i dont trust the other guide fuery bcl bs help

[desejsbn]

so l ike

i was on the Internet™ recently and did some stupid junk

and now my cpu is in the death grips of win32 Fuery bcl trojan

i dont have mwb or anything i just have crippling anxiety and a fear of credit fraud

i am way too young to die and also too young to be competent with most computer things 

i dont know what to Do i have unplugged my whole pc and am looking at it from across the room like satan possesses it which it probably does 

a t some point i turned off my wifi but it turned itswlf back on and used my location which is freaking me out i am terrified please help i need a really comprehensive guide for my poor ass 

everywhere online is the same guide and due to my Fear  im too much a smallbitch to follow it, and im irked by the idea of returning to a point on my cpu for some reason idk i feel like that will not fix the trojan 

sorry if im not following whatever rules or if its against the forumlaw to post about something thats already resolved (albeit in another way) i just need prompt answers or ill maybe just change my name run away and chainsaw off an arm to become a bandit in the state of ohio like my parents always wanted 

 

edit// adtee my initial paickinf ;lol)) i realized that im supposed to have downloaded a thing and then paste a log here, but,, like. im legitimately horrified by the idea of turning my computer back on. much less downloading something. iv e heard tha t this particular trojan can rek me super quick if i do anything but also if i dont do anything AAAAHHH

 

 

Edited March 22, 2017 by desejsbn

[kevinf80]

Hello desejsbn and welcome to Malwarebytes, My screen name is kevinf80, i`m here to help clean up your system. Make sure to run all scans from accounts with Administrator status, continue as follows please: Anyone other than the original starter of this thread please DO NOT follow the instructions and advice posted as replies here, my help and advice is NOT related to your system and will probably cause more harm than good... Change the download folder setting in the Default Browser only. so all of the tools we may use are saved to the Desktop: Google Chrome - Click the "Customize and control Google Chrome" button in the upper right-corner of the browser. Choose Settings. at the bottom of the screen click the "Show advanced settings..." link. Scroll down to find the Downloads section and click the Change... button. Select your desktop and click OK. Mozilla Firefox - Click the "Open Menu" button in the upper right-corner of the browser. Choose Options. In the downloads section, click the Browse button, click on the Desktop folder and the click the "Select Folder" button. Click OK to get out of the Options menu. Internet Explorer - Click the Tools menu in the upper right-corner of the browser. Select View downloads. Select the Options link in the lower left of the window. Click Browse and select the Desktop and then choose the Select Folder button. Click OK to get out of the download options screen and then click Close to get out of the View Downloads screen. NOTE: IE8 Does not support changing download locations in this manner. You will need to download the tool(s) to the default folder, usually Downloads, then copy them to the desktop. Change default download folder location in Edge -Boot to a user account with admin status, select start > file explorer > right click on "Downloads" folder and select "Properties" In the new window select "Location" tab > clear the text field box and type in or copy/paste %userprofile%\Desktop > select "Apply" then "OK" Be aware you are not changing the Browser download folder location, you are changing the user’s download directory location..... Next, Follow the instructions in the following link to show hidden files: http://www.howtogeek.com/howto/windows-vista/show-hidden-files-and-folders-in-windows-vista/ Next, Download Farbar Recovery Scan Tool and save it to your desktop. Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version. If your security alerts to FRST either, accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way... Be aware FRST must be run from an account with Administrator status...   Double-click to run it. When the tool opens click Yes to disclaimer.(Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.) Make sure Addition.txt is checkmarked under "Optional scans" Press Scan button to run the tool.... It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply. The tool will also make a log named (Addition.txt) Please attach that log to your reply. Next, Download and save RogueKiller to your Desktop from this link: https://www.fosshub.com/RogueKiller.html/setup.exe Right click setup.exe and select Run as Administrator to start installing RogueKiller. At the next window Checkmark "Install 32 and 64 bit versions, then select "Next" In the next window skip Licence I.D. and Licence Key, select "Next" In the next window make no changes and select "Next" In the next window leave both "Additional Shortcuts" checkmarked, then select "Next" In the next window make no changes and select "Install" RogueKiller will extract and complete installation, in the new window leave "Launch Roguekiller" checkmarked, then select finish. RogueKiller will launch. Accept UAC, then read and accept "User Agreements" In the new window the "Home" tab should already be selected, Change by selecting "Scan" tab, then select "Start Scan" When the scan completes select "Open Report" In the new Window select "Export text" name that file RK.txt, save to your Desktop and attach to your reply Let me see those logs... Thank you, Kevin..

[desejsbn]

Alright, I've finally gotten over my horrible fear (a little bit) and am following your instructions. Apologies for the catastrophically written first post, I was a mess. 

Here is the frst.txt that you asked for: 

Spoiler

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 15-03-2017
Ran by barre (administrator) on DESKTOP-A9V7IQ9 (22-03-2017 17:06:24)
Running from C:\Users\barre\Desktop
Loaded Profiles: barre (Available Profiles: defaultuser0 & barre)
Platform: Windows 10 Pro Version 1607 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\NisSrv.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.32.7\GoogleCrashHandler.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.32.7\GoogleCrashHandler64.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MpCmdRun.exe
(Intel Corporation) C:\Windows\System32\igfxEM.exe
(Intel Corporation) C:\Windows\System32\igfxHK.exe
(Microsoft Corporation) C:\Windows\System32\InstallAgent.exe
(Microsoft Corporation) C:\Windows\System32\InstallAgentUserBroker.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MSASCuiL.exe
(Graphic Tablet Company Shenzhen) C:\PenTabletDriver\TabletDriver.exe
(Valve Corporation) C:\Program Files (x86)\Steam\Steam.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [WindowsDefender] => C:\Program Files\Windows Defender\MSASCuiL.exe [631808 2016-09-24] (Microsoft Corporation)
HKLM\...\Run: [Logitech Download Assistant] => C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch
HKLM\...\Run: [TabletDriver] => C:\PenTabletDriver\TabletDriver.exe [634240 2016-05-27] (Graphic Tablet Company Shenzhen)
HKU\S-1-5-21-2284778045-644900841-3920990327-1001\...\Run: [Steam] => C:\Program Files (x86)\Steam\steam.exe [3019552 2017-03-13] (Valve Corporation)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
Tcpip\..\Interfaces\{bfbe138d-2de5-479d-bef1-f8a53c657913}: [DhcpNameServer] 192.168.1.254

Internet Explorer:
==================

FireFox:
========
FF DefaultProfile: u4c37f85.default
FF ProfilePath: C:\Users\barre\AppData\Roaming\Mozilla\Firefox\Profiles\u4c37f85.default [2017-03-10]
FF Extension: (uBlock Origin) - C:\Users\barre\AppData\Roaming\Mozilla\Firefox\Profiles\u4c37f85.default\Extensions\uBlock0@raymondhill.net.xpi [2017-02-21]
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2017-02-04] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2017-02-04] (Google Inc.)
FF Plugin HKU\S-1-5-21-2284778045-644900841-3920990327-1001: @unity3d.com/UnityPlayer,version=1.0 -> C:\Users\barre\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll [2016-10-26] (Unity Technologies ApS)

Chrome: 
=======
CHR Profile: C:\Users\barre\AppData\Local\Google\Chrome\User Data\Default [2017-03-22]
CHR Extension: (Google Slides) - C:\Users\barre\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2017-02-04]
CHR Extension: (Google Docs) - C:\Users\barre\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2017-02-04]
CHR Extension: (Google Drive) - C:\Users\barre\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2017-02-04]
CHR Extension: (YouTube) - C:\Users\barre\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2017-02-04]
CHR Extension: (Google Sheets) - C:\Users\barre\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2017-02-04]
CHR Extension: (Google Docs Offline) - C:\Users\barre\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2017-02-05]
CHR Extension: (Chrome Web Store Payments) - C:\Users\barre\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-03-09]
CHR Extension: (Gmail) - C:\Users\barre\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2017-02-04]
CHR Extension: (Chrome Media Router) - C:\Users\barre\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-02-04]

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 igfxCUIService2.0.0.0; C:\WINDOWS\system32\igfxCUIService.exe [368544 2016-06-23] (Intel Corporation)
R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [316152 2016-06-23] (Realtek Semiconductor)
S3 Sense; C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe [2889896 2016-09-15] (Microsoft Corporation)
R3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [347328 2016-07-16] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [103720 2016-07-16] (Microsoft Corporation)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 igfxLP; C:\WINDOWS\system32\DRIVERS\igdkmd64lp.sys [5763512 2016-06-23] (Intel Corporation)
S3 NetAdapterCx; C:\WINDOWS\System32\drivers\NetAdapterCx.sys [90624 2016-07-16] ()
R3 RSP2STOR; C:\WINDOWS\system32\DRIVERS\RtsP2Stor.sys [310528 2016-09-24] (Realtek Semiconductor Corp.)
R3 rt640x64; C:\WINDOWS\System32\drivers\rt640x64.sys [896768 2016-06-23] (Realtek                                            )
R3 RTWlanE; C:\WINDOWS\System32\drivers\rtwlane.sys [6294016 2017-02-01] (Realtek Semiconductor Corporation                           )
R3 TXEIx64; C:\WINDOWS\System32\drivers\TXEIx64.sys [146232 2015-06-26] (Intel Corporation)
R3 vmulti; C:\WINDOWS\System32\drivers\vmulti.sys [19504 2016-01-13] (Windows (R) Win 7 DDK provider)
S0 WdBoot; C:\WINDOWS\System32\drivers\WdBoot.sys [44056 2016-07-16] (Microsoft Corporation)
R0 WdFilter; C:\WINDOWS\System32\drivers\WdFilter.sys [290144 2016-07-16] (Microsoft Corporation)
R3 WdNisDrv; C:\WINDOWS\System32\Drivers\WdNisDrv.sys [123232 2016-07-16] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-03-22 16:45 - 2017-03-22 17:06 - 00008090 _____ C:\Users\barre\Desktop\FRST.txt
2017-03-22 16:44 - 2017-03-22 17:06 - 00000000 ____D C:\FRST
2017-03-22 16:42 - 2017-03-22 16:44 - 02424832 _____ (Farbar) C:\Users\barre\Desktop\FRST64.exe
2017-03-21 17:59 - 2017-03-21 17:59 - 00000214 _____ C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job
2017-03-20 21:20 - 2017-03-20 21:20 - 24387584 _____ C:\Users\barre\Desktop\rtrtey.sai
2017-03-19 22:22 - 2017-03-19 22:22 - 00215148 _____ C:\Users\barre\Desktop\zhedst.jpeg
2017-03-19 20:57 - 2017-03-19 20:57 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Drawpile
2017-03-19 04:17 - 2017-03-19 04:17 - 00209693 _____ C:\Users\barre\Desktop\wegrewhg.jpeg
2017-03-19 00:46 - 2017-03-19 00:46 - 05304320 _____ C:\Users\barre\Desktop\egrwer.sai
2017-03-18 17:30 - 2017-03-18 17:31 - 00000000 ____D C:\Users\barre\Desktop\Drawpile-1.0.6
2017-03-18 04:45 - 2017-03-18 16:59 - 05976064 _____ C:\Users\barre\Desktop\ergtw.sai
2017-03-18 04:42 - 2017-03-19 04:17 - 01398541 _____ C:\Users\barre\Desktop\ewgr.mdp
2017-03-17 23:35 - 2017-03-18 04:45 - 00001466 _____ C:\Users\barre\Desktop\wegrgew.txt
2017-03-17 19:17 - 2017-03-17 19:17 - 03670016 _____ C:\Users\barre\Desktop\ar6ycdues.sai
2017-03-17 19:16 - 2017-03-17 19:16 - 05607424 _____ C:\Users\barre\Desktop\ret.sai
2017-03-17 19:16 - 2017-03-17 19:16 - 05607424 _____ C:\Users\barre\Desktop\New Canvas.sai
2017-03-14 22:27 - 2017-03-14 22:27 - 00014968 _____ C:\Users\barre\Desktop\yhewgrb .jpeg
2017-03-14 20:13 - 2017-03-14 20:13 - 01724416 _____ C:\Users\barre\Desktop\jt.sai
2017-03-14 20:13 - 2017-03-14 20:13 - 00746182 _____ C:\Users\barre\Desktop\srut56.ora
2017-03-13 19:07 - 2017-03-13 19:07 - 13500416 _____ C:\Users\barre\Desktop\q6ytgb  cdsgft.sai
2017-03-12 12:13 - 2017-03-12 12:13 - 02118464 _____ C:\Users\barre\Desktop\u8iyh.ora
2017-03-12 01:07 - 2017-03-12 01:07 - 00000000 ____D C:\Users\barre\AppData\LocalLow\TheMeatly Games
2017-03-11 05:07 - 2017-03-11 05:07 - 00243488 _____ C:\Users\barre\Desktop\fw.jpeg
2017-03-10 21:15 - 2017-03-10 22:03 - 02318950 _____ C:\Users\barre\Desktop\5gh34qe.mdp
2017-03-08 23:39 - 2017-03-08 23:39 - 03276800 _____ C:\Users\barre\Desktop\wfe.sai
2017-03-07 17:39 - 2017-03-07 17:39 - 03211264 _____ C:\Users\barre\Desktop\gewr.sai
2017-03-07 15:15 - 2017-03-07 15:17 - 00411172 _____ C:\WINDOWS\Minidump\030717-18328-01.dmp
2017-03-07 15:15 - 2017-03-07 15:15 - 590364884 _____ C:\WINDOWS\MEMORY.DMP
2017-03-07 15:15 - 2017-03-07 15:15 - 00000000 ____D C:\WINDOWS\Minidump
2017-03-05 17:39 - 2017-03-05 17:55 - 00000000 ____D C:\Users\barre\AppData\Local\UNDERTALE
2017-03-04 09:05 - 2017-03-04 09:05 - 00479920 _____ C:\Users\barre\Desktop\qrgt.mdp
2017-03-04 09:03 - 2017-03-04 09:04 - 00344784 _____ C:\Users\barre\Desktop\iygcv.jpeg
2017-03-04 09:02 - 2017-03-05 04:18 - 04558848 _____ C:\Users\barre\Desktop\gyvtu dods.sai
2017-03-03 07:26 - 2017-03-04 09:05 - 01025830 _____ C:\Users\barre\Desktop\ergbvf.mdp
2017-03-03 05:50 - 2017-03-03 05:50 - 00210605 _____ C:\Users\barre\Desktop\regy5.mdp
2017-03-03 04:06 - 2017-03-03 04:06 - 00178229 _____ C:\Users\barre\Desktop\er4ty5r.jpeg
2017-03-02 05:28 - 2017-03-02 05:28 - 00139735 _____ C:\Users\barre\Desktop\wfe.mdp
2017-03-02 05:28 - 2017-03-02 05:28 - 00089165 _____ C:\Users\barre\Desktop\wegr.mdp
2017-03-02 05:27 - 2017-03-04 09:05 - 00100900 _____ C:\Users\barre\Desktop\qvrweg.mdp
2017-03-01 02:04 - 2017-03-01 02:04 - 00001263 _____ C:\Users\Public\Desktop\FireAlpaca.lnk
2017-03-01 02:04 - 2017-03-01 02:04 - 00000000 ____D C:\Users\barre\AppData\Local\FireAlpaca
2017-03-01 02:04 - 2017-03-01 02:04 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FireAlpaca
2017-03-01 02:04 - 2017-03-01 02:04 - 00000000 ____D C:\Program Files (x86)\FireAlpaca
2017-03-01 02:04 - 2016-08-19 18:51 - 00689664 _____ C:\WINDOWS\system32\MdpThumb64.dll
2017-02-26 03:53 - 2017-02-28 01:31 - 31801344 _____ C:\Users\barre\Desktop\SUNGE REDRAW WIP!.sai
2017-02-26 03:53 - 2017-02-26 03:53 - 00145998 _____ C:\Users\barre\Desktop\EEGR.jpeg
2017-02-25 11:08 - 2017-02-25 11:08 - 27000054 _____ C:\Users\barre\Desktop\ddfg.bmp
2017-02-24 05:19 - 2017-02-24 05:19 - 02723840 _____ C:\Users\barre\Desktop\ytfr.sai
2017-02-24 05:19 - 2017-02-24 05:19 - 00163906 _____ C:\Users\barre\Desktop\rth.jpeg
2017-02-23 02:58 - 2017-02-23 02:58 - 00207554 _____ C:\Users\barre\Desktop\q4w3t.jpeg
2017-02-23 02:58 - 2017-02-23 02:58 - 00003751 _____ C:\Users\barre\Desktop\w6rt.txt
2017-02-23 02:57 - 2017-02-23 02:57 - 01138688 _____ C:\Users\barre\Desktop\qegr.sai
2017-02-23 00:41 - 2017-02-23 03:00 - 00000389 _____ C:\Users\barre\Desktop\New Text Document.txt
2017-02-22 01:09 - 2017-02-22 01:09 - 10694656 _____ C:\Users\barre\Desktop\shinya.sai
2017-02-22 01:08 - 2017-02-22 01:08 - 00196084 _____ C:\Users\barre\Desktop\doodl.jpeg
2017-02-20 22:06 - 2017-02-20 22:06 - 01327104 _____ C:\Users\barre\Desktop\jtde.sai
2017-02-20 22:06 - 2017-02-20 22:06 - 00223559 _____ C:\Users\barre\Desktop\zrt.jpeg
2017-02-20 18:47 - 2017-02-20 18:47 - 01072437 _____ C:\Users\barre\Desktop\rf.ora
2017-02-20 00:52 - 2017-03-22 16:58 - 00000000 ____D C:\Users\barre\Desktop\pics
2017-02-20 00:51 - 2017-02-20 00:51 - 00196800 _____ C:\Users\barre\Desktop\wef.jpeg

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2017-03-22 16:58 - 2017-02-04 13:18 - 00000000 ____D C:\WINDOWS\CbsTemp
2017-03-22 16:37 - 2017-02-04 13:42 - 00000000 ____D C:\WINDOWS\AppReadiness
2017-03-22 16:35 - 2017-02-04 23:42 - 00000180 _____ C:\WINDOWS\system32\{A6D608F0-0BDE-491A-97AE-5C4B05D86E01}.bat
2017-03-22 16:35 - 2017-02-04 22:28 - 00000000 ____D C:\Program Files (x86)\Steam
2017-03-22 16:35 - 2017-02-04 22:05 - 00000000 __SHD C:\Users\barre\IntelGraphicsProfiles
2017-03-22 16:29 - 2017-02-04 23:53 - 01485166 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2017-03-22 16:25 - 2017-02-04 23:33 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2017-03-22 16:25 - 2017-02-04 14:53 - 00000000 ____D C:\WINDOWS\system32\SleepStudy
2017-03-21 17:56 - 2017-02-04 13:11 - 00262144 _____ C:\WINDOWS\system32\config\BBI
2017-03-21 17:23 - 2017-02-04 22:04 - 00000000 ____D C:\Users\barre
2017-03-20 21:20 - 2017-02-06 16:50 - 00000000 ____D C:\Users\barre\Desktop\Sai 1.1.0
2017-03-19 20:57 - 2017-02-10 11:53 - 00000000 ____D C:\Program Files (x86)\Drawpile
2017-03-18 17:17 - 2017-02-05 13:20 - 00000000 ____D C:\Users\barre\Desktop\Wolf
2017-03-17 19:18 - 2017-02-04 13:42 - 00000000 ____D C:\WINDOWS\LiveKernelReports
2017-03-14 20:32 - 2017-02-04 13:42 - 00000000 ___HD C:\Program Files\WindowsApps
2017-03-10 00:28 - 2017-02-05 20:00 - 00000000 ____D C:\Users\barre\AppData\LocalLow\Mozilla
2017-03-05 17:37 - 2017-02-04 23:21 - 00000000 ____D C:\Users\barre\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Steam
2017-02-27 20:20 - 2017-02-05 17:15 - 00000000 ____D C:\WINDOWS\system32\MRT
2017-02-27 20:18 - 2017-02-05 17:15 - 138020592 ____C (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2017-02-25 16:45 - 2017-02-04 22:07 - 00000000 ____D C:\Users\Default\AppData\Local\NetworkTiles
2017-02-25 16:45 - 2017-02-04 22:07 - 00000000 ____D C:\Users\Default User\AppData\Local\NetworkTiles
2017-02-21 17:26 - 2017-02-04 22:12 - 00003290 _____ C:\WINDOWS\System32\Tasks\OneDrive Standalone Update Task v2
2017-02-21 17:26 - 2017-02-04 22:09 - 00002363 _____ C:\Users\barre\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk
2017-02-21 17:26 - 2017-02-04 22:09 - 00000000 ___RD C:\Users\barre\OneDrive
2017-02-20 01:21 - 2017-02-18 04:37 - 04349952 _____ C:\Users\barre\Desktop\ert.sai

==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2017-03-14 15:22

==================== End of FRST.txt ============================

Addition.txt and RK.txt are also attached. 

The scan from RogueKiller completed after 40 minutes and found five threats. None of them were the Fuery b!cl that I'm 99% sure is on my computer since it was shown by Windows Defender  twice and then mysteriously disappeared as the function of the machine slowly went downhill.

All in all, I feel like the worst problem was completely missed... For now, I'll let rk try to delete the two registry PUPs and the three (??? I don't know what they are) and wait for further response.

 

 

Addition.txt

RK.txt

[kevinf80]

Thanks for those logs, can tell me what the numerous entries listed to your Desktop are, do you know and trust them. A sample of the entries follows..

2017-03-04 09:05 - 2017-03-04 09:05 - 00479920 _____ C:\Users\barre\Desktop\qrgt.mdp
2017-03-04 09:03 - 2017-03-04 09:04 - 00344784 _____ C:\Users\barre\Desktop\iygcv.jpeg
2017-03-04 09:02 - 2017-03-05 04:18 - 04558848 _____ C:\Users\barre\Desktop\gyvtu dods.sai
2017-03-03 07:26 - 2017-03-04 09:05 - 01025830 _____ C:\Users\barre\Desktop\ergbvf.mdp
2017-03-03 05:50 - 2017-03-03 05:50 - 00210605 _____ C:\Users\barre\Desktop\regy5.mdp
2017-03-03 04:06 - 2017-03-03 04:06 - 00178229 _____ C:\Users\barre\Desktop\er4ty5r.jpeg
2017-03-02 05:28 - 2017-03-02 05:28 - 00139735 _____ C:\Users\barre\Desktop\wfe.mdp
2017-03-02 05:28 - 2017-03-02 05:28 - 00089165 _____ C:\Users\barre\Desktop\wegr.mdp
2017-03-02 05:27 - 2017-03-04 09:05 - 00100900 _____ C:\Users\barre\Desktop\qvrweg.mdp
2017-03-01 02:04 - 2017-03-01 02:04 - 00001263 _____ C:\Users\Public\Desktop\FireAlpaca.lnk
2017-03-01 02:04 - 2017-03-01 02:04 - 00000000 ____D C:\Users\barre\AppData\Local\FireAlpaca

Thank you,

Kevin..

[desejsbn]

They are known and trusted files, the .jpeg, .mdp, .sai and .png listings littering my desktop are all just poorly named. I put them there, sorry if they caused confusion. 

Edit// FireAlpaca is also a trusted program.

Edited March 23, 2017 by desejsbn

[kevinf80]

Thanks for the update, I do not see any obvious Malware/Infection in your logs.... Continue with the following:

Download Malwarebytes version 3 from the following link: https://www.malwarebytes.com/mwb-download/thankyou/ Double click on the installer and follow the prompts. If necessary select the Blue Help tab for video instructions.... When the install completes and is updated do the following: Open Malwarebytes, select > "settings" > "protection tab" Scroll down to "Scan Options" ensure Scan for Rootkits and Scan within Archives are both on.... Go back to "DashBoard" select the Blue "Scan Now" tab...... When the scan completes deal with any found entries... Then select "Export Summary" then "Text File (*.txt)" name that log and save , you can copy or attach that to your reply... Next, Download AdwCleaner by Xplode onto your Desktop.   Double click on Adwcleaner.exe to run the tool. Click on the Scan in the Actions box Please wait fot the scan to finish.. When "Waiting for action.Please uncheck elements you want to keep" shows in top line.. Click on the Cleaning box. Next click OK on the "Closing Programs" pop up box. Click OK on the Information box & again OK to allow the necessary reboot After restart the AdwCleaner(C*)-Notepad log will appear, please copy/paste it in your next reply. Where * is the number relative to list of scans completed... Next, Go here and click 'SCAN NOW' under 'ESET Online Scanner' save to your Desktop. Turn off the real-time scanner of any existing antivirus program before performing the online scan. Here's how Right click on and select "Run as Administrator" In the new Window accept the terms of service In the new Window select "Enable detection of potentially unwanted applictions" then expand "Advanced Settings" In the new Window checkmark (tick) the entries as shown, make sure "Clean threats automatically" is not checkmarked. Now select "Scan" In the new Window new virus database signatures will download, Do Not Select Stop The Window will progress showing the scan in action.... In the new Window if no threats are found, select "Delete applications data on close" then select "Finish" no log is produced, confirm that in your reply... If threats are found the following Window will open: Click on "Select All" then "Save to Text file" name and save that file, attach to your reply. Now select "Do not clean" and then close out.... Let me see those logs in your reply... Thank you, Kevin...

 

[desejsbn]

I got home and upon trying to log into the computer, I got 'something went wrong, this service is not available', redirected me to a page that made me verify my Windows10 account by reentering my password, then logged me in on a temporary account. I signed out and when I tried to log in again it worked fine so not sure what that was about

Yesterday I downloaded MWB and ran it ahead of time, it found 2 adware things and several other stuffs, the install.monster thing it found was the file that gave me the initial fuery infection notifications, and mwb deleted it as far as I can tell. The scan is attached as mwbscan.txt

Ran another scan with rootkit search enabled and it didn't find anything so it isn't attached.

ADWCleaner didn't find anything... 

Neither did ESET scan

 

 

 

 

mwbscan.txt

[kevinf80]

The issue you experienced at log on could possibly have been down to a clash with Loaded Profiles: barre  has admin status, there is also this Profile defaultuser0

That second user profile is possibly related to "Windows Insider" program, are you registered with Microsoft for that program...?

Have a read at the following link: https://www.kapilarya.com/what-is-defaultuser0-account-in-windows-10-and-how-to-remove-it Use the instruction available at that link to remove that user profile....

Let me know if you have any remaining issues or concerns, if non we can clean up as follows....

Uninstall RogueKiller http://www.askvg.com/how-to-completely-uninstall-remove-a-software-program-in-windows-without-using-3rd-party-software/ Next, Download "Delfix by Xplode" and save it to your desktop. Or use the following if first link is down: "Delfix link mirror" If your security program alerts to Delfix either, accept the alert or turn your security off. Double Click to start the program. If you are using Vista or higher, please right-click and choose run as administrator Make Sure the following items are checked:   Remove disinfection tools <----- this will remove tools we have used. Purge System Restore <--- this will remove all previous and possibly exploited restore points, a new point relative to system status at present will be created. Reset system settings <--- this will reset any system settings back to default that were changed either by us during cleansing or malware/infection Now click on "Run" and wait patiently until the tool has completed. The tool will create a log when it has completed. We don't need you to post this. Any remnant files/logs from tools we have used can be deleted… Next, Read the following links to fully understand PC Security and Best Practices, you may find them useful.... Answers to Common Security Questions and best Practices Do I need a Registry Cleaner? Take care and surf safe Kevin...

[desejsbn]

Followed the steps to remove defaultuser0, but no, as far as I know I am not registered with any windows insider thing

It still seems I have some sort of infection or unwanted services running on the computer?? Back when this whole issue first started, I had a hidden Microsoft Edge open up, and though it sounds strange, what it did was have certain songs play- some covers of things from musicals I've listened to, and a cover of a cartoon theme that I have never heard before. It was odd, I could only turn off the music in the MSE window through task manager

Right after I finished deleting defaultuser, I restarted the computer, and lo and behold, the mysterious mse playing cartoon music immediately on startup has returned. Additionally, three outbound connections to a website were blocked by malwarebytes, and then I was alerted to my realtime protection layers being off even though I turned them back on after running the online scan that required me to disable them

I remember in safemode while deleting defaultuser i got a popup  from windows that said "This app can't open: Get Started can't be opened using the Built-in Administrator account. Sign in with a different account and try again." I ignored it since it was most likely irrelevant but im including that detail anyway

I also tried to run windows defender as it was and still is turned off, and it said that it couldnt run for whatever reason. Not sure if thats simply because of safemode though. Malwarebytes worked fine 

I have attached one of the reports for the outbound connections

I don't think it's a good idea for me to get rid of the antimalware apps just yet, I want to be 100% sure that my computer is clean, even though it looks from the outside as if there is probably not much going on.

websiteblocked.txt

[kevinf80]

Please download Gmer from Here by clicking on the "Download EXE" Button.   Double click on the randomly named GMER.exe. If asked to allow gmer.sys driver to load, please consent. If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO. In the right panel, you will see several boxes that have been checked. Uncheck the following ... Sections IAT/EAT Show All ( should be unchecked by default )   Leave everything else as it is. Close all other running Programs as well as your Browsers. Click the Scan button & wait for it to finish. Once done click on the Save.. button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post. Save it where you can easily find it, such as your desktop. Please post the content of the ark.txt here. **Caution** Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries **If GMER crashes** Follow the instructions here and disable your security temporarily… Let me see that log...

 

[desejsbn]

Thanks for all the help so far. Here's the log you asked for: 

ark.txt

[kevinf80]

Make a registry back up as follows:

Tweaking.com Registry Backup   Download Tweaking.com Registry Backup from here, and save tweaking.com_registry_backup_portable.zip to your desktop. Now we need to create a new folder to extract the zipped contents into. Right click on the zipped folder you just downloaded and select "Extract All". Click the "Browse" button and from the list, expand "Computer", then expand "Windows (C:)", and click the "Make New Folder" button. Call this folder something you will remember...like "RegBackup" then click "Ok", and then click "Extract". From the newly extracted files, right click on and select Run as Administrator (XP users just double click) to start Tweaking.com Registry Backup.(Windows Vista/7/8/10 users: Accept UAC warning if it is enabled.) A screen like this should appear:   Type a custom name in Backup Name if you want, then choose Backup Now. If backup is successful, a message will appear at the lower half of the screen with an option to view logs. The registry backup will be created in %WindowsDrive%\RegBackup by default. You can customize the path in Settings. Close Tweaking.com Registry Backup when done. Next,

I`ve attached kill.zip to this reply, download and unzip to your Desktop so you have kill.bat

Right click on kill.bat select "Run as Administrator" When complete your system should re-boot....

Run GMER again as you did previously and post a fresh log

Thank you,

Kevin...

kill.zip

[desejsbn]

Made the reg backup and did everything with the bat file, when I went to run it first windows stopped me to 'protect my device from something from an unknown publisher' but it was for the file so i ran anyway- a cmd flashed on my screen for a second, and then went away. Nothing else happened. Safe to run again to see if it works? 

[kevinf80]

Can you post fresh GMER log...

[desejsbn]

Here it is, but my computer didn't reboot after the .bat. 

ark2.txt

[kevinf80]

Not sure why no re-boot but malicious entries are definitely gone... Is your PC responding OK, any issues or concerns...?

[desejsbn]

PC is responding fine, rebooted myself and no odd apps opened on startup and my windows defender was working as it should

[kevinf80]

Excellent, you can delete Tweaking tool from your Desktop, also delete the folder created to C:\ drive, after that use DelFix as previously described... After that you should be good to go....

Regards,

Kevin...

[desejsbn]

Aaaaghh- after following the instruction to delete the tweaking tool and run delfix, I was using chrome as usual when Firefox, a browser I have downloaded but not used in ages, opened itself and claimed to be having trouble 'restoring a previous session' consisting of 'window 1'. My pc has been on for several hours now so I'm not sure why this would be showing up at this point. Is this cause for concern, or should I simply ignore it? Otherwise, your help has been greatly appreciated, and you can close the topic if you'd like.

[kevinf80]

I`m not sure why Firefox should respond like that if you`re not using it as a default Browser, probably worth going for a clean install to ensure no hijackers are lurking....

Use the following link for instructions how to back up your bookmarks, same link can be used to import saved Bookmarks: https://support.mozilla.org/en-US/kb/export-firefox-bookmarks-to-backup-or-transfer Next, Go here: http://www.mozilla.org/en-US/ download save the latest version of Firefox.. We will install this later... Next, Lets totally remove Firefox and start over. Go here: https://support.mozilla.org/en-US/kb/uninstall-firefox-from-your-computer and follow those instructions... Ensure when the uninstall completes to navigate to and delete the firefox installation folder (if present): (32-bit Windows) C:\Program Files\Mozilla Firefox (64-bit Windows) C:\Program Files (x86)\Mozilla Firefox It is essential the installation folder is removed. Re-boot your system when that is completed.... Next, To remove all remaining data and profile information... Press "Windows key + R" to open the Run box In the Run box, type in or copy and paste %APPDATA% Click OK. A Windows Explorer window will appear. In this window, choose/open in succession Mozilla > Firefox > Profiles. Select Delete on each entry in reverse, eg Profiles > Delete. Firefox > Delete. Mozilla > Delete. Re-boot your system when complete! Next, Use the Mozilla Firefox installer to reinstall your Browser.... When Firefox is installed and open select these keys together :- Ctrl - Shift - A that will access Addons manger, this gives access to find addons/extensions, use, start, stop or disable those features etc.... Ensure to use search to find and install AdBlock plus, Flashblock and DrWeb Anti-Virus Link Checker plus any other addons you normally use.... Now try surfing, see what happens...   Let me know if any issues or concerns remain...   Thank you,   Kevin

[desejsbn]

As I turned my computer on and tried to log in I got the issue with the service not being available and it logged me into the temporary account again. Like before signing out and back in let me get to my computer

Also ive noticed that my cpu takes an oddly long time loading on "preparing windows" when i log in compared to how fast it usually takes 

I reinstalled firefox like you said. Anything I should do regarding windows edge? 

I was also using my normal apps just now and got a sudden BSOD...

I attached an img of the screen that makes me reenter my password when I start the cpu right before it puts me on temp acc

[desejsbn]

sorry for double posting but i also just realized that my usage stats look like this even tho its not running any apps rn, compared to someone elses usage stats that i asked for, mine are really high..?

[kevinf80]

Run the following scan please:

1.Download Malwarebytes Anti-Rootkit from this link: http://www.malwarebytes.org/products/mbar/ 2. Unzip the File to a convenient location. (Recommend the Desktop) 3. Open the folder where the contents were unzipped to run mbar.exe 4. Double-click on the mbar.exe file, you may receive a User Account Control prompt asking if you are sure you wish to allow the program to run. Please allow the program to run and MBAR will now start to install any necessary drivers that are required for the program to operate correctly. If a rootkit is interfering with the installation of the drivers you will see a message that states that the DDA driver was not installed and that you should reboot your computer to install it. You will see this image: 5. If you receive this message, please click on the Yes button and Malwarebytes Anti-Rootkit will now restart your computer. Once the computer is rebooted and you login, MBAR will automatically start and you will now be at the start screen. (If no Rootkit warning you will go from step 4 to 6.) 6. The following image opens, select Next. 7. The following image opens, select Update 8. When the update completes select Next. 9. In the following window ensure "Targets" are ticked. Then select "Scan" 10. If an infection is found select the "Cleanup Button" to remove threats, Reboot if prompted. Wait while the system shuts down and the cleanup process is performed. 11. Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click "Cleanup Button" once more and repeat the process. 12. If no threats were found you will see the following image, Select Exit: 13. Verify that your system is now running normally, making sure that the following items are functional:   Internet access Windows Update Windows Firewall 14. If there are additional problems with your system, such as any of those listed above or other system issues, then run the 'fixdamage' tool included within Malwarebytes Anti-Rootkit folder. 15. Select "Y" from your Keyboard, tap Enter. 16. The fix will be applied, select any key to Exit. 17. Let me know how your system now responds. Copy and paste the two following logs from the mbar folder: System - log Mbar - log Date and time of scan will also be shown Thanks, Kevin...