Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

HijackThis Log: Please help me diagnose


  • This topic is locked This topic is locked
4 replies to this topic

#1 MrUgly

MrUgly

  • Members
  • 2 posts
  • OFFLINE
  •  

Posted 14 June 2017 - 09:51 PM

Logfile of Trend Micro HijackThis v2.0.5
Scan saved at 10:45:28 PM, on 6/14/2017
Platform: Unknown Windows (WinNT 6.02.1008)
MSIE: Internet Explorer v11.0 (11.00.9600.16384)
CHROME: 58.0.3029.110
FIREFOX: 48.0 (x86 en-US)
Boot mode: Normal
 
Running processes:
C:\Windows\SearchIndexer.exe
C:\Users\PC\AppData\Local\FluxSoftware\Flux\flux.exe
C:\Users\PC\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\PC\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\PC\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\PC\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\PC\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\PC\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\PC\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\PC\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\PC\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\PC\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\PC\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE
C:\Program Files (x86)\Microsoft Office\Root\Office16\MsoSync.exe
C:\Users\PC\Desktop\HijackThis\HijackThis.exe
C:\Windows\SysWOW64\DllHost.exe
 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://pesonal-spage.com/sen/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/p/?LinkId=255141
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = <-loopback>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
F2 - REG:system.ini: UserInit=userinit.exe,
O1 - Hosts: cme.com # source server
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.8.0_111\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre1.8.0_111\bin\jp2ssv.dll
O4 - HKCU\..\Run: [Google Update] C:\Users\PC\AppData\Local\Google\Update\1.3.33.5\GoogleUpdateCore.exe
O4 - HKUS\S-1-5-18\..\Run: []  (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: []  (User 'Default user')
O4 - Startup: AutorunsDisabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE/3000
O8 - Extra context menu item: Se&nd to OneNote - res://C:\Program Files (x86)\Microsoft Office\Root\Office16\ONBttnIE.dll/105
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O18 - Protocol: mso-minsb-roaming.16 - {83C25742-A9F7-49FB-9138-434302C88D07} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL
O18 - Protocol: mso-minsb.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL
O18 - Protocol: osf-roaming.16 - {42089D2D-912D-4018-9087-2B87803E93FB} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL
O18 - Protocol: osf.16 - {5504BE45-A83B-4808-900A-3A5C36E7F77A} - C:\Program Files (x86)\Microsoft Office\root\Office16\MSOSB.DLL
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: Energy Server Service queencreek (ESRV_SVC_QUEENCREEK) - Unknown owner - C:\Program Files\Intel\SUR\QUEENCREEK\esrv_svc.exe
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: Google Update Service (gupdate) (gupdate) - Unknown owner - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe (file missing)
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Unknown owner - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe (file missing)
O23 - Service: @oem5.inf,%hpservice_desc%;HP Service (hpsrv) - Unknown owner - C:\Windows\system32\Hpservice.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ieetwcollectorres.dll,-1000 (IEEtwCollectorService) - Unknown owner - C:\Windows\system32\IEEtwCollector.exe (file missing)
O23 - Service: JumpStart Wi-Fi Protected Setup (jswpsapi) - Unknown owner - C:\Program Files (x86)\Jumpstart\jswpsapi.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: MBAMScheduler - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\stlang64.dll,-10101 (STacSV) - IDT, Inc. - C:\Program Files\IDT\WDM\STacSV64.exe
O23 - Service: Intel® System Usage Report Service SystemUsageReportSvc_QUEENCREEK (SystemUsageReportSvc_QUEENCREEK) - Unknown owner - C:\Program Files\Intel Driver Update Utility\SUR\SurSvc.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: User Energy Server Service queencreek (USER_ESRV_SVC_QUEENCREEK) - Unknown owner - C:\Program Files\Intel\SUR\QUEENCREEK\esrv_svc.exe
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: VNC Server (vncserver) - RealVNC Ltd - C:\Program Files\RealVNC\VNC Server\vncserver.exe
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Defender\MpAsDesc.dll,-320 (WdNisSvc) - Unknown owner - C:\Program Files (x86)\Windows Defender\NisSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Defender\MpAsDesc.dll,-310 (WinDefend) - Unknown owner - C:\Program Files (x86)\Windows Defender\MsMpEng.exe (file missing)
O23 - Service: Windows Indexer - Unknown owner - C:\Windows\SearchIndexer.exe
O23 - Service: WindscribeService - Unknown owner - C:\Program Files (x86)\Windscribe\WindscribeService.exe
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
 
--
End of file - 8894 bytes


BC AdBot (Login to Remove)

 


#2 nasdaq

nasdaq

  • Malware Response Team
  • 39,926 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:35 AM

Posted 15 June 2017 - 08:55 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section in the bottom of the topic Click the "more reply Options" button.
attachlogs.png

Attach the file.
Select the "Choose a File" navigate to the location of the File.
Click the file you wish to Attach.
Click Attach this file.
Click the Add reply button.
===


Please post the logs.

Let me know what problems persists.

===

p.s.
HijackThis is no longer supported and not ready for your Operating system.
I suggest your remove via the Control panel > Programs > Programs and Features.
Use the Farbar tool from now on to report problems.
<<<>>>

#3 MrUgly

MrUgly
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  

Posted 15 June 2017 - 02:24 PM

Here you go!

Attached Files



#4 nasdaq

nasdaq

  • Malware Response Team
  • 39,926 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:35 AM

Posted 16 June 2017 - 08:07 AM

Hi,

Remove this program in bold via the Control Panel > Programs > Programs and Features.
Unity Web Player (HKU\S-1-5-21-2610410241-4258760236-833724361-1001\...\UnityWebPlayer) (Version: 5.3.6f1 - Unity Technologies ApS)
Unity Web Player (HKU\S-1-5-21-2610410241-4258760236-833724361-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\UnityWebPlayer) (Version: 5.3.6f1 - Unity Technologies ApS)
===

Press the windows key Windows_Logo_key.gif+ r on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and and click the OK key.

Please copy the entire contents of the code box below to a new file.


Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [] => [X]
HKU\S-1-5-18\...\Run: [] => [X]
IFEO\taskmgr.exe: [Debugger] "C:\USERS\PC\DESKTOP\PROCEXP64.EXE"
GroupPolicyScripts: Restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-2610410241-4258760236-833724361-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-2610410241-4258760236-833724361-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-2610410241-4258760236-833724361-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://pesonal-spage.com/sen/
FF DefaultSearchEngine: Mozilla\Firefox\Profiles\rhx6vjde.default -> Yahoo! Powered
FF SelectedSearchEngine: Mozilla\Firefox\Profiles\rhx6vjde.default -> Yahoo! Powered
FF Homepage: Mozilla\Firefox\Profiles\rhx6vjde.default -> user_pref("browser.startup.homepage","hxxp://pesonal-spage.com/sen/");
FF Plugin HKU\S-1-5-21-2610410241-4258760236-833724361-1001: @unity3d.com/UnityPlayer,version=1.0 -> C:\Users\PC\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll [2016-07-14] (Unity Technologies ApS)
FF Plugin HKU\S-1-5-21-2610410241-4258760236-833724361-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0: @unity3d.com/UnityPlayer,version=1.0 -> C:\Users\PC\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll [2016-07-14] (Unity Technologies ApS)
CHR HomePage: Default -> hxxp://%66%65%65%64.%73%6E%61%70%64%6F.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGIjVkxlyIP4NYe17aVLWvsniqknnm6GRBDpTCHM3xmTeV1GfUmch-dXANcXXDPVVu0g8yG-qLJojc8TdX2r9hVEBHt55xVLS803dL7hPtS6zi6YCeHGihHp1_16EPIQkRdpCXS46dDuyWL20CktaQQDacBF2G2flzYvCoUgD8egDS3rHR8V_zipaRJHT
CHR Extension: (Fake Followers) - C:\Users\PC\AppData\Local\Google\Chrome\User Data\Default\Extensions\eklhkfonoplfidhhblionobmfpphpgfa [2017-03-05]
CHR Extension: (EditThisCookie) - C:\Users\PC\AppData\Local\Google\Chrome\User Data\Default\Extensions\fngmhnnpilhplaeedifhccceomclgfbg [2017-02-11]
CHR Extension: (Chrome Web Store Payments) - C:\Users\PC\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-03-21]
CHR Extension: (Chrome Media Router) - C:\Users\PC\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-06-15]
S3 jswpsapi; C:\Program Files (x86)\Jumpstart\jswpsapi.exe [X]
U0 bkny; C:\Windows\System32\drivers\aokab.sys [79064 2017-06-14] (Malwarebytes Corporation)
S4 cpuz137; \??\C:\Users\PC\AppData\Local\Temp\cpuz137\cpuz137_x64.sys [X] <==== ATTENTION
S4 ipxdioxk; \??\C:\Windows\system32\drivers\ipxdioxk.sys [X]
S4 lpwjyrcj; \??\C:\Windows\system32\drivers\lpwjyrcj.sys [X]
S4 pozmhbmk; \??\C:\Windows\system32\drivers\pozmhbmk.sys [X]
S4 vjmggafd; \??\C:\Windows\system32\drivers\vjmggafd.sys [X]
S4 VMnetAdapter; \SystemRoot\system32\DRIVERS\vmnetadapter.sys [X]
S4 wmpzigdd; \??\C:\Windows\system32\drivers\wmpzigdd.sys [X]
CustomCLSID: HKU\S-1-5-21-2610410241-4258760236-833724361-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0_Classes\CLSID\{590C4387-5EBD-4D46-8A84-CD0BA2EF2856}\InprocServer32 -> C:\Users\PC\AppData\Local\Google\Update\1.3.30.3\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-2610410241-4258760236-833724361-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0_Classes\CLSID\{59B55F04-DE14-4BB8-92FF-C4A22EF2E5F4}\InprocServer32 -> C:\Users\PC\AppData\Local\Google\Update\1.3.31.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-2610410241-4258760236-833724361-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0_Classes\CLSID\{CB492AF1-2CEF-4E58-BE47-471C77D0C8BA}\InprocServer32 -> C:\Users\PC\AppData\Local\Google\Update\1.3.32.7\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-2610410241-4258760236-833724361-1001_Classes\CLSID\{590C4387-5EBD-4D46-8A84-CD0BA2EF2856}\InprocServer32 -> C:\Users\PC\AppData\Local\Google\Update\1.3.30.3\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-2610410241-4258760236-833724361-1001_Classes\CLSID\{59B55F04-DE14-4BB8-92FF-C4A22EF2E5F4}\InprocServer32 -> C:\Users\PC\AppData\Local\Google\Update\1.3.31.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-2610410241-4258760236-833724361-1001_Classes\CLSID\{CB492AF1-2CEF-4E58-BE47-471C77D0C8BA}\InprocServer32 -> C:\Users\PC\AppData\Local\Google\Update\1.3.32.7\psuser_64.dll => No File
Task: {08AB5408-6312-4216-9665-9ADE7FA1A932} - \OneDrive Standalone Update Task -> No File <==== ATTENTION
Task: {4038FB8C-5203-4228-9FAD-0AC043B70B8A} - \Microsoft OneDrive Auto Update Task-S-1-5-21-2610410241-4258760236-833724361-1001 -> No File <==== ATTENTION
Task: {5DC06455-8C4F-4095-80B5-A671449D294A} - System32\Tasks\AutoKMSCustom => C:\Windows\AutoKMS\AutoKMS.exe [2016-12-02] ()
Task: {67DE2A00-E5E8-4CFA-A7D6-BA5E3E816CBF} - \GoogleUpdateTaskMachineCore -> No File <==== ATTENTION
Task: {8263721A-0817-4CAE-81B1-B487498DCC50} - \{5530133C-5263-43FC-8128-2F6FB2C92AF2} -> No File <==== ATTENTION
Task: {A1B7ACBD-D5DF-4D5C-B065-4D6CC7020139} - \GoogleUpdateTaskMachineUA -> No File <==== ATTENTION
Task: {F3A1418A-E488-4ABC-8D23-CEF90507041B} - \StartRemoteKeyboardService -> No File <==== ATTENTION
Shortcut: C:\Users\PC\Desktop\Start ??r ?r?ws?r.lnk -> C:\Users\PC\AppData\Roaming\Browsers\exe.xoferif.bat (No File) <===== Cyrillic
Shortcut: C:\Users\PC\Desktop\Tor Browser\Start ??r ?rows?r.lnk -> C:\Users\PC\AppData\Roaming\Browsers\exe.xoferif.bat (No File) <===== Cyrillic
Shortcut: C:\Users\PC\Desktop\Priv\Start ??r ?r?ws?r.lnk -> C:\Users\PC\AppData\Roaming\Browsers\exe.xoferif.bat (No File) <===== Cyrillic
Shortcut: C:\Users\PC\Desktop\Priv\?ozill? Fir?fo?.lnk -> C:\Users\PC\AppData\Roaming\Browsers\exe.xoferif.bat (No File) <===== Cyrillic
Shortcut: C:\Users\PC\Desktop\Priv\Tor Browser\Start ?or ?rows?r.lnk -> C:\Users\PC\AppData\Roaming\Browsers\exe.xoferif.bat (No File) <===== Cyrillic
Shortcut: C:\Users\PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Googl? ?hrom?.lnk -> C:\Users\PC\AppData\Roaming\Browsers\exe.emorhc.bat (No File) <===== Cyrillic
Shortcut: C:\Users\PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Int?rn?t ???lor?r.lnk -> C:\Users\PC\AppData\Roaming\Browsers\exe.erolpxei.bat (No File) <===== Cyrillic
Shortcut: C:\Users\PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Start ?or ?rows?r.lnk -> C:\Users\PC\AppData\Roaming\Browsers\exe.xoferif.bat (No File) <===== Cyrillic
Shortcut: C:\Users\PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\?amp?rmonk?y.lnk -> C:\Users\PC\AppData\Roaming\Browsers\exe.emorhc.bat (No File) <===== Cyrillic
Shortcut: C:\Users\PC\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Googl? ?hr?m?.lnk -> C:\Users\PC\AppData\Roaming\Browsers\exe.emorhc.bat (No File) <===== Cyrillic
Shortcut: C:\Users\PC\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Laun?h Int?rn?t ??plor?r ?rows?r.lnk -> C:\Users\PC\AppData\Roaming\Browsers\exe.erolpxei.bat (No File) <===== Cyrillic
Shortcut: C:\Users\PC\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Googl? ?hrom?.lnk -> C:\Users\PC\AppData\Roaming\Browsers\exe.emorhc.bat (No File) <===== Cyrillic
Shortcut: C:\Users\PC\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Int?rn?t ???lor?r.lnk -> C:\Users\PC\AppData\Roaming\Browsers\exe.erolpxei.bat (No File) <===== Cyrillic
Shortcut: C:\Users\PC\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\e61f4bd9447e70e0\Go?gl? ?hr?m?.lnk -> C:\Users\PC\AppData\Roaming\Browsers\exe.emorhc.bat (No File) <===== Cyrillic
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\?ozilla Fir?fo?.lnk -> C:\Users\PC\AppData\Roaming\Browsers\exe.xoferif.bat (No File) <===== Cyrillic
Shortcut: C:\Users\Public\Desktop\Winds?rib?.lnk -> C:\Users\PC\AppData\Roaming\Browsers\exe.rehcnualebircsdniw.bat (No File) <===== Cyrillic
C:\Windows\System32\Tasks\AutoKMSCustom
C:\Windows\AutoKMS
C:\Windows\System32\drivers\aokab.sys

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Reset Chrome...
Open Google Chrome, click on menu icon google-chrome-setting-icon.png which is located right side top of the google chrome.
 
Click "Settings" then "Show advanced settings" at the bottom of the screen.
 
Click "Reset browser settings" button.
 
Restart Chrome.
===

Please let me know what problem persists with this computer.

#5 nasdaq

nasdaq

  • Malware Response Team
  • 39,926 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:35 AM

Posted 22 June 2017 - 07:03 AM

Are you still with me?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users