HELP! COMPUTER INFECTED WITH Trojan:Win64/patched.az.gen!dll



I AM USING WINDOWS 10. I TRIED REMOVING WITH MALWAREBYTES, AVG, AND WINDOWS DEFENDER. STILL NO LUCK. BELOW IS THE FRST AND ADDITIONAL INFO TXT.
 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:10-01-2015 01
Ran by Andre Allen (administrator) on DESKTOP-EHK0A8M (12-01-2016 02:19:18)
Running from C:\Users\Andre Allen\Downloads
Loaded Profiles: Andre Allen (Available Profiles: Andre Allen)
Platform: Windows 10 Home Version 1511 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgrsa.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgcsrva.exe
(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe
(Cisco Systems, Inc.) C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Andrea Electronics Corporation) C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgidsagent.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgwdsvcx.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Framework\Common\avgsvca.exe
(Splashtop Inc.) C:\Program Files (x86)\Splashtop\Splashtop Software Updater\SSUService.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe
(Popcorn Time) C:\Program Files (x86)\Popcorn Time\Updater.exe
(Rosetta Stone Ltd.) C:\Program Files (x86)\RosettaStoneLtdServices\RosettaStoneDaemon.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgnsa.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgemca.exe
(Microsoft Corporation) C:\Windows\System32\wscript.exe
(Enigma Software Group USA, LLC.) C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter4.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Intel Corporation) C:\Windows\System32\igfxEM.exe
(Intel Corporation) C:\Windows\System32\igfxHK.exe
() C:\Windows\System32\igfxTray.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(Skype Technologies S.A.) C:\Program Files (x86)\Skype\Phone\Skype.exe
(Cisco Systems, Inc.) C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Framework\Common\avguix.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgui.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Framework\Common\avguix.exe
(Microsoft Corporation) C:\Windows\System32\cmd.exe
() C:\ProgramData\SsiRecord\goloaderstart.exe
(Microsoft Corporation) C:\Windows\System32\wbem\WMIADAP.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [8505088 2015-09-10] (Realtek Semiconductor)
HKLM\...\Run: [RtHDVBg] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1402624 2015-09-10] (Realtek Semiconductor)
HKLM\...\Run: [synTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [3944136 2015-07-17] (Synaptics Incorporated)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [170256 2015-12-17] (Apple Inc.)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [Mirroring360] => C:\Program Files (x86)\Mirroring360\Mirroring360.exe [22577112 2015-11-03] (Splashtop Inc.)
HKLM-x32\...\Run: [Cisco AnyConnect Secure Mobility Agent for Windows] => C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe [975248 2015-11-27] (Cisco Systems, Inc.)
HKLM-x32\...\Run: [AvgUi] => C:\Program Files (x86)\AVG\Framework\Common\avguix.exe [1139112 2015-12-08] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [AVG_UI] => C:\Program Files (x86)\AVG\Av\avgui.exe [3874216 2015-12-16] (AVG Technologies CZ, s.r.o.)
HKU\S-1-5-21-2096938433-3674504870-3931817872-1001\...\Run: [Remote Mouse] => C:\Program Files (x86)\Remote Mouse\RemoteMouse.exe [837632 2015-11-18] (RemoteMouse.net)
HKU\S-1-5-21-2096938433-3674504870-3931817872-1001\...\Run: [skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [50755200 2015-12-08] (Skype Technologies S.A.)
HKU\S-1-5-21-2096938433-3674504870-3931817872-1001\...\Run: [spark] => C:\Program Files (x86)\Spark\Spark.exe [434176 2007-11-14] (Jive Software)
HKU\S-1-5-21-2096938433-3674504870-3931817872-1001\...\Run: [Google Update] => C:\Users\Andre Allen\AppData\Local\Google\Update\GoogleUpdate.exe [144200 2016-01-11] (Google Inc.)
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76
Tcpip\..\Interfaces\{e56f82bd-0415-4321-8f3c-dab63bcdfb47}: [DhcpNameServer] 75.75.75.75 75.75.76.76
Tcpip\..\Interfaces\{fe6be47b-0472-4c23-a3d7-7c069696c969}: [DhcpNameServer] 75.75.75.75 75.75.76.76
 
Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-2096938433-3674504870-3931817872-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
 
FireFox:
========
FF ProfilePath: C:\Users\Andre Allen\AppData\Roaming\Mozilla\Firefox\Profiles\cppnqppa.default
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF64_19_0_0_245.dll [2015-12-03] ()
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_19_0_0_245.dll [2015-12-03] ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2015-10-14] ()
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3528.0331 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2014-03-31] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.29.1\npGoogleUpdate3.dll [2015-12-02] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.29.1\npGoogleUpdate3.dll [2015-12-02] (Google Inc.)
FF Plugin HKU\S-1-5-21-2096938433-3674504870-3931817872-1001: @talk.google.com/GoogleTalkPlugin -> C:\Users\Andre Allen\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll [2015-12-08] (Google)
FF Plugin HKU\S-1-5-21-2096938433-3674504870-3931817872-1001: @talk.google.com/O1DPlugin -> C:\Users\Andre Allen\AppData\Roaming\Mozilla\plugins\npo1d.dll [2015-12-08] (Google)
FF Plugin HKU\S-1-5-21-2096938433-3674504870-3931817872-1001: @tools.google.com/Google Update;version=3 -> C:\Users\Andre Allen\AppData\Local\Google\Update\1.3.29.1\npGoogleUpdate3.dll [2016-01-11] (Google Inc.)
FF Plugin HKU\S-1-5-21-2096938433-3674504870-3931817872-1001: @tools.google.com/Google Update;version=9 -> C:\Users\Andre Allen\AppData\Local\Google\Update\1.3.29.1\npGoogleUpdate3.dll [2016-01-11] (Google Inc.)
FF Plugin ProgramFiles/Appdata: C:\Users\Andre Allen\AppData\Roaming\mozilla\plugins\npgoogletalk.dll [2015-12-08] (Google)
FF Plugin ProgramFiles/Appdata: C:\Users\Andre Allen\AppData\Roaming\mozilla\plugins\npo1d.dll [2015-12-08] (Google)
FF Extension: Adblock Plus - C:\Users\Andre Allen\AppData\Roaming\Mozilla\Firefox\Profiles\cppnqppa.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2016-01-10]
 
Chrome: 
=======
CHR Profile: C:\Users\Andre Allen\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\Andre Allen\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-09-10]
CHR Extension: (Google Docs) - C:\Users\Andre Allen\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-09-10]
CHR Extension: (Google Drive) - C:\Users\Andre Allen\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-10-27]
CHR Extension: (YouTube) - C:\Users\Andre Allen\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-09-28]
CHR Extension: (Google Cast) - C:\Users\Andre Allen\AppData\Local\Google\Chrome\User Data\Default\Extensions\boadgeojelhgndaghljhdicfkmllpafd [2015-12-13]
CHR Extension: (Google Search) - C:\Users\Andre Allen\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-10-27]
CHR Extension: (MightyText - SMS from PC & Text from Computer) - C:\Users\Andre Allen\AppData\Local\Google\Chrome\User Data\Default\Extensions\dkfhfaphfkopdgpbfkebjfcblcafcmpi [2016-01-06]
CHR Extension: (Google Sheets) - C:\Users\Andre Allen\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-09-10]
CHR Extension: (Google Docs Offline) - C:\Users\Andre Allen\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2015-11-20]
CHR Extension: (AdBlock) - C:\Users\Andre Allen\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2016-01-10]
CHR Extension: (GetThemAll Video Downloader) - C:\Users\Andre Allen\AppData\Local\Google\Chrome\User Data\Default\Extensions\nbkekaeindpfpcoldfckljplboolgkfm [2015-12-22]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Andre Allen\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2015-09-10]
CHR Extension: (WebRTC Block) - C:\Users\Andre Allen\AppData\Local\Google\Chrome\User Data\Default\Extensions\nphkkbaidamjmhfanlpblblcadhfbkdm [2016-01-01]
CHR Extension: (Gmail) - C:\Users\Andre Allen\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-09-10]
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [77104 2015-10-07] (Apple Inc.)
S3 AvgAMPS; C:\Program Files (x86)\AVG\Av\avgamps.exe [627544 2015-12-16] (AVG Technologies CZ, s.r.o.)
R2 AVGIDSAgent; C:\Program Files (x86)\AVG\Av\avgidsagent.exe [3902984 2015-12-16] (AVG Technologies CZ, s.r.o.)
R2 avgsvc; C:\Program Files (x86)\AVG\Framework\Common\avgsvca.exe [1049000 2015-12-08] (AVG Technologies CZ, s.r.o.)
R2 avgwd; C:\Program Files (x86)\AVG\Av\avgwdsvcx.exe [583936 2015-12-16] (AVG Technologies CZ, s.r.o.)
R2 igfxCUIService2.0.0.0; C:\Windows\system32\igfxCUIService.exe [373160 2015-12-30] (Intel Corporation)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1135416 2015-10-05] (Malwarebytes)
R2 Net Driver HPZ12; C:\Windows\System32\HPZinw12.dll [50688 2013-05-16] (Hewlett-Packard) [File not signed]
R2 Pml Driver HPZ12; C:\Windows\System32\HPZipm12.dll [66048 2013-05-16] (Hewlett-Packard) [File not signed]
R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [303360 2015-09-10] (Realtek Semiconductor)
S2 SpyHunter 4 Service; C:\Program Files\Enigma Software Group\SpyHunter\SH4Service.exe [1045376 2016-01-11] (Enigma Software Group USA, LLC.)
R2 SynTPEnhService; C:\Program Files\Synaptics\SynTP\SynTPEnhService.exe [246472 2015-07-17] (Synaptics Incorporated)
R2 Update service; C:\Program Files (x86)\Popcorn Time\Updater.exe [339968 2015-10-19] (Popcorn Time) [File not signed]
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [364464 2015-10-30] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [24864 2015-10-30] (Microsoft Corporation)
S2 Dytey; "C:\Users\Andre Allen\AppData\Roaming\JalsoXaohcec\Coakydh.exe" -cms [X]
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S0 Avgboota; C:\Windows\System32\DRIVERS\avgboota.sys [23152 2015-09-09] (AVG Technologies CZ, s.r.o.)
R1 Avgdiska; C:\Windows\System32\DRIVERS\avgdiska.sys [184240 2015-11-06] (AVG Technologies CZ, s.r.o.)
R1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [315312 2015-12-04] (AVG Technologies CZ, s.r.o.)
R0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [298416 2015-08-20] (AVG Technologies CZ, s.r.o.)
R1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [284080 2015-10-21] (AVG Technologies CZ, s.r.o.)
R0 Avgloga; C:\Windows\System32\DRIVERS\avgloga.sys [398256 2015-08-14] (AVG Technologies CZ, s.r.o.)
R0 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [258480 2015-12-04] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [42416 2015-12-04] (AVG Technologies CZ, s.r.o.)
R1 Avgwfpa; C:\Windows\system32\DRIVERS\avgwfpa.sys [315840 2015-12-16] (AVG Technologies CZ, s.r.o.)
S3 EsgScanner; C:\Windows\System32\DRIVERS\EsgScanner.sys [22704 2016-01-11] ()
R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [25816 2015-10-05] (Malwarebytes)
S3 MBAMSwissArmy; C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [192216 2016-01-12] (Malwarebytes)
S3 MBAMWebAccessControl; C:\WINDOWS\system32\drivers\mwac.sys [64216 2015-10-05] (Malwarebytes Corporation)
R3 MEIx64; C:\Windows\system32\DRIVERS\TeeDriverx64.sys [99288 2013-12-20] (Intel Corporation)
S3 RSP2STOR; C:\Windows\system32\DRIVERS\RtsP2Stor.sys [310528 2015-06-05] (Realtek Semiconductor Corp.)
R3 RTWlanE; C:\Windows\system32\DRIVERS\rtwlane.sys [4629744 2015-09-17] (Realtek Semiconductor Corporation                           )
R3 SmbDrvI; C:\Windows\system32\DRIVERS\Smb_driver_Intel.sys [42696 2015-07-17] (Synaptics Incorporated)
R3 torguardtap0901; C:\Windows\System32\drivers\torguardtap0901.sys [39840 2015-11-10] (The OpenVPN Project)
S3 vpnva; C:\Windows\System32\drivers\vpnva64-6.sys [52592 2015-11-27] (Cisco Systems, Inc.)
S3 WdBoot; C:\Windows\system32\drivers\WdBoot.sys [44568 2015-10-30] (Microsoft Corporation)
S3 WdFilter; C:\Windows\system32\drivers\WdFilter.sys [293216 2015-10-30] (Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [118112 2015-10-30] (Microsoft Corporation)
R3 WirelessButtonDriver64; C:\Windows\System32\drivers\WirelessButtonDriver64.sys [30544 2015-09-10] (HP)
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-01-12 02:19 - 2016-01-12 02:19 - 00016277 _____ C:\Users\Andre Allen\Downloads\FRST.txt
2016-01-12 02:19 - 2016-01-12 02:19 - 00000000 ____D C:\FRST
2016-01-12 02:18 - 2016-01-12 02:18 - 02370560 _____ (Farbar) C:\Users\Andre Allen\Downloads\FRST64.exe
2016-01-11 17:42 - 2016-01-11 17:42 - 00927824 _____ (Google Inc.) C:\Users\Andre Allen\Downloads\GoogleVoiceAndVideoSetup (2).exe
2016-01-11 17:41 - 2016-01-11 17:46 - 00000964 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-2096938433-3674504870-3931817872-1001UA.job
2016-01-11 17:41 - 2016-01-11 17:46 - 00000912 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskUserS-1-5-21-2096938433-3674504870-3931817872-1001Core.job
2016-01-11 17:41 - 2016-01-11 17:41 - 00927824 _____ (Google Inc.) C:\Users\Andre Allen\Downloads\GoogleVoiceAndVideoSetup.exe
2016-01-11 17:41 - 2016-01-11 17:41 - 00927824 _____ (Google Inc.) C:\Users\Andre 
 
FULL INFO ATTACHED

Addition.txt

FRST.txt

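As an added example that is not part of this thread or of the FRST tool: a small Python triage script that reads FRST-style log lines like the ones posted above and lists the entries a helper would examine first (FRST's own [X], ATTENTION and "No File" markers, unsigned or vendor-less binaries, autostart entries that run from user-writable directories or launch scripts). The sample lines are copied from the log above; the heuristics are my own, and the flags are prompts for a human reviewer, not verdicts.

```python
"""Triage helper for Farbar Recovery Scan Tool (FRST) log lines.

Constructed example for this thread; it is not part of FRST or of the
posts above.  It reads FRST-style lines and reports the entries a helper
would look at first, with the reason for each flag.  Flags are prompts
for a human reviewer, not verdicts: plenty of legitimate software runs
from AppData or ships unsigned.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Markers FRST itself puts on entries it could not verify or resolve.
FRST_MARKERS = {
    "[X]": "FRST marked [X] (file missing or could not be verified)",
    "ATTENTION": "FRST marked ATTENTION",
    "-> No File": "scheduled task points to a file that no longer exists",
    "[File not signed]": "binary carries no digital signature",
}

# Locations a standard user can write to without elevation.
USER_WRITABLE = re.compile(r"\\(AppData|ProgramData|Temp|Downloads)\\", re.I)

# Lines that describe an autostart: scheduled task, Run key, service, driver.
AUTOSTART = re.compile(r"^(Task:|HK[A-Z0-9-]*\\|[RSU]\d )")

# Script interpreters as the launch target of an autostart entry.
SCRIPT_EXT = re.compile(r"\.(bat|cmd|vbs|js|ps1)\b", re.I)

# First Windows path on the line that ends in a loadable or runnable extension.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\[\]]*?\.(?:exe|dll|sys|bat|cmd|vbs|js|ps1)\b', re.I)

# Empty vendor field: "() C:\..." for processes, "[size date] ()" for services/drivers.
EMPTY_VENDOR = re.compile(r"(^|\]\s*)\(\)")


@dataclass
class Finding:
    line: str
    path: Optional[str]
    reasons: List[str] = field(default_factory=list)


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding when the line deserves a second look, else None."""
    line = line.rstrip()
    reasons = [why for marker, why in FRST_MARKERS.items() if marker in line]
    if EMPTY_VENDOR.search(line):
        reasons.append("no company name in the file's version info")
    m = PATH_RE.search(line)
    path = m.group(0) if m else None
    if path:
        if USER_WRITABLE.search(path):
            reasons.append("executable lives in a user-writable directory")
        if AUTOSTART.match(line) and SCRIPT_EXT.search(path):
            reasons.append("autostart entry launches a script")
    return Finding(line, path, reasons) if reasons else None


def triage(lines) -> List[Finding]:
    """Triage a whole log; findings come back in log order."""
    return [f for f in (triage_line(l) for l in lines) if f is not None]


def report(lines) -> str:
    """Human-readable summary, one entry per flagged line."""
    out = []
    for f in triage(lines):
        out.append(f.line)
        for why in f.reasons:
            out.append(f"    - {why}")
    return "\n".join(out)


# Sample lines copied from the FRST.txt and fixlist posted in this thread.
SAMPLE = [
    r"(Intel Corporation) C:\Windows\System32\igfxEM.exe",
    r"() C:\ProgramData\SsiRecord\goloaderstart.exe",
    r"HKLM-x32\...\Run: [] => [X]",
    r"R2 Update service; C:\Program Files (x86)\Popcorn Time\Updater.exe [339968 2015-10-19] (Popcorn Time) [File not signed]",
    r'S2 Dytey; "C:\Users\Andre Allen\AppData\Roaming\JalsoXaohcec\Coakydh.exe" -cms [X]',
    r"S3 EsgScanner; C:\Windows\System32\DRIVERS\EsgScanner.sys [22704 2016-01-11] ()",
    r"Task: {06EF4043-BBD2-4A33-8943-4021637FC274} - \amiupdaterExd -> No File <==== ATTENTION",
    r"Task: {46A96B58-2072-42DD-8A3F-F9B482924C96} - System32\Tasks\Godpuaiz => C:\PROGRA~1\SHOPPE~1\Mipca.bat",
]

if __name__ == "__main__":
    print(report(SAMPLE))
```

Feed it a whole FRST.txt (`triage(open("FRST.txt", encoding="utf-8", errors="replace"))`) and the flagged lines are the ones worth cross-checking before anything goes into a fixlist.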

Hello and welcome!
If you've not already done so please start here and post back the 2 log files FRST.txt and Addition.txt

P2P/Piracy Warning:

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar, you must either fully uninstall it or completely disable it from running while being assisted here.
Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.
If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

Before we proceed further, please read all of the following instructions carefully.
If there is anything that you do not understand kindly ask before proceeding.
If needed please print out these instructions.

  • Please do not post logs using CODE, QUOTE, or FONT tags. Just paste them as direct text.
  • If the log is too large then you can use attachments by clicking on the More Reply Options button.
  • Please enable your system to show hidden files: How to see hidden files in Windows
  • Make sure you're subscribed to this topic:
    • Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly
  • Removing malware can be unpredictable... It is unlikely, but things can go very wrong! Please make sure you back up all files that cannot be replaced if something were to happen. You can copy them to a CD/DVD, external drive or a pen drive.
  • Please don't run any other scans, download, install or uninstall any programs unless requested by me while I'm working with you.
  • The removal of malware is not instantaneous, please be patient. Often we are also on a different Time Zone.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while following my instructions, Stop there and tell me the exact nature of the issue.
  • When we are done, I'll give you instructions on how to clean up all the tools and logs.
  • Please stick with me until I give you the "all clear", and please don't waste my time by leaving before that.
  • Your topic will be closed if you haven't replied within 3 days.
  • (If I have not responded within 24 hours, please send me a Private Message as a reminder)

 

 

Please move the FRST64.exe file from your Downloads folder to your Desktop.

Download the attached fixlist.txt file and save it to the Desktop.  Fixlist.txt

NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running it on another machine may cause damage to your operating system.

Run FRST64 by right clicking on the FRST64.exe file and selecting "Run as Administrator". The User Account Control prompt may open; if it does, select Yes to continue and let FRST open and load.

The tool will check for an updated version of itself every time it loads; please allow it to do this. The program will either inform you it is downloading an updated copy (and to wait until it is safe to continue) or show that it is ready to use (meaning no update was found), and you can continue on. Press the Fix button just once and wait. The tool will create a restore point, process the script and ask for a restart of your system.


If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.

When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post the log in your next reply.
 


THANKS I HAVE COMPLETED THE PREVIOUS STEP. THE FIXLOG IS PASTED BELOW.
 

Fix result of Farbar Recovery Scan Tool (x64) Version:10-01-2015 01
Ran by Andre Allen (2016-01-12 07:49:52) Run:1
Running from C:\Users\Andre Allen\Desktop
Loaded Profiles: Andre Allen (Available Profiles: Andre Allen)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
Start
CreateRestorePoint:
CloseProcesses:
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [Mirroring360] => C:\Program Files (x86)\Mirroring360\Mirroring360.exe [22577112 2015-11-03] (Splashtop Inc.)
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-2096938433-3674504870-3931817872-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
CHR Extension: (Google Drive) - C:\Users\Andre Allen\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-10-27]
CHR Extension: (Google Search) - C:\Users\Andre Allen\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-10-27]
S2 Dytey; "C:\Users\Andre Allen\AppData\Roaming\JalsoXaohcec\Coakydh.exe" -cms [X]
C:\Users\Andre Allen\AppData\Roaming\JalsoXaohcec
2016-01-10 23:38 - 2016-01-10 23:38 - 00003426 _____ C:\WINDOWS\System32\Tasks\Rutem
2016-01-10 23:36 - 2016-01-10 23:36 - 00002560 _____ C:\Users\Andre Allen\AppData\Local\uninstall.exe
2016-01-10 23:35 - 2016-01-10 23:41 - 00004800 _____ C:\WINDOWS\SysWOW64\Lhnahl.ini
2016-01-10 23:35 - 2016-01-10 23:41 - 00002520 _____ C:\WINDOWS\SysWOW64\LhnahlOff.ini
2016-01-10 23:35 - 2016-01-10 23:41 - 00002520 _____ C:\WINDOWS\system32\LhnahlOff.ini
2016-01-10 23:35 - 2016-01-10 20:59 - 00768368 _____ C:\WINDOWS\system32\Lhnahl64.dll
2016-01-10 23:34 - 2016-01-11 00:15 - 00000000 ____D C:\Users\Andre Allen\AppData\LocalLow\Company
2016-01-10 23:34 - 2016-01-10 23:35 - 00000000 ____D C:\Users\Andre Allen\AppData\Local\Tempfolder
2016-01-10 23:34 - 2016-01-10 23:34 - 00003432 _____ C:\WINDOWS\System32\Tasks\Godpuaiz
2016-01-10 23:34 - 2016-01-10 23:34 - 00000000 ____D C:\ProgramData\19a87fa1ec024bbcbb41931263354405
2016-01-10 23:36 - 2016-01-10 23:36 - 0002560 _____ () C:\Users\Andre Allen\AppData\Local\uninstall.exe
C:\Users\Andre Allen\AppData\Local\Temp\i4jdel0.exe
C:\Users\Andre Allen\AppData\Local\Temp\SpOrder.dll
C:\Program Files (x86)\Splashtop
C:\Program Files (x86)\Mirroring360
Task: {06EF4043-BBD2-4A33-8943-4021637FC274} - \amiupdaterExd -> No File <==== ATTENTION
Task: {34437D86-3BCD-4E55-89E8-5351B44C700C} - \SwiftSearch Auto Updater 1.10.0.25 Pending Update -> No File <==== ATTENTION
Task: {41D8009A-9678-4710-9270-D7B9105AE85A} - \CIMT_daily_S-1-5-21-2096938433-3674504870-3931817872-1001 -> No File <==== ATTENTION
Task: {46A96B58-2072-42DD-8A3F-F9B482924C96} - System32\Tasks\Godpuaiz => C:\PROGRA~1\SHOPPE~1\Mipca.bat
Task: {50500551-E089-4659-91A4-9C45153E7C16} - \SwiftSearch Auto Updater 1.10.0.25 Core -> No File <==== ATTENTION
C:\PROGRA~1\SHOPPE~1
Task: {6F9F65FE-1510-4F13-933C-0DD8E7B34236} - \Inst_Rep -> No File <==== ATTENTION
Task: {82A98FC5-0717-4E0A-ACD3-FAD536C0CC4B} - \ConsumerInputUpdateTaskMachineCore -> No File <==== ATTENTION
Task: {9D0E1C1A-8EBD-44C7-A197-6AD032969D00} - \amiupdaterExi -> No File <==== ATTENTION
Task: {A6A851DC-9ED0-48E9-9186-515CE2D21A23} - \ConsumerInputUpdateTaskMachineUA -> No File <==== ATTENTION
Task: {FA34C840-4A55-430E-BD08-825323A7AA19} - \CIMT_S-1-5-21-2096938433-3674504870-3931817872-1001 -> No File <==== ATTENTION
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Lhnahl => ""="service"
cmd: ipconfig /flushdns
cmd: netsh advfirewall reset
cmd: netsh advfirewall set allprofiles state on
Reg: Reg Delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F
Reg: Reg Add "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
CMD: bitsadmin /reset /allusers
RemoveProxy:
EmptyTemp:
Reboot:
end
 
*****************
 
Restore point was successfully created.
Processes closed successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\Mirroring360 => value removed successfully
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
"HKU\S-1-5-21-2096938433-3674504870-3931817872-1001\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
C:\Users\Andre Allen\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf => moved successfully
C:\Users\Andre Allen\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf => moved successfully
Dytey => service removed successfully
"C:\Users\Andre Allen\AppData\Roaming\JalsoXaohcec" => not found.
C:\WINDOWS\System32\Tasks\Rutem => moved successfully
C:\Users\Andre Allen\AppData\Local\uninstall.exe => moved successfully
C:\WINDOWS\SysWOW64\Lhnahl.ini => moved successfully
C:\WINDOWS\SysWOW64\LhnahlOff.ini => moved successfully
C:\WINDOWS\system32\LhnahlOff.ini => moved successfully
C:\WINDOWS\system32\Lhnahl64.dll => moved successfully
C:\Users\Andre Allen\AppData\LocalLow\Company => moved successfully
C:\Users\Andre Allen\AppData\Local\Tempfolder => moved successfully
C:\WINDOWS\System32\Tasks\Godpuaiz => moved successfully
C:\ProgramData\19a87fa1ec024bbcbb41931263354405 => moved successfully
"C:\Users\Andre Allen\AppData\Local\uninstall.exe" => not found.
C:\Users\Andre Allen\AppData\Local\Temp\i4jdel0.exe => moved successfully
C:\Users\Andre Allen\AppData\Local\Temp\SpOrder.dll => moved successfully
C:\Program Files (x86)\Splashtop => moved successfully
C:\Program Files (x86)\Mirroring360 => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{06EF4043-BBD2-4A33-8943-4021637FC274}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{06EF4043-BBD2-4A33-8943-4021637FC274}" => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\amiupdaterExd => key not found. 
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{34437D86-3BCD-4E55-89E8-5351B44C700C}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{34437D86-3BCD-4E55-89E8-5351B44C700C}" => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\SwiftSearch Auto Updater 1.10.0.25 Pending Update => key not found. 
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{41D8009A-9678-4710-9270-D7B9105AE85A}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{41D8009A-9678-4710-9270-D7B9105AE85A}" => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\CIMT_daily_S-1-5-21-2096938433-3674504870-3931817872-1001 => key not found. 
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{46A96B58-2072-42DD-8A3F-F9B482924C96}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{46A96B58-2072-42DD-8A3F-F9B482924C96}" => key removed successfully
C:\WINDOWS\System32\Tasks\Godpuaiz => not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Godpuaiz" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{50500551-E089-4659-91A4-9C45153E7C16}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{50500551-E089-4659-91A4-9C45153E7C16}" => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\SwiftSearch Auto Updater 1.10.0.25 Core => key not found. 
"C:\PROGRA~1\SHOPPE~1" => not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{6F9F65FE-1510-4F13-933C-0DD8E7B34236}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6F9F65FE-1510-4F13-933C-0DD8E7B34236}" => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Inst_Rep => key not found. 
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{82A98FC5-0717-4E0A-ACD3-FAD536C0CC4B}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{82A98FC5-0717-4E0A-ACD3-FAD536C0CC4B}" => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ConsumerInputUpdateTaskMachineCore => key not found. 
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{9D0E1C1A-8EBD-44C7-A197-6AD032969D00}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{9D0E1C1A-8EBD-44C7-A197-6AD032969D00}" => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\amiupdaterExi => key not found. 
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{A6A851DC-9ED0-48E9-9186-515CE2D21A23}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A6A851DC-9ED0-48E9-9186-515CE2D21A23}" => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ConsumerInputUpdateTaskMachineUA => key not found. 
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{FA34C840-4A55-430E-BD08-825323A7AA19}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{FA34C840-4A55-430E-BD08-825323A7AA19}" => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\CIMT_S-1-5-21-2096938433-3674504870-3931817872-1001 => key not found. 
"HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Lhnahl" => key removed successfully
 
=========  ipconfig /flushdns =========
 
 
Windows IP Configuration
 
Successfully flushed the DNS Resolver Cache.
 
========= End of CMD: =========
 
 
=========  netsh advfirewall reset =========
 
Ok.
 
 
========= End of CMD: =========
 
 
=========  netsh advfirewall set allprofiles state on =========
 
Ok.
 
 
========= End of CMD: =========
 
 
========= Reg Delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F =========
 
ERROR: The system was unable to find the specified registry key or value.
 
 
========= End of Reg: =========
 
 
========= Reg Add "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F =========
 
The operation completed successfully.
 
 
 
========= End of Reg: =========
 
 
========= reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f =========
 
The operation completed successfully.
 
 
 
========= End of Reg: =========
 
 
========= reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f =========
 
The operation completed successfully.
 
 
 
========= End of Reg: =========
 
 
=========  bitsadmin /reset /allusers =========
 
 
BITSADMIN version 3.0 [ 7.8.10586 ]
BITS administration utility.
© Copyright 2000-2006 Microsoft Corp.
 
BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.
 
Unable to cancel {F015870C-2EA0-40EF-B88C-1C818617FEC1}.
0 out of 1 jobs canceled.
 
========= End of CMD: =========
 
 
========= RemoveProxy: =========
 
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully
HKU\S-1-5-21-2096938433-3674504870-3931817872-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\S-1-5-21-2096938433-3674504870-3931817872-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully
 
 
========= End of RemoveProxy: =========
 
EmptyTemp: => 352.7 MB temporary data Removed.
 
 
The system needed a reboot.
 
==== End of Fixlog 07:50:30 ====

How is your system running now?


FIRST >>>>

Junkware Removal Tool
Please download JRT from here to your desktop.

Note: Temporarily disable/shut down your protection software now to avoid potential conflicts, how to do so can be read here.

Double click the JRT.exe file to run the application.

The application will open a Command Prompt window and run from there (this is normal for this program, so do not be alarmed).

When it is asked, press any key to allow the program to continue / run.

This will create a log on the desktop; please copy and paste the JRT.txt log text in your next post.

Note: After the log file is created, please enable your protection software / reboot your system and verify your protection software is enabled.


SECOND >>>>

AdwCleaner by Xplode

Download AdwCleaner from here or from here. Save the file to the desktop.

NOTE: If you are using IE 8 or above you may get a warning that stops the program from downloading. Just click on the warning and allow the download to complete.

Close all open windows and browsers.

  • Vista/7/8 users: Right click the AdwCleaner icon on the desktop, click Run as administrator and accept the UAC prompt to run AdwCleaner.
    You will see the following console:

  • Click the Scan button and wait for the scan to finish.
  • After the Scan has finished the window may or may not show what it found and above, in the progress bar, you will see: Pending. Please uncheck elements you don't want to remove.
  • Click the Clean button.
  • Everything checked will be deleted.
  • When the program has finished cleaning a report appears.
  • Once done it may ask to reboot (depending on what it found to remove): please allow this

  • On reboot a log will be produced; please copy / paste that in your next reply. This report is also saved to C:\AdwCleaner\AdwCleaner[C#].txt

Optional:

NOTE: If you see AVG Secure Search being targeted for deletion, Here's Why and Here. You can always Reinstall it.
 

 


This is the result. The computer seems to be running better. But I want to make sure 100% the virus is gone. Do you think it is after these steps? The ADW did not find any malware so I do not have that txt. 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Junkware Removal Tool (JRT) by Malwarebytes

Version: 8.0.2 (01.06.2016)

Operating System: Windows 10 Home x64 

Ran by Andre Allen (Administrator) on Tue 01/12/2016 at 13:03:19.32

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
File System: 1 
 
Successfully deleted: C:\Users\Andre Allen\AppData\Local\installer (Folder) 
 
Registry: 0 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Scan was completed on Tue 01/12/2016 at 13:09:01.40

End of JRT log

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

If the Malwarebytes scan comes back clean then you should be better off.
 
One thing to look at is that the FRST scan shows that AVG is disabled and out-of-date.  Can you check to see that AVG loads properly when you boot the system and that it updates?
 
Also, as a final check on the system overall security, please run the following:

  • Download SecurityCheck by glax24 here and save utility on your Desktop
  • Double-click it (For Windows XP users) or right-click and choose Run As Administrator (For Windows Vista/7 users)
  • Do not block the utility by your Firewall warnings (if any).
  • Wait for the end of scan. Log SecurityCheck.txt will be open in the Notepad;
  • In case you close the Notepad you can find a log in the system root folder named SecurityCheck, for example C:\SecurityCheck\SecurityCheck.txt
  • Copy its contents to your next post.

THE AVG SEEMS TO BE WORKING FINE. WHAT ANTIVIRUS PROGRAM DO YOU RECOMMEND THAT OFFERS THE BEST PROTECTION AND THE RESULTS ARE POSTED BELOW. PLEASE LET ME KNOW IF I AM IN GOOD SHAPE.
 

SecurityCheck by glax24 v.1.4.0.32 [01.11.15]
WebSite: www.safezone.cc
DateLog: 12.01.2016 19:00:46
Path starting: C:\Users\Andre Allen\AppData\Local\Temp\SecurityCheck\SecurityCheck.exe
Log directory: C:\SecurityCheck\
IsAdmin: True
User: Andre Allen
VersionXML: 2.27is-12.01.2016
___________________________________________________________________________
 
Windows 10(6.3.10586) (x64) Core Lang: English(0409)
Installation date OS: 01.01.2016 04:38:03
LicenseStatus: Windows®, Core edition The machine is permanently activated.
Boot Mode: Normal
Default Browser: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
SystemDrive: C: FS: [NTFS] Capacity: [442.9 Gb] Used: [68.8 Gb] Free: [374.1 Gb]
------------------------------- [ Windows ] -------------------------------
Internet Explorer 11.20.10586.0
User Account Control enabled
Automatic download and scheduled installation
Windows Update (wuauserv) - The service is running
Security Center (wscsvc) - The service is running
Remote Registry (RemoteRegistry) - The service has stopped
---------------------------- [ Antivirus_WMI ] ----------------------------
Windows Defender (disabled and up to date)
AVG AntiVirus Free Edition (enabled and up to date)
--------------------------- [ FirewallWindows ] ---------------------------
Windows Firewall (MpsSvc) - The service is running
--------------------------- [ AntiSpyware_WMI ] ---------------------------
Windows Defender (disabled and up to date)
AVG AntiVirus Free Edition (enabled and up to date)
---------------------- [ AntiVirusFirewallInstall ] -----------------------
AVG Protection v.2016.31.7356
AVG v.1.31.1.48846
AVG 2016 v.16.0.4489
AVG Zen v.1.31.9
-------------------------- [ SecurityUtilities ] --------------------------
Malwarebytes Anti-Malware version 2.2.0.1024 v.2.2.0.1024
--------------------------- [ OtherUtilities ] ----------------------------
WinRAR 5.30 (64-bit) v.5.30.0
VLC media player v.2.2.1
--------------------------------- [ IM ] ----------------------------------
Skype™ 7.16 v.7.16.102 Warning! Download Update
^Optional update.^
--------------------------- [ AppleProduction ] ---------------------------
Bonjour v.3.1.0.1
iTunes v.12.3.2.35
Bonjour Service (Bonjour Service) - The service is running
--------------------------- [ AdobeProduction ] ---------------------------
Adobe Flash Player 19 NPAPI v.19.0.0.245 Warning! Download Update
------------------------------- [ Browser ] -------------------------------
Google Chrome v.47.0.2526.106
Mozilla Firefox 40.0.3 (x86 en-US) v.40.0.3 Warning! Download Update
--------------------------- [ RunningProcess ] ----------------------------
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe v.47.0.2526.106
c:\PROGRA~2\AVG\Av\avgrsa.exe v.16.31.0.7356
C:\Program Files (x86)\AVG\Av\avgcsrva.exe v.16.31.0.7356
avgidsagent.exe
C:\Program Files (x86)\AVG\Av\avgnsa.exe v.16.31.0.7356
C:\Program Files (x86)\AVG\Av\avgemca.exe v.16.31.0.7356
C:\Program Files (x86)\AVG\Av\avgui.exe v.16.31.0.7356
----------------------------- [ End of Log ] ------------------------------

I have just run a threat scan on Malwarebytes and two items were found. Should I go ahead and remove them or are there more necessary steps?
 

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 1/12/2016
Scan Time: 7:03 PM
Logfile: Malwarebytes.txt
Administrator: Yes
 
Version: 2.2.0.1024
Malware Database: v2016.01.12.07
Rootkit Database: v2016.01.09.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
 
OS: Windows 10
CPU: x64
File System: NTFS
User: Andre Allen
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 347200
Time Elapsed: 36 min, 5 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 2
PUP.Optional.AllPCOptimizer, C:\Windows\Allpcoptimizer.exe, , [a324201853462115095bcb077889d927], 
PUP.Optional.AllPCOptimizer, C:\Windows\Installer\4a764dc.msi, , [6f58e157ebae05310a5adff324dd03fd], 
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)

As to the Malwarebytes findings, please have MBAM remove those files.  I would believe these are old files left after run entries were removed by a scanner some time ago.

 

As to an AV, we usually recommend Microsoft Security Essentials (or Windows Defender [in the case of Win 10]) or Avast! Free AntiVirus.

 


 

Actually, since this old malware showed up now we need one more thorough scan ....

 

This next step may take a while (just to warn you) .....

ESET Online does not work with IE 11 (Internet Explorer) at the moment (a few weeks ago anyway) so if you have IE 11, Chrome or Firefox has to be used instead.  ESET Online does work with IE 10 and earlier.

You can leave Norton enabled even though ESET may warn about it; it just makes the scan take longer. The pictures below showing what to click may be blue instead of green on the ESET website now, but the procedure is still the same.

Please read carefully and slowly. Notice all the settings listed below to check before starting the scan. Stop and ask if you have any questions.

Take note of the NO tick in the Remove found threats setting below, as it needs to have the tick removed.

-------------------------------------------------------------------------------------------------------------------

Hold down Control key and click on the following link to open ESET OnlineScan in a new window.

Link =>> ESET Online Scanner  <<

Click the Run ESET Online Scanner located on the left side of the page (not the free trial).


For browsers other than Internet Explorer only: (Microsoft Internet Explorer users can skip this step)
Click on the esetsmartinstaller link in the popup window that opens. Save it to your desktop.


Double click on the icon on your desktop.


Check (accept) the Terms of Use.


Click the START button.
Accept any security warnings from your browser.

Now in the Computer scan settings window that appears:
Make sure that the option Enable detection of potentially unwanted applications is selected.
Now click on Advanced Settings and configure the options as follows:

Remove found threats is Not checked
Scan archives is checked
Scan for potentially unsafe applications is checked
Enable Anti-Stealth Technology is checked


Now click on: Start



ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.




When the scan is finished, if any threats are found you will see the screen below.  Click to view the found threats.


At the bottom of the listed threats, there is an option to save the results to a text file.  Please do this so you can attach the results here for review and removal of the items that are not false positives (these will be scripted out so do not worry).


Once the log text file is saved, return to the Scan Finished screen by clicking "<<Back", then click on the uninstall button and click Finish.


Attach the saved log file in your next reply please.  Thanks.
 


STILL QUITE A FEW INFECTED FILES. HOW CAN WE GET THESE REMOVED?
 

C:\AdwCleaner\Quarantine\C\Users\Andre Allen\AppData\Local\Installer\Install_12012\nsq4BB3.tmp.vir a variant of Win32/SpeedBit.T potentially unwanted application
C:\AdwCleaner\Quarantine\C\Users\Andre Allen\AppData\Local\Installer\Install_18958\nsq4BB3.tmp.vir a variant of Win32/SpeedBit.T potentially unwanted application
C:\AdwCleaner\Quarantine\C\Users\Andre Allen\AppData\Local\Temp\task.vbs.vir VBS/TrojanDownloader.Agent.NSW trojan
C:\FRST\Quarantine\C\WINDOWS\System32\Lhnahl64.dll.xBAD a variant of Win64/Riskware.Komodia.E application
C:\Users\Andre Allen\AppData\Local\Microsoft\Windows\INetCache\IE\AGIOK37N\braieftp_ftpbl_inst[1].exe a variant of Win32/SpeedBit.T potentially unwanted application
C:\Users\Andre Allen\AppData\Local\Microsoft\Windows\INetCache\IE\AGIOK37N\ciwr[1].exe a variant of Win32/Adware.ConvertAd.AER.gen application
C:\Users\Andre Allen\AppData\Local\Microsoft\Windows\INetCache\IE\KD2O1NB0\setup_gmsd_us[1].exe a variant of Win32/Adware.EoRezo.BD application
C:\Users\Andre Allen\AppData\Local\Microsoft\Windows\INetCache\IE\KD2O1NB0\setup_ospd_us[1].exe a variant of Win32/Adware.EoRezo.BD application
C:\Users\Andre Allen\AppData\Local\Microsoft\Windows\INetCache\IE\KD2O1NB0\sunnyday[1].exe a variant of Win32/Adware.EoRezo.BD application
C:\Users\Andre Allen\AppData\Local\Microsoft\Windows\INetCache\IE\SBAO99T0\BubbleDock20150217[1].exe Win32/BubbleDock.A potentially unwanted application
C:\Users\Andre Allen\AppData\Local\Microsoft\Windows\INetCache\IE\SBAO99T0\SFSetup[1].exe a variant of Win32/Adware.ConvertAd.AER.gen application
C:\Users\Andre Allen\AppData\Local\Microsoft\Windows\INetCache\IE\SBAO99T0\tiwr[1].exe a variant of Win32/Adware.ConvertAd.ADS.gen application
C:\Users\Andre Allen\AppData\Local\Microsoft\Windows\INetCache\IE\SBAO99T0\VuuPC_VO2_8907[1].exe Win32/InstallMonetizer.BJ potentially unwanted application
C:\Users\Andre Allen\AppData\Local\Microsoft\Windows\INetCache\IE\Y9RUN8UX\pcspeedup[1].exe a variant of Win32/Speedchecker.C potentially unwanted application
C:\Users\Andre Allen\AppData\Local\Microsoft\Windows\INetCache\IE\Y9RUN8UX\sci[1].exe a variant of Win32/Compete.F potentially unwanted application
 

ESET Online Scanner.txt


We get rid of them by running this Fixlist.txt script.

Download the attached fixlist.txt file and save it to the Desktop.   Fixlist.txt

NOTE. It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST64 by right clicking on the FRST64.exe file, selecting "Run as Administrator". The User Account Control may open up; if it does, select Yes to continue to let FRST open and load.

The tool will check for an updated version of itself every time it loads; please allow it to do this and the program will either inform you it is downloading an updated copy (and to wait until it is safe to continue) or show that it is ready to use (meaning there is no update found) and you can continue on.  Press the Fix button just once and wait.  The tool will create a restore point, process the script and ask for a restart of your system.


If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.

When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post the log in your next reply.
 


Fix result of Farbar Recovery Scan Tool (x64) Version:10-01-2015 01
Ran by Andre Allen (2016-01-13 22:10:28) Run:2
Running from C:\Users\Andre Allen\Desktop
Loaded Profiles: Andre Allen (Available Profiles: Andre Allen)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
Start
CreateRestorePoint:
CloseProcesses:
C:\Windows\Allpcoptimizer.exe
C:\Windows\Installer\4a764dc.msi 
C:\Users\Andre Allen\AppData\Local\Microsoft\Windows\INetCache\IE\AGIOK37N\braieftp_ftpbl_inst[1].exe
C:\Users\Andre Allen\AppData\Local\Microsoft\Windows\INetCache\IE\AGIOK37N\ciwr[1].exe
C:\Users\Andre Allen\AppData\Local\Microsoft\Windows\INetCache\IE\KD2O1NB0\setup_gmsd_us[1].exe
C:\Users\Andre Allen\AppData\Local\Microsoft\Windows\INetCache\IE\KD2O1NB0\setup_ospd_us[1].exe
C:\Users\Andre Allen\AppData\Local\Microsoft\Windows\INetCache\IE\KD2O1NB0\sunnyday[1].exe
C:\Users\Andre Allen\AppData\Local\Microsoft\Windows\INetCache\IE\SBAO99T0\BubbleDock20150217[1].exe
C:\Users\Andre Allen\AppData\Local\Microsoft\Windows\INetCache\IE\SBAO99T0\SFSetup[1].exe
C:\Users\Andre Allen\AppData\Local\Microsoft\Windows\INetCache\IE\SBAO99T0\tiwr[1].exe
C:\Users\Andre Allen\AppData\Local\Microsoft\Windows\INetCache\IE\SBAO99T0\VuuPC_VO2_8907[1].exe
C:\Users\Andre Allen\AppData\Local\Microsoft\Windows\INetCache\IE\Y9RUN8UX\pcspeedup[1].exe
C:\Users\Andre Allen\AppData\Local\Microsoft\Windows\INetCache\IE\Y9RUN8UX\sci[1].exe
RemoveProxy:
EmptyTemp:
Reboot:
end
 
*****************
 
Restore point was successfully created.
Processes closed successfully.
C:\Windows\Allpcoptimizer.exe => moved successfully
"C:\Windows\Installer\4a764dc.msi " => not found.
C:\Users\Andre Allen\AppData\Local\Microsoft\Windows\INetCache\IE\AGIOK37N\braieftp_ftpbl_inst[1].exe => moved successfully
C:\Users\Andre Allen\AppData\Local\Microsoft\Windows\INetCache\IE\AGIOK37N\ciwr[1].exe => moved successfully
C:\Users\Andre Allen\AppData\Local\Microsoft\Windows\INetCache\IE\KD2O1NB0\setup_gmsd_us[1].exe => moved successfully
C:\Users\Andre Allen\AppData\Local\Microsoft\Windows\INetCache\IE\KD2O1NB0\setup_ospd_us[1].exe => moved successfully
C:\Users\Andre Allen\AppData\Local\Microsoft\Windows\INetCache\IE\KD2O1NB0\sunnyday[1].exe => moved successfully
C:\Users\Andre Allen\AppData\Local\Microsoft\Windows\INetCache\IE\SBAO99T0\BubbleDock20150217[1].exe => moved successfully
C:\Users\Andre Allen\AppData\Local\Microsoft\Windows\INetCache\IE\SBAO99T0\SFSetup[1].exe => moved successfully
C:\Users\Andre Allen\AppData\Local\Microsoft\Windows\INetCache\IE\SBAO99T0\tiwr[1].exe => moved successfully
C:\Users\Andre Allen\AppData\Local\Microsoft\Windows\INetCache\IE\SBAO99T0\VuuPC_VO2_8907[1].exe => moved successfully
C:\Users\Andre Allen\AppData\Local\Microsoft\Windows\INetCache\IE\Y9RUN8UX\pcspeedup[1].exe => moved successfully
C:\Users\Andre Allen\AppData\Local\Microsoft\Windows\INetCache\IE\Y9RUN8UX\sci[1].exe => moved successfully
 
========= RemoveProxy: =========
 
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully
HKU\S-1-5-21-2096938433-3674504870-3931817872-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\S-1-5-21-2096938433-3674504870-3931817872-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully
 
 
========= End of RemoveProxy: =========
 
EmptyTemp: => 552.5 MB temporary data Removed.
 
 
The system needed a reboot.
 
==== End of Fixlog 22:11:00 ====

Fixlog.txt


THERE IS STILL ONE MORE THING COMING UP ON MALWAREBYTES
 

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 1/15/2016
Scan Time: 9:39 AM
Logfile: MALWAREBYTES.txt
Administrator: Yes
 
Version: 2.2.0.1024
Malware Database: v2016.01.15.04
Rootkit Database: v2016.01.09.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
 
OS: Windows 10
CPU: x64
File System: NTFS
User: Andre Allen
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 346791
Time Elapsed: 37 min, 2 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 1
PUP.Optional.AllPCOptimizer, C:\Windows\Installer\4a764dc.msi, , [7f713306a1f884b204d814be45bce020], 
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)

Download the attached fixlist.txt file and save it to the Desktop.  Fixlist.txt

NOTE. It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST64 by right clicking on the FRST64.exe file, selecting "Run as Administrator". The User Account Control may open up; if it does, select Yes to continue to let FRST open and load.

The tool will check for an updated version of itself every time it loads; please allow it to do this and the program will either inform you it is downloading an updated copy (and to wait until it is safe to continue) or show that it is ready to use (meaning there is no update found) and you can continue on.  Press the Fix button just once and wait.  The tool will create a restore point, process the script and ask for a restart of your system.


If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.

When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post the log in your next reply.
 


OK THAT IS DONE. SHOULD I CHANGE MY PASSWORDS FOR WEBSITES THAT I LOGGED IN WITH?
 

Fix result of Farbar Recovery Scan Tool (x64) Version:10-01-2015 01
Ran by Andre Allen (2016-01-15 12:03:11) Run:3
Running from C:\Users\Andre Allen\Desktop
Loaded Profiles: Andre Allen (Available Profiles: Andre Allen)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
 
Start
CreateRestorePoint:
CloseProcesses:
Unlock: C:\Windows\Installer\4a764dc.msi
C:\Windows\Installer\4a764dc.msi
CMD: bitsadmin /reset /allusers
EmptyTemp:
Reboot:
end
 
*****************
 
Restore point was successfully created.
Processes closed successfully.
"C:\Windows\Installer\4a764dc.msi" => was unlocked
C:\Windows\Installer\4a764dc.msi => moved successfully
 
=========  bitsadmin /reset /allusers =========
 
 
BITSADMIN version 3.0 [ 7.8.10586 ]
BITS administration utility.
© Copyright 2000-2006 Microsoft Corp.
 
BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.
 
0 out of 0 jobs canceled.
 
========= End of CMD: =========
 
EmptyTemp: => 142.3 MB temporary data Removed.
 
 
The system needed a reboot.
 
==== End of Fixlog 12:04:22 ====

It didn't bring up anything, am I good now?

Anti-Malware
www.malwarebytes.org
 
Scan Date: 1/15/2016
Scan Time: 9:14 PM
Logfile: MalwareBytes.txt
Administrator: Yes
 
Version: 2.2.0.1024
Malware Database: v2016.01.15.08
Rootkit Database: v2016.01.09.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
 
OS: Windows 10
CPU: x64
File System: NTFS
User: Andre Allen
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 346275
Time Elapsed: 35 min, 41 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 0
(No malicious items detected)
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)

All right!! :D Your logs are clean and you're good to go now!! :lol: We've got some final steps left to do to clean up our tools and get your system in good running condition and then you are on your way.  :) Just run through the steps from the Cleanup of Tools to the Program Update Checker. That's it. Thanks. :cool:


Clean up of Malware Removal Tools
Now that we are through using these tools, let's clean them off your system so that should you ever need to have malware removed again (we hope not) fresh, updated copies will be downloaded.

  • Download Delfix from here to your desktop and double click it to start the program
  • Ensure Remove disinfection tools is ticked
    Also tick:
  • Activate UAC
  • Create registry backup
  • Purge system restore
  • Reset system settings
  • Click Run
  • The program will run for a few moments and then notepad will open with a log. Please paste the log in your next reply.

You can delete any log files left on your desktop as these are no longer needed.

Consider a program that will check for out-of-date programs on your system
Some programs don't have update checks built in or make you run the application to start the check for updates process. An easier way to stay on top of the current versions of your installed programs is to use a version checking program like Heimdal Free from Heimdal Security (you can get the software from here and read more about it on the same page).


You are now done! :D :D :D :D

Now some information on programs to help keep you safe:

Along with Malwarebytes Antimalware, use the following as a base level security:

First, an Antivirus program. You NEED one; free is just as good as paid-for as long as you keep them updated. ONLY use one at a time as having more than that will cause system problems. Here are some free ones to check out:
Microsoft Security Essentials
Avast! Free Antivirus

Next, a firewall is a must have nowadays. The built in firewall in Windows 7 is fine (just make sure it is turned on (Start > Control Panel > Windows Firewall)). Or, if you like, you could choose one of the free ones listed here:
Zone Alarm Free Firewall - installer includes foistware so read the options very carefully

=== options ====
Unchecky is a small service that runs in the background to help keep those "extra toolbars" and tag along search engines from automatically installing. By automatically directing you to a custom install with all the options unchecked, only what you manually choose and confirm gets installed.

CryptoPrevent is a free program that prevents CryptoLocker / ransomware from infecting your PC by locking down the OS so the malware can not get a grip on your system. You can read the details about this program here.

Lastly, if you use Firefox as your main web browser, consider adding the NoScript and AdBlockPlus add-ons to the browser to block scripting hijacks and remove unwanted ads from the pages you view.

You may also find some information and tips at this thread:
How did I get infected in the first place?
and
COMPUTER SECURITY - a short guide to staying safer online

_____________________________________________________________________

Please come back and paste the DelFix.txt log when you can. After that, if you have no more questions, you are good to go. Surf safe, my friend!!
 

 


I JUST RAN THE ESET SCANNER AND IT IS BRINGING UP MORE VIRUSES. CAN WE GET THESE ERASED
 

C:\AdwCleaner\Quarantine\C\Users\Andre Allen\AppData\Local\Installer\Install_12012\nsq4BB3.tmp.vir a variant of Win32/SpeedBit.T potentially unwanted application
C:\AdwCleaner\Quarantine\C\Users\Andre Allen\AppData\Local\Installer\Install_18958\nsq4BB3.tmp.vir a variant of Win32/SpeedBit.T potentially unwanted application
C:\AdwCleaner\Quarantine\C\Users\Andre Allen\AppData\Local\Temp\task.vbs.vir VBS/TrojanDownloader.Agent.NSW trojan
C:\FRST\Quarantine\C\Users\Andre Allen\AppData\Local\Microsoft\Windows\INetCache\IE\AGIOK37N\braieftp_ftpbl_inst[1].exe.xBAD a variant of Win32/SpeedBit.T potentially unwanted application
C:\FRST\Quarantine\C\Users\Andre Allen\AppData\Local\Microsoft\Windows\INetCache\IE\AGIOK37N\ciwr[1].exe.xBAD a variant of Win32/Adware.ConvertAd.AER.gen application
C:\FRST\Quarantine\C\Users\Andre Allen\AppData\Local\Microsoft\Windows\INetCache\IE\KD2O1NB0\setup_gmsd_us[1].exe.xBAD a variant of Win32/Adware.EoRezo.BD application
C:\FRST\Quarantine\C\Users\Andre Allen\AppData\Local\Microsoft\Windows\INetCache\IE\KD2O1NB0\setup_ospd_us[1].exe.xBAD a variant of Win32/Adware.EoRezo.BD application
C:\FRST\Quarantine\C\Users\Andre Allen\AppData\Local\Microsoft\Windows\INetCache\IE\KD2O1NB0\sunnyday[1].exe.xBAD a variant of Win32/Adware.EoRezo.BD application
C:\FRST\Quarantine\C\Users\Andre Allen\AppData\Local\Microsoft\Windows\INetCache\IE\SBAO99T0\BubbleDock20150217[1].exe.xBAD Win32/BubbleDock.A potentially unwanted application
C:\FRST\Quarantine\C\Users\Andre Allen\AppData\Local\Microsoft\Windows\INetCache\IE\SBAO99T0\SFSetup[1].exe.xBAD a variant of Win32/Adware.ConvertAd.AER.gen application
C:\FRST\Quarantine\C\Users\Andre Allen\AppData\Local\Microsoft\Windows\INetCache\IE\SBAO99T0\tiwr[1].exe.xBAD a variant of Win32/Adware.ConvertAd.ADS.gen application
C:\FRST\Quarantine\C\Users\Andre Allen\AppData\Local\Microsoft\Windows\INetCache\IE\SBAO99T0\VuuPC_VO2_8907[1].exe.xBAD Win32/InstallMonetizer.BJ potentially unwanted application
C:\FRST\Quarantine\C\Users\Andre Allen\AppData\Local\Microsoft\Windows\INetCache\IE\Y9RUN8UX\pcspeedup[1].exe.xBAD a variant of Win32/Speedchecker.C potentially unwanted application
C:\FRST\Quarantine\C\Users\Andre Allen\AppData\Local\Microsoft\Windows\INetCache\IE\Y9RUN8UX\sci[1].exe.xBAD a variant of Win32/Compete.F potentially unwanted application
C:\FRST\Quarantine\C\WINDOWS\System32\Lhnahl64.dll.xBAD a variant of Win64/Riskware.Komodia.E application
 

ESET Online Scanner.txt


All of those files are in one of the scanner tools' Quarantine folders. The malware has already been removed and is in either the C:\AdwCleaner\Quarantine or the C:\FRST\Quarantine folder. The DelFix utility cleans the tools and their Quarantine folders off your system when you run DelFix.

 

I did not have you do all this work to clean the system just to leave things half done.  It was good of you to check your system once again but please do the instructions in my previous post and you will be fine.


COOL, I DID THAT. HERE IS THE TXT:
 

# DelFix v1.011 - Logfile created 20/01/2016 at 09:19:56
# Updated 18/08/2015 by Xplode
# Username : Andre Allen - DESKTOP-EHK0A8M
# Operating System : Windows 10 Home  (64 bits)
 
~ Activating UAC ... OK
 
~ Removing disinfection tools ...
 
Deleted : C:\FRST
Deleted : C:\AdwCleaner
Deleted : C:\SecurityCheck
Deleted : C:\Users\Andre Allen\Desktop\FRST64.exe
Deleted : C:\Users\Andre Allen\Downloads\esetsmartinstaller_enu (1).exe
Deleted : C:\Users\Andre Allen\Downloads\esetsmartinstaller_enu.exe
Deleted : HKLM\SOFTWARE\AdwCleaner
 
~ Creating registry backup ... OK
 
~ Cleaning system restore ...
 
Deleted : RP #8 [Restore Point Created by FRST | 01/15/2016 17:03:16]
 
New restore point created !
 
~ Resetting system settings ... OK
 
########## - EOF - ##########

  • Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

