
Windows services disable on startup


This topic is locked
18 replies to this topic

#1 MarkSanchez


Posted 03 April 2017 - 05:21 PM

On restart, a lot of my Windows services are disabled, including firewall and update, and some of my registers are edited.

 

The service OpenTrafficB adds itself to the starting services on restart.

 

Malwarebytes only detects the changed registers.


#2 MarkSanchez


Posted 06 April 2017 - 03:48 PM

What do I have to do to get help AAAAAAAAAAAAHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH



#3 JSntgRvr

Malware Response Team

Posted 06 April 2017 - 08:15 PM

Welcome. :)

Download the attached file and save it in the same directory FRST64 is saved in.

  • Start FRST64 with Administrator privileges.
  • Press the Fix button.
  • When finished, a log file (Fixlog.txt) will pop up and be saved in the same location the tool was run from.

Please copy and paste its contents in your next reply.

Please download Junkware Removal Tool to your Desktop.

  • Please close your security software to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or 7, right-mouse click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete, depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your Desktop and will automatically open.
  • Please post the contents of JRT.txt into your reply.

Download AdwCleaner from here. Save the file to the desktop.


NOTE: If you are using IE 8 or above you may get a warning that stops the program from downloading. Just click on the warning and allow the download to complete.

Close all open windows and browsers.

  • XP users: Double click the AdwCleaner icon to start the program.
  • Vista/7/8 users: Right click the AdwCleaner icon on the desktop, click Run as administrator and accept the UAC prompt to run AdwCleaner.

  • Click the Scan button and wait for the scan to finish.
  • After the Scan has finished the window may or may not show what it found and above, in the progress bar, you will see: Pending. Please uncheck elements you don't want to remove.
  • Click the Clean button.
  • Everything checked will be moved to Quarantine.
  • When the program has finished cleaning, a report appears. Once done, it will ask to reboot; allow this.


  • On reboot a log will be produced please copy / paste that in your next reply. This report is also saved to C:\AdwCleaner\AdwCleaner[S0].txt

 


No request for help through private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#4 MarkSanchez


Posted 07 April 2017 - 12:34 AM

Fixlog.txt

 

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 15-03-2017
Ran by Skeleton Man (07-04-2017 00:59:22) Run:1
Running from C:\Users\Skeleton Man\Desktop
Loaded Profiles: Skeleton Man (Available Profiles: Skeleton Man)
Boot Mode: Normal
==============================================

fixlist content:
*****************
HKU\S-1-5-21-2619496865-784240961-2526465466-1000\...\Run: [OpenTrafficB] => C:\Users\Skeleton Man\AppData\Local\Browser\ibox64.exe [55446528 2017-04-01] ()
HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig]  <===== ATTENTION
GroupPolicy: Restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-2619496865-784240961-2526465466-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
R3 ALSysIO; \??\C:\Users\SKELET~1\AppData\Local\Temp\ALSysIO64.sys [X] <==== ATTENTION
Task: {06E133CC-2357-4DD4-9EB4-79C23EA96872} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {16BEAB62-6BFE-4D94-90FA-599F426FCBEB} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {393C29A6-8BA6-465F-B0A3-D75F99DD852D} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeTime -> No File <==== ATTENTION
Task: {70EC1538-F1FB-4D11-BE48-0B8933C43AB8} - \Microsoft\Windows\Setup\GWXTriggers\Logon-URT -> No File <==== ATTENTION
Task: {A10B0835-A0FB-4396-8468-491CA5E8AFC2} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {AB762683-295A-4FC4-8D6C-3AD448A64DDD} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {B0648164-6120-4B37-82AD-9A1ED70925FC} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeReminderTime -> No File <==== ATTENTION
Task: {B55BAC82-AB2B-4614-9CA5-CC6022346ED9} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {D802BFCA-9CBA-44F1-8D3A-FCBCC92B2BDA} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
Task: {06E133CC-2357-4DD4-9EB4-79C23EA96872} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {16BEAB62-6BFE-4D94-90FA-599F426FCBEB} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {393C29A6-8BA6-465F-B0A3-D75F99DD852D} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeTime -> No File <==== ATTENTION
Task: {70EC1538-F1FB-4D11-BE48-0B8933C43AB8} - \Microsoft\Windows\Setup\GWXTriggers\Logon-URT -> No File <==== ATTENTION
Task: {A10B0835-A0FB-4396-8468-491CA5E8AFC2} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {AB762683-295A-4FC4-8D6C-3AD448A64DDD} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {B0648164-6120-4B37-82AD-9A1ED70925FC} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeReminderTime -> No File <==== ATTENTION
Task: {B55BAC82-AB2B-4614-9CA5-CC6022346ED9} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {D802BFCA-9CBA-44F1-8D3A-FCBCC92B2BDA} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Shortcut: C:\Users\Skeleton Man\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\??zill? Fir?f??.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.bat (No File)
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\??zill? Fir?f??.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.bat (No File)
R3 ALSysIO; \??\C:\Users\SKELET~1\AppData\Local\Temp\ALSysIO64.sys [X] <==== ATTENTION
2017-03-30 20:22 - 2017-03-30 20:22 - 00002758 _____ C:\Windows\System32\Tasks\Core Temp Autostart Skeleton Man
2017-03-27 22:06 - 2017-03-30 20:22 - 00000000 ____D C:\Program Files\Core Temp
2017-03-27 22:06 - 2017-03-30 18:53 - 00000992 _____ C:\Users\Skeleton Man\Desktop\Core Temp.lnk
2017-03-27 22:06 - 2017-03-27 22:06 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Core Temp
2017-03-27 22:05 - 2017-03-27 22:05 - 01206104 _____ (ALCPU ) C:\Users\Skeleton Man\Downloads\Core-Temp-setup.exe
Core Temp 1.7 (HKLM\...\{086D343F-8E78-4AFC-81AC-D6D414AFD8AC}_is1) (Version: 1.7 - ALCPU)
Task: {042B9C05-0569-4675-AA37-84AAD08EB7CD} - System32\Tasks\Core Temp Autostart Skeleton Man => C:\Program Files\Core Temp\Core Temp.exe [2017-03-18] (ALCPU)
2017-04-03 17:52 - 2017-04-03 17:52 - 00148992 _____ () \\?\C:\Users\Skeleton Man\AppData\Local\Temp\5530.tmp.node
MSCONFIG\startupreg: 9070 => "C:\Users\SKELET~1\AppData\Local\Temp\is-2515E.tmp\inst.exe"
2017-04-03 17:52 - 2017-04-03 17:52 - 00148992 _____ () \\?\C:\Users\Skeleton Man\AppData\Local\Temp\5530.tmp.node
MSCONFIG\startupreg: 9070 => "C:\Users\SKELET~1\AppData\Local\Temp\is-2515E.tmp\inst.exe"
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset C:\resettcpip.txt
CMD: FOR /F "usebackq delims==" %i IN (`wevtutil el`) DO wevtutil cl "%i"
CMD: Bitsadmin /Reset /Allusers
EMPTYTEMP:
Reboot:

*****************

HKU\S-1-5-21-2619496865-784240961-2526465466-1000\Software\Microsoft\Windows\CurrentVersion\Run\\OpenTrafficB => value removed successfully
HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore => key removed successfully
C:\Windows\system32\GroupPolicy\Machine => moved successfully
C:\Windows\system32\GroupPolicy\GPT.ini => moved successfully
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer => key removed successfully
HKU\S-1-5-21-2619496865-784240961-2526465466-1000\SOFTWARE\Policies\Microsoft\Internet Explorer => key removed successfully
ALSysIO => Service stopped successfully.
HKLM\System\CurrentControlSet\Services\ALSysIO => key removed successfully
ALSysIO => service removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{06E133CC-2357-4DD4-9EB4-79C23EA96872} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{06E133CC-2357-4DD4-9EB4-79C23EA96872} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{16BEAB62-6BFE-4D94-90FA-599F426FCBEB} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{16BEAB62-6BFE-4D94-90FA-599F426FCBEB} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{393C29A6-8BA6-465F-B0A3-D75F99DD852D} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{393C29A6-8BA6-465F-B0A3-D75F99DD852D} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeTime => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{70EC1538-F1FB-4D11-BE48-0B8933C43AB8} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{70EC1538-F1FB-4D11-BE48-0B8933C43AB8} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Logon-URT => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{A10B0835-A0FB-4396-8468-491CA5E8AFC2} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A10B0835-A0FB-4396-8468-491CA5E8AFC2} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{AB762683-295A-4FC4-8D6C-3AD448A64DDD} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{AB762683-295A-4FC4-8D6C-3AD448A64DDD} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{B0648164-6120-4B37-82AD-9A1ED70925FC} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B0648164-6120-4B37-82AD-9A1ED70925FC} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeReminderTime => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{B55BAC82-AB2B-4614-9CA5-CC6022346ED9} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B55BAC82-AB2B-4614-9CA5-CC6022346ED9} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Time-5d => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{D802BFCA-9CBA-44F1-8D3A-FCBCC92B2BDA} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D802BFCA-9CBA-44F1-8D3A-FCBCC92B2BDA} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Logon-5d => key removed successfully
HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE => key removed successfully
HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{06E133CC-2357-4DD4-9EB4-79C23EA96872} => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{16BEAB62-6BFE-4D94-90FA-599F426FCBEB} => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{393C29A6-8BA6-465F-B0A3-D75F99DD852D} => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeTime => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{70EC1538-F1FB-4D11-BE48-0B8933C43AB8} => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Logon-URT => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A10B0835-A0FB-4396-8468-491CA5E8AFC2} => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{AB762683-295A-4FC4-8D6C-3AD448A64DDD} => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B0648164-6120-4B37-82AD-9A1ED70925FC} => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeReminderTime => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B55BAC82-AB2B-4614-9CA5-CC6022346ED9} => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Time-5d => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D802BFCA-9CBA-44F1-8D3A-FCBCC92B2BDA} => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Logon-5d => key not found.
"C:\Users\Skeleton Man\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\??zill? Fir?f??.lnk" => Could not move.
"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\??zill? Fir?f??.lnk" => Could not move.
ALSysIO => service not found.
C:\Windows\System32\Tasks\Core Temp Autostart Skeleton Man => moved successfully
C:\Program Files\Core Temp => moved successfully
C:\Users\Skeleton Man\Desktop\Core Temp.lnk => moved successfully
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Core Temp => moved successfully
C:\Users\Skeleton Man\Downloads\Core-Temp-setup.exe => moved successfully
Core Temp 1.7 (HKLM\...\{086D343F-8E78-4AFC-81AC-D6D414AFD8AC}_is1) (Version: 1.7 - ALCPU) => Error: No automatic fix found for this entry.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{042B9C05-0569-4675-AA37-84AAD08EB7CD} => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{042B9C05-0569-4675-AA37-84AAD08EB7CD} => key removed successfully
C:\Windows\System32\Tasks\Core Temp Autostart Skeleton Man => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Core Temp Autostart Skeleton Man => key removed successfully
C:\Users\Skeleton Man\AppData\Local\Temp\5530.tmp.node => moved successfully
HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\9070 => key removed successfully
"C:\Users\Skeleton Man\AppData\Local\Temp\5530.tmp.node" => not found.
HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\9070 => key not found.

========= netsh advfirewall reset =========

Ok.


========= End of CMD: =========


========= netsh advfirewall set allprofiles state ON =========

Ok.


========= End of CMD: =========


========= ipconfig /flushdns =========


Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========


========= netsh winsock reset catalog =========


Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.


========= End of CMD: =========


========= netsh int ip reset C:\resettcpip.txt =========

Reseting Global, OK!
Reseting Interface, OK!
Reseting Unicast Address, OK!
Restart the computer to complete this action.


========= End of CMD: =========


========= FOR /F "usebackq delims==" %i IN (`wevtutil el`) DO wevtutil cl "%i" =========

Failed to clear log DebugChannel. The requested operation cannot be performed over an enabled direct channel. The channel must first be disabled before performing the requested operation.

========= End of CMD: =========


========= Bitsadmin /Reset /Allusers =========


BITSADMIN version 3.0 [ 7.5.7601 ]
BITS administration utility.
© Copyright 2000-2006 Microsoft Corp.

BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.

0 out of 0 jobs canceled.

========= End of CMD: =========


=========== EmptyTemp: ==========

BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 9215529 B
Java, Flash, Steam htmlcache => 421357195 B
Windows/system/drivers => 19854922 B
Edge => 0 B
Chrome => 49360626 B
Firefox => 481277590 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Users => 0 B
Default => 33125 B
Public => 0 B
ProgramData => 0 B
systemprofile => 58558274 B
systemprofile32 => 69318 B
LocalService => 66228 B
NetworkService => 36140334 B
Skeleton Man => 517610222 B

RecycleBin => 21348693828 B
EmptyTemp: => 21.4 GB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 01:03:15 ====

 

JRT.txt

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.1.2 (03.10.2017)
Operating System: Windows 7 Ultimate x64
Ran by Skeleton Man (Administrator) on 04/07/2017 Fri at  1:18:15.66
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




File System: 14

Failed to delete: C:\Users\Skeleton Man\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6R6GV9N5 (Temporary Internet Files Folder)
Failed to delete: C:\Users\Skeleton Man\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9AYSRP6Y (Temporary Internet Files Folder)
Failed to delete: C:\Users\Skeleton Man\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UI2FCOO4 (Temporary Internet Files Folder)
Successfully deleted: C:\Program Files (x86)\internet explorer\iexplore.bat (File)
Successfully deleted: C:\Users\Skeleton Man\AppData\Local\browser (Folder)
Successfully deleted: C:\Users\Skeleton Man\AppData\Roaming\3909 (Folder)
Successfully deleted: C:\Users\Skeleton Man\AppData\Roaming\Mozilla\Firefox\Profiles\yy21thyw.default\user.js (File)
Successfully deleted: C:\Users\Skeleton Man\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ATGHOXKG (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6R6GV9N5 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9AYSRP6Y (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ATGHOXKG (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UI2FCOO4 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\SysWOW64\REN2681.tmp (File)
Successfully deleted: C:\Windows\SysWOW64\RENDDC0.tmp (File)



Registry: 0





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 04/07/2017 Fri at  1:20:55.85
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

 

AdwCleaner[C0].txt

 

# AdwCleaner v6.045 - Logfile created 07/04/2017 at 01:24:58
# Updated on 28/03/2017 by Malwarebytes
# Database : 2017-04-06.1 [Server]
# Operating System : Windows 7 Ultimate Service Pack 1 (X64)
# Username : Skeleton Man - SKELETONMAN-PC
# Running from : C:\Users\Skeleton Man\Desktop\adwcleaner_6.045.exe
# Mode: Clean
# Support : https://www.malwarebytes.com/support



***** [ Services ] *****



***** [ Folders ] *****

[-] Folder deleted: C:\Users\Skeleton Man\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AppTrailers
[-] Folder deleted: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Hotspot


***** [ Files ] *****



***** [ DLL ] *****



***** [ WMI ] *****



***** [ Shortcuts ] *****



***** [ Scheduled Tasks ] *****



***** [ Registry ] *****

[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{5A4E3A41-FA55-4BDA-AED7-CEBE6E7BCB52}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{A07E5BFF-B16C-4ABA-A30F-514213A945E6}
[-] Key deleted: HKLM\SOFTWARE\Classes\Interface\{4E6354DE-9115-4AEE-BD21-C46C3E8A49DB}
[-] Key deleted: HKLM\SOFTWARE\Classes\Interface\{FC073BDA-C115-4A1D-9DF9-9B5C461482E5}
[-] Key deleted: HKLM\SOFTWARE\Classes\TypeLib\{A2D733A7-73B0-4C6B-B0C7-06A432950B66}
[-] Key deleted: HKU\.DEFAULT\Software\Hola
[#] Key deleted on reboot: HKU\S-1-5-18\Software\Hola
[-] Key deleted: [x64] HKLM\SOFTWARE\Hola
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Shared Tools\MsConfig\StartupReg\AppTrailers
[-] Key deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\hola.org


***** [ Web browsers ] *****



*************************

:: "Tracing" keys deleted
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C0].txt - [1834 Bytes] - [07/04/2017 01:24:58]
C:\AdwCleaner\AdwCleaner[S0].txt - [2092 Bytes] - [07/04/2017 01:23:52]

########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt - [1980 Bytes] ##########
 



#5 MarkSanchez


Posted 07 April 2017 - 12:37 AM

AdwCleaner[S0].txt

 

# AdwCleaner v6.045 - Logfile created 07/04/2017 at 01:23:52
# Updated on 28/03/2017 by Malwarebytes
# Database : 2017-04-06.1 [Server]
# Operating System : Windows 7 Ultimate Service Pack 1 (X64)
# Username : Skeleton Man - SKELETONMAN-PC
# Running from : C:\Users\Skeleton Man\Desktop\adwcleaner_6.045.exe
# Mode: Scan
# Support : https://www.malwarebytes.com/support



***** [ Services ] *****

No malicious services found.


***** [ Folders ] *****

Folder Found:  C:\Users\Skeleton Man\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AppTrailers
Folder Found:  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Hotspot


***** [ Files ] *****

No malicious files found.


***** [ DLL ] *****

No malicious DLLs found.


***** [ WMI ] *****

No malicious keys found.


***** [ Shortcuts ] *****

No infected shortcut found.


***** [ Scheduled Tasks ] *****

No malicious task found.


***** [ Registry ] *****

Key Found:  HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
Key Found:  HKLM\SOFTWARE\Classes\CLSID\{5A4E3A41-FA55-4BDA-AED7-CEBE6E7BCB52}
Key Found:  HKLM\SOFTWARE\Classes\CLSID\{A07E5BFF-B16C-4ABA-A30F-514213A945E6}
Key Found:  HKLM\SOFTWARE\Classes\Interface\{4E6354DE-9115-4AEE-BD21-C46C3E8A49DB}
Key Found:  HKLM\SOFTWARE\Classes\Interface\{FC073BDA-C115-4A1D-9DF9-9B5C461482E5}
Key Found:  HKLM\SOFTWARE\Classes\TypeLib\{A2D733A7-73B0-4C6B-B0C7-06A432950B66}
Key Found:  HKU\.DEFAULT\Software\Hola
Key Found:  HKU\S-1-5-18\Software\Hola
Key Found:  [x64] HKLM\SOFTWARE\Hola
Key Found:  [x64] HKLM\SOFTWARE\Microsoft\Shared Tools\MsConfig\StartupReg\AppTrailers
Key Found:  HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\hola.org


***** [ Web browsers ] *****

No malicious Firefox based browser items found.
No malicious Chromium based browser items found.

*************************

C:\AdwCleaner\AdwCleaner[S0].txt - [1932 Bytes] - [07/04/2017 01:23:52]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [2005 Bytes] ##########
 



#6 JSntgRvr

Malware Response Team

Posted 07 April 2017 - 12:47 AM

Rescan with Adwcleaner then click on clean.



#7 MarkSanchez


Posted 07 April 2017 - 01:09 PM

Services are still disabled on startup.

 

AdwCleaner[C2]

 

# AdwCleaner v6.045 - Logfile created 07/04/2017 at 14:01:42
# Updated on 28/03/2017 by Malwarebytes
# Database : 2017-04-06.1 [Local]
# Operating System : Windows 7 Ultimate Service Pack 1 (X64)
# Username : Skeleton Man - SKELETONMAN-PC
# Running from : C:\Users\Skeleton Man\Desktop\adwcleaner_6.045.exe
# Mode: Clean
# Support : https://www.malwarebytes.com/support



***** [ Services ] *****



***** [ Folders ] *****



***** [ Files ] *****



***** [ DLL ] *****



***** [ WMI ] *****



***** [ Shortcuts ] *****



***** [ Scheduled Tasks ] *****



***** [ Registry ] *****



***** [ Web browsers ] *****



*************************

:: "Tracing" keys deleted
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C0].txt - [2067 Bytes] - [07/04/2017 01:24:58]
C:\AdwCleaner\AdwCleaner[C2].txt - [859 Bytes] - [07/04/2017 14:01:42]
C:\AdwCleaner\AdwCleaner[S0].txt - [2092 Bytes] - [07/04/2017 01:23:52]
C:\AdwCleaner\AdwCleaner[S1].txt - [1324 Bytes] - [07/04/2017 14:01:34]

########## EOF - C:\AdwCleaner\AdwCleaner[C2].txt - [1077 Bytes] ##########
 

 

 

AdwCleaner[S1]

 

# AdwCleaner v6.045 - Logfile created 07/04/2017 at 14:01:34
# Updated on 28/03/2017 by Malwarebytes
# Database : 2017-04-06.1 [Local]
# Operating System : Windows 7 Ultimate Service Pack 1 (X64)
# Username : Skeleton Man - SKELETONMAN-PC
# Running from : C:\Users\Skeleton Man\Desktop\adwcleaner_6.045.exe
# Mode: Scan
# Support : https://www.malwarebytes.com/support



***** [ Services ] *****

No malicious services found.


***** [ Folders ] *****

No malicious folders found.


***** [ Files ] *****

No malicious files found.


***** [ DLL ] *****

No malicious DLLs found.


***** [ WMI ] *****

No malicious keys found.


***** [ Shortcuts ] *****

No infected shortcut found.


***** [ Scheduled Tasks ] *****

No malicious task found.


***** [ Registry ] *****

No malicious registry entries found.


***** [ Web browsers ] *****

No malicious Firefox based browser items found.
No malicious Chromium based browser items found.

*************************

C:\AdwCleaner\AdwCleaner[C0].txt - [2067 Bytes] - [07/04/2017 01:24:58]
C:\AdwCleaner\AdwCleaner[S0].txt - [2092 Bytes] - [07/04/2017 01:23:52]
C:\AdwCleaner\AdwCleaner[S1].txt - [1172 Bytes] - [07/04/2017 14:01:34]

########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [1245 Bytes] ##########
 


Edited by MarkSanchez, 07 April 2017 - 01:09 PM.


#8 JSntgRvr

Malware Response Team

Posted 07 April 2017 - 02:29 PM

Which services?

Please download Farbar Service Scanner and run it on the computer with the issue.

  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Other Services
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

Edited by JSntgRvr, 07 April 2017 - 03:29 PM.
typo

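Editor's added example, not part of this thread and not code from Farbar or Malwarebytes: a read-only PowerShell audit that reproduces, in script form, what the Farbar Service Scanner run requested above reports on (the start type of the Windows Firewall, Security Center, Windows Update and BITS services, and the System Restore policy values), plus a check for Run-key entries that launch from a user profile's AppData folder, the pattern of the OpenTrafficB entry in the FRST fixlist earlier in the thread. The "Auto" defaults for MpsSvc, wscsvc, wuauserv and BITS are taken from what FSS states in this thread; the function names and the AppData heuristic are my own choices, not anything the tools implement. The script only reports; it changes nothing.

```powershell
# Added example (not from the thread or any Farbar tool): read-only audit of the
# items discussed in this thread. Run from an elevated PowerShell prompt.

# Services FSS reports on, with the default start mode the FSS log in this thread
# states ("The default start type is Auto"). Win32_Service.StartMode uses the same
# wording: Auto, Manual, Disabled, Boot, System.
$ExpectedStartMode = @{
    'MpsSvc'   = 'Auto'   # Windows Firewall
    'wscsvc'   = 'Auto'   # Security Center
    'wuauserv' = 'Auto'   # Windows Update
    'BITS'     = 'Auto'   # Background Intelligent Transfer Service
}

function Test-CoreServiceStartMode {
    $findings = @()
    foreach ($name in $ExpectedStartMode.Keys) {
        # Get-WmiObject rather than Get-Service.StartType so this also runs on the
        # Windows 7 / PowerShell 2.0 machine described in the thread.
        $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
        if ($null -eq $svc) {
            $findings += "$name : service not found (service key may have been removed)"
            continue
        }
        if ($svc.StartMode -ne $ExpectedStartMode[$name]) {
            $findings += "$name : start type is $($svc.StartMode), default is $($ExpectedStartMode[$name]) (state: $($svc.State))"
        }
    }
    return $findings
}

# Policy values FSS lists under "System Restore Policy"; a value of 1 disables the feature.
function Test-SystemRestorePolicy {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'
    $findings = @()
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        foreach ($v in 'DisableSR', 'DisableConfig') {
            if ($props.$v -eq 1) { $findings += "$key\$v = 1 (System Restore disabled by policy)" }
        }
    }
    return $findings
}

# Run-key entries whose target lives under a user profile's AppData folder. This is a
# heuristic I chose for the example: it matches the OpenTrafficB entry in the FRST
# fixlist (AppData\Local\Browser\ibox64.exe) but will also list legitimate per-user
# installers, so treat hits as items to review, not as verdicts.
function Test-RunKeysForProfileTargets {
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
    )
    $metaProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
    $findings = @()
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($metaProps -contains $p.Name) { continue }   # skip PowerShell's own provider fields
            if ("$($p.Value)" -match '\\AppData\\(Local|Roaming)\\') {
                $findings += "$key\$($p.Name) => $($p.Value)"
            }
        }
    }
    return $findings
}

$all = @(Test-CoreServiceStartMode) + @(Test-SystemRestorePolicy) + @(Test-RunKeysForProfileTargets)
if ($all.Count -eq 0) { 'No findings.' } else { $all }
```

On the machine in this thread the service section would list MpsSvc, wscsvc, wuauserv and BITS as Disabled with default Auto, and the policy section would flag both DisableSR and DisableConfig, which is exactly what the FSS log further down shows; running the audit again after the fix is a quick way to confirm the start types stayed at their defaults across a reboot, which is the symptom the poster is describing.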


#9 MarkSanchez


Posted 07 April 2017 - 08:35 PM

The disabled services are:

Background Intelligent Transfer Service

Internet Connection Sharing (ICS)

Security Center

Windows Defender

Windows Error Reporting Service

Windows Firewall

Windows Update

 

 

FSS.txt

 

Farbar Service Scanner Version: 27-01-2016
Ran by Skeleton Man (administrator) on 07-04-2017 at 21:33:00
Running from "C:\Users\Skeleton Man\Desktop"
Microsoft Windows 7 Ultimate  Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============
MpsSvc Service is not running. Checking service configuration:
The start type of MpsSvc service is set to Disabled. The default start type is Auto.
The ImagePath of MpsSvc service is OK.
The ServiceDll of MpsSvc service is OK.


Firewall Disabled Policy:
==================


System Restore:
============

System Restore Policy:
========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableSR"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableConfig"="1"


Action Center:
============

wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is set to Disabled. The default start type is Auto.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.


Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is set to Disabled. The default start type is Auto.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.

BITS Service is not running. Checking service configuration:
The start type of BITS service is set to Disabled. The default start type is Auto.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.


Windows Autoupdate Disabled Policy:
============================


Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => File is digitally signed
C:\Windows\System32\drivers\nsiproxy.sys => File is digitally signed
C:\Windows\System32\dhcpcore.dll => File is digitally signed
C:\Windows\System32\drivers\afd.sys => File is digitally signed
C:\Windows\System32\drivers\tdx.sys => File is digitally signed
C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\System32\dnsrslvr.dll => File is digitally signed
C:\Windows\System32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\System32\mpssvc.dll => File is digitally signed
C:\Windows\System32\bfe.dll => File is digitally signed
C:\Windows\System32\drivers\mpsdrv.sys => File is digitally signed
C:\Windows\System32\SDRSVC.dll => File is digitally signed
C:\Windows\System32\vssvc.exe => File is digitally signed
C:\Windows\System32\wscsvc.dll => File is digitally signed
C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\System32\wuaueng.dll => File is digitally signed
C:\Windows\System32\qmgr.dll => File is digitally signed
C:\Windows\System32\es.dll => File is digitally signed
C:\Windows\System32\cryptsvc.dll => File is digitally signed
C:\Windows\System32\ipnathlp.dll => File is digitally signed
C:\Windows\System32\iphlpsvc.dll => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed


**** End of log ****



#10 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,759 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:02:39 PM

Posted 07 April 2017 - 09:16 PM

Download the attached file and save it in the same directory FRST64 is saved.

  • Start FRST64 with Administrator privileges.
  • Press the Fix button.
  • When finished, a log file (Fixlog.txt) will pop up and be saved in the same location the tool was run from.

Please copy and paste its contents in your next reply. After the restart, check these services.




#11 MarkSanchez

MarkSanchez
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:02:39 PM

Posted 08 April 2017 - 12:44 PM

Fixlog.txt


Fix result of Farbar Recovery Scan Tool (x64) Version: 15-03-2017
Ran by Skeleton Man (08-04-2017 13:36:48) Run:2
Running from C:\Users\Skeleton Man\Desktop
Loaded Profiles: Skeleton Man (Available Profiles: Skeleton Man)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CMD: Reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t Reg_DWORD /d 0X0 /f
CMD: Reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore  /v "DisableConfig" /t Reg_DWORD /d 0X0 /f
CMD: Reg add "HKLM\SYSTEM\CurrentControlSet\Services\BITS"/v "Start" /t Reg_DWORD /d 0X2 /f
CMD: Reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv"/v "Start" /t Reg_DWORD /d 0X2 /f
CMD: Reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc"/v "Start" /t Reg_DWORD /d 0X2 /f
CMD: Reg add "HKLM\SYSTEM\CurrentControlSet\Services\MpsSvc"/v "Start" /t Reg_DWORD /d 0X2 /f
CMD: Reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess"/v "Start" /t Reg_DWORD /d 0X2 /f
CMD: Reg add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend"/v "Start" /t Reg_DWORD /d 0X2 /f
CMD: Reg Query "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting" /s
Reboot:
*****************


========= Reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t Reg_DWORD /d 0X0 /f =========

The operation completed successfully.


========= End of CMD: =========


========= Reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore  /v "DisableConfig" /t Reg_DWORD /d 0X0 /f =========


========= End of CMD: =========


========= Reg add "HKLM\SYSTEM\CurrentControlSet\Services\BITS"/v "Start" /t Reg_DWORD /d 0X2 /f =========

ERROR: Invalid syntax.
Type "REG ADD /?" for usage.

========= End of CMD: =========


========= Reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv"/v "Start" /t Reg_DWORD /d 0X2 /f =========

ERROR: Invalid syntax.
Type "REG ADD /?" for usage.

========= End of CMD: =========


========= Reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc"/v "Start" /t Reg_DWORD /d 0X2 /f =========

ERROR: Invalid syntax.
Type "REG ADD /?" for usage.

========= End of CMD: =========


========= Reg add "HKLM\SYSTEM\CurrentControlSet\Services\MpsSvc"/v "Start" /t Reg_DWORD /d 0X2 /f =========

ERROR: Invalid syntax.
Type "REG ADD /?" for usage.

========= End of CMD: =========


========= Reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess"/v "Start" /t Reg_DWORD /d 0X2 /f =========

ERROR: Invalid syntax.
Type "REG ADD /?" for usage.

========= End of CMD: =========


========= Reg add "HKLM\SYSTEM\CurrentControlSet\Services\WinDefend"/v "Start" /t Reg_DWORD /d 0X2 /f =========

ERROR: Invalid syntax.
Type "REG ADD /?" for usage.

========= End of CMD: =========


========= Reg Query "HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting" /s =========


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting
    ErrorPort    REG_SZ    \WindowsErrorReportingServicePort
    MaxQueueSizePercentage    REG_DWORD    0x1
    PurgeThreshholdValueInKB    REG_DWORD    0xa
    ServiceTimeout    REG_DWORD    0xea60
    MachineID    REG_SZ    3666CC62-E311-4E21-BD99-1CBE3F988FB9
    Disabled    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Consent
    NewUserDefaultConsent    REG_DWORD    0x2
    PDUWICA    REG_DWORD    0x4

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug
    ExceptionRecord    REG_BINARY    740300C0010000000000000000000000E2F3C3770000000001000000380037003084CB7700000000030000004001000038010000000000008000000000000000000000000000000000002500000000008000000000000000C05D31000000000060B12F000000000099F4BB770000000000000000000000000000000000000000507B15010000000003000000000000000000000000000000
    StoreLocation    REG_SZ    C:\ProgramData\Microsoft\Windows\WER\ReportArchive\NonCritical_x64_1dcbbdf933c14ec634e3f03ff5545bce31634247_42379703

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug\UIHandles
    CheckingForSolutionDialog    REG_QWORD    0xd072c
    CloseDialog    REG_QWORD    0x6055a
    FirstLevelConsentDialog    REG_QWORD    0x30292
    CollectingDataDialog    REG_QWORD    0x504c4
    SecondLevelConsentDialog    REG_QWORD    0x105a0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\DebugApplications
    w3wp.exe    REG_DWORD    0x1
    aspnet_wp.exe    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Hangs

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\HeapControlledList

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\HeapControlledList\dwm.exe
    EnableHeapThrottle    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\KernelFaults

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LiveKernelReports

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\GFExperience.exe
    DumpFolder    REG_EXPAND_SZ    %PROGRAMDATA%\NVIDIA Corporation\CrashDumps
    DumpCount    REG_DWORD    0xf
    DumpType    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\GfExperienceService64.exe
    DumpFolder    REG_EXPAND_SZ    %PROGRAMDATA%\NVIDIA Corporation\CrashDumps
    DumpCount    REG_DWORD    0xf
    DumpType    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\LaunchGFExperience.exe
    DumpFolder    REG_EXPAND_SZ    %PROGRAMDATA%\NVIDIA Corporation\CrashDumps
    DumpCount    REG_DWORD    0xf
    DumpType    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\NvBackend.exe
    DumpFolder    REG_EXPAND_SZ    %PROGRAMDATA%\NVIDIA Corporation\CrashDumps
    DumpCount    REG_DWORD    0xf
    DumpType    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\NVIDIA.SteamLauncher.exe
    DumpFolder    REG_EXPAND_SZ    %PROGRAMDATA%\NVIDIA Corporation\CrashDumps
    DumpCount    REG_DWORD    0xf
    DumpType    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\NvLedServiceHost.exe
    DumpFolder    REG_EXPAND_SZ    %PROGRAMDATA%\NVIDIA Corporation\CrashDumps
    DumpCount    REG_DWORD    0xf
    DumpType    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\NvLedVisualizer.exe
    DumpFolder    REG_EXPAND_SZ    %PROGRAMDATA%\NVIDIA Corporation\CrashDumps
    DumpCount    REG_DWORD    0xf
    DumpType    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\nvshelper64.exe
    DumpFolder    REG_EXPAND_SZ    %PROGRAMDATA%\NVIDIA Corporation\CrashDumps
    DumpCount    REG_DWORD    0xf
    DumpType    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\nvspcaps64.exe
    DumpFolder    REG_EXPAND_SZ    %PROGRAMDATA%\NVIDIA Corporation\CrashDumps
    DumpCount    REG_DWORD    0xf
    DumpType    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\nvstreamer.exe
    DumpFolder    REG_EXPAND_SZ    %PROGRAMDATA%\NVIDIA Corporation\CrashDumps
    DumpCount    REG_DWORD    0xf
    DumpType    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\NvStreamNetworkService.exe
    DumpFolder    REG_EXPAND_SZ    %PROGRAMDATA%\NVIDIA Corporation\CrashDumps
    DumpCount    REG_DWORD    0xf
    DumpType    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\NvStreamService.exe
    DumpFolder    REG_EXPAND_SZ    %PROGRAMDATA%\NVIDIA Corporation\CrashDumps
    DumpCount    REG_DWORD    0xf
    DumpType    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\NvStreamUserAgent.exe
    DumpFolder    REG_EXPAND_SZ    %PROGRAMDATA%\NVIDIA Corporation\CrashDumps
    DumpCount    REG_DWORD    0xf
    DumpType    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\WLMerger.exe
    DumpFolder    REG_EXPAND_SZ    %PROGRAMDATA%\NVIDIA Corporation\CrashDumps
    DumpCount    REG_DWORD    0xf
    DumpType    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\RuntimeExceptionHelperModules
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscordacwks.dll    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR
    Disable    REG_DWORD    0x1


========= End of CMD: =========



The system needed a reboot.

==== End of Fixlog 13:36:52 ====



#12 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,759 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:02:39 PM

Posted 08 April 2017 - 01:25 PM

The Windows Error Reporting service is not disabled.

There was a syntax error in the script.

Download the attached file and save it in the same directory FRST64 is saved.

  • Start FRST64 with Administrator privileges.
  • Press the Fix button.
  • When finished, a log file (Fixlog.txt) will pop up and be saved in the same location the tool was run from.

Please copy and paste its contents in your next reply. After the restart, check these services.



#13 MarkSanchez

MarkSanchez
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:02:39 PM

Posted 08 April 2017 - 03:32 PM

Services are still disabled on startup, and OpenTrafficB still adds itself to the startup programs.

Fixlog.txt


Fix result of Farbar Recovery Scan Tool (x64) Version: 15-03-2017
Ran by Skeleton Man (08-04-2017 16:24:19) Run:3
Running from C:\Users\Skeleton Man\Desktop
Loaded Profiles: Skeleton Man (Available Profiles: Skeleton Man)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CMD: Reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 0X0 /f
CMD: Reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore"  /v DisableConfig /t REG_DWORD /d 0X0 /f
CMD: Reg add HKLM\SYSTEM\CurrentControlSet\Services\BITS /v Start /t REG_DWORD /d 0X2 /f
CMD: Reg add HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Start /t REG_DWORD /d 0X2 /f
CMD: Reg add HKLM\SYSTEM\CurrentControlSet\Services\wscsvc /v Start /t REG_DWORD /d 0X2 /f
CMD: Reg add HKLM\SYSTEM\CurrentControlSet\Services\MpsSvc /v Start /t REG_DWORD /d 0X2 /f
CMD: Reg add HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess /v Start /t REG_DWORD /d 0X2 /f
CMD: Reg add HKLM\SYSTEM\CurrentControlSet\Services\WinDefend /v Start /t REG_DWORD /d 0X2 /f
Reboot:
*****************


========= Reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 0X0 /f =========

The operation completed successfully.


========= End of CMD: =========


========= Reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore"  /v DisableConfig /t REG_DWORD /d 0X0 /f =========

The operation completed successfully.


========= End of CMD: =========


========= Reg add HKLM\SYSTEM\CurrentControlSet\Services\BITS /v Start /t REG_DWORD /d 0X2 /f =========

The operation completed successfully.


========= End of CMD: =========


========= Reg add HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /v Start /t REG_DWORD /d 0X2 /f =========

The operation completed successfully.


========= End of CMD: =========


========= Reg add HKLM\SYSTEM\CurrentControlSet\Services\wscsvc /v Start /t REG_DWORD /d 0X2 /f =========

The operation completed successfully.


========= End of CMD: =========


========= Reg add HKLM\SYSTEM\CurrentControlSet\Services\MpsSvc /v Start /t REG_DWORD /d 0X2 /f =========

The operation completed successfully.


========= End of CMD: =========


========= Reg add HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess /v Start /t REG_DWORD /d 0X2 /f =========

The operation completed successfully.


========= End of CMD: =========


========= Reg add HKLM\SYSTEM\CurrentControlSet\Services\WinDefend /v Start /t REG_DWORD /d 0X2 /f =========

The operation completed successfully.


========= End of CMD: =========



The system needed a reboot.

==== End of Fixlog 16:24:23 ====
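Since the fix above sets the services back to Automatic but post #13 reports them disabled again after a reboot, a repeatable check of the same registry values is useful. This is an added example, not part of the thread or of FRST/FSS; it assumes the expected Start value is 2 (Automatic), as the FSS log's "default start type is Auto" states, and it covers exactly the services and policy values the fixlist touches.

```powershell
# Added example: audit the services and policy values the fixlist above re-enables.
# Run from an elevated PowerShell prompt; run it again after a reboot to see
# whether anything has been flipped back to Disabled.
# Service Start values: 0 = Boot, 1 = System, 2 = Automatic, 3 = Manual, 4 = Disabled.

$expected = @{
    'MpsSvc'       = 2   # Windows Firewall
    'wscsvc'       = 2   # Security Center
    'wuauserv'     = 2   # Windows Update
    'BITS'         = 2   # Background Intelligent Transfer Service
    'SharedAccess' = 2   # Internet Connection Sharing (ICS)
    'WinDefend'    = 2   # Windows Defender
}

function Get-StartTypeName([int]$v) {
    switch ($v) {
        0 { 'Boot' } 1 { 'System' } 2 { 'Automatic' } 3 { 'Manual' } 4 { 'Disabled' }
        default { "Unknown($v)" }
    }
}

$findings = @()
foreach ($svc in $expected.Keys) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    if (-not (Test-Path $key)) { $findings += "$svc : service key missing"; continue }
    $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
    if ($null -eq $start) { $findings += "$svc : Start value missing"; continue }
    if ($start -ne $expected[$svc]) {
        $findings += "$svc : Start is $(Get-StartTypeName $start), expected $(Get-StartTypeName $expected[$svc])"
    }
}

# System Restore policy values the FSS log flagged (DisableSR / DisableConfig = 1).
$srPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'
if (Test-Path $srPolicy) {
    foreach ($name in 'DisableSR', 'DisableConfig') {
        $val = (Get-ItemProperty -Path $srPolicy -Name $name -ErrorAction SilentlyContinue).$name
        if ($val -eq 1) { $findings += "SystemRestore policy $name = 1 (System Restore disabled by policy)" }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'All checked services are set to Automatic and no System Restore policy override is present.'
} else {
    Write-Output 'Deviations found:'
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

A Start value that is correct immediately after the fix but reads Disabled again after the next boot points at something running at startup that re-applies the change, which is why the thread moves on to a rootkit scan.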



#14 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,759 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:02:39 PM

Posted 08 April 2017 - 03:35 PM

Are the services active now?




#15 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,759 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:02:39 PM

Posted 08 April 2017 - 03:37 PM

Please follow the instructions below to remove the infection.

  • Download version 1.09.4.1001 of Malwarebytes Anti Rootkit (MBAR)
  • Run the exe.
  • After extraction MBAR should start. Click next.
  • Update by hitting the update button.
  • After the update completes hit next.
  • Hit the scan button. Please let it finish the scan. This rootkit may slow your machine down but MBAR will continue to scan.
  • Once the scan is complete, press the cleanup button and allow MBAR to remove what is found and allow your computer to restart.

Post the log produced in the MBAR folder as mbar-log-TODAY'S-DATE.txt.


Edited by JSntgRvr, 08 April 2017 - 03:38 PM.
