-4F04-B086-3257C842F634} deleted successfully
HKEY_USERS\S-1-5-21-807219481-1858425333-2305609683-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{F72DD28E-2B93-4F04-B086-3257C842F634} deleted successfully
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{F72DD28E-2B93-4F04-B086-3257C842F634} deleted successfully
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{F72DD28E-2B93-4F04-B086-3257C842F634} deleted successfully
HKEY_CLASSES_ROOT\CLSID\{F72DD28E-2B93-4F04-B086-3257C842F634} deleted successfully
HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{F72DD28E-2B93-4F04-B086-3257C842F634} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F72DD28E-2B93-4F04-B086-3257C842F634} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F72DD28E-2B93-4F04-B086-3257C842F634} deleted successfully
 
==== Deleting CLSID Registry Values ======================
 
HKEY_USERS\S-1-5-21-807219481-1858425333-2305609683-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} deleted successfully
 
==== Deleting Services ======================
 
 
==== Batch Command(s) Run By Tool======================
 
 
==== Deleting Files \ Folders ======================
 
C:\PROGRA~2\VstPlugins deleted
C:\Users\chris\AppData\Roaming\Curse Client deleted
C:\PROGRA~2\The Elder Scrolls V Skyrim Special Edition deleted
C:\Users\chris\AppData\Roaming\Common deleted
C:\PROGRA~3\win_mpwd_sys.dat deleted
C:\PROGRA~3\Package Cache deleted
C:\windows\SysNative\GroupPolicy\Machine deleted
C:\windows\SysNative\GroupPolicy\User deleted
C:\windows\SysNative\GroupPolicy\GPT.INI deleted
C:\Windows\Syswow64\GroupPolicy\gpt.ini deleted
C:\Windows\Syswow64\SET1DB9.tmp deleted
C:\Windows\Syswow64\SET32AD.tmp deleted
C:\Windows\Syswow64\SET52B.tmp deleted
C:\Windows\Syswow64\SET640C.tmp deleted
C:\Windows\Syswow64\SET6584.tmp deleted
C:\Windows\Syswow64\SET6672.tmp deleted
C:\Windows\Syswow64\SET6686.tmp deleted
C:\Windows\Syswow64\SET6B38.tmp deleted
C:\Windows\Syswow64\SET6C61.tmp deleted
C:\Windows\Syswow64\SET6DBD.tmp deleted
C:\Windows\Syswow64\SET6EB3.tmp deleted
C:\Windows\Syswow64\SET7578.tmp deleted
C:\Windows\Syswow64\SET75E0.tmp deleted
C:\Windows\Syswow64\SET786C.tmp deleted
C:\Windows\Syswow64\SET78C2.tmp deleted
C:\Windows\Syswow64\SET7D12.tmp deleted
C:\Windows\Syswow64\SET801B.tmp deleted
C:\Windows\Syswow64\SET88A6.tmp deleted
C:\Windows\Syswow64\SET8AB9.tmp deleted
C:\Windows\Syswow64\SET8E94.tmp deleted
C:\Windows\Syswow64\SET8FC1.tmp deleted
C:\Windows\Syswow64\SET911A.tmp deleted
C:\Windows\Syswow64\SET916A.tmp deleted
C:\Windows\Syswow64\SET9623.tmp deleted
C:\Windows\Syswow64\SET9713.tmp deleted
C:\Windows\Syswow64\SET9754.tmp deleted
C:\Windows\Syswow64\SET9D4C.tmp deleted
C:\Windows\Syswow64\SET9DDA.tmp deleted
C:\Windows\Syswow64\SETA7F.tmp deleted
C:\Windows\Syswow64\SETB4C.tmp deleted
C:\Windows\Syswow64\SETC7D.tmp deleted
C:\Windows\Syswow64\SETD69.tmp deleted
C:\Windows\Syswow64\SETDEFE.tmp deleted
C:\Windows\Syswow64\SETE4ED.tmp deleted
C:\Windows\Syswow64\SETEF37.tmp deleted
C:\Windows\Syswow64\SETF54D.tmp deleted
C:\Windows\Syswow64\SETFA2B.tmp deleted
"C:\Users\chris\AppData\Roaming\CgYlKK" deleted
 
==== Firefox Extensions Registry ======================
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Mozilla\Firefox\Extensions]
"{D19CA586-DD6C-4a0a-96F8-14644F340D60}"="C:\Program Files (x86)\Common Files\McAfee\SystemCore" [01/15/2017 08:22 PM]
 
==== Chromium Look ======================
 
 
Chrome Media Router - chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm
 
==== Chromium Fix ======================
 
C:\Users\chris\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_d10lpsik1i8c69.cloudfront.net_0.localstorage deleted successfully
C:\Users\chris\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_d10lpsik1i8c69.cloudfront.net_0.localstorage-journal deleted successfully
C:\Users\chris\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_d22j4fzzszoii2.cloudfront.net_0.localstorage deleted successfully
C:\Users\chris\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_d22j4fzzszoii2.cloudfront.net_0.localstorage-journal deleted successfully
 
==== Set IE to Default ======================
 
Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}] not found
 
New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="{012E1000-F331-11DB-8314-0800200C9A66}"
 
==== All HKLM and HKCU SearchScopes ======================
 
HKLM\SearchScopes "DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
HKLM\SearchScopes\{2f23ab71-4ac6-41f2-a955-ea576e553146} - http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
HKLM\Wow6432Node\SearchScopes "DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
HKLM\Wow6432Node\SearchScopes\{2f23ab71-4ac6-41f2-a955-ea576e553146} - http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
HKCU\SearchScopes "DefaultScope"="{012E1000-F331-11DB-8314-0800200C9A66}"
HKCU\SearchScopes\{012E1000-F331-11DB-8314-0800200C9A66} - http://www.google.com/search?q={searchTerms}
HKCU\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} - http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
HKCU\SearchScopes\{2f23ab71-4ac6-41f2-a955-ea576e553146} - http://www.bing.com/search?q={searchTerms}&form=MSSEDF&pc=MSSE
 
==== Reset Google Chrome ======================
 
C:\Users\chris\AppData\Local\Google\Chrome\User Data\Default\Preferences was reset successfully
C:\Users\chris\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences was reset successfully
C:\Users\chris\AppData\Local\Google\Chrome\User Data\Default\Web Data was reset successfully
C:\Users\chris\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal was reset successfully
 
==== Deleting Registry Keys ======================
 
HKEY_LOCAL_MACHINE\Software\wow6432node\Policies\Google deleted successfully
 
==== Empty IE Cache ======================
 
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\chris\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\chris\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5 emptied successfully
C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\serviceprofiles\Localservice\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\sysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
 
==== Empty FireFox Cache ======================
 
No FireFox Profiles found
 
==== Empty Chrome Cache ======================
 
C:\Users\chris\AppData\Local\Google\Chrome\User Data\Default\Cache emptied successfully
 
==== Empty All Flash Cache ======================
 
Flash Cache Emptied Successfully
 
==== Empty All Java Cache ======================
 
No Java Cache Found
 
==== C:\zoek_backup content ======================
 
C:\zoek_backup (files=4165 folders=568 20604034535 bytes)
 
==== Empty Temp Folders ======================
 
C:\Users\chris\AppData\Local\Temp will be emptied at reboot
C:\Users\Default\AppData\Local\Temp emptied successfully
C:\Users\Default User\AppData\Local\Temp emptied successfully
C:\Windows\serviceprofiles\networkservice\AppData\Local\Temp emptied successfully
C:\Windows\serviceprofiles\Localservice\AppData\Local\Temp emptied successfully
C:\Windows\Temp will be emptied at reboot
 
==== After Reboot ======================
 
==== Empty Temp Folders ======================
 
C:\Windows\Temp successfully emptied
C:\Users\chris\AppData\Local\Temp successfully emptied
 
==== Empty Recycle Bin ======================
 
C:\$RECYCLE.BIN successfully emptied
 
==== EOF on Tue 01/24/2017 at 13:44:23.07 ======================


#4 nasdaq


Posted 24 January 2017 - 02:28 PM


All that I have found as not required in your logs.

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click OK.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
CloseProcesses:

HKU\S-1-5-21-807219481-1858425333-2305609683-1000\...\Run: [ASRockXTU] => [X]
HKU\S-1-5-21-807219481-1858425333-2305609683-1000\...\Run: [zASRockInstantBoot] => [X]
HKU\S-1-5-21-807219481-1858425333-2305609683-1000\...\Run: [AdobeBridge] => [X]
GroupPolicy: Restriction <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
BHO: RaeepliuApp -> {F72DD28E-2B93-4F04-B086-3257C842F634} -> C:\Program Files (x86)\RaeepliuApp\4IzP4vgL13OBcn.x64.dll => No File
BHO-x32: RaeepliuApp -> {F72DD28E-2B93-4F04-B086-3257C842F634} -> C:\Program Files (x86)\RaeepliuApp\4IzP4vgL13OBcn.dll => No File
Toolbar: HKU\S-1-5-21-807219481-1858425333-2305609683-1000 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @softnyxNpruntime -> C:\Game\SoftnyxGame\NyxLauncherIS\npSoftnyx.dll [No File]
CHR StartupUrls: Default -> "hxxp://search.conduit.com/?ctid=CT3310511&SearchSource=48&CUI=UN35458693107671154&UM=2"
CHR Extension: (Chrome Web Store Payments) - C:\Users\chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-01-18]
CHR Extension: (Chrome Media Router) - C:\Users\chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-01-15]
S3 DrvAgent64; \??\C:\Windows\SysWOW64\Drivers\DrvAgent64.SYS [X]
S1 MpKsl6c8b1ab5; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{5792485E-8F41-468A-8804-445BFD59B63B}\MpKsl6c8b1ab5.sys [X]
CustomCLSID: HKU\S-1-5-21-807219481-1858425333-2305609683-1000_Classes\CLSID\{073CB204-6B29-46FC-AB98-451F1D068741}\InprocServer32 -> C:\Program Files\Autodesk\3ds Max 2015\Inventor Server\Bin\TestServer.dll => No File
CustomCLSID: HKU\S-1-5-21-807219481-1858425333-2305609683-1000_Classes\CLSID\{8C23B656-4E6E-4B45-9920-9617168D39A3}\InprocServer32 -> C:\Program Files\Autodesk\3ds Max 2015\Inventor Server\Bin\TestServer.dll => No File
CustomCLSID: HKU\S-1-5-21-807219481-1858425333-2305609683-1000_Classes\CLSID\{E5B0515D-48D2-4F04-906D-0192ED65A2DD}\InprocServer32 -> C:\Program Files\Autodesk\3ds Max 2015\Inventor Server\Bin\TestServer.dll => No File
HKU\S-1-5-21-807219481-1858425333-2305609683-1000\Software\Classes\regfile: regedit.exe "%1" <===== ATTENTION

Reboot:


End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Please post the Fixlog.txt and let me know what problem persists.

p.s.
If CMD.exe runs again let me know if you get a DOS prompt or some other window.

#5 Tunak


Posted 24 January 2017 - 10:04 PM

Damn, still happening; it's a DOS prompt. I just want to throw in that I appreciate you taking the time to help me try and figure this out.

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 22-01-2017
Ran by chris (24-01-2017 18:01:05) Run:2
Running from C:\Users\chris\Desktop\New folder (2)
Loaded Profiles: chris (Available Profiles: chris)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
start
 
CreateRestorePoint:
CloseProcesses:
 
HKU\S-1-5-21-807219481-1858425333-2305609683-1000\...\Run: [ASRockXTU] => [X]
HKU\S-1-5-21-807219481-1858425333-2305609683-1000\...\Run: [zASRockInstantBoot] => [X]
HKU\S-1-5-21-807219481-1858425333-2305609683-1000\...\Run: [AdobeBridge] => [X]
GroupPolicy: Restriction <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
BHO: RaeepliuApp -> {F72DD28E-2B93-4F04-B086-3257C842F634} -> C:\Program Files (x86)\RaeepliuApp\4IzP4vgL13OBcn.x64.dll => No File
BHO-x32: RaeepliuApp -> {F72DD28E-2B93-4F04-B086-3257C842F634} -> C:\Program Files (x86)\RaeepliuApp\4IzP4vgL13OBcn.dll => No File
Toolbar: HKU\S-1-5-21-807219481-1858425333-2305609683-1000 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @softnyxNpruntime -> C:\Game\SoftnyxGame\NyxLauncherIS\npSoftnyx.dll [No File]
CHR StartupUrls: Default -> "hxxp://search.conduit.com/?ctid=CT3310511&SearchSource=48&CUI=UN35458693107671154&UM=2"
CHR Extension: (Chrome Web Store Payments) - C:\Users\chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-01-18]
CHR Extension: (Chrome Media Router) - C:\Users\chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-01-15]
S3 DrvAgent64; \??\C:\Windows\SysWOW64\Drivers\DrvAgent64.SYS [X]
S1 MpKsl6c8b1ab5; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{5792485E-8F41-468A-8804-445BFD59B63B}\MpKsl6c8b1ab5.sys [X]
CustomCLSID: HKU\S-1-5-21-807219481-1858425333-2305609683-1000_Classes\CLSID\{073CB204-6B29-46FC-AB98-451F1D068741}\InprocServer32 -> C:\Program Files\Autodesk\3ds Max 2015\Inventor Server\Bin\TestServer.dll => No File
CustomCLSID: HKU\S-1-5-21-807219481-1858425333-2305609683-1000_Classes\CLSID\{8C23B656-4E6E-4B45-9920-9617168D39A3}\InprocServer32 -> C:\Program Files\Autodesk\3ds Max 2015\Inventor Server\Bin\TestServer.dll => No File
CustomCLSID: HKU\S-1-5-21-807219481-1858425333-2305609683-1000_Classes\CLSID\{E5B0515D-48D2-4F04-906D-0192ED65A2DD}\InprocServer32 -> C:\Program Files\Autodesk\3ds Max 2015\Inventor Server\Bin\TestServer.dll => No File
HKU\S-1-5-21-807219481-1858425333-2305609683-1000\Software\Classes\regfile: regedit.exe "%1" <===== ATTENTION
 
Reboot:
 
 
End
*****************
 
Restore point was successfully created.
Processes closed successfully.
HKU\S-1-5-21-807219481-1858425333-2305609683-1000\Software\Microsoft\Windows\CurrentVersion\Run\\ASRockXTU => value removed successfully
HKU\S-1-5-21-807219481-1858425333-2305609683-1000\Software\Microsoft\Windows\CurrentVersion\Run\\zASRockInstantBoot => value removed successfully
HKU\S-1-5-21-807219481-1858425333-2305609683-1000\Software\Microsoft\Windows\CurrentVersion\Run\\AdobeBridge => value removed successfully
"C:\Windows\system32\GroupPolicy\Machine" => not found.
HKLM\SOFTWARE\Policies\Google => key not found. 
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F72DD28E-2B93-4F04-B086-3257C842F634} => key not found. 
HKCR\CLSID\{F72DD28E-2B93-4F04-B086-3257C842F634} => key not found. 
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F72DD28E-2B93-4F04-B086-3257C842F634} => key not found. 
HKCR\Wow6432Node\CLSID\{F72DD28E-2B93-4F04-B086-3257C842F634} => key not found. 
HKU\S-1-5-21-807219481-1858425333-2305609683-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} => value not found.
HKCR\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} => key not found. 
HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE => key removed successfully
HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE => key removed successfully
HKLM\Software\Wow6432Node\MozillaPlugins\@softnyxNpruntime => key removed successfully
Chrome StartupUrls => not found.
C:\Users\chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda => moved successfully
C:\Users\chris\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm => moved successfully
HKLM\System\CurrentControlSet\Services\DrvAgent64 => key removed successfully
DrvAgent64 => service removed successfully
HKLM\System\CurrentControlSet\Services\MpKsl6c8b1ab5 => key removed successfully
MpKsl6c8b1ab5 => service removed successfully
HKU\S-1-5-21-807219481-1858425333-2305609683-1000_Classes\CLSID\{073CB204-6B29-46FC-AB98-451F1D068741} => key removed successfully
HKU\S-1-5-21-807219481-1858425333-2305609683-1000_Classes\CLSID\{8C23B656-4E6E-4B45-9920-9617168D39A3} => key removed successfully
HKU\S-1-5-21-807219481-1858425333-2305609683-1000_Classes\CLSID\{E5B0515D-48D2-4F04-906D-0192ED65A2DD} => key removed successfully
HKU\S-1-5-21-807219481-1858425333-2305609683-1000\Software\Classes\regfile => key removed successfully
 
 
The system needed a reboot.
 
==== End of Fixlog 18:01:32 ====


#6 nasdaq


Posted 25 January 2017 - 08:59 AM

Let's find out where it's coming from.

Please run the Farbar Recovery Scan Tool. Enter cmd.exe in the Search Box.
Click the Search Registry button, post the content of the Search.txt file in your next reply.
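A defender-side complement to the registry search nasdaq asks for, added here as an example and not part of the thread: a PowerShell script that lists scheduled tasks and Run/RunOnce values whose command references cmd.exe, since a console window that appears on a fixed interval usually comes from one of those autostart locations. It assumes an elevated PowerShell session on Windows 7 or later and uses schtasks.exe because Get-ScheduledTask does not exist on Windows 7; the $pattern variable and the report layout are my own choices.

```powershell
# Added example (not from the thread): find autostart entries that launch cmd.exe.
# Run from an elevated PowerShell prompt. Written for PowerShell 2.0+ so it works on
# Windows 7; schtasks.exe is used instead of the Windows 8+ ScheduledTasks module.

# Hypothetical match target: cmd or cmd.exe as a whole word anywhere in the command line.
$pattern = '\bcmd(\.exe)?\b'

# 1. Scheduled tasks. Verbose CSV output carries the command ("Task To Run") and the
#    repeat interval ("Repeat: Every"), which is what an hourly popup would show.
$tasks = schtasks.exe /query /fo CSV /v | ConvertFrom-Csv |
    Where-Object { $_.HostName -ne 'HostName' }   # schtasks repeats the header per task folder

$suspectTasks = $tasks |
    Where-Object { $_.'Task To Run' -match $pattern } |
    Select-Object TaskName, 'Task To Run', 'Schedule Type', 'Repeat: Every',
                  'Run As User', 'Next Run Time'

# 2. Run / RunOnce keys for the machine and the current user (64- and 32-bit views).
#    HKCU only covers the logged-on user; other profiles live under HKU.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$suspectRun = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }         # skip PowerShell's own PSPath etc.
        if ("$($p.Value)" -match $pattern) {
            New-Object PSObject -Property @{ Key = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

# 3. Report. Every hit is a lead to inspect, not proof of infection: legitimate
#    installers and maintenance jobs also run cmd.exe. Compare each command and its
#    "Start In" folder against the paths FRST flagged before deciding anything.
"== Scheduled tasks whose action runs cmd.exe =="
$suspectTasks | Format-Table -AutoSize
"== Run/RunOnce values that run cmd.exe =="
$suspectRun | Format-Table Key, Name, Command -AutoSize
```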

#7 nasdaq


Posted 31 January 2017 - 10:31 AM

Are you still with me?
