
Can not install DDA - or run RKILL or COMBO FIX


This topic is locked. 63 replies to this topic.

#1 joe11757 (Members, 58 posts)

Posted 06 September 2017 - 09:39 AM

Please see attached logs and pics....PLEASE help me as I need this computer for school :(

Attached Files


Edited by hamluis, 06 September 2017 - 09:45 AM.
Moved from Crashes/BSODs to Malware Removal Logs - Hamluis.



#2 Aura (Bleepin' Special Ops, Malware Response Team, 19,661 posts)

Posted 06 September 2017 - 06:16 PM

Hi joe11757 :)

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name, it's up to you! Now that we've broken the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.
  • As you'll notice, the logs we are asking for here are quite lengthy, so it's normal for me to not reply exactly after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens
  • As long as I'm assisting you on BleepingComputer, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you
  • The same principle applies to any modifications you make to your system. I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system
  • If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here, better be safe than sorry!
  • If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off
  • Since malware can work quickly, we want to get rid of it as fast as we can, before it makes unknown changes to the system. This being said, I would appreciate it if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced
  • I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not, I'll give you the benefit of the doubt. Plus, this would be against BleepingComputer's rules
  • In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like format and reinstall Windows, you are free to do so. I would appreciate it if you let me know about it first, and if you need, I can also assist you in the process
  • I would appreciate it if you were to stay with me until the end, which means, until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely gone

This being said, I have a full-time job so sometimes it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread.
This being said, it's time to clean-up some malware, so let's get started, shall we? :)

Follow the instructions in the thread below. Make sure to download the MBAR version linked in it. Let me know if you're not able to launch it and run a scan.

https://forums.malwarebytes.com/topic/198907-requested-resource-is-in-use-error-unable-to-start-malwarebytes/

If you manage to run a scan, delete everything it finds, and then copy/paste the content of the "mbar-log-DATE-(TIME).txt" log that is located in the MBAR folder here after.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 joe11757 (Topic Starter, Members, 58 posts)

Posted 06 September 2017 - 07:14 PM

I ran it and it would not work, and I cannot update it. See attached pics.

Attached Files



#4 Aura (Bleepin' Special Ops, Malware Response Team, 19,661 posts)

Posted 06 September 2017 - 07:16 PM

As expected.

Do you have a USB Flash Drive? If so, how big is it?

Also, follow the instructions below.

Farbar Recovery Scan Tool (FRST) - Fix mode
Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.
  • Download the attached fixlist.txt file, and save it on your Desktop (or wherever your FRST.exe/FRST64.exe executable is located)
  • Right-click on the FRST executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Click on the Fix button
  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad
  • Copy and paste its content in your next reply

Attached Files




#5 joe11757 (Topic Starter, Members, 58 posts)

Posted 06 September 2017 - 07:27 PM

Fix result of Farbar Recovery Scan Tool (x64) Version: 20-08-2017
Ran by Joseph DeRosa (06-09-2017 20:26:51) Run:1
Running from C:\Users\Joseph DeRosa\Desktop
Loaded Profiles: Joseph DeRosa (Available Profiles: Joseph DeRosa & Guest)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
CMD: bcdedit.exe /set {default} recoveryenabled yes
CMD: dir C:\Windows\
CMD: dir C:\Windows\system32\drivers
*****************
 
 
========= bcdedit.exe /set {default} recoveryenabled yes =========
 
The operation completed successfully.
 
========= End of CMD: =========
 
 
========= dir C:\Windows\ =========
 
 Volume in drive C has no label.
 Volume Serial Number is C243-3832
 
 Directory of C:\Windows
 
09/06/2017  05:13 PM    <DIR>          .
09/06/2017  05:13 PM    <DIR>          ..
10/17/2013  02:52 PM           815,104 adb.exe
10/17/2013  02:52 PM            96,256 AdbWinApi.dll
10/17/2013  02:52 PM            60,928 AdbWinUsbApi.dll
09/06/2017  01:09 PM    <DIR>          addins
04/18/2015  01:01 AM    <DIR>          AppCompat
08/09/2017  09:22 AM    <DIR>          AppPatch
09/05/2017  10:01 PM                20 b24782956
11/20/2010  11:24 PM            71,168 bfsvc.exe
07/14/2009  01:32 AM    <DIR>          Boot
08/08/2014  04:55 PM    <DIR>          Branding
11/11/2016  05:05 PM    <DIR>          CheckSur
07/14/2009  01:32 AM    <DIR>          Cursors
08/24/2017  03:25 PM    <DIR>          debug
07/14/2009  01:32 AM    <DIR>          diagnostics
07/14/2009  01:37 AM    <DIR>          DigitalLocker
09/25/2016  02:20 PM    <DIR>          Downloaded Program Files
08/21/2016  07:49 PM    <DIR>          ehome
07/15/2014  05:39 PM    <DIR>          en
09/25/2016  11:48 AM    <DIR>          en-US
11/30/2016  06:29 PM             1,945 epplauncher.mif
01/06/2014  09:46 AM    <DIR>          erdnt
08/29/2016  11:04 AM         3,229,696 explorer.exe
10/17/2013  02:52 PM           157,184 fastboot.exe
07/13/2009  09:39 PM            15,360 fveupdate.exe
04/12/2011  04:30 AM    <DIR>          Globalization
08/27/2009  03:04 AM           207,400 GSetup.exe
04/11/2013  04:33 PM                10 GSetup.ini
07/07/2017  10:09 AM    <DIR>          Help
06/02/2017  04:10 AM           733,696 HelpPane.exe
07/13/2009  09:39 PM            16,896 hh.exe
06/10/2009  04:30 PM            48,265 HomePremium.xml
09/05/2017  02:20 PM             1,228 IE11_main.log
07/14/2009  01:37 AM    <DIR>          IME
09/06/2017  03:37 PM    <DIR>          inf
10/29/1998  04:45 PM           306,688 IsUninst.exe
07/14/2009  01:32 AM    <DIR>          L2Schemas
07/13/2009  10:34 PM    <DIR>          LiveKernelReports
09/25/2016  11:50 AM    <DIR>          Logs
07/13/2009  07:06 PM            43,131 mib.bin
09/05/2017  02:49 PM    <DIR>          Microsoft.NET
03/17/2015  09:06 PM    <DIR>          Migration
03/12/2017  08:12 PM    <DIR>          Minidump
07/13/2009  10:34 PM    <DIR>          ModemLogs
06/10/2009  04:36 PM             1,405 msdfmap.ini
07/09/2015  01:57 PM           193,536 notepad.exe
09/06/2017  08:57 AM           377,682 ntbtlog.txt
07/18/2017  06:54 PM             1,951 NvContainerRecovery.bat
07/14/2009  01:32 AM    <DIR>          Offline Web Pages
09/05/2017  02:31 AM            12,288 outnumber.exe
12/06/2013  06:32 PM    <DIR>          Panther
01/25/2016  06:17 PM    <DIR>          PCHEALTH
07/14/2009  01:32 AM    <DIR>          Performance
09/06/2017  03:16 PM         1,388,314 PFRO.log
07/13/2009  11:20 PM    <DIR>          PLA
05/12/2017  03:48 PM    <DIR>          PolicyDefinitions
04/16/2013  08:06 PM    <DIR>          Prefetch
09/06/2017  12:44 PM    <DIR>          pss
07/01/2013  09:39 AM               126 QUICKEN.INI
07/13/2009  09:39 PM           427,008 regedit.exe
08/01/2017  01:28 PM    <DIR>          registration
08/09/2017  12:07 PM    <DIR>          rescache
07/14/2009  01:32 AM    <DIR>          Resources
12/12/2011  11:01 PM         1,698,408 RtlExUpd.dll
03/31/2009  02:31 PM           380,928 RtlUI2.exe
01/05/2009  08:31 PM               901 RtlUI2.exe.manifest
12/12/2014  05:24 PM            44,760 runSW.exe
09/06/2017  08:06 PM            16,444 runSW.log
07/13/2009  10:35 PM    <DIR>          SchCache
11/16/2014  01:21 PM    <DIR>          schemas
07/13/2009  11:20 PM    <DIR>          security
03/03/2015  05:09 PM    <DIR>          ServiceProfiles
04/12/2011  04:17 AM    <DIR>          servicing
06/16/2014  03:39 PM    <DIR>          Setup
09/06/2017  08:06 PM               952 setupact.log
09/03/2017  11:54 PM                 0 setuperr.log
01/25/2016  06:17 PM    <DIR>          ShellNew
07/15/2015  03:00 PM    <DIR>          SoftwareDistribution
04/12/2011  04:17 AM    <DIR>          Speech
02/11/2012  02:36 AM            67,072 splwow64.exe
06/10/2009  04:31 PM            48,201 Starter.xml
03/03/2015  12:32 PM           456,560 SwUSB.exe
07/13/2009  10:36 PM    <DIR>          system
01/06/2014  09:45 AM               215 system.ini
09/06/2017  03:37 PM    <DIR>          System32
09/06/2017  10:00 AM    <DIR>          SysWOW64
07/14/2009  12:57 AM    <DIR>          TAPI
08/01/2017  01:28 PM    <DIR>          Tasks
09/06/2017  08:26 PM    <DIR>          temp
05/15/2015  09:22 AM    <DIR>          TempE416C53E-C9FB-C41F-F38B-643F40FF6DBB-Signatures
03/21/2015  08:14 AM    <DIR>          tracing
06/10/2009  05:41 PM            94,784 twain.dll
12/24/2016  12:57 PM    <DIR>          twain_32
11/20/2010  11:25 PM            51,200 twain_32.dll
06/10/2009  05:41 PM            49,680 twunk_16.exe
07/13/2009  09:14 PM            31,232 twunk_32.exe
07/13/2009  11:20 PM    <DIR>          Vss
07/14/2009  01:32 AM    <DIR>          Web
08/01/2017  09:31 AM               478 win.ini
09/06/2017  03:39 PM         1,131,631 WindowsUpdate.log
07/13/2009  09:14 PM             9,728 winhlp32.exe
09/05/2017  05:31 PM    <DIR>          winsxs
03/31/2014  09:34 PM           322,248 WLXPGSS.SCR
06/10/2009  04:52 PM           316,640 WMSysPr9.prx
07/13/2009  09:39 PM            10,240 write.exe
07/15/2014  05:39 PM                20 ¸ø7
              47 File(s)     12,939,607 bytes
              60 Dir(s)   5,577,125,888 bytes free
 
========= End of CMD: =========
 
 
========= dir C:\Windows\system32\drivers =========
 
 Volume in drive C has no label.
 Volume Serial Number is C243-3832
 
 Directory of C:\Windows\system32\drivers
 
09/06/2017  08:11 PM    <DIR>          .
09/06/2017  08:11 PM    <DIR>          ..
07/13/2009  08:06 PM            68,096 1394bus.sys
11/20/2010  11:23 PM           229,888 1394ohci.sys
11/20/2010  11:23 PM           334,208 acpi.sys
11/20/2010  11:23 PM            12,800 acpipmi.sys
07/13/2009  09:52 PM           491,088 adp94xx.sys
07/13/2009  09:52 PM           339,536 adpahci.sys
07/13/2009  09:52 PM           182,864 adpu320.sys
04/11/2013  10:09 PM           367,200 afcdp.sys
04/04/2017  10:53 AM           496,128 afd.sys
07/13/2009  08:10 PM            60,416 agilevpn.sys
07/13/2009  09:52 PM            61,008 AGP440.sys
07/13/2009  09:52 PM            15,440 aliide.sys
07/13/2009  09:52 PM            15,440 amdide.sys
07/13/2009  07:19 PM            64,512 amdk8.sys
07/13/2009  07:19 PM            60,928 amdppm.sys
03/11/2011  02:41 AM           107,904 amdsata.sys
07/13/2009  09:52 PM           194,128 amdsbs.sys
03/11/2011  02:41 AM            27,008 amdxata.sys
11/02/2009  06:16 AM            33,736 ANDROIDUSB.sys
07/07/2017  11:01 AM            62,464 appid.sys
01/10/2011  06:16 PM            21,104 AppleCharger.sys
07/13/2009  09:52 PM            87,632 arc.sys
07/13/2009  09:52 PM            97,856 arcsas.sys
07/13/2009  08:10 PM            23,040 asyncmac.sys
07/13/2009  09:52 PM            24,128 atapi.sys
08/04/2013  10:25 PM           155,584 ataport.sys
06/10/2009  04:34 PM           270,848 b57nd60a.sys
07/13/2009  09:52 PM            28,240 battc.sys
07/13/2009  08:00 PM             6,656 beep.sys
07/13/2009  07:35 PM            45,056 blbdrive.sys
10/05/2016  10:54 AM            90,112 bowser.sys
06/10/2009  04:41 PM            18,432 BrFiltLo.sys
06/10/2009  04:41 PM             8,704 BrFiltUp.sys
07/13/2009  09:01 PM            95,232 bridge.sys
07/13/2009  09:19 PM           286,720 BrSerId.sys
06/10/2009  04:41 PM            47,104 BrSerWdm.sys
06/10/2009  04:41 PM            14,976 BrUsbMdm.sys
06/10/2009  04:41 PM            14,720 BrUsbSer.sys
07/13/2009  08:06 PM            72,192 bthmodem.sys
06/10/2009  04:34 PM           468,480 bxvbda.sys
07/13/2009  07:19 PM            92,160 cdfs.sys
11/20/2010  11:23 PM           147,456 cdrom.sys
07/13/2009  08:06 PM            45,568 circlass.sys
11/20/2010  11:24 PM           179,072 Classpnp.sys
07/13/2009  07:31 PM            17,664 CmBatt.sys
07/13/2009  09:52 PM            17,488 cmdide.sys
11/20/2016  10:07 AM           467,392 cng.sys
07/13/2009  09:52 PM            21,584 compbatt.sys
11/20/2010  11:23 PM            38,912 CompositeBus.sys
07/13/2009  09:47 PM            39,504 crashdmp.sys
07/13/2009  09:47 PM            24,144 crcdisk.sys
09/08/2016  10:55 AM           106,496 dfsc.sys
07/13/2009  07:37 PM            40,448 discache.sys
01/20/2016  08:51 PM            73,664 disk.sys
02/03/2014  10:35 PM            27,584 Diskdump.sys
12/08/2015  02:54 PM           116,736 drmk.sys
12/08/2015  02:11 PM             5,632 drmkaud.sys
07/13/2009  09:47 PM            28,736 Dumpata.sys
07/13/2009  09:43 PM            55,128 dumpfve.sys
07/13/2009  07:38 PM            16,896 dxapi.sys
07/13/2009  07:38 PM            98,816 dxg.sys
05/16/2017  11:35 AM           986,856 dxgkrnl.sys
05/16/2017  11:35 AM           265,448 dxgmms1.sys
07/13/2009  09:47 PM           530,496 elxstor.sys
09/25/2016  11:48 AM    <DIR>          en-US
07/13/2009  07:31 PM             9,728 errdev.sys
04/27/2016  02:27 PM    <DIR>          etc
01/06/2012  04:59 AM            59,392 EtronHub3.sys
01/06/2012  04:59 AM            84,608 EtronXHCI.sys
06/10/2009  04:34 PM         3,286,016 evbda.sys
03/10/2017  11:55 AM           195,584 exfat.sys
03/10/2017  11:55 AM           205,312 fastfat.sys
07/13/2009  08:00 PM            29,696 fdc.sys
07/13/2009  09:47 PM            70,224 fileinfo.sys
07/13/2009  07:25 PM            34,304 filetrace.sys
07/13/2009  08:00 PM            24,576 flpydisk.sys
11/20/2010  11:24 PM           289,664 fltMgr.sys
04/11/2013  10:09 PM           108,832 fltsrv.sys
07/13/2009  09:47 PM            55,376 fsdepends.sys
03/01/2012  02:46 AM            23,408 fs_rec.sys
01/24/2013  02:01 AM           223,752 fvevol.sys
05/30/2017  12:56 AM           287,976 FWPKCLNT.SYS
07/13/2009  09:47 PM            65,088 GAGP30KX.SYS
06/10/2009  04:30 PM         3,440,660 gm.dls
06/10/2009  04:30 PM               646 gmreadme.txt
06/10/2009  04:31 PM            31,232 hcw85cir.sys
11/20/2010  11:23 PM           122,368 hdaudbus.sys
11/20/2010  11:23 PM           350,208 HdAudio.sys
11/10/2011  01:04 AM            60,184 HECIx64.sys
07/13/2009  07:31 PM            26,624 hidbatt.sys
07/13/2009  08:06 PM           100,864 hidbth.sys
07/03/2013  12:05 AM            76,800 hidclass.sys
07/13/2009  08:06 PM            46,592 hidir.sys
07/03/2013  12:05 AM            32,896 hidparse.sys
11/20/2010  11:23 PM            30,208 hidusb.sys
11/20/2010  11:23 PM            78,720 HpSAMD.sys
12/07/2012  06:27 PM            36,928 htcnprot.sys
03/09/2010  04:08 AM           121,800 HtcVComV64.sys
06/15/2017  04:23 PM           753,664 http.sys
11/20/2010  11:24 PM            14,720 hwpolicy.sys
07/13/2009  07:19 PM           105,472 i8042prt.sys
03/11/2011  02:41 AM           410,496 iaStorV.sys
11/02/2016  08:15 AM            38,680 ICCWDT.sys
11/07/2013  02:52 AM         5,363,200 igdkmd64.sys
07/13/2009  09:48 PM            44,112 iirsp.sys
07/13/2009  09:48 PM            16,960 intelide.sys
12/16/2011  10:40 AM            15,128 IntelMEFWVer.dll
07/13/2009  07:19 PM            62,464 intelppm.sys
11/20/2010  11:24 PM            82,944 ipfltdrv.sys
11/20/2010  11:23 PM            78,848 IPMIDrv.sys
07/13/2009  08:10 PM           116,224 ipnat.sys
07/13/2009  08:09 PM           120,320 irda.sys
07/13/2009  08:08 PM            17,920 irenum.sys
07/13/2009  09:48 PM            20,544 isapnp.sys
07/13/2009  09:48 PM            50,768 kbdclass.sys
11/20/2010  11:23 PM            33,280 kbdhid.sys
11/20/2010  11:24 PM           243,712 ks.sys
07/07/2017  11:33 AM            95,464 ksecdd.sys
07/07/2017  11:33 AM           154,856 ksecpkg.sys
07/13/2009  08:00 PM            20,992 ksthunk.sys
07/13/2009  08:08 PM            60,928 lltdio.sys
07/13/2009  09:48 PM           114,752 lsi_fc.sys
07/13/2009  09:48 PM           106,560 lsi_sas.sys
07/13/2009  09:48 PM            65,600 lsi_sas2.sys
07/13/2009  09:48 PM           115,776 lsi_scsi.sys
07/13/2009  07:26 PM           113,152 luafv.sys
01/18/2012  07:23 AM           266,828 LVAFT.cfg
09/21/2012  03:04 PM            24,608 lvbflt64.sys
09/21/2012  03:04 PM           351,520 lvrs64.sys
09/21/2012  03:04 PM         4,763,680 LVUVC64.sys
09/06/2017  08:10 PM           109,272 mbamchameleon.sys
09/06/2017  08:11 PM           194,776 MBAMSwissArmy.sys
07/13/2009  08:01 PM            22,016 mcd.sys
07/13/2009  09:48 PM            35,392 megasas.sys
07/13/2009  09:48 PM           284,736 MegaSR.sys
07/13/2009  08:10 PM            40,448 modem.sys
07/13/2009  07:38 PM            30,208 monitor.sys
07/13/2009  09:48 PM            49,216 mouclass.sys
07/13/2009  08:00 PM            31,232 mouhid.sys
05/07/2017  11:33 AM            94,440 mountmgr.sys
08/25/2016  10:46 AM           295,000 MpFilter.sys
11/20/2010  11:23 PM           155,008 mpio.sys
07/13/2009  08:08 PM            77,312 mpsdrv.sys
09/08/2016  10:55 AM           142,336 mrxdav.sys
07/07/2017  10:54 AM           159,744 mrxsmb.sys
07/07/2017  10:54 AM           291,328 mrxsmb10.sys
07/07/2017  10:54 AM           129,536 mrxsmb20.sys
11/20/2010  11:23 PM            31,104 msahci.sys
11/20/2010  11:23 PM           140,672 msdsm.sys
07/13/2009  07:19 PM            26,112 msfs.sys
06/02/2012  10:35 AM                 3 MsftWdf_Kernel_01011_Inbox_Critical.Wdf
06/02/2012  10:57 AM                 3 MsftWdf_User_01_11_00_Inbox_Critical.Wdf
07/13/2009  08:06 PM             8,192 mshidkmdf.sys
07/13/2009  09:48 PM            15,424 msisadrv.sys
02/03/2014  10:35 PM           274,880 msiscsi.sys
07/13/2009  08:00 PM            11,136 mskssrv.sys
07/13/2009  08:00 PM             7,168 mspclock.sys
07/13/2009  08:00 PM             6,784 mspqm.sys
11/20/2010  11:24 PM           366,976 msrpc.sys
07/13/2009  09:48 PM            32,320 mssmbios.sys
07/13/2009  08:00 PM             8,064 mstee.sys
07/13/2009  08:02 PM            15,360 MTConfig.sys
07/13/2009  09:48 PM            60,496 mup.sys
09/06/2017  03:31 PM           115,024 ndinquxa.sys
10/13/2015  12:57 AM           950,720 ndis.sys
07/13/2009  08:08 PM            35,328 ndiscap.sys
07/13/2009  08:10 PM            24,064 ndistapi.sys
11/20/2010  11:24 PM            56,832 ndisuio.sys
11/20/2010  11:24 PM           164,352 ndiswan.sys
11/20/2010  11:24 PM            57,856 ndproxy.sys
12/20/2016  01:16 PM            29,744 neo_vpn.sys
07/13/2009  08:09 PM            44,544 netbios.sys
05/11/2016  10:58 AM           262,144 netbt.sys
05/30/2017  12:56 AM           377,576 netio.sys
07/13/2009  09:48 PM            51,264 nfrd960.sys
08/25/2016  10:46 AM           135,928 NisDrvWFP.sys
07/13/2009  07:19 PM            44,032 npfs.sys
07/13/2009  07:21 PM            24,576 nsiproxy.sys
06/09/2017  11:33 AM         1,680,616 ntfs.sys
07/13/2009  07:19 PM             6,144 null.sys
08/03/2017  04:00 PM           227,416 nvhda64v.sys
08/03/2017  04:00 PM        15,491,192 nvlddmkm.sys
03/11/2011  02:41 AM           148,352 nvraid.sys
03/11/2011  02:41 AM           166,272 nvstor.sys
07/13/2009  09:48 PM           122,960 NV_AGP.SYS
07/13/2009  08:07 PM           318,976 nwifi.sys
07/13/2009  08:06 PM            72,832 ohci1394.sys
11/20/2010  11:24 PM           131,584 pacer.sys
07/13/2009  08:00 PM            97,280 parport.sys
03/17/2012  03:58 AM            75,120 partmgr.sys
11/20/2010  11:23 PM           184,704 pci.sys
07/13/2009  09:45 PM            12,352 pciide.sys
07/13/2009  09:45 PM            48,720 pciidex.sys
07/13/2009  09:45 PM           220,752 pcmcia.sys
07/13/2009  09:45 PM            50,768 pcw.sys
06/14/2016  01:11 PM           663,552 PEAuth.sys
12/08/2015  02:12 PM           230,400 portcls.sys
07/13/2009  07:19 PM            60,416 processr.sys
07/13/2009  09:45 PM         1,524,816 ql2300.sys
07/13/2009  09:45 PM           128,592 ql40xx.sys
07/13/2009  08:09 PM            46,592 qwavedrv.sys
07/13/2009  08:10 PM            14,848 rasacd.sys
11/20/2010  11:24 PM           129,536 rasl2tp.sys
07/13/2009  08:10 PM            92,672 raspppoe.sys
11/20/2010  11:24 PM           111,104 raspptp.sys
07/13/2009  08:10 PM            83,968 rassstp.sys
11/20/2010  11:24 PM           309,248 rdbss.sys
07/13/2009  08:17 PM            24,064 rdpbus.sys
07/13/2009  08:16 PM             7,680 RDPCDD.sys
07/13/2009  08:16 PM             7,680 RDPENCDD.sys
07/13/2009  08:16 PM             8,192 RDPREFMP.sys
08/23/2012  10:10 AM            19,456 rdpvideominiport.sys
07/16/2014  09:21 PM           212,480 rdpwd.sys
11/20/2010  11:24 PM           213,888 rdyboost.sys
11/05/2015  05:53 AM           146,944 rmcast.sys
07/04/2012  04:26 PM            41,472 RNDISMP.sys
07/13/2009  08:10 PM            11,264 rootmdm.sys
09/06/2017  10:00 AM            79,064 rsngoiw.sys
07/13/2009  08:08 PM            76,800 rspndr.sys
09/29/2011  05:30 AM           646,248 Rt64win7.sys
12/11/2014  03:15 PM         1,489,244 RTAIODAT.DAT
12/11/2014  03:15 PM         4,351,960 RTKVHD64.sys
12/16/2014  06:09 AM         3,664,600 rtwlanu.sys
08/27/2012  08:50 PM           114,568 rusb3hub.sys
08/27/2012  08:51 PM           230,280 rusb3xhc.sys
11/20/2010  11:23 PM           103,808 sbp2port.sys
11/20/2010  11:24 PM            29,696 scfilter.sys
11/20/2010  11:24 PM           171,392 scsiport.sys
06/10/2009  04:37 PM            23,040 secdrv.sys
07/13/2009  08:00 PM            23,552 serenum.sys
07/13/2009  08:00 PM            94,208 serial.sys
07/13/2009  08:00 PM            26,624 sermouse.sys
07/13/2009  08:01 PM            14,336 sffdisk.sys
07/13/2009  08:01 PM            13,824 sffp_mmc.sys
11/20/2010  11:23 PM            14,336 sffp_sd.sys
07/13/2009  08:01 PM            16,896 sfloppy.sys
07/13/2009  09:45 PM            43,584 sisraid2.sys
07/13/2009  09:45 PM            80,464 sisraid4.sys
07/13/2009  08:09 PM            93,184 smb.sys
07/13/2009  08:00 PM            20,992 smclib.sys
04/11/2013  10:09 PM           233,760 snapman.sys
07/13/2009  09:45 PM            19,008 spldr.sys
06/10/2009  04:48 PM           426,496 spsys.sys
04/05/2017  10:55 AM           460,800 srv.sys
04/05/2017  10:55 AM           405,504 srv2.sys
04/05/2017  10:55 AM           168,960 srvnet.sys
06/16/2014  02:01 AM           110,336 ssudbus.sys
06/16/2014  02:01 AM           206,080 ssudmdm.sys
07/13/2009  09:45 PM            24,656 stexstor.sys
02/03/2014  10:35 PM           190,912 storport.sys
04/10/2015  11:19 PM            69,888 stream.sys
07/13/2009  09:45 PM            12,496 swenum.sys
12/20/2016  01:16 PM            39,040 tap0901.sys
07/13/2009  08:01 PM            29,184 tape.sys
05/30/2017  12:56 AM         1,895,656 tcpip.sys
07/07/2016  11:08 AM            46,080 tcpipreg.sys
11/20/2010  11:24 PM            26,624 tdi.sys
07/13/2009  08:16 PM            15,872 tdpipe.sys
04/11/2013  10:09 PM         1,462,560 tdrpman.sys
02/17/2012  12:57 AM            23,552 tdtcp.sys
07/29/2017  10:56 AM           117,248 tdx.sys
11/20/2010  11:23 PM            63,360 termdd.sys
04/11/2013  10:09 PM         1,120,032 tib.sys
07/19/2015  08:05 PM           248,648 tib_mounter.sys
09/06/2017  03:55 PM            28,272 TrueSight.sys
08/05/2015  01:06 PM            39,936 tssecsrv.sys
10/01/2013  10:22 PM            56,832 TsUsbFlt.sys
08/23/2012  10:08 AM            30,208 TsUsbGD.sys
11/20/2010  11:24 PM           125,440 tunnel.sys
07/13/2009  09:45 PM            64,080 UAGP35.SYS
11/20/2010  11:23 PM           328,192 udfs.sys
07/13/2009  09:45 PM            64,592 ULIAGPKX.SYS
11/20/2010  11:23 PM            48,640 umbus.sys
05/15/2015  10:21 AM    <DIR>          UMDF
07/13/2009  08:06 PM             9,728 umpass.sys
02/12/2013  12:12 AM            19,968 usb8023.sys
03/28/2016  12:41 PM            54,784 usbaapl64.sys
07/12/2013  06:40 AM           109,824 USBAUDIO.sys
11/20/2010  11:24 PM            32,896 USBCAMD2.sys
08/16/2016  04:40 PM            99,840 usbccgp.sys
07/12/2013  06:41 AM           100,864 usbcir.sys
08/16/2016  04:40 PM             7,808 usbd.sys
08/16/2016  04:40 PM            56,320 usbehci.sys
08/16/2016  04:40 PM           343,552 usbhub.sys
08/16/2016  04:40 PM            25,600 usbohci.sys
08/16/2016  04:40 PM           327,168 usbport.sys
07/13/2009  08:38 PM            25,088 usbprint.sys
11/20/2010  11:24 PM            31,744 usbrpm.sys
07/03/2013  12:40 AM            42,496 usbscan.sys
02/03/2016  02:07 PM            91,648 USBSTOR.SYS
08/16/2016  04:40 PM            30,720 usbuhci.sys
07/12/2013  06:41 AM           185,344 usbvideo.sys
07/13/2009  09:45 PM            36,432 vdrvroot.sys
07/13/2009  07:38 PM            29,184 vga.sys
07/13/2009  07:38 PM            29,184 vgapnp.sys
11/20/2010  11:23 PM           215,936 vhdmp.sys
07/13/2009  09:45 PM            17,488 viaide.sys
07/13/2009  07:38 PM           129,024 videoprt.sys
04/11/2013  10:09 PM           161,568 vididr.sys
04/11/2013  10:09 PM           117,024 vidsflt.sys
11/20/2010  11:23 PM            71,552 volmgr.sys
07/07/2017  11:33 AM           363,752 volmgrx.sys
11/20/2010  11:23 PM           295,808 volsnap.sys
07/13/2009  09:45 PM           161,872 vsmraid.sys
12/17/2007  11:25 AM            47,616 vuhub.sys
07/13/2009  08:07 PM            24,576 vwifibus.sys
07/13/2009  08:07 PM            59,904 vwififlt.sys
07/13/2009  08:07 PM            17,920 vwifimp.sys
07/13/2009  08:02 PM            27,776 wacompen.sys
11/20/2010  11:24 PM            88,576 wanarp.sys
07/13/2009  07:37 PM            42,496 watchdog.sys
07/13/2009  09:45 PM            21,056 wd.sys
06/25/2013  06:55 PM           785,624 Wdf01000.sys
07/26/2012  12:55 AM            54,376 WdfLdr.sys
07/13/2009  08:09 PM            12,800 wfplwf.sys
07/13/2009  09:45 PM            22,096 wimmount.sys
11/20/2010  11:23 PM            41,984 winusb.sys
07/13/2009  07:31 PM            14,336 wmiacpi.sys
07/13/2009  09:45 PM            16,464 wmilib.sys
07/13/2009  08:10 PM            21,504 ws2ifsl.sys
07/13/2009  08:39 PM            23,040 WSDPrint.sys
07/13/2009  08:35 PM            25,088 WSDScan.sys
07/25/2012  10:26 PM            87,040 WUDFPf.sys
07/25/2012  10:26 PM           198,656 WUDFRd.sys
             321 File(s)     85,148,296 bytes
               5 Dir(s)   5,577,093,120 bytes free
 
========= End of CMD: =========
 
 
==== End of Fixlog 20:26:57 ====


#6 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,661 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:07 AM

Posted 06 September 2017 - 07:47 PM

Now for the fun part.

Farbar Recovery Scan Tool (FRST) - Recovery Environment Scan
Follow the instructions below to download and execute a scan on your system with FRST from the Recovery Environment, and provide the logs in your next reply.

Item(s) required:
  • USB Flash Drive (size depends on whether you have to create a USB Recovery or Installation media)
  • CD/DVD (optional: only needed if you need to create a Recovery or Installation media and your USB Flash Drive is too small)
  • Another computer (optional: only needed if you cannot work from the infected computer directly)
Preparing the USB Flash Drive
  • Download the right version of FRST for your system:
  • Move the executable (FRST.exe or FRST64.exe) onto your USB Flash Drive
  • Download the attached fixlist.txt, and move it onto your USB Flash Drive as well
Boot in the Recovery Environment
  • Plug your USB Flash Drive in the infected computer
  • To enter the Recovery Environment with Windows Vista and Windows 7, follow the instructions below:
    • Restart the computer
    • Once you've seen your BIOS splashscreen (the computer manufacturer logo), tap the F8 key repeatedly until the Advanced Boot Options menu appears
    • Use the arrow keys to select Repair your computer, and press Enter
    • Select your keyboard layout (US, French, etc.) and click on Next
    • Click on Command Prompt to open the command prompt
      Note: If you can't access the Recovery Environment using the F8 method above, you'll need to create a Windows installation or repair media. It can be made on the computer itself or another one running the same version of Windows as the one you plan to use it on. For more information, check out this tutorial on SevenForums.
  • To enter the Recovery Environment with Windows 8 or Windows 8.1, follow the instructions in this tutorial on EightForums
    Note: If you can't access the Recovery Environment using the method above, you'll need to create a Windows installation or repair media. It can be made on the computer itself or another one running the same version of Windows as the one you plan to use it on. For more information, check out this tutorial.
  • To enter the Recovery Environment with Windows 10, follow the instructions in this tutorial on TenForums
    Note: If you can't access the Recovery Environment using the method above, you'll need to create a Windows installation or repair media. It can be made on the computer itself or another one running the same version of Windows as the one you plan to use it on. For more information, check out this tutorial on TenForums.
Once in the command prompt
  • In the command prompt, type notepad and press Enter
  • Notepad will open. Click on the File menu and select Open
  • Click on Computer/This PC, find the letter for your USB Flash Drive, then close the window and Notepad
  • In the command prompt, type e:\frst.exe (for the x64 version, type e:\frst64.exe) and press Enter
  • Note: Replace the letter e with the drive letter of your USB Flash Drive
  • FRST will open
  • Click on Yes to accept the disclaimer
  • Click on the Fix button and wait for the scan to complete
  • A log called fixlog.txt will be saved on your USB Flash Drive. Attach it in your next reply

Attached Files


Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#7 joe11757

joe11757
  • Topic Starter

  • Members
  • 58 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:07 AM

Posted 06 September 2017 - 08:28 PM

Fix result of Farbar Recovery Scan Tool (x64) Version: 20-08-2017
Ran by SYSTEM (06-09-2017 21:25:36) Run:2
Running from g:\
Boot Mode: Recovery
==============================================
 
fixlist content:
*****************
R2 apexpsvc; C:\Users\Joseph DeRosa\AppData\Local\Temp\lvf\apexpsvc.exe [245760 2017-09-03] (apexpsvc Inc.) [File not signed] <==== ATTENTION
 
C:\Program Files (x86)\maharajahsaa
C:\Program Files (x86)\Censoring
C:\Program Files (x86)\Goodridge
C:\Program Files (x86)\palms
C:\Users\Joseph DeRosa\AppData\Local\vgacifo
C:\Users\Joseph DeRosa\AppData\Local\wudzzkh
C:\Users\Joseph DeRosa\AppData\Local\barrymore.exe
C:\Users\Joseph DeRosa\AppData\Local\Temp\lvf
C:\Users\Joseph DeRosa\AppData\Roaming\AGData
C:\Users\Joseph DeRosa\AppData\Roaming\et
C:\Users\Joseph DeRosa\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mysterious.lnk
C:\Windows\b24782956
C:\Windows\outnumber.exe
C:\Windows\system32\nisplgl
C:\Windows\System32\drivers\ndinquxa.sys
C:\Windows\System32\drivers\rsngoiw.sys
C:\Windows\SysWOW64\iriwdao
C:\Windows\SysWOW64\nisplgl
C:\Windows\temp\mstkpwisrv.exe
*****************
 
HKLM\System\ControlSet001\Services\apexpsvc => key removed successfully
apexpsvc => service removed successfully
"C:\Program Files (x86)\maharajahsaa" => not found.
C:\Program Files (x86)\Censoring => moved successfully
C:\Program Files (x86)\Goodridge => moved successfully
C:\Program Files (x86)\palms => moved successfully
C:\Users\Joseph DeRosa\AppData\Local\vgacifo => moved successfully
C:\Users\Joseph DeRosa\AppData\Local\wudzzkh => moved successfully
"C:\Users\Joseph DeRosa\AppData\Local\barrymore.exe" => not found.
C:\Users\Joseph DeRosa\AppData\Local\Temp\lvf => moved successfully
"C:\Users\Joseph DeRosa\AppData\Roaming\AGData" => not found.
C:\Users\Joseph DeRosa\AppData\Roaming\et => moved successfully
"C:\Users\Joseph DeRosa\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mysterious.lnk" => not found.
C:\Windows\b24782956 => moved successfully
C:\Windows\outnumber.exe => moved successfully
C:\Windows\system32\nisplgl => moved successfully
"C:\Windows\System32\drivers\ndinquxa.sys" => not found.
C:\Windows\System32\drivers\rsngoiw.sys => moved successfully
C:\Windows\SysWOW64\iriwdao => moved successfully
C:\Windows\SysWOW64\nisplgl => moved successfully
C:\Windows\temp\mstkpwisrv.exe => moved successfully
 
==== End of Fixlog 21:25:41 ====
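The Fixlog above has a regular shape: the fixlist that was fed to FRST sits between two rows of asterisks, and every action that followed is reported as one `<target> => <status>` line. When a fix spans a dozen paths it is easy to miss the entries that came back as `not found.`, which are exactly the ones that merit a second look (an item that existed at scan time but not at fix time may simply have been cleaned by something else, or may have been renamed or moved). The Python below is an added example written for this thread, not FRST code; the sample Fixlog it parses is constructed, with placeholder service name and paths, and the `FixSummary` structure and `parse_fixlog`/`report` names are my own.

```python
"""Triage an FRST Fixlog.txt (the report Farbar Recovery Scan Tool writes after a fix).

Added example for this thread, not part of FRST. It assumes the layout visible in the
Fixlog posted above: a 'fixlist content:' block fenced by rows of asterisks, followed
by one '<target> => <status>' line per action FRST took.
"""
import re
from dataclasses import dataclass, field

# Constructed sample in Fixlog format. Service name and paths are placeholders, not real indicators.
SAMPLE_FIXLOG = """\
Fix result of Farbar Recovery Scan Tool (x64) Version: 20-08-2017
Ran by SYSTEM (06-09-2017 21:25:36) Run:2
Running from g:\\
Boot Mode: Recovery
==============================================

fixlist content:
*****************
R2 examplesvc; C:\\Users\\Example\\AppData\\Local\\Temp\\abc\\examplesvc.exe [245760 2017-09-03] (Example Inc.) [File not signed] <==== ATTENTION

C:\\Program Files (x86)\\ExampleDir
C:\\Users\\Example\\AppData\\Local\\sample.exe
C:\\Windows\\System32\\drivers\\sample.sys
*****************

HKLM\\System\\ControlSet001\\Services\\examplesvc => key removed successfully
examplesvc => service removed successfully
C:\\Program Files (x86)\\ExampleDir => moved successfully
"C:\\Users\\Example\\AppData\\Local\\sample.exe" => not found.
C:\\Windows\\System32\\drivers\\sample.sys => moved successfully

==== End of Fixlog 21:25:41 ====
"""

# '<target> => <status>', with optional quotes around the target and an optional trailing period.
RESULT_RE = re.compile(r'^"?(?P<target>.+?)"?\s+=>\s+(?P<status>.+?)\.?$')
FENCE = "*****************"


@dataclass
class FixSummary:
    boot_mode: str = ""
    run_as: str = ""
    fixlist: list = field(default_factory=list)    # every line of the fixlist block
    flagged: list = field(default_factory=list)    # fixlist lines FRST marked '<==== ATTENTION'
    succeeded: list = field(default_factory=list)  # (target, status) for successful actions
    not_found: list = field(default_factory=list)  # targets that no longer existed at fix time
    other: list = field(default_factory=list)      # anything else, e.g. an access-denied status


def parse_fixlog(text: str) -> FixSummary:
    s = FixSummary()
    in_fixlist = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == FENCE:                      # rows of asterisks open and close the fixlist
            in_fixlist = not in_fixlist
        elif in_fixlist:
            s.fixlist.append(line)
            if "<==== ATTENTION" in line:
                s.flagged.append(line)
        elif line.startswith("Boot Mode:"):
            s.boot_mode = line.split(":", 1)[1].strip()
        elif line.startswith("Ran by "):
            s.run_as = line[len("Ran by "):].split(" (", 1)[0]
        else:
            m = RESULT_RE.match(line)
            if not m:
                continue                       # banner, separator or footer line
            target, status = m.group("target"), m.group("status")
            if status.endswith("successfully"):
                s.succeeded.append((target, status))
            elif status == "not found":
                s.not_found.append(target)
            else:
                s.other.append((target, status))
    return s


def report(s: FixSummary) -> str:
    """Short summary; 'not found' and 'other' entries are the ones to re-check in the next scan."""
    lines = [
        f"Fix ran as {s.run_as or '?'} in boot mode {s.boot_mode or '?'}",
        f"fixlist entries: {len(s.fixlist)} (flagged by FRST: {len(s.flagged)})",
        f"succeeded: {len(s.succeeded)}, not found: {len(s.not_found)}, other: {len(s.other)}",
    ]
    lines += [f"  not found: {t}" for t in s.not_found]
    lines += [f"  {t}: {st}" for t, st in s.other]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(parse_fixlog(SAMPLE_FIXLOG)))
```

Run it against a real Fixlog.txt by reading the file into `parse_fixlog`; the `not_found` list is what you compare against the next FRST scan to confirm the items are really gone rather than relocated.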


#8 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,661 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:07 AM

Posted 06 September 2017 - 08:29 PM

Awesome :) Now, if you restart your computer you should be able to run a scan with Malwarebytes.

Malwarebytes - Clean Mode
  • Download and install the free version of Malwarebytes
    Note: If you have Malwarebytes already installed, you don't need to install it again. Simply start from the next bullet point
  • Once Malwarebytes is installed, launch it and let it update its database. You might have to click on the little arrow by Scan Status in the middle right pane for it to do so
  • Once the database update is complete, click on the Scan tab, then select the Threat Scan button and click on Start Scan
  • Let the scan run; the time required to complete the scan depends on your system and computer specs
  • Once the scan is complete, make sure that the first checkbox at the top is checked (which will automatically check every detected item), then click on the Quarantine Selected button
    • If it asks you to restart your computer to complete the removal, do so
  • Click on Export Summary after the deletion (in the bottom-left corner) and select Copy to Clipboard. Paste the content in your next reply

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#9 joe11757

joe11757
  • Topic Starter

  • Members
  • 58 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:07 AM

Posted 06 September 2017 - 08:47 PM

Again, same issue. See attached

Attached Files

  • Attached File  MWB.JPG   25.09KB   0 downloads

Edited by joe11757, 06 September 2017 - 08:47 PM.


#10 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,661 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:07 AM

Posted 06 September 2017 - 08:49 PM

Say yes, and restart your computer. This time it should go through. If it doesn't, disable the Rootkit scan in Malwarebytes.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#11 joe11757

joe11757
  • Topic Starter

  • Members
  • 58 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:07 AM

Posted 06 September 2017 - 08:51 PM

Say yes, and restart your computer. This time it should go through. If it doesn't, disable the Rootkit scan in Malwarebytes.

Scanning now, give me a moment....



#12 joe11757

joe11757
  • Topic Starter

  • Members
  • 58 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:07 AM

Posted 06 September 2017 - 09:04 PM

Malwarebytes
www.malwarebytes.com
 
-Log Details-
Scan Date: 9/6/17
Scan Time: 9:50 PM
Log File: de0c2384-936e-11e7-b1b8-00ff19efdd67.json
Administrator: Yes
 
-Software Information-
Version: 3.2.2.2018
Components Version: 1.0.186
Update Package Version: 1.0.2741
License: Trial
 
-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: System
 
-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 382430
Threats Detected: 2
Threats Quarantined: 0
(No malicious items detected)
Time Elapsed: 10 min, 50 sec
 
-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect
 
-Scan Details-
Process: 0
(No malicious items detected)
 
Module: 0
(No malicious items detected)
 
Registry Key: 0
(No malicious items detected)
 
Registry Value: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Data Stream: 0
(No malicious items detected)
 
Folder: 0
(No malicious items detected)
 
File: 2
PUP.Optional.SpyHunter, C:\USERS\JOSEPH DEROSA\APPDATA\ROAMING\ENIGMA SOFTWARE GROUP\SH_INSTALLER.EXE, Removal Failed, [926], [345850],1.0.2741
RiskWare.IStealer, C:\USERS\JOSEPH DEROSA\DESKTOP\MICROSOFT OFFICE PROFESSIONAL PLUS 2013 -32-64 BIT(ACTIVATOR)[RAREABYSS]\KMSPICO.EXE, Removal Failed, [9561], [147616],1.0.2741
 
Physical Sector: 0
(No malicious items detected)
 
 
(end)
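The Malwarebytes report above says "Threats Detected: 2" and "Threats Quarantined: 0", and the two `Removal Failed` entries under `File:` are what Aura picks up in the next reply. Those three facts live in different sections of the report, so a small parser that reconciles the summary with the per-category details and lists anything not quarantined is a useful check when several scans have to be compared. The Python below is an added example for this thread, not Malwarebytes code; it assumes the text layout shown in the post (`-Section-` headers, `Key: Value` lines, and under `-Scan Details-` a `<Category>: <count>` line followed by one comma-separated detection per line). The sample report it parses is constructed with placeholder threat names, paths and ids, and the `parse_mbam_log`/`triage` names are my own.

```python
"""Triage a Malwarebytes 3.x text scan report like the one pasted above.

Added example for this thread, not Malwarebytes code. It assumes the layout shown in the
post: '-Section-' headers, 'Key: Value' lines, and under '-Scan Details-' a
'<Category>: <count>' line followed by one comma-separated detection per line.
"""
import re
from collections import defaultdict

# Constructed sample in the same layout; threat names, paths and ids are placeholders.
SAMPLE_MBAM_LOG = r"""
Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 9/6/17
Scan Time: 9:50 PM
Administrator: Yes

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 382430
Threats Detected: 3
Threats Quarantined: 1
Time Elapsed: 10 min, 50 sec

-Scan Options-
Rootkits: Enabled
PUP: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Registry Key: 1
PUP.Optional.Example, HKLM\SOFTWARE\EXAMPLEVENDOR, Quarantined, [1], [2],1.0.2741

File: 2
PUP.Optional.Example, C:\USERS\EXAMPLE\APPDATA\ROAMING\EXAMPLEVENDOR\INSTALLER.EXE, Removal Failed, [926], [345850],1.0.2741
RiskWare.Example, C:\USERS\EXAMPLE\DESKTOP\TOOL.EXE, Removal Failed, [9561], [147616],1.0.2741

Physical Sector: 0
(No malicious items detected)

(end)
"""

SECTION_RE = re.compile(r"^-(?P<name>[A-Za-z ]+)-$")
CATEGORY_RE = re.compile(r"^(?P<category>[A-Za-z ]+): (?P<count>\d+)$")
# threat name, object, action taken, two bracketed ids, database version
DETECTION_RE = re.compile(
    r"^(?P<threat>[^,]+), (?P<object>.+?), (?P<action>[^,\[]+), "
    r"\[(?P<rule_id>\d+)\], \[(?P<detect_id>\d+)\],(?P<db>[\d.]+)$"
)


def parse_mbam_log(text):
    fields = defaultdict(dict)   # section name -> {key: value}
    counts = {}                  # Scan Details category -> count the report claims
    detections = []              # one dict per detection line, tagged with its category
    section = category = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("("):   # blank, '(No malicious items detected)', '(end)'
            continue
        m = SECTION_RE.match(line)
        if m:
            section, category = m.group("name"), None
            continue
        if section == "Scan Details":
            m = CATEGORY_RE.match(line)
            if m:
                category = m.group("category")
                counts[category] = int(m.group("count"))
                continue
            m = DETECTION_RE.match(line)
            if m and category:
                detections.append({"category": category, **m.groupdict()})
        elif section and ": " in line:
            key, value = line.split(": ", 1)
            fields[section][key] = value
    return fields, counts, detections


def triage(text):
    """Reconcile the summary with the details and list everything not quarantined."""
    fields, counts, detections = parse_mbam_log(text)
    summary = fields["Scan Summary"]
    detected = int(summary.get("Threats Detected", "0"))
    quarantined = int(summary.get("Threats Quarantined", "0"))
    per_category = defaultdict(int)
    for d in detections:
        per_category[d["category"]] += 1
    consistent = (detected == len(detections)
                  and all(per_category[c] == n for c, n in counts.items()))
    return {
        "detected": detected,
        "quarantined": quarantined,
        "summary_matches_details": consistent,
        "needs_followup": [(d["threat"], d["object"], d["action"])
                           for d in detections if d["action"] != "Quarantined"],
        "rootkit_scan_enabled": fields["Scan Options"].get("Rootkits") == "Enabled",
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_MBAM_LOG).items():
        print(f"{key}: {value}")
```

`needs_followup` is the list to hand to the next tool in the sequence; `summary_matches_details` catches a truncated paste, which is common when a report is copied out of the clipboard export and part of it is lost.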


#13 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,661 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:07 AM

Posted 06 September 2017 - 09:07 PM

The removal of these two items failed, but we'll remove them at the end with FRST, so it's fine. Now, let's do a sweep with RogueKiller and AdwCleaner.

RogueKiller
  • Download the right version of RogueKiller for your Windows version (32 or 64-bit)
  • Once done, move the executable file to your Desktop, right-click on it and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Click on the Start Scan button in the right panel, which will bring you to another tab, and click on it again (this time it'll be in the bottom right corner)
  • Wait for the scan to complete
  • On completion, the results will be displayed
  • Check every single entry (threat found), and click on the Remove Selected button
  • On completion, the results will be displayed. Click on the Open Report button in the bottom left corner, followed by the Open TXT button (also in the bottom left corner)
  • This will open the report in Notepad. Copy/paste its content in your next reply
AdwCleaner - Fix Mode
  • Download AdwCleaner and move it to your Desktop
  • Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the EULA (I accept), then click on Scan
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Clean button. This will kill all active processes
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply
Your next reply(ies) should therefore contain:
  • Copy/pasted RogueKiller clean log
  • Copy/pasted AdwCleaner clean log

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#14 joe11757

joe11757
  • Topic Starter

  • Members
  • 58 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:07 AM

Posted 06 September 2017 - 10:04 PM

AdwCleaner log below; it restarted the computer and deleted 2 items.

I am running RogueKiller now, will have it in the morning.

# AdwCleaner 7.0.2.1 - Logfile created on Thu Sep 07 02:59:42 2017
# Updated on 2017/29/08 by Malwarebytes 
# Running on Windows 7 Home Premium (X64)
# Mode: clean
 
***** [ Services ] *****
 
No malicious services deleted.
 
***** [ Folders ] *****
 
Deleted: C:\Program Files\Enigma Software Group
Deleted: C:\Users\Joseph DeRosa\AppData\Roaming\Enigma Software Group
Deleted: C:\sh4ldr
 
 
***** [ Files ] *****
 
Deleted: C:\Users\Joseph DeRosa\daemonprocess.txt
Deleted: C:\sh4_service.log
 
 
***** [ DLL ] *****
 
No malicious DLLs cleaned.
 
***** [ WMI ] *****
 
No malicious WMI cleaned.
 
***** [ Shortcuts ] *****
 
No malicious shortcuts cleaned.
 
***** [ Tasks ] *****
 
Deleted: LaunchApp
 
 
***** [ Registry ] *****
 
Deleted: [Key] - HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\chatango.com
Deleted: [Key] - HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\cloudfront.net
Deleted: [Key] - HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\cloudfront.net
Deleted: [Key] - HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\d23716qn9q7omq.cloudfront.net
Deleted: [Key] - HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\d23716qn9q7omq.cloudfront.net
Deleted: [Key] - HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\st.chatango.com
Deleted: [Key] - HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\st.chatango.com
Deleted: [Key] - HKLM\SOFTWARE\ParetoLogic
Deleted: [Key] - HKU\S-1-5-21-3217352631-2468836085-358765157-1000\Software\ParetoLogic
Deleted: [Key] - HKCU\Software\ParetoLogic
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{18A88C48-BC7B-35B3-BD38-74DED875FB28}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{2097A1B6-E86A-4072-A32D-2249A3ECBC5A}
Deleted: [Value] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved|{2097A1B6-E86A-4072-A32D-2249A3ECBC5A}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{270BE80F-7D12-3199-A5A6-C26956DC9B85}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{284BB344-E9D0-39E1-B44B-6D98A16E9B71}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{3070CF0C-F396-3DCA-87D6-9DBF3D77B610}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{36906F02-A2B9-3047-9D5C-E05AF3E469E5}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{420E2C2E-80D9-3012-A43C-42241FB36D42}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{4529EB14-6B38-3CC4-9504-6EAB6C9E1255}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{93ABB6F7-F27A-3431-88ED-6939B451FF0D}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{AFF295ED-76F5-3BAC-81AE-74CD223F2F5C}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{B59B2B9A-B0FD-32F2-AA3A-927ADA01CD81}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{BEEA930F-CD8A-341E-B6B5-5BAF659685D5}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{E89856E4-1085-3BDF-87AA-8A81E422767E}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{EBC25CF6-9120-4283-B972-0E5520D00004}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{EBC25CF6-9120-4283-B972-0E5520D00005}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{EBC25CF6-9120-4283-B972-0E5520D00006}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{EBC25CF6-9120-4283-B972-0E5520D00007}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{EBC25CF6-9120-4283-B972-0E5520D00008}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{EBC25CF6-9120-4283-B972-0E5520D00009}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{EBC25CF6-9120-4283-B972-0E5520D0000A}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{EBC25CF6-9120-4283-B972-0E5520D0000B}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{EBC25CF6-9120-4283-B972-0E5520D0000C}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{EBC25CF6-9120-4283-B972-0E5520D0000D}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{EBC25CF6-9120-4283-B972-0E5520D0000E}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{EBC25CF6-9120-4283-B972-0E5520D0000F}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{F03955F1-309E-34E9-A021-1399C3532273}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{F8739A44-6C91-39E8-AA09-45DEF03E6C4C}
Deleted: [Key] - HKLM\SOFTWARE\Classes\Interface\{3F607E46-0D3C-4442-B1DE-DE7FA4768F5C}
Deleted: [Key] - HKLM\SOFTWARE\Classes\TypeLib\{93E3D79C-0786-48FF-9329-93BC9F6DC2B3}
Deleted: [Key] - HKLM\SOFTWARE\Classes\Interface\{FE0273D1-99DF-4AC0-87D5-1371C6271785}
Deleted: [Key] - HKLM\SOFTWARE\Classes\Record\{05660A04-00F1-3A04-AB3B-BC1074B84D67}
Deleted: [Key] - HKLM\SOFTWARE\Classes\Record\{07430FF5-B7A6-3D5A-9F9B-2D7C57183B3B}
Deleted: [Key] - HKLM\SOFTWARE\Classes\Record\{0B764022-3741-345E-AB39-0A2A8577C5E0}
Deleted: [Key] - HKLM\SOFTWARE\Classes\Record\{37AC0F3B-749F-3B22-811B-5A019EED2E85}
Deleted: [Key] - HKLM\SOFTWARE\Classes\Record\{3B96B73A-292C-31BF-A2D3-34DF54CBDB55}
Deleted: [Key] - HKLM\SOFTWARE\Classes\Record\{4392A6CC-7940-310E-8E16-799A8D93A438}
Deleted: [Key] - HKLM\SOFTWARE\Classes\Record\{66DF7821-ED6D-3534-893C-0E89E74B0F91}
Deleted: [Key] - HKLM\SOFTWARE\Classes\Record\{755CAFCC-F016-3B06-8F22-945EAA3AD10D}
Deleted: [Key] - HKLM\SOFTWARE\Classes\Record\{76552F88-640C-314D-82B6-0D8A740907F7}
Deleted: [Key] - HKLM\SOFTWARE\Classes\Record\{903F9872-E87F-3B74-83B0-DBE10073B29D}
Deleted: [Key] - HKLM\SOFTWARE\Classes\Record\{9558EEB4-CDA6-3778-B53B-98076F0A1E90}
Deleted: [Key] - HKLM\SOFTWARE\Classes\Record\{A865D884-9B93-377B-A24D-12BF02DFF6D3}
Deleted: [Key] - HKLM\SOFTWARE\Classes\Record\{B0EBAFE9-ED42-34D1-B7D7-CBBE39A467CF}
Deleted: [Key] - HKLM\SOFTWARE\Classes\Record\{B25AA9BA-FD52-3E5E-BFE3-9B106779DA6E}
Deleted: [Key] - HKLM\SOFTWARE\Classes\Record\{C852CF9F-37DC-35AC-926A-7E6CFFF7C501}
Deleted: [Key] - HKLM\SOFTWARE\Classes\Record\{C9777796-4378-3C90-B52D-7238FFFC2A5C}
Deleted: [Key] - HKLM\SOFTWARE\Classes\Record\{DB1BC8B2-FDBF-30E7-BE1C-AFF9160059E6}
Deleted: [Key] - HKLM\SOFTWARE\Classes\Record\{DE64992E-A184-3DA6-927A-DA3906A77D7B}
Deleted: [Key] - HKLM\SOFTWARE\Classes\Record\{F3D5729C-7DEB-3850-A026-D0E323ECFEF5}
Deleted: [Key] - HKLM\SOFTWARE\Classes\Record\{F489A9AA-4924-32DF-AB6C-6EEE3A3C0A99}
Deleted: [Key] - HKLM\SOFTWARE\Classes\Record\{F5C7BCD8-0F63-34D0-BA9C-906545CD4020}
Deleted: [Key] - HKLM\SOFTWARE\Classes\Record\{FEC70973-CB8B-351C-8047-CAE1274CE249}
Deleted: [Key] - HKLM\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\MPCBContextMenu
Deleted: [Key] - HKLM\SOFTWARE\EnigmaSoftwareGroup
 
 
***** [ Firefox (and derivatives) ] *****
 
No malicious Firefox entries deleted.
 
***** [ Chromium (and derivatives) ] *****
 
No malicious Chromium entries deleted.
 
*************************
 
::Tracing keys deleted
::Winsock settings cleared
::Additional Actions: 0
 
 
 
*************************
 
C:/AdwCleaner/AdwCleaner[S0].txt - [7568 B] - [2017/9/7 2:58:34]
 
 
########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt ##########


#15 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,661 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:07 AM

Posted 07 September 2017 - 07:00 AM

Alright, I'll be waiting :)

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.




