Weird popup on startup

As above, when I start windows and login, I get this message "The module c:/windows/system32/config/system...../pdevhelper.dll" failed to load. Its regsvr32.
Can anyone Identify this issue please?
I did google searches and got almost no results. Only something about java oracle. Thanks in advanced.

Hello and welcome to Bleeping Computer! My nickname is Pystryker , and I will be helping you with your issue today.


Before we get started, I have a few things I need to go over with you

• If you are receiving help for this issue at another forum, please let me know so I can close this thread.
• Please download to and run all requested tools from your Desktop.
• Please do not install any new software during the cleaning process other than the tools I provide for you. This can hinder the cleaning process.
• At the top of your post, please click on the "Follow this topic" button and make sure that the "Received notification" box is checked and set to "Instantly" This will send an email to you as soon as I reply to your topic, allowing us to solve your problem faster.
• If any of your security programs give you a warning about any tool I ask you to use, please do not worry. All the links and tools I provide to you will be safe.
• Please do not run any tools other than the ones I ask you to, when I ask you to. Some of these tools can be very dangerous if used improperly. Also, if you use a tool that I have not requested you use, it can cause false positives, thereby delaying the complete cleaning of your machine.
• This is a complicated process. It requires several steps, patience, and careful following of my instructions in the order they are given to diagnose your problems to get your machine back in working order.
• Please stay with me until the end of all steps and procedures and I declare your system clean. Just because there is a lack of symptoms does not indicate a clean machine. I promise to do the same for you.
• It is impossible for me to know what interactions may happen between your computer's software and the tools we will use to clean your machine. Therefore, I highly recommend you backup any critical personal files on your machine before we start.
• If you have any questions at all, please don't hesitate to ask. There's no such thing as a stupid question when dealing with malware.
• If you are unsure of an instruction I give you, or if something unexepected occurs, Do NOT proceed! Stop and ask for clarification of the instruction or tell me what occurred.
• Please remember, the fixes are for your machine and your machine ONLY! Do not use these fixes on any other machine, each fix is tailor made for your system only. Using a fix on another machine can and will cause serious damage.
• Once we have cleaned your machine, we'll have some cleanup and prevention steps to go through. We will also provide you with some information about how to reduce your chances of infection and get some protections in place to help defend you against this in the future
• Please be patient while I am analyzing your logs. I know you are probably scared and very frustrated with this problem, but I am a volunteer and sometimes life does get in the way.

Special Note: Please know that I am against piracy in any form. This includes, but not limited to, movies, music, and software. This is also a violation of the Terms of Service you agreed to when you created your account here. If programs such as KMS that are used to activate illegal copies of Microsoft software are found, you will be asked to remove them and submit fresh logs.

Failure to do so will result in assistance being withdrawn.

Now, let's get started, shall we?

Let's get a look at your system and see what's going on.


Scan with Farbar's Recovery Scan Tool (FRST)


Please download Farbar Recovery Scan Tool and save it to your Desktop. All tools must be run from the Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

• Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
• Place a check in the box marked Addition.txt
• Press the Scan button.
• It will produce a log called FRST.txt in the same directory the tool is run from.
• Please copy and paste log back here.
• The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the FRST.txt into your reply.

Things I need to see in your next post:

Please post each of these logs as a separate reply in this thread.

FRST Log

Addition.txt Log

Hello below is the log. 

 

FRST log: Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 09-08-2017

Addition log:

Hello

I'm analyzing your logs and preparing a fix. Please run the following tool and post the resulting log.


Scan with CKScanner


Download CKScanner from here.

Important: Save it to your desktop.

Doubleclick CKScanner.exe and click Search For Files.(If you have Windows Vista / Windows 7 / Windows 8 please do a Right click on CKScanner.exe and select Run as Administrator.)

After a very short time, when the cursor hourglass disappears, click Save List To File.

A message box will verify that the file is saved.

Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.

Things I need to see in your next post:

CKFiles.txt

Hello

I'm analyzing your logs and preparing a fix. Please run the following tool and post the resulting log.


Scan with CKScanner


Download CKScanner from here.

Important: Save it to your desktop.

Doubleclick CKScanner.exe and click Search For Files.(If you have Windows Vista / Windows 7 / Windows 8 please do a Right click on CKScanner.exe and select Run as Administrator.)

After a very short time, when the cursor hourglass disappears, click Save List To File.

A message box will verify that the file is saved.

Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.

Things I need to see in your next post:

CKFiles.txt

Attached.

Edit: CKScanner 2.5 - Additional Security Risks - These are not necessarily bad

Edited by sirjoe1, 11 August 2017 - 12:57 AM.

Hello

Step 1: Fix with FRST

Important: Before performing this step, please move FRST64.exe from C:\Users\w7\Downloads to your Desktop or the fix will not work. All tools must be run from the Desktop.

• Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy.
• Right-click in the open notepad and select Paste).
• Save it on the desktop as fixlist.txt

Start
CreateRestorePoint:
CloseProcesses:
HKLM-x32\...\Run: [URPmedia] => C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\config\systemprofile\AppData\Local\Ofics\pdevhelper.dll
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
GroupPolicy: Restriction - Chrome <==== ATTENTION
FF HKLM-x32\...\Firefox\Extensions: [daplinkchecker@speedbit.com] - C:\Program Files (x86)\DAP\daplinkchecker => not found
HKU\.DEFAULT\Software\Classes\b586d: "C:\Windows\system32\mshta.exe" "javascript:McWTU4a5i="TwujZb";N2E=new ActiveXObject("WScript.Shell");s6yGd="2GtCLhxi";QPf6U3=N2E.RegRead("HKCU\\software\\sfcc\\bymfflwgby");DNQ9RS="1OTKLf";eval(QPf6U3);M9MhRI7="LLhwqc";" <==== ATTENTION
Task: {74E7CA0C-4B28-4B51-B431-EAFEEC2EB294} - System32\Tasks\mjg2kyft => C:\Program Files\Common Files\0jkxweer\b2137hepploxh.exe
C:\Program Files\Common Files\0jkxweer
Task: {97CE1122-7664-4679-8B4A-3CA552606766} - System32\Tasks\lar3es1h => C:\Program Files\Common Files\4eubx1r5\c15b9htfdo2ym.exe
C:\Program Files\Common Files\4eubx1r5
Task: {C3A4EAAF-8237-4FAA-9680-EDB028564D41} - System32\Tasks\inyraupuat => C:\Windows\system32\config\systemprofile\AppData\Local\Stimtandax [Argument = /t 1632 2932] <==== ATTENTION
AlternateDataStreams: C:\ProgramData\TEMP:05E9FFE5 [99]
AlternateDataStreams: C:\ProgramData\TEMP:56E2E879 [86]
AlternateDataStreams: C:\ProgramData\TEMP:D5FBE8F9 [336]
AlternateDataStreams: C:\ProgramData\TEMP:DBC416F8 [86]
BHO-x32: SpeedBit Link Verification Helper -> {D5974A72-C81C-4DC3-BE77-A8A7BBC8864E} -> C:\Program Files (x86)\DAP\LinkVerifier.dll => No File
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll [No File]
FF Plugin-x32: @cfca.com/SecEditCtl.BOC,version=1.0.0.9 -> C:\Windows\system32\npSecEditCtl.BOC.x86.dll [No File]
FF Plugin-x32: @tiancity.com/NxGame -> \NGM\npNxGameCN.dll [No File]
S3 Tosrfcom; no ImagePath
CMD: bitsadmin /reset /allusers
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state on
CMD: ipconfig /flushdns
Emptytemp:
End

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.


Run FRST and press the Fix button just once and wait. The tool will make a log on the desktop (Fixlog.txt) please post it in your next reply.


Step 2: Junkware Removal Tool

Please download Junkware Removal Tool to your desktop.

• Shut down your protection software now to avoid potential conflicts.
• Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
• The tool will open and start scanning your system.
• Please be patient as this can take a while to complete depending on your system's specifications.
• On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
• Post the contents of JRT.txt into your next message.

Step 3: AdwCleaner

Download AdwCleaner by Xplode to your Desktop from the following link.

Download Link #1
Download Link #2

• Right-click on AdwCleaner.exe and choose Run as administrator;
• Click on Option and put a check mark on everything;
• Click on Scan and let the program run unhindered;
• When done, click on Clean and allow the system to reboot after it is done;
• A log will be opened automatically after the restart. If not, it is located in C:\AdwCleaner\AdwCleaner[CX].txt, where X is replaced with a number;
• Copy and Paste the contents of this log in your reply.

Step 4: Fresh FRST Logs

• Start Farbar's Recovery Scan Tool and press the Scan button.
• FRST will scan your system and produce one log this time. Please post it in your next reply.

Things I need to see in your next post:

Please post each of these logs as a separate reply in this thread.

Fixlog.txt Log

Junkware Removal Tool Log

AdwCleaner Log

Fresh FRST.txt Log

Fresh Addition.txt Log

JRT.txt  JRT.txt   2.83KB   1 downloads

Fixlog   Fixlog.txt   6.77KB   1 downloads

adwcleanerlog

Edited by sirjoe1, 11 August 2017 - 08:59 AM.

addition  Addition.txt   65.66KB   3 downloads

frstlog   FRST.txt   47.64KB   2 downloads

Hello

Please do not attach the logs, but copy and paste them as a reply. It makes them easier to analyze. How is the machine running? Has the pop-up stopped occurring? I will study your logs this evening when I get in from work and post further instructions then. Please let me know if the pop up has stopped.

Please disable your antivirus for the duration of my instructions. Don't forget to re-enable them after you have completed the steps.


Step 1: Scan with Malwarebytes


Start the progamme and select update
Once it has updated select Settings > Detection and Protection
Tick Scan for rootkits
Go back to the Dashboard and select Scan Now
If threats are detected, click the Apply Actions button, MBAM will ask for a reboot.
On completion of the scan (or after the reboot), start MBAM,
Click History, then Application Logs, then check the Select box by the first Scan Log in the list.
Click View, then click Export, select text file and save to the desktop as MBAM.txt and post in your next reply.



Step 2: Scan with ESET Online Scanner

Disable your security programs which includes but not limited to anti-virus, anti-malware, anti-spyware et cetera. Peruse this for additional information.

• Download esetsmartinstaller_enu.exe by clicking here.
• Right-click on the program and choose Run as administrator.
• Accept their terms and condition and proceed.
• Install Add-On/Active X if prompted.
• From the Computer Scan Setting check the following box --

• Enable detection for potentially unwanted programs

• Click on Advanced Setting --

• Check the box beside Remove Found Threats;
• Check the box beside Scan archives
• Check the box beside Scan for potentially unsafe applications
• Check the box beside Enable Anti-Stealth Technology

• Click on Start and wait for the virus signature database to update.
• The online scan will begin automatically and can take several hours.

• Note:

Do not touch either the Mouse or keyboard during the scan. Otherwise it may stall.

• After the Scan finishes --

• If no threats were found:

• Put a checkmark in Uninstall application on close.
• Close the program and report that nothing was found

• If threats were found:

• Open the file located in C:\Program Files\ESET\ESET Online Scanner\log.txt (32-bit) or C:\Program Files (x86)\ESET\ESET Online Scanner\log.txt (64-bit).
• Copy and Paste contents of the log file in your next reply.

Note: Enable your security programs afterwards.

Step 3: SecurityCheck Scan


Download Security Checkby screen317 from here or here.

• Save it to your Desktop.
• Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
• NOTE: If SecurityCheck aborts and you get the following message: UNSUPPORTED OPERATING SYSTEM! ABORTED! try rebooting the system and then run SecurityCheck again.
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Things I need to see in your next post:

• ESET Scan Log
• MBAM Log
• SecurityCheck Log

Thanks a bunch, no more popup on startup. Anti virus and malwarebytes all clean.     Oh wait.. malwatebytes detected something:

Edited by sirjoe1, 12 August 2017 - 02:58 AM.