Everything posted by redgt00

  1. My PC was recently infected with a nasty rootkit virus. After trying everything I could find online to no avail, I came across these forums and decided to create my own thread to try and get some help. Aura was extremely patient and helpful in the removal of the malware that was on my system. The step-by-step instructions were very easy to follow and made getting rid of the virus a breeze (at least on my end). It's really great to see a community like this with dedicated members who are more than willing to help those unfortunate enough to become infected with malware. Thanks again Aura, for all your help! Keep up the good work!
  2. DelFix.txt Here's the DelFix log. Thank you again so much for your help! I read the guide above and plan to up my security a bit here. I'm not sure what I would have done without you! One last thing before you close the thread: is there anywhere on the forums or elsewhere that I can leave some feedback pertaining to you removing the malware from my system?
  3. Uninstalled Razer Synapse and now it works...gotta love Razer. Looks like all is well. Let me know if there's anything else we need to run.
  4. The only weird thing is that my Razer Naga mouse isn't working correctly. I probably need to update the drivers or something. It'll work for a second if you unplug it, but then it won't track. I'm able to use another mouse just fine though.
  5. Seems to be running great. Task Manager opens and closes normally. Also, a pop-up kept appearing every now and then and it's stopped. Fixlog.txt
  6. # AdwCleaner - Logfile created on Tue Aug 15 13:49:11 2017
     # Updated on 2017/05/08 by Malwarebytes
     # Running on Windows 10 Pro (X64)
     # Mode: clean
     # Support: https://www.malwarebytes.com/support

     ***** [ Services ] *****

     Deleted: AdAppMgrSvc

     ***** [ Folders ] *****

     No malicious folders deleted.

     ***** [ Files ] *****

     No malicious files deleted.

     ***** [ DLL ] *****

     No malicious DLLs cleaned.

     ***** [ WMI ] *****

     No malicious WMI cleaned.

     ***** [ Shortcuts ] *****

     No malicious shortcuts cleaned.

     ***** [ Tasks ] *****

     No malicious tasks deleted.

     ***** [ Registry ] *****

     Deleted: [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\cmptch.com
     Deleted: [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\static.cmptch.com
     Deleted: [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\cmptch.com
     Deleted: [Key] - HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\static.cmptch.com

     ***** [ Firefox (and derivatives) ] *****

     No malicious Firefox entries deleted.

     ***** [ Chromium (and derivatives) ] *****

     No malicious Chromium entries deleted.

     *************************

     ::Tracing keys deleted
     ::Winsock settings cleared
     ::Additional Actions: 0

     *************************

     C:/AdwCleaner/AdwCleaner[S0].txt - [3085 B] - [2014/8/28 14:26:2]
     C:/AdwCleaner/AdwCleaner[S1].txt - [918 B] - [2014/8/28 18:56:25]
     C:/AdwCleaner/AdwCleaner[S2].txt - [1252 B] - [2014/8/28 19:56:54]
     C:/AdwCleaner/AdwCleaner[S3].txt - [2021 B] - [2017/8/15 13:48:46]

     ########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt ##########

     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Junkware Removal Tool (JRT) by Malwarebytes
     Version: 8.1.4 (07.09.2017)
     Operating System: Windows 10 Pro x64
     Ran by Michael (Administrator) on Tue 08/15/2017 at 9:52:02.52
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     File System: 4

     Successfully deleted: C:\Users\Michael\AppData\Local\{B5F70934-5E12-42d2-882D-62D42EA1FA67} (Empty Folder)
     Successfully deleted: C:\WINDOWS\system32\Tasks\update-sys (Task)
     Successfully deleted: C:\WINDOWS\Tasks\update-S-1-5-21-1747559312-1166520656-3094945707-1158.job (Task)
     Successfully deleted: C:\WINDOWS\Tasks\update-sys.job (Task)

     Registry: 1

     Successfully deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\GoogleChromeAutoLaunch_1D7305B07635F8E0A4CF4B02D1C53C4D (Registry Value)

     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     Scan was completed on Tue 08/15/2017 at 9:53:08.28
     End of JRT log
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  7. I think this was the first scan I did. I didn't export right away when I first ran it. Malwarebytes quarantined a bunch of items though. I restarted, then deleted them.

     Malwarebytes
     www.malwarebytes.com

     -Log Details-
     Scan Date: 8/15/17
     Scan Time: 9:32 AM
     Log File:
     Administrator: Yes

     -Software Information-
     Version:
     Components Version: 1.0.160
     Update Package Version: 1.0.2591
     License: Free

     -System Information-
     OS: Windows 10 (Build 15063.540)
     CPU: x64
     File System: NTFS
     User: MICHAEL\Michael

     -Scan Summary-
     Scan Type: Threat Scan
     Result: Completed
     Objects Scanned: 429438
     Threats Detected: 48
     Threats Quarantined: 48
     Time Elapsed: 0 min, 52 sec

     -Scan Options-
     Memory: Enabled
     Startup: Enabled
     Filesystem: Enabled
     Archives: Enabled
     Rootkits: Disabled
     Heuristics: Enabled
     PUP: Enabled
     PUM: Enabled

     -Scan Details-
     Process: 0
     (No malicious items detected)

     Module: 0
     (No malicious items detected)

     Registry Key: 20
     RiskWare.HeuristicsReservedWordExploit, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\EXPLORER.EXE, Quarantined, [14314], [293543],1.0.2591
     RiskWare.HeuristicsReservedWordExploit, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\EXPLORER.EXE, Quarantined, [14314], [293543],1.0.2591
     Adware.DotDo.DotPrx, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\NLASVC\PARAMETERS\INTERNET\MANUALPROXIES, Quarantined, [8184], [-1],0.0.0
     Adware.DotDo.DotPrx, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\12120012, Quarantined, [8184], [397745],1.0.2591
     Adware.DotDo.DotPrx, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\36556502, Quarantined, [8184], [397745],1.0.2591
     Adware.DotDo.DotPrx, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\38266672, Quarantined, [8184], [397745],1.0.2591
     Adware.Agent.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\k36556502, Quarantined, [1396], [402167],1.0.2591
     Adware.DotDo.DotPrx, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\ts1212001212120012, Quarantined, [8184], [409656],1.0.2591
     Adware.DotDo.DotPrx, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\ts3655650236556502, Quarantined, [8184], [409656],1.0.2591
     Adware.DotDo.DotPrx, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\ts3826667238266672, Quarantined, [8184], [409656],1.0.2591
     Adware.DotDo.DotPrx, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\tsk36556502k36556502, Quarantined, [8184], [397782],1.0.2591
     Adware.RunBooster, HKLM\SOFTWARE\RunBooster, Quarantined, [1849], [368690],1.0.2591
     Adware.DotDo.DotPrx, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{1A70C4B9-BA14-4F76-A67E-707419B1BF3A}, Quarantined, [8184], [409657],1.0.2591
     Adware.DotDo.DotPrx, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{442E8B2C-0659-460E-9FEE-878276FEE26D}, Quarantined, [8184], [397783],1.0.2591
     Adware.DotDo.DotPrx, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{5F461F21-99F7-4B51-AFA2-7FF3F62ACB01}, Quarantined, [8184], [409657],1.0.2591
     Adware.Agent.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{BEBCFF10-860C-47E8-9E6F-A717CDA4589E}, Quarantined, [1396], [402166],1.0.2591
     Adware.DotDo.DotPrx, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{CC4BF669-D840-44BC-B0B8-7BC9694DBD4A}, Quarantined, [8184], [407483],1.0.2591
     Adware.DotDo.DotPrx, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{E632E518-04C1-4CD3-BD7A-C6D6A3B054AA}, Quarantined, [8184], [407483],1.0.2591
     Adware.DotDo.DotPrx, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{E7291D11-282E-42FE-BA03-4F92A9E6203D}, Quarantined, [8184], [407483],1.0.2591
     Adware.DotDo.DotPrx, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{F422851C-75B0-4A6F-B906-D128A3C1F85F}, Quarantined, [8184], [409657],1.0.2591

     Registry Value: 12
     Adware.DotDo.DotPrx, HKU\S-1-5-18\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYENABLE, Quarantined, [8184], [-1],0.0.0
     Adware.DotDo.DotPrx, HKU\S-1-5-21-1747559312-1166520656-3094945707-1158\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYENABLE, Quarantined, [8184], [-1],0.0.0
     Adware.DotDo.DotPrx, HKU\S-1-5-21-1747559312-1166520656-3094945707-1158\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYOVERRIDE, Quarantined, [8184], [-1],0.0.0
     Adware.DotDo.DotPrx, HKU\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYENABLE, Quarantined, [8184], [-1],0.0.0
     Adware.DotDo.DotPrx, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{1A70C4B9-BA14-4F76-A67E-707419B1BF3A}|PATH, Quarantined, [8184], [409657],1.0.2591
     Adware.DotDo.DotPrx, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{442E8B2C-0659-460E-9FEE-878276FEE26D}|PATH, Quarantined, [8184], [397783],1.0.2591
     Adware.DotDo.DotPrx, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{5F461F21-99F7-4B51-AFA2-7FF3F62ACB01}|PATH, Quarantined, [8184], [409657],1.0.2591
     Adware.Agent.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{BEBCFF10-860C-47E8-9E6F-A717CDA4589E}|PATH, Quarantined, [1396], [402166],1.0.2591
     Adware.DotDo.DotPrx, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{CC4BF669-D840-44BC-B0B8-7BC9694DBD4A}|PATH, Quarantined, [8184], [407483],1.0.2591
     Adware.DotDo.DotPrx, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{E632E518-04C1-4CD3-BD7A-C6D6A3B054AA}|PATH, Quarantined, [8184], [407483],1.0.2591
     Adware.DotDo.DotPrx, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{E7291D11-282E-42FE-BA03-4F92A9E6203D}|PATH, Quarantined, [8184], [407483],1.0.2591
     Adware.DotDo.DotPrx, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{F422851C-75B0-4A6F-B906-D128A3C1F85F}|PATH, Quarantined, [8184], [409657],1.0.2591

     Registry Data: 0
     (No malicious items detected)

     Data Stream: 0
     (No malicious items detected)

     Folder: 0
     (No malicious items detected)

     File: 16
     HackTool.FilePatch, C:\$RECYCLE.BIN\S-1-5-21-1747559312-1166520656-3094945707-1158\$R2H4TMJ.EXE, Quarantined, [7440], [281135],1.0.2591
     RiskWare.HeuristicsReservedWordExploit, C:\USERS\MICHAEL\DESKTOP\EXPLORER.EXE, Quarantined, [14314], [293543],1.0.2591
     Adware.Yelloader, C:\USERS\MICHAEL\APPDATA\LOCAL\TEMP\1502733990\S5-20170325.ZIP, Quarantined, [1351], [425787],1.0.2591
     Trojan.Clicker, C:\USERS\MICHAEL\APPDATA\LOCAL\TEMP\1502733990\S5M_INSTALL_325.ZIP, Quarantined, [21], [387412],1.0.2591
     Adware.Yelloader, C:\USERS\MICHAEL\APPDATA\LOCAL\TEMP\460303562\IC-0.E1E2FB11073BA.EXE, Quarantined, [1351], [421829],1.0.2591
     Adware.Yelloader, C:\USERS\MICHAEL\APPDATA\LOCAL\TEMP\1502733990\S5-20170325.EXE, Quarantined, [1351], [425787],1.0.2591
     Adware.Yelloader, C:\USERS\MICHAEL\APPDATA\LOCAL\TEMP\460064906\IC-0.AE6FEC9CD148D.EXE, Quarantined, [1351], [421829],1.0.2591
     Trojan.Clicker, C:\USERS\MICHAEL\APPDATA\LOCAL\TEMP\1502733990\S5M_INSTALL_325.EXE, Quarantined, [21], [387412],1.0.2591
     Adware.DotDo.DotPrx, C:\WINDOWS\SYSTEM32\TASKS\12120012, Quarantined, [8184], [410000],1.0.2591
     Adware.DotDo.DotPrx, C:\WINDOWS\SYSTEM32\TASKS\36556502, Quarantined, [8184], [410000],1.0.2591
     Adware.DotDo.DotPrx, C:\WINDOWS\SYSTEM32\TASKS\38266672, Quarantined, [8184], [410000],1.0.2591
     Adware.DotDo.DotPrx, C:\WINDOWS\SYSTEM32\TASKS\ts1212001212120012, Quarantined, [8184], [409999],1.0.2591
     Adware.DotDo.DotPrx, C:\WINDOWS\SYSTEM32\TASKS\ts3655650236556502, Quarantined, [8184], [409999],1.0.2591
     Adware.DotDo.DotPrx, C:\WINDOWS\SYSTEM32\TASKS\ts3826667238266672, Quarantined, [8184], [409999],1.0.2591
     Adware.DotDo.DotPrx, C:\WINDOWS\SYSTEM32\TASKS\tsk36556502k36556502, Quarantined, [8184], [397781],1.0.2591
     Adware.Agent.Generic, C:\WINDOWS\SYSTEM32\TASKS\k36556502, Quarantined, [1396], [402165],1.0.2591

     Physical Sector: 0
     (No malicious items detected)

     (end)
  8. Ok, I've got the installation media created. I'll boot from it tomorrow and run a scan with FRST. Do I need to install FRST on the same USB drive as the recovery media?
  9. I'm just not having any luck with it :/ I'm gonna head home and will bring the 8GB stick back to the office in the morning. Let me know what the next step is when you get a chance. I could maybe create the recovery media at home so it's ready to go when I get to work. I've read a lot of posts and it seems that it's gotten harder and harder to get rid of. I really do appreciate you taking the time to help me out here.
  10. Maybe I'm just doing it wrong? Seems straightforward. Power off, then turn it right back on a few times.
  11. Yea, the computer boot menu. It lets me select which drive to boot from or enter into BIOS settings.
  12. Same thing. Goes right to lock screen and boots normally. I am able to get into the boot menu by hitting F11. I didn't see any way to get into recovery mode from there though.
  13. No, it doesn't ask me anything. It restarts and goes straight to the login screen.
  14. Microsoft Windows [Version 10.0.15063]
      (c) 2017 Microsoft Corporation. All rights reserved.

      C:\WINDOWS\system32>bcdedit

      Windows Boot Manager
      --------------------
      identifier              {bootmgr}
      device                  partition=\Device\HarddiskVolume2
      description             Windows Boot Manager
      locale                  en-US
      inherit                 {globalsettings}
      default                 {current}
      resumeobject            {6cae4a1a-767d-11e7-8356-a4a36db125b3}
      displayorder            {current}
      toolsdisplayorder       {memdiag}
      timeout                 0
      displaybootmenu         Yes

      Windows Boot Loader
      -------------------
      identifier              {current}
      device                  partition=C:
      path                    \WINDOWS\system32\winload.exe
      description             Windows 10
      locale                  en-US
      inherit                 {bootloadersettings}
      recoverysequence        {9674cd71-767d-11e7-8356-a4a36db125b3}
      displaymessageoverride  Recovery
      recoveryenabled         Yes
      allowedinmemorysettings 0x15000075
      osdevice                partition=C:
      systemroot              \WINDOWS
      resumeobject            {6cae4a1a-767d-11e7-8356-a4a36db125b3}
      nx                      OptIn
      bootmenupolicy          Standard

      C:\WINDOWS\system32>
  15. hmmm, when I do that it just reboots my PC normally. Aren't I supposed to get a blue recovery screen with options?
  16. What's the easiest way to get into recovery mode? Having some trouble here. Everything just restarts my PC
  17. Fix result of Farbar Recovery Scan Tool (x64) Version: 12-08-2017
      Ran by Michael (14-08-2017 19:51:26) Run:2
      Running from C:\Users\Michael\Desktop
      Loaded Profiles: Michael (Available Profiles: Michael)
      Boot Mode: Normal
      ==============================================

      fixlist content:
      *****************
      CMD: bcdedit.exe /set {bootmgr} displaybootmenu yes
      CMD: bcdedit.exe /set {default} recoveryenabled yes
      *****************

      ========= bcdedit.exe /set {bootmgr} displaybootmenu yes =========

      The operation completed successfully.

      ========= End of CMD: =========

      ========= bcdedit.exe /set {default} recoveryenabled yes =========

      The operation completed successfully.

      ========= End of CMD: =========

      ==== End of Fixlog 19:51:26 ====