
ndistpr64.sys and tprdpw64.exe


10 replies to this topic

#1 Dragonhunter

Dragonhunter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:12:25 PM

Posted 24 July 2017 - 08:31 PM

Need help removing these, please.

 

 

Attached Files





#2 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,751 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:03:25 PM

Posted 24 July 2017 - 11:24 PM

Welcome :)

 

  • Please download Malwarebytes Anti-Rootkit and save the file to your Desktop.
  • Right-Click MBAR.exe and select Run as administrator to run the installer.
  • Select your Desktop as the location to extract the contents and click OK. The programme should open upon completion.
  • Click Next, followed by Update. Upon update completion, click Next.
  • Ensure Drivers, Sectors & System are checked and click Scan.
  • Note: Do not use your computer during the scan.
  • Upon completion:
    • If no infection is found, close the MBAR window.
    • If an infection is found, ensure Create Restore Point is checked and click Cleanup. Reboot when prompted.

  • Two logs (mbar-log.txt and system-log.txt) will be created. Copy the contents of both logs and paste in your next reply. Both logs can be found in the MBAR folder.

 


No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 Dragonhunter

Dragonhunter
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:12:25 PM

Posted 25 July 2017 - 12:35 AM

Thank you for coming to my aid. Here are the files requested.

 

Malwarebytes Anti-Rootkit BETA 1.9.4.1001
www.malwarebytes.org
 
Database version:
  main:    v2017.07.25.02
  rootkit: v2017.05.27.01
 
Windows 10 x64 NTFS
Internet Explorer 11.483.15063.0
Austin :: DESKTOP-HTM1PCN [administrator]
 
7/24/2017 9:48:19 PM
mbar-log-2017-07-24 (21-48-19).txt
 
Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled: 
Objects scanned: 334912
Time elapsed: 27 minute(s), 41 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 17
HKLM\SOFTWARE\Soci2Sear Browser Enhancer (Adware.Social2Search) -> Delete on reboot. [45312446abfe84b2ad19fbd639c8b44c]
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{693D15DF-055A-4EE5-BBC3-126336D76659} (Adware.DotDo.DotPrx) -> Delete on reboot. [c6b0e78370396dc91b12b036ec157f81]
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{BCD81503-CD9E-4BB5-92BC-295A232D03D3} (Adware.DotDo.DotPrx) -> Delete on reboot. [c0b64c1ed7d27bbb5c837c6c51b0f907]
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{CEA4C185-58EE-43DD-8A27-F95A28F952BC} (Adware.DotDo.DotPrx) -> Delete on reboot. [393de8822c7d6accf56f4a9eea1748b8]
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{E50455A9-E3AE-425F-B9AE-B64CB02A9492} (Adware.DotDo.DotPrx) -> Delete on reboot. [a6d01258f5b4053123a664814db4669a]
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{EDE2BA31-421E-4383-BCC2-88F4D4A1F62E} (Adware.Agent.Generic) -> Delete on reboot. [16604921aefb38fe8df30b77dd24e41c]
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\1806835 (Adware.DotDo.DotPrx) -> Delete on reboot. [c3b371f94663ed496063f70cc63c639d]
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\24653938 (Adware.DotDo.DotPrx) -> Delete on reboot. [85f15812b9f0122473157b6aa65b6997]
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\k45532835 (Adware.Agent.Generic) -> Delete on reboot. [ea8c4b1f0b9ed561cfedcf70d72a42be]
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\ts18068351806835 (Adware.DotDo.DotPrx) -> Delete on reboot. [aacc5812c8e1b18500c523c5669b4eb2]
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\ts2465393824653938 (Adware.DotDo.DotPrx) -> Delete on reboot. [76001456fbae0531ccd5bc2c659c738d]
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\tsk45532835k45532835 (Adware.DotDo.DotPrx) -> Delete on reboot. [cbab1e4cb3f638fe371a5195f40dcb35]
HKLM\SOFTWARE\WOW6432NODE\Soci2Sear Browser Enhancer (Adware.Social2Search) -> Delete on reboot. [0b6b6efc9910eb4becda25acd72a8d73]
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\drmkpro64 (Rootkit.Agent.PUA) -> Delete on reboot. [94e2bbafc0e9ab8b5e35e869ff0253ad]
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\DATAUP (Trojan.Clicker) -> Delete on reboot. [b8be26448821d2645946f02fb84957a9]
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\EVENTLOG\APPLICATION\Dataup (Trojan.Clicker) -> Delete on reboot. [adc92d3dbfeafa3cad2fe638e91854ac]
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\WINDOWSMANAGEMENTSERVICE (Trojan.Clicker) -> Delete on reboot. [2c4aa8c26d3cfe385e85eddf29d8e818]
 
Registry Values Detected: 9
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{693D15DF-055A-4EE5-BBC3-126336D76659}|Path (Adware.DotDo.DotPrx) -> Data: \ts18068351806835 -> Delete on reboot. [c6b0e78370396dc91b12b036ec157f81]
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{BCD81503-CD9E-4BB5-92BC-295A232D03D3}|Path (Adware.DotDo.DotPrx) -> Data: \24653938 -> Delete on reboot. [c0b64c1ed7d27bbb5c837c6c51b0f907]
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{CEA4C185-58EE-43DD-8A27-F95A28F952BC}|Path (Adware.DotDo.DotPrx) -> Data: \ts2465393824653938 -> Delete on reboot. [393de8822c7d6accf56f4a9eea1748b8]
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{E50455A9-E3AE-425F-B9AE-B64CB02A9492}|Path (Adware.DotDo.DotPrx) -> Data: \tsk45532835k45532835 -> Delete on reboot. [a6d01258f5b4053123a664814db4669a]
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{EDE2BA31-421E-4383-BCC2-88F4D4A1F62E}|Path (Adware.Agent.Generic) -> Data: \k45532835 -> Delete on reboot. [16604921aefb38fe8df30b77dd24e41c]
HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|cpx (Trojan.Clicker) -> Data: "C:\Users\Austin\AppData\Local\ntuserlitelist\cpx\cpx.exe" -starup -> Delete on reboot. [96e07dedb0f90e28e8146b6235cc13ed]
HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|svcvmx (Trojan.Clicker) -> Data: "C:\Users\Austin\AppData\Local\ntuserlitelist\svcvmx\svcvmx.exe" -starup -> Delete on reboot. [284ed7936940cf670e91eab8cf313dc3]
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\DATAUP|ImagePath (Trojan.Clicker) -> Data: C:\Users\Austin\AppData\Local\ntuserlitelist\dataup\dataup.exe -> Delete on reboot. [b8be26448821d2645946f02fb84957a9]
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\WINDOWSMANAGEMENTSERVICE|ImagePath (Trojan.Clicker) -> Data: C:\Users\Austin\AppData\Local\jwzsvpf\oybrgv\ct.exe -> Delete on reboot. [2c4aa8c26d3cfe385e85eddf29d8e818]
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 11
C:\WINDOWS\SYSTEM32\drivers\ndistpr64.sys (Rootkit.Agent.PUA) -> Delete on reboot. [a1184d89fddc3c481bce6ecc1384a192]
C:\Users\Austin\AppData\Local\Temp\1500791786\s5m_install_325.exe (Trojan.Clicker) -> Delete on reboot. [d4a2a7c34168d95d55c131a3936eae52]
C:\Users\Austin\AppData\Local\Temp\191639265\ic-0.3c893ea12ad8f.exe (Adware.Agent) -> Delete on reboot. [c2b4c1a92980a690a4106c87e21fed13]
C:\Users\Austin\AppData\Local\Temp\191639265\ic-0.98e603e138af1.exe (Adware.SquareNet) -> Delete on reboot. [472fa3c77a2fa6902c3c5a83e61bef11]
C:\Users\Austin\AppData\Local\Temp\191709218\ic-0.1576962a1f7e5.exe (Adware.SquareNet) -> Delete on reboot. [78fe3931cddc4de9a8c0f9e491707090]
C:\Windows\System32\Tasks\k45532835 (Adware.Agent.Generic) -> Delete on reboot. [096d82e85455cc6ab5f2d4623bc6a759]
C:\Windows\System32\Tasks\24653938 (Adware.DotDo.DotPrx) -> Delete on reboot. [73033238faaf181e8ed617cea061ae52]
C:\Windows\System32\Tasks\tsk45532835k45532835 (Adware.DotDo.DotPrx) -> Delete on reboot. [482e7af07336cf672b9d8d582ad751af]
C:\Windows\System32\Tasks\ts18068351806835 (Adware.DotDo.DotPrx) -> Delete on reboot. [2155f1794d5c92a479c776709c650cf4]
C:\Windows\System32\Tasks\ts2465393824653938 (Adware.DotDo.DotPrx) -> Delete on reboot. [8aecf07a496038fe44bc6394b948a15f]
C:\Windows\System32\Tasks\1806835 (Adware.DotDo.DotPrx) -> Delete on reboot. [1e58a7c30f9ace688be53bdfb54d0000]
 
Physical Sectors Detected: 0
(No malicious items detected)
 
(end)
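As an added example (not part of the thread, and not Malwarebytes code), a small Python parser for the mbar-log format posted above: it pulls each detection out of the report blocks and groups the autostart mechanisms the scan exposed (service ImagePath values, HKLM Run values, TaskCache entries, a kernel driver), flagging autostart binaries that execute from the user's AppData\Local folder. The block and entry layout is inferred from the log above, and the sample lines are copied from it.

```python
import re
from collections import defaultdict

# Sample lines copied from the mbar-log posted above, one per detection category.
SAMPLE_LOG = r"""Registry Keys Detected: 1
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\24653938 (Adware.DotDo.DotPrx) -> Delete on reboot. [85f15812b9f0122473157b6aa65b6997]
Registry Values Detected: 2
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\DATAUP|ImagePath (Trojan.Clicker) -> Data: C:\Users\Austin\AppData\Local\ntuserlitelist\dataup\dataup.exe -> Delete on reboot. [b8be26448821d2645946f02fb84957a9]
HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|cpx (Trojan.Clicker) -> Data: "C:\Users\Austin\AppData\Local\ntuserlitelist\cpx\cpx.exe" -starup -> Delete on reboot. [96e07dedb0f90e28e8146b6235cc13ed]
Files Detected: 1
C:\WINDOWS\SYSTEM32\drivers\ndistpr64.sys (Rootkit.Agent.PUA) -> Delete on reboot. [a1184d89fddc3c481bce6ecc1384a192]
"""

# "<Section> Detected: <n>" opens a block; each entry below it reads "<object> (<threat>) -> [Data: <v> -> ]<action>. [<md5>]".
HEADER_RE = re.compile(r"^(?P<section>[A-Za-z ]+) Detected: (?P<count>\d+)$")
ENTRY_RE = re.compile(r"^(?P<obj>.+?) \((?P<threat>[^()]+)\) -> "
                      r"(?:Data: (?P<data>.+?) -> )?(?P<action>[^.]+)\. \[(?P<md5>[0-9a-f]{32})\]$")
# Drive-letter path ending in .exe, quoted or not; trailing arguments such as -starup are dropped.
EXE_RE = re.compile(r'^"?(?P<path>[A-Za-z]:\\[^"]+?\.exe)"?(?:\s|$)', re.I)

def parse_mbar_log(text):
    """Return one dict per detection, tagged with the report section it came from."""
    records, section = [], None
    for line in text.splitlines():
        if (h := HEADER_RE.match(line.strip())):
            section = h["section"]
        elif section and (m := ENTRY_RE.match(line.strip())):
            records.append({"section": section, **m.groupdict()})
    return records

def binary_path(data):
    """Executable referenced by an ImagePath or Run value; None for key/file entries."""
    return (m := EXE_RE.match(data or "")) and m["path"]

def persistence_summary(records):
    """Group detections by autostart mechanism; flag binaries under AppData\\Local, where services and machine-wide Run entries rarely live."""
    out = defaultdict(set)
    for r in records:
        obj, target = r["obj"].upper(), binary_path(r["data"])
        if obj.startswith("HKLM\\SYSTEM\\CURRENTCONTROLSET\\SERVICES\\") and obj.endswith("|IMAGEPATH"):
            out["service_binaries"].add(target)
        elif "\\CURRENTVERSION\\RUN|" in obj:
            out["run_key_binaries"].add(target)
        elif "\\SCHEDULE\\TASKCACHE\\TREE\\" in obj or obj.startswith("C:\\WINDOWS\\SYSTEM32\\TASKS\\"):
            out["scheduled_tasks"].add(r["obj"].rsplit("\\", 1)[-1])
        elif "\\DRIVERS\\" in obj and obj.endswith(".SYS"):
            out["kernel_drivers"].add(r["obj"])
        if target and "\\APPDATA\\LOCAL\\" in target.upper():
            out["user_profile_binaries"].add(target)
    return {k: sorted(v) for k, v in out.items()}
```

Run against the full mbar-log, the summary lists the same service, Run-key and task names that the FRST fix script in the next reply removes.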


#4 Dragonhunter

Dragonhunter
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:12:25 PM

Posted 25 July 2017 - 12:38 AM

System log is longer so I attached it instead.

Attached Files



#5 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,751 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:03:25 PM

Posted 25 July 2017 - 11:53 AM

  • Highlight the entire content of the quote box below.

Start::  
S2 Dataup; C:\Users\Austin\AppData\Local\ntuserlitelist\dataup\dataup.exe [X] <==== ATTENTION
S2 windowsmanagementservice; C:\Users\Austin\AppData\Local\jwzsvpf\oybrgv\ct.exe [X] <==== ATTENTION
HKLM-x32\...\Run: [cpx] => "C:\Users\Austin\AppData\Local\ntuserlitelist\cpx\cpx.exe" -starup <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
GroupPolicy: Restriction <==== ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
FF ProfilePath: C:\Users\Austin\AppData\Roaming\Mozilla\Firefox\Profiles\eoddUgoP.default [not found] <==== ATTENTION
C:\Windows\system32\drivers\drmkpro64
C:\Users\Austin\AppData\Local\ntuserlitelist
C:\Users\Austin\AppData\Local\jwzsvpf
S2 Dataup; C:\Users\Austin\AppData\Local\ntuserlitelist\dataup\dataup.exe [X] <==== ATTENTION
S2 windowsmanagementservice; C:\Users\Austin\AppData\Local\jwzsvpf\oybrgv\ct.exe [X] <==== ATTENTION
Task: {BCD81503-CD9E-4BB5-92BC-295A232D03D3} - System32\Tasks\24653938 => C:\Program Files (x86)\Toni\stressors.exe <==== ATTENTION
Task: {E9A92A26-22EF-4897-B01D-980321885154} - System32\Tasks\1806835 => C:\Users\Austin\AppData\Local\stressors.exe <==== ATTENTION
ContextMenuHandlers01: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} =>  -> No File
ContextMenuHandlers05: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File
ContextMenuHandlers05: [igfxDTCM] -> {9B5F5829-A529-4B12-814A-E81BCB8D93FC} =>  -> No File
ContextMenuHandlers06: [WinRAR32] -> {B41DB860-8EE4-11D2-9906-E49FADC173CA} =>  -> No File
2017-07-19 21:47 - 2017-07-19 21:47 - 00000000 _____ C:\Users\Austin\Downloads\Gw2.tmp
HOSTS:
Removeproxy:
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset C:\resettcpip.txt
CMD: FOR /F "usebackq delims==" %i IN (`wevtutil el`) DO wevtutil cl "%i"
CMD: Bitsadmin /Reset /Allusers
EMPTYTEMP:
Reboot:
End::

  • Right click on the highlighted text and select Copy.
  • Start FRST (FRST64) with Administrator privileges.
  • Press the Fix button.
  • When finished, a log file (Fixlog.txt) will pop up and be saved in the same location the tool was run from.
Please copy and paste its contents in your next reply.

Please download Junkware Removal Tool to your Desktop.
  • Please close your security software to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or 7, right-mouse click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete, depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your Desktop and will automatically open.
  • Please post the contents of JRT.txt into your reply.
Download AdwCleaner from here. Save the file to the desktop.

NOTE: If you are using IE 8 or above you may get a warning that stops the program from downloading. Just click on the warning and allow the download to complete.

Close all open windows and browsers.
  • XP users: Double click the AdwCleaner icon to start the program.
  • Vista/7/8/10 users: Right click the AdwCleaner icon on the desktop, click Run as administrator and accept the UAC prompt to run AdwCleaner.
    You will see the AdwCleaner console.
  • Click the Scan button and wait for the scan to finish.
  • After the Scan has finished the window may or may not show what it found and above, in the progress bar, you will see: Pending. Please uncheck elements you don't want to remove.
  • Click the Clean button.
  • Everything checked will be moved to Quarantine.
  • When the program has finished cleaning, a report appears. Once done it will ask to reboot; allow this.
  • On reboot a log will be produced please copy / paste that in your next reply. This report is also saved to C:\AdwCleaner\AdwCleaner[C0].txt

Edited by JSntgRvr, 25 July 2017 - 12:01 PM.



#6 Dragonhunter


Posted 25 July 2017 - 01:25 PM

Here you go

Attached Files



#7 JSntgRvr


Posted 25 July 2017 - 05:38 PM

How is the computer doing?



#8 Dragonhunter


Posted 25 July 2017 - 05:50 PM

Better, the files are now gone and it is a bit faster.



#9 JSntgRvr


Posted 26 July 2017 - 09:53 AM

Congratulations.

Let's remove the quarantined items.

Please download DelFix by Xplode and save to your Desktop.
  • Double-click on delfix.exe to run the tool.
    Vista/Windows 7/8/10 users right-click and select Run As Administrator.
  • Put a check mark next to these items:
    - Remove disinfection tools
    - Create registry backup
  • Click the "Run" button.
  • When the tool has finished, it will create and open a log report (DelFix.txt)
Always keep an antivirus active and updated.

Best regards. :)



#10 Dragonhunter


Posted 26 July 2017 - 12:49 PM

Will do, thank you very much :)



#11 JSntgRvr


Posted 26 July 2017 - 01:58 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.





