Cyber Tech Help Support Forums > Software > Malware Removal
#16  luzchurch (Senior Member; joined Nov 2004; 333 posts)  April 15th, 2018, 11:29 PM
I tried FRST again. It goes through the process normally but the process encounters a problem when I try the Fix button. How do I proceed?


#17  luzchurch (Senior Member; joined Nov 2004; 333 posts)  April 16th, 2018, 04:56 PM
This morning I tried again and it did finish the test. Here is the log file:

Fix result of Farbar Recovery Scan Tool (x86) Version: 15.04.2018
Ran by owner (16-04-2018 11:33:31) Run:4
Running from C:\Documents and Settings\owner\My Documents\Downloads
Loaded Profiles: owner & (Available Profiles: owner & Administrator)
Boot Mode: Normal

==============================================

fixlist content:
*****************
CreateRestorePoint:
CloseProcesses:
HKU\S-1-5-21-507921405-1284227242-1417001333-1003\...\Run: [*rrzwvnyvrr<*>] => "C:\Documents and Settings\owner\Local Settings\Application Data\f003ad\9595f3.bat" <==== ATTENTION (Value Name with invalid characters)
HKU\S-1-5-21-507921405-1284227242-1417001333-1003\...\Run: [Adobe Reader Synchronizer] => C:\Program Files\Adobe\Reader 11.0\Reader\AdobeCollabSync.exe [746376 2014-05-08] (Adobe Systems Incorporated)
HKU\S-1-5-21-507921405-1284227242-1417001333-1003\...\MountPoints2: H - H:\LaunchU3.exe -a
HKU\S-1-5-21-507921405-1284227242-1417001333-1003\...\MountPoints2: {01048412-a396-11e2-999b-001d72aca64d} - H:\LaunchU3.exe -a
HKU\S-1-5-21-507921405-1284227242-1417001333-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04122018063543796\...\Run: [*rrzwvnyvrr<*>] => "C:\Documents and Settings\owner\Local Settings\Application Data\f003ad\9595f3.bat" <==== ATTENTION (Value Name with invalid characters)
HKU\S-1-5-21-507921405-1284227242-1417001333-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04122018063543796\...\Run: [Adobe Reader Synchronizer] => C:\Program Files\Adobe\Reader 11.0\Reader\AdobeCollabSync.exe [746376 2014-05-08] (Adobe Systems Incorporated)
HKU\S-1-5-21-507921405-1284227242-1417001333-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04122018063543796\...\MountPoints2: H - H:\LaunchU3.exe -a
HKU\S-1-5-21-507921405-1284227242-1417001333-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04122018063543796\...\MountPoints2: {01048412-a396-11e2-999b-001d72aca64d} - H:\LaunchU3.exe -a
HKU\S-1-5-21-507921405-1284227242-1417001333-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04122018063638609\...\Run: [*rrzwvnyvrr<*>] => "C:\Documents and Settings\owner\Local Settings\Application Data\f003ad\9595f3.bat" <==== ATTENTION (Value Name with invalid characters)
HKU\S-1-5-21-507921405-1284227242-1417001333-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04122018063638609\...\Run: [Adobe Reader Synchronizer] => C:\Program Files\Adobe\Reader 11.0\Reader\AdobeCollabSync.exe [746376 2014-05-08] (Adobe Systems Incorporated)
HKU\S-1-5-21-507921405-1284227242-1417001333-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04122018063638609\...\MountPoints2: H - H:\LaunchU3.exe -a
HKU\S-1-5-21-507921405-1284227242-1417001333-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04122018063638609\...\MountPoints2: {01048412-a396-11e2-999b-001d72aca64d} - H:\LaunchU3.exe -a
URLSearchHook: [S-1-5-21-507921405-1284227242-1417001333-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04122018063621187] ATTENTION => Default URLSearchHook is missing
URLSearchHook: [S-1-5-21-507921405-1284227242-1417001333-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04122018063652656] ATTENTION => Default URLSearchHook is missing
SearchScopes: HKU\S-1-5-21-507921405-1284227242-1417001333-1003 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-507921405-1284227242-1417001333-1003 -> {2f23ab71-4ac6-41f2-a955-ea576e553146} URL =
SearchScopes: HKU\S-1-5-21-507921405-1284227242-1417001333-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04122018063543796 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-507921405-1284227242-1417001333-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04122018063543796 -> {2f23ab71-4ac6-41f2-a955-ea576e553146} URL =
SearchScopes: HKU\S-1-5-21-507921405-1284227242-1417001333-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04122018063638609 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-507921405-1284227242-1417001333-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04122018063638609 -> {2f23ab71-4ac6-41f2-a955-ea576e553146} URL =
BHO: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_131\bin\ssv.dll [2017-05-14] (Oracle Corporation)
FF ProfilePath: C:\Documents and Settings\owner\Application Data\Mozilla\Firefox\Profiles\l0eutqyb.default-1494803957500 [not found] <==== ATTENTION
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2014-08-05] (Adobe Systems Inc.)
CHR HKLM\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - hxxps://clients2.google.com/service/update2/crx
CustomCLSID: HKU\S-1-5-21-507921405-1284227242-1417001333-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04122018063543796_Classes\CLSID\{004B49B7-11B9-5058-AA22-08DD0A3ADC4B}\InprocServer32 -> {1874A415-9468-D082-4334-05E985889A47} => No File
CustomCLSID: HKU\S-1-5-21-507921405-1284227242-1417001333-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04122018063543796_Classes\CLSID\{DD0822AA-3A0A-4BDC-B749-4B00B9115850}\InprocServer32 -> {55F8EFAD-9468-D082-FB7F-89A485889A47} => No File
CustomCLSID: HKU\S-1-5-21-507921405-1284227242-1417001333-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04122018063638609_Classes\CLSID\{004B49B7-11B9-5058-AA22-08DD0A3ADC4B}\InprocServer32 -> {1874A415-9468-D082-4334-05E985889A47} => No File
CustomCLSID: HKU\S-1-5-21-507921405-1284227242-1417001333-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04122018063638609_Classes\CLSID\{DD0822AA-3A0A-4BDC-B749-4B00B9115850}\InprocServer32 -> {55F8EFAD-9468-D082-FB7F-89A485889A47} => No File
CustomCLSID: HKU\S-1-5-21-507921405-1284227242-1417001333-1003_Classes\CLSID\{004B49B7-11B9-5058-AA22-08DD0A3ADC4B}\InprocServer32 -> {1874A415-9468-D082-4334-05E985889A47} => No File
CustomCLSID: HKU\S-1-5-21-507921405-1284227242-1417001333-1003_Classes\CLSID\{DD0822AA-3A0A-4BDC-B749-4B00B9115850}\InprocServer32 -> {55F8EFAD-9468-D082-FB7F-89A485889A47} => No File
2018-04-09 17:24 - 2018-04-09 17:24 - 000503208 _____ (Piriform Ltd) C:\Documents and Settings\owner\Local Settings\Temp\ccupdate.exe
2018-04-09 09:49 - 2016-03-09 01:00 - 000718336 _____ (Microsoft Corporation) C:\Documents and Settings\owner\Local Settings\Temp\dllnt_dump.dll
2018-04-07 07:00 - 2018-04-07 06:59 - 000457016 _____ () C:\Documents and Settings\owner\Local Settings\Temp\DoubleClick.exe
2018-04-07 06:59 - 2018-04-07 07:00 - 002158592 _____ () C:\Documents and Settings\owner\Local Settings\Temp\installer_mi.exe
2018-04-07 06:58 - 2018-04-07 06:59 - 000860523 _____ ( ) C:\Documents and Settings\owner\Local Settings\Temp\setup.exe
2015-08-14 08:29 - 2015-07-29 16:08 - 000681097 _____ (SQLite Development Team) C:\Documents and Settings\owner\Local Settings\Temp\sqlite3.dll
2018-04-07 07:00 - 2018-04-07 07:00 - 004450288 _____ ( ) C:\Documents and Settings\owner\Local Settings\Temp\SystemHealer.exe
2018-04-07 06:59 - 2018-04-07 06:59 - 000457016 _____ () C:\Documents and Settings\owner\Local Settings\Temp\zdj.exe
C:\Documents and Settings\owner\Local Settings\Temp\dllnt_dump.dll
AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMPDCCB2FA [306]
HKU\S-1-5-19-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04122018063528750\Control Panel\Desktop\\Wallpaper -> (None)
HKU\S-1-5-19-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04122018063637687\Control Panel\Desktop\\Wallpaper -> (None)
HKU\S-1-5-20-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04122018063539718\Control Panel\Desktop\\Wallpaper -> (None)
HKU\S-1-5-20-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04122018063638125\Control Panel\Desktop\\Wallpaper -> (None)
HKU\S-1-5-19-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04122018063528750\Control Panel\Desktop\\Wallpaper -> (None)
HKU\S-1-5-19-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04122018063637687\Control Panel\Desktop\\Wallpaper -> (None)
HKU\S-1-5-20-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04122018063539718\Control Panel\Desktop\\Wallpaper -> (None)
HKU\S-1-5-20-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04122018063638125\Control Panel\Desktop\\Wallpaper -> (None)
HKU\S-1-5-21-507921405-1284227242-1417001333-1003\Control Panel\Desktop\\Wallpaper -> C:\WINDOWS\web\wallpaper\Bliss.bmp
HKU\S-1-5-21-507921405-1284227242-1417001333-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04122018063543796\Control Panel\Desktop\\Wallpaper -> C:\WINDOWS\web\wallpaper\Bliss.bmp
HKU\S-1-5-21-507921405-1284227242-1417001333-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04122018063638609\Control Panel\Desktop\\Wallpaper -> C:\WINDOWS\web\wallpaper\Bliss.bmp
HKU\S-1-5-21-507921405-1284227242-1417001333-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04122018063621187\Control Panel\Desktop\\Wallpaper -> (None)
HKU\S-1-5-21-507921405-1284227242-1417001333-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04122018063652656\Control Panel\Desktop\\Wallpaper -> (None)
HKLM\...\regfile\shell\open\command: C:\WINDOWS\REGEDIT.EXE /M "%L" <==== ATTENTION
HKLM\...\batfile\shell\open\command: C:\WINDOWS\system32\CMD.EXE /C Call "%L" %* <==== ATTENTION
HKLM\...\cmdfile\shell\open\command: C:\WINDOWS\system32\CMD.EXE /C Call "%L" %* <==== ATTENTION
2018-04-07 07:36 - 2018-04-09 15:39 - 003072054 _____ C:\Documents and Settings\owner\.bmp
2018-04-07 07:36 - 2018-04-09 15:39 - 000000000 _____ C:\Documents and Settings\owner\mp
2018-04-07 07:04 - 2018-04-07 07:49 - 003072054 _____ C:\Documents and Settings\owner\Local Settings\Application Data\.bmp
2018-04-07 07:04 - 2018-04-07 07:49 - 000000000 _____ C:\Documents and Settings\owner\Local Settings\Application Data\mp
C:\Documents and Settings\owner\Local Settings\Application Data\.bmp
C:\Documents and Settings\owner\Local Settings\Application Data\mp
2018-03-30 16:38 - 2018-03-30 16:38 - 000276578 _____ C:\Documents and Settings\owner\My Documents\hamsanada.bmp
2018-03-30 16:33 - 2018-03-30 16:33 - 000115390 _____ C:\Documents and Settings\owner\My Documents\skandamanorama.bmp
1618-10-21 21:05 - 1618-10-21 21:05 - 000096256 ____N (Microsoft Corporation) C:\Program Files\NYqasgsZY.exe
CMD: ipconfig /flushdns
EMPTYTEMP:
*****************

Restore point was successfully created.
Processes closed successfully.
"HKU\S-1-5-21-507921405-1284227242-1417001333-1003\Software\Microsoft\Windows\CurrentVersion\Run\\*rrzwvnyvrr<*>" => not found
"HKU\S-1-5-21-507921405-1284227242-1417001333-1003\Software\Microsoft\Windows\CurrentVersion\Run\\Adobe Reader Synchronizer" => not found
HKU\S-1-5-21-507921405-1284227242-1417001333-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\H => not found
HKU\S-1-5-21-507921405-1284227242-1417001333-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{01048412-a396-11e2-999b-001d72aca64d} => not found
HKLM\Software\Classes\CLSID\{01048412-a396-11e2-999b-001d72aca64d} => not found
HKU\S-1-5-21-507921405-1284227242-1417001333-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04122018063543796\...\Run: [*rrzwvnyvrr<*>] => "C:\Documents and Settings\owner\Local Settings\Application Data\f003ad\9595f3.bat" <==== ATTENTION (Value Name with invalid characters) => Error: No automatic fix found for this entry.
HKU\S-1-5-21-507921405-1284227242-1417001333-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04122018063543796\...\Run: [Adobe Reader Synchronizer] => C:\Program Files\Adobe\Reader 11.0\Reader\AdobeCollabSync.exe [746376 2014-05-08] (Adobe Systems Incorporated) => Error: No automatic fix found for this entry.
HKU\S-1-5-21-507921405-1284227242-1417001333-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04122018063543796\...\MountPoints2: H - H:\LaunchU3.exe -a => Error: No automatic fix found for this entry.
HKU\S-1-5-21-507921405-1284227242-1417001333-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04122018063543796\...\MountPoints2: {01048412-a396-11e2-999b-001d72aca64d} - H:\LaunchU3.exe -a => Error: No automatic fix found for this entry.
HKU\S-1-5-21-507921405-1284227242-1417001333-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04122018063638609\...\Run: [*rrzwvnyvrr<*>] => "C:\Documents and Settings\owner\Local Settings\Application Data\f003ad\9595f3.bat" <==== ATTENTION (Value Name with invalid characters) => Error: No automatic fix found for this entry.
HKU\S-1-5-21-507921405-1284227242-1417001333-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04122018063638609\...\Run: [Adobe Reader Synchronizer] => C:\Program Files\Adobe\Reader 11.0\Reader\AdobeCollabSync.exe [746376 2014-05-08] (Adobe Systems Incorporated) => Error: No automatic fix found for this entry.
HKU\S-1-5-21-507921405-1284227242-1417001333-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04122018063638609\...\MountPoints2: H - H:\LaunchU3.exe -a => Error: No automatic fix found for this entry.
HKU\S-1-5-21-507921405-1284227242-1417001333-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04122018063638609\...\MountPoints2: {01048412-a396-11e2-999b-001d72aca64d} - H:\LaunchU3.exe -a => Error: No automatic fix found for this entry.
URLSearchHook: [S-1-5-21-507921405-1284227242-1417001333-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04122018063621187] ATTENTION => Default URLSearchHook is missing => Error: No automatic fix found for this entry.
URLSearchHook: [S-1-5-21-507921405-1284227242-1417001333-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04122018063652656] ATTENTION => Default URLSearchHook is missing => Error: No automatic fix found for this entry.
"HKU\S-1-5-21-507921405-1284227242-1417001333-1003\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope" => not found
HKU\S-1-5-21-507921405-1284227242-1417001333-1003\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2f23ab71-4ac6-41f2-a955-ea576e553146} => not found
HKLM\Software\Classes\CLSID\{2f23ab71-4ac6-41f2-a955-ea576e553146} => not found
SearchScopes: HKU\S-1-5-21-507921405-1284227242-1417001333-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04122018063543796 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = => Error: No automatic fix found for this entry.
SearchScopes: HKU\S-1-5-21-507921405-1284227242-1417001333-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04122018063543796 -> {2f23ab71-4ac6-41f2-a955-ea576e553146} URL = => Error: No automatic fix found for this entry.
SearchScopes: HKU\S-1-5-21-507921405-1284227242-1417001333-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04122018063638609 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = => Error: No automatic fix found for this entry.
SearchScopes: HKU\S-1-5-21-507921405-1284227242-1417001333-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04122018063638609 -> {2f23ab71-4ac6-41f2-a955-ea576e553146} URL = => Error: No automatic fix found for this entry.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} => not found
HKLM\Software\Classes\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} => not found
HKLM\Software\MozillaPlugins\Adobe Reader => not found
"C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll" => not found
HKLM\SOFTWARE\Google\Chrome\Extensions\eofcbnmajmjmplflapaojjnihcjkigck => not found
HKLM\SOFTWARE\Google\Chrome\Extensions\gomekmidlodglbbmalcneegieacbdmki => not found
CustomCLSID: HKU\S-1-5-21-507921405-1284227242-1417001333-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04122018063543796_Classes\CLSID\{004B49B7-11B9-5058-AA22-08DD0A3ADC4B}\InprocServer32 -> {1874A415-9468-D082-4334-05E985889A47} => No File => Error: No automatic fix found for this entry.
CustomCLSID: HKU\S-1-5-21-507921405-1284227242-1417001333-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04122018063543796_Classes\CLSID\{DD0822AA-3A0A-4BDC-B749-4B00B9115850}\InprocServer32 -> {55F8EFAD-9468-D082-FB7F-89A485889A47} => No File => Error: No automatic fix found for this entry.
CustomCLSID: HKU\S-1-5-21-507921405-1284227242-1417001333-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04122018063638609_Classes\CLSID\{004B49B7-11B9-5058-AA22-08DD0A3ADC4B}\InprocServer32 -> {1874A415-9468-D082-4334-05E985889A47} => No File => Error: No automatic fix found for this entry.
CustomCLSID: HKU\S-1-5-21-507921405-1284227242-1417001333-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04122018063638609_Classes\CLSID\{DD0822AA-3A0A-4BDC-B749-4B00B9115850}\InprocServer32 -> {55F8EFAD-9468-D082-FB7F-89A485889A47} => No File => Error: No automatic fix found for this entry.
HKU\S-1-5-21-507921405-1284227242-1417001333-1003_Classes\CLSID\{004B49B7-11B9-5058-AA22-08DD0A3ADC4B} => not found
HKU\S-1-5-21-507921405-1284227242-1417001333-1003_Classes\CLSID\{DD0822AA-3A0A-4BDC-B749-4B00B9115850} => not found
"C:\Documents and Settings\owner\Local Settings\Temp\ccupdate.exe" => not found
"C:\Documents and Settings\owner\Local Settings\Temp\dllnt_dump.dll" => not found
"C:\Documents and Settings\owner\Local Settings\Temp\DoubleClick.exe" => not found
"C:\Documents and Settings\owner\Local Settings\Temp\installer_mi.exe" => not found
"C:\Documents and Settings\owner\Local Settings\Temp\setup.exe" => not found
"C:\Documents and Settings\owner\Local Settings\Temp\sqlite3.dll" => not found
"C:\Documents and Settings\owner\Local Settings\Temp\SystemHealer.exe" => not found
"C:\Documents and Settings\owner\Local Settings\Temp\zdj.exe" => not found
"C:\Documents and Settings\owner\Local Settings\Temp\dllnt_dump.dll" => not found
"AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMPDCCB2FA [306]" => "AlternateDataStreams: C:\Documents and Settings\All Users\Application Data\TEMPDCCB2FA [306]" ADS not found.
HKU\S-1-5-19-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04122018063528750\Control Panel\Desktop\\Wallpaper -> (None) => Error: No automatic fix found for this entry.
HKU\S-1-5-19-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04122018063637687\Control Panel\Desktop\\Wallpaper -> (None) => Error: No automatic fix found for this entry.
HKU\S-1-5-20-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04122018063539718\Control Panel\Desktop\\Wallpaper -> (None) => Error: No automatic fix found for this entry.
HKU\S-1-5-20-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04122018063638125\Control Panel\Desktop\\Wallpaper -> (None) => Error: No automatic fix found for this entry.
HKU\S-1-5-19-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04122018063528750\Control Panel\Desktop\\Wallpaper -> (None) => Error: No automatic fix found for this entry.
HKU\S-1-5-19-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04122018063637687\Control Panel\Desktop\\Wallpaper -> (None) => Error: No automatic fix found for this entry.
HKU\S-1-5-20-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04122018063539718\Control Panel\Desktop\\Wallpaper -> (None) => Error: No automatic fix found for this entry.
HKU\S-1-5-20-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04122018063638125\Control Panel\Desktop\\Wallpaper -> (None) => Error: No automatic fix found for this entry.
HKU\S-1-5-21-507921405-1284227242-1417001333-1003\Control Panel\Desktop\\Wallpaper -> C:\WINDOWS\web\wallpaper\Bliss.bmp => Error: No automatic fix found for this entry.
HKU\S-1-5-21-507921405-1284227242-1417001333-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04122018063543796\Control Panel\Desktop\\Wallpaper -> C:\WINDOWS\web\wallpaper\Bliss.bmp => Error: No automatic fix found for this entry.
HKU\S-1-5-21-507921405-1284227242-1417001333-1003-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04122018063638609\Control Panel\Desktop\\Wallpaper -> C:\WINDOWS\web\wallpaper\Bliss.bmp => Error: No automatic fix found for this entry.
HKU\S-1-5-21-507921405-1284227242-1417001333-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04122018063621187\Control Panel\Desktop\\Wallpaper -> (None) => Error: No automatic fix found for this entry.
HKU\S-1-5-21-507921405-1284227242-1417001333-500-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04122018063652656\Control Panel\Desktop\\Wallpaper -> (None) => Error: No automatic fix found for this entry.
HKLM\Software\Classes\regfile\shell\open\command\\Default => value restored successfully
HKLM\Software\Classes\batfile\shell\open\command\\Default => value restored successfully
HKLM\Software\Classes\cmdfile\shell\open\command\\Default => value restored successfully
"C:\Documents and Settings\owner\.bmp" => not found
"C:\Documents and Settings\owner\mp" => not found
"C:\Documents and Settings\owner\Local Settings\Application Data\.bmp" => not found
"C:\Documents and Settings\owner\Local Settings\Application Data\mp" => not found
"C:\Documents and Settings\owner\Local Settings\Application Data\.bmp" => not found
"C:\Documents and Settings\owner\Local Settings\Application Data\mp" => not found
"C:\Documents and Settings\owner\My Documents\hamsanada.bmp" => not found
"C:\Documents and Settings\owner\My Documents\skandamanorama.bmp" => not found
"C:\Program Files\NYqasgsZY.exe" => not found

========= ipconfig /flushdns =========



Windows IP Configuration



Successfully flushed the DNS Resolver Cache.


========= End of CMD: =========


=========== EmptyTemp: ==========

BITS transfer queue => 9773 B
DOMStoree, IE Recovery, AppCache, Feeds Cache, Thumbcache => 0 B
Java, Flash, Steam htmlcache => 1066 B
Windows/system/dllcache/drivers => 15216 B
Edge => 0 B
Chrome => 0 B
Firefox => 91825611 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Documents and Settings => 0 B
Default User => 0 B
All Users => 0 B
systemprofile => 0 B
LocalService => 424 B
NetworkService => 648154 B
owner => 74746139 B
Administrator => 66228 B

RecycleBin => 220898 B
EmptyTemp: => 159.8 MB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 11:40:03 ====
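Two things in this Fixlog are worth automating when triaging FRST output: the Run value with an odd name that launched a .bat from Local Settings\Application Data (which FRST flagged, and which had already gone by the time the fix ran), and the regfile/batfile/cmdfile open commands that FRST restored. The Python below is an added example written for this page; it is not FRST code and not something either participant posted. It parses those two FRST line formats and applies the two checks. The sample lines are copied from the log above, except for one constructed exefile line, and the expected open-command defaults are the stock Windows XP values as assumed here.

```python
"""Triage of FRST autorun and file-association lines.

Added example for this thread; it is not part of FRST, nor code posted by
either participant. SAMPLE_LINES are copied from the Fixlog above (plus one
constructed 'exefile' line so the clean path is exercised). The
EXPECTED_OPEN_COMMANDS baseline is the stock Windows XP default as assumed by
the author of this example; adjust it for the system you are triaging.
"""
import re

# Assumption: stock XP SP3 defaults for the "open" verb of these file types.
EXPECTED_OPEN_COMMANDS = {
    "exefile": '"%1" %*',
    "batfile": '"%1" %*',
    "cmdfile": '"%1" %*',
    "regfile": 'regedit.exe "%1"',
}

# A Run value whose target is a script, or that lives under the user profile,
# is worth a look. The value-name check mirrors FRST's "invalid characters"
# warning; the registry itself accepts such names, so this is a heuristic.
SCRIPT_EXTENSIONS = (".bat", ".cmd", ".vbs", ".js", ".wsf", ".ps1")
USER_WRITABLE_MARKERS = ("\\local settings\\", "\\application data\\", "\\temp\\", "\\appdata\\")
SANE_VALUE_NAME = re.compile(r"[\w .\-()]+")

SAMPLE_LINES = [
    r'HKU\S-1-5-21-507921405-1284227242-1417001333-1003\...\Run: [*rrzwvnyvrr<*>] => "C:\Documents and Settings\owner\Local Settings\Application Data\f003ad\9595f3.bat" <==== ATTENTION (Value Name with invalid characters)',
    r'HKU\S-1-5-21-507921405-1284227242-1417001333-1003\...\Run: [Adobe Reader Synchronizer] => C:\Program Files\Adobe\Reader 11.0\Reader\AdobeCollabSync.exe [746376 2014-05-08] (Adobe Systems Incorporated)',
    r'HKLM\...\regfile\shell\open\command: C:\WINDOWS\REGEDIT.EXE /M "%L" <==== ATTENTION',
    r'HKLM\...\batfile\shell\open\command: C:\WINDOWS\system32\CMD.EXE /C Call "%L" %* <==== ATTENTION',
    r'HKLM\...\cmdfile\shell\open\command: C:\WINDOWS\system32\CMD.EXE /C Call "%L" %* <==== ATTENTION',
    r'HKLM\...\exefile\shell\open\command: "%1" %*',  # constructed: a clean entry
]


def parse_run_line(line):
    """Return (value_name, target_path) for an FRST 'Run:' line, else None."""
    m = re.search(r"\\Run:\s+\[(.*?)\]\s+=>\s+(.*)$", line)
    if not m:
        return None
    name, rest = m.group(1), m.group(2).strip()
    if rest.startswith('"'):                      # quoted target: take what is inside the quotes
        target = rest[1:rest.index('"', 1)]
    else:                                         # unquoted: stop at FRST's "[size date]" or marker
        target = re.split(r"\s+\[|\s+<====", rest, maxsplit=1)[0]
    return name, target


def assess_run_entry(name, target):
    """Reasons an autorun entry deserves attention (empty list = looks ordinary)."""
    reasons = []
    if not SANE_VALUE_NAME.fullmatch(name):
        reasons.append("value name contains unusual characters")
    low = target.lower()
    if low.endswith(SCRIPT_EXTENSIONS):
        reasons.append("target is a script rather than an executable")
    if any(marker in low for marker in USER_WRITABLE_MARKERS):
        reasons.append("target lives in a user-writable profile directory")
    return reasons


def parse_assoc_line(line):
    """Return (file_type, open_command) for an FRST 'shell\\open\\command:' line, else None."""
    m = re.search(r"\\(\w+)\\shell\\open\\command:\s+(.*?)\s*(?:<====.*)?$", line)
    return (m.group(1), m.group(2)) if m else None


def assess_open_command(ftype, command):
    """Return the expected default when `command` deviates from it, else None."""
    expected = EXPECTED_OPEN_COMMANDS.get(ftype)
    if expected is None or command.strip().lower() == expected.lower():
        return None
    return expected


def triage(lines):
    """Run both checks over FRST lines; returns findings keyed by category."""
    findings = {"suspicious_autoruns": [], "hijacked_associations": []}
    for line in lines:
        run = parse_run_line(line)
        if run:
            reasons = assess_run_entry(*run)
            if reasons:
                findings["suspicious_autoruns"].append((run[0], run[1], reasons))
            continue
        assoc = parse_assoc_line(line)
        if assoc:
            expected = assess_open_command(*assoc)
            if expected:
                findings["hijacked_associations"].append((assoc[0], assoc[1], expected))
    return findings


if __name__ == "__main__":
    for category, items in triage(SAMPLE_LINES).items():
        print(category)
        for item in items:
            print("  ", item)
```

Feed it the whole Fixlog (or an FRST.txt) with `triage(open(path, encoding="utf-8", errors="replace").read().splitlines())`. The association check is the one to keep around: a batfile or cmdfile open command that routes through `CMD.EXE /C Call` means every script the user double-clicks runs through whatever the attacker put there, and the default is the only value that should be present.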
#18  olgun52 (Malware Removal Team; joined Feb 2014; 1,950 posts; O/S: Windows 10 Pro; Location: Europa)  April 16th, 2018, 07:19 PM
Okay.

Please now do this following.

Step1:
Please download AdwCleaner by Xplode onto your desktop.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan, then Clean.
  • A logfile will automatically open after the scan has finished.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.
Step2:
Please download Malwarebytes Anti-Malware from here
  • Right-click on the MBAM icon and select Run as administrator to run the tool.
  • Click Yes to accept any security warnings that may appear.
  • Once the MBAM dashboard opens, on the right detail pane click on the word "Current" under the Scan Status to update the tool database.
  • On the left menu pane click the Settings tab, and then select the Protection tab on the top.
  • Under the Scan Options, turn on the button Scan for rootkits and Scan within archives.
  • Click the Scan tab on the right detail pane, select Threat Scan and click the Start Scan button.
  • Note: The scan may take some time to finish, so please be patient.
  • If potential threats are detected, ensure to checkmark all the listed items, and click the Quarantine Selected button.
  • While still on the Scan tab, click the View Report button, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log can also be viewed by clicking the log to select it, then clicking the View Report button.
Please post the log for my review.

If asked to restart the computer, please do so immediately.
#19  luzchurch (Senior Member; joined Nov 2004; 333 posts)  April 19th, 2018, 03:43 PM
I ran into problems here. The Malwarebytes program worked OK but found no infected files. As such no report was generated.
When I tried to run the adware cleaner, it asked for some missing DLL file, which I found on my laptop and pasted into the same folder. Then this message appeared in the dialog box:
The procedure entry point _except_handler4_common could not be located in the dynamic link library mvcrt.dll
Any suggestions? Thanks.
#20  olgun52 (Malware Removal Team; joined Feb 2014; 1,950 posts; O/S: Windows 10 Pro; Location: Europa)  April 20th, 2018, 11:03 AM
Quote (originally posted by luzchurch):
I ran into problems here. The Malwarebytes program worked OK but found no infected files. As such no report was generated.
When I tried to run the adware cleaner, it asked for some missing DLL file, which I found on my laptop and pasted into the same folder. Then this message appeared in the dialog box:
The procedure entry point _except_handler4_common could not be located in the dynamic link library mvcrt.dll
Any suggestions? Thanks.
The main reason for these errors is a software problem: runtime components of the Visual C++ libraries are missing.

Your platform: Microsoft Windows XP Professional Service Pack 3 (X86)

Your operating system has not been supported by Microsoft for a very long time now.

I would suggest you try the steps provided below and see if it helps. Check if the issue gets fixed.


Please download and install it. Perform the operations as administrator.

Microsoft Visual C++ 2008 Redistributable Package (x86)

https://www.microsoft.com/en-us/down...ylang=en&id=29
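The loader message quoted above (presumably naming msvcrt.dll, given the symbol) says that the library the loader found does not export _except_handler4_common. msvcrt.dll is the operating system's own C runtime rather than part of a Visual C++ redistributable, and the Windows XP build of it lacks that export, which is why a program built against a newer CRT fails this way on XP and why a redistributable package does not supply it. Copying a DLL from another machine next to a tool replaces a system component with a foreign one and is best avoided; the question to answer first is which exports the library on the box really has. The snippet below is an added example, not code from the forum or from AdwCleaner: it loads a library the same way the loader would and asks it for the symbols. The symbol names are illustrative, not AdwCleaner's import list.

```python
"""Check whether a shared library actually exports the symbols a program needs.

Added example for this thread, not code from the forum or from AdwCleaner.
Loading a library runs its initialisation code (DllMain on Windows), exactly
as the loader would, so only point this at a library you already trust.
"""
import ctypes
import ctypes.util
import sys

# On Windows the interesting library is the system CRT the loader resolves;
# elsewhere the C library found by ctypes stands in for the demonstration
# (None makes ctypes look in the running process, which links libc anyway).
DEMO_LIBRARY = "msvcrt.dll" if sys.platform == "win32" else ctypes.util.find_library("c")


def has_export(library, symbol):
    """True if `library` (path or name; None = the running process) loads and resolves `symbol`."""
    try:
        handle = ctypes.CDLL(library)
    except OSError:                      # library not found or not loadable
        return False
    return hasattr(handle, symbol)       # ctypes raises AttributeError for an unknown export


def missing_exports(library, symbols):
    """Subset of `symbols` that `library` does not provide, in the order given."""
    return [s for s in symbols if not has_export(library, s)]


if __name__ == "__main__":
    # Illustrative symbols: one every C runtime has, one that XP's msvcrt.dll lacks.
    wanted = ["printf", "_except_handler4_common"]
    print(DEMO_LIBRARY, "is missing:", missing_exports(DEMO_LIBRARY, wanted))
```

For a static answer that does not execute anything, `dumpbin /exports msvcrt.dll` (Visual Studio) or parsing the PE export directory gives the same list; the dynamic check above is the quick version when you already trust the file.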
#21  luzchurch (Senior Member; joined Nov 2004; 333 posts)  April 23rd, 2018, 03:35 PM
I did download the Visual C program but it did not make any difference. I still get the same message.
But I found out something. The TIFF or BMP files that got corrupted with the Panda viewer designation can be saved as JPG files, and the problem disappears. Maybe this will give you a clue as to the problem. Thanks.
#22  olgun52 (Malware Removal Team; joined Feb 2014; 1,950 posts; O/S: Windows 10 Pro; Location: Europa)  April 23rd, 2018, 08:11 PM
Thanks.

Please do this;

Please download Malwarebytes Anti-Rootkit and save it to your desktop.
  • Be sure to print out and follow the instructions provided on that same page.
  • Caution: This is a beta version so please be sure to read the disclaimer and back up all your data before using.
  • Double click on downloaded file. OK self extracting prompt.
  • MBAR will start. Click in the introduction screen "next" to continue.
  • Click in the following screen "Update" to obtain the latest malware definitions.
  • Once the update is complete select "Next" and click "Scan".
With some infections, you may see two message boxes.
  • 'Could not load protection driver'. Click 'OK'.
  • 'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.
  • If malware is found - do not press the Clean up button, please go to the MBAR folder and then copy/paste the contents of the MBAR-log-***.txt file to your next reply.
  • If there is no malware found, please let me know as well.
------------------------------------------------------------------


Run RogueKiller

IMPORTANT: Please remove any usb or external drives from the computer before you run this scan!

Close all running programs.


Download RogueKiller to your desktop
  • close all running programs
  • for Windows Vista/Seven, right click -> run as administrator, for XP simply double-click on RogueKiller.exe
  • when the pre-scan is finished, click on Scan
  • click on Report and copy/paste the content in your next post
  • NOTE: DO NOT attempt to remove anything that the scan detects; not everything that is reported is necessarily bad.
If the program is blocked, continue to try it several times. If it still doesn't work (it could happen), rename it to winlogon.exe.

Please post the contents of the RKreport.txt in your next reply.
#23  luzchurch (Senior Member; joined Nov 2004; 333 posts)  April 23rd, 2018, 11:15 PM
After downloading the Rootkit program and starting it I got the following message.
Registry value "appinit_dlls" has been found, which may be caused by rootkit activity.
Note: Press "No" button if you are not sure. If the tool crashes or terminates unexpectedly
during a system scan, restart the tool and press "yes" should the message appear again.
Do you want to remove this value and restart this tool?
Please let me know how to proceed. Thanks.
#24  olgun52 (Malware Removal Team; joined Feb 2014; 1,950 posts; O/S: Windows 10 Pro; Location: Europa)  April 24th, 2018, 06:50 PM
It may be due to your operating system. Please try running the RogueKiller software.

Thanks.
#25  luzchurch (Senior Member; joined Nov 2004; 333 posts)  April 25th, 2018, 11:34 PM
I managed to run the mbr rootkit program. It did not detect any malware and thus no log was generated.
I tried to run Roguekiller but it crashed partway. I am trying it again right now. Will post results if successful. Thanks.
#26  olgun52 (Malware Removal Team; joined Feb 2014; 1,950 posts; O/S: Windows 10 Pro; Location: Europa)  April 26th, 2018, 08:10 PM
Okay, I'm waiting.
#27  luzchurch (Senior Member; joined Nov 2004; 333 posts)  April 30th, 2018, 02:09 AM
After several unsuccessful tries in normal mode, I finally decided to try it in Safe mode, and it completed the scan. Here is the report:

RogueKiller V12.12.14.0 [Apr 23 2018] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : https://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Safe mode with network support
User : owner [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller.exe
Mode : Scan -- Date : 04/29/2018 18:09:19 (Duration : 00:50:58)

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 0 ¤¤¤

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Not loaded [0x10000]) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: Maxtor 6 L200M0 SCSI Disk Device +++++
--- User ---
[MBR] 8bf10940d76a4e4ec9dbd46d93a4b504
[BSP] 7d81f1c13b9fa0a2d72c1b5127fa4100 : Windows XP|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 190779 MB [Windows XP Bootstrap | Windows XP Bootloader]
User = LL1 ... OK
Error reading LL2 MBR! ([1] Incorrect function. )

+++++ PhysicalDrive1: WD My Passport 0748 USB Device +++++
--- User ---
[MBR] 776e87a203aeefe2d86d56a47a088720
[BSP] 2ba562e10e5e74c74a8429d4055f38e2 : Empty|VT.Unknown MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 1430766 MB [Windows XP Bootstrap | Windows XP Bootloader]
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive2: Generic- Multi-Card USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )
#28  olgun52 (Malware Removal Team; joined Feb 2014; 1,950 posts; O/S: Windows 10 Pro; Location: Europa)  May 1st, 2018, 05:03 PM
Thanks.

Please now, do this;

Please run RKill and ComboFix in Safe Mode.
  • Now download RKill.exe (or RKill renamed as iExplore.exe if the first one doesn't work properly) and save it to your desktop
  • Restart your computer in Safe Mode
  • Double click the icon on RKill (or iExplore).
  • A black DOS screen should flash and disappear. If not, try to launch the program with the second file. If neither works please stop and let me know
  • When RKill is finished running you will be presented with a text file and a copy will be saved on your desktop. Copy and paste the contents of this report in your reply
  • Do not reboot your computer
----------

Next, download ComboFix and save it to the Desktop
  • Get help here
  • Now, close all open windows
  • Double-click combofix.exe to run the program
  • Follow the prompts.
  • If the option is offered, it is in your best interest to allow the download and install of the Recovery Console when prompted.
  • When told that the RC is installed correctly, press YES to continue scanning for malware.
  • ComboFix will run. Please don't click on the window while the program is running, it may cause your system to stall.
  • CF may reboot the computer and resume running when it restarts.
  • When finished, a log, ComboFix.txt, is produced.
Please provide the contents of the ComboFix report in your reply.

In your next post I need the following
  • Reports from Combofix and rkill.
Sincerely
#29  luzchurch (Senior Member; joined Nov 2004; 333 posts)  May 2nd, 2018, 01:19 AM
Report from rkill scan:

Rkill 2.9.1 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2018 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 05/01/2018 06:16:00 PM in x86 mode.
Windows Version: Microsoft Windows XP Service Pack 3

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* Schedule Stopped. [PUP/GEN]

1 service stopped!

Checking for processes to terminate:

* C:\WINDOWS\system32\dxconfig.exe (PID: 2068) [WD-HEUR]
* C:\WINDOWS\system32\dxconfig.exe (PID: 2420) [WD-HEUR]

2 proccesses terminated!

Checking Registry for malware related settings:

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* No issues found.

Searching for Missing Digital Signatures:

* No issues found.

Checking HOSTS File:

* HOSTS file entries found:

127.0.0.1 localhost

Program finished at: 05/01/2018 06:20:49 PM
Execution time: 0 hours(s), 4 minute(s), and 53 seconds(s)
#30  luzchurch (Senior Member; joined Nov 2004; 333 posts)  May 2nd, 2018, 05:00 PM
When I try to run the ComboFix program, partway through I get a message saying I have two antivirus programs (Security Essentials and Avast) running. But in one of your previous posts you had advised me to delete all antivirus programs except one, and I did delete Avast. I looked in the Control Panel but Avast is not listed. I did a search for Avast but nothing showed up. Then why is this message asking me to disable Avast? The message also warns that I am taking a risk if I continue without disabling the antivirus. Please advise. Thanks.
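The symptom in this last post, a product gone from Add or Remove Programs yet still reported as a running antivirus, is typical of a stale entry in the WMI Security Center repository, which is what Windows itself consults to list installed antivirus products and, as assumed here, what the tool's warning is built on. On XP the AntiVirusProduct class lives in root\SecurityCenter; Vista and later use root\SecurityCenter2. The Python below is an added example, not ComboFix code and not from the thread: it queries the namespaces through wmic, parses the CSV output, and compares the registrations against the names of installed programs. The embedded wmic output and the GUIDs in it are constructed sample data.

```python
"""Registered antivirus products as Windows Security Center sees them.

Added example for this thread, not ComboFix's code and not from the forum.
Assumption: the tool's "two antivirus programs" warning is driven by the WMI
Security Center repository, where a product can stay registered after its
uninstaller has run. SAMPLE_WMIC_OUTPUT and its GUIDs are constructed.
"""
import csv
import io
import re
import subprocess
from types import SimpleNamespace

NAMESPACES = (r"\\root\SecurityCenter2", r"\\root\SecurityCenter")  # Vista+ first, then XP
COLUMNS = "displayName,instanceGuid"  # properties AntiVirusProduct has in both namespaces

# What "wmic ... get displayName,instanceGuid /format:csv" prints on an XP box that still
# carries a registration for an uninstalled product. Constructed sample; placeholder GUIDs.
SAMPLE_WMIC_OUTPUT = (
    "\r\n"
    "Node,displayName,instanceGuid\r\r\n"
    "OWNER-PC,avast! Antivirus,{00000000-0000-0000-0000-000000000001}\r\r\n"
    "OWNER-PC,Microsoft Security Essentials,{00000000-0000-0000-0000-000000000002}\r\r\n"
)


def parse_wmic_csv(text):
    """wmic's CSV has a leading blank line and \\r\\r\\n endings; normalise, then parse."""
    rows = [line.strip() for line in text.splitlines() if line.strip()]
    reader = csv.DictReader(io.StringIO("\n".join(rows)))
    return [{k: v for k, v in row.items() if k != "Node"} for row in reader]


def query_namespace(namespace, run=subprocess.run):
    """Products registered under one namespace, or None if it cannot be queried."""
    cmd = ["wmic", "/namespace:" + namespace, "path", "AntiVirusProduct",
           "get", COLUMNS, "/format:csv"]
    try:
        proc = run(cmd, capture_output=True, check=False)
    except FileNotFoundError:        # not Windows, or wmic not present
        return None
    if proc.returncode != 0:         # e.g. "Invalid namespace": SecurityCenter2 on XP
        return None
    raw = proc.stdout                # wmic writes UTF-16 when redirected; tolerate either
    text = raw.decode("utf-16") if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else raw.decode(errors="replace")
    return parse_wmic_csv(text)


def registered_av_products(run=subprocess.run):
    """(namespace, products) for the first namespace that answers; (None, []) if none does."""
    for namespace in NAMESPACES:
        products = query_namespace(namespace, run)
        if products is not None:
            return namespace, products
    return None, []


def _tokens(name):
    return set(re.findall(r"[a-z0-9]+", name.lower()))


def stale_registrations(products, installed_names):
    """Registrations whose display name matches none of `installed_names`.

    `installed_names` is what Add or Remove Programs lists (the Uninstall registry
    keys); it is passed in so the comparison runs anywhere. Two names match when
    they share at least two words (or every word of a one-word name), which
    tolerates "avast! Antivirus" against "Avast Free Antivirus".
    """
    installed = [_tokens(n) for n in installed_names]
    stale = []
    for product in products:
        mine = _tokens(product["displayName"])
        needed = min(2, len(mine))
        if not any(len(mine & other) >= needed for other in installed):
            stale.append(product)
    return stale


def simulated_xp_wmic(cmd, **kwargs):
    """Stand-in for subprocess.run on an XP machine, so the example runs offline."""
    namespace = cmd[1].split(":", 1)[1]
    if namespace.lower().endswith("securitycenter2"):
        return SimpleNamespace(returncode=1, stdout=b"", stderr=b"Invalid namespace")
    return SimpleNamespace(returncode=0, stdout=SAMPLE_WMIC_OUTPUT.encode("utf-16"), stderr=b"")


if __name__ == "__main__":
    namespace, products = registered_av_products(run=simulated_xp_wmic)  # drop run= on a real box
    print("answering namespace:", namespace)
    for product in stale_registrations(products, ["Microsoft Security Essentials", "Mozilla Firefox"]):
        print("registered but not installed:", product["displayName"], product["instanceGuid"])
```

On the affected machine, call `registered_av_products()` without the `run=` override and pass the display names read from the Uninstall keys. If a registration is confirmed stale, the vendor's dedicated removal utility is the first resort, since it also cleans drivers and services; deleting the instance directly with `wmic /namespace:\\root\SecurityCenter path AntiVirusProduct where "displayName='avast! Antivirus'" delete` is the last.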