
My PC won't accept my psw after an adware? attack


  • This topic is locked
149 replies to this topic

#16 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,769 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:05:07 AM

Posted 14 August 2017 - 09:00 AM

Greetings,

I would really like to make some consistent progress on this if it is at all possible. Please let me know what I can do to assist you if you are having difficulties.
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#17 ecar65

ecar65
  • Topic Starter

  • Members
  • 78 posts
  • OFFLINE
  •  
  • Local time:01:07 PM

Posted 14 August 2017 - 11:22 AM

Hi Gary,

I just tried my new SanDisk Ultra USB 3.0 Flash drive with the same result as previously. That is, the automatic file name when using the 64-bit download "save as" was download.htm, 54 KB; filetype Chrome HTML document.

I know you said, go ahead and try it anyway, but I cannot see how an HTML document is going to execute. Do you?

Question: Have you tried to download the 64-bit version of Farbar's Recovery Tool to a USB drive? It should be easy enough to verify if it is only me or if perhaps the problem lies with Farbar. In the latter case, do you have any possibility to contact Farbar and see if they can rewrite their code so it works for a "save as" version also?

Thanks and hope you have some good answers.

ecar65



#18 Oh My!


Posted 14 August 2017 - 11:36 AM

The download to USB works fine.

 

Make sure the Save as type: looks the same as below. If not, click the arrow and select that type.

 

 

(screenshot: frst.jpg)


Gary
 

#19 ecar65


Posted 14 August 2017 - 12:28 PM

Thank you Gary,

I now have an FRST64.exe file on my USB. I transferred the USB to my infected PC and began to follow your steps. I came as far as

X:\windows\system32>

I typed in Notepad and got a Notepad window entitled No name, but it is empty and nowhere is there any sign of My PC.

X:\windows\system32>

Where did I go wrong?

ecar65



#20 ecar65


Posted 14 August 2017 - 12:32 PM

PS Gary

In my top left corner I have a very minuscule rectangle in which I believe I can see c:\-

Is this any help?

ecar65



#21 Oh My!


Posted 14 August 2017 - 12:34 PM

Sorry, it was my error in the instructions. With the Notepad window open click File, then Open... and you should see My PC or something similar.

Edited by Oh My!, 14 August 2017 - 12:34 PM.

Gary
 

#22 ecar65


Posted 14 August 2017 - 12:57 PM

Gary,

I have made the scan and a FRST text file has been created. Will attempt to include a copy of the file:

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 12-08-2017
Ran by SYSTEM on MININT-KL0VSMN (14-08-2017 19:47:59)
Running from F:\
Platform: Windows 10 Home Version 1607 (X64) Language: Svenska (Sverige)
Internet Explorer Version 11
Boot Mode: Recovery
Default: ControlSet001
ATTENTION!:=====> If the system is bootable FRST must be run from normal or Safe mode to create a complete log.
 
 
==================== Registry (Whitelisted) ====================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [cAudioFilterAgent] => C:\Program Files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe [920280 2015-04-17] (Conexant Systems, Inc.)
HKLM\...\Run: [SmartAudio] => C:\Program Files\CONEXANT\SAII\SACpl.exe [1830616 2014-04-10] (Conexant Systems, Inc.)
HKLM\...\Run: [NvBackend] => C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe [2464072 2014-11-06] (NVIDIA Corporation)
HKLM\...\Run: [ShadowPlay] => C:\Windows\system32\rundll32.exe C:\Windows\system32\nvspcap64.dll,ShadowPlayOnSystemStart
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [170256 2015-12-17] (Apple Inc.)
HKLM-x32\...\Run: [ROGNB] => C:\Program Files (x86)\ASUS Gaming Mouse\hid.exe [463872 2013-05-15] ()
HKLM-x32\...\Run: [CLMLServer_For_P2G8] => C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe [111576 2013-08-05] (CyberLink)
HKLM-x32\...\Run: [CLVirtualDrive] => C:\Program Files (x86)\CyberLink\Power2Go8\VirtualDrive.exe [492808 2014-05-06] (CyberLink Corp.)
HKLM-x32\...\Run: [ControlCenter4] => C:\Program Files (x86)\ControlCenter4\BrCcBoot.exe [139776 2013-12-05] (Brother Industries, Ltd.)
HKLM-x32\...\Run: [BrStsMon00] => C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe [4513792 2014-05-22] (Brother Industries, Ltd.)
Lsa: [Notification Packages] scecli C:\Program Files\TrueKey\McAfeeTrueKeyPasswordFilter
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S4 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [77104 2015-10-07] (Apple Inc.)
S4 AsusGameFirstService; C:\Program Files (x86)\ASUS\ROG Game First III\AsusGameFirstService.exe [347960 2014-10-27] (ASUSTeK)
S4 DevMgmtService; C:\Program Files\Bitdefender\Bitdefender Device Management\DevMgmtService.exe [100448 2016-12-19] (Bitdefender)
S4 DriverMFTService; C:\Program Files (x86)\Asus\ASUS Video DSP\DriverMFTService.exe [9728 2014-10-29] (ASUSTek Computer Inc.)
S4 f967ccb6036424a873524778164e2038; c:\program files\8ea006585fea3c7287aa2fa5f959128d\25388980c7758ebf541c5d042ce44c73.exe [21479424 2016-09-15] ()
S4 GamesAppIntegrationService; C:\Program Files (x86)\WildTangent Games\App\GamesAppIntegrationService.exe [349728 2015-12-23] (WildTangent)
S4 GfExperienceService; C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe [1148744 2014-11-06] (NVIDIA Corporation)
S4 igfxCUIService2.0.0.0; C:\Windows\system32\igfxCUIService.exe [373728 2016-11-30] (Intel Corporation)
S4 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe [887256 2014-05-13] (Intel® Corporation)
S4 jhi_service; C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\jhi_service.exe [154584 2014-09-03] (Intel Corporation)
S4 NvNetworkService; C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [1795912 2014-11-06] (NVIDIA Corporation)
S4 NvStreamSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe [19819848 2014-11-06] (NVIDIA Corporation)
S4 ProductAgentService; C:\Program Files\Bitdefender Agent\ProductAgentService.exe [1230824 2017-02-22] (Bitdefender)
S4 TrueKey; C:\Program Files\TrueKey\McAfee.TrueKey.Service.exe [996736 2017-04-18] (McAfee, Inc.)
S4 TrueKeyScheduler; C:\Program Files\TrueKey\McTkSchedulerService.exe [16160 2017-04-18] (McAfee, Inc.)
S4 TrueKeyServiceHelper; C:\Program Files\TrueKey\McAfee.TrueKey.ServiceHelper.exe [86776 2017-04-18] (McAfee, Inc.)
S2 UPDATESRV; C:\Program Files\Bitdefender\Bitdefender 2017\updatesrv.exe [218416 2017-04-26] (Bitdefender)
S2 VSSERV; C:\Program Files\Bitdefender\Bitdefender 2017\vsserv.exe [1424224 2017-05-10] (Bitdefender)
S2 vsservp; C:\Program Files\Bitdefender\Bitdefender 2017\vsservp.exe [524872 2016-08-25] (Bitdefender)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [347320 2017-04-28] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [103712 2017-04-28] (Microsoft Corporation)
S4 ibtsiva; %SystemRoot%\system32\ibtsiva [X]
S2 InstallerService; C:\Program Files\TrueKey\Mcafee.TrueKey.InstallerService.exe -originalversion 4.4.127.0 [X]
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 ATP; C:\Windows\System32\drivers\AsusTP.sys [101368 2015-12-14] (ASUS Corporation)
S0 avc3; C:\Windows\System32\DRIVERS\avc3.sys [1605376 2016-09-20] (BitDefender)
S3 avckf; C:\Windows\System32\DRIVERS\avckf.sys [878072 2016-09-20] (BitDefender)
S0 bdelam; C:\Windows\System32\drivers\bdelam.sys [23672 2016-03-14] (Bitdefender)
S1 bdfwfpf; C:\Program Files\Common Files\Bitdefender\Bitdefender Firewall\bdfwfpf.sys [128400 2016-06-24] (BitDefender LLC)
S1 BDVEDISK; C:\Windows\system32\DRIVERS\bdvedisk.sys [87912 2015-12-04] (BitDefender)
S1 CLVirtualDrive; C:\Windows\system32\DRIVERS\CLVirtualDrive.sys [91912 2013-11-12] (CyberLink)
S0 gzflt; C:\Windows\System32\DRIVERS\gzflt.sys [182944 2016-10-29] (BitDefender LLC)
S3 ibtusb; C:\Windows\system32\DRIVERS\ibtusb.sys [250624 2016-10-14] (Intel Corporation)
S0 ignis; C:\Windows\system32\DRIVERS\ignis.sys [305120 2017-03-23] (Bitdefender)
S0 IntelHSWPcc; C:\Windows\System32\drivers\IntelPcc.sys [79528 2014-10-16] (Intel Corporation)
S3 kbfiltr; C:\Windows\System32\drivers\kbfiltr.sys [17280 2012-08-06] ( )
S3 MEIx64; C:\Windows\system32\DRIVERS\TeeDriverx64.sys [126976 2014-09-03] (Intel Corporation)
S0 mfeelamk; C:\Windows\System32\drivers\mfeelamk.sys [83096 2015-11-25] (McAfee, Inc.)
S3 NetAdapterCx; C:\Windows\System32\drivers\NetAdapterCx.sys [90624 2016-07-16] ()
S3 Netwtw04; C:\Windows\System32\drivers\Netwtw04.sys [7918840 2016-12-19] (Intel Corporation)
S1 NFC_Driver; C:\Windows\System32\drivers\NFC_Driver.sys [48336 2014-03-27] (Titan ARC Corp.)
S3 nvlddmkm; C:\Windows\System32\DriverStore\FileRepository\nvamwu.inf_amd64_d4715679184092a8\nvlddmkm.sys [13754936 2016-09-12] (NVIDIA Corporation)
S3 NvStreamKms; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [19784 2014-11-06] (NVIDIA Corporation)
S3 nvvad_WaveExtensible; C:\Windows\system32\drivers\nvvad64v.sys [38216 2014-10-03] (NVIDIA Corporation)
S3 RTSPER; C:\Windows\system32\DRIVERS\RtsPer.sys [751632 2015-05-14] (Realsil Semiconductor Corporation)
S3 sshid; C:\Windows\System32\drivers\sshid.sys [51400 2015-10-27] (SteelSeries ApS)
S0 trufos; C:\Windows\System32\DRIVERS\trufos.sys [520032 2016-06-22] (BitDefender S.R.L.)
S3 WdBoot; C:\Windows\system32\drivers\WdBoot.sys [44056 2016-07-16] (Microsoft Corporation)
S3 WdFilter; C:\Windows\system32\drivers\WdFilter.sys [290144 2016-07-16] (Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [123232 2016-07-16] (Microsoft Corporation)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-08-14 19:45 - 2017-08-14 19:45 - 000000000 ____D C:\FRST
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2017-08-14 18:08 - 2016-10-20 18:14 - 000000006 ____H C:\Windows\Tasks\SA.DAT
2017-08-01 10:44 - 2016-07-16 07:04 - 000065536 _____ C:\Windows\System32\config\ELAM
 
Files to move or delete:
====================
C:\ProgramData\SetWallpaperPlus.exe
 
 
==================== Known DLLs (Whitelisted) =========================
 
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\System32\winlogon.exe
[2017-05-10 16:59] - [2017-04-28 00:39] - 000673792 _____ (Microsoft Corporation) B2151FE002A8D3F41E2DF935F260E3A8
 
C:\Windows\System32\wininit.exe
[2016-07-16 12:42] - [2016-07-16 12:42] - 000304240 _____ (Microsoft Corporation) 99A19C9A74E2F9820E501DCE77F84F70
 
C:\Windows\explorer.exe
[2017-05-10 16:59] - [2017-04-28 01:34] - 004674360 _____ (Microsoft Corporation) 679D17F8CDB938C7100D7A647953677E
 
C:\Windows\SysWOW64\explorer.exe
[2017-05-10 17:00] - [2017-04-28 01:39] - 004312248 _____ (Microsoft Corporation) 6E46F7CBC16009E381015C69F4FA22B1
 
C:\Windows\System32\svchost.exe
[2016-07-16 12:42] - [2016-07-16 12:42] - 000044496 _____ (Microsoft Corporation) 36F670D89040709013F6A460176767EC
 
C:\Windows\SysWOW64\svchost.exe
[2016-07-16 12:42] - [2016-07-16 12:42] - 000038792 _____ (Microsoft Corporation) 1F8434DD4907C832E6E90D6298EAB85B
 
C:\Windows\System32\services.exe
[2017-05-10 17:00] - [2017-04-28 01:28] - 000453536 _____ (Microsoft Corporation) 9A3B47CD17283B299311013AD3D21D26
 
C:\Windows\System32\User32.dll
[2016-12-13 21:01] - [2016-12-09 11:10] - 001461200 _____ (Microsoft Corporation) C46EA86BF0E7C96235E9064CBAD6ED26
 
C:\Windows\SysWOW64\User32.dll
[2016-12-13 21:02] - [2016-12-09 10:52] - 001435896 _____ (Microsoft Corporation) 4BEC594A3D4AEAFAC400D88F7E328C7B
 
C:\Windows\System32\userinit.exe
[2016-07-16 12:42] - [2016-07-16 12:42] - 000033280 _____ (Microsoft Corporation) C1B1FFC800BE2F31EB2CF8CB40629C69
 
C:\Windows\SysWOW64\userinit.exe
[2016-07-16 12:42] - [2016-07-16 12:42] - 000027648 _____ (Microsoft Corporation) FA900E6CCCF0A429D5B720C6F0E2274B
 
C:\Windows\System32\rpcss.dll
[2017-05-10 16:59] - [2017-04-28 00:41] - 000890368 _____ (Microsoft Corporation) 4A7015195E49A3BA7DB967B277B21E9D
 
C:\Windows\System32\dnsapi.dll
[2017-03-23 10:45] - [2017-03-04 08:24] - 000646688 _____ (Microsoft Corporation) 2813C62F5BE7FAF0A1C5CC37E5C2F25D
 
C:\Windows\SysWOW64\dnsapi.dll
[2017-03-23 10:46] - [2017-03-04 08:09] - 000497416 _____ (Microsoft Corporation) AA86DC342B4ED1C1F839C3BC8AEA64B1
 
C:\Windows\System32\Drivers\volsnap.sys
[2016-07-16 12:42] - [2016-07-16 12:42] - 000391520 _____ (Microsoft Corporation) BF2546583BB75F01DDA60A7921DFB230
 
 
==================== Association (Whitelisted) =============
 
 
==================== Restore Points  =========================
 
 
==================== Memory info =========================== 
 
Percentage of memory in use: 11%
Total physical RAM: 8080.99 MB
Available physical RAM: 7122.15 MB
Total Virtual: 8080.99 MB
Available Virtual: 7178.32 MB
 
==================== Drives ================================
 
Drive c: (OS) (Fixed) (Total:118.56 GB) (Free:79.98 GB) NTFS ==>[system with boot components (obtained from drive)]
Drive d: (Data2) (Fixed) (Total:465.76 GB) (Free:465.23 GB) NTFS
Drive f: () (Removable) (Total:14.52 GB) (Free:14.5 GB) FAT32
Drive h: () (Fixed) (Total:0.46 GB) (Free:0.08 GB) NTFS
Drive x: (Boot) (Fixed) (Total:0.5 GB) (Free:0.49 GB) NTFS
Drive y: (Data1) (Fixed) (Total:465.75 GB) (Free:465.28 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (Size: 931.5 GB) (Disk ID: 4D7D489E)
 
Partition: GPT.
 
========================================================
Disk: 1 (Size: 119.2 GB) (Disk ID: A347BA2F)
 
Partition: GPT.
 
========================================================
Disk: 2 (Size: 14.5 GB) (Disk ID: 00000000)
 
Partition: GPT.
 
LastRegBack: 2017-04-27 14:46
 
==================== End of FRST.txt ============================
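The FRST.txt above lists autostart entries and services in a fixed one-line format, and the entry Gary goes on to put in the fixlist is the one whose service name, install folder and file name are all 32-character hex strings with no publisher. The following Python is an added example, not part of FRST or of this thread: it parses the Run and Services lines and scores each entry on exactly those signals plus FRST's own [X] marker for a file that is no longer on disk. The sample lines are copied from the log above (with a benign control from each section); the regexes, the scoring rules and the Finding type are my own.

```python
"""Triage FRST.txt 'Run' and 'Services' lines for the signals worth a second look.

Added example for this thread; it is not part of FRST and the scoring rules are my own.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: lines copied from the FRST.txt posted above (one benign control per section).
SAMPLE_LOG = r"""
HKLM\...\Run: [cAudioFilterAgent] => C:\Program Files\Conexant\cAudioFilterAgent\cAudioFilterAgent64.exe [920280 2015-04-17] (Conexant Systems, Inc.)
HKLM-x32\...\Run: [ROGNB] => C:\Program Files (x86)\ASUS Gaming Mouse\hid.exe [463872 2013-05-15] ()
S4 f967ccb6036424a873524778164e2038; c:\program files\8ea006585fea3c7287aa2fa5f959128d\25388980c7758ebf541c5d042ce44c73.exe [21479424 2016-09-15] ()
S4 DevMgmtService; C:\Program Files\Bitdefender\Bitdefender Device Management\DevMgmtService.exe [100448 2016-12-19] (Bitdefender)
S4 ibtsiva; %SystemRoot%\system32\ibtsiva [X]
S2 InstallerService; C:\Program Files\TrueKey\Mcafee.TrueKey.InstallerService.exe -originalversion 4.4.127.0 [X]
"""

# HKLM\...\Run: [name] => path [size date] (publisher)
RUN_RE = re.compile(
    r"^(?P<hive>HK[^\\]+)\\\.\.\.\\Run: \[(?P<name>[^\]]+)\] => (?P<path>.+?) "
    r"\[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<publisher>[^)]*)\)\s*$"
)
# S4 name; path [size date] (publisher)   or   S4 name; path [X]   (FRST: file not found)
SVC_RE = re.compile(
    r"^(?P<state>[SR]\d) (?P<name>[^;]+); (?P<path>.+?)"
    r"(?: \[(?P<size>\d+) (?P<date>\S+)\] \((?P<publisher>[^)]*)\)| \[(?P<missing>X)\])\s*$"
)
HEX32 = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)


@dataclass
class Finding:
    kind: str            # "run" or "service"
    name: str            # registry value name or service name
    path: str
    reasons: List[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.reasons)


def hex_named_components(path: str) -> List[str]:
    """Path components (extension stripped) that are bare 32-character hex strings."""
    hits = []
    for comp in path.split("\\"):
        stem = re.sub(r"\.[A-Za-z0-9]+$", "", comp)
        if HEX32.match(stem):
            hits.append(comp)
    return hits


def assess(kind: str, name: str, path: str, publisher: Optional[str], missing: bool) -> Optional[Finding]:
    """Apply the scoring rules; return None when nothing is worth a second look."""
    reasons = []
    if HEX32.match(name):
        reasons.append("random hex entry name")
    if hex_named_components(path):
        reasons.append("random hex path component")
    if missing:
        reasons.append("file missing on disk")      # FRST printed [X]; nothing else is known about it
    elif publisher is not None and publisher.strip() == "":
        reasons.append("no publisher")             # weak on its own, strong combined with the above
    return Finding(kind, name, path, reasons) if reasons else None


def triage(log_text: str) -> List[Finding]:
    """Parse every Run/Service line and return findings, highest score first."""
    findings = []
    for line in log_text.splitlines():
        m = RUN_RE.match(line)
        if m:
            f = assess("run", m["name"], m["path"], m["publisher"], False)
        else:
            m = SVC_RE.match(line)
            if not m:
                continue
            f = assess("service", m["name"], m["path"], m["publisher"], m["missing"] is not None)
        if f:
            findings.append(f)
    return sorted(findings, key=lambda f: -f.score)


def top_finding(log_text: str) -> Optional[Finding]:
    findings = triage(log_text)
    return findings[0] if findings else None


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.score}  {f.kind:7} {f.name}: {', '.join(f.reasons)}")
```

An empty publisher on its own is a weak signal (the ASUS hid.exe entry has none either); it is the combination with a hex-named service, folder and file that makes the 8ea006585fea3c7287aa2fa5f959128d entry stand out, and that is the one the fixlist targets. The two [X] services are reported separately because FRST records only that the file is gone, which is a cleanup item rather than evidence of anything.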


#23 Oh My!


Posted 14 August 2017 - 01:58 PM

Excellent work.

Do you recall the date you first starting having issues?

Please do this.

===================================================

Farbar's Recovery Scan Tool - Run Fix

--------------------
  • Using your USB containing FRST press the Windows Key + R on your keyboard at the same time. Type in notepad and press Enter
  • Please copy and paste the contents of the below code box into the open notepad and save it on the USB device as fixlist.txt
File: c:\program files\8ea006585fea3c7287aa2fa5f959128d\25388980c7758ebf541c5d042ce44c73.exe
Folder: c:\program files\8ea006585fea3c7287aa2fa5f959128d
C:\ProgramData\SetWallpaperPlus.exe
  • Insert the USB device into your infected computer
  • Enter the System Recovery Options as you previously did then select Command Prompt.
  • Launch FRST again and press the Fix button
  • The tool will create a Fixlog.txt document on your USB device. Copy and paste that information in your reply.
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • Date you couldn't log in?
  • Fixlog

Edited by Oh My!, 14 August 2017 - 02:06 PM.

Gary
 

#24 ecar65


Posted 15 August 2017 - 08:01 AM

Gary,

It is difficult to say when the attack occurred. I have lived with it so long searching for a solution, but my best estimate is about mid-May.

Regards,

ecar65

Fix result of Farbar Recovery Scan Tool (x64) Version: 12-08-2017
Ran by SYSTEM (15-08-2017 14:55:20) Run:1
Running from F:\
Boot Mode: Recovery
==============================================
 
fixlist content:
*****************
File: c:\program files\8ea006585fea3c7287aa2fa5f959128d\25388980c7758ebf541c5d042ce44c73.exe
Folder: c:\program files\8ea006585fea3c7287aa2fa5f959128d
C:\ProgramData\SetWallpaperPlus.exe
*****************
 
 
========================= File: c:\program files\8ea006585fea3c7287aa2fa5f959128d\25388980c7758ebf541c5d042ce44c73.exe ========================
 
MD5: 038026FDF8BDDCB5B8809351AB2B15CC
Creation and modification date: 2016-09-15 10:07 - 2016-09-15 10:07
Size: 021479424
Attributes: ----A
Company Name: 
Internal Name: GH0PBSOIAJ
Original Name: QVZYXCR9
Product: 
Description: QPMJLJ9IP
File Version: 1.68.10.21
Product Version: 1.68.10.21
Copyright: Copyright © 2014
VirusTotal: 0
 
====== End of File: ======
 
 
========================= Folder: c:\program files\8ea006585fea3c7287aa2fa5f959128d ========================
 
2016-09-15 10:07 - 2016-09-15 10:07 - 021479424 _____ () c:\program files\8ea006585fea3c7287aa2fa5f959128d\25388980c7758ebf541c5d042ce44c73.exe
2016-09-15 10:07 - 2016-10-19 16:50 - 000085747 _____ () c:\program files\8ea006585fea3c7287aa2fa5f959128d\2c6c69fedcaf45b133fa2140dd09590e
2016-09-15 10:07 - 2016-10-18 22:30 - 001224151 _____ () c:\program files\8ea006585fea3c7287aa2fa5f959128d\301512b19916462a6e34235d1c1f9fc4.exe
2016-09-15 10:07 - 2016-10-19 20:30 - 000028422 _____ () c:\program files\8ea006585fea3c7287aa2fa5f959128d\3a7b86b236106384b82ee73f45f92331
2016-09-15 10:07 - 2016-09-15 10:07 - 000961565 _____ () c:\program files\8ea006585fea3c7287aa2fa5f959128d\69f657c7ade2d274a939651742101318.exe
2016-09-15 10:07 - 2016-09-15 10:07 - 001073813 _____ () c:\program files\8ea006585fea3c7287aa2fa5f959128d\d0bac2fb420637bccaf77b6160e02fdc.exe
2016-09-15 10:07 - 2016-09-15 10:07 - 035441664 _____ () c:\program files\8ea006585fea3c7287aa2fa5f959128d\fc913869a7b6c3f53f4e5841623b3852.exe
2016-09-15 10:07 - 2016-09-15 10:07 - 000000000 ____D () c:\program files\8ea006585fea3c7287aa2fa5f959128d\03445c18d7703cc8cd7e9e041f71fcaa
2016-09-15 10:07 - 2016-01-18 17:01 - 000003262 _____ () c:\program files\8ea006585fea3c7287aa2fa5f959128d\03445c18d7703cc8cd7e9e041f71fcaa\1a2feb5e53ed9f39b8b5cbfdbca8487a.ico
2016-09-15 10:07 - 2016-01-18 17:01 - 000003262 _____ () c:\program files\8ea006585fea3c7287aa2fa5f959128d\03445c18d7703cc8cd7e9e041f71fcaa\1b1a3f3858e66998be6b4acb40923148.ico
2016-09-15 10:07 - 2016-01-18 17:01 - 000003262 _____ () c:\program files\8ea006585fea3c7287aa2fa5f959128d\03445c18d7703cc8cd7e9e041f71fcaa\2218bdb1111df01007111175a6f4c6b6.ico
2016-09-15 10:07 - 2016-01-18 17:01 - 000003262 _____ () c:\program files\8ea006585fea3c7287aa2fa5f959128d\03445c18d7703cc8cd7e9e041f71fcaa\362ac13e8188bec9e7cbb79f53d676fd.ico
2016-09-15 10:07 - 2016-01-18 17:01 - 000003262 _____ () c:\program files\8ea006585fea3c7287aa2fa5f959128d\03445c18d7703cc8cd7e9e041f71fcaa\3f17a4516ebb4e0da2f4592d59ff41d6.ico
2016-09-15 10:07 - 2016-01-18 17:01 - 000003262 _____ () c:\program files\8ea006585fea3c7287aa2fa5f959128d\03445c18d7703cc8cd7e9e041f71fcaa\4bea1e58c14aea5f80d206310be2c65c.ico
2016-09-15 10:07 - 2016-01-18 17:01 - 000003262 _____ () c:\program files\8ea006585fea3c7287aa2fa5f959128d\03445c18d7703cc8cd7e9e041f71fcaa\54e5dc0fc701572b006feb3c867edfd0.ico
2016-09-15 10:07 - 2016-01-18 17:01 - 000003262 _____ () c:\program files\8ea006585fea3c7287aa2fa5f959128d\03445c18d7703cc8cd7e9e041f71fcaa\5d656ce7159988259058cb4356c8def4.ico
2016-09-15 10:07 - 2016-01-18 17:01 - 000003262 _____ () c:\program files\8ea006585fea3c7287aa2fa5f959128d\03445c18d7703cc8cd7e9e041f71fcaa\665162023fde3be87306f581c8252107.ico
2016-09-15 10:07 - 2016-01-18 17:01 - 000003262 _____ () c:\program files\8ea006585fea3c7287aa2fa5f959128d\03445c18d7703cc8cd7e9e041f71fcaa\66af0f2bb211cb9254dc7651eda2c1ce.ico
2016-09-15 10:07 - 2016-01-18 17:01 - 000003262 _____ () c:\program files\8ea006585fea3c7287aa2fa5f959128d\03445c18d7703cc8cd7e9e041f71fcaa\84100acd244bc2aca474647a7c3cfedd.ico
2016-09-15 10:07 - 2016-01-18 17:01 - 000003262 _____ () c:\program files\8ea006585fea3c7287aa2fa5f959128d\03445c18d7703cc8cd7e9e041f71fcaa\87af9aa9e6dcd32ed302610118307853.ico
2016-09-15 10:07 - 2016-01-18 17:01 - 000003262 _____ () c:\program files\8ea006585fea3c7287aa2fa5f959128d\03445c18d7703cc8cd7e9e041f71fcaa\8f5e808214cbda8e6712afb482bd9722.ico
2016-09-15 10:07 - 2016-01-18 17:01 - 000003262 _____ () c:\program files\8ea006585fea3c7287aa2fa5f959128d\03445c18d7703cc8cd7e9e041f71fcaa\942a46b5e0cb65426644e2110b8d2a64.ico
2016-09-15 10:07 - 2016-02-01 12:29 - 000004286 _____ () c:\program files\8ea006585fea3c7287aa2fa5f959128d\03445c18d7703cc8cd7e9e041f71fcaa\99c16a3b34b39c14d2cf952c5d09ed23.ico
2016-09-15 10:07 - 2016-01-18 17:01 - 000003262 _____ () c:\program files\8ea006585fea3c7287aa2fa5f959128d\03445c18d7703cc8cd7e9e041f71fcaa\9a96e8e9cf6f5add2719d6e1e6cb55d5.ico
2016-09-15 10:07 - 2016-01-18 17:01 - 000003262 _____ () c:\program files\8ea006585fea3c7287aa2fa5f959128d\03445c18d7703cc8cd7e9e041f71fcaa\9d3ebd359efdc4c77e0e5d1dcacf1f4a.ico
2016-09-15 10:07 - 2016-01-18 17:01 - 000003262 _____ () c:\program files\8ea006585fea3c7287aa2fa5f959128d\03445c18d7703cc8cd7e9e041f71fcaa\9fd08e33f4ea0abe2fa595d21f23cf93.ico
2016-09-15 10:07 - 2016-01-18 17:01 - 000003262 _____ () c:\program files\8ea006585fea3c7287aa2fa5f959128d\03445c18d7703cc8cd7e9e041f71fcaa\b076e8bd54e0930baa77c6127b179ea2.ico
2016-09-15 10:07 - 2016-01-18 17:01 - 000003262 _____ () c:\program files\8ea006585fea3c7287aa2fa5f959128d\03445c18d7703cc8cd7e9e041f71fcaa\b4b511f583d981e6dd356d7e9f0b06f7.ico
2016-09-15 10:07 - 2016-01-18 17:01 - 000003262 _____ () c:\program files\8ea006585fea3c7287aa2fa5f959128d\03445c18d7703cc8cd7e9e041f71fcaa\c2705b91cf9f3d223d16e13fb53d22fb.ico
2016-09-15 10:07 - 2016-01-18 17:01 - 000003262 _____ () c:\program files\8ea006585fea3c7287aa2fa5f959128d\03445c18d7703cc8cd7e9e041f71fcaa\c804b27bb42b420b6804b4680f0282d3.ico
2016-09-15 10:07 - 2016-01-18 17:01 - 000003262 _____ () c:\program files\8ea006585fea3c7287aa2fa5f959128d\03445c18d7703cc8cd7e9e041f71fcaa\dcc68f9902724fc176a618c145ed802a.ico
2016-09-15 10:07 - 2016-01-18 17:01 - 000003262 _____ () c:\program files\8ea006585fea3c7287aa2fa5f959128d\03445c18d7703cc8cd7e9e041f71fcaa\e0f40e0965dd8412e102d4659c0ca995.ico
2016-09-15 10:07 - 2016-01-18 17:01 - 000003262 _____ () c:\program files\8ea006585fea3c7287aa2fa5f959128d\03445c18d7703cc8cd7e9e041f71fcaa\ea92a2914b0c69244fa2b38508e09c99.ico
2016-09-15 10:07 - 2016-01-18 17:01 - 000003262 _____ () c:\program files\8ea006585fea3c7287aa2fa5f959128d\03445c18d7703cc8cd7e9e041f71fcaa\eba0006e8e24ca35fa723a4cd32047b4.ico
2016-09-15 10:07 - 2016-01-18 17:01 - 000003262 _____ () c:\program files\8ea006585fea3c7287aa2fa5f959128d\03445c18d7703cc8cd7e9e041f71fcaa\f08a9594d739e8cfac47967d29d55c24.ico
2016-09-15 10:07 - 2016-02-01 12:29 - 000004286 _____ () c:\program files\8ea006585fea3c7287aa2fa5f959128d\03445c18d7703cc8cd7e9e041f71fcaa\f716fd0a18307c766318e7e4d57510fa.ico
2016-09-15 10:07 - 2016-01-18 17:01 - 000003262 _____ () c:\program files\8ea006585fea3c7287aa2fa5f959128d\03445c18d7703cc8cd7e9e041f71fcaa\fa82a418034271201034a97bfaa8ad31.ico
2016-09-15 10:07 - 2016-01-18 17:01 - 000003262 _____ () c:\program files\8ea006585fea3c7287aa2fa5f959128d\03445c18d7703cc8cd7e9e041f71fcaa\fc013268feca83ffe76ed6ccf394c1d8.ico
2016-09-15 10:07 - 2016-10-18 22:30 - 000000000 ____D () c:\program files\8ea006585fea3c7287aa2fa5f959128d\4ecf2268fe2f8fe0028e4cdc0ed461fe
2016-10-18 22:30 - 2016-10-18 22:30 - 017679360 _____ () c:\program files\8ea006585fea3c7287aa2fa5f959128d\4ecf2268fe2f8fe0028e4cdc0ed461fe\agprxa.dll
2016-10-18 22:30 - 2016-10-18 22:30 - 025458176 _____ () c:\program files\8ea006585fea3c7287aa2fa5f959128d\4ecf2268fe2f8fe0028e4cdc0ed461fe\qqdxzu.dll
 
====== End of Folder: ======
 
C:\ProgramData\SetWallpaperPlus.exe => moved successfully
 
==== End of Fixlog 14:55:21 ====


#25 Oh My!


Posted 15 August 2017 - 09:36 AM

Thank you.

Though I don't expect this to resolve your issue let's do this next.

===================================================

Farbar's Recovery Scan Tool - Run Fix

--------------------
  • Using your USB containing FRST press the Windows Key + R on your keyboard at the same time. Type in notepad and press Enter
  • Please copy and paste the contents of the below code box into the open notepad and save it on the USB device as fixlist.txt
c:\program files\8ea006585fea3c7287aa2fa5f959128d
emptytemp:
  • Insert the USB device into your infected computer
  • Enter the System Recovery Options as you previously did then select Command Prompt.
  • Launch FRST again and press the Fix button
  • The tool will create a Fixlog.txt document on your USB device. Copy and paste that information in your reply.
  • Attempt to sign into your account
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • Fixlog
  • Can you sign in?

Gary
 

#26 ecar65


Posted 15 August 2017 - 10:31 AM

Gary,

Missed your question. Even after the fix, I still cannot log in.

ecar65



#27 Oh My!


Posted 15 August 2017 - 02:06 PM

Do you have a fixlog.txt document on your USB device? Can you copy/paste the contents in your reply?

Do you recall setting up a Microsoft account when first setting up your computer?

Please do this.

===================================================

Farbar's Recovery Scan Tool Search

--------------------
  • Boot to the System Recovery Options again and run FRST
  • Type the following in the Search Field
utilman.exe
  • Click Search File(s) button
  • A Search.txt document will be saved to your USB device
  • Copy and paste the contents of that document your reply
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • Search.txt

Edited by Oh My!, 15 August 2017 - 07:57 PM.

Gary
 

#28 ecar65


Posted 17 August 2017 - 02:01 PM

Gary,

Sorry, something went wrong when I tried to do your instructions from 15/8.

I first created the fixlist.txt in my USB directory.

I then launched the FRST64, I scanned and received a message on the screen that the scan was complete and saved. However, when I clicked OK the Fix button was no longer available (in fact the whole FRST64 screen disappeared). I tried it several times with the same result.

When I moved the USB disk back to my good computer and looked at the fixlist.txt file (just to check that I had copied in the line that you had indicated) there was a message below the copied-in line:

Error:  this direction works only outside recovery mode;

One observation: I noted that the text you wanted me to copy into the notepad did not end with an .exe like the previous file that I copied into notepad. ??

Suggestions?

ecar65

 



#29 Oh My!


Posted 17 August 2017 - 02:15 PM

Greetings.
 
Once you launch FRST in the Recovery Environment all you need to do is type utilman.exe in the Search Box then click Search Files. A Search.txt file should be created on your USB device. Copy and paste that information in your reply.

(screenshot: searchfile.jpg)


Gary
 

#30 ecar65


Posted 17 August 2017 - 03:02 PM

Gary,

I cannot recall that I set up a MS account. I used to have one a long time ago but it stopped working, so I set up a new account about a month ago.

Here is a copy of the search.txt document:

Farbar Recovery Scan Tool (x64) Version: 12-08-2017
Ran by SYSTEM (17-08-2017 21:53:47)
Running from H:\
Boot Mode: Recovery
 
================== Search Files: "utilman.exe" =============
 
C:\Windows\WinSxS\x86_microsoft-windows-utilman_31bf3856ad364e35_10.0.14393.0_none_d3ff7fe68f928203\Utilman.exe
[2016-07-16 12:42][2016-07-16 12:42] 000074752 _____ (Microsoft Corporation) BE7F3D92E756F29B5FFD07220B82F685
 
C:\Windows\WinSxS\amd64_microsoft-windows-utilman_31bf3856ad364e35_10.0.14393.0_none_301e1b6a47eff339\Utilman.exe
[2016-07-16 12:42][2016-07-16 12:42] 000089600 _____ (Microsoft Corporation) AA765332ACD18BCCB031A55FA64D5957
 
C:\Windows\SysWOW64\Utilman.exe
[2016-07-16 12:42][2016-07-16 12:42] 000074752 _____ (Microsoft Corporation) BE7F3D92E756F29B5FFD07220B82F685
 
C:\Windows\System32\Utilman.exe
[2016-07-16 12:42][2016-07-16 12:42] 000089600 _____ (Microsoft Corporation) AA765332ACD18BCCB031A55FA64D5957
 
====== End of Search ======
 
Hope this can be of some use to you.
 
ecar65
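The Search.txt above lists every copy of utilman.exe FRST found, each with its publisher and MD5. A natural check on that output is whether the live copies under System32 and SysWOW64 agree with the copies Windows keeps in the WinSxS component store (the amd64 component for System32, the x86 component for SysWOW64), since a live file that diverges from its store copy is the first thing to look into. The following Python is an added example, not part of FRST or of this thread: the parsing of the Search.txt block format, the System32/SysWOW64-to-architecture mapping and the ok/mismatch rule are my own, the clean sample is the four entries ecar65 posted, and the tampered variant is constructed with an obviously fake placeholder hash.

```python
"""Compare live utilman.exe copies against their WinSxS component-store copies in an FRST Search.txt.

Added example for this thread; not FRST's own logic. Block format assumed: a path line followed by
'[created][modified] size attrs (publisher) MD5'.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, List

# Sample Search.txt body, constructed from the entries posted in the thread.
SEARCH_CLEAN = r"""
================== Search Files: "utilman.exe" =============

C:\Windows\WinSxS\x86_microsoft-windows-utilman_31bf3856ad364e35_10.0.14393.0_none_d3ff7fe68f928203\Utilman.exe
[2016-07-16 12:42][2016-07-16 12:42] 000074752 _____ (Microsoft Corporation) BE7F3D92E756F29B5FFD07220B82F685

C:\Windows\WinSxS\amd64_microsoft-windows-utilman_31bf3856ad364e35_10.0.14393.0_none_301e1b6a47eff339\Utilman.exe
[2016-07-16 12:42][2016-07-16 12:42] 000089600 _____ (Microsoft Corporation) AA765332ACD18BCCB031A55FA64D5957

C:\Windows\SysWOW64\Utilman.exe
[2016-07-16 12:42][2016-07-16 12:42] 000074752 _____ (Microsoft Corporation) BE7F3D92E756F29B5FFD07220B82F685

C:\Windows\System32\Utilman.exe
[2016-07-16 12:42][2016-07-16 12:42] 000089600 _____ (Microsoft Corporation) AA765332ACD18BCCB031A55FA64D5957

====== End of Search ======
"""

# Constructed variant: the live System32 copy no longer matches the component store
# (placeholder hash and empty publisher; not a real sample).
PLACEHOLDER_MD5 = "0" * 32
SEARCH_TAMPERED = SEARCH_CLEAN.replace(
    "[2016-07-16 12:42][2016-07-16 12:42] 000089600 _____ (Microsoft Corporation) AA765332ACD18BCCB031A55FA64D5957\n\n====== End",
    f"[2017-05-20 03:11][2017-05-20 03:11] 000270336 _____ () {PLACEHOLDER_MD5}\n\n====== End",
)

DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\]\[(?P<modified>[^\]]+)\] (?P<size>\d+) (?P<attrs>\S+) "
    r"\((?P<publisher>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})\s*$"
)
PATH_RE = re.compile(r"^[A-Za-z]:\\")
LIVE_DIRS = {"system32": "amd64", "syswow64": "x86"}   # which store architecture each live dir should match


@dataclass
class Entry:
    path: str
    publisher: str
    md5: str
    size: int


def parse_search(text: str) -> List[Entry]:
    """Pair each path line with the detail line that follows it."""
    entries, pending = [], None
    for line in text.splitlines():
        if PATH_RE.match(line):
            pending = line.strip()
            continue
        m = DETAIL_RE.match(line)
        if m and pending:
            entries.append(Entry(pending, m["publisher"], m["md5"].upper(), int(m["size"])))
            pending = None
    return entries


def check_live_copies(entries: List[Entry]) -> Dict[str, str]:
    """Verdict per live copy: 'ok', 'mismatch', or 'no reference' when the store copy was not found."""
    reference = {"amd64": set(), "x86": set()}
    for e in entries:
        m = re.search(r"\\winsxs\\(amd64|x86)_", e.path, re.IGNORECASE)
        if m:
            reference[m.group(1).lower()].add(e.md5)
    verdicts = {}
    for e in entries:
        m = re.search(r"\\windows\\(system32|syswow64)\\[^\\]+$", e.path, re.IGNORECASE)
        if not m:
            continue
        arch = LIVE_DIRS[m.group(1).lower()]
        if not reference[arch]:
            verdicts[e.path] = "no reference"
        elif e.md5 in reference[arch] and e.publisher == "Microsoft Corporation":
            verdicts[e.path] = "ok"
        else:
            verdicts[e.path] = "mismatch"
    return verdicts


if __name__ == "__main__":
    for label, text in (("posted", SEARCH_CLEAN), ("constructed tampered", SEARCH_TAMPERED)):
        print(label, check_live_copies(parse_search(text)))
```

For the four entries ecar65 posted, both live copies come back ok: each MD5 equals its component-store counterpart and the publisher is Microsoft Corporation. A mismatch would not by itself say what the file is, only that the live copy is not the one Windows installed, which is the point at which the file's dates, size and a VirusTotal lookup become the next questions.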




