Rhisk
Members, 4 posts

Everything posted by Rhisk

  1. FRST did not reboot my computer during the fix, only prompted me to do so. I wasn't sure if I should but I have done it now. There was no cmd on startup anymore and I scanned again with Malwarebytes, which showed no threats. I can now also open my own cmd, which I couldn't do before, but the hijacked key is still in the quarantine so it might be that. Can I delete it from there now?
  2. Thank you for helping me, you are the best! Should I reboot or not, seeing as that is where it might break again?

     Fix result of Farbar Recovery Scan Tool (x64) Version: 29-11-2017
     Ran by Richard (29-11-2017 17:02:10) Run:1
     Running from C:\Users\Richard\Downloads
     Loaded Profiles: Richard (Available Profiles: defaultuser0 & Richard)
     Boot Mode: Normal
     ==============================================

     fixlist content:
     *****************
     CloseProcesses:
     CreateRestorePoint:
     HKU\S-1-5-21-406179256-1937463932-1247465908-1001\...\Winlogon: [Shell] C:\Windows\System32\cmd.exe [272896 2017-09-29] (Microsoft Corporation) <==== ATTENTION
     GroupPolicyUsers\S-1-5-21-406179256-1937463932-1247465908-1001\User: Restriction <==== ATTENTION
     Task: {27D3B2AA-1288-4AF6-9C6E-8E97FF5B2688} - \ThunderMaster -> No File <==== ATTENTION
     Task: {BEF6100E-7F70-4C5F-8FA3-744B0AACC337} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION
     FirewallRules: [UDP Query User{A2BA608F-E26E-4141-8D84-2674BE2E59AF}C:\users\richard\appdata\local\temp\i1505837427\windows\resource\jre\bin\javaw.exe] => (Allow) C:\users\richard\appdata\local\temp\i1505837427\windows\resource\jre\bin\javaw.exe
     FirewallRules: [TCP Query User{2889C72F-6B72-4845-A4C4-40E0BCC294D8}C:\users\richard\appdata\local\temp\i1505837427\windows\resource\jre\bin\javaw.exe] => (Allow) C:\users\richard\appdata\local\temp\i1505837427\windows\resource\jre\bin\javaw.exe
     FirewallRules: [TCP Query User{41E1112E-341F-4FC8-ACDB-C39AEBB28E30}C:\users\richard\appdata\local\temp\netease-tianyu.exe] => (Allow) C:\users\richard\appdata\local\temp\netease-tianyu.exe
     FirewallRules: [UDP Query User{A18CE93C-7482-40D4-9D4F-15FEC185A0FB}C:\users\richard\appdata\local\temp\netease-tianyu.exe] => (Allow) C:\users\richard\appdata\local\temp\netease-tianyu.exe
     FirewallRules: [TCP Query User{8C6F3F92-9FFE-4DA5-918C-2FD6289626A6}C:\users\richard\appdata\local\temp\i1477330015\windows\resource\jre\bin\javaw.exe] => (Allow) C:\users\richard\appdata\local\temp\i1477330015\windows\resource\jre\bin\javaw.exe
     FirewallRules: [UDP Query User{48DA146F-9033-4458-A020-CBD282913A56}C:\users\richard\appdata\local\temp\i1477330015\windows\resource\jre\bin\javaw.exe] => (Allow) C:\users\richard\appdata\local\temp\i1477330015\windows\resource\jre\bin\javaw.exe
     FirewallRules: [TCP Query User{51E8C798-3706-4B7F-B4D5-E4A8CC536597}C:\users\richard\appdata\local\temp\i1479238435\windows\resource\jre\bin\javaw.exe] => (Allow) C:\users\richard\appdata\local\temp\i1479238435\windows\resource\jre\bin\javaw.exe
     FirewallRules: [UDP Query User{485BC9C2-4330-41C8-9467-ECBEF26FEE4C}C:\users\richard\appdata\local\temp\i1479238435\windows\resource\jre\bin\javaw.exe] => (Allow) C:\users\richard\appdata\local\temp\i1479238435\windows\resource\jre\bin\javaw.exe
     FirewallRules: [TCP Query User{4FDB2B14-DA48-4E0A-B1E2-6A85D2673C10}C:\users\richard\appdata\local\temp\i1480275127\windows\resource\jre\bin\javaw.exe] => (Allow) C:\users\richard\appdata\local\temp\i1480275127\windows\resource\jre\bin\javaw.exe
     FirewallRules: [UDP Query User{376CCD2A-E709-49F5-8C35-917F9BF552F1}C:\users\richard\appdata\local\temp\i1480275127\windows\resource\jre\bin\javaw.exe] => (Allow) C:\users\richard\appdata\local\temp\i1480275127\windows\resource\jre\bin\javaw.exe
     FirewallRules: [TCP Query User{120FE2FA-182D-4384-88B5-EED7F00A1C55}C:\users\richard\appdata\local\temp\i1485964418\windows\resource\jre\bin\javaw.exe] => (Allow) C:\users\richard\appdata\local\temp\i1485964418\windows\resource\jre\bin\javaw.exe
     FirewallRules: [UDP Query User{9AD8A5A4-718C-4906-962A-94C21C977106}C:\users\richard\appdata\local\temp\i1485964418\windows\resource\jre\bin\javaw.exe] => (Allow) C:\users\richard\appdata\local\temp\i1485964418\windows\resource\jre\bin\javaw.exe
     C:\Users\Richard\AppData\Local\updater.log
     C:\Users\Richard\AppData\Local\UserProducts.xml
     C:\Users\Richard\AppData\Roaming\Microsoft\SoundMixer
     EmptyTemp:
     *****************

     Processes closed successfully.
     Restore point was successfully created.
     HKU\S-1-5-21-406179256-1937463932-1247465908-1001\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => value removed successfully
     C:\WINDOWS\system32\GroupPolicyUsers\S-1-5-21-406179256-1937463932-1247465908-1001\User => moved successfully
     HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{27D3B2AA-1288-4AF6-9C6E-8E97FF5B2688} => key removed successfully
     HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{27D3B2AA-1288-4AF6-9C6E-8E97FF5B2688} => key removed successfully
     HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ThunderMaster => key not found
     HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{BEF6100E-7F70-4C5F-8FA3-744B0AACC337} => key removed successfully
     HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{BEF6100E-7F70-4C5F-8FA3-744B0AACC337} => key removed successfully
     HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UNP\RunCampaignManager => key not found
     HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{A2BA608F-E26E-4141-8D84-2674BE2E59AF}C:\users\richard\appdata\local\temp\i1505837427\windows\resource\jre\bin\javaw.exe => value removed successfully
     HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{2889C72F-6B72-4845-A4C4-40E0BCC294D8}C:\users\richard\appdata\local\temp\i1505837427\windows\resource\jre\bin\javaw.exe => value removed successfully
     HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{41E1112E-341F-4FC8-ACDB-C39AEBB28E30}C:\users\richard\appdata\local\temp\netease-tianyu.exe => value removed successfully
     HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{A18CE93C-7482-40D4-9D4F-15FEC185A0FB}C:\users\richard\appdata\local\temp\netease-tianyu.exe => value removed successfully
     HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{8C6F3F92-9FFE-4DA5-918C-2FD6289626A6}C:\users\richard\appdata\local\temp\i1477330015\windows\resource\jre\bin\javaw.exe => value removed successfully
     HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{48DA146F-9033-4458-A020-CBD282913A56}C:\users\richard\appdata\local\temp\i1477330015\windows\resource\jre\bin\javaw.exe => value removed successfully
     HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{51E8C798-3706-4B7F-B4D5-E4A8CC536597}C:\users\richard\appdata\local\temp\i1479238435\windows\resource\jre\bin\javaw.exe => value removed successfully
     HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{485BC9C2-4330-41C8-9467-ECBEF26FEE4C}C:\users\richard\appdata\local\temp\i1479238435\windows\resource\jre\bin\javaw.exe => value removed successfully
     HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{4FDB2B14-DA48-4E0A-B1E2-6A85D2673C10}C:\users\richard\appdata\local\temp\i1480275127\windows\resource\jre\bin\javaw.exe => value removed successfully
     HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{376CCD2A-E709-49F5-8C35-917F9BF552F1}C:\users\richard\appdata\local\temp\i1480275127\windows\resource\jre\bin\javaw.exe => value removed successfully
     HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{120FE2FA-182D-4384-88B5-EED7F00A1C55}C:\users\richard\appdata\local\temp\i1485964418\windows\resource\jre\bin\javaw.exe => value removed successfully
     HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{9AD8A5A4-718C-4906-962A-94C21C977106}C:\users\richard\appdata\local\temp\i1485964418\windows\resource\jre\bin\javaw.exe => value removed successfully
     C:\Users\Richard\AppData\Local\updater.log => moved successfully
     C:\Users\Richard\AppData\Local\UserProducts.xml => moved successfully
     C:\Users\Richard\AppData\Roaming\Microsoft\SoundMixer => moved successfully

     =========== EmptyTemp: ==========
     BITS transfer queue => 7888896 B
     DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 20439688 B
     Java, Flash, Steam htmlcache => 366048434 B
     Windows/system/drivers => 3065448 B
     Edge => 1659567 B
     Chrome => 619463717 B
     Firefox => 420441627 B
     Opera => 0 B
     Temp, IE cache, history, cookies, recent:
     Default => 0 B
     Users => 0 B
     ProgramData => 0 B
     Public => 0 B
     systemprofile => 0 B
     systemprofile32 => 302 B
     LocalService => 0 B
     NetworkService => 28518 B
     defaultuser0 => 0 B
     Richard => 342804995 B
     RecycleBin => 0 B
     EmptyTemp: => 1.7 GB temporary data Removed.

     ================================

     The system needed a reboot.

     ==== End of Fixlog 17:02:30 ====
  3. Greetings, I had a problem where the cmd opened on startup and couldn't be opened by me after it closed automatically. I downloaded Malwarebytes and it found, to no one's surprise, a threat. I quarantined it and removed it with the program. After that I can still boot the computer, but when I try to log into my account there is only a cmd in system32 and a black screen behind it. How do I safely remove the infected file? I have restored my computer to a previous working version and quarantined the file again.

     FRST.txt
     Addition.txt
     MalwarebytesReport.txt