
Rootkit will not clean - fighting several days now, please help


25 replies to this topic

#1 bobarmstrong

  • Members
  • 12 posts

Posted 16 April 2018 - 03:47 PM

Bleeping computer is right.

I got infected with something and despite running a number of things the last few days I cannot get it cleaned.

 

I got all the obvious stuff (program uninstalls) and was able to get spybot, mwb and other things to run in safe mode.  They found some items and said they cleaned them.

 

Rootkit checkers (that I could get to run) did not find anything.  If I get MWB to install in safe mode it will BSOD regular mode.  If I keep Windows Defender on, it BSODs the system after 20 minutes or so and blows up svchost.

 

Also at boot I get a scanning/chkdsk process that runs on a recovery drive every time.

 

GMER log below.  It tells me I have a rootkit but I am unable to delete or disable it from GMER.  If I try and run a full scan in safe mode with GMER it BSODs on me within a minute.

 

GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2018-04-16 16:08:35
Windows 6.2.9200  x64 \Device\Harddisk0\DR0 -> \Device\0000003d  rev.CC42 1863.01GB
Running: sfvdqpyl.exe; Driver: C:\Users\Jason\AppData\Local\Temp\kxdoapob.sys
 
 
---- Disk sectors - GMER 2.2 ----
 
Disk     \Device\Harddisk0\DR0                            unknown MBR code
 
---- Threads - GMER 2.2 ----
 
Thread   C:\WINDOWS\system32\csrss.exe [724:844]          fffff5958e7d9c20
 
---- Services - GMER 2.2 ----
 
Service  system32\drivers\scbdgjqt.sys (*** hidden *** )  [BOOT] ntkcvdpw    <-- ROOTKIT !!!
 
---- EOF - GMER 2.2 ----
 
 
Also attaching FRST log which has this line
 
HKLM\SYSTEM\CurrentControlSet\Services\ntkcvdpw <==== ATTENTION (Rootkit!)
 
 
Thank you!

Attached Files
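The GMER line above reports a boot-start driver service (ntkcvdpw) that the registry knows about but the live service list does not, which is what GMER means by "*** hidden ***". The script below is an added example, not part of this thread or of GMER/FRST: a read-only cross-view check that enumerates the Services hive directly and compares it against what the Service Control Manager admits to through WMI, so a driver entry that the SCM view omits, or a boot-start driver whose image file is not on disk, stands out. The registry paths and CIM class names are standard Windows ones; the reporting format is my own. It must be run from an elevated PowerShell prompt, and it changes nothing.

```powershell
# Added example (not the thread's or any tool's own code): cross-view check for
# driver services present in the registry but missing from the SCM/WMI view.
# Limitation: a kernel rootkit that filters registry reads hides from this too;
# it catches user-mode hiding and SCM tampering only, so treat hits as leads.

function Get-SuspectDriverServices {
    $servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

    # What the SCM/WMI view admits to: every registered driver and service name.
    $scmNames = @{}
    foreach ($d in (Get-CimInstance -ClassName Win32_SystemDriver)) { $scmNames[$d.Name.ToLowerInvariant()] = $true }
    foreach ($s in (Get-CimInstance -ClassName Win32_Service))      { $scmNames[$s.Name.ToLowerInvariant()] = $true }

    foreach ($key in (Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue)) {
        $p = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if ($null -eq $p -or $null -eq $p.Type) { continue }      # helper subtrees, not services

        # SERVICE_KERNEL_DRIVER = 1, SERVICE_FILE_SYSTEM_DRIVER = 2; Start 0 = SERVICE_BOOT_START
        $isDriver = ($p.Type -band 0x3) -ne 0
        if (-not $isDriver) { continue }
        $bootStart = ($p.Start -eq 0)
        $hidden    = -not $scmNames.ContainsKey($key.PSChildName.ToLowerInvariant())

        # Normalise the ImagePath spellings found in this hive to a filesystem path.
        $image  = [string]$p.ImagePath
        $onDisk = $false
        if ($image) {
            $resolved = $image -replace '^\\\?\?\\', '' `
                               -replace '^\\SystemRoot\\', "$env:SystemRoot\" `
                               -replace '^system32\\', "$env:SystemRoot\system32\"
            $onDisk = Test-Path -LiteralPath $resolved -PathType Leaf
        }

        # Report a driver the SCM does not list, or a boot-start driver whose file is gone.
        if ($hidden -or ($bootStart -and -not $onDisk)) {
            [pscustomobject]@{
                Name          = $key.PSChildName
                Start         = $p.Start
                BootStart     = $bootStart
                HiddenFromScm = $hidden
                ImagePath     = $image
                ImageOnDisk   = $onDisk
            }
        }
    }
}

Get-SuspectDriverServices | Sort-Object HiddenFromScm, BootStart -Descending | Format-Table -AutoSize
```

A hit with HiddenFromScm set to True on a boot-start entry is the strong signal; a missing image file alone can also be a stale leftover from an uninstalled driver, so compare the key's ImagePath and timestamps before acting on it, and prefer an offline scan (as the helper below does with FRST from the Recovery Environment) to confirm, since the rootkit's own filtering does not apply when its driver is not loaded.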




 


#2 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 11,842 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 16 April 2018 - 04:57 PM

Hi

Welcome :)

I'll be helping you with your computer.

Please read this post completely before beginning. If there's anything that you do not understand, please don't hesitate to ask before proceeding.

Please take note of the guidelines for this fix:
  • Please note that I am a volunteer. I do have a family, a career, and other endeavors that may prevent immediate responses that meet your schedule. Do note that the differences in time zones could present a problem as well. Your patience and understanding will be greatly appreciated.
  • First of all, the procedures we are about to perform are specific to your problem and should only be used on this specific computer.
  • Do not make any changes to your computer that include installing/uninstalling programs, deleting files, modifying the registry, nor running scanners or tools of any kind unless specifically requested by me.
  • Please read ALL instructions carefully and perform the steps fully and in the order they are written.
  • If things appear to be better, let me know. Just because the symptoms no longer exist as before, does not mean that you are clean.
  • Continue to read and follow my instructions until I tell you that your machine is clean.
  • If you have any questions at all, please do not hesitate to ask before performing the task that I ask of you, and please wait for my reply before you proceed.
  • Scanning with programs and reading the logs do take a fair amount of time. Again, your patience will be necessary. :)
Let's begin... :)
 
 
You will need another computer to download FRST64 to a USB drive, run FRST64 in the Recovery Environment, then back in Normal Mode.

Please download Farbar Recovery Scan Tool in an uninfected computer and save it to a flash drive (Pen Drive).

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version. In your case it is FRST64.exe.

Please also download the attached file and save it in the same location the FRST64 is saved in the flash drive.

Boot to the Recovery Console's Command prompt in the infected computer.

To enter the Recovery Environment with Windows 10, follow the instructions in this tutorial on TenForums

Note: If you can't access the Recovery Environment using the method above, you'll need to create a Windows installation or repair media. It can be made on the computer itself or another one running the same version of Windows as the one you plan to use it on. For more information, check out this tutorial on TenForums
After any of these actions is performed, all user sessions are signed off and the Boot Options menu is displayed. The PC will restart into the WinRE and the selected feature is launched.

On the boot options, select Troubleshooting > Advanced Options > Command prompt.

Once in the Command Prompt:
  • Insert the USB drive containing FRST64 and the Fixlist
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst64 and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • First press the Scan button. That will deactivate the rootkit. Once the scan is finished, press the Fix button.
  • These actions will make two logs, Fixlog.txt and FRST.txt, on the flash drive. Please copy and paste them in your reply.
Once finished in the Recovery Environment, restart the computer in Normal Mode.

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version. In your case it is FRST64.
  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Make sure that under Optional Scans, there is a checkmark on Addition.txt.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also produce another log (Addition.txt). Please attach this to your reply.
I will expect the following reports:

Frst.txt produced in the Recovery Console
Fixlog.txt produced in the Recovery Console
Frst.txt produced in Normal Mode
Addition.txt produced in Normal Mode

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 bobarmstrong

Posted 16 April 2018 - 06:40 PM

Awesome!  I ran it as you said and afterwards it booted into normal mode no BSOD.  Avast did kick in (I had tried to install it in safe mode but it always failed) once normal mode did come up.

 

Here are the 4 files you requested.

 

 

Attached Files



#4 JSntgRvr

Posted 16 April 2018 - 08:43 PM

Nice job.
 
Follow these steps in Normal Mode.

  • Highlight the entire content of the quote box below.

Start::  
2018-04-16 18:54 - 2018-04-16 18:54 - 000000000 ____D C:\Users\Jason\AppData\Local\dsmvgtl
2018-04-16 18:08 - 2018-04-16 18:08 - 000000000 ____D C:\Users\Jason\AppData\Local\vdhtzck
C:\WINDOWS\system32\Drivers\sevppsou.sys
2018-04-13 12:44 - 2018-04-13 12:44 - 000072816 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\eemlqxbo.sys
2018-04-13 12:42 - 2018-04-13 12:42 - 000072816 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\cgiqucnt.sys
2018-04-13 12:40 - 2018-04-13 12:40 - 000072816 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\rosgkiud.sys
2018-04-13 12:39 - 2018-04-13 12:39 - 000072816 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\qomhcfzq.sys
2018-04-13 12:37 - 2018-04-13 12:37 - 000072816 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\rdawtkpk.sys
2018-04-13 12:35 - 2018-04-13 12:35 - 000072816 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\snjpmioq.sys
2018-04-13 12:33 - 2018-04-13 12:33 - 000072816 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\nxhrdfwk.sys
2018-04-13 12:32 - 2018-04-13 12:32 - 000072816 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\ghqnjyki.sys
2018-04-13 12:28 - 2018-04-13 12:28 - 000072816 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\itapwogf.sys
C:\WINDOWS\system32\ushmgvasvc.exe
C:\WINDOWS\SysWOW64\exrmpbk
2014-01-15 20:54 - 2014-01-15 20:55 - 000000031 _____ () C:\Users\Jason\delbatch.bat
2014-11-19 12:34 - 2014-11-19 13:23 - 000000770 _____ () C:\Program Files\NextStepConfig.xml
1601-01-03 21:33 - 1601-01-03 21:33 - 000059904 _____ (Microsoft Corporation) C:\Program Files (x86)\Common Files\aUEjLFeQ.exe
1601-01-03 21:33 - 1601-01-03 21:33 - 000059904 _____ (Microsoft Corporation) C:\Program Files (x86)\Common Files\IpyubyuDfKyeA.exe
2013-12-02 12:37 - 2013-12-02 12:37 - 013024768 _____ (LastPass) C:\Program Files (x86)\Common Files\lpuninstall.exe
2014-01-09 12:23 - 2014-01-09 12:23 - 000000628 _____ () C:\Users\Jason\AppData\Roaming\AutoGK.ini
2018-03-06 15:35 - 2018-03-06 15:35 - 000000600 _____ () C:\Users\Jason\AppData\Roaming\winscp.rnd
2018-04-13 12:08 - 2018-04-13 12:08 - 000194048 _____ () C:\Users\Jason\AppData\Local\plsxc.dll
2017-04-07 12:30 - 2018-03-06 15:35 - 000000600 _____ () C:\Users\Jason\AppData\Local\PUTTY.RND
2018-04-13 12:08 - 2018-04-13 12:08 - 000003072 _____ () C:\Users\Jason\AppData\Local\setup_NeoNetPlasma.exe
2018-04-13 12:08 - 2018-04-13 12:08 - 000000003 _____ () C:\Users\Jason\AppData\Local\wbem.ini
2018-04-13 12:08 - 2018-04-13 12:08 - 000000000 ____D C:\WINDOWS\system32\exrmpbk
2018-04-13 12:08 - 2018-04-13 12:08 - 000000000 ____D C:\Users\Jason\AppData\Roaming\et
Task: {01659966-0849-4BE0-85C2-58FC25CFA727} - System32\Tasks\{44C2936A-E339-304F-B2AE-E8D746B4B635} => C:\Program Files (x86)\Common Files\aUEjLFeQ.exe [1601-01-03] (Microsoft Corporation)
C:\WINDOWS\System32\Tasks\{44C2936A-E339-304F-B2AE-E8D746B4B635}
Task: {A56DDF8E-E18F-45E1-BB33-A4A43FB1F921} - System32\Tasks\{635BF67A-B5BA-BAD5-46B5-C1114D2EC716} => C:\Program Files (x86)\Common Files\IpyubyuDfKyeA.exe [1601-01-03] (Microsoft Corporation)
C:\WINDOWS\System32\Tasks\{635BF67A-B5BA-BAD5-46B5-C1114D2EC716}
FirewallRules: [{961D33AA-6567-4B09-ABA9-5C7741EE1DA1}] => (Allow) LPort=8888
FirewallRules: [{B99F13CA-3FB8-4DDD-9AFD-150A47FD160E}] => (Allow) LPort=5558
FirewallRules: [{FFD1221C-31EA-4464-9EE9-6BAB23E352D8}] => (Allow) LPort=5556
FirewallRules: [{F19EB2CF-17D0-42DE-965C-42BFAA2F9CB9}] => (Allow) LPort=8888
FirewallRules: [{EE1748BB-5DC2-434B-B426-171601C00A99}] => (Allow) LPort=5978
FirewallRules: [DNS Server Forward Rule - TCP - 9ad910cf-a753-4bd4-84b9-2fad728ff798 - 0] => (Allow) LPort=53
FirewallRules: [DNS Server Forward Rule - UDP - 9ad910cf-a753-4bd4-84b9-2fad728ff798 - 0] => (Allow) LPort=53
FirewallRules: [{DFBA2C33-9FAD-4E94-82FB-99A069A5085D}] => (Allow) LPort=12292
Task: {022E056F-0157-47F4-936D-05AF8749ADCD} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeTime -> No File <==== ATTENTION
Task: {04C354DF-DCF7-4955-8D4E-721AE35FEF92} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {11230D6A-329C-4179-B48B-CE8578C7EDAE} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {24D35156-2CB2-46C0-A9BB-FE5FD4C4AD93} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {2E7F8709-D117-421D-BD5F-36E10C9033EB} - System32\Tasks\Delete Tempscan folder => C:\Users\Jason\delbatch.bat [2014-01-15] () <==== ATTENTION
Task: {72E5A312-8373-4073-B8B9-994E74A8BD67} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {87A19CB9-D3BA-461A-9C68-DD6EFB1C058B} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION
Task: {AE1B5BED-2554-4B1F-A3D5-5518900C5700} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {BD8809E0-9FC2-4363-A56A-0C51E786165C} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {C02F63D9-0519-4E98-8E69-8C5D92F19522} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeReminderTime -> No File <==== ATTENTION
Task: {CF451464-CB30-4514-B3E3-04C69D6F6D44} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {D4E90C51-EC41-4502-92E4-905658877531} - System32\Tasks\CrashPlan => C:\crashplan.bat [2014-10-18] () <==== ATTENTION
Task: {ED2E57B5-086C-4860-8C16-8B95A78232D1} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {ED313BD2-0EB1-478E-9056-448C6D1D3642} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {F706334C-1377-415D-8EC0-D2658A903CD4} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
ContextMenuHandlers3: [STKContextMenu] -> [CC]{90DD7445-E924-4c6e-92AC-01F8C3A7E0C7} =>  -> No File
ContextMenuHandlers4: [MVDShlext] -> {027B567F-6B25-42C1-9C0B-5CE8E04024BD} =>  -> No File
ContextMenuHandlers4: [RecuvaShellExt] -> [CC]{435E5DF5-2510-463C-B223-BDA47006D002} =>  -> No File
ContextMenuHandlers6: [RecuvaShellExt] -> [CC]{435E5DF5-2510-463C-B223-BDA47006D002} =>  -> No File
Task: {2E7F8709-D117-421D-BD5F-36E10C9033EB} - System32\Tasks\Delete Tempscan folder => C:\Users\Jason\delbatch.bat [2014-01-15] () <==== ATTENTION
CMD: BCDEDIT /ENUM ALL
HOSTS:
Removeproxy:
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset C:\resettcpip.txt
CMD: FOR /F "usebackq delims==" %i IN (`wevtutil el`) DO wevtutil cl "%i"
CMD: Bitsadmin /Reset /Allusers
EMPTYTEMP:
Reboot:
End::

  • Right click on the highlighted text and select Copy.
  • Start FRST (FRST64) with Administrator privileges.
  • Press the Fix button. FRST will process the lines copied above from the clipboard.
  • When finished, a log file (Fixlog.txt) will pop up and be saved in the same location the tool was run from.

Please copy and paste its contents in your next reply.
 

RogueKiller

  • Download the right version of RogueKiller for your Windows version (32 or 64-bit)
  • Once done, move the executable file to your Desktop, right-click on it and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Click on the Start Scan button in the right panel, which will bring you to another tab, and click on it again (this time it'll be in the bottom right corner)
  • Wait for the scan to complete
  • On completion, the results will be displayed
  • Check every single entry (threat found), and click on the Remove Selected button
  • On completion, the results will be displayed. Click on the Open Report button in the bottom left corner, followed by the Open TXT button (also in the bottom left corner)
  • This will open the report in Notepad. Copy/paste its content in your next reply

AdwCleaner - Fix Mode

  • Download AdwCleaner and move it to your Desktop
  • Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the EULA (I accept), then click on Scan
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Clean button. This will kill all active processes
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply

Your next reply(ies) should therefore contain:

  • Copy/pasted Fixlog.txt
  • Copy/pasted RogueKiller clean log
  • Copy/pasted AdwCleaner clean log

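The two tasks removed in the fix above share a recognisable shape: a GUID-named task in System32\Tasks launching an executable placed directly under "Common Files", with a file timestamp of 1601 (a zero FILETIME) and a "Microsoft Corporation" company string. The script below is an added example, not part of this thread or of FRST: a read-only audit that walks every registered scheduled task with the standard ScheduledTasks module, resolves each action's executable, and reports those traits plus orphaned targets (what FRST prints as "-> No File"). The heuristics and thresholds are mine; it runs on Windows 8 and later from an elevated PowerShell prompt and deletes nothing.

```powershell
# Added example (not the thread's or FRST's own code): flag scheduled task actions
# that match the pattern seen in the fix: GUID-named task, executable under
# Common Files, 1601 timestamp, Microsoft company string without a valid signature.

function Get-SuspectScheduledTasks {
    $guidName = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'

    foreach ($task in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
        foreach ($action in $task.Actions) {
            $exe = $action.Execute
            if (-not $exe) { continue }                          # COM-handler actions carry no Execute
            $exe = [Environment]::ExpandEnvironmentVariables($exe.Trim('"'))
            if ($exe -notmatch '[\\/]') {
                # Bare name: resolve through PATH the way the scheduler would.
                $cmd = Get-Command -Name $exe -CommandType Application -ErrorAction SilentlyContinue | Select-Object -First 1
                if ($cmd) { $exe = $cmd.Source }
            }

            $reasons = @()
            if ($task.TaskName -match $guidName) { $reasons += 'GUID-named task' }

            if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) {
                $reasons += 'target file missing'                 # orphan; FRST prints "-> No File"
            } else {
                $fi = Get-Item -LiteralPath $exe
                # FILETIME zero renders as 1601; nothing legitimately installed carries that stamp.
                if ($fi.LastWriteTimeUtc.Year -lt 1980) {
                    $reasons += "bogus timestamp $($fi.LastWriteTimeUtc.ToString('yyyy-MM-dd'))"
                }
                if ($fi.Extension -in @('.exe', '.dll', '.scr')) {
                    $sig      = Get-AuthenticodeSignature -LiteralPath $exe
                    $claimsMs = $fi.VersionInfo.CompanyName -like '*Microsoft*'
                    if ($claimsMs -and $sig.Status -ne 'Valid') {
                        $reasons += "claims Microsoft but signature is $($sig.Status)"
                    }
                }
                if ($exe -like '*\Common Files\*' -and $fi.Extension -eq '.exe') {
                    $reasons += 'executable directly under Common Files'
                }
            }

            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Task    = $task.TaskPath + $task.TaskName
                    State   = $task.State
                    Execute = $exe
                    Args    = $action.Arguments
                    Reasons = ($reasons -join '; ')
                }
            }
        }
    }
}

Get-SuspectScheduledTasks | Sort-Object Reasons -Descending | Format-Table -AutoSize -Wrap
```

Expect benign hits as well: the fix above also lists a dozen orphaned GWX (Windows 10 upgrade) tasks and two of the poster's own batch files, which this script reports only as "target file missing" or not at all. The combination of a 1601 timestamp with an unsigned binary claiming to be Microsoft's is the entry worth treating as malicious; the rest is housekeeping.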


#5 bobarmstrong

Posted 17 April 2018 - 12:56 PM

Ok thanks, things looking better every time.

 

Here are the files.

 

So note when I ran FRST64 in normal mode with the fix file it BSOD the computer after about a minute.

 

I reran it in safe mode fine and that log is attached.  After that I booted back to normal mode and reran FRST64 again with the same fix it file and this time it ran fine.

 

Also ran RK and ADW fine and those logs attached (and no BSOD during these scans which seemed to be happening regularly before).

 

Thanks

Attached Files



#6 JSntgRvr

Posted 17 April 2018 - 01:53 PM

How is the computer doing?




#7 bobarmstrong

Posted 17 April 2018 - 02:51 PM

Pretty good.

 

Defender activated and no BSOD.

Running for over an hour normal mode no BSOD.

SVChost not blowing up.

No infection detections.

 

Strange things

 

Chrome popping up with a DNS Probe issue? every now and then.  Need to refresh page and it goes away.  No issues in firefox.

On boot it is still running a chkdsk on drive   //?/Volume{...guid   every time.

Event viewer system giving me lots of Dcom type errors       The server {9E175B6D-F52A-11D8-B9A5-505054503030} did not register with DCOM within the required timeout.

 

None of those appear to be major things.  But I am looking into them.  If you have any thoughts I would love it, but I think the rootkit is no more!!!

 

Thank you



#8 bobarmstrong

Posted 17 April 2018 - 02:54 PM

Oh one more thing.  File explorer view menu options are all greyed out.  Cannot change type to view icons/details/etc.  Also Options is greyed out.  Preview pane does not work and thumbnails won't come up.



#9 JSntgRvr

Posted 17 April 2018 - 03:20 PM

Let's take one thing at a time.

 

Which of the following volumes is running CHKDSK at startup?

\\?\Volume{065d26ef-459a-4a42-a6e2-c9d532a9975d}
\\?\Volume{b33b9c21-52a8-4a5c-8106-c9edd2185296}
\\?\Volume{3886bc17-c161-4420-836d-71d063f15c9b}
\\?\Volume{2aa195c9-5e6d-4c40-b3e7-4115d7bac5a0}

 

Make sure the numbers are right.




#10 bobarmstrong

Posted 17 April 2018 - 03:40 PM

\\?\Volume{2aa195c9-5e6d-4c40-b3e7-4115d7bac5a0}



#11 JSntgRvr

Posted 17 April 2018 - 03:46 PM

Open an Administrator Command prompt. At the prompt copy and paste the following and press Enter:

 

chkdsk /r "\\?\Volume{2aa195c9-5e6d-4c40-b3e7-4115d7bac5a0}"

 

Once completed, restart.

 

Let me know if it is still running chkdsk at startup.

 

In regard to the DCOM errors, it may be due to permissions.

 

Tweaking.com - Windows Repair All-In-One (Portable)

- Download Windows Repair All-In-One (Portable Version) from here

- Extract tweaking.com_windows_repair_aio.zip to your Desktop.

- Disable all your antivirus and antimalware software - see how to do that from here

- Right click on the extracted executable and select Run as Administrator (XP users just double click) to start Windows Repair All-In-One.
(Windows Vista/7/8 users: Accept UAC warning if it is enabled.)

- A window will appear. Click Step 2.

- Click the Open Pre-Scan button, then click Start Scan. Wait for Windows Repair to finish scanning.

- Depending on which error Windows Repair found, click Repair, Repair Reparse Point or Repair Environment Variable accordingly. When the button changes to "Done!", click the close button to return to Windows Repair.

- Go to Step 3, then click Check in the See If Check Disk Is Needed.

- If Windows Repair stated that errors are found, click Open Check Disk At Next Boot. Choose (/R) Fixes errors on the disk also locate bad sectors and recovers readable information, then click Add To Next Boot. Reboot the computer to let Windows check the disk.

- Go to Step 4, then click Do It.

- Go to Step 5. Under System Restore click Create.

- Go to Repairs and click Open Repairs. Leave all checkmarks as they are, then click Start Repairs.

- By default Windows Repair All-In-One will create a "Logs" folder in its folder on the Desktop. Please post the contents of the log in your next reply.




#12 bobarmstrong

Posted 18 April 2018 - 02:16 PM

Ok ran the chkdsk and that seemed to clear up that issue.

 

Tried another admin login I had on the computer and realized logged in as that user I did not have any of the problems I see with my main user.

 

Ran all the tweaking stuff and did not see any changes on main user.

 

Updated my NIC driver and I think that has fixed the Chrome Probe issue.

Disabled the Intel Rapid Storage Technology Service and that fixed all my File Explorer issues (saw this tip on another forum, however it did all work fine with that service on and another user account).

 

Still getting dcom errors in log, but overall running real nice again.



#13 JSntgRvr

Posted 18 April 2018 - 07:34 PM

Let me see a new set of frst.txt and addition.txt logs



#14 bobarmstrong

Posted 19 April 2018 - 09:28 AM

Sure.

Attached Files



#15 JSntgRvr

Posted 19 April 2018 - 03:35 PM

Let's check the permissions of those keys:

 

  • Highlight the entire content of the quote box below.

Start::  
FirewallRules: [{2688C543-E6EB-43B9-AEC8-0C185FF6C439}] => (Allow) LPort=8888
Task: {D569FF4F-C8E5-404F-84E7-323D9C60EE7A} - \AdobeUpdaten -> No File <==== ATTENTION
ContextMenuHandlers4: [ FileSyncEx] -> {CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} =>  -> No File
ContextMenuHandlers4: [EncryptionMenu] -> {A470F8CF-A1E8-4f65-8335-227475AA5C46} =>  -> No File
ContextMenuHandlers5: [ FileSyncEx] -> {CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} =>  -> No File
ContextMenuHandlers6: [BriefcaseMenu] -> {85BBD920-42A0-1069-A2E4-08002B30309D} =>  -> No File
Reg: Reg query HKEY_CLASSES_ROOT\CLSID\{9E175B6D-F52A-11D8-B9A5-505054503030} /s
Reg: Reg query HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9E175B6D-F52A-11D8-B9A5-505054503030} /s
Reg: Reg query HKEY_CLASSES_ROOT\CLSID\{7D096C5F-AC08-4F1F-BEB7-5C22C517CE39} /s
Reg: Reg query HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7D096C5F-AC08-4F1F-BEB7-5C22C517CE39} /s
ListPermissions: HKEY_CLASSES_ROOT\CLSID\{9E175B6D-F52A-11D8-B9A5-505054503030}
ListPermissions: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9E175B6D-F52A-11D8-B9A5-505054503030}
ListPermissions: HKEY_CLASSES_ROOT\CLSID\{7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
ListPermissions: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
End::

  • Right click on the highlighted text and select Copy.
  • Start FRST (FRST64) with Administrator privileges.
  • Press the Fix button. FRST will process the lines copied above from the clipboard.
  • When finished, a log file (Fixlog.txt) will pop up and be saved in the same location the tool was run from.

Please copy and paste its contents in your next reply.
 

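The Reg query and ListPermissions directives in the fixlist above answer one question: for the CLSID named in the poster's DCOM event ("The server {...} did not register with DCOM within the required timeout", which Windows logs as Event ID 10010 from DistributedCOM), what binary is registered as its server, which AppID governs its launch identity and permissions, and who is allowed to read the keys involved. The script below is an added example, not part of this thread or of FRST: it pulls the CLSIDs from recent 10010 events in the System log, then reports registration, AppID settings and key ACLs for each. The two CLSIDs in the fallback list are the ones the fix queries; the event provider name, registry locations and value names are standard Windows ones, and the report layout is mine. Run it from an elevated PowerShell prompt; it only reads.

```powershell
# Added example (not the thread's or FRST's own code): resolve DCOM 10010 CLSIDs
# to their server binary, AppID and registry ACLs, read-only.

function Get-DcomTimeoutClsids {
    $filter = @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-DistributedCOM'; Id = 10010 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents 500 -ErrorAction SilentlyContinue |
        ForEach-Object { if ($_.Message -match '\{[0-9A-Fa-f-]{36}\}') { $Matches[0] } } |
        Sort-Object -Unique
}

function Get-ClsidReport {
    param([Parameter(Mandatory)][string]$Clsid)

    $paths = @(
        "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"             # merged view, what COM consults
        "HKLM:\SOFTWARE\Classes\CLSID\$Clsid"                  # machine-wide registration
        "HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID\$Clsid"      # 32-bit registration on x64
    )
    foreach ($p in $paths) {
        if (-not (Test-Path -LiteralPath $p)) {
            [pscustomobject]@{ Clsid = $Clsid; Key = $p; Exists = $false }
            continue
        }
        $key   = Get-Item -LiteralPath $p
        $appId = $key.GetValue('AppID')
        $server = foreach ($sub in 'LocalServer32', 'InprocServer32', 'LocalService') {
            $subKey = Get-Item -LiteralPath (Join-Path $p $sub) -ErrorAction SilentlyContinue
            if ($subKey) { "$sub=$($subKey.GetValue(''))" }
        }

        # The AppID key holds the DCOM-specific settings: identity, hosting service, launch ACL.
        $appInfo = ''
        if ($appId) {
            $appKey = Get-Item -LiteralPath "HKLM:\SOFTWARE\Classes\AppID\$appId" -ErrorAction SilentlyContinue
            if ($appKey) {
                $parts = @(foreach ($v in 'RunAs', 'LocalService', 'ServiceParameters') {
                    $val = $appKey.GetValue($v); if ($val) { "$v=$val" }
                })
                $bin = $appKey.GetValue('LaunchPermission')      # binary security descriptor
                if ($bin) {
                    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($bin, 0)
                    $parts += 'LaunchPermission=' + $sd.GetSddlForm('All')
                }
                $appInfo = $parts -join '; '
            }
        }

        $acl = Get-Acl -LiteralPath $p
        [pscustomobject]@{
            Clsid   = $Clsid
            Key     = $p
            Exists  = $true
            Name    = $key.GetValue('')
            Server  = ($server -join '; ')
            AppID   = $appId
            AppInfo = $appInfo
            Owner   = $acl.Owner
            Access  = ($acl.Access | ForEach-Object { "$($_.IdentityReference) $($_.AccessControlType) $($_.RegistryRights)" }) -join "`n"
        }
    }
}

$clsids = @(Get-DcomTimeoutClsids)
if ($clsids.Count -eq 0) {
    # Fallback: the two CLSIDs queried in the fixlist above.
    $clsids = '{9E175B6D-F52A-11D8-B9A5-505054503030}', '{7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}'
}
$clsids | ForEach-Object { Get-ClsidReport -Clsid $_ } | Format-List
```

Read the output the way the helper reads ListPermissions: a key whose Owner is not SYSTEM or TrustedInstaller, whose Access list lacks the usual Users read entry, or whose Server points at a file that no longer exists explains a 10010 timeout without any malware involved; a Server or RunAs value pointing somewhere unexpected is what would justify a closer look.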

