
PC infected.


8 replies to this topic

#1 ika

  • Members
  • 69 posts

Posted 20 March 2018 - 07:31 AM

Hello, I have an infected PC; I hope someone can help me. Thank you very much in advance. Best regards.

Attached File  Addition.txt   63.59KB   1 downloads
Attached File  FRST.txt   106.07KB   2 downloads




#2 nasdaq

  • Malware Response Team
  • 40,476 posts
  • Gender: Male
  • Location: Montreal, QC, Canada

Posted 20 March 2018 - 08:59 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the RUN box.
Type Notepad and click OK.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
GroupPolicy: Restriction <==== ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings: [ProxySettingsPerUser] 1 <==== ATTENTION (Restriction - ProxySettings)
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <==== ATTENTION
BHO-x32: No Name -> {C0E8AE32-0758-4C8D-AB71-23B361FE8964} -> No File
FF Extension: (Malwarebytes) - C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0m9sd6pn.default\Extensions\{242af0bb-db11-4734-b7a0-61cb8a9b20fb}.xpi [2018-03-15]
FF Extension: (Disable WebRTC) - C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0m9sd6pn.default\Extensions\{64f73088-5156-43ae-94db-5a4701089ba3}.xpi [2017-11-25]
FF Extension: (__MSG_extName__) - C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0m9sd6pn.default\Extensions\{aecec67f-0d10-4fa7-b7c7-609a2db280cf}.xpi [2018-03-15]
FF Extension: (Referer Control) - C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0m9sd6pn.default\Extensions\{cde47992-8aa7-4206-9e98-680a2d20f798}.xpi [2018-03-10]
U3 iswSvc; no ImagePath
S3 RimUsb; \SystemRoot\System32\Drivers\RimUsb_AMD64.sys [X]
U3 tmeevw; no ImagePath
S1 ZAM; \??\C:\WINDOWS\System32\drivers\zam64.sys [X]

ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
ContextMenuHandlers4: [EncryptionMenu] -> {A470F8CF-A1E8-4f65-8335-227475AA5C46} =>  -> No File
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File
ContextMenuHandlers6: [BriefcaseMenu] -> {85BBD920-42A0-1069-A2E4-08002B30309D} =>  -> No File
Task: {6422A277-2809-4B4C-93DE-09A0EA33AD11} - no filepath

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.

Please let me know what problem persists with this computer.
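The fixlist above deletes four HKLM\SOFTWARE\Policies keys that FRST flagged as restrictions. Before (or after) running such a fix, a defender may want to see for themselves what those keys hold and whether the Windows Update service is actually running. The read-only PowerShell audit below is an added example, not part of this thread or of Farbar's tools; it assumes an elevated PowerShell 5 prompt on the affected machine and the key paths exactly as they appear in the fixlist.

```powershell
# Added example, not from this thread: read-only audit of the policy keys the
# FRST fixlist removes, plus the state of the Windows Update service (wuauserv).
# Run from an elevated PowerShell prompt. It changes nothing; it only reports.

# Policy locations named in the fixlist. On a domain-joined PC these are set by
# Group Policy; on a standalone home PC they are frequently planted by malware to
# cripple Defender, lock browser settings, force a proxy and block Windows Update.
$policyKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender',
    'HKLM:\SOFTWARE\Policies\Google',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings',
    'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer'
)

function Get-PolicyRestrictions {
    param([string[]]$Keys = $policyKeys)
    foreach ($key in $Keys) {
        if (-not (Test-Path -LiteralPath $key)) {
            [pscustomobject]@{ Key = $key; Status = 'absent'; Values = '' }
            continue
        }
        # Get-ItemProperty adds PS* bookkeeping properties; keep only real values.
        $props = Get-ItemProperty -LiteralPath $key |
            Select-Object -Property * -ExcludeProperty PS*
        $pairs = @($props.PSObject.Properties |
            ForEach-Object { '{0}={1}' -f $_.Name, $_.Value })
        $subkeys = @(Get-ChildItem -LiteralPath $key -ErrorAction SilentlyContinue).Count
        $status = 'empty'
        if ($pairs.Count -gt 0 -or $subkeys -gt 0) { $status = 'PRESENT - review' }
        [pscustomobject]@{ Key = $key; Status = $status; Values = ($pairs -join '; ') }
    }
}

function Get-UpdateServiceState {
    # FSS reported wuauserv not running; a StartType of 'Disabled' is the usual
    # way a policy or malware keeps it down even after the service is restarted.
    $svc = Get-Service -Name wuauserv -ErrorAction Stop
    [pscustomobject]@{ Name = $svc.Name; Status = $svc.Status; StartType = $svc.StartType }
}

Get-PolicyRestrictions | Format-Table -AutoSize -Wrap
Get-UpdateServiceState | Format-Table -AutoSize
```

Any key reported as PRESENT on a home PC that is not managed by a domain or an administrator deserves a second look, since the ProxySettingsPerUser value and the Defender policy key in the log are exactly the kind of entries that keep a machine from updating or scanning itself.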

#3 ika

  • Topic Starter
  • Members
  • 69 posts

Posted 20 March 2018 - 09:24 AM

Attached File  Fixlog.txt   5.74KB   1 downloads

 

I have a strange user WDAGUtilityAccount. Is this normal? And I have not received Windows updates for a long time. Thank you so much for the help. Best regards.



#4 ika

  • Topic Starter
  • Members
  • 69 posts

Posted 20 March 2018 - 10:12 AM

After applying the fix, Chrome will not let me see some pictures.



#5 nasdaq

  • Malware Response Team
  • 40,476 posts
  • Gender: Male
  • Location: Montreal, QC, Canada

Posted 20 March 2018 - 12:38 PM

Hi,
 

I have a strange user WDAGUtilityAccount. Is this normal?


Yes, read about it.
https://blogs.technet.microsoft.com/drew/2017/07/15/wdagutilityaccount/
<<<>>>

I do not receive Windows updates long ago

Download Farbar's Service Scanner utility
http://www.bleepingcomputer.com/download/farbar-service-scanner/dl/62/
and Save to your Desktop.
If using Windows 7 or above, Right-Click on fss.exe and select Run As Administrator.
If using XP, double-click to start.
Answer Yes to ok when prompted.
If your firewall then puts out a prompt, again, allow it to run.
Once FSS is on-screen, be sure the following items are checkmarked:
Internet Services
Security Center/Action Center
Windows Update


Click on "Scan".
It will create a log (FSS.txt) in the same directory the tool is run from.
Copy & Paste contents of FSS.txt into your reply.
===
 

After applied the fix chrome will not let me see some pictures

Restart the computer normally.

If the problem persists, let me know which pictures you are not seeing.
By any chance, were these pictures in a temporary folder?

#6 ika

  • Topic Starter
  • Members
  • 69 posts

Posted 20 March 2018 - 12:52 PM

Thanks a lot! Chrome fixed.

Farbar Service Scanner Version: 27-01-2016
Ran by Emanuel (administrator) on 20-03-2018 at 14:49:10
Running from "C:\Users\user\Desktop"
Microsoft Windows 10 Pro  (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Attempt to access Local Host IP returned error: Localhost is blocked: Destination is unreachable
LAN connected.
Attempt to access Google IP returned error. Google IP is unreachable
Attempt to access Google.com returned error: Google.com is unreachable
Attempt to access Yahoo.com returned error: Yahoo.com is unreachable


Security Center:
============


Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.


Windows Autoupdate Disabled Policy:
============================


Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => File is digitally signed
C:\Windows\System32\drivers\nsiproxy.sys => File is digitally signed
C:\Windows\System32\drivers\afd.sys => File is digitally signed
C:\Windows\System32\drivers\tdx.sys => File is digitally signed
C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\System32\dnsrslvr.dll => File is digitally signed
C:\Windows\System32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\System32\wscsvc.dll => File is digitally signed
C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\System32\wuaueng.dll => File is digitally signed
C:\Windows\System32\qmgr.dll => File is digitally signed
C:\Windows\System32\es.dll => File is digitally signed
C:\Windows\System32\cryptsvc.dll => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed


**** End of log ****

Attached Files

  • Attached File  FSS.txt   2.03KB   1 downloads

Edited by ika, 20 March 2018 - 12:58 PM.


#7 nasdaq

  • Malware Response Team
  • 40,476 posts
  • Gender: Male
  • Location: Montreal, QC, Canada

Posted 20 March 2018 - 01:36 PM

Hi

Press the Windows key + R on your keyboard at the same time. This will open the RUN box.
Type Notepad and click OK.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
CloseProcesses:

cmd: ipconfig /flushdns
cmd: IPCONFIG /release
cmd: IPCONFIG /renew

Reboot:

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

How is it now?

#8 ika

  • Topic Starter
  • Members
  • 69 posts

Posted 20 March 2018 - 01:44 PM

Attached File  Windows Update.jpg   94.02KB   0 downloads
Attached File  Fixlog.txt   2.04KB   2 downloads



#9 ika

  • Topic Starter
  • Members
  • 69 posts

Posted 20 March 2018 - 03:18 PM

Please check this topic as a solved. Thanks a lot for your help!!!!





