
help with farbar recovery scan

2 replies to this topic

#1 zooz0


  • Members
  • 1 posts

Posted 24 June 2017 - 05:09 PM

Hi everyone... my problem is that all the time my browser is hijacked to sites, e.g. wonerlandads or igetsend.ru and many more... I installed all the antivirus and anti-spyware software, but the problem still exists...

I installed Farbar Recovery Scan Tool (FRST64), and need help with the fixlist.txt...




#2 nasdaq


  • Malware Response Team
  • 40,238 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 25 June 2017 - 09:03 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.

Please copy the entire contents of the code box below to a new file.



HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <======= ATTENTION
GroupPolicy\User: Restriction <======= ATTENTION
SearchScopes: HKLM -> DefaultScope value is missing
SearchScopes: HKLM-x32 -> DefaultScope value is missing
CHR Extension: (Chrome Web Store Payments) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-03-09]
CHR Extension: (Chrome Media Router) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-06-23]
OPR Extension: (Tampermonkey) - C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Extensions\dhdgffkkebhmkfjojejmpbldmpobfkfo [2017-06-23]
S2 MEmusvc; C:\Program Files\Microvirt\MEmu\MemuService.exe [X]
S2 RtkAudioService; "C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe" [X]
S3 EsgScanner; system32\DRIVERS\EsgScanner.sys [X]
S3 IntcAzAudAddService; system32\drivers\RTKVHD64.sys [X]
S2 memudrv; \??\C:\Program Files\Microvirt\MEmuHyperv\MEmuDrv.sys [X]
U0 Partizan; system32\drivers\Partizan.sys [X]
S3 vmci; \SystemRoot\system32\DRIVERS\vmci.sys [X]
S3 VMnetAdapter; system32\DRIVERS\vmnetadapter.sys [X]
Task: {3CFE4E41-3044-47AE-B725-04A408FE760D} - \{3AA36DEB-08C9-490D-818E-06CD9032DDCF} -> No File <==== ATTENTION
Task: {526AB26C-B1AF-4200-9017-F9DBCC74F1FA} - System32\Tasks\newsfyournetgxcsm => Firefox.exe newsfyour.net/gxcsm <==== ATTENTION
Task: {E9A243F9-06AF-49CB-947B-4CD9000C057F} - System32\Tasks\{6FF11672-5C8B-4F5F-B1CE-7FC9DCAAD5DA} => pcalua.exe -a C:\Users\user\AppData\Local\Temp\jre-8u111-windows-au.exe -d "C:\Program Files\Java\jre1.8.0_45\bin" -c /installmethod=jau-m FAMILYUPGRADE=1 <==== ATTENTION
AlternateDataStreams: C:\ProgramData\TEMP:5C321E34 [127]
AlternateDataStreams: C:\ProgramData\TEMP:DFC5A2B2 [105]

Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.

Reset the browsers that you use and have been compromised.

How To:


Please download Security Analysis by Rocket Grannie from here
  • Save it to your Desktop.
  • Close your security software to avoid potential conflicts.
  • Double click RGSA.exe
  • Click OK on the copyright-disclaimer
  • When finished, a Notepad window will open with the results of the scan.
  • The log named SALog.txt can also be found on the Desktop or in the same folder from where the tool is run if installed elsewhere.
  • For your security I suggest you update all the old programs.
Note: If you get a Warning from Windows about running the program, click on More info and then click Run Anyway to run it even though Windows says it might put your PC at risk.
Note: The link to the most current version of the program will always be in the first post of this topic.
Note: Windows 10 may pop up a warning message.
Note: The current java version on XP will show as "out of date".
Note: Flash Player is pre-installed in Google Chrome and updates automatically!
Note: Flash Player is pre-installed in IE/Edge and updates automatically!

Please let me know what problem persists with this computer.
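As an added example (not code from nasdaq's post, BleepingComputer or the FRST tool): a small Python classifier for FRST log lines in the format quoted in the reply above, so a reader can see why each line was pulled into the fixlist. The sample input is constructed from the lines in this thread; the category names, and the reading of "[X]" as a service or driver whose image file is not found, are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample, modelled on the FRST fixlist lines quoted in the reply above.
SAMPLE_FIXLIST = r"""HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <======= ATTENTION
SearchScopes: HKLM -> DefaultScope value is missing
S2 MEmusvc; C:\Program Files\Microvirt\MEmu\MemuService.exe [X]
U0 Partizan; system32\drivers\Partizan.sys [X]
Task: {526AB26C-B1AF-4200-9017-F9DBCC74F1FA} - System32\Tasks\newsfyournetgxcsm => Firefox.exe newsfyour.net/gxcsm <==== ATTENTION
Task: {3CFE4E41-3044-47AE-B725-04A408FE760D} - \{3AA36DEB-08C9-490D-818E-06CD9032DDCF} -> No File <==== ATTENTION
AlternateDataStreams: C:\ProgramData\TEMP:5C321E34 [127]
"""

@dataclass
class Finding:
    kind: str      # category assigned by this example (assumed names, not FRST's)
    detail: str    # the part of the line a human should look at
    flagged: bool  # True if FRST itself marked the line with ATTENTION

ATTN = r"(?: <=+ ATTENTION)?$"
TASK_RE = re.compile(r"^Task: \{[0-9A-F-]+\} - (?P<path>.+?) (?:=>|->) (?P<cmd>.+?)" + ATTN, re.I)
SERVICE_RE = re.compile(r"^(?P<start>[SURT]\d) (?P<name>[^;]+); (?P<image>.+?) \[X\]$")
ADS_RE = re.compile(r"^AlternateDataStreams: (?P<stream>.+?) \[(?P<size>\d+)\]$")
SCOPE_RE = re.compile(r"^SearchScopes: (?P<hive>\S+) -> DefaultScope value is missing$")
POLICY_RE = re.compile(r"^(?P<key>.+?): Restriction" + ATTN)
BROWSER_RE = re.compile(r"\b(firefox|chrome|iexplore|opera|launcher)\.exe\b", re.I)

def classify(line: str) -> Optional[Finding]:
    """Map one FRST line to a Finding; None for line types this example does not model."""
    line = line.rstrip()
    flagged = "ATTENTION" in line
    if m := TASK_RE.match(line):
        if m["cmd"] == "No File":
            kind = "task_orphaned"            # task whose action file is gone
        elif BROWSER_RE.search(m["cmd"]):
            kind = "task_opens_browser_url"   # scheduled task driving a browser to a site
        else:
            kind = "task"
        return Finding(kind, f'{m["path"]} -> {m["cmd"]}', flagged)
    if m := SERVICE_RE.match(line):   # [X]: image file for the service/driver not found (assumed)
        return Finding("service_missing_image", f'{m["name"]} ({m["start"]}): {m["image"]}', flagged)
    if m := ADS_RE.match(line):
        return Finding("alternate_data_stream", f'{m["stream"]} ({m["size"]} bytes)', flagged)
    if m := SCOPE_RE.match(line):
        return Finding("searchscope_default_missing", m["hive"], flagged)
    if m := POLICY_RE.match(line):
        return Finding("policy_restriction", m["key"], flagged)
    return None

def triage(text: str) -> List[Finding]:
    return [f for f in (classify(l) for l in text.splitlines()) if f]

def counts(text: str) -> Dict[str, int]:
    out: Dict[str, int] = {}
    for f in triage(text):
        out[f.kind] = out.get(f.kind, 0) + 1
    return out
```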

#3 nasdaq


  • Malware Response Team
  • 40,238 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 01 July 2017 - 06:52 AM

Are you still with me?
