Mikey1 Posted September 17, 2017 (edited)
Sorry, thought you meant this one. You asked if the FRST worked to move the driver and I replied yes, and then you said to do the Malicious Software Removal Tool scan, which is above. I had the scan results from RKiller still open on the desktop so deleted them from there, but am running RKiller again.
Edited September 17, 2017 by Mikey1: missed something
kevinf80 Posted September 17, 2017
OK Mike, just post fresh RK log....
Mikey1 Posted September 17, 2017

Fix result of Farbar Recovery Scan Tool (x64) Version: 16-09-2017
Ran by Micke (17-09-2017 14:58:33) Run:6
Running from F:\Data\Desktop\New folder
Loaded Profiles: Micke (Available Profiles: defaultuser0 & Micke)
Boot Mode: Normal
==============================================

fixlist content:
*****************
Start
CloseProcesses:
CreateRestorePoint:
FF user.js: detected! => C:\Users\Micke\AppData\Roaming\Mozilla\Firefox\Profiles\0knd2vyl.default\user.js [2017-09-08]
S3 dbx; system32\DRIVERS\dbx.sys [X]
C:\Windows\system32\drivers\rdpxaxnt.sys
C:\Windows\system32\Drivers\B331E1EE.sys
CMD: ipconfig /flushdns
EmptyTemp:
end
*****************

Processes closed successfully.
Restore point was successfully created.
C:\Users\Micke\AppData\Roaming\Mozilla\Firefox\Profiles\0knd2vyl.default\user.js => moved successfully
HKLM\System\CurrentControlSet\Services\dbx => key removed successfully
dbx => service removed successfully
Could not move "C:\Windows\system32\drivers\rdpxaxnt.sys" => Scheduled to move on reboot.
C:\Windows\system32\Drivers\B331E1EE.sys => moved successfully

========= ipconfig /flushdns =========

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========

=========== EmptyTemp: ==========

BITS transfer queue => 32768 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 74877845 B
Java, Flash, Steam htmlcache => 379 B
Windows/system/drivers => 15867103 B
Edge => 0 B
Chrome => 0 B
Firefox => 264752228 B
Opera => 0 B
Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 128 B
systemprofile32 => 128 B
LocalService => 80754 B
NetworkService => 0 B
defaultuser0 => 0 B
Micke => 240059795 B
RecycleBin => 0 B
EmptyTemp: => 568.1 MB temporary data Removed.

================================

Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 17-09-2017 14:59:53)

"C:\Windows\system32\drivers\rdpxaxnt.sys" => Could not move

==== End of Fixlog 14:59:53 ====
Mikey1 Posted September 17, 2017
Kevin, I just did the RogueKiller scan again and it didn't give me a log, but I went into history and there were 35 viruses, inc. yellowloader, all quarantined, so I deleted them all.
Mikey1 Posted September 17, 2017
I was able to run AdwCleaner and this is the log. I also have been able to download and run Malwarebytes and that is scanning at the moment.

# AdwCleaner 7.0.2.1 - Logfile created on Sun Sep 17 17:10:53 2017
# Updated on 2017/29/08 by Malwarebytes
# Database: 09-15-2017.1
# Running on Windows 10 Pro (X64)
# Mode: scan
# Support: https://www.malwarebytes.com/support

***** [ Services ] *****

No malicious services found.

***** [ Folders ] *****

PUP.Optional.AdvancedSystemCare, C:\ProgramData\IObit\Advanced SystemCare
PUP.Optional.AdvancedSystemCare, C:\Windows\System32\config\systemprofile\AppData\Roaming\IObit\Advanced SystemCare
PUP.Optional.AdvancedSystemCare, C:\Program Files (x86)\Common Files\IObit\Advanced SystemCare
PUP.Optional.AdvancedSystemCare, C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\IObit\Advanced SystemCare
PUP.Optional.AdvancedSystemCare, C:\Users\All Users\IObit\Advanced SystemCare
PUP.Optional.AdvancedSystemCare, C:\Users\Micke\AppData\LocalLow\IObit\Advanced SystemCare
PUP.Optional.AdvancedSystemCare, C:\Users\Micke\AppData\Roaming\IObit\Advanced SystemCare
PUP.Optional.Legacy, C:\ProgramData\IObit\ASCDownloader
PUP.Optional.Legacy, C:\Users\All Users\IObit\ASCDownloader

***** [ Files ] *****

No malicious files found.

***** [ DLL ] *****

No malicious DLLs found.

***** [ WMI ] *****

No malicious WMI found.

***** [ Shortcuts ] *****

No malicious shortcuts found.

***** [ Tasks ] *****

No malicious tasks found.

***** [ Registry ] *****

PUP.Optional.AdvancedSystemCare, [Key] - HKLM\SOFTWARE\IOBIT\ASC
PUP.Optional.AdvancedSystemCare, [Key] - HKLM\SOFTWARE\CLASSES\DIRECTORY\SHELLEX\CONTEXTMENUHANDLERS\Advanced SystemCare
PUP.Optional.AdvancedSystemCare, [Key] - HKLM\SOFTWARE\CLASSES\DRIVE\SHELLEX\CONTEXTMENUHANDLERS\Advanced SystemCare
PUP.Optional.AdvancedSystemCare, [Key] - HKLM\SOFTWARE\CLASSES\LNKFILE\SHELLEX\CONTEXTMENUHANDLERS\Advanced SystemCare
PUP.Optional.AdvancedSystemCare, [Key] - HKLM\SOFTWARE\Google\Chrome\NativeMessagingHosts\com.ascplugin.protect
PUP.Optional.Legacy, [Key] - HKU\RK_USUARIO_ON_L_6FF9\Software\UpgSvr
PUP.Optional.Legacy, [Key] - HKU\RK_USUARIO_ON_L_6FF9\Software\PopWnd
PUP.Optional.Legacy, [Key] - HKU\RK_USUARIO_ON_L_6FF9\Software\Yahoo\Companion
PUP.Optional.Legacy, [Key] - HKU\RK_USUARIO_ON_L_6FF9\Software\AppDataLow\Software\Yahoo\Companion
PUP.Optional.Legacy, [Key] - HKU\RK_USUARIO_ON_L_6FF9\Software\fitlr
PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\s5m
PUP.Optional.Legacy, [Key] - HKU\S-1-5-21-1683162545-4236984137-2836460707-1001\Software\Microsoft\Windows\CurrentVersion\Uninstall\CloudExtender
PUP.Optional.Legacy, [Key] - HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\CloudExtender
PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Classes\CLSID\{BA0C978D-D909-49B6-AFE2-8BDE245DC7E6}
PUP.Optional.Legacy, [Key] - HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BA0C978D-D909-49B6-AFE2-8BDE245DC7E6}
PUP.Optional.Legacy, [Value] - HKU\S-1-5-21-1683162545-4236984137-2836460707-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run | Advanced SystemCare 10
PUP.Optional.Wajam, [Key] - HKLM\SOFTWARE\CLASSES\APPID\56BF5154-0B48-4ADB-902A-6C8B12E270D9
PUP.Optional.WindowService, [Key] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MeOptimum_x86
PUP.Optional.SwytShop, [Key] - HKU\S-1-5-21-1683162545-4236984137-2836460707-1001\Software\Microsoft\Windows\CurrentVersion\Uninstall\SwytShop_Pkg2_is1
PUP.Optional.SwytShop, [Key] - HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\SwytShop_Pkg2_is1
PUP.Optional.Downloader, [Key] - HKU\RK_USUARIO_ON_L_6FF9\Software\dlr
PUP.Optional.DragonBranch, [Key] - HKU\S-1-5-21-1683162545-4236984137-2836460707-1001\Software\Microsoft\Windows\CurrentVersion\Uninstall\119
PUP.Optional.DragonBranch, [Key] - HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\119
PUP.Optional.WeatherAlerts, [Key] - HKU\RK_USUARIO_ON_L_6FF9\Software\Microsoft\{cc6eb6d8-85b7-435p-8b86-51e4d16ea76d}

***** [ Firefox (and derivatives) ] *****

PUP.Optional.Legacy, Plugin found: SwytShop - SwytShop

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries.

*************************

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt ##########
kevinf80 Posted September 17, 2017
Looks like we are finally making progress, post the Malwarebytes log whenever you're ready...
Mikey1 Posted September 17, 2017

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 9/17/17
Scan Time: 7:11 PM
Log File: 4c71bd7a-9bcb-11e7-ac12-bc5ff49cca3a.json
Administrator: Yes

-Software Information-
Version: 3.2.2.2029
Components Version: 1.0.188
Update Package Version: 1.0.2826
License: Trial

-System Information-
OS: Windows 10 (Build 14393.1715)
CPU: x64
File System: NTFS
User: DESKTOP-BLBF82Q\Micke

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 395275
Threats Detected: 17
Threats Quarantined: 17
Time Elapsed: 3 min, 47 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 7
Adware.REOptimizer, HKU\S-1-5-21-1683162545-4236984137-2836460707-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\CloudExtender, Quarantined, [7013], [412223],1.0.2826
PUP.Optional.SwytShop, HKU\S-1-5-21-1683162545-4236984137-2836460707-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\SwytShop_Pkg2_is1, Quarantined, [2872], [375414],1.0.2826
Adware.REOptimizer, HKU\S-1-5-21-1683162545-4236984137-2836460707-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\119, Quarantined, [7013], [417947],1.0.2826
PUP.Optional.Wajam, HKLM\SOFTWARE\CLASSES\WOW6432NODE\APPID\56BF5154-0B48-4ADB-902A-6C8B12E270D9, Quarantined, [83], [170024],1.0.2826
PUP.Optional.Wajam, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\NLASVC\PARAMETERS\INTERNET\MANUALPROXIES, Quarantined, [83], [-1],0.0.0
PUP.Optional.Wajam, HKLM\SOFTWARE\CLASSES\APPID\56BF5154-0B48-4ADB-902A-6C8B12E270D9, Quarantined, [83], [170024],1.0.2826
PUP.Optional.Wajam, HKLM\SOFTWARE\WOW6432NODE\CLASSES\APPID\56BF5154-0B48-4ADB-902A-6C8B12E270D9, Quarantined, [83], [170024],1.0.2826

Registry Value: 5
Adware.REOptimizer, HKU\S-1-5-21-1683162545-4236984137-2836460707-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\119|DISPLAYNAME, Quarantined, [7013], [417947],1.0.2826
PUP.Optional.Wajam, HKU\S-1-5-18\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYENABLE, Quarantined, [83], [-1],0.0.0
PUP.Optional.Wajam, HKU\S-1-5-21-1683162545-4236984137-2836460707-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYENABLE, Quarantined, [83], [-1],0.0.0
PUP.Optional.Wajam, HKU\S-1-5-21-1683162545-4236984137-2836460707-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYOVERRIDE, Quarantined, [83], [-1],0.0.0
PUP.Optional.Wajam, HKU\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|PROXYENABLE, Quarantined, [83], [-1],0.0.0

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 2
PUP.Optional.SwytShop, C:\Users\Micke\AppData\Roaming\Mozilla\Firefox\Profiles\0knd2vyl.default\jetpack\323D625D490FE8DD@ext.u\simple-storage, Quarantined, [2872], [375413],1.0.2826
PUP.Optional.SwytShop, C:\USERS\MICKE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\0KND2VYL.DEFAULT\JETPACK\323D625D490FE8DD@ext.u, Quarantined, [2872], [375413],1.0.2826

File: 3
PUP.Optional.OnlineIO, C:\WINDOWS\INSTALLER\SOURCEHASH{5266F634-7B7D-4537-BDDC-98DD6CFCBAA1}, Quarantined, [551], [391431],1.0.2826
PUP.Optional.SwytShop, C:\USERS\MICKE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\0KND2VYL.DEFAULT\EXTENSIONS\323D625D490FE8DD@ext.u.xpi, Quarantined, [2872], [375412],1.0.2826
PUP.Optional.SwytShop, C:\Users\Micke\AppData\Roaming\Mozilla\Firefox\Profiles\0knd2vyl.default\jetpack\323D625D490FE8DD@ext.u\simple-storage\store.json, Quarantined, [2872], [375413],1.0.2826

Physical Sector: 0
(No malicious items detected)

(end)

Looks like we've (you've) cracked it. Windows Defender is also running now.
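Added here as an example and not part of the thread, nor code from FRST, AdwCleaner or Malwarebytes: a read-only PowerShell check that the specific items the logs above dealt with have not come back, namely the rdpxaxnt.sys driver FRST could not move, the dbx service it removed, the Wajam proxy settings and NlaSvc ManualProxies entry Malwarebytes quarantined, and the SwytShop Firefox add-on. The file names, service name, registry paths and add-on id are taken from the logs; the script itself is my own and assumes it runs in an elevated PowerShell prompt on the cleaned machine.

```powershell
# Added example (not from the thread): report whether indicators from the
# FRST / AdwCleaner / Malwarebytes logs are still present. Read-only: it
# changes nothing. Run elevated so every user hive under HKU is readable.

$findings = @()

# 1. Driver FRST reported "Could not move" even after the reboot attempt.
$driver = Join-Path $env:SystemRoot 'System32\drivers\rdpxaxnt.sys'
if (Test-Path -LiteralPath $driver) {
    $sig = Get-AuthenticodeSignature -FilePath $driver
    $findings += "driver still on disk: $driver (signature: $($sig.Status))"
}

# 2. Service 'dbx' that FRST removed together with its Services key.
if (Get-Service -Name 'dbx' -ErrorAction SilentlyContinue) {
    $findings += "service 'dbx' is registered again"
}
if (Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Services\dbx') {
    $findings += "registry key Services\dbx exists again"
}

# 3. Proxy values quarantined as PUP.Optional.Wajam. A proxy that is enabled
#    again would keep routing browser traffic through whatever it points at,
#    so check every loaded user hive, not just the current user.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$inet  = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$hives = Get-ChildItem 'HKU:' -ErrorAction SilentlyContinue |
         ForEach-Object { "HKU:\$($_.PSChildName)" }
foreach ($hive in $hives) {
    $p = Get-ItemProperty -Path "$hive\$inet" -ErrorAction SilentlyContinue
    if ($p -and $p.ProxyEnable -eq 1) {
        $findings += "$hive proxy enabled: server='$($p.ProxyServer)' override='$($p.ProxyOverride)'"
    }
}
$nla = 'HKLM:\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet'
if ((Test-Path "$nla\ManualProxies") -or
    (Get-ItemProperty -Path $nla -Name ManualProxies -ErrorAction SilentlyContinue)) {
    $findings += 'NlaSvc ManualProxies entry exists again'
}

# 4. SwytShop add-on (id from the Malwarebytes log) in any Firefox profile.
$xpi = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles\*\extensions\323D625D490FE8DD@ext.u.xpi'
if (Test-Path -Path $xpi) { $findings += "SwytShop add-on still installed: $xpi" }

if ($findings.Count -eq 0) { 'No indicators from the thread logs remain.' }
else { $findings | ForEach-Object { "FOUND: $_" } }
```

A hit on item 1 or 2 means the FRST fix did not fully take and is worth a fresh FRST scan; a hit on item 3 is worth comparing against a proxy you configured yourself before treating it as a leftover.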
Mikey1 Posted September 17, 2017
I am also going to upgrade my temporary free premium Antimalwarebytes to a full sub.
kevinf80 Posted September 17, 2017
Let's run another scan with FRST, see what a fresh set of logs show:

Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan".
Select scan, when done post the new logs: "FRST.txt" and "Addition.txt".
Mikey1 Posted September 17, 2017
FRST.txt
Addition.txt
kevinf80 Posted September 17, 2017
Thanks for those logs Mike, continue as follows:

Download the attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file"

NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it to your reply.

Let me see that log, also tell me if there are any remaining issues or concerns.

Thanks,
Kevin....

fixlist.txt
Mikey1 Posted September 17, 2017
Hi Kevin, I think everything is looking good mate. Thanks so much for all your help and time.
Fixlog.txt
kevinf80 Posted September 17, 2017
You're very welcome Mike, run the following to clean up:

Download "Delfix by Xplode" and save it to your desktop. Or use the following if the first link is down: "Delfix link mirror"
If your security program alerts to Delfix, either accept the alert or turn your security off.
Double click to start the program. If you are using Vista or higher, please right-click and choose run as administrator.

Make sure the following items are checked:
Remove disinfection tools <----- this will remove tools we may have used.
Purge System Restore <--- this will remove all previous and possibly exploited restore points; a new point relative to system status at present will be created.
Reset system settings <--- this will reset any system settings back to default that were changed either by us during cleansing or by malware/infection.

Now click on "Run" and wait patiently until the tool has completed.
The tool will create a log when it has completed. We don't need you to post this. Any remnant files/logs from tools we have used can be deleted…

Next, read the following links to fully understand PC Security and Best Practices, you may find them useful....
Answers to Common Security Questions and Best Practices
Do I need a Registry Cleaner?

Take care and surf safe

Kevin...
kevinf80 Posted September 19, 2017
Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!