Everything posted by Pleasehelp0234

  1. No more questions, just going to fully re-read everything you just sent.
  2. Well, thank you Aura for all the help you've given me with this. I will try to decide what to do. I don't have any credit cards saved on this so that's good.
  3. So if you're saying I have a backdoor trojan, should I just re-format the system disk and start from scratch then?
  4. 1. The icon is no longer there. 2. I have uninstalled the program you listed above. 3. Fixlog.txt pasted: 4. the EEKs clean log: Emsisoft Emergency Kit - Version 2017.2 Quarantine log Date Source Event Detection 3/3/2017 9:53:37 PM C:\Users\Owner\Desktop\fff\asshurt.dll Moved to quarantine Gen:Variant.Graftor.272182 (B)
  5. After clicking on the link you gave me, I used the Malwarebytes Anti-Malware. I then did what you asked and used FRST. Addition.txt FRST.txt
  6. NanoCore client has appeared in my system tray and hides itself as Microsoft .NET Services Installation Tool in task manager. But the clear logo gives it away. I looked at an older post, I ran first and used the txt file the helper gave. On restart Nanocore is still here. Please help me. Fixlog.txt