Zeus Virus Alert

Discussion in 'Malware Removal' started by quartet-man, Oct 10, 2017.

  1. quartet-man

    quartet-man Saved by grace

    Joined:
    Sep 13, 2002
    Messages:
    2,458
    Location:
    Indiana
    I did a Google search about a new actress on a show I watch. I was reading an article about her and I had a window pop up in a Firefox tab that was read out in computer voice saying I was infected. I didn't have to use the tech manager and just closed the tab.

    I took a screenshot of the warning. The text of the warning was: RDN/Yahlover.worm!055BCCAC9FEC Infection **Zeus Virus Dectected - YOUR COMPUTER HAS BEEN BLOCKED ** Error: Virus - Trojan Backdoor Hijack #365838d7f8a4fa5 Then lists my IP address and browser and then says: Please do not ignore this safety alert. Your Microsoft Has been compromised. If you call this page before calling us, your computer access will be disabled to prevent further damage and your data from being stolen.

    I updated Avast and Malwarebytes and am doing a full Avast scan, but it is stuck on 0% right now. I downloaded FRST and will do that scan when or if the Avast scan runs. BTW, I tried doing the scan in Safe Mode and the GUI wouldn't open up.
     
  2. Broni

    Broni Malware Annihilator Staff Member

    Joined:
    Jan 20, 2015
    Messages:
    651
    Location:
    Daly City, CA
    Go ahead with FRST.

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer's behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
     
  3. quartet-man

    quartet-man Saved by grace

    Joined:
    Sep 13, 2002
    Messages:
    2,458
    Location:
    Indiana
    The full Avast came up clean.
     


  4. Broni

    Broni Malware Annihilator Staff Member

    Joined:
    Jan 20, 2015
    Messages:
    651
    Location:
    Daly City, CA
    You need to re-run FRST.
    It has to be done from an administrative account.

     
  5. quartet-man

    quartet-man Saved by grace

    Joined:
    Sep 13, 2002
    Messages:
    2,458
    Location:
    Indiana
    I just changed my Surf profile to Admin; I had to reboot to get one of the 2 to show up as admin.
     


  6. Broni

    Broni Malware Annihilator Staff Member

    Joined:
    Jan 20, 2015
    Messages:
    651
    Location:
    Daly City, CA
    Both logs look pretty clean, so I'm assuming it was just a fake warning, but let's run a couple more checks to make sure.

    Download RogueKiller from one of the following links and save it to your Desktop:

    Link 1
    Link 2
    • Close all the running programs.
    • Double-click on the downloaded setup.exe file to install the program.
    • Click on the Start Scan button.
    • Click on the other Start Scan button.
    • Wait until the Status box shows Scan Finished.
    • Click on Remove Selected.
    • Wait until the Status box shows Deleting Finished.
    • Click on Report and copy/paste the content of the Notepad into your next reply.
    • RKreport.txt can also be found on your desktop.
    • If more than one log is produced, post all logs.
    Please download Malwarebytes to your desktop.
    • Double-click mb3-setup-consumer-{version}.exe and follow the prompts to install the program.
    • Then click Finish.
    • Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
    • If another update of the definitions is available, it will be implemented before the rest of the scanning procedure.
    • When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
    • Restart your computer when prompted to do so.
    • The Scan log is available through History -> Application logs. Please post its contents in your next reply.
    Please download AdwCleaner by Xplode and save it to your Desktop.
    • Double-click on AdwCleaner.exe to run the tool.
      Vista/Windows 7/8/10 users right-click and select Run As Administrator.
    • The tool will start to update the database if one is required.
    • Click on the Scan button.
    • AdwCleaner will begin...be patient as the scan may take some time to complete.
    • After the scan has finished, click on the Logfile button.
    • A window will open which lists the logs of your scans.
    • Click on the Scan tab.
    • Double-click the most recent scan, which will be at the top of the list....the log will appear.
    • Review the results...see note below.
    • After reviewing the log, click on the Clean button.
    • Press OK when asked to close all programs and follow the onscreen prompts.
    • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
    • After rebooting, a logfile report (AdwCleaner[CX].txt) will open automatically (where the largest value of X represents the most recent report).
    • To open a Cleaning log, launch AdwCleaner, click on the Logfile button, click on the Cleaning tab and double-click the log at the top of the list.
    • Copy and paste the contents of AdwCleaner[CX].txt in your next reply.
    • A copy of all logfiles is saved to C:\AdwCleaner.
    -- Note: The contents of the AdwCleaner log file may be confusing. Unless you see a program name or entry that you recognize and know should not be removed, don't worry about it. If you see an entry you want to keep, return to AdwCleaner before cleaning...all detected items will be listed (and checked) in each tab. Click on and uncheck any items you want to keep.


    Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Post the contents of JRT.txt into your next message.
     
  7. quartet-man

    quartet-man Saved by grace

    Joined:
    Sep 13, 2002
    Messages:
    2,458
    Location:
    Indiana
    I will try to attach the logs later, but I ran RogueKiller, my paid version of Malwarebytes, and AdwCleaner. I didn't realize the last was going to remove an entire folder and its contents. I tried doing a few system restores to retrieve it and it didn't help, since it was in a documents folder (was a sub folder). But I have since found the presumed previous contents of the folder in quarantine. I don't really see a lot of those (if any) being accurate as I originated some of them. Does it delete a folder and then quarantine the contents of that previous folder? Would I be wrong to make a new folder and take them out (restore)? Even if I had to put them on an external (which I was probably going to do anyhow). But that raises the question of how to know if they are infected, or if there is a way to clean them. I would have to look more closely, but some might have been from online, but I would have likely scanned them with AV and Malwarebytes when I got them.
    I haven't proceeded with the JRT yet until I see what to do first about the above.
     
  8. Broni

    Broni Malware Annihilator Staff Member

    Joined:
    Jan 20, 2015
    Messages:
    651
    Location:
    Daly City, CA
    System Restore will never restore files.
    You can, however, restore deleted files from the quarantine folder.
    Security programs will always make some mistakes, so it's always a good idea to have a fresh backup.
    If you're sure some of those files are safe, move them to some other location like an external hard drive.
    If there are others you're not sure about, you can always upload them here: VirusTotal for an additional check.
     
  9. quartet-man

    quartet-man Saved by grace

    Joined:
    Sep 13, 2002
    Messages:
    2,458
    Location:
    Indiana
    I intend to get a jump drive exclusively for those files and try to process them as I can. There are several (some transferred from a phone, web pages, pics, documents, music etc.). I went ahead and did the JRT scan. I had unplugged my cat5 cable because of the AV and Malwarebytes real protection being off, but noticed after that it had looked for an update. I plugged the cable back in and scanned again and it found nothing else. I am going to put the scans I had already completed and those here.


    RogueKiller V12.11.19.0 (x64) [Oct 9 2017] (Free) by Adlice Software
    mail : Contact - Adlice Software
    Feedback : Adlice forum - Home
    Website : RogueKiller Anti-Malware Free Download - Official Website
    Blog : Adlice Software - The Best Security Software, for FREE

    Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User : Surf [Administrator]
    Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
    Mode : Delete -- Date : 10/11/2017 23:47:49 (Duration : 00:47:19)
    Switches : -refid

    ¤¤¤ Processes : 0 ¤¤¤

    ¤¤¤ Registry : 5 ¤¤¤
    [PUP.Gen0] (X64) HKEY_CLASSES_ROOT\CLSID\{83FF80F4-8C74-4b80-B5BA-C8DDD434E5C4} (C:\ProgramData\Partner\Partner64.dll) -> Deleted
    [PUP.Gen0] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{83FF80F4-8C74-4b80-B5BA-C8DDD434E5C4} (C:\ProgramData\Partner\Partner64.dll) -> Deleted
    [PUP.Gen0] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{83FF80F4-8C74-4b80-B5BA-C8DDD434E5C4} (C:\ProgramData\Partner\Partner64.dll) -> Deleted
    [PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-145765864-2241906376-2109070276-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> Replaced (1)
    [PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-145765864-2241906376-2109070276-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0 -> Replaced (1)

    ¤¤¤ Tasks : 0 ¤¤¤

    ¤¤¤ Files : 3 ¤¤¤
    [PUP.Gen1][Folder] C:\ProgramData\Partner -> Deleted
    [PUP.Gen1][File] C:\ProgramData\Partner\debug.log -> Deleted
    [PUP.Gen1][File] C:\ProgramData\Partner\Partner.dll -> Deleted
    [PUP.Gen1][File] C:\ProgramData\Partner\Partner.exe -> Deleted
    [PUP.Gen1][File] C:\ProgramData\Partner\Partner64.dll -> Deleted
    [PUP.Gen1][Folder] C:\ProgramData\Partner -> ERROR [3]
    [PUP.PCCleaner][Folder] C:\Program Files (x86)\Pro PC Cleaner -> Deleted
    [PUP.PCCleaner][File] C:\Program Files (x86)\Pro PC Cleaner\Microsoft.Deployment.WindowsInstaller.xml -> Deleted
    [PUP.PCCleaner][File] C:\Program Files (x86)\Pro PC Cleaner\Microsoft.Win32.TaskScheduler.xml -> Deleted

    ¤¤¤ WMI : 0 ¤¤¤

    ¤¤¤ Hosts File : 0 ¤¤¤

    ¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

    ¤¤¤ Web browsers : 1 ¤¤¤
    [PUM.HomePage][Chrome:Config] Default [SecurePrefs] : session.startup_urls [Google] -> Deleted

    ¤¤¤ MBR Check : ¤¤¤
    +++++ PhysicalDrive0: ST320LT020-9YG142 +++++
    --- User ---
    [MBR] 1c4af7885096d64c1036aa54fed96636
    [BSP] 41e372c24d48de58343f6a93832eb803 : Lenovo|VT.Unknown MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 1500 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
    1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 3074048 | Size: 285743 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
    2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 588275712 | Size: 18000 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
    User = LL1 ... OK
    User = LL2 ... OK




    Malwarebytes
    www.malwarebytes.com

    -Log Details-
    Scan Date: 10/12/17
    Scan Time: 12:46 AM
    Log File: 4a1196fe-af08-11e7-b9cb-5cf370852bd8.json
    Administrator: Yes

    -Software Information-
    Version: 3.2.2.2029
    Components Version: 1.0.212
    Update Package Version: 1.0.2996
    License: Premium

    -System Information-
    OS: Windows 7 Service Pack 1
    CPU: x64
    File System: NTFS
    User: Terry-THINK\Surf

    -Scan Summary-
    Scan Type: Threat Scan
    Result: Completed
    Objects Scanned: 389078
    Threats Detected: 0
    (No malicious items detected)
    Threats Quarantined: 0
    (No malicious items detected)
    Time Elapsed: 24 min, 52 sec

    -Scan Options-
    Memory: Enabled
    Startup: Enabled
    Filesystem: Enabled
    Archives: Enabled
    Rootkits: Enabled
    Heuristics: Enabled
    PUP: Warn
    PUM: Detect

    -Scan Details-
    Process: 0
    (No malicious items detected)

    Module: 0
    (No malicious items detected)

    Registry Key: 0
    (No malicious items detected)

    Registry Value: 0
    (No malicious items detected)

    Registry Data: 0
    (No malicious items detected)

    Data Stream: 0
    (No malicious items detected)

    Folder: 0
    (No malicious items detected)

    File: 0
    (No malicious items detected)

    Physical Sector: 0
    (No malicious items detected)


    (end)

    I'm not sure if the System restore attempts (kept failing until I went into safe mode) did something to the logs or if they do this now, but there are two, but neither with X.

    # AdwCleaner 7.0.3.1 - Logfile created on Thu Oct 12 11:26:40 2017
    # Updated on 2017/29/09 by Malwarebytes
    # Database: 10-11-2017.2
    # Running on Windows 7 Professional (X64)
    # Mode: scan
    # Support: Customer Support & Help Center

    ***** [ Services ] *****

    PUP.Optional.Legacy, Partner Service


    ***** [ Folders ] *****

    Trojan.Bayrob, C:\Users\Surf\Documents\Transfer


    ***** [ Files ] *****

    No malicious files found.

    ***** [ DLL ] *****

    No malicious DLLs found.

    ***** [ WMI ] *****

    No malicious WMI found.

    ***** [ Shortcuts ] *****

    No malicious shortcuts found.

    ***** [ Tasks ] *****

    No malicious tasks found.

    ***** [ Registry ] *****

    PUP.Optional.Legacy, [Key] - HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\azlyrics.com
    PUP.Optional.Legacy, [Key] - HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\cloudfront.net
    PUP.Optional.Legacy, [Key] - HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\d23716qn9q7omq.cloudfront.net
    PUP.Optional.Legacy, [Key] - HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\d3l3lkinz3f56t.cloudfront.net
    PUP.Optional.Legacy, [Key] - HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\www.azlyrics.com
    PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Classes\CLSID\{83FF80F4-8C74-4B80-B5BA-C8DDD434E5C4}
    PUP.Optional.Legacy, [Key] - HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{83FF80F4-8C74-4B80-B5BA-C8DDD434E5C4}
    PUP.Optional.Legacy, [Key] - HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{83FF80F4-8C74-4B80-B5BA-C8DDD434E5C4}
    PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Classes\AppID\{28A88B70-D874-4F73-BBBA-9B2B222FB7D6}
    PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Classes\TypeLib\{86676E13-D6D8-4652-9FCF-F2047F1FB000}
    PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Classes\AppID\kt_bho_dll.dll


    ***** [ Firefox (and derivatives) ] *****

    No malicious Firefox entries.

    ***** [ Chromium (and derivatives) ] *****

    No malicious Chromium entries.

    *************************



    ########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt ##########



    # AdwCleaner 7.0.3.1 - Logfile created on Thu Oct 12 11:43:18 2017
    # Updated on 2017/29/09 by Malwarebytes
    # Running on Windows 7 Professional (X64)
    # Mode: clean
    # Support: Customer Support & Help Center

    ***** [ Services ] *****

    Deleted: Partner Service


    ***** [ Folders ] *****

    Deleted: C:\Users\Surf\Documents\Transfer


    ***** [ Files ] *****

    No malicious files deleted.

    ***** [ DLL ] *****

    No malicious DLLs cleaned.

    ***** [ WMI ] *****

    No malicious WMI cleaned.

    ***** [ Shortcuts ] *****

    No malicious shortcuts cleaned.

    ***** [ Tasks ] *****

    No malicious tasks deleted.

    ***** [ Registry ] *****

    Deleted: [Key] - HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\azlyrics.com
    Deleted: [Key] - HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\cloudfront.net
    Deleted: [Key] - HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\d23716qn9q7omq.cloudfront.net
    Deleted: [Key] - HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\d3l3lkinz3f56t.cloudfront.net
    Deleted: [Key] - HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\www.azlyrics.com
    Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{83FF80F4-8C74-4B80-B5BA-C8DDD434E5C4}
    Deleted: [Key] - HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{83FF80F4-8C74-4B80-B5BA-C8DDD434E5C4}
    Deleted: [Key] - HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{83FF80F4-8C74-4B80-B5BA-C8DDD434E5C4}
    Deleted: [Key] - HKLM\SOFTWARE\Classes\AppID\{28A88B70-D874-4F73-BBBA-9B2B222FB7D6}
    Deleted: [Key] - HKLM\SOFTWARE\Classes\TypeLib\{86676E13-D6D8-4652-9FCF-F2047F1FB000}
    Deleted: [Key] - HKLM\SOFTWARE\Classes\AppID\kt_bho_dll.dll


    ***** [ Firefox (and derivatives) ] *****

    No malicious Firefox entries deleted.

    ***** [ Chromium (and derivatives) ] *****

    No malicious Chromium entries deleted.

    *************************

    ::Tracing keys deleted
    ::Winsock settings cleared
    ::Additional Actions: 0



    *************************

    C:/AdwCleaner/AdwCleaner[S0].txt - [2149 B] - [2017/10/12 11:26:40]


    ########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt ##########


    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Junkware Removal Tool (JRT) by Malwarebytes
    Version: 8.1.4 (07.09.2017)
    Operating System: Windows 7 Professional x64
    Ran by Surf (Administrator) on Fri 10/13/2017 at 16:48:25.71
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




    File System: 53

    Successfully deleted: C:\Users\Surf\AppData\Local\{0D9949A1-B558-4811-B4C0-CC8AB62E82A8} (Empty Folder)
    Successfully deleted: C:\Users\Surf\AppData\Local\{16EA595C-82AC-4B1B-BAB6-2C76F13231D9} (Empty Folder)
    Successfully deleted: C:\Users\Surf\AppData\Local\{19F957B4-B237-4555-A5A7-1B2D911BFAC7} (Empty Folder)
    Successfully deleted: C:\Users\Surf\AppData\Local\{1E84778C-31C1-40BF-954F-ECA7EF208C22} (Empty Folder)
    Successfully deleted: C:\Users\Surf\AppData\Local\{20A613D6-6A18-42EC-A608-E902804B4E72} (Empty Folder)
    Successfully deleted: C:\Users\Surf\AppData\Local\{225C6122-A707-48E9-B2C8-5C823981B4DA} (Empty Folder)
    Successfully deleted: C:\Users\Surf\AppData\Local\{27BD8CB6-A5B9-486A-8509-B64D54EB9568} (Empty Folder)
    Successfully deleted: C:\Users\Surf\AppData\Local\{2B413E67-7520-4261-961E-FF4CC8ECB8CB} (Empty Folder)
    Successfully deleted: C:\Users\Surf\AppData\Local\{34240BD4-EB4C-4D5C-A5E5-0B6965D7181A} (Empty Folder)
    Successfully deleted: C:\Users\Surf\AppData\Local\{40168941-7A0D-4B40-AB69-660075F649D9} (Empty Folder)
    Successfully deleted: C:\Users\Surf\AppData\Local\{4D4CE095-3D42-42E8-A361-250A3915682F} (Empty Folder)
    Successfully deleted: C:\Users\Surf\AppData\Local\{5022C539-388C-4B61-ACB4-A44C20657087} (Empty Folder)
    Successfully deleted: C:\Users\Surf\AppData\Local\{59A157B5-86D7-47ED-906C-F4F97E5AC225} (Empty Folder)
    Successfully deleted: C:\Users\Surf\AppData\Local\{5F27E0BC-21F6-44FD-B398-3DEEDA8F3401} (Empty Folder)
    Successfully deleted: C:\Users\Surf\AppData\Local\{64843C53-4322-47D3-AA55-10A7C5EAA1C6} (Empty Folder)
    Successfully deleted: C:\Users\Surf\AppData\Local\{72E1D1AB-DFA3-40D5-8B20-B1560517D1F8} (Empty Folder)
    Successfully deleted: C:\Users\Surf\AppData\Local\{7359CBD4-73C9-4B25-8500-2139427B886F} (Empty Folder)
    Successfully deleted: C:\Users\Surf\AppData\Local\{7E2EB233-68A0-43B8-8002-E1F7701A81B1} (Empty Folder)
    Successfully deleted: C:\Users\Surf\AppData\Local\{83B4F539-D0CB-4196-BCCA-0F93225CE9F8} (Empty Folder)
    Successfully deleted: C:\Users\Surf\AppData\Local\{85D7C6FF-FAD9-4576-8778-5347DDAC0DA3} (Empty Folder)
    Successfully deleted: C:\Users\Surf\AppData\Local\{875DA582-0484-4C41-AEF2-7B6FF6D13583} (Empty Folder)
    Successfully deleted: C:\Users\Surf\AppData\Local\{8D048836-B10D-4C18-9D59-89B4CCC727D8} (Empty Folder)
    Successfully deleted: C:\Users\Surf\AppData\Local\{9598F163-4F16-4535-9456-4515F2B98739} (Empty Folder)
    Successfully deleted: C:\Users\Surf\AppData\Local\{99238363-A1FC-4AC1-A499-FB1E9BE6ABB0} (Empty Folder)
    Successfully deleted: C:\Users\Surf\AppData\Local\{9D15AB46-92C6-4F8E-9058-2CFB17ECF34A} (Empty Folder)
    Successfully deleted: C:\Users\Surf\AppData\Local\{A23F8A57-7CEF-49A4-AF93-A906087582B8} (Empty Folder)
    Successfully deleted: C:\Users\Surf\AppData\Local\{AAFC0A9A-A24F-4FE6-8208-38478977A25F} (Empty Folder)
    Successfully deleted: C:\Users\Surf\AppData\Local\{B7255E5C-ADE3-4025-A75E-E4AE8ABB2A35} (Empty Folder)
    Successfully deleted: C:\Users\Surf\AppData\Local\{C111AA5A-46ED-4158-952D-8970D4A1B3FE} (Empty Folder)
    Successfully deleted: C:\Users\Surf\AppData\Local\{C1C92875-3E6D-451C-B6C0-F581019CF9F8} (Empty Folder)
    Successfully deleted: C:\Users\Surf\AppData\Local\{C47085B9-904B-4F15-B5AE-BCC0BD8E614E} (Empty Folder)
    Successfully deleted: C:\Users\Surf\AppData\Local\{C5FAAD9F-E699-444E-B554-746248F8EC3C} (Empty Folder)
    Successfully deleted: C:\Users\Surf\AppData\Local\{C73A8DB6-A577-4326-8F41-AEF2E797D1C7} (Empty Folder)
    Successfully deleted: C:\Users\Surf\AppData\Local\{CFEF19A9-61A6-43CC-BC46-3ED690D25CDA} (Empty Folder)
    Successfully deleted: C:\Users\Surf\AppData\Local\{D9AC2F3D-4426-4C28-B5B4-82CDA149BDAB} (Empty Folder)
    Successfully deleted: C:\Users\Surf\AppData\Local\{DC957DFA-1B2C-49F3-9AED-CADD55ABD592} (Empty Folder)
    Successfully deleted: C:\Users\Surf\AppData\Local\{E7FE53F8-5FA9-4697-90AC-A717A16D1CC8} (Empty Folder)
    Successfully deleted: C:\Users\Surf\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0PS72R2M (Temporary Internet Files Folder)
    Successfully deleted: C:\Users\Surf\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\62AXOPQ5 (Temporary Internet Files Folder)
    Successfully deleted: C:\Users\Surf\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9T9K97JT (Temporary Internet Files Folder)
    Successfully deleted: C:\Users\Surf\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FZG8CKJ5 (Temporary Internet Files Folder)
    Successfully deleted: C:\Users\Surf\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JLEEXCUE (Temporary Internet Files Folder)
    Successfully deleted: C:\Users\Surf\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LIXMVQOA (Temporary Internet Files Folder)
    Successfully deleted: C:\Users\Surf\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M1H2U2VI (Temporary Internet Files Folder)
    Successfully deleted: C:\Users\Surf\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QMNCYMW0 (Temporary Internet Files Folder)
    Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0PS72R2M (Temporary Internet Files Folder)
    Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\62AXOPQ5 (Temporary Internet Files Folder)
    Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9T9K97JT (Temporary Internet Files Folder)
    Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FZG8CKJ5 (Temporary Internet Files Folder)
    Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JLEEXCUE (Temporary Internet Files Folder)
    Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LIXMVQOA (Temporary Internet Files Folder)
    Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M1H2U2VI (Temporary Internet Files Folder)
    Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QMNCYMW0 (Temporary Internet Files Folder)



    Registry: 2

    Successfully deleted: HKLM\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} (Registry Key)
    Successfully deleted: HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} (Registry Key)




    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Scan was completed on Fri 10/13/2017 at 16:52:28.32
    End of JRT log
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Junkware Removal Tool (JRT) by Malwarebytes
    Version: 8.1.4 (07.09.2017)
    Operating System: Windows 7 Professional x64
    Ran by Surf (Administrator) on Fri 10/13/2017 at 16:53:39.97
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




    File System: 0




    Registry: 0





    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Scan was completed on Fri 10/13/2017 at 16:57:50.63
    End of JRT log
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


    My plan is to do as I said above with the files (hopefully get them out of quarantine and onto a jump drive tomorrow to start the process unless I can keep them in quarantine and weed through them there before putting on jump drive) and most likely get rid of the log files and programs manually (if I choose not to keep them) since I already have paid Malwarebytes installed and the stuff in quarantine.
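As an added example (not code from this thread or from AdwCleaner), here is a small Python cross-check of the two AdwCleaner logs posted above: it parses the scan and clean logs into per-section entries, reports which detections were actually deleted, and flags entries a user would want to review before pressing Clean, such as the Trojan.Bayrob hit on a folder under Documents that cost quartet-man his files here. The sample logs are constructed, abridged from the ones in this post, with one registry key deliberately left out of the clean log; the section and entry formats assumed are those visible in the logs above.

```python
"""Cross-check an AdwCleaner 7 scan log against its clean log (added example, constructed data)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# "***** [ Registry ] *****" opens a section; the entries below belong to it.
SECTION_RE = re.compile(r"^\*{5} \[ (?P<name>.+?) \] \*{5}$")
# Scan detection: "<class>, [<kind>] - <target>" or "<class>, <target>".
SCAN_ENTRY_RE = re.compile(r"^(?P<cls>[A-Za-z][\w.]*), (?:\[(?P<kind>\w+)\] - )?(?P<target>.+)$")
# Clean result: "Deleted: [<kind>] - <target>" or "Deleted: <target>"; the class is not repeated.
CLEAN_ENTRY_RE = re.compile(r"^Deleted: (?:\[(?P<kind>\w+)\] - )?(?P<target>.+)$")
MODE_RE = re.compile(r"^# Mode: (?P<mode>\w+)$")
# A path inside a user profile but outside AppData: user documents, not program data.
USER_DATA_RE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\(?!AppData\\)", re.IGNORECASE)


@dataclass(frozen=True)
class Entry:
    section: str
    classification: Optional[str]  # e.g. "PUP.Optional.Legacy"; None in clean logs
    kind: Optional[str]            # e.g. "Key"; None for services and folders
    target: str

    def key(self) -> Tuple[str, Optional[str], str]:
        return (self.section, self.kind, self.target.lower())  # matches a detection to its deletion


def parse_adwcleaner_log(text: str) -> Tuple[str, List[Entry]]:
    """Return (mode, entries), where mode comes from the "# Mode:" header line."""
    mode, section, entries = "unknown", None, []
    for raw in text.splitlines():
        line = raw.strip()
        if m := MODE_RE.match(line):
            mode = m.group("mode")
        elif m := SECTION_RE.match(line):
            section = m.group("name")
        # Blank lines, headers, separators, "::" footer actions and "No malicious ..." carry no entries.
        elif not line or section is None or line.startswith(("#", "*", "::", "No malicious")):
            continue
        elif mode == "clean":
            if m := CLEAN_ENTRY_RE.match(line):
                entries.append(Entry(section, None, m.group("kind"), m.group("target")))
        elif m := SCAN_ENTRY_RE.match(line):
            entries.append(Entry(section, m.group("cls"), m.group("kind"), m.group("target")))
    return mode, entries


def reconcile(scan_text: str, clean_text: str) -> Dict[str, List[Entry]]:
    """Detections that were removed, detections that were not, and deletions that were never detected."""
    scan_mode, detections = parse_adwcleaner_log(scan_text)
    clean_mode, deletions = parse_adwcleaner_log(clean_text)
    if (scan_mode, clean_mode) != ("scan", "clean"):
        raise ValueError(f"expected scan+clean logs, got {scan_mode!r}+{clean_mode!r}")
    detected = {e.key() for e in detections}
    deleted = {e.key() for e in deletions}
    return {
        "removed": [e for e in detections if e.key() in deleted],
        "missed": [e for e in detections if e.key() not in deleted],
        "unexpected": [e for e in deletions if e.key() not in detected],
    }


def needs_review(entry: Entry) -> bool:
    """Worth a look before pressing Clean: non-PUP classes, and anything inside user documents."""
    if entry.classification and not entry.classification.startswith("PUP."):
        return True
    return USER_DATA_RE.match(entry.target) is not None


# Constructed samples, abridged from the thread's logs; the kt_bho_dll.dll key is deliberately
# missing from the clean log so that the "missed" bucket is non-empty.
SCAN_LOG = r"""# AdwCleaner 7.0.3.1 - Logfile created on Thu Oct 12 11:26:40 2017
# Mode: scan
***** [ Services ] *****
PUP.Optional.Legacy, Partner Service
***** [ Folders ] *****
Trojan.Bayrob, C:\Users\Surf\Documents\Transfer
***** [ Files ] *****
No malicious files found.
***** [ Registry ] *****
PUP.Optional.Legacy, [Key] - HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\azlyrics.com
PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Classes\CLSID\{83FF80F4-8C74-4B80-B5BA-C8DDD434E5C4}
PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Classes\AppID\kt_bho_dll.dll
"""
CLEAN_LOG = r"""# AdwCleaner 7.0.3.1 - Logfile created on Thu Oct 12 11:43:18 2017
# Mode: clean
***** [ Services ] *****
Deleted: Partner Service
***** [ Folders ] *****
Deleted: C:\Users\Surf\Documents\Transfer
***** [ Registry ] *****
Deleted: [Key] - HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\azlyrics.com
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{83FF80F4-8C74-4B80-B5BA-C8DDD434E5C4}
*************************
::Tracing keys deleted
C:/AdwCleaner/AdwCleaner[S0].txt - [2149 B] - [2017/10/12 11:26:40]
########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt ##########
"""

if __name__ == "__main__":
    for bucket, items in reconcile(SCAN_LOG, CLEAN_LOG).items():
        print(bucket, [f"{e.classification or '-'} {e.target}" for e in items])
    print("review before Clean:", [e.target for e in parse_adwcleaner_log(SCAN_LOG)[1] if needs_review(e)])
```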
     
  10. Broni

    Broni Malware Annihilator Staff Member

    Joined:
    Jan 20, 2015
    Messages:
    651
    Location:
    Daly City, CA
    Re-run Farbar Recovery Scan Tool (FRST/FRST64), which you ran at the very beginning of this topic.

    • Double-click to run it.
    • Make sure you checkmark the Addition.txt box.
    • Press the Scan button.
    • The scan will create two logs, FRST.txt and Addition.txt, in the same directory the tool is run from. Please copy and paste them into your reply.
     
  11. quartet-man

    quartet-man Saved by grace

    Joined:
    Sep 13, 2002
    Messages:
    2,458
    Location:
    Indiana
    Had to zip again.
     


  12. Broni

    Broni Malware Annihilator Staff Member

    Joined:
    Jan 20, 2015
    Messages:
    651
    Location:
    Daly City, CA
    Download the attached fixlist.txt file and save it to the Desktop.
    NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

    Run FRST (FRST64) and press the Fix button just once and wait.
    The tool will make a log on the Desktop (Fixlog.txt). Please post it in your reply.
     


  13. quartet-man

    quartet-man Saved by grace

    Joined:
    Sep 13, 2002
    Messages:
    2,458
    Location:
    Indiana
    Fix result of Farbar Recovery Scan Tool (x64) Version: 11-10-2017
    Ran by Surf (14-10-2017 01:33:47) Run:1
    Running from C:\Users\Surf\Desktop
    Loaded Profiles: Surf (Available Profiles: Terry & Surf)
    Boot Mode: Normal
    ==============================================

    fixlist content:
    *****************
    HKLM\...\Run: [] => [X]
    HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
    S3 AthBTPort; system32\DRIVERS\btath_flt.sys [X]
    S3 BTATH_A2DP; system32\drivers\btath_a2dp.sys [X]
    S3 BTATH_BUS; system32\DRIVERS\btath_bus.sys [X]
    S3 BTATH_HCRP; system32\DRIVERS\btath_hcrp.sys [X]
    S3 BTATH_LWFLT; system32\DRIVERS\btath_lwflt.sys [X]
    S3 BTATH_RCP; system32\DRIVERS\btath_rcp.sys [X]
    S3 BtFilter; system32\DRIVERS\btfilter.sys [X]
    2015-06-13 20:27 - 2016-11-12 17:34 - 000005632 _____ () C:\Users\Surf\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    2017-06-16 10:11 - 2017-06-16 10:11 - 000000893 _____ () C:\Users\Surf\AppData\Local\recently-used.xbel
    2014-01-30 10:57 - 2016-12-17 13:07 - 000000952 ___SH () C:\ProgramData\KGyGaAvL.sys
    C:\Users\Surf\sessionstore.js
    2015-01-05 14:14 - 2015-01-05 14:14 - 000000000 _____ () C:\Users\Surf\AppData\Local\Temp\2ijwi_s2.dll
    2017-10-11 23:42 - 2017-08-11 02:36 - 001732864 _____ (Microsoft Corporation) C:\Users\Surf\AppData\Local\Temp\dllnt_dump.dll
    2015-11-27 02:20 - 2016-01-28 21:04 - 017253867 _____ () C:\Users\Surf\AppData\Local\Temp\handbrake-setup.exe
    2014-07-29 16:43 - 2014-07-29 16:45 - 024743106 _____ () C:\Users\Surf\AppData\Local\Temp\vlc-2.1.5-win32.exe
    2015-05-14 17:34 - 2015-05-14 17:36 - 028849904 _____ () C:\Users\Surf\AppData\Local\Temp\vlc-2.2.1-win32.exe
    2016-06-27 19:57 - 2016-06-27 20:00 - 030533688 _____ () C:\Users\Surf\AppData\Local\Temp\vlc-2.2.4-win32.exe
    2017-06-17 15:58 - 2017-06-17 16:00 - 030950664 _____ () C:\Users\Surf\AppData\Local\Temp\vlc-2.2.6-win32.exe
    2016-09-03 20:35 - 2014-02-11 13:38 - 000038056 _____ (Irfan Skiljan, IrfanView) C:\Users\Terry\AppData\Local\Temp\iv_uninstall.exe
    2017-09-12 14:37 - 2017-09-12 14:37 - 000552568 _____ (Logitech) C:\Users\Terry\AppData\Local\Temp\LDeviceInstaller.exe
    2017-10-09 21:19 - 2017-08-30 18:01 - 000058344 _____ (Logitech Inc.) C:\Users\Terry\AppData\Local\Temp\LogiOptionsfileUninstaller.exe
    2017-10-09 21:19 - 2017-08-30 18:11 - 000258920 _____ (Logitech Inc.) C:\Users\Terry\AppData\Local\Temp\LogiOptionsUninstaller.exe
    2017-09-12 14:39 - 2017-09-12 14:39 - 004238456 _____ (Logitech, Inc.) C:\Users\Terry\AppData\Local\Temp\PlugInInstallerUtility.exe
    ContextMenuHandlers1: [Atheros] -> {B8952421-0E55-400B-94A6-FA858FC0A39F} => -> No File
    AlternateDataStreams: C:\Windows:nlsPreferences [0]

    *****************

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully
    HKLM\SOFTWARE\Policies\Microsoft\Windows Defender => key removed successfully
    HKLM\System\CurrentControlSet\Services\AthBTPort => key removed successfully
    AthBTPort => service removed successfully
    HKLM\System\CurrentControlSet\Services\BTATH_A2DP => key removed successfully
    BTATH_A2DP => service removed successfully
    HKLM\System\CurrentControlSet\Services\BTATH_BUS => key removed successfully
    BTATH_BUS => service removed successfully
    HKLM\System\CurrentControlSet\Services\BTATH_HCRP => key removed successfully
    BTATH_HCRP => service removed successfully
    HKLM\System\CurrentControlSet\Services\BTATH_LWFLT => key removed successfully
    BTATH_LWFLT => service removed successfully
    HKLM\System\CurrentControlSet\Services\BTATH_RCP => key removed successfully
    BTATH_RCP => service removed successfully
    HKLM\System\CurrentControlSet\Services\BtFilter => key removed successfully
    BtFilter => service removed successfully
    C:\Users\Surf\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini => moved successfully
    C:\Users\Surf\AppData\Local\recently-used.xbel => moved successfully
    C:\ProgramData\KGyGaAvL.sys => moved successfully
    C:\Users\Surf\sessionstore.js => moved successfully
    C:\Users\Surf\AppData\Local\Temp\2ijwi_s2.dll => moved successfully
    C:\Users\Surf\AppData\Local\Temp\dllnt_dump.dll => moved successfully
    C:\Users\Surf\AppData\Local\Temp\handbrake-setup.exe => moved successfully
    C:\Users\Surf\AppData\Local\Temp\vlc-2.1.5-win32.exe => moved successfully
    C:\Users\Surf\AppData\Local\Temp\vlc-2.2.1-win32.exe => moved successfully
    C:\Users\Surf\AppData\Local\Temp\vlc-2.2.4-win32.exe => moved successfully
    C:\Users\Surf\AppData\Local\Temp\vlc-2.2.6-win32.exe => moved successfully
    C:\Users\Terry\AppData\Local\Temp\iv_uninstall.exe => moved successfully
    C:\Users\Terry\AppData\Local\Temp\LDeviceInstaller.exe => moved successfully
    C:\Users\Terry\AppData\Local\Temp\LogiOptionsfileUninstaller.exe => moved successfully
    C:\Users\Terry\AppData\Local\Temp\LogiOptionsUninstaller.exe => moved successfully
    C:\Users\Terry\AppData\Local\Temp\PlugInInstallerUtility.exe => moved successfully
    HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers\Atheros => key removed successfully
    HKLM\Software\Classes\CLSID\{B8952421-0E55-400B-94A6-FA858FC0A39F} => key not found.
    C:\Windows => ":nlsPreferences" ADS removed successfully.

    ==== End of Fixlog 01:33:56 ====

    I would like to ask how messed up was it? As far as the script, what type of things needed to be fixed or corrected? I'm wondering if some of this was from the most recent thing, or if some have been here for some time. Hopefully nothing has been compromised. My Malwarebytes recently was stopping outgoing things, but I wasn't sure from what or if a false positive.
     
  14. Broni

    Broni Malware Annihilator Staff Member

    Joined:
    Jan 20, 2015
    Messages:
    651
    Location:
    Daly City, CA
    Nothing really bad there. In your initial FRST logs I didn't see much but I wanted to make sure.

    Last scans...

    Download Security Check from here or here and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

    NOTE 1. If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access the Internet, allow it to do so.
    NOTE 2. SecurityCheck may produce some false warning(s), so leave the results reading to me.
    NOTE 3. If you receive the UNSUPPORTED OPERATING SYSTEM! ABORTED! message, restart the computer and Security Check should run.


    Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
    Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
    • Other Services

    Press "Scan".
    It will create a log (FSS.txt) in the same directory the tool is run.
    Please copy and paste the log to your reply.


    Download Temp File Cleaner (TFC)
    Alternate download: http://www.itxassociates.com/OT-Tools/TFC.exe
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.


    Download Sophos Free Virus Removal Tool and save it to your desktop.
    • Double click the icon and select Run
    • Click Next
    • Select I accept the terms in this license agreement, then click Next twice
    • Click Install
    • Click Finish to launch the program
    • Once the virus database has been updated click Start Scanning
    • If any threats are found click Details, then View log file... (bottom left hand corner)
    • Copy and paste the results in your reply
    • Close the Notepad document, close the Threat Details screen, then click Start cleanup
    • Click Exit to close the program
     
  15. quartet-man

    quartet-man Saved by grace

    Joined:
    Sep 13, 2002
    Messages:
    2,458
    Location:
    Indiana
    All done.

    Results of screen317's Security Check version 1.014 --- 12/23/15
    Windows 7 Service Pack 1 x64 (UAC is enabled)
    Internet Explorer 11
    ``````````````Antivirus/Firewall Check:``````````````
    Windows Firewall Enabled!
    Avast Antivirus
    Malwarebytes
    Antivirus up to date!
    `````````Anti-malware/Other Utilities Check:`````````
    Adobe Flash Player 27.0.0.159
    Mozilla Firefox (56.0)
    Mozilla Thunderbird (52.3.0)
    Google Chrome (61.0.3163.100)
    Google Chrome (SetupMetrics...)
    ````````Process Check: objlist.exe by Laurent````````
    Malwarebytes Anti-Malware mbamservice.exe
    Malwarebytes Anti-Malware mbamtray.exe
    Intel Intel(R) Small Business Advantage UI IntelSmallBusinessAdvantage.exe
    Intel Intel(R) Small Business Advantage Service Intel.SmallBusinessAdvantage.WindowsService.exe
    AVAST Software Avast AvastSvc.exe
    AVAST Software Avast x64 aswidsagenta.exe
    AVAST Software Avast AvastUI.exe
    `````````````````System Health check`````````````````
    Total Fragmentation on Drive C: 6%
    ````````````````````End of Log``````````````````````

    Farbar Service Scanner Version: 27-01-2016
    Ran by Surf (administrator) on 14-10-2017 at 22:47:29
    Running from "C:\Users\Surf\Desktop"
    Microsoft Windows 7 Professional Service Pack 1 (X64)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============

    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Google.com is accessible.
    Yahoo.com is accessible.


    Windows Firewall:
    =============

    Firewall Disabled Policy:
    ==================


    System Restore:
    ============

    System Restore Policy:
    ========================


    Action Center:
    ============


    Windows Update:
    ============

    Windows Autoupdate Disabled Policy:
    ============================


    Windows Defender:
    ==============
    WinDefend Service is not running. Checking service configuration:
    The start type of WinDefend service is set to Demand. The default start type is Auto.
    The ImagePath of WinDefend service is OK.
    The ServiceDll of WinDefend service is OK.


    Windows Defender Disabled Policy:
    ==========================
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
    "DisableAntiSpyware"=DWORD:1


    Other Services:
    ==============


    File Check:
    ========
    C:\Windows\System32\nsisvc.dll => File is digitally signed
    C:\Windows\System32\drivers\nsiproxy.sys => File is digitally signed
    C:\Windows\System32\dhcpcore.dll => File is digitally signed
    C:\Windows\System32\drivers\afd.sys => File is digitally signed
    C:\Windows\System32\drivers\tdx.sys => File is digitally signed
    C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
    C:\Windows\System32\dnsrslvr.dll => File is digitally signed
    C:\Windows\System32\dnsapi.dll => File is digitally signed
    C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
    C:\Windows\System32\mpssvc.dll => File is digitally signed
    C:\Windows\System32\bfe.dll => File is digitally signed
    C:\Windows\System32\drivers\mpsdrv.sys => File is digitally signed
    C:\Windows\System32\SDRSVC.dll => File is digitally signed
    C:\Windows\System32\vssvc.exe => File is digitally signed
    C:\Windows\System32\wscsvc.dll => File is digitally signed
    C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed
    C:\Windows\System32\wuaueng.dll => File is digitally signed
    C:\Windows\System32\qmgr.dll => File is digitally signed
    C:\Windows\System32\es.dll => File is digitally signed
    C:\Windows\System32\cryptsvc.dll => File is digitally signed
    C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
    C:\Windows\System32\ipnathlp.dll => File is digitally signed
    C:\Windows\System32\iphlpsvc.dll => File is digitally signed
    C:\Windows\System32\svchost.exe => File is digitally signed
    C:\Windows\System32\rpcss.dll => File is digitally signed


    **** End of log ****


    No viruses found.
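
    An added example, not part of the thread and not one of Farbar's tools: a small Python triage script for an FSS.txt log in the layout posted above. It splits the log on FSS's section markers (a "Header:" line followed by a line of "=") and flags the entries a helper checks first: a service reported not running, a service whose start type differs from its default, an ImagePath or ServiceDll line whose status is not "OK", any registry value listed under a "... Disabled Policy" section, and any File Check entry whose status is anything other than "File is digitally signed". The regular expressions match FSS's wording exactly as it appears in the log above; the File Check rule is a catch-all, since the thread only shows the signed wording, and the sample text is a constructed excerpt of the posted log. On that excerpt it reports three items: WinDefend not running, WinDefend start type Demand against a default of Auto, and DisableAntiSpyware=1 under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender. The earlier Fixlog shows that policy key being removed, and this later scan shows it present again; the script only surfaces that, and leaves the judgement to the helper.

```python
"""Triage helper for Farbar Service Scanner (FSS.txt) output.
Added example, not part of the thread or of Farbar's tools.
"""
import re
import sys

# Wording taken from the FSS log posted in the thread.
START_TYPE_RE = re.compile(
    r"The start type of (?P<svc>\S+) service is set to (?P<cur>\w+)\. "
    r"The default start type is (?P<default>\w+)\."
)
NOT_RUNNING_RE = re.compile(r"^(?P<svc>\S+) Service is not running")
PATH_RE = re.compile(
    r"^The (?P<field>ImagePath|ServiceDll) of (?P<svc>\S+) service is (?P<status>.+?)\.$"
)
POLICY_KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
POLICY_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<type>\w+):(?P<value>\S+)$')
FILE_CHECK_RE = re.compile(r"^(?P<path>.+?) => (?P<status>.+)$")
SIGNED = "File is digitally signed"

# Constructed sample: an excerpt of the FSS log posted in the thread
# (backslashes doubled for the Python literal).
SAMPLE_FSS = """\
Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender]
"DisableAntiSpyware"=DWORD:1


File Check:
========
C:\\Windows\\System32\\nsisvc.dll => File is digitally signed
C:\\Windows\\System32\\svchost.exe => File is digitally signed
"""


def split_sections(text):
    """Map each FSS section header to its non-empty body lines, in log order."""
    sections = {}
    lines = text.splitlines()
    current = None
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        nxt = lines[i + 1].strip() if i + 1 < len(lines) else ""
        # A header is "Name:" followed by a line made only of '=' characters.
        if line.endswith(":") and nxt and set(nxt) == {"="}:
            current = line[:-1]
            sections[current] = []
            i += 2
            continue
        if current is not None and line:
            sections[current].append(line)
        i += 1
    return sections


def triage(text):
    """Return (category, detail) pairs for the entries worth a second look."""
    findings = []
    for header, body in split_sections(text).items():
        if header.endswith("Disabled Policy"):
            # Any value listed here is a policy that switches a defence off.
            key = "?"
            for line in body:
                m = POLICY_KEY_RE.match(line)
                if m:
                    key = m.group("key")
                    continue
                m = POLICY_VALUE_RE.match(line)
                if m:
                    findings.append(("policy", f"{header}: {key}\\{m.group('name')} = {m.group('value')}"))
            continue
        if header == "File Check":
            # The thread only shows the signed wording; anything else is flagged.
            for line in body:
                m = FILE_CHECK_RE.match(line)
                if m and m.group("status") != SIGNED:
                    findings.append(("file", f"{m.group('path')}: {m.group('status')}"))
            continue
        for line in body:
            m = START_TYPE_RE.search(line)
            if m and m.group("cur") != m.group("default"):
                findings.append(("service", f"{m.group('svc')} start type {m.group('cur')} (default {m.group('default')})"))
                continue
            m = NOT_RUNNING_RE.match(line)
            if m:
                findings.append(("service", f"{m.group('svc')} not running"))
                continue
            m = PATH_RE.match(line)
            if m and m.group("status") != "OK":
                findings.append(("service", f"{m.group('svc')} {m.group('field')}: {m.group('status')}"))
    return findings


if __name__ == "__main__":
    # Usage: python fss_triage.py FSS.txt   (falls back to the constructed sample)
    source = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_FSS
    for category, detail in triage(source) or [("ok", "nothing flagged")]:
        print(f"[{category}] {detail}")
```

    The script deliberately does not decide whether a flagged item is malicious: a non-default start type or a disabling policy can be set by an installed security product as well as by malware, so the output is a checklist for the helper to compare against the FRST logs, not a verdict.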
     
  16. Broni

    Broni Malware Annihilator Staff Member

    Joined:
    Jan 20, 2015
    Messages:
    651
    Location:
    Daly City, CA
    Your computer is clean

    1. This step will remove all cleaning tools we used, it'll reset restore points (so you won't get reinfected by accidentally using some older restore point) and it'll make some other minor adjustments...
    This is a very crucial step so make sure you don't skip it.
    Download DelFix by Xplode to your desktop. Delfix will delete all the used tools and logfiles.

    Double-click Delfix.exe to start the tool.
    Make sure the following items are checked:
    • Activate UAC (optional; some users prefer to keep it off)
    • Remove disinfection tools
    • Create registry backup
    • Purge System Restore
    • Reset system settings
    Now click "Run" and wait patiently.
    Once finished a logfile will be created. You don't have to attach it to your next reply.

    2. Make sure Windows Updates are current.

    3. If any trojans, rootkits or bootkits were listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

    4. Check if your browser plugins are up to date.
    Firefox - More browser features, fewer plugin updates | Firefox
    other browsers: Qualys BrowserCheck (click on "Scan without installing plugin" and then on "Scan now")

    5. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

    6. Run Temporary File Cleaner (TFC), AdwCleaner and Junkware Removal Tool (JRT) weekly (you need to redownload these tools since they were removed by DelFix).

    7. Download and install Secunia Personal Software Inspector (PSI): Personal Software Inspector. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

    8. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    9. When installing/updating ANY program, make sure you always select "Custom" installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click the "Next" button without looking at any given page.

    10. Read:
    How did I get infected?, With steps so it does not happen again!: How did I get infected? - Anti-Virus, Anti-Malware, and Privacy Software
    Simple and easy ways to keep your computer safe and secure on the Internet: Simple and easy ways to keep your computer safe and secure on the Internet
    About those Toolbars and Add-ons - Potentially Unwanted Programs (PUPs) which change your browser settings: Answers to common security questions - Best Practices - Anti-Virus, Anti-Malware, and Privacy Software

    11. Please, let me know, how your computer is doing.
     
  17. quartet-man

    quartet-man Saved by grace

    Joined:
    Sep 13, 2002
    Messages:
    2,458
    Location:
    Indiana
    Thanks. I always smile when I see the Mr. Clean pic. I want to leave my Malwarebytes Professional on, and there was something with a recent upgrade that said to be careful in deactivating the lifetime license I have. I know how to manually flush out System Restore and uninstall the programs, and can do a registry backup in CCleaner; I just don't know how to "reset system settings" and need to know how to remove FRST since it isn't an installed program (do I just delete it?). I presume I could just check reset settings, or just uncheck the disinfection tools one and do the rest manually.
     
  18. Broni

    Broni Malware Annihilator Staff Member

    Joined:
    Jan 20, 2015
    Messages:
    651
    Location:
    Daly City, CA
    Yes...and FRST doesn't install so you can just delete it manually.
     
    quartet-man likes this.