LiquidTension

Honorary Members
  • Posts: 4,182
Everything posted by LiquidTension

  1. Hi Sean, Those logs are clean. Have you ensured all Windows Updates are installed?

     Some of the main infection vectors (methods of becoming infected) include the following:
     • Browsing the Internet without an active Anti-Virus and Firewall.
     • Leaving vulnerable Internet-facing software unpatched/outdated (Windows, Adobe software, Java, etc).
     • Participating in the usage of P2P filesharing.
     • Participating in the usage of cracked/warez software.
     • Aimlessly clicking unknown links/email attachments.
     • Rushing through the installation of new software without reading each page.
     • Inserting USB drives or other removable media that you do not own.
     • Social engineering.
     • Visiting a compromised website.

     You were infected by Poweliks, an infection with rootkit-like capabilities that opens a backdoor on the compromised machine. Unfortunately, it isn't possible to determine the exact cause of infection - it could be one of many possibilities.

     I have compiled below a list of resources you may find useful. The articles document information on computer security, common infection vectors and how you can stay safe on the Internet.
     • Answers to common security questions - Best Practices by quietman7, MVP
     • How Malware Spreads - How did I get infected? by quietman7, MVP
     • Simple and easy ways to keep your computer safe and secure on the Internet by Lawrence Abrams, MVP
     • How to Prevent Malware by miekiemoes, MVP
     • How to backup and restore your data using Cobian Backup by YourHighness
     • Slow Computer/browser? It May Not Be Malware by quietman7, MVP

     The following programmes come highly recommended in the security community.
     • AdBlock is a browser add-on that blocks annoying banners, pop-ups and video ads.
     • Emsisoft Antimalware (free) acts as an additional on-demand scanner, and can be used in conjunction with your Anti-Virus.
     • Malwarebytes Anti-Exploit (MBAE) is designed to prevent zero-day malware from exploiting vulnerable software.
     • Malwarebytes Anti-Malware Premium (MBAM) incorporates real-time protection and is designed to run alongside your Anti-Virus.
     • NoScript is a Firefox add-on that blocks the actions of malicious scripts by using whitelisting and other technology.
     • Sandboxie isolates programmes of your choice, preventing files from writing to your HDD unless you approve the file.
     • Secunia PSI will scan your computer for vulnerable software that is outdated, and automatically find the latest update for you.
     • SpywareBlaster is a form of passive protection, designed to block the actions of malicious websites and tracking cookies.
     • Unchecky automatically removes checkmarks for additional software in programme installers, helping you avoid adware and PUPs.
     • Web of Trust (WOT) is a browser add-on designed to alert the user before interacting with a potentially malicious website.

     Please let me know if you have any further questions.
  2. Hello, The safest way to backup and transfer your files from your infected PC to your clean PC is by doing the following:

     STEP 1 Panda USB Vaccine
     • Using a clean PC, please download Panda USB Vaccine and save the file to your Desktop.
     • Double-click USBVaccineSetup.exe to install the programme.
     • Read and accept the license agreement, then click Next.
     • Upon completion of the setup, ensure Launch Panda USB Vaccine is checked and click Finish.
     • Click the Vaccinate Computer button. It should now show a green checkmark and confirm Computer vaccinated.
     • Hold down the Shift key on your keyboard and insert your USB flash/external drive.
     • When the name of the drive appears in the Panda USB Vaccine dialog box, click the Vaccinate USB drive(s) button.
     • Exit the programme when done.
     -- Computer Vaccination will prevent any AutoRun file from running, regardless of whether the removable device is infected or not. USB Vaccination disables the autorun file so it cannot be read, modified or replaced and creates an AUTORUN_.INF as protection against malicious code. The Panda Research Blog advises that once USB drives have been vaccinated, they cannot be reversed except with a format. If you do this, be sure to back up your data files first or they will be lost during the formatting process.
     • Remove the USB drive from your clean PC.
     • Hold the shift key of your infected PC and insert your USB drive.

     STEP 2 Backup Data
     The safest practice is not to backup any executable (.exe), screensavers (.scr), dynamic link library (.dll), autorun (.ini) or script (.php, .asp, .htm, .html, .xml) files because they may be infected by malware. You should also avoid backing up compressed (.zip, .cab, .rar) files that have executables inside as some types of malware can penetrate compressed files and infect the .exe files within them. Other types of malware may disguise itself by hiding a file extension or by adding double file extensions and/or space(s) in the file's name to hide the real extension, so be sure you look closely at the full file name. Backing up documents, image, music and video files is fine.
     To repeat, do not back up files with the following extensions: .exe, .scr, .bat, .com, .cmd, .msi, .pif, .ini, .htm, .html, .hta, .php, .asp, .xml, .zip, .rar, .cab
     Once you have decided which files you wish to backup, copy the files over to the USB drive.

     STEP 3 MCShield
     • Using your clean PC, please download the MCShield setup file.
     • Double-click MCShield-Setup.exe and follow the prompts to install the programme.
     • Launch the programme and wait for updates to download.
     • Hold the shift key and insert your USB drive. MCShield will scan your USB drive, and notify you if the drive is clean or not.
     • Click the Logs tab to view a report. Confirm no malware was found.
     • Run a scan with your Anti-Virus. Ensure you select the option to scan external drives. Confirm no malware was found.
     • Move your files from your USB drive to your clean PC's HDD.
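The extension rules in STEP 2 of the post above can be checked mechanically before anything is copied to the USB drive. The script below is an added example; it is not part of LiquidTension's post nor any Malwarebytes or Panda tool. It walks a folder, applies the post's own extension blocklist, flags the double-extension and padding-space tricks the post warns about, and looks inside zip archives for executables. The sample directory it builds (thesis.docx, holiday.jpg.exe, photos.zip and so on) is constructed purely for the demonstration; the function and constant names are the example's own.

```python
"""Pre-backup triage: list the files the forum post says not to copy.

Added example, not from the forum post. BLOCKED_EXTENSIONS is the post's
list verbatim; the double-extension, padding-space and archive checks
implement the warnings the post gives in prose.
"""
from __future__ import annotations

import tempfile
import zipfile
from pathlib import Path

# Extensions the post says never to back up (includes archives).
BLOCKED_EXTENSIONS = {
    ".exe", ".scr", ".bat", ".com", ".cmd", ".msi", ".pif", ".ini",
    ".htm", ".html", ".hta", ".php", ".asp", ".xml", ".zip", ".rar", ".cab",
}
# Types that execute code if opened; used for the double-extension and
# archive-content checks.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".bat", ".com", ".cmd", ".msi", ".pif", ".hta", ".dll"}

# Constructed file name with padding spaces hiding the real extension.
PADDED_NAME = "invoice.pdf      .scr"


def classify(path) -> list[str]:
    """Return the reasons a file should be left out of the backup ([] = fine)."""
    path = Path(path)
    reasons: list[str] = []
    name = path.name
    # Trailing spaces/dots make Explorer show a shorter, friendlier name.
    stripped = name.rstrip(" .")
    if stripped != name:
        reasons.append("trailing whitespace or dot in file name")
    suffixes = [s.lower() for s in Path(stripped).suffixes]
    real_ext = suffixes[-1] if suffixes else ""
    if real_ext in BLOCKED_EXTENSIONS:
        reasons.append(f"blocked extension {real_ext}")
    # "invoice.pdf      .scr": spaces inside an earlier suffix push the
    # real extension out of view in a narrow file-name column.
    if any(" " in s for s in suffixes[:-1]):
        reasons.append("padding spaces hiding real extension")
    # "holiday.jpg.exe": a document-looking name that is really executable.
    if len(suffixes) >= 2 and real_ext in EXECUTABLE_EXTENSIONS:
        reasons.append("double extension hiding executable")
    # Peek inside zip files for executables (rar/cab need third-party libs).
    if real_ext == ".zip" and zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as zf:
            inner = [n for n in zf.namelist() if Path(n).suffix.lower() in EXECUTABLE_EXTENSIONS]
        if inner:
            reasons.append(f"archive contains executables: {inner}")
    return reasons


def triage_directory(root) -> dict[str, list[str]]:
    """Walk root and return {relative posix path: reasons} for flagged files."""
    root = Path(root)
    flagged: dict[str, list[str]] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            reasons = classify(path)
            if reasons:
                flagged[path.relative_to(root).as_posix()] = reasons
    return flagged


def build_sample_directory() -> Path:
    """Create a constructed sample tree in a temp dir (not real user data)."""
    root = Path(tempfile.mkdtemp(prefix="backup_triage_"))
    samples = {
        "Documents/thesis.docx": b"PK\x03\x04",        # fine to back up
        "Pictures/holiday.jpg": b"\xff\xd8\xff",        # fine to back up
        "Pictures/holiday.jpg.exe": b"MZ",              # double extension
        "Downloads/setup.exe": b"MZ",                   # plain executable
        f"Downloads/{PADDED_NAME}": b"MZ",              # padding spaces
        "Music/song.mp3": b"ID3",                       # fine to back up
    }
    for rel, data in samples.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    with zipfile.ZipFile(root / "Downloads" / "photos.zip", "w") as zf:
        zf.writestr("beach.jpg", b"\xff\xd8\xff")
        zf.writestr("viewer.exe", b"MZ")                # executable inside archive
    return root


if __name__ == "__main__":
    for rel, why in triage_directory(build_sample_directory()).items():
        print(f"SKIP {rel!r}: {'; '.join(why)}")
```

Anything the script does not list is, by the post's rules, safe to copy. It reports rather than deletes, so the decision about a borderline file (a padded name, an archive with an installer inside) stays with the person doing the backup.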
  3. Good job. I need to see a fresh set of FRST logs. Open FRST. Place a checkmark next to Addition.txt. Click Scan. Attach FRST.txt and Addition.txt. If this is not possible, please copy/paste the contents directly into your post.
  4. Hello, It doesn't look as if the TDSSKiller log attached. Please try attaching in a new post, or uploading the file to my channel. http://www.bleepingcomputer.com/submit-malware.php?channel=174
  5. Unfortunately, your computer is infected with a rootkit. As such, I must issue the following warning. Please let me know how you wish to proceed.
  6. Good job. Let's check for remnants.

     STEP 1 AdwCleaner
     • Please download AdwCleaner and save the file to your Desktop.
     • Right-Click AdwCleaner.exe and select Run as administrator to run the programme.
     • Follow the prompts. Click Scan.
     • Upon completion, click Report. A log (AdwCleaner[R0].txt) will open. Briefly check the log for anything you know to be legitimate.
     • Ensure anything you know to be legitimate does not have a checkmark, and click Clean.
     • Follow the prompts and allow your computer to reboot.
     • After rebooting, a log (AdwCleaner[s0].txt) will open. Copy the contents of the log and paste in your next reply.
     -- File and registry key backups are made for anything removed using this tool. Should a legitimate entry be removed (otherwise known as a 'false-positive'), simple steps can be taken to restore the entry. Please do not overly concern yourself with the contents of AdwCleaner[R0].txt.

     STEP 2 Update/Remove Java
     • Download the latest version of Java from here (watch out for "Optional Offers" during the update process).
     • Press the Windows Key + r on your keyboard at the same time. Type appwiz.cpl and click OK.
     • Search for the following programmes, right-click and click Uninstall one at a time.
       Note: The programmes below may not be present. If this is the case, please skip to the next step.
       Java 7 Update 67
     • Follow the prompts, and reboot if necessary.

     STEP 3 Malwarebytes Anti-Malware (MBAM)
     • Please download the updated Malwarebytes Anti-Malware Free to your Desktop.
     • Double-click mbam-setup.x.x.xxxx.exe (x represents the version #) and follow the prompts to install the programme.
     • Launch the programme and click Update.
     • Once updated, click the Settings tab, followed by Detection and Protection and tick Scan for rootkits.
     • Click the Scan tab, ensure Threat Scan is checked and click Scan Now.
       Note: You may see the following message, "Could not load DDA driver". Click Yes, allow your PC to reboot and continue afterwards.
     • If threats are detected, click the Apply Actions button. You will now be prompted to reboot. Click Yes.
     • Upon completion of the scan (or after the reboot), click the History tab.
     • Click Application Logs and double-click the Scan Log.
     • Click Copy to Clipboard and paste the log in your next reply.

     STEP 4 ESET Online Scan
     Note: This scan may take a long time to complete. Please do not browse the Internet whilst your Anti-Virus is disabled.
     • Please download ESET Online Scan and save the file to your Desktop.
     • Temporarily disable your anti-virus software. For instructions, please refer to the following link.
     • Double-click esetsmartinstaller_enu.exe to run the programme.
     • Agree to the EULA by placing a checkmark next to Yes, I accept the Terms of Use. Then click Start.
     • Agree to the Terms of Use once more and click Start. Allow components to download.
     • Place a checkmark next to Enable detection of potentially unwanted applications.
     • Click Hide advanced settings. Place a checkmark next to:
       Scan archives
       Scan for potentially unsafe applications
       Enable Anti-Stealth technology
     • Ensure Remove found threats is unchecked.
     • Click Start. Wait for the scan to finish. Please be patient as this can take some time.
     • Upon completion, click . If no threats were found, skip the next two bullet points.
     • Click and save the file to your Desktop, naming it something unique such as MyEsetScan.
     • Push the Back button.
     • Place a checkmark next to and click .
     • Re-enable your anti-virus software.
     • Copy the contents of the log and paste in your next reply.
     ======================================================

     STEP 5 Logs
     In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.
     • Did Java update/remove successfully?
     • MBAM Scan log
     • ESET Online Scan log
  7. Hello Daryl, Yes, we can remove the identified infection now.

     STEP 1 ComboFix
     Note: Please read through these instructions before running ComboFix.
     • Please download ComboFix and save the file to your Desktop. << Important!
     • Temporarily disable your anti-virus software. For instructions, please refer to the following link.
     • Right-Click ComboFix.exe and select Run as administrator to run the programme.
     • Follow the prompts. Allow ComboFix to complete its removal routine (please refer to Important Notes:).
     • Upon completion, a log (ComboFix.txt) will be created in the root directory (C:\). Copy the contents of the log and paste in your next reply.
     • Re-enable your anti-virus software.
     Important Notes:
     • Do NOT mouse click ComboFix's window whilst it is running. This may cause the programme to stall.
     • Do NOT use your computer whilst ComboFix is running.
     • Your Desktop/taskbar may disappear whilst ComboFix is running; this is normal.
     • If you get the message Illegal operation attempted on registry key that has been marked for deletion please reboot your computer.
     • ComboFix will disconnect your machine from the Internet as soon as it starts.
     • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
     • If you are unable to access the Internet after running ComboFix, please reboot your computer.

     STEP 2 TDSSKiller Scan
     • Please download TDSSKiller and save the file to your Desktop.
     • Right-Click TDSSKiller.exe and select Run as administrator to run the programme.
     • Click Change parameters. Place a checkmark next to:
       Loaded Modules
       Detect TDLFS file system
       Verify file digital signatures
       Note: If you receive the following message: Extended Monitoring Driver is required, click Reboot now, and continue from here following the reboot.
     • Click Start Scan. Do not use the computer during the scan.
     • If objects are found, change the action to skip.
     • Click Continue and close the window.
     • A log will be created and saved to the root directory (usually C:\). Attach the log in your next reply.
     ======================================================

     STEP 3 Logs
     In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.
     • ComboFix.txt
     • TDSSKiller log (attached)
  8. Hi Jake, Please do the following.

     STEP 1 Uninstall Software
     • Press the Windows Key + r on your keyboard at the same time. Type appwiz.cpl and click OK.
     • Search for the following programmes, right-click and click Uninstall.
       WSE_Astromenda
     • Follow the prompts. Reboot if necessary.

     STEP 2 Farbar Recovery Scan Tool (FRST) Script
     • Press the Windows Key + r on your keyboard at the same time. Type Notepad and click OK.
     • Copy the entire contents of the codebox below and paste into the Notepad document.

        start
        HKU\S-1-5-21-1528785283-3719672176-3250808924-1001\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
        AppInit_DLLs: C:\PROGRA~3\PERFOR~1\PERFOR~2.DLL => C:\ProgramData\Performance Optimizer\PerformanceOptimizer_x64.dll [4303360 2014-09-22] ()
        C:\ProgramData\Performance Optimizer
        ShellIconOverlayIdentifiers: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => No File
        ShellIconOverlayIdentifiers: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => No File
        ShellIconOverlayIdentifiers: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => No File
        ShellIconOverlayIdentifiers-x32: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => No File
        ShellIconOverlayIdentifiers-x32: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => No File
        ShellIconOverlayIdentifiers-x32: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => No File
        CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
        SearchScopes: HKLM - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://astromenda.com/results.php?f=4&q={searchTerms}&a=ast_omxmedia_14_34_ie&cd=2XzuyEtN2Y1L1Qzuzy0C0DtBtC0EtB0CyE0CyB0C0A0EyDtDtN0D0Tzu0SzyyCtBtN1L2XzutBtFtBtCtFtCzztFyBtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StBtBtCtD0EtByBzytGyB0D0C0DtG0EyD0FzztGtDyC0AzztGyC0A0AtAyE0E0E0EyB0A0B0F2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAtBtAtByD0F0CtDtG0E0C0B0DtG0FyD0A0FtG0BtB0ByBtGyB0DyByC0DzyyEyDyBtAtC0C2Q&cr=2013088633&ir=
        SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://astromenda.com/results.php?f=4&q={searchTerms}&a=ast_omxmedia_14_34_ie&cd=2XzuyEtN2Y1L1Qzuzy0C0DtBtC0EtB0CyE0CyB0C0A0EyDtDtN0D0Tzu0SzyyCtBtN1L2XzutBtFtBtCtFtCzztFyBtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StBtBtCtD0EtByBzytGyB0D0C0DtG0EyD0FzztGtDyC0AzztGyC0A0AtAyE0E0E0EyB0A0B0F2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAtBtAtByD0F0CtDtG0E0C0B0DtG0FyD0A0FtG0BtB0ByBtGyB0DyByC0DzyyEyDyBtAtC0C2Q&cr=2013088633&ir=
        SearchScopes: HKCU - DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://astromenda.com/results.php?f=4&q={searchTerms}&a=ast_omxmedia_14_34_ie&cd=2XzuyEtN2Y1L1Qzuzy0C0DtBtC0EtB0CyE0CyB0C0A0EyDtDtN0D0Tzu0SzyyCtBtN1L2XzutBtFtBtCtFtCzztFyBtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StBtBtCtD0EtByBzytGyB0D0C0DtG0EyD0FzztGtDyC0AzztGyC0A0AtAyE0E0E0EyB0A0B0F2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAtBtAtByD0F0CtDtG0E0C0B0DtG0FyD0A0FtG0BtB0ByBtGyB0DyByC0DzyyEyDyBtAtC0C2Q&cr=2013088633&ir=
        SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://astromenda.com/results.php?f=4&q={searchTerms}&a=ast_omxmedia_14_34_ie&cd=2XzuyEtN2Y1L1Qzuzy0C0DtBtC0EtB0CyE0CyB0C0A0EyDtDtN0D0Tzu0SzyyCtBtN1L2XzutBtFtBtCtFtCzztFyBtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2StBtBtCtD0EtByBzytGyB0D0C0DtG0EyD0FzztGtDyC0AzztGyC0A0AtAyE0E0E0EyB0A0B0F2QtN1M1F1B2Z1V1N2Y1L1Qzu2StAtBtAtByD0F0CtDtG0E0C0B0DtG0FyD0A0FtG0BtB0ByBtGyB0DyByC0DzyyEyDyBtAtC0C2Q&cr=2013088633&ir=
        SearchScopes: HKCU - {2E00D31D-D171-423D-836D-1A4D7EA7F1A9} URL = 
        S2 892cc6a3; c:\ProgramData\Performance Optimizer\PerformanceOptimizerSvc.dll [186192 2014-09-22] () [File not signed]
        C:\ProgramData\SetStretch.exe
        C:\ProgramData\SetStretch.VBS
        CustomCLSID: HKU\S-1-5-21-1528785283-3719672176-3250808924-1001_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?
        Task: {454788C5-1F9C-4CF2-98ED-048522940A65} - System32\Tasks\Optimizer Pro Schedule => C:\Program Files (x86)\Optimizer Pro\OptProLauncher.exe <==== ATTENTION
        Task: {B3B929EF-2352-4991-AA11-36876C1B43FA} - System32\Tasks\LaunchSignup => C:\Program Files (x86)\MyPC Backup\Signup Wizard.exe <==== ATTENTION
        C:\Program Files (x86)\Optimizer Pro
        C:\Program Files (x86)\MyPC Backup
        Folder: C:\sources
        Folder: C:\ProgramData\f25cb3e6521ce1d6
        CMD: ipconfig /flushdns
        CMD: netsh winsock reset all
        CMD: bitsadmin /reset /allusers
        Hosts:
        EmptyTemp:
        end

     • Click File, Save As and type fixlist.txt as the File Name. Important: The file must be saved in the same location as FRST64.exe.
       NOTICE: This script is intended for use on this particular machine. Do not use this script on any other machine; doing so may cause damage to your Operating System.
     • Right-Click FRST64.exe and select Run as administrator to run the programme.
     • Click Fix.
     • A log (Fixlog.txt) will open on your desktop. Copy the contents of the log and paste in your next reply.

     STEP 3 VirusTotal Upload
     • Please go to VirusTotal.com.
     • Click Choose File and locate the following file:
       C:\Users\kingawesomeeye15\AppData\Roaming\sp_data.sys
     • Click Scan it!.
     • If you receive the following notification: File already analysed click Reanalyse.
     • Once the file has been analyzed, copy the page URL at the top of the window and paste in your next reply.
     ======================================================

     STEP 4 Logs
     In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.
     • Did the programme uninstall OK?
     • Fixlog.txt
     • VirusTotal results
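The FRST entries in the script above show what Poweliks persistence looks like from a defender's side: a COM class whose LocalServer32 "executable" is rundll32.exe handed a javascript: URL, so the payload lives in the registry and there is no file on disk for a scanner to hash. The script below is an added example, not part of LiquidTension's post or of FRST itself; it runs over FRST-format log lines and flags that pattern together with two of the other indicators present in the same log (an AppInit_DLLs entry and a service whose binary is unsigned). The sample lines are constructed from the entries quoted in the post with the obfuscated payload shortened to "(...)"; the benign CLSID line is invented as a negative case, and all function and pattern names are the example's own.

```python
"""Flag Poweliks-style fileless persistence in FRST-format log lines.

Added example (not from the forum post, not from FRST). The primary
indicator is the one visible in the post's log: a CLSID\localserver32
value whose command is rundll32.exe with a script: URL instead of a path.
"""
import re

# Constructed sample, modelled on the FRST entries quoted in the post.
# The obfuscated script payload is replaced by "(...)"; the third line is
# an invented benign COM server used as a negative case.
SAMPLE_FRST_LINES = [
    r'HKU\S-1-5-21-1528785283-3719672176-3250808924-1001\...A8F59079A8D5}\localserver32: '
    r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("(...)") <==== Poweliks!',
    r'CustomCLSID: HKU\S-1-5-21-...-1001_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> '
    r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("(...)")',
    r'CustomCLSID: HKCU\...\CLSID\{CONSTRUCTED-BENIGN-0000}\localserver32 -> C:\Program Files\Vendor\app.exe',
    r'AppInit_DLLs: C:\PROGRA~3\PERFOR~1\PERFOR~2.DLL => C:\ProgramData\Performance Optimizer\PerformanceOptimizer_x64.dll [4303360 2014-09-22] ()',
    r'S2 892cc6a3; c:\ProgramData\Performance Optimizer\PerformanceOptimizerSvc.dll [186192 2014-09-22] () [File not signed]',
    r'Task: {454788C5-1F9C-4CF2-98ED-048522940A65} - System32\Tasks\Optimizer Pro Schedule => C:\Program Files (x86)\Optimizer Pro\OptProLauncher.exe',
]

# FRST writes the LocalServer32 command after ": " (HKU\... lines) or
# " -> " (CustomCLSID lines); capture whatever follows as the command.
LOCALSERVER32 = re.compile(r'\\localserver32\b.*?(?:: | -> )(?P<cmd>.*)$', re.IGNORECASE)
# A legitimate COM server is a file path; a script URL scheme is not.
SCRIPT_SCHEME = re.compile(r'\b(javascript|vbscript):', re.IGNORECASE)
RUNDLL32 = re.compile(r'\s*rundll32(\.exe)?\b', re.IGNORECASE)
# FRST service lines: "S<start type> <name>; <path> [size date] () [File not signed]"
UNSIGNED_SERVICE = re.compile(r'^S\d\s+\S+;\s.*\[File not signed\]', re.IGNORECASE)
APPINIT = re.compile(r'^AppInit_DLLs:\s', re.IGNORECASE)


def classify_line(line: str):
    """Return a short finding for one FRST line, or None if nothing stands out."""
    m = LOCALSERVER32.search(line)
    if m:
        cmd = m.group("cmd")
        if RUNDLL32.match(cmd) and SCRIPT_SCHEME.search(cmd):
            return "fileless COM hijack: LocalServer32 runs rundll32 with a script URL (Poweliks pattern)"
        return None  # ordinary COM server pointing at a file
    if APPINIT.match(line):
        return "AppInit_DLLs set: DLL loaded into every process that links user32.dll"
    if UNSIGNED_SERVICE.match(line):
        return "service with unsigned binary"
    return None


def triage(lines):
    """Return (line, finding) pairs for every line that produced a finding."""
    return [(line, finding) for line in lines if (finding := classify_line(line))]


if __name__ == "__main__":
    for line, finding in triage(SAMPLE_FRST_LINES):
        print(f"{finding}\n    {line[:100]}")
```

The three checks are deliberately narrow: a scheduled task or search scope is only suspicious in context, which is why the last sample line produces no finding, while rundll32 launched from a COM registration with a javascript: URL has no legitimate use and can be reported unconditionally.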
  9. Hello, Let's confirm what's on your system first. Please boot into Safe Mode, and attempt to run FRST there.

     Boot into Safe Mode
     • Restart your PC.
     • As soon as the BIOS is loaded, begin repeatedly tapping the F8 key until the Advanced Options menu appears.
     • Using the arrow keys, select Safe Mode. Press the Enter key.
  10. Hello Sean, Go ahead and download FRST. I will confirm the logs are clean. We can talk more about infection vectors and how you may have contracted this afterwards.
  11. Hello deanorolls, welcome to Malwarebytes' Malware Removal forum! My username is LiquidTension, but you can call me Adam. I will be assisting you with your malware-related problems. If you would allow me to call you by your first name I would prefer that.

      General P2P/Piracy Notice:
      ======================================================
      Please read through the points below to ensure this process moves as quickly and efficiently as possible.
      • Please read through my instructions thoroughly, and ensure you carry out each step in the order specified.
      • Please do not post logs using the CODE, QUOTE or ATTACHMENT format. Logs should be posted directly in plain text. If you receive an error whilst posting, please break the log in half and use multiple posts.
      • Please do not run any tools or take any steps other than those I provide for you. Independent efforts may make matters worse, and will affect my ability in ascertaining the current situation & providing the best set of instructions for you.
      • Please backup important documents before proceeding with my instructions.
      • If you come across any issues whilst following my instructions, please stop and inform me of the issue in as much detail as possible. Please do not hesitate to ask before you run anything.
      • Topics are locked if no response is made after 4 days. Please inform me if you will require additional time to complete my instructions.
      • Ensure you are following this topic. Click at the top of the page.
      ======================================================

      What is your Operating System and bit-type?
  12. Hello Pratski6872, welcome to Malwarebytes' Malware Removal forum! My username is LiquidTension, but you can call me Adam. I will be assisting you with your malware-related problems. If you would allow me to call you by your first name I would prefer that.

      General P2P/Piracy Notice:
      ======================================================
      Please read through the points below to ensure this process moves as quickly and efficiently as possible.
      • Please read through my instructions thoroughly, and ensure you carry out each step in the order specified.
      • Please do not post logs using the CODE, QUOTE or ATTACHMENT format. Logs should be posted directly in plain text. If you receive an error whilst posting, please break the log in half and use multiple posts.
      • Please do not run any tools or take any steps other than those I provide for you. Independent efforts may make matters worse, and will affect my ability in ascertaining the current situation & providing the best set of instructions for you.
      • Please backup important documents before proceeding with my instructions.
      • If you come across any issues whilst following my instructions, please stop and inform me of the issue in as much detail as possible. Please do not hesitate to ask before you run anything.
      • Topics are locked if no response is made after 4 days. Please inform me if you will require additional time to complete my instructions.
      • Ensure you are following this topic. Click at the top of the page.
      ======================================================

      Unfortunately, your computer is infected with a rootkit. As such, I must issue the following warning. Please let me know how you wish to proceed.
  13. OK. Nothing we've done thus far would be the cause of this issue. We've removed folders related to the ransomware/temp files and replaced the System File patched by the malware. It's possible the malware has caused issues not visible in your latest logs (which are clean), or there are issues unrelated to malware at hand. Let's start with the following, and see if these checks run.

      STEP 1 CHKDSK
      Note: If you have a Solid State Drive (SSD), do not run CHKDSK. Skip STEP 1, and proceed with STEP 2.
      • Press the Windows Key + r on your keyboard at the same time. Type Notepad and click OK.
      • Copy the entire contents of the codebox below and paste into the Notepad document.

          @echo off
          cmd /c chkdsk c: |find /v "percent" >> "%userprofile%\desktop\chkdskquery.txt"
          notepad %userprofile%\Desktop\chkdskquery.txt
          del %0

      • Click Format. Ensure Wordwrap is unchecked.
      • Click File, Save As and name the file chkdsk.bat. Select All Files as the Save as type. Save the file to your Desktop.
      • Locate chkdsk.bat (W8/7/Vista) on your Desktop. Right-click the icon and click Run as administrator.
      • CHKDSK may take up to an hour to complete. Allow the programme to run uninterrupted, and do not use your computer during the process.
      • Upon completion, a log (chkdskquery.txt) will open on your Desktop. Please copy the contents of the log and paste in your next reply.

      STEP 2 System File Checker (SFC)
      • Press the Windows Key + r on your keyboard at the same time. Type Notepad and click OK.
      • Copy the entire contents of the codebox below and paste into the Notepad document.

          sfc /scannow
          findstr /c:"[SR]" %windir%\Logs\CBS\CBS.log >"%userprofile%\Desktop\sfcresults.txt"
          notepad %userprofile%\Desktop\sfcresults.txt
          del %0

      • Click Format. Ensure Wordwrap is unchecked.
      • Click File, Save As and name the file querysfc.bat. Select All Files as the Save as type. Save the file to your Desktop.
      • Locate querysfc.bat (W8/7/Vista) on your Desktop. Right-click the icon and click Run as administrator.
      • Upon completion, a log (sfcresults.txt) will open on your Desktop. Copy the contents of the log and paste in your next reply.
      ======================================================

      STEP 3 Logs
      In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.
      • chkdskquery.txt
      • sfcresults.txt
  14. Hello dbouma, welcome to Malwarebytes' Malware Removal forum! My username is LiquidTension, but you can call me Adam. I will be assisting you with your malware-related problems. If you would allow me to call you by your first name I would prefer that.

      General P2P/Piracy Notice:
      ======================================================
      Please read through the points below to ensure this process moves as quickly and efficiently as possible.
      • Please read through my instructions thoroughly, and ensure you carry out each step in the order specified.
      • Please do not post logs using the CODE, QUOTE or ATTACHMENT format. Logs should be posted directly in plain text. If you receive an error whilst posting, please break the log in half and use multiple posts.
      • Please do not run any tools or take any steps other than those I provide for you. Independent efforts may make matters worse, and will affect my ability in ascertaining the current situation & providing the best set of instructions for you.
      • Please backup important documents before proceeding with my instructions.
      • If you come across any issues whilst following my instructions, please stop and inform me of the issue in as much detail as possible. Please do not hesitate to ask before you run anything.
      • Topics are locked if no response is made after 4 days. Please inform me if you will require additional time to complete my instructions.
      • Ensure you are following this topic. Click at the top of the page.
      ======================================================

      Unfortunately, your computer is infected with a rootkit. As such, I must issue the following warning. Please let me know how you wish to proceed.
  15. Hello, Your FRST RE log indicates those programmes are damaged. I need to see a complete set of logs, so please do the following.

      Farbar Recovery Scan Tool (FRST) Scan
      • Please download Farbar Recovery Scan Tool (x64) and save the file to your Desktop.
      • Right-Click FRST64.exe and select Run as administrator to run the programme.
      • Click Yes to the disclaimer.
      • Ensure the Addition.txt box is checked.
      • Click the Scan button and let the programme run.
      • Upon completion, click OK, then OK on the Addition.txt pop up screen.
      • Two logs (FRST.txt & Addition.txt) will now be open on your Desktop. Copy the contents of both logs and paste in your next reply.
  16. Hello PostHEX, welcome to Malwarebytes' Malware Removal forum! My username is LiquidTension, but you can call me Adam. I will be assisting you with your malware-related problems. If you would allow me to call you by your first name I would prefer that.

      General P2P/Piracy Notice:
      ======================================================
      Please read through the points below to ensure this process moves as quickly and efficiently as possible.
      • Please read through my instructions thoroughly, and ensure you carry out each step in the order specified.
      • Please do not post logs using the CODE, QUOTE or ATTACHMENT format. Logs should be posted directly in plain text. If you receive an error whilst posting, please break the log in half and use multiple posts.
      • Please do not run any tools or take any steps other than those I provide for you. Independent efforts may make matters worse, and will affect my ability in ascertaining the current situation & providing the best set of instructions for you.
      • Please backup important documents before proceeding with my instructions.
      • If you come across any issues whilst following my instructions, please stop and inform me of the issue in as much detail as possible. Please do not hesitate to ask before you run anything.
      • Topics are locked if no response is made after 4 days. Please inform me if you will require additional time to complete my instructions.
      • Ensure you are following this topic. Click at the top of the page.
      ======================================================

      Unfortunately, your computer is badly infected. As such, I must issue the following warning. Please let me know how you wish to proceed.
  17. Hi Jim,

      Download and run the Adobe Reader uninstaller: http://labs.adobe.com/downloads/acrobatcleaner.html

      Download and run JavaRa:
      • Please download JavaRa and save the file to your Desktop.
      • Right-click the folder and click Extract All.
      • Close any open windows. Right-Click JavaRa.exe and select Run as administrator to run the programme.
      • Select your language and click Select.
      • Once opened, click Remove Older Versions.
      • Click Yes when prompted. Upon completion, click OK.
      • Please reboot your computer.

      Confirm both programmes removed from your computer. If you require both programmes, click the relevant links in my previous post to download and install the updated versions. Please be aware that Java should only be installed if you have particular need for the programme. Otherwise, best not to install as the programme is extremely susceptible to malicious exploits.
  18. Thank you for the logs. We will get to addressing the 'non-genuine' message in due course. ComboFix did a good job dealing with Poweliks and ZeroAccess. I need to see a fresh set of FRST logs, so please do the following.

      Farbar Recovery Scan Tool (FRST) Scan
      • Right-Click FRST64.exe and select Run as administrator to run the programme.
      • Click Yes to the disclaimer.
      • Ensure the Addition.txt box is checked.
      • Click the Scan button and let the programme run.
      • Upon completion, click OK, then OK on the Addition.txt pop up screen.
      • Two logs (FRST.txt & Addition.txt) will now be open on your Desktop. Copy the contents of both logs and paste in your next reply.
  19. Hello Reggie, Unfortunately, your computer is infected with a rootkit. As such, I must issue the following warning. Please let me know how you wish to proceed.
  20. Hello Alan, Please do the following, and attempt to boot into Windows normally once done.

      FRST Recovery Environment Script
      • Using your clean PC, press the Windows Key + r on your keyboard at the same time. Type Notepad and click OK.
      • Copy the entire contents of the codebox below and paste into the Notepad document.

          start
          2014-10-17 12:19 - 2014-10-17 12:19 - 00000000 ____D () C:\Users\Alan\AppData\Roaming\21769
          2014-09-26 19:30 - 2014-09-26 19:30 - 00000000 ____D () C:\Users\Alan\AppData\Roaming\13841
          2014-09-26 19:28 - 2014-09-26 19:28 - 00000000 ____D () C:\Users\Alan\AppData\Roaming\13452
          C:\Users\Alan\AppData\Local\Temp\AskSLib.dll
          C:\Users\Alan\AppData\Local\Temp\Checkupdate.exe
          C:\Users\Alan\AppData\Local\Temp\COMAP.EXE
          C:\Users\Alan\AppData\Local\Temp\DivXSetup.exe
          C:\Users\Alan\AppData\Local\Temp\dllnt_dump.dll
          C:\Users\Alan\AppData\Local\Temp\Foxit Reader Updater.exe
          C:\Users\Alan\AppData\Local\Temp\Foxit Updater.exe
          C:\Users\Alan\AppData\Local\Temp\gcapi_dll.dll
          C:\Users\Alan\AppData\Local\Temp\gtapi_signed.dll
          C:\Users\Alan\AppData\Local\Temp\jre-7u51-windows-i586-iftw.exe
          C:\Users\Alan\AppData\Local\Temp\jre-7u55-windows-i586-iftw.exe
          C:\Users\Alan\AppData\Local\Temp\jre-7u65-windows-i586-iftw.exe
          C:\Users\Alan\AppData\Local\Temp\jre-7u67-windows-i586-iftw.exe
          C:\Users\Alan\AppData\Local\Temp\MouseKeyboardCenterx64_1033.exe
          C:\Users\Alan\AppData\Local\Temp\mpegc.dll
          C:\Users\Alan\AppData\Local\Temp\nsbB49.tmp.exe
          C:\Users\Alan\AppData\Local\Temp\nso4B26.tmp.exe
          C:\Users\Alan\AppData\Local\Temp\ose00000.exe
          C:\Users\Alan\AppData\Local\Temp\safeguard.exe
          C:\Users\Alan\AppData\Local\Temp\tmp2589.exe
          C:\Users\Alan\AppData\Local\Temp\vlc-2.1.2-win64.exe
          C:\Users\Alan\AppData\Local\Temp\_isA581.exe
          C:\Users\Alan\AppData\Local\Temp\_isC985.exe
          Folder: C:\Users\Public\Documents\Report
          Replace: C:\Windows\winsxs\amd64_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_2b5e71b083fc0973\user32.dll C:\Windows\SysWOW64\User32.dll
          end

      • Click File, Save As and type fixlist.txt as the File Name. Save the file to your USB drive.
        NOTICE: This script is intended for use on this particular machine. Do not use this script on any other machine; doing so may cause damage to your Operating System.
      • Enter the Recovery Environment just as you did before.
      • Run FRST just as you did before.
      • Click the Fix button once.
      • A log (Fixlog.txt) will be created on your USB drive.
      • Attempt to boot normally into Windows. Does the PC boot normally?
      • Copy the contents of Fixlog.txt and paste in your next reply (either using the infected PC or clean PC).
  21. Please upload the log to my channel. Do you experience issues with just the ComputerAdministator profile? What about your other two profiles?