

Unable to access the internet in normal mode after malware removal/ safe mode is


  • This topic is locked
30 replies to this topic

#1 jawj909

  • Members
  • 17 posts

Posted 17 October 2017 - 03:59 AM

Hello, 

 

I found a rootkit on my computer a few days ago, although I've been removing viruses and spyware for a few weeks. I kept getting multiple instances of excomdp.exe and exbmczu.exe in my processes window. I couldn't close them. I found where they were on the computer, but was unable to open the folders. Avast and Super-Anti-Spyware recognized them and fixed them, only for them to come right back. After running Spybot and Zamena, it said it was a rootkit and removed it. At first the processes were gone and everything was fine; this morning I rebooted the computer, and upon restarting, Avast finally recognized it as a rootkit and requested a boot scan. It completed, showed the rootkits and said they were removed, only to request another boot scan. This time, after it completed (stating it was removed), the computer runs nicely, but there's no internet.

 

Avast Premier - currently installed.

Zamena - uninstalled 

Super-Anti-Spyware - (purchased) uninstalled ( had to be removed with Microsoft Program_Install_and_Uninstall)

 

Farbar Scan tool - scanned, but I didn't select to fix anything.

AswMBR - was run; processes were found. Fix was selected, then it ran another scan; when it completed, FIXMBR was selected.

Malwarebytes is installed, but it won't allow me to run it as an Admin.

TDSSkiller - unable to install.

Sargui - unable to install.

GMR - unable to install. 

 

I can access the internet in safe mode.

I've done as much as I can think of short of reinstalling. If there's any assistance someone can give, it would be greatly appreciated.

 

I have attached all the information I have... Hope this helps out.

 

 

P.S.

drivers have been uninstalled and reinstalled.

Tried all of the Netsh commands as well as the file checker from the command prompt.

Attached Files


Edited by jawj909, 17 October 2017 - 04:05 AM.



#2 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 11,556 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 18 October 2017 - 07:34 PM

Hi

Welcome :)

I'll be helping you with your computer.

Please read this post completely before beginning. If there's anything that you do not understand, please don't hesitate to ask before proceeding.

Please take note of the guidelines for this fix:
  • Please note that I am a volunteer. I do have a family, a career, and other endeavors that may prevent immediate responses that meet your schedule. Do note that the differences in time zones could present a problem as well. Your patience and understanding will be greatly appreciated.
  • First of all, the procedures we are about to perform are specific to your problem and should only be used on this specific computer.
  • Do not make any changes to your computer that include installing/uninstalling programs, deleting files, modifying the registry, nor running scanners or tools of any kind unless specifically requested by me.
  • Please read ALL instructions carefully and perform the steps fully and in the order they are written.
  • If things appear to be better, let me know. Just because the symptoms no longer exist as before, does not mean that you are clean.
  • Continue to read and follow my instructions until I tell you that your machine is clean.
  • If you have any questions at all, please do not hesitate to ask before performing the task that I ask of you, and please wait for my reply before you proceed.
  • Scanning with programs and reading the logs do take a fair amount of time. Again, your patience will be necessary. :)
Let's begin... :)
  • Highlight the entire content of the quote box below.

Start::
HKLM-x32\...\Run: [NextSTART] => [X]
HKLM-x32\...\Run: [Workshelf] => [X]
S2 !SASCORE; "C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE" [X]
S2 gupdate; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc [X]
S3 gupdatem; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc [X]
S3 MozillaMaintenance; "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe" [X]
S2 Winstep Xtreme Service; C:\Program Files (x86)\Winstep\WsxService [X]
S3 aswVmm; \??\C:\Users\Sci-Fi\AppData\Local\Temp\aswVmm.sys [X] <==== ATTENTION
S3 cpuz138; \??\C:\Users\Sci-Fi\AppData\Local\Temp\cpuz138\cpuz138_x64.sys [X] <==== ATTENTION
S3 SANDRA; \??\C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2016.SP1\WNt600x64\Sandra.sys [X]
S1 ZAM; \??\C:\Windows\System32\drivers\zam64.sys [X]
S1 ZAM_Guard; \??\C:\Windows\System32\drivers\zamguard64.sys [X]
FirewallRules: [{C0D5C3FA-665C-47AD-9483-822E55C7F83F}] => (Allow) LPort=2869
FirewallRules: [{7136F861-D815-4F9D-AC4C-E2093A1BA60F}] => (Allow) LPort=1900
HKLM\ DisallowedCertificates: 03D22C9C66915D58C88912B64C1F984B8344EF09 (Comodo Security Solutions) <==== ATTENTION
HKLM\ DisallowedCertificates: 0F684EC1163281085C6AF20528878103ACEFCAAB (F-Secure Corporation) <==== ATTENTION
HKLM\ DisallowedCertificates: 1667908C9E22EFBD0590E088715CC74BE4C60884 (FRISK Software International/F-Prot) <==== ATTENTION
HKLM\ DisallowedCertificates: 18DEA4EFA93B06AE997D234411F3FD72A677EECE (Bitdefender SRL) <==== ATTENTION
HKLM\ DisallowedCertificates: 2026D13756EB0DB753DF26CB3B7EEBE3E70BB2CF (G DATA Software AG) <==== ATTENTION
HKLM\ DisallowedCertificates: 249BDA38A611CD746A132FA2AF995A2D3C941264 (Malwarebytes Corporation) <==== ATTENTION
HKLM\ DisallowedCertificates: 31AC96A6C17C425222C46D55C3CCA6BA12E54DAF (Symantec Corporation) <==== ATTENTION
HKLM\ DisallowedCertificates: 331E2046A1CCA7BFEF766724394BE6112B4CA3F7 (Trend Micro) <==== ATTENTION
HKLM\ DisallowedCertificates: 3353EA609334A9F23A701B9159E30CB6C22D4C59 (Webroot Inc.) <==== ATTENTION
HKLM\ DisallowedCertificates: 373C33726722D3A5D1EDD1F1585D5D25B39BEA1A (SUPERAntiSpyware.com) <==== ATTENTION
HKLM\ DisallowedCertificates: 3D496FA682E65FC122351EC29B55AB94F3BB03FC (AVG Technologies CZ) <==== ATTENTION
HKLM\ DisallowedCertificates: 4243A03DB4C3C15149CEA8B38EEA1DA4F26BD159 (PC Tools) <==== ATTENTION
HKLM\ DisallowedCertificates: 42727E052C0C2E1B35AB53E1005FD9EDC9DE8F01 (K7 Computing Pvt Ltd) <==== ATTENTION
HKLM\ DisallowedCertificates: 4420C99742DF11DD0795BC15B7B0ABF090DC84DF (Doctor Web Ltd.) <==== ATTENTION
HKLM\ DisallowedCertificates: 4C0AF5719009B7C9D85C5EAEDFA3B7F090FE5FFF (Emsisoft Ltd) <==== ATTENTION
HKLM\ DisallowedCertificates: 5240AB5B05D11B37900AC7712A3C6AE42F377C8C (Check Point Software Technologies Ltd.) <==== ATTENTION
HKLM\ DisallowedCertificates: 5DD3D41810F28B2A13E9A004E6412061E28FA48D (Emsisoft Ltd) <==== ATTENTION
HKLM\ DisallowedCertificates: 7457A3793086DBB58B3858D6476889E3311E550E (K7 Computing Pvt Ltd) <==== ATTENTION
HKLM\ DisallowedCertificates: 76A9295EF4343E12DFC5FE05DC57227C1AB00D29 (BullGuard Ltd) <==== ATTENTION
HKLM\ DisallowedCertificates: 775B373B33B9D15B58BC02B184704332B97C3CAF (McAfee) <==== ATTENTION
HKLM\ DisallowedCertificates: 872CD334B7E7B3C3D1C6114CD6B221026D505EAB (Comodo Security Solutions) <==== ATTENTION
HKLM\ DisallowedCertificates: 88AD5DFE24126872B33175D1778687B642323ACF (McAfee) <==== ATTENTION
HKLM\ DisallowedCertificates: 9132E8B079D080E01D52631690BE18EBC2347C1E (Adaware Software) <==== ATTENTION
HKLM\ DisallowedCertificates: 982D98951CF3C0CA2A02814D474A976CBFF6BDB1 (Safer Networking Ltd.) <==== ATTENTION
HKLM\ DisallowedCertificates: 9A08641F7C5F2CCA0888388BE3E5DBDDAAA3B361 (Webroot Inc.) <==== ATTENTION
HKLM\ DisallowedCertificates: 9C43F665E690AB4D486D4717B456C5554D4BCEB5 (ThreatTrack Security) <==== ATTENTION
HKLM\ DisallowedCertificates: 9E3F95577B37C74CA2F70C1E1859E798B7FC6B13 (CURIOLAB S.M.B.A.) <==== ATTENTION
HKLM\ DisallowedCertificates: A1F8DCB086E461E2ABB4B46ADCFA0B48C58B6E99 (Avira Operations GmbH & Co. KG) <==== ATTENTION
HKLM\ DisallowedCertificates: A5341949ABE1407DD7BF7DFE75460D9608FBC309 (BullGuard Ltd) <==== ATTENTION
HKLM\ DisallowedCertificates: A59CC32724DD07A6FC33F7806945481A2D13CA2F (ESET) <==== ATTENTION
HKLM\ DisallowedCertificates: AD96BB64BA36379D2E354660780C2067B81DA2E0 (Symantec Corporation) <==== ATTENTION
HKLM\ DisallowedCertificates: B8EBF0E696AF77F51C96DB4D044586E2F4F8FD84 (Malwarebytes Corporation) <==== ATTENTION
HKLM\ DisallowedCertificates: CDC37C22FE9272D8F2610206AD397A45040326B8 (Trend Micro) <==== ATTENTION
HKLM\ DisallowedCertificates: DB303C9B61282DE525DC754A535CA2D6A9BD3D87 (ThreatTrack Security) <==== ATTENTION
HKLM\ DisallowedCertificates: E22240E837B52E691C71DF248F12D27F96441C00 (Total Defense, Inc.) <==== ATTENTION
HKLM\ DisallowedCertificates: ED841A61C0F76025598421BC1B00E24189E68D54 (Bitdefender SRL) <==== ATTENTION
HKLM\ DisallowedCertificates: F83099622B4A9F72CB5081F742164AD1B8D048C9 (ESET) <==== ATTENTION
HKLM\ DisallowedCertificates: FBB42F089AF2D570F2BF6F493D107A3255A9BB1A (Panda Security S.L) <==== ATTENTION
HKLM\ DisallowedCertificates: FFFA650F2CB2ABC0D80527B524DD3F9FC172C138 (Doctor Web Ltd.) <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
GroupPolicy: Restriction - Chrome <==== ATTENTION
GroupPolicy\User: Restriction <==== ATTENTION
S3 aswVmm; \??\C:\Users\Sci-Fi\AppData\Local\Temp\aswVmm.sys [X] <==== ATTENTION
S3 cpuz138; \??\C:\Users\Sci-Fi\AppData\Local\Temp\cpuz138\cpuz138_x64.sys [X] <==== ATTENTION
Task: {9673B071-0729-400B-BFD3-BB703578E1C0} - \{0A797E47-0C05-0D0D-7E11-0E7A7D7A110D} -> No File <==== ATTENTION
Task: {C3524241-3B7E-4289-B7F0-05E970C8FF93} - \Bond Quality GUI -> No File <==== ATTENTION
Task: {CD19CC9C-120A-429A-901E-B5CAC2BA8022} - \jJKowXmxzIFxIuj2 -> No File <==== ATTENTION
Task: {EF9BDF0F-6387-44C0-AA6C-AC7C21A66E74} - \jJKowXmxzIFxIuj -> No File <==== ATTENTION
Task: {F30ED01E-3E73-418A-B684-7A79DB8B6B21} - System32\Tasks\IBUpd2 => C:\Users\Sci-Fi\AppData\Local\BrowserAir\48.0.0.0\updater.exe <==== ATTENTION
HKU\S-1-5-21-2912925513-3060498541-3240713490-1000\Software\Classes\regfile: regedit.exe "%1" <==== ATTENTION
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [No File]
Task: {9673B071-0729-400B-BFD3-BB703578E1C0} - \{0A797E47-0C05-0D0D-7E11-0E7A7D7A110D} -> No File <==== ATTENTION
Task: {C3524241-3B7E-4289-B7F0-05E970C8FF93} - \Bond Quality GUI -> No File <==== ATTENTION
Task: {CD19CC9C-120A-429A-901E-B5CAC2BA8022} - \jJKowXmxzIFxIuj2 -> No File <==== ATTENTION
Task: {EF9BDF0F-6387-44C0-AA6C-AC7C21A66E74} - \jJKowXmxzIFxIuj -> No File <==== ATTENTION
S3 aswVmm; \??\C:\Users\Sci-Fi\AppData\Local\Temp\aswVmm.sys [X] <==== ATTENTION
S3 cpuz138; \??\C:\Users\Sci-Fi\AppData\Local\Temp\cpuz138\cpuz138_x64.sys [X] <==== ATTENTION
2017-10-04 14:21 - 2017-08-26 13:12 - 000556152 _____ (AVAST Software) C:\Windows\system32\Drivers\aswb39472fd5f73d332.tmp
2017-10-17 00:41 - 2017-10-17 00:41 - 000116560 ____N C:\Windows\system32\Drivers\vdaruxbe.sys
C:\Users\Sci-Fi\AppData\Local\exbmczu
C:\Windows\System32\config\systemprofile\AppData\Local\exbmczu
2017-10-07 23:30 - 2017-07-04 16:40 - 037612976 ____N () C:\Users\Sci-Fi\Downloads\Serato Sample 1.0.exe
2017-09-22 20:35 - 2017-10-17 00:16 - 002797056 ____N C:\Windows\system32\atdshzgsvc.exe
HOSTS:
Removeproxy:
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset C:\resettcpip.txt
CMD: FOR /F "usebackq delims==" %i IN (`wevtutil el`) DO wevtutil cl "%i"
CMD: Bitsadmin /Reset /Allusers
EMPTYTEMP:
Reboot:
End::

  • Right click on the highlighted text and select Copy.
  • Start FRST (FRST64) with Administrator privileges
  • Press the Fix button. FRST will process the lines copied above from the clipboard.
  • When finished, a log file (Fixlog.txt) will pop up and be saved in the same location the tool was run from.
Please copy and paste its contents in your next reply.

Please download Junkware Removal Tool to your Desktop.
  • Please close your security software to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or 7, right-mouse click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete, depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your Desktop and will automatically open.
  • Please post the contents of JRT.txt into your reply.
Download AdwCleaner from here. Save the file to the desktop.

NOTE: If you are using IE 8 or above you may get a warning that stops the program from downloading. Just click on the warning and allow the download to complete.

Close all open windows and browsers.
  • XP users: Double click the AdwCleaner icon to start the program.
  • Vista/7/8/10 users: Right click the AdwCleaner icon on the desktop, click Run as administrator and accept the UAC prompt to run AdwCleaner.
    You will see the following console:
  • Click the Scan button and wait for the scan to finish.
  • After the Scan has finished the window may or may not show what it found and above, in the progress bar, you will see: Pending. Please uncheck elements you don't want to remove.
  • Click the Clean button.
  • Everything checked will be moved to Quarantine.
  • When the program has finished cleaning, a report appears. Once done it will ask to reboot; allow this.
  • On reboot a log will be produced; please copy/paste that in your next reply. This report is also saved to C:\AdwCleaner\AdwCleaner[C0].txt

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
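As an added example (not part of this thread and not FRST's own code), a small Python triage script that reads lines in the format the helper pasted above and groups the ATTENTION entries by what they do to the machine's defences, which is why tools like TDSSKiller and Malwarebytes could not be installed or run. The sample lines are copied from the fixlist; the category names are my own.

```python
"""Triage helper for FRST (Farbar Recovery Scan Tool) log lines.

Added example for this thread; not part of the forum post and not FRST's
own code. It parses the line shapes the helper marked with "<==== ATTENTION"
in the fixlist and groups them so a responder can see why security tools
would not install or run: vendor code-signing certificates pushed into the
Windows "Disallowed" certificate store, Defender/Group Policy restrictions,
orphaned scheduled tasks and a per-user .reg file handler. It only reads
text and changes nothing on the machine.
"""
import re
from collections import defaultdict

# Line shapes exactly as they appear in the FRST fixlist above.
RE_DISALLOWED = re.compile(
    r"^HKLM\\ DisallowedCertificates: (?P<thumb>[0-9A-F]{40}) \((?P<vendor>[^)]+)\)"
)
RE_POLICY = re.compile(
    r"^(?:HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender"
    r"|GroupPolicy(?:\\User)?): Restriction"
)
RE_TASK_NOFILE = re.compile(r"^Task: \{[0-9A-F-]{36}\} - (?P<name>.+?) -> No File")
RE_TASK_TARGET = re.compile(r"^Task: \{[0-9A-F-]{36}\} - (?P<name>.+?) => (?P<target>.+?) <====")
RE_REGFILE = re.compile(
    r"^HKU\\(?P<sid>S-1-5-21-[\d-]+)\\Software\\Classes\\regfile: (?P<cmd>.+?)(?: <====|$)"
)

# Constructed sample: a handful of lines copied from the helper's fixlist,
# plus one benign firewall line that must not be flagged.
SAMPLE_LOG = r"""
HKLM\ DisallowedCertificates: 249BDA38A611CD746A132FA2AF995A2D3C941264 (Malwarebytes Corporation) <==== ATTENTION
HKLM\ DisallowedCertificates: 373C33726722D3A5D1EDD1F1585D5D25B39BEA1A (SUPERAntiSpyware.com) <==== ATTENTION
HKLM\ DisallowedCertificates: B8EBF0E696AF77F51C96DB4D044586E2F4F8FD84 (Malwarebytes Corporation) <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
GroupPolicy\User: Restriction <==== ATTENTION
Task: {CD19CC9C-120A-429A-901E-B5CAC2BA8022} - \jJKowXmxzIFxIuj2 -> No File <==== ATTENTION
Task: {F30ED01E-3E73-418A-B684-7A79DB8B6B21} - System32\Tasks\IBUpd2 => C:\Users\Sci-Fi\AppData\Local\BrowserAir\48.0.0.0\updater.exe <==== ATTENTION
HKU\S-1-5-21-2912925513-3060498541-3240713490-1000\Software\Classes\regfile: regedit.exe "%1" <==== ATTENTION
FirewallRules: [{7136F861-D815-4F9D-AC4C-E2093A1BA60F}] => (Allow) LPort=1900
"""


def triage(lines):
    """Group FRST lines into findings; returns {category: [detail, ...]}."""
    findings = defaultdict(list)
    for raw in lines:
        line = raw.strip()
        if m := RE_DISALLOWED.match(line):
            # A security vendor's signing cert in the Disallowed store means
            # Windows refuses to trust that vendor's binaries and drivers.
            findings["blocked_vendor_certs"].append((m["vendor"], m["thumb"]))
        elif RE_POLICY.match(line):
            findings["policy_restrictions"].append(line.split(" <====")[0])
        elif m := RE_TASK_NOFILE.match(line):
            findings["orphaned_tasks"].append(m["name"])
        elif m := RE_TASK_TARGET.match(line):
            findings["tasks_with_target"].append((m["name"], m["target"]))
        elif m := RE_REGFILE.match(line):
            # A per-user override of the .reg handler lives under HKU, not HKCR.
            findings["per_user_regfile_handler"].append(m["cmd"])
    return findings


def blocked_vendors(findings):
    """Security vendors whose signing certificates sit in the Disallowed store."""
    return sorted({vendor for vendor, _ in findings["blocked_vendor_certs"]})


def security_tooling_suppressed(findings):
    """True when the log shows the machine actively blocking security software."""
    return bool(findings["blocked_vendor_certs"] or findings["policy_restrictions"])


if __name__ == "__main__":
    result = triage(SAMPLE_LOG.splitlines())
    print("Security tooling suppressed:", security_tooling_suppressed(result))
    print("Vendors blocked via Disallowed certificates:", ", ".join(blocked_vendors(result)))
    for category, items in result.items():
        print(f"[{category}] {len(items)} item(s)")
        for item in items:
            print("   ", item)
```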


#3 jawj909

  • Topic Starter
  • Members
  • 17 posts

Posted 19 October 2017 - 02:07 AM

Hi, 

Thanks for your response. I really needed to get back on my PC, so I reinstalled Win 7 Pro. Not a clean install. Everything went well. Upon completion, the spyware seemed to still be there. I was able to install TDSSKiller; it came back clean. Malwarebytes would not load. But I was able to get Spyware Hunter 4 installed (purchased). I ran the scan and it found a lot! It found a Trojan virus as well. Upon completion it rebooted and the scan was run again. This time nothing showed up. I have not run Avast yet. All Windows updates are installed. It seems to be running fine. The rootkits excomdp.exe and exbmczu.exe have not appeared, nor any others, so I'm not sure if they are still around. I will hold off from any other scans or the instructions above until I hear from you. Sorry I was impatient, but I had work to do on my computer. I really do appreciate the response and the time you took to assist me. I look forward to hearing from you soon.

 

Thank you.



#4 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 11,556 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 19 October 2017 - 03:27 PM

Let's review the system:

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Make sure that under Optional Scans, there is a checkmark on Addition.txt.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also produce another log (Addition.txt ). Please attach this to your reply.



#5 jawj909

  • Topic Starter
  • Members
  • 17 posts

Posted 19 October 2017 - 05:25 PM

I just completed the scan. Here are the logs.

 

Attached Files



#6 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 11,556 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 19 October 2017 - 06:18 PM

Almost the same findings.

 

 

  • Highlight the entire content of the quote box below.

Start::  
HKLM-x32\...\Run: [NextSTART] => [X]
HKLM-x32\...\Run: [Workshelf] => [X]
FirewallRules: [{7136F861-D815-4F9D-AC4C-E2093A1BA60F}] => (Allow) LPort=1900
FirewallRules: [{C0D5C3FA-665C-47AD-9483-822E55C7F83F}] => (Allow) LPort=2869
HKLM\ DisallowedCertificates: 03D22C9C66915D58C88912B64C1F984B8344EF09 (Comodo Security Solutions) <==== ATTENTION
HKLM\ DisallowedCertificates: 0F684EC1163281085C6AF20528878103ACEFCAAB (F-Secure Corporation) <==== ATTENTION
HKLM\ DisallowedCertificates: 1667908C9E22EFBD0590E088715CC74BE4C60884 (FRISK Software International/F-Prot) <==== ATTENTION
HKLM\ DisallowedCertificates: 18DEA4EFA93B06AE997D234411F3FD72A677EECE (Bitdefender SRL) <==== ATTENTION
HKLM\ DisallowedCertificates: 2026D13756EB0DB753DF26CB3B7EEBE3E70BB2CF (G DATA Software AG) <==== ATTENTION
HKLM\ DisallowedCertificates: 249BDA38A611CD746A132FA2AF995A2D3C941264 (Malwarebytes Corporation) <==== ATTENTION
HKLM\ DisallowedCertificates: 31AC96A6C17C425222C46D55C3CCA6BA12E54DAF (Symantec Corporation) <==== ATTENTION
HKLM\ DisallowedCertificates: 331E2046A1CCA7BFEF766724394BE6112B4CA3F7 (Trend Micro) <==== ATTENTION
HKLM\ DisallowedCertificates: 3353EA609334A9F23A701B9159E30CB6C22D4C59 (Webroot Inc.) <==== ATTENTION
HKLM\ DisallowedCertificates: 373C33726722D3A5D1EDD1F1585D5D25B39BEA1A (SUPERAntiSpyware.com) <==== ATTENTION
HKLM\ DisallowedCertificates: 3D496FA682E65FC122351EC29B55AB94F3BB03FC (AVG Technologies CZ) <==== ATTENTION
HKLM\ DisallowedCertificates: 4243A03DB4C3C15149CEA8B38EEA1DA4F26BD159 (PC Tools) <==== ATTENTION
HKLM\ DisallowedCertificates: 42727E052C0C2E1B35AB53E1005FD9EDC9DE8F01 (K7 Computing Pvt Ltd) <==== ATTENTION
HKLM\ DisallowedCertificates: 4420C99742DF11DD0795BC15B7B0ABF090DC84DF (Doctor Web Ltd.) <==== ATTENTION
HKLM\ DisallowedCertificates: 4C0AF5719009B7C9D85C5EAEDFA3B7F090FE5FFF (Emsisoft Ltd) <==== ATTENTION
HKLM\ DisallowedCertificates: 5240AB5B05D11B37900AC7712A3C6AE42F377C8C (Check Point Software Technologies Ltd.) <==== ATTENTION
HKLM\ DisallowedCertificates: 5DD3D41810F28B2A13E9A004E6412061E28FA48D (Emsisoft Ltd) <==== ATTENTION
HKLM\ DisallowedCertificates: 7457A3793086DBB58B3858D6476889E3311E550E (K7 Computing Pvt Ltd) <==== ATTENTION
HKLM\ DisallowedCertificates: 76A9295EF4343E12DFC5FE05DC57227C1AB00D29 (BullGuard Ltd) <==== ATTENTION
HKLM\ DisallowedCertificates: 775B373B33B9D15B58BC02B184704332B97C3CAF (McAfee) <==== ATTENTION
HKLM\ DisallowedCertificates: 872CD334B7E7B3C3D1C6114CD6B221026D505EAB (Comodo Security Solutions) <==== ATTENTION
HKLM\ DisallowedCertificates: 88AD5DFE24126872B33175D1778687B642323ACF (McAfee) <==== ATTENTION
HKLM\ DisallowedCertificates: 9132E8B079D080E01D52631690BE18EBC2347C1E (Adaware Software) <==== ATTENTION
HKLM\ DisallowedCertificates: 982D98951CF3C0CA2A02814D474A976CBFF6BDB1 (Safer Networking Ltd.) <==== ATTENTION
HKLM\ DisallowedCertificates: 9A08641F7C5F2CCA0888388BE3E5DBDDAAA3B361 (Webroot Inc.) <==== ATTENTION
HKLM\ DisallowedCertificates: 9C43F665E690AB4D486D4717B456C5554D4BCEB5 (ThreatTrack Security) <==== ATTENTION
HKLM\ DisallowedCertificates: 9E3F95577B37C74CA2F70C1E1859E798B7FC6B13 (CURIOLAB S.M.B.A.) <==== ATTENTION
HKLM\ DisallowedCertificates: A1F8DCB086E461E2ABB4B46ADCFA0B48C58B6E99 (Avira Operations GmbH & Co. KG) <==== ATTENTION
HKLM\ DisallowedCertificates: A5341949ABE1407DD7BF7DFE75460D9608FBC309 (BullGuard Ltd) <==== ATTENTION
HKLM\ DisallowedCertificates: A59CC32724DD07A6FC33F7806945481A2D13CA2F (ESET) <==== ATTENTION
HKLM\ DisallowedCertificates: AD96BB64BA36379D2E354660780C2067B81DA2E0 (Symantec Corporation) <==== ATTENTION
HKLM\ DisallowedCertificates: B8EBF0E696AF77F51C96DB4D044586E2F4F8FD84 (Malwarebytes Corporation) <==== ATTENTION
HKLM\ DisallowedCertificates: CDC37C22FE9272D8F2610206AD397A45040326B8 (Trend Micro) <==== ATTENTION
HKLM\ DisallowedCertificates: DB303C9B61282DE525DC754A535CA2D6A9BD3D87 (ThreatTrack Security) <==== ATTENTION
HKLM\ DisallowedCertificates: E22240E837B52E691C71DF248F12D27F96441C00 (Total Defense, Inc.) <==== ATTENTION
HKLM\ DisallowedCertificates: ED841A61C0F76025598421BC1B00E24189E68D54 (Bitdefender SRL) <==== ATTENTION
HKLM\ DisallowedCertificates: F83099622B4A9F72CB5081F742164AD1B8D048C9 (ESET) <==== ATTENTION
HKLM\ DisallowedCertificates: FBB42F089AF2D570F2BF6F493D107A3255A9BB1A (Panda Security S.L) <==== ATTENTION
HKLM\ DisallowedCertificates: FFFA650F2CB2ABC0D80527B524DD3F9FC172C138 (Doctor Web Ltd.) <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
GroupPolicy: Restriction - Chrome <==== ATTENTION
GroupPolicy\User: Restriction <==== ATTENTION
Task: {9673B071-0729-400B-BFD3-BB703578E1C0} - \{0A797E47-0C05-0D0D-7E11-0E7A7D7A110D} -> No File <==== ATTENTION
Task: {99459670-4765-49BA-A880-53E80832DA47} - \Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser -> No File <==== ATTENTION
Task: {C3524241-3B7E-4289-B7F0-05E970C8FF93} - \Bond Quality GUI -> No File <==== ATTENTION
Task: {CD19CC9C-120A-429A-901E-B5CAC2BA8022} - \jJKowXmxzIFxIuj2 -> No File <==== ATTENTION
Task: {EF9BDF0F-6387-44C0-AA6C-AC7C21A66E74} - \jJKowXmxzIFxIuj -> No File <==== ATTENTION
Task: {F30ED01E-3E73-418A-B684-7A79DB8B6B21} - \IBUpd2 -> No File <==== ATTENTION
HKU\S-1-5-21-2912925513-3060498541-3240713490-1000\Software\Classes\regfile: regedit.exe "%1" <==== ATTENTION
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [No File]
Task: {9673B071-0729-400B-BFD3-BB703578E1C0} - \{0A797E47-0C05-0D0D-7E11-0E7A7D7A110D} -> No File <==== ATTENTION
Task: {99459670-4765-49BA-A880-53E80832DA47} - \Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser -> No File <==== ATTENTION
Task: {C3524241-3B7E-4289-B7F0-05E970C8FF93} - \Bond Quality GUI -> No File <==== ATTENTION
Task: {CD19CC9C-120A-429A-901E-B5CAC2BA8022} - \jJKowXmxzIFxIuj2 -> No File <==== ATTENTION
Task: {EF9BDF0F-6387-44C0-AA6C-AC7C21A66E74} - \jJKowXmxzIFxIuj -> No File <==== ATTENTION
Task: {F30ED01E-3E73-418A-B684-7A79DB8B6B21} - \IBUpd2 -> No File <==== ATTENTION
2017-10-14 13:40 - 2017-10-14 13:41 - 130442024 ____N (Kaspersky Lab ZAO) C:\Users\Sci-Fi\Downloads\KVRT.exe

HKLM-x32\...\Run: [NextSTART] => [X]
HKLM-x32\...\Run: [Workshelf] => [X]
S2 !SASCORE; "C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE" [X]
S2 gupdate; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc [X]
S3 gupdatem; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc [X]
S3 MozillaMaintenance; "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe" [X]
S2 Winstep Xtreme Service; C:\Program Files (x86)\Winstep\WsxService [X]
S3 aswVmm; \??\C:\Users\Sci-Fi\AppData\Local\Temp\aswVmm.sys [X] <==== ATTENTION
S3 cpuz138; \??\C:\Users\Sci-Fi\AppData\Local\Temp\cpuz138\cpuz138_x64.sys [X] <==== ATTENTION
S3 SANDRA; \??\C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2016.SP1\WNt600x64\Sandra.sys [X]
S1 ZAM; \??\C:\Windows\System32\drivers\zam64.sys [X]
S1 ZAM_Guard; \??\C:\Windows\System32\drivers\zamguard64.sys [X]
FirewallRules: [{C0D5C3FA-665C-47AD-9483-822E55C7F83F}] => (Allow) LPort=2869
FirewallRules: [{7136F861-D815-4F9D-AC4C-E2093A1BA60F}] => (Allow) LPort=1900
HKLM\ DisallowedCertificates: 03D22C9C66915D58C88912B64C1F984B8344EF09 (Comodo Security Solutions) <==== ATTENTION
HKLM\ DisallowedCertificates: 0F684EC1163281085C6AF20528878103ACEFCAAB (F-Secure Corporation) <==== ATTENTION
HKLM\ DisallowedCertificates: 1667908C9E22EFBD0590E088715CC74BE4C60884 (FRISK Software International/F-Prot) <==== ATTENTION
HKLM\ DisallowedCertificates: 18DEA4EFA93B06AE997D234411F3FD72A677EECE (Bitdefender SRL) <==== ATTENTION
HKLM\ DisallowedCertificates: 2026D13756EB0DB753DF26CB3B7EEBE3E70BB2CF (G DATA Software AG) <==== ATTENTION
HKLM\ DisallowedCertificates: 249BDA38A611CD746A132FA2AF995A2D3C941264 (Malwarebytes Corporation) <==== ATTENTION
HKLM\ DisallowedCertificates: 31AC96A6C17C425222C46D55C3CCA6BA12E54DAF (Symantec Corporation) <==== ATTENTION
HKLM\ DisallowedCertificates: 331E2046A1CCA7BFEF766724394BE6112B4CA3F7 (Trend Micro) <==== ATTENTION
HKLM\ DisallowedCertificates: 3353EA609334A9F23A701B9159E30CB6C22D4C59 (Webroot Inc.) <==== ATTENTION
HKLM\ DisallowedCertificates: 373C33726722D3A5D1EDD1F1585D5D25B39BEA1A (SUPERAntiSpyware.com) <==== ATTENTION
HKLM\ DisallowedCertificates: 3D496FA682E65FC122351EC29B55AB94F3BB03FC (AVG Technologies CZ) <==== ATTENTION
HKLM\ DisallowedCertificates: 4243A03DB4C3C15149CEA8B38EEA1DA4F26BD159 (PC Tools) <==== ATTENTION
HKLM\ DisallowedCertificates: 42727E052C0C2E1B35AB53E1005FD9EDC9DE8F01 (K7 Computing Pvt Ltd) <==== ATTENTION
HKLM\ DisallowedCertificates: 4420C99742DF11DD0795BC15B7B0ABF090DC84DF (Doctor Web Ltd.) <==== ATTENTION
HKLM\ DisallowedCertificates: 4C0AF5719009B7C9D85C5EAEDFA3B7F090FE5FFF (Emsisoft Ltd) <==== ATTENTION
HKLM\ DisallowedCertificates: 5240AB5B05D11B37900AC7712A3C6AE42F377C8C (Check Point Software Technologies Ltd.) <==== ATTENTION
HKLM\ DisallowedCertificates: 5DD3D41810F28B2A13E9A004E6412061E28FA48D (Emsisoft Ltd) <==== ATTENTION
HKLM\ DisallowedCertificates: 7457A3793086DBB58B3858D6476889E3311E550E (K7 Computing Pvt Ltd) <==== ATTENTION
HKLM\ DisallowedCertificates: 76A9295EF4343E12DFC5FE05DC57227C1AB00D29 (BullGuard Ltd) <==== ATTENTION
HKLM\ DisallowedCertificates: 775B373B33B9D15B58BC02B184704332B97C3CAF (McAfee) <==== ATTENTION
HKLM\ DisallowedCertificates: 872CD334B7E7B3C3D1C6114CD6B221026D505EAB (Comodo Security Solutions) <==== ATTENTION
HKLM\ DisallowedCertificates: 88AD5DFE24126872B33175D1778687B642323ACF (McAfee) <==== ATTENTION
HKLM\ DisallowedCertificates: 9132E8B079D080E01D52631690BE18EBC2347C1E (Adaware Software) <==== ATTENTION
HKLM\ DisallowedCertificates: 982D98951CF3C0CA2A02814D474A976CBFF6BDB1 (Safer Networking Ltd.) <==== ATTENTION
HKLM\ DisallowedCertificates: 9A08641F7C5F2CCA0888388BE3E5DBDDAAA3B361 (Webroot Inc.) <==== ATTENTION
HKLM\ DisallowedCertificates: 9C43F665E690AB4D486D4717B456C5554D4BCEB5 (ThreatTrack Security) <==== ATTENTION
HKLM\ DisallowedCertificates: 9E3F95577B37C74CA2F70C1E1859E798B7FC6B13 (CURIOLAB S.M.B.A.) <==== ATTENTION
HKLM\ DisallowedCertificates: A1F8DCB086E461E2ABB4B46ADCFA0B48C58B6E99 (Avira Operations GmbH & Co. KG) <==== ATTENTION
HKLM\ DisallowedCertificates: A5341949ABE1407DD7BF7DFE75460D9608FBC309 (BullGuard Ltd) <==== ATTENTION
HKLM\ DisallowedCertificates: A59CC32724DD07A6FC33F7806945481A2D13CA2F (ESET) <==== ATTENTION
HKLM\ DisallowedCertificates: AD96BB64BA36379D2E354660780C2067B81DA2E0 (Symantec Corporation) <==== ATTENTION
HKLM\ DisallowedCertificates: B8EBF0E696AF77F51C96DB4D044586E2F4F8FD84 (Malwarebytes Corporation) <==== ATTENTION
HKLM\ DisallowedCertificates: CDC37C22FE9272D8F2610206AD397A45040326B8 (Trend Micro) <==== ATTENTION
HKLM\ DisallowedCertificates: DB303C9B61282DE525DC754A535CA2D6A9BD3D87 (ThreatTrack Security) <==== ATTENTION
HKLM\ DisallowedCertificates: E22240E837B52E691C71DF248F12D27F96441C00 (Total Defense, Inc.) <==== ATTENTION
HKLM\ DisallowedCertificates: ED841A61C0F76025598421BC1B00E24189E68D54 (Bitdefender SRL) <==== ATTENTION
HKLM\ DisallowedCertificates: F83099622B4A9F72CB5081F742164AD1B8D048C9 (ESET) <==== ATTENTION
HKLM\ DisallowedCertificates: FBB42F089AF2D570F2BF6F493D107A3255A9BB1A (Panda Security S.L) <==== ATTENTION
HKLM\ DisallowedCertificates: FFFA650F2CB2ABC0D80527B524DD3F9FC172C138 (Doctor Web Ltd.) <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
GroupPolicy: Restriction - Chrome <==== ATTENTION
GroupPolicy\User: Restriction <==== ATTENTION
S3 aswVmm; \??\C:\Users\Sci-Fi\AppData\Local\Temp\aswVmm.sys [X] <==== ATTENTION
S3 cpuz138; \??\C:\Users\Sci-Fi\AppData\Local\Temp\cpuz138\cpuz138_x64.sys [X] <==== ATTENTION
Task: {9673B071-0729-400B-BFD3-BB703578E1C0} - \{0A797E47-0C05-0D0D-7E11-0E7A7D7A110D} -> No File <==== ATTENTION
Task: {C3524241-3B7E-4289-B7F0-05E970C8FF93} - \Bond Quality GUI -> No File <==== ATTENTION
Task: {CD19CC9C-120A-429A-901E-B5CAC2BA8022} - \jJKowXmxzIFxIuj2 -> No File <==== ATTENTION
Task: {EF9BDF0F-6387-44C0-AA6C-AC7C21A66E74} - \jJKowXmxzIFxIuj -> No File <==== ATTENTION
Task: {F30ED01E-3E73-418A-B684-7A79DB8B6B21} - System32\Tasks\IBUpd2 => C:\Users\Sci-Fi\AppData\Local\BrowserAir\48.0.0.0\updater.exe <==== ATTENTION
HKU\S-1-5-21-2912925513-3060498541-3240713490-1000\Software\Classes\regfile: regedit.exe "%1" <==== ATTENTION
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.33.5\npGoogleUpdate3.dll [No File]
Task: {9673B071-0729-400B-BFD3-BB703578E1C0} - \{0A797E47-0C05-0D0D-7E11-0E7A7D7A110D} -> No File <==== ATTENTION
Task: {C3524241-3B7E-4289-B7F0-05E970C8FF93} - \Bond Quality GUI -> No File <==== ATTENTION
Task: {CD19CC9C-120A-429A-901E-B5CAC2BA8022} - \jJKowXmxzIFxIuj2 -> No File <==== ATTENTION
Task: {EF9BDF0F-6387-44C0-AA6C-AC7C21A66E74} - \jJKowXmxzIFxIuj -> No File <==== ATTENTION
S3 aswVmm; \??\C:\Users\Sci-Fi\AppData\Local\Temp\aswVmm.sys [X] <==== ATTENTION
S3 cpuz138; \??\C:\Users\Sci-Fi\AppData\Local\Temp\cpuz138\cpuz138_x64.sys [X] <==== ATTENTION
2017-10-04 14:21 - 2017-08-26 13:12 - 000556152 _____ (AVAST Software) C:\Windows\system32\Drivers\aswb39472fd5f73d332.tmp
2017-10-17 00:41 - 2017-10-17 00:41 - 000116560 ____N C:\Windows\system32\Drivers\vdaruxbe.sys
C:\Users\Sci-Fi\AppData\Local\exbmczu
C:\Windows\System32\config\systemprofile\AppData\Local\exbmczu
2017-10-07 23:30 - 2017-07-04 16:40 - 037612976 ____N () C:\Users\Sci-Fi\Downloads\Serato Sample 1.0.exe
2017-09-22 20:35 - 2017-10-17 00:16 - 002797056 ____N C:\Windows\system32\atdshzgsvc.exe
HOSTS:
Removeproxy:
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset C:\resettcpip.txt
CMD: FOR /F "usebackq delims==" %i IN (`wevtutil el`) DO wevtutil cl "%i"
CMD: Bitsadmin /Reset /Allusers
EMPTYTEMP:
Reboot:
End::

  • Right click on the highlighted text and select Copy.
  • Start FRST (FRST64) with Administrator privileges
  • Press the Fix button. FRST will process the lines copied above from the clipboard.
  • When finished, a log file (Fixlog.txt) will pop up and be saved in the same location the tool was run from.

Please copy and paste its contents in your next reply.

Please download Junkware Removal Tool to your Desktop.

  • Please close your security software to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or 7, right-mouse click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete, depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your Desktop and will automatically open.
  • Please post the contents of JRT.txt into your reply.

Download AdwCleaner from here. Save the file to the desktop.

NOTE: If you are using IE 8 or above you may get a warning that stops the program from downloading. Just click on the warning and allow the download to complete.

Close all open windows and browsers.

  • XP users: Double click the AdwCleaner icon to start the program.
  • Vista/7/8/10 users: Right click the AdwCleaner icon on the desktop, click Run as administrator and accept the UAC prompt to run AdwCleaner.
    You will see the following console:

    [screenshot: AdwCleaner console]


  • Click the Scan button and wait for the scan to finish.
  • After the scan has finished, the window may or may not show what it found, and above it, in the progress bar, you will see: Pending. Please uncheck elements you don't want to remove.
  • Click the Clean button.
  • Everything checked will be moved to Quarantine.
  • When the program has finished cleaning, a report appears. Once done it will ask to reboot; allow this.

    [screenshot: AdwCleaner delete/restart prompt]


  • On reboot a log will be produced; please copy / paste that in your next reply. This report is also saved to C:\AdwCleaner\AdwCleaner[C0].txt

 


No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif

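The fixlist above is built from the entries FRST flagged with "<==== ATTENTION": scheduled tasks whose target is "No File", drivers (aswVmm, cpuz138) loaded from a user's AppData\Local\Temp directory, and an executable in system32 with no company name. As an added example, not part of this thread and not code from FRST, here is a small Python triage script that applies those same checks to FRST-style report lines. The sample lines are constructed for the example (modelled on the entries quoted above, with a made-up user name and task GUIDs), the line formats are approximated from what appears in this thread, and treating the "[X]" suffix as a missing-file marker is an assumption.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines in the style of the FRST entries quoted in this
# thread (assumed format; user name and task GUIDs are made up).
SAMPLE_LINES = [
    r"Task: {AAAAAAAA-0000-4000-8000-000000000001} - \{0A797E47-0C05-0D0D-7E11-0E7A7D7A110D} -> No File",
    r"Task: {AAAAAAAA-0000-4000-8000-000000000002} - \Microsoft\Windows\Defrag\ScheduledDefrag -> C:\Windows\system32\defrag.exe",
    r"S3 cpuz138; \??\C:\Users\user\AppData\Local\Temp\cpuz138\cpuz138_x64.sys [X]",
    r"S3 WdFilter; C:\Windows\system32\drivers\WdFilter.sys",
    r"2017-09-22 20:35 - 2017-10-17 00:16 - 002797056 ____N C:\Windows\system32\atdshzgsvc.exe",
    r"2017-10-04 14:21 - 2017-08-26 13:12 - 000556152 _____ (AVAST Software) C:\Windows\system32\Drivers\aswb39472fd5f73d332.tmp",
    r"2017-10-07 23:30 - 2017-07-04 16:40 - 037612976 ____N () C:\Users\user\Downloads\Installer.exe",
]

# "Task: {GUID} - \Name -> Target"
TASK_RE = re.compile(r"^Task: \{[0-9A-Fa-f-]+\} - (?P<name>.+?) -> (?P<target>.+)$")
# "S3 name; path [X]"  (start type, service name, image path, optional [X])
SERVICE_RE = re.compile(r"^(?P<start>[SRU]\d) (?P<name>[^;]+); (?P<path>.+?)(?P<missing> \[X\])?$")
# "created - modified - size attrs (Publisher) path"; the publisher field is optional
FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} - \d{4}-\d{2}-\d{2} \d{2}:\d{2} - "
    r"(?P<size>\d+) (?P<attrs>\S+) (?:\((?P<publisher>[^)]*)\) )?(?P<path>[A-Za-z]:\\.+)$"
)

TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
SYSTEM32 = re.compile(r"^[A-Za-z]:\\Windows\\system32\\", re.IGNORECASE)
EXEC_EXT = (".exe", ".sys", ".dll")


def triage_line(line: str) -> Optional[Dict[str, str]]:
    """Return a finding for one report line, or None if nothing looks wrong."""
    m = TASK_RE.match(line)
    if m:
        if m.group("target").strip() == "No File":
            return {"kind": "task", "name": m.group("name"),
                    "reason": "scheduled task points to a missing file"}
        return None

    m = SERVICE_RE.match(line)
    if m:
        # FRST prints kernel-style paths with a \??\ prefix; drop it before matching.
        path = m.group("path").replace("\\??\\", "")
        reasons = []
        if TEMP_DIR.search(path):
            reasons.append("driver/service binary located in a user Temp directory")
        if m.group("missing"):
            reasons.append("binary marked [X] (assumed: not present on disk)")
        if reasons:
            return {"kind": "service", "name": m.group("name"), "reason": "; ".join(reasons)}
        return None

    m = FILE_RE.match(line)
    if m:
        path = m.group("path")
        publisher = m.group("publisher")  # None when the field is absent, "" for "()"
        if path.lower().endswith(EXEC_EXT) and not publisher and SYSTEM32.match(path):
            return {"kind": "file", "name": path,
                    "reason": "executable in system32 with no company name in its version info"}
        return None
    return None


def triage(lines: List[str]) -> List[Dict[str, str]]:
    """Run triage_line over a whole report and keep only the findings."""
    findings = (triage_line(line) for line in lines)
    return [f for f in findings if f is not None]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LINES):
        print(f"[{finding['kind']}] {finding['name']}: {finding['reason']}")
```

On the sample lines the script reports the "No File" task, the Temp-directory driver, and the unnamed system32 executable, and stays quiet on the defrag task, the WdFilter driver, the Avast-signed file, and the Downloads installer. It is a reading aid for the "ATTENTION" entries, not a substitute for the helper's review: a missing company name or a Temp path is a reason to look closer, not proof of infection.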

#7 jawj909

jawj909
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:06:39 PM

Posted 19 October 2017 - 09:35 PM

Ok, I just completed the scans; yes, it found more spyware. After JRT completed and rebooted, the MBR was missing. I put in my startup disk and repaired the startup files; it seems to be alright. But here are the logs.

 

Attached Files



#8 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,556 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:10:39 PM

Posted 20 October 2017 - 01:17 PM

Please run Malwarebytes Antimalware, which I see installed in your programs.

  • Update the program and proceed with the Scan. Select "Threat Scan".
  • The Scan Pane is the introduction to scan-related options in the program. When you click Scan in the Menu Pane, you will see the screen shown below.

[screenshot: Malwarebytes scan methods]


  • After a scan has been executed, scan results are displayed.
  • Put a checkmark on all detected and click on "Quarantine Selected"
  • Selected reports may be viewed on screen, or exported to a text file for later viewing. Please note that only manual (on demand) scans are available for users of the free version of Malwarebytes.

You may export to your clipboard or to a text (TXT) file. Export to a .txt file and post its contents.

 

How is the computer doing?

 




#9 jawj909

jawj909
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:06:39 PM

Posted 20 October 2017 - 02:14 PM

Ok, I'll do that. It seems to be ok. I haven't tried a lot of programs yet to see if they work or not.



#10 jawj909

jawj909
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:06:39 PM

Posted 20 October 2017 - 03:00 PM

I completed the scan, no detections at this time. Should I delete what was quarantined yesterday?

Attached Files



#11 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,556 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:10:39 PM

Posted 20 October 2017 - 05:13 PM

I believe your computer is clear, congratulations. :)

 

Use this application to remove the various programs we used and their quarantine. You should remove the Malwarebytes Antimalware quarantine.

 

Please download DelFix by Xplode and save to your Desktop.

  • Double-click on delfix.exe to run the tool.
    Vista/Windows 7/8/10 users right-click and select Run As Administrator.
  • Put a check mark next to these items:
    - Remove disinfection tools
    - Create registry backup
    [screenshot: DelFix options]
  • Click the "Run" button.
  • When the tool has finished, it will create and open a log report (DelFix.txt).

 

 

Always keep your antivirus active and updated.

 

Best regards. :)




#12 jawj909

jawj909
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:06:39 PM

Posted 20 October 2017 - 06:19 PM

Hey, thanks for your assistance and prompt responses. Very much appreciated. I'll go ahead and take care of those tools as well.

 

Thanks again !



#13 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,556 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:10:39 PM

Posted 20 October 2017 - 09:29 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



#14 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,556 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:10:39 PM

Posted 21 October 2017 - 01:38 PM

This topic has been re-opened at the request of the person who originally posted.



#15 jawj909

jawj909
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:06:39 PM

Posted 21 October 2017 - 03:33 PM

I'm running the scan now, here ya go!

Attached Files





