Solved Should I format all of my drives?

February 1, 2017 at 20:20:41
Specs: Windows 7, Core i3 2.2GHz / 2 gigs
So I'm being infected by a trojan "Project1" or TJprojMain.exe. The thing here is it infects all of my files. For every .exe, when I click on Details it always shows the product name "Project1" and Original Filename "TJprojMain.exe". Can I keep all the .rar and pictures, music...? (Of course not including all of those .exe files.) Should I format all of my drives? (Maybe just 2, I'll put all backup things on one drive.)

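The original post identifies the infection by two version-info strings that every executable now carries: ProductName "Project1" and OriginalFilename "TJprojMain.exe". Before deciding between cleaning and a clean reinstall, it helps to know exactly which files are affected. The script below is an added example (not from this thread and not part of any tool mentioned in it): it walks a directory tree and reports PE files whose resource data contains those two strings, read-only. It relies on the fact that VS_VERSIONINFO string tables are stored as UTF-16LE in the resource section, so a byte search for the UTF-16LE form of each marker works without a full PE parser. The file extensions scanned, the size cap and the sample files it builds for itself are assumptions made for the example.

```python
"""Read-only triage scan for executables carrying the version-info strings
the original post reports (ProductName "Project1", OriginalFilename
"TJprojMain.exe").  Added example, not from the thread or from any tool
named in it.  Nothing is modified: the output is an inventory to weigh
against the clean-reinstall decision."""
import os
import sys
import tempfile

MARKERS = {
    "ProductName": "Project1",
    "OriginalFilename": "TJprojMain.exe",
}
# Byte patterns as they appear in the PE resource section (UTF-16LE).
ENCODED = {name: value.encode("utf-16-le") for name, value in MARKERS.items()}
SCAN_EXT = {".exe", ".dll", ".scr"}      # PE extensions to inspect (assumption)
READ_LIMIT = 64 * 1024 * 1024            # skip the tail of very large files


def inspect_file(path):
    """Return the marker names found in one file ([] for clean or non-PE)."""
    with open(path, "rb") as fh:
        data = fh.read(READ_LIMIT)
    if not data.startswith(b"MZ"):       # no DOS header: not a PE image
        return []
    return sorted(name for name, needle in ENCODED.items() if needle in data)


def is_strong_match(found):
    """Both strings together are the signature the post describes; 'Project1'
    alone is also Visual Basic's default project name, so treat it as weak."""
    return set(found) == set(MARKERS)


def scan_tree(root):
    """Walk root; return {path: [markers]} for every file with at least one hit."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if os.path.splitext(fn)[1].lower() not in SCAN_EXT:
                continue
            path = os.path.join(dirpath, fn)
            try:
                found = inspect_file(path)
            except OSError:              # locked or unreadable file: skip it
                continue
            if found:
                hits[path] = found
    return hits


def build_sample_tree(root):
    """Constructed samples: a fake PE stub carrying both UTF-16LE markers, a
    clean PE stub that only contains ASCII 'Project1' (must not match), and a
    text file holding the markers under the wrong extension (must be skipped)."""
    os.makedirs(root, exist_ok=True)
    stub = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 200
    infected = (stub + ENCODED["ProductName"] + b"\x00\x00"
                + ENCODED["OriginalFilename"] + b"\x00\x00")
    clean = stub + b"Project1 release build\x00"
    with open(os.path.join(root, "game.exe"), "wb") as fh:
        fh.write(infected)
    with open(os.path.join(root, "tool.exe"), "wb") as fh:
        fh.write(clean)
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"MZ" + ENCODED["ProductName"] + ENCODED["OriginalFilename"])


def demo():
    """Run the scanner over the constructed samples; return {basename: markers}."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return {os.path.basename(p): m for p, m in scan_tree(tmp).items()}


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, found in sorted(scan_tree(root).items()):
        label = "STRONG" if is_strong_match(found) else "weak"
        print(f"{label:6} {path}  ({', '.join(found)})")
```

Run it as `python triage.py D:\` on each drive from a known-clean machine with the suspect disk attached, or from a rescue environment. A file infector that appends itself to every executable is not something a per-file hit list fixes on its own, but the list tells you whether the damage is confined to one drive, which is the question the post is really asking.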

#1
February 1, 2017 at 21:18:52
This one claims it can remove the trojan. Don't know if it works.

http://www.exterminate-it.com/malpe...



#2
February 1, 2017 at 21:20:42
✔ Best Answer
Either way, it will take a fair bit of time. One scanner will not be enough.

Here is where I would start.

Run ESET Online Scanner. Copy and Paste the contents of the log in your reply please. This scan may take a very long while, so please be patient. Maybe start it before going to work or bed.
Make sure these options are checked/ticked in Advanced settings.

Remove found threats, Scan archives, Scan for potentially unsafe applications, Enable Anti-Stealth technology.
http://www.eset.com/us/online-scann...
http://www.eset.com/home/products/o...
If your comp is unbootable, or won't let you download, you will have to download ESET from a good computer, put it on a flash/thumb/pen/usb drive & run it from there.
Create an ESET SysRescue CD or USB drive
http://www.eset.com/int/support/sys...
How do I use my ESET SysRescue CD or USB flash drive to scan and clean my system?
http://support.eset.com/kb3509/?loc...
Configure ESET this way & disable your AV.
http://i.imgur.com/wZF1Ppi.gif
How to Temporarily Disable your Anti-virus
http://www.bleepingcomputer.com/for...
http://www.techsupportforum.com/for...
3: Which web browsers are compatible with ESET Online Scanner?
http://support.eset.com/kb405/?loca...
Online Scanner not working
http://support.eset.com/kb403/?loca...
My ESET product detected a threat—what should I do?
http://support.eset.com/kb117/
Once onto a machine, malware can disable antivirus programs, prevent antimalware programs from downloading updates, or prevent a user from running antivirus scans or installing new antivirus software or malware removal tools. At this point even though you are aware the computer is infected, removal is very difficult.
5: Why does the ESET Online Scanner run slowly on my computer?
http://support.eset.com/kb405/?view...
If you have other antivirus, antispyware or anti-malware programs running on your computer, they may intercept the scan being performed by the ESET Online Scanner and hinder performance. You may wish to disable the real-time protection components of your other security software before running the ESET Online Scanner. Remember to turn them back on after you are finished.
17: How can I view the log file from ESET Online Scanner?
http://support.eset.com/kb405/?view...
The ESET Online Scanner saves a log file after running, which can be examined or sent in to ESET for further analysis. The path to the log file is "C:\Program Files\ESET\EsetOnlineScanner\log.txt" (on 64-bit systems this directory will be "C:\Program Files (x86)\ESET\Esetonlinescanner\log.txt"). You can view this file by navigating to the directory and double-clicking it in Windows Explorer, or by copying and pasting the path specification above (including the quotation marks) into the Start > Run dialog box from the Start Menu on the Desktop.
If no threats are found, you will simply see an information window that no threats were found.
http://www.trishtech.com/security/s...



#3
February 1, 2017 at 21:24:44
If you prefer to go down the format path, delete all the partitions, the format path will then be greyed out.

W7 - Click on > Drive options (advanced), then highlight each partition & hit > Delete.
Make sure when you reinstall, you delete ALL partitions.
https://www.lifewire.com/how-to-cle...
http://www.sevenforums.com/tutorial...
http://fs5.directupload.net/images/...

Here are some examples of why you delete all partitions.
http://forums.spybot.info/showthrea...
http://forums.whatthetech.com/index...
http://blog.eset.com/2011/10/18/tdl...



#4
February 2, 2017 at 05:45:37
Here is my log (I can't just copy and paste because there was an error when doing it):
https://drive.google.com/open?id=0B...


#5
February 2, 2017 at 14:34:08
Your system is loaded. Apparently you're not very careful in the things you do. I see hack tools mentioned in the log too. You can't remove these types of infections while booted into Windows, you will need to boot off a rescue disk & run a deep scan from outside the Windows environment.

https://www.lifewire.com/free-boota...



#6
February 2, 2017 at 14:43:12
"Here is my log"
Yep, that's the way to do it, when the log is that large.

Next step.

Download ComboFix onto your Desktop & then run it. If your default download location is not the Desktop, drag it out of its location onto the Desktop. Copy & Paste the contents of the log in your next post please. ComboFix's log should be located at C:\COMBOFIX.TXT
http://www.bleepingcomputer.com/dow...
http://download.bleepingcomputer.co...
http://www.forospyware.com/sUBs/Com...
The log can be large, upload it using one of these. No account/registration needed. Give us the links please.
http://www.fileconvoy.com/index.php
http://www.filedropper.com/
https://go4up.com/
A guide and tutorial on using ComboFix
http://www.bleepingcomputer.com/com...
https://www.winhelp.us/combofix.html
Windows XP/Vista/7/8 32-bit program. Can run on both a 32-bit and 64-bit OS.
Manually restoring the Internet connection
http://www.bleepingcomputer.com/com...
There are circumstances ComboFix will hang, crash or stall at various stages due to malware interference, failure to disable other real-time protection tools or the presence of CD Emulators (Daemon Tools, Alcohol 120%, Astroburn, AnyDVD) so that it does not complete successfully. Also, depending on how badly a system is infected, ComboFix may take longer to complete its routine than it normally does or fail to run properly. While that is not normal behavior, it is not unusual.
If you think it's frozen, look at the computer clock.
If it's running, Combofix is still working.
NOTE: Do not mouseclick combofix's window while it is running. That may cause it to stall.
NOTE: ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
**Please Note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
Allow ComboFix to download the Recovery Console.
Accept the End-User License Agreement.
The Recovery Console will be installed.
You will then get this next prompt that asks if you want to continue the malware scan, select yes.
If after running Combofix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion". Then the answer is to REBOOT the machine, and all will be corrected.
Can't Install an Antivirus - Windows Security Center still detects previous AV
http://www.experts-exchange.com/Vir...
We are almost ready to start ComboFix, but before we do so, we need to take some preventative measures so that there are no conflicts with other programs when running ComboFix. At this point you should do the following:
* Close all open Windows including this one.
* Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix. Instructions on disabling these types of programs can be found in this topic.
http://www.bleepingcomputer.com/for...
http://www.techsupportforum.com/for...
Once these two steps have been completed, double-click on the ComboFix icon found on your Desktop.
Please Note: Once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all. The scan could take a while, so please be patient.



#7
February 2, 2017 at 19:01:52
Here is ComboFix's log: http://www.filedropper.com/combofix_1
I appreciate all the time you guys have spent to help me. But I prefer to save my computer as long as it's possible. Of course if it doesn't work, my final option will still be to do a clean install of my OS.
And with the bootscan option, I have tried it with Kaspersky Rescue Disk (with the default scan option, but I don't think it's enough). Maybe I will do a full scan with KRD...


#9
February 2, 2017 at 19:25:42
You probably got infected from a thumb drive, make sure they are all clean. Best option is to format them.

message edited by Johnw



#10
February 3, 2017 at 04:15:01
Here is McAfee Stinger log:
McAfee® Labs Stinger™ Version 12.1.0.2244 built on Feb 1 2017 at 23:25:05
Copyright© 2015, McAfee, Inc. All Rights Reserved.

AV Engine version v5900.7784 for Windows.
Virus data file v1000.0 created on Feb 2, 2017
Ready to scan for 10032 viruses, trojans and variants.

Scan initiated on Friday, February 03, 2017 19:03:50

C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\TRANSLAT\ESEN\MSB1ESEN.DLL [MD5:1e540048427ce5fb7f936bae9332cacc] is infected with Artemis!1E540048427C
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\TRANSLAT\ESEN\MSB1ESEN.DLL has been Deleted
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\TRANSLAT\FREN\MSB1FREN.DLL [MD5:736548f973b3e50c92e8600fa9ca8b39] is infected with Artemis!736548F973B3
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\TRANSLAT\FREN\MSB1FREN.DLL has been Deleted

Summary Report on Smart Scan
File(s)
TotalFiles:............ 4566
Clean:................. 4560
Not Scanned:........... 4
Possibly Infected:..... 2

Time: 00:06:32

Scan completed on Friday, February 03, 2017 19:10:22



#11
February 3, 2017 at 04:19:49
Next step.

Please download Farbar Recovery Scan Tool and save it onto your Desktop. If your default download location is not the Desktop, drag it out of its location onto the Desktop.
http://www.bleepingcomputer.com/dow...
If we have to run Farbar more than once, refer to this SS.
http://i.imgur.com/yUxNw0j.gif
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) on the Desktop.
The first time the tool is run, it makes also another log (Addition.txt)
The logs are large, upload them using one of these. No account/registration needed. Give us the links please.
http://www.fileconvoy.com/index.php
http://www.filedropper.com/
https://go4up.com/



#13
February 3, 2017 at 05:36:50
Test those links to see if you can download, I'm getting the 404 message.

Here is another site to try, test after uploading please.
File Convoy ( no account needed )
http://www.fileconvoy.com/index.php

message edited by Johnw



#14
February 3, 2017 at 05:58:28
"I have tried it with Kaspersky Rescue Disk (with the default scan option, but I don't think it's enough)"

You should boot off the disk, update the antivirus database, then run a deep scan. KRD 10 is over a year old so it will take time to download the updates.



#15
February 3, 2017 at 06:17:18
Here are 2 logs from another site ^_^ :
http://www.fileconvoy.com/dfl.php?i...


#16
February 3, 2017 at 06:28:21
Ok, got them, I will go through them in the morning.
I'm here.
https://www.timeanddate.com/worldcl...

Do you feel there is improvement in the comp?

This is what we are up against.
https://www.microsoft.com/security/...



#17
February 3, 2017 at 06:56:14
I don't know if the virus has completely disappeared, but I see no more explorer.exe or svchost.exe running in the background. Also McAfee removed all of my infected files, so I think there is nothing left. And all the new files I downloaded (LoL game and my language typing assistant) are all fresh and runnable, without being infected or creating more trojans. Well, just check all the logs I have uploaded and thanks for being responsive.
I just have a little question that can I extract all the .rar that have survived through the virus's invasion and antivirus's scanning?

Big thanks and respect for all people who help me. You guys are the best!

message edited by headhunter



#18
February 3, 2017 at 07:13:10
I've got this part finished, will do the rest in the morning.

"I just have a little question that can I extract all the .rar that have survived through the virus's invasion and antivirus's scanning? "
Wait until I'm finished & give the all clear.

Copy & Paste the text in Blue below & save it into Notepad on your Desktop & name it fixlist.txt
NOTE: It is important that Notepad is used. The fix will not work if Word or some other program is used.
NOTE: It is important that both files, FRST and fixlist.txt are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

CreateRestorePoint:
emptytemp:
closeprocesses:
Task: {A7A9E5AD-72A2-4168-BFE2-AFA21A0C9AED} - \svchost -> No File <==== ATTENTION
Task: {BE90FF31-B417-4135-863C-DE4F71836B04} - \svchost -> No File <==== ATTENTION
AlternateDataStreams: C:\ProgramData\TEMP:1CE11B51 [152]
GroupPolicy: Restriction ? <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-4136066922-3396348503-4065548720-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-4136066922-3396348503-4065548720-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
BHO: No Name -> {0055C089-8582-441B-A0BF-17B458C2A3A8} -> No File
Handler: bksa - No CLSID Value -
FF HKLM\...\Firefox\Extensions: [bkavsiteadvisor@bkav.com.vn] - C:\Program Files\BkavHomePlus\SiteAdvisor\Firefox => not found
S3 catchme; \??\C:\Users\Ninh\AppData\Local\Temp\catchme.sys [X]
S3 cpuz139; no ImagePath
R3 gkernel; \??\C:\Users\Ninh\AppData\Local\Temp\gkernel.sys [X]
2017-01-28 20:17 - 2017-02-01 19:59 - 00000000 ____D C:\Program Files\Hacknhotq
2017-02-02 18:27 - 2016-12-23 00:19 - 00000000 ____D C:\ProgramData\TEMP
2017-02-03 10:18 - 2017-02-03 10:18 - 0106528 _____ () C:\Users\Ninh\AppData\Local\temp\VN_patch_20170119to20170126.exe

Open FRST and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that, let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please Copy & Paste the contents into your reply.
Refer to these SS if needed.
http://fs5.directupload.net/images/...
http://fs5.directupload.net/images/...
http://fs5.directupload.net/images/...
http://fs5.directupload.net/images/...
http://fs5.directupload.net/images/...
http://fs5.directupload.net/images/...

message edited by Johnw



#19
February 3, 2017 at 18:45:47
Here is the log:
Fix result of Farbar Recovery Scan Tool (x86) Version: 29-01-2017
Ran by Ninh (04-02-2017 09:40:59) Run:1
Running from C:\Users\Ninh\Desktop
Loaded Profiles: Ninh (Available Profiles: Ninh)
Boot Mode: Normal

==============================================

fixlist content:
*****************
CreateRestorePoint:
emptytemp:
closeprocesses:
Task: {A7A9E5AD-72A2-4168-BFE2-AFA21A0C9AED} - \svchost -> No File <==== ATTENTION
Task: {BE90FF31-B417-4135-863C-DE4F71836B04} - \svchost -> No File <==== ATTENTION
AlternateDataStreams: C:\ProgramData\TEMP:1CE11B51 [152]
GroupPolicy: Restriction ? <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-4136066922-3396348503-4065548720-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-4136066922-3396348503-4065548720-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
BHO: No Name -> {0055C089-8582-441B-A0BF-17B458C2A3A8} -> No File
Handler: bksa - No CLSID Value -
FF HKLM\...\Firefox\Extensions: [bkavsiteadvisor@bkav.com.vn] - C:\Program Files\BkavHomePlus\SiteAdvisor\Firefox => not found
S3 catchme; \??\C:\Users\Ninh\AppData\Local\Temp\catchme.sys [X]
S3 cpuz139; no ImagePath
R3 gkernel; \??\C:\Users\Ninh\AppData\Local\Temp\gkernel.sys [X]
2017-01-28 20:17 - 2017-02-01 19:59 - 00000000 ____D C:\Program Files\Hacknhotq
2017-02-02 18:27 - 2016-12-23 00:19 - 00000000 ____D C:\ProgramData\TEMP
2017-02-03 10:18 - 2017-02-03 10:18 - 0106528 _____ () C:\Users\Ninh\AppData\Local\temp\VN_patch_20170119to20170126.exe
*****************

Restore point was successfully created.
Processes closed successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{A7A9E5AD-72A2-4168-BFE2-AFA21A0C9AED} => key removed successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A7A9E5AD-72A2-4168-BFE2-AFA21A0C9AED} => key removed successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\svchost => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{BE90FF31-B417-4135-863C-DE4F71836B04} => key removed successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{BE90FF31-B417-4135-863C-DE4F71836B04} => key removed successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\svchost => key not found.
C:\ProgramData\TEMP => ":1CE11B51" ADS removed successfully..
C:\Windows\system32\GroupPolicy\Machine => moved successfully
C:\Windows\system32\GroupPolicy\GPT.ini => moved successfully
HKLM\SOFTWARE\Policies\Google => key removed successfully.
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer => key removed successfully.
HKU\S-1-5-21-4136066922-3396348503-4065548720-1000\SOFTWARE\Policies\Microsoft\Internet Explorer => key removed successfully.
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main\\Search Page => value removed successfully.
HKU\S-1-5-21-4136066922-3396348503-4065548720-1000\Software\Microsoft\Internet Explorer\Main\\Search Page => value restored successfully
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8} => key removed successfully.
HKCR\CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8} => key not found.
HKCR\PROTOCOLS\Handler\bksa => key not found.
HKLM\Software\Mozilla\Firefox\Extensions\\bkavsiteadvisor@bkav.com.vn => value removed successfully.
HKLM\System\CurrentControlSet\Services\catchme => key removed successfully.
catchme => service removed successfully.
HKLM\System\CurrentControlSet\Services\cpuz139 => key removed successfully.
cpuz139 => service removed successfully.
gkernel => Unable to stop service.
HKLM\System\CurrentControlSet\Services\gkernel => key removed successfully.
gkernel => service removed successfully.
C:\Program Files\Hacknhotq => moved successfully
C:\ProgramData\TEMP => moved successfully
C:\Users\Ninh\AppData\Local\temp\VN_patch_20170119to20170126.exe => moved successfully

=========== EmptyTemp: ==========

BITS transfer queue => 0 B
DOMStoree, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 8911020 B
Java, Flash, Steam htmlcache => 506 B
Windows/system/drivers => 0 B
Edge => 0 B
Chrome => 286432204 B
Firefox => 0 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Users => 0 B
Default => 0 B
Public => 0 B
ProgramData => 0 B
systemprofile => 66392 B
LocalService => 66228 B
NetworkService => 66868 B
Ninh => 444847642 B

RecycleBin => 0 B
EmptyTemp: => 706.1 MB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 09:41:40 ====



#20
February 3, 2017 at 18:56:14
Thanks, I'm still going through your logs.

What country are you in?



#21
February 3, 2017 at 19:47:34
I am in Vietnam.


#22
February 3, 2017 at 20:19:49
Extract from your FRST log.
"Platform: Microsoft Windows 7 Professional Service Pack 1 (X86) Language: English (United States)"

Make sure ALL your Regional and Language Options settings are Ok. They will be something similar to this, the main point being, you should have at least 3 places to make sure you have your country displayed.
Windows 7: Change or Add Another Language or Region to suit your situation, here are mine for Australia.
http://i.imgur.com/QZnXZTA.gif
http://i.imgur.com/MWki04y.gif
http://i.imgur.com/Xas9F3d.gif
http://i.imgur.com/nNa2KLI.gif
http://i.imgur.com/4isl3Yk.gif
http://i.imgur.com/A0feSoa.gif

Here are the next 2 steps after doing the above. More steps may be needed after I see the results of these logs.

Run them in this order.

Step 1: Run AdwCleaner
http://www.softpedia.com/get/Antivi...
http://www.raymond.cc/blog/adwclean...
http://www.bleepingcomputer.com/dow...
Author's site
http://general-changelog-team.fr/en...
Tutorial
http://general-changelog-team.fr/en...
Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click Scan
In the results tabs, uncheck anything you don't want to remove.
Click on Cleaning.
Confirm each time with Ok.
Your computer will be rebooted automatically. A text file will open after the restart.
Please Copy & Paste the contents of that logfile with your next answer.
You can find the logfile at C:\AdwCleaner [C1 or later].txt as well.
http://i.imgur.com/r3PoAEG.gif

Step 2: Run Malwarebytes Junkware Removal Tool
http://www.softpedia.com/get/Securi...
http://www.bleepingcomputer.com/dow...
http://thisisudax.org/
http://thisisudax.blogspot.com.au/2...
Download Malwarebytes Junkware Removal Tool onto your Desktop. If your default download location is not the Desktop, drag it out of its location onto the Desktop.
Warning! Once the scan is complete JRT will shut down your browser with NO warning.
Shut down your protection software now to avoid potential conflicts.
Temporarily disable your antivirus and any antispyware real time protection before performing a scan.
Click this link to see a list of security programs that should be disabled and how to disable them.
http://www.bleepingcomputer.com/for...
http://www.techsupportforum.com/for...
Run the tool by double-clicking it. If you are using Windows Vista or Windows 7/8, right-click JRT and select Run as Administrator.
The tool will open and start scanning your system.
Please be patient as this can take a while to complete depending on your system's specifications.
On completion, a log (JRT.txt) is saved onto your Desktop and will automatically open.
Copy and Paste the contents of the JRT.txt log please.



#23
February 4, 2017 at 03:10:41
This is the AdwCleaner log:
# AdwCleaner v6.043 - Logfile created 04/02/2017 at 18:04:00
# Updated on 27/01/2017 by Malwarebytes
# Database : 2017-02-03.2 [Server]
# Operating System : Windows 7 Professional Service Pack 1 (X86)
# Username : Ninh - NINH-PC
# Running from : C:\Users\Ninh\Downloads\adwcleaner_6.043.exe
# Mode: Clean
# Support : https://www.malwarebytes.com/support

***** [ Services ] *****

***** [ Folders ] *****

***** [ Files ] *****

***** [ DLL ] *****

***** [ WMI ] *****

***** [ Shortcuts ] *****

***** [ Scheduled Tasks ] *****

***** [ Registry ] *****

***** [ Web browsers ] *****

[-] [C:\Users\Ninh\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Deleted: aol.com
[-] [C:\Users\Ninh\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Deleted: ask.com


*************************

:: "Tracing" keys deleted
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C0].txt - [992 Bytes] - [04/02/2017 18:04:00]
C:\AdwCleaner\AdwCleaner[S0].txt - [1316 Bytes] - [04/02/2017 18:03:54]

########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt - [1137 Bytes] ##########



#24
February 4, 2017 at 03:11:57
And this is JRT log:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.1.0 (12.05.2016)
Operating System: Windows 7 Professional x86
Ran by Ninh (Administrator) on 04/02/2017 at 18:05:33,11
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


File System: 9

Successfully deleted: C:\ProgramData\productdata (Folder)
Successfully deleted: C:\Users\Ninh\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K6Q0JCKC (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Ninh\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MRZUDULC (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Ninh\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\V3GVZ9Y1 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Ninh\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YX1YR0IE (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K6Q0JCKC (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MRZUDULC (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\V3GVZ9Y1 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YX1YR0IE (Temporary Internet Files Folder)

Registry: 1

Successfully deleted: HKLM\Software\Microsoft\Internet Explorer\Search\\SearchAssistant (Registry Value)


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 04/02/2017 at 18:07:02,74
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I just noticed that there are many files coming back to my computer (all became hidden files). What should I do with them?



#25
February 4, 2017 at 03:36:01
Nearly finished.

Run Malwarebytes, Copy & Paste the contents of the log in your next reply.



#26
February 4, 2017 at 03:40:24
"I just noticed that there are many files coming back to my computer (all became hidden files). What should I do with them?"
Doesn't sound good, let's see what Malwarebytes tells us.


#27
February 4, 2017 at 19:19:54
Do I have to run a full scan, or a threat scan only?


#28
February 4, 2017 at 19:48:43
Threat scan.

Click the Settings tab at the top, and then in the left column, select Detections and Protections, and if not already checked place a checkmark in the selection box to Scan for rootkits.
http://i.imgur.com/dZgt1g2.gif



#29
February 4, 2017 at 21:32:08
OK here is the log:
Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 2/5/17
Scan Time: 12:20 PM
Logfile:
Administrator: Yes

-Software Information-
Version: 3.0.6.1469
Components Version: 1.0.50
Update Package Version: 1.0.1183
License: Free

-System Information-
OS: Windows 7 Service Pack 1
CPU: x86
File System: NTFS
User: Ninh-PC\Ninh

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 275963
Time Elapsed: 7 min, 34 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 1
Hijack.UserInit, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON|USERINIT, Replace-on-Reboot, [631], [292476],1.0.1183

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 1
Backdoor.Agent.E, C:\PROGRAM FILES\MICROSOFT\DESKTOPLAYER.EXE, Delete-on-Reboot, [205], [363833],1.0.1183

Physical Sector: 0
(No malicious items detected)


(end)

I have quarantined that DesktopLayer virus for like 3-4 times but now MBAM detected it again... So frustrated



#30
February 4, 2017 at 21:42:26
"DESKTOPLAYER.EXE"
Have a look in add/remove & Task Manager.
Is it listed there?


#31
February 4, 2017 at 22:37:03
It seems not to appear in add/remove and Task Manager.
The only thing that I see suspicious is the iexplore.exe (Internet Explorer) running every time I start Windows.
Here is the list of add/remove and Task Manager if you want to check it again:
http://i.imgur.com/e3RhbnI.png
http://i.imgur.com/WgYNaEL.png
http://i.imgur.com/ALzWTBk.png
http://i.imgur.com/JWVmZKJ.png


#32
February 4, 2017 at 22:48:43
Thanks..

Please go to http://virscan.org/

Navigate the following file path into the "Suspicious files to scan" box on the top of the page:

C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\svchost.exe

Click on the Upload button.
If a pop-up appears saying the file has been scanned already, please select the ReScan button.
Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
Paste the contents of the Clipboard in your next reply.


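Post #32 has the five core Windows binaries uploaded to a multi-engine scanner one by one. A local companion to that step, shown here as an added example that is not from the thread or from any tool named in it, is to hash the same files so that a report can be looked up by hash instead of re-uploading, and to keep a baseline so a later run shows which of them changed. The paths are the ones the post lists; the baseline file name, the sample files the demo builds, and the decision to include MD5 alongside SHA-256 are assumptions for the example (MD5 is included because the Stinger log earlier in the thread names detections by an MD5 prefix, e.g. Artemis!1E540048427C for MD5 1e540048427c...). On a non-Windows host the real paths simply show as unreadable, which the code tolerates.

```python
"""Hash inventory of the core Windows binaries listed in post #32, plus a
comparison against a baseline taken earlier.  Added example, not from the
thread; paths are the ones the post names, everything else is assumed."""
import hashlib
import json
import os
import tempfile

CORE_BINARIES = [
    r"C:\WINDOWS\explorer.exe",
    r"C:\WINDOWS\system32\lsass.exe",
    r"C:\WINDOWS\system32\services.exe",
    r"C:\WINDOWS\system32\winlogon.exe",
    r"C:\WINDOWS\system32\svchost.exe",
]
BASELINE_FILE = "core_binaries_baseline.json"   # assumed name


def file_digests(path):
    """SHA-256 and MD5 of one file, read in 1 MiB chunks."""
    sha, md5 = hashlib.sha256(), hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            sha.update(chunk)
            md5.update(chunk)
    return {"sha256": sha.hexdigest(), "md5": md5.hexdigest()}


def inventory(paths):
    """{path: digests} for readable files, {path: None} for missing/locked ones."""
    out = {}
    for p in paths:
        try:
            out[p] = file_digests(p)
        except OSError:
            out[p] = None
    return out


def compare(baseline, current):
    """Classify each path as 'same', 'changed', 'missing' or 'new' vs. baseline."""
    verdict = {}
    for p in sorted(set(baseline) | set(current)):
        b, c = baseline.get(p), current.get(p)
        if p not in baseline:
            verdict[p] = "new"
        elif b == c:
            verdict[p] = "same"
        elif c is None:
            verdict[p] = "missing"
        else:
            verdict[p] = "changed"
    return verdict


def save_baseline(inv, path=BASELINE_FILE):
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(inv, fh, indent=2)


def load_baseline(path=BASELINE_FILE):
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


def demo():
    """Constructed demo: baseline two files, then alter one, delete one, add one."""
    with tempfile.TemporaryDirectory() as tmp:
        a, b, c = (os.path.join(tmp, n) for n in ("a.exe", "b.exe", "c.exe"))
        for p in (a, b):
            with open(p, "wb") as fh:
                fh.write(b"MZ original " + os.path.basename(p).encode())
        baseline = inventory([a, b])
        with open(b, "ab") as fh:            # simulate a modified binary
            fh.write(b"\x00appended data\x00")
        os.remove(a)                          # simulate a removed binary
        with open(c, "wb") as fh:             # a file absent from the baseline
            fh.write(b"MZ new")
        current = inventory([a, b, c])
        return {os.path.basename(p): v for p, v in compare(baseline, current).items()}


if __name__ == "__main__":
    current = inventory(CORE_BINARIES)
    if os.path.exists(BASELINE_FILE):
        for path, verdict in compare(load_baseline(), current).items():
            print(f"{verdict:8} {path}")
    else:
        save_baseline(current)
        print(f"baseline written to {BASELINE_FILE}")
```

Take the baseline from a known-good state (right after a clean install, or from the same OS build on a clean machine) rather than from the suspect system itself; a baseline recorded on an already-infected host only tells you whether things changed further.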

#33
February 5, 2017 at 02:11:53
http://r.virscan.org/report/cc46e51... (explorer.exe)
http://r.virscan.org/report/2888d9b... (lsass.exe)
http://r.virscan.org/report/1903461... (services.exe)
http://r.virscan.org/report/d6d3ee5... (winlogon.exe)
http://r.virscan.org/report/5e8ccfa... (svchost.exe)
I don't know why the box on the top always shows : C:\fakepath\.exe instead of C:\Windows\System32\.exe


#34
February 5, 2017 at 07:32:14
"C:\fakepath\.exe"
Something is going on, don't know what yet.

If you are still online, let me know, otherwise I'm going to bed soon.
I'm here.
https://www.timeanddate.com/worldcl...

Run Combofix again. This time in Safe Mode. Log please.


After you give me the Combofix log, download Dr.Web CureIt and save it to your desktop.
http://www.freedrweb.com/cureit//?l...
DO NOT perform a scan yet.
Alternate download link
http://download.cnet.com/Dr-Web-Cur...
Note: The file will be randomly named (i.e. 5mkuvc4z.exe).

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:

Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
The Express scan will automatically begin.
(This is a short scan of files currently running in memory, boot sectors, and targeted folders).
If prompted to download the Full version Free Trial, ignore and click the X to close the window.
If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)

After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
Please be patient as this scan could take a long time to complete.
When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
Click Select All, then choose Cure > Move incurable.
In the top menu, click file and choose save report list.
Save the DrWeb.csv report to your desktop.
Exit Dr.Web Cureit when done.
Important! Reboot your computer into normal mode, because it could be possible that files in use will be moved/deleted during reboot.
After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)



#35
February 5, 2017 at 20:29:08
First, here is the ComboFix log. The next task you asked me to do may take me some time because I don't have much time. So generally I will reply to you later, sorry for that inconvenience.
ComboFix 17-01-29.01 - Ninh 06/02/2017 11:16:19.5.4 - x86 MINIMAL
Microsoft Windows 7 Professional 6.1.7601.1.1258.84.1033.18.1982.1213 [GMT 7:00]
Running from: c:\users\Ninh\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Internet Explorer\dmlconf.dat
c:\program files\Microsoft\DesktopLayer.exe
c:\programdata\ntuser.pol
.
.
((((((((((((((((((((((((( Files Created from 2017-01-06 to 2017-02-06 )))))))))))))))))))))))))))))))
.
.
2017-02-06 04:20 . 2017-02-06 04:20 -------- d-----w- c:\users\Ninh\AppData\Local\temp
2017-02-06 04:20 . 2017-02-06 04:20 -------- d-----w- c:\users\Default\AppData\Local\temp
2017-02-04 12:31 . 2017-02-05 06:18 -------- d-----w- c:\programdata\ProductData
2017-02-04 11:02 . 2017-02-04 11:04 -------- d-----w- C:\AdwCleaner
2017-02-03 16:25 . 2017-02-03 16:25 62576 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{5053D286-6267-47D9-B9B4-DFD2A587FAE2}\offreg.528.dll
2017-02-03 13:11 . 2017-02-04 02:43 -------- d-----w- C:\FRST
2017-02-03 12:03 . 2017-02-03 12:03 -------- d-----w- C:\Quarantine
2017-02-03 12:03 . 2017-02-03 12:03 -------- d-----w- c:\program files\McAfee
2017-02-02 11:17 . 2017-02-02 11:17 -------- d-----w- c:\users\Ninh\AppData\Roaming\Curiolab
2017-02-02 04:00 . 2017-02-02 04:02 -------- d-----w- c:\users\Ninh\AppData\Local\chromium
2017-02-02 03:58 . 2017-02-02 11:08 -------- d-----w- c:\users\Ninh\AppData\Local\{8FD4B988-AB7C-D530-C6E4-F0D8E28C0C40}
2017-02-01 17:00 . 2017-02-01 19:54 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
2017-01-30 04:08 . 2017-01-30 04:28 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)
2017-01-29 13:04 . 2017-01-30 04:07 94936 ----a-w- c:\windows\system32\drivers\MBAMChameleon.sys
2017-01-29 13:04 . 2017-01-29 13:04 94656 ----a-w- c:\windows\system32\drivers\farflt.sys
2017-01-29 13:04 . 2017-01-29 13:04 63264 ----a-w- c:\windows\system32\drivers\mwac.sys
2017-01-29 13:04 . 2017-01-29 13:04 39360 ----a-w- c:\windows\system32\drivers\mbam.sys
2017-01-29 13:04 . 2017-02-05 06:18 219584 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2017-01-29 13:04 . 2017-01-20 00:47 59976 ----a-w- c:\windows\system32\drivers\mbae.sys
2017-01-29 13:04 . 2017-01-30 04:09 -------- d-----w- c:\programdata\Malwarebytes
2017-01-29 13:04 . 2017-01-29 13:04 -------- d-----w- c:\program files\Malwarebytes
2017-01-28 08:49 . 2017-01-28 08:49 -------- d-----w- c:\users\Ninh\AppData\Local\ESET
2017-01-27 12:55 . 2017-02-02 11:56 -------- d-----w- c:\program files\Cheat Engine 6.6
2017-01-27 03:34 . 2009-09-08 02:38 8192 --sha-r- C:\Hiren.bin
2017-01-27 03:34 . 2009-09-08 02:34 140800 --sha-r- C:\Hiren.sys
2017-01-22 09:44 . 2017-01-22 09:44 -------- d-----w- c:\users\Ninh\AppData\Local\BMExplorer
2017-01-22 08:57 . 2017-01-22 08:57 -------- d-----w- c:\programdata\Steam
2017-01-19 15:33 . 2016-12-30 22:26 9561744 ------w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{5053D286-6267-47D9-B9B4-DFD2A587FAE2}\mpengine.dll
2017-01-18 02:39 . 2017-01-13 13:56 23040 ------w- c:\windows\system32\drivers\tap0901.sys
2017-01-16 14:42 . 2017-01-16 14:42 -------- d-----w- c:\users\Ninh\AppData\Local\Rockstar Games
2017-01-16 13:33 . 2017-01-27 03:43 -------- d-----w- c:\program files\Rockstar Games
2017-01-13 15:55 . 2017-02-03 03:25 -------- d-----w- c:\users\Ninh\AppData\Local\CrashDumps
2017-01-13 02:30 . 2017-01-13 02:30 -------- d-----w- c:\users\Ninh\AppData\Roaming\Atheros
2017-01-12 15:40 . 2017-01-12 15:43 -------- d-----w- c:\program files\Common Files\QCA_Bluetooth
2017-01-12 15:40 . 2017-01-28 07:46 -------- d-----w- c:\program files\Bluetooth Suite
2017-01-12 15:39 . 2017-01-12 15:39 -------- d-----w- c:\program files\Common Files\Atheros
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2017-01-04 03:55 . 2017-01-04 03:55 107888 ------w- c:\windows\system32\CmdLineExt.dll
2017-01-03 13:38 . 2016-12-22 18:34 8107 ------w- c:\windows\w7dsd.reg
2017-01-03 13:38 . 2016-12-22 18:34 8089 ------w- c:\windows\w7dse.reg
2016-12-31 15:48 . 2009-07-14 02:05 157696 ------w- c:\windows\system32\msclmd.dll
2016-12-27 03:14 . 2016-12-27 03:01 112928 ------w- c:\windows\system32\C
2016-12-26 16:31 . 2016-12-26 16:31 28991 ------w- c:\programdata\agent.1482769889.bdinstall.bin
2016-12-26 15:16 . 2016-12-26 15:16 45746 ------w- c:\programdata\agent.1482765376.bdinstall.bin
2016-12-25 13:24 . 2016-12-25 13:21 10811392 ------w- c:\windows\system32\ig4icd32.dll
2016-12-25 13:22 . 2016-12-23 02:17 11245520 ------w- c:\windows\system32\igd10umd32.dll
2016-12-25 13:21 . 2016-12-25 13:21 9728 ------w- c:\windows\system32\IGFXDEVLib.dll
2016-12-25 13:21 . 2016-12-25 13:21 6233192 ------w- c:\windows\system32\GfxUI.exe
2016-12-25 13:21 . 2016-12-25 13:21 175616 ------w- c:\windows\system32\gfxSrvc.dll
2016-12-25 13:20 . 2016-12-25 13:20 435712 ------w- c:\windows\system32\igfxrtrk.lrc
2016-12-25 13:20 . 2016-12-25 13:20 436224 ------w- c:\windows\system32\igfxrhun.lrc
2016-12-25 13:20 . 2016-12-25 13:20 438272 ------w- c:\windows\system32\igfxrell.lrc
2016-12-25 13:20 . 2016-12-25 13:20 436224 ------w- c:\windows\system32\igfxrcsy.lrc
2016-12-25 13:20 . 2016-12-25 13:20 435200 ------w- c:\windows\system32\igfxrtha.lrc
2016-12-25 13:20 . 2016-12-25 13:20 435712 ------w- c:\windows\system32\igfxrsve.lrc
2016-12-25 13:20 . 2016-12-25 13:20 435712 ------w- c:\windows\system32\igfxrslv.lrc
2016-12-25 13:20 . 2016-12-25 13:20 436736 ------w- c:\windows\system32\igfxrsky.lrc
2016-12-25 13:20 . 2016-12-25 13:20 437248 ------w- c:\windows\system32\igfxrrom.lrc
2016-12-25 13:20 . 2016-12-25 13:20 437248 ------w- c:\windows\system32\igfxrrus.lrc
2016-12-25 13:20 . 2016-12-25 13:19 9023488 ------w- c:\windows\system32\igfxress.dll
2016-12-25 13:20 . 2016-12-25 13:19 286208 ------w- c:\windows\system32\igfxTMM.dll
2016-12-25 13:20 . 2016-12-25 13:19 130048 ------w- c:\windows\system32\igfxdo.dll
2016-12-25 13:20 . 2016-12-25 13:19 330752 ------w- c:\windows\system32\igfxdev.dll
2016-12-25 13:20 . 2016-12-25 13:19 313344 ------w- c:\windows\system32\igfxpph.dll
2016-12-25 13:20 . 2016-12-25 13:19 96256 ------w- c:\windows\system32\hccutils.dll
2016-12-25 13:20 . 2016-12-25 13:19 81408 ------w- c:\windows\system32\igdde32.dll
2016-12-25 13:20 . 2016-12-25 13:18 542720 ------w- c:\windows\system32\igfx11cmrt32.dll
2016-12-25 13:20 . 2016-12-25 13:18 94208 ------w- c:\windows\system32\IccLibDll.dll
2016-12-25 13:20 . 2016-12-25 13:18 102400 ------w- c:\windows\system32\igfxCoIn_v4229.dll
2016-12-25 13:20 . 2016-12-25 13:20 436736 ------w- c:\windows\system32\igfxrptg.lrc
2016-12-25 13:20 . 2016-12-25 13:20 435712 ------w- c:\windows\system32\igfxrptb.lrc
2016-12-25 13:20 . 2016-12-25 13:20 436736 ------w- c:\windows\system32\igfxrplk.lrc
2016-12-25 13:20 . 2016-12-25 13:20 435712 ------w- c:\windows\system32\igfxrnor.lrc
2016-12-25 13:20 . 2016-12-25 13:20 436736 ------w- c:\windows\system32\igfxrnld.lrc
2016-12-25 13:20 . 2016-12-25 13:20 429056 ------w- c:\windows\system32\igfxrkor.lrc
2016-12-25 13:20 . 2016-12-25 13:20 430080 ------w- c:\windows\system32\igfxrjpn.lrc
2016-12-25 13:20 . 2016-12-25 13:20 436736 ------w- c:\windows\system32\igfxrita.lrc
2016-12-25 13:20 . 2016-12-25 13:20 436736 ------w- c:\windows\system32\igfxrhrv.lrc
2016-12-25 13:20 . 2016-12-25 13:20 433664 ------w- c:\windows\system32\igfxrheb.lrc
2016-12-25 13:20 . 2016-12-25 13:19 437760 ------w- c:\windows\system32\igfxrfra.lrc
2016-12-25 13:19 . 2016-12-25 13:19 436224 ------w- c:\windows\system32\igfxrfin.lrc
2016-12-25 13:19 . 2016-12-25 13:19 437760 ------w- c:\windows\system32\igfxresn.lrc
2016-12-25 13:19 . 2016-12-25 13:19 284160 ------w- c:\windows\system32\igfxrenu.lrc
2016-12-25 13:19 . 2016-12-25 13:19 436736 ------w- c:\windows\system32\igfxrdeu.lrc
2016-12-25 13:19 . 2016-12-25 13:19 435200 ------w- c:\windows\system32\igfxrdan.lrc
2016-12-25 13:19 . 2016-12-25 13:19 427008 ------w- c:\windows\system32\igfxrcht.lrc
2016-12-25 13:19 . 2016-12-25 13:19 426496 ------w- c:\windows\system32\igfxrchs.lrc
2016-12-25 13:19 . 2016-12-25 13:19 433664 ------w- c:\windows\system32\igfxrara.lrc
2016-12-25 13:19 . 2016-12-25 13:19 28352 ------w- c:\windows\system32\igfxexps.dll
2016-12-25 13:19 . 2016-12-25 13:19 200808 ------w- c:\windows\system32\igfxext.exe
2016-12-25 13:19 . 2016-12-25 13:19 191592 ------w- c:\windows\system32\igfxpers.exe
2016-12-25 13:19 . 2016-12-25 13:19 182888 ------w- c:\windows\system32\hkcmd.exe
2016-12-25 13:19 . 2016-12-25 13:19 147560 ------w- c:\windows\system32\igfxtray.exe
2016-12-25 13:19 . 2016-12-25 13:19 120320 ------w- c:\windows\system32\igfxcpl.cpl
2016-12-25 13:19 . 2016-12-25 13:19 273512 ------w- c:\windows\system32\igfxsrvc.exe
2016-12-25 13:19 . 2016-12-25 13:19 59904 ------w- c:\windows\system32\igfxsrvc.dll
2016-12-25 13:19 . 2016-12-25 13:19 280680 ------w- c:\windows\system32\IntelCpHeciSvc.exe
2016-12-25 13:19 . 2016-12-25 13:19 525800 ------w- c:\windows\system32\iglhsip32.dll
2016-12-25 13:19 . 2016-12-25 13:19 184352 ------w- c:\windows\system32\iglhcp32.dll
2016-12-25 13:18 . 2016-12-25 13:18 3121152 ------w- c:\windows\system32\igfxcmjit32.dll
2016-12-25 13:18 . 2016-12-25 13:18 940360 ------w- c:\windows\system32\igfxcmrt32.dll
2016-12-25 13:18 . 2016-12-23 02:17 11117808 ------w- c:\windows\system32\igdumd32.dll
2016-12-25 13:18 . 2016-12-25 13:17 3780024 ------w- c:\windows\system32\drivers\igdkmd32.sys
2016-12-25 13:17 . 2016-12-25 13:17 3374096 ------w- c:\windows\system32\drivers\athr.sys
2016-12-23 02:34 . 2016-12-23 02:34 802904 ------w- c:\windows\system32\FlashPlayerApp.exe
2016-12-23 02:34 . 2016-12-23 02:34 144472 ------w- c:\windows\system32\FlashPlayerCPLApp.cpl
2016-12-23 02:28 . 2016-12-23 02:28 85616 ------w- c:\windows\system32\RtNicProp32.dll
2016-12-23 02:28 . 2016-12-23 02:28 777736 ------w- c:\windows\system32\drivers\Rt86win7.sys
2016-12-23 02:28 . 2016-12-22 17:35 109648 ------w- c:\windows\system32\RTNUninst32.dll
2016-12-23 02:27 . 2016-12-23 02:27 47504 ------w- c:\windows\system32\drivers\btcusb.sys
2016-12-23 02:27 . 2016-12-23 02:27 21496 ------w- c:\windows\system32\btinstall.dll
2016-12-23 02:27 . 2016-12-23 02:27 411232 ------w- c:\windows\system32\rsnp2uvc.dll
2016-12-23 02:27 . 2016-12-23 02:27 35432 ------w- c:\windows\snuvcdsm.exe
2016-12-23 02:27 . 2016-12-23 02:27 319072 ------w- c:\windows\system32\vsnp2uvc.dll
2016-12-23 02:27 . 2016-12-23 02:27 2462048 ------w- c:\windows\system32\drivers\snp2uvc.sys
2016-12-23 02:27 . 2016-12-23 02:27 228960 ------w- c:\windows\system32\csnp2uvc.dll
2016-12-23 02:25 . 2016-12-23 02:25 368912 ----a-w- c:\windows\system32\drivers\IntcDAud.sys
2016-12-23 02:19 . 2016-12-23 02:19 851176 ------w- c:\windows\system32\WinUSBCoInstaller2.dll
2016-12-23 02:19 . 2016-12-23 02:19 1629040 ------w- c:\windows\system32\WdfCoInstaller01011.dll
2016-12-23 02:18 . 2016-12-23 02:18 148720 ------w- c:\windows\system32\drivers\jmcr.sys
2016-12-23 02:17 . 2016-12-23 02:17 102400 ------w- c:\windows\system32\igfxCoIn_v2963.dll
2016-12-23 02:15 . 2016-12-23 02:15 452096 ------w- c:\windows\system32\drivers\stwrt.sys
2016-12-23 02:15 . 2016-12-23 01:18 1667164 ------w- c:\windows\sttray.exe
2016-12-23 02:15 . 2016-12-23 02:15 548352 ------w- c:\windows\system32\stapi32.dll
2016-12-23 02:15 . 2016-12-23 02:15 454656 ------w- c:\windows\system32\stcplx.dll
2016-12-23 02:15 . 2016-12-23 02:15 211968 ------w- c:\windows\system32\st326433.dll
2016-12-23 02:15 . 2016-12-23 02:15 1459712 ------w- c:\windows\system32\stapo.dll
2016-12-23 02:15 . 2016-12-23 01:18 8013312 ------w- c:\windows\system32\IDTNHP.dll
2016-12-23 02:15 . 2016-12-23 01:18 253952 ------w- c:\windows\system32\IDTNJ.exe
2016-12-23 02:15 . 2016-12-23 01:18 2216448 ------w- c:\windows\system32\IDTNX.dll
2016-12-23 02:15 . 2016-12-23 01:18 8003072 ------w- c:\windows\system32\IDTNGUI.exe
2016-12-23 02:15 . 2016-12-23 01:18 6111232 ------w- c:\windows\system32\stlang.dll
2016-12-23 02:15 . 2016-12-23 01:18 1785344 ------w- c:\windows\system32\IDTNCPL.cpl
2016-12-23 02:15 . 2016-12-23 01:18 68192 ------w- c:\windows\system32\aestaren.dll
2016-12-23 02:15 . 2016-12-23 01:18 380928 ------w- c:\windows\system32\aestecap.dll
2016-12-23 02:15 . 2016-12-23 01:18 175104 ------w- c:\windows\system32\HPToneCtrls32.dll
2016-12-23 02:15 . 2016-12-23 01:18 174688 ------w- c:\windows\system32\aestacap.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\ IDM Shell Extension]
@="{CDC95B92-E27C-4745-A8C5-64A52A78855D}"
[HKEY_CLASSES_ROOT\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}]
2015-08-14 14:52 23520 ------w- c:\program files\Internet Download Manager\IDMShellExt.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UniKey"="c:\users\Ninh\Downloads\UniKey\UniKeyNT.exe" [2006-04-18 217088]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"RealProtect"="c:\program files\McAfee\Real Protect\RealProtect.exe" [2017-02-03 5496992]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"DisableCAD"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSimpleNetIDList"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SmartDefragBootTime.exe
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMService]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Advanced SystemCare 10]
2016-12-17 01:05 2913568 ------w- c:\program files\IObit\Advanced SystemCare\ASCTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCSSync]
2010-03-13 22:54 91520 ------w- c:\program files\Microsoft Office\Office14\BCSSync.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GarenaPlus]
2016-12-21 17:47 9136168 ----a-w- d:\lienminhhuyenthoai\GameData\GarenaMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2016-12-25 13:19 182888 ------w- c:\windows\System32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDMan]
2016-12-15 11:50 4001848 ------w- c:\program files\Internet Download Manager\IDMan.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2016-12-25 13:19 147560 ------w- c:\windows\System32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2016-12-25 13:19 191592 ------w- c:\windows\System32\igfxpers.exe
.
R1 HWiNFO32;HWiNFO32/64 Kernel Driver;c:\windows\system32\drivers\HWiNFO32.SYS [2016-12-23 23840]
R2 DiagTrack;Diagnostics Tracking Service;c:\windows\System32\svchost.exe [2016-03-25 21504]
R2 IDMWFP;IDMWFP;c:\windows\system32\DRIVERS\idmwfp.sys [2016-10-17 147120]
R2 SynTPEnhService;SynTPEnh Caller Service;c:\program files\Synaptics\SynTP\SynTPEnhService.exe [2016-01-08 217192]
R3 AtherosSvc;AtherosSvc;c:\program files\Bluetooth Suite\adminservice.exe [2013-10-29 274560]
R3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudbus.sys [2016-07-22 107648]
R3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2010-11-20 62464]
R3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2016-12-23 368912]
R3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys [2016-12-23 148720]
R3 MBAMService;Malwarebytes Service;c:\program files\Malwarebytes\Anti-Malware\mbamservice.exe [2017-01-20 3303888]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2016-12-23 777736]
R3 ss_conn_service;SAMSUNG Mobile Connectivity Service;c:\program files\Samsung\USB Drivers\27_ssconn\conn\ss_conn_service.exe [2016-07-22 754784]
R3 ssudmdm;SAMSUNG Mobile USB Modem Drivers (DEVGURU Ver.);c:\windows\system32\DRIVERS\ssudmdm.sys [2016-07-22 146048]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 27264]
R3 WiaRpc;Still Image Acquisition Events;c:\windows\system32\svchost.exe [2016-03-25 21504]
R4 AdvancedSystemCareService10;Advanced SystemCare Service 10;c:\program files\IObit\Advanced SystemCare\ASCService.exe [2016-12-12 462624]
R4 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [2016-12-23 27968]
R4 vcsFPService;Validity VCS Fingerprint Service;c:\windows\system32\vcsFPService.exe [2013-09-11 2741648]
S0 SmartDefragDriver;SmartDefragDriver;c:\windows\System32\Drivers\SmartDefragDriver.sys [2016-03-22 18800]
S3 BTATH_BUS;Qualcomm Atheros Bluetooth Bus;c:\windows\system32\DRIVERS\btath_bus.sys [2013-10-29 27976]
S3 MEI;Intel(R) Management Engine Interface ;c:\windows\system32\DRIVERS\TeeDriver.sys [2016-03-28 157752]
S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\DRIVERS\nusb3hub.sys [2012-05-10 76800]
S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\DRIVERS\nusb3xhc.sys [2016-12-23 169472]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr FontCache fdrespub AppIDSvc QWAVE wcncsvc Mcx2Svc SensrSvc
utcsvc REG_MULTI_SZ DiagTrack
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - LocalSystemNetworkRestricted
WiaRpc
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2016-12-22 16:53 1384792 ------w- c:\program files\Google\Chrome\Application\55.0.2883.87\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2017-02-06 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2016-12-23 02:34]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = about:blank
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = 70.248.28.23:800
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{C433AD85-A549-4FD9-8BAC-6A7FA5510E95}: NameServer = 8.8.8.8,8.8.4.4
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-4136066922-3396348503-4065548720-1000\Software\SecuROM\License information*]
"datasecu"=hex:d0,ce,0f,32,26,40,86,16,8c,ba,26,81,1f,12,2f,50,86,fa,d1,29,13,
8a,f5,fc,56,e4,e0,eb,d4,1a,8c,2a,3b,92,89,f7,30,54,4d,ea,14,0f,0f,0d,6b,f1,\
"rkeysecu"=hex:33,fd,0d,c3,5f,00,af,1b,d8,53,c2,ff,17,15,38,a8
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_24_0_0_186_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil32_24_0_0_186_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2017-02-06 11:22:01
ComboFix-quarantined-files.txt 2017-02-06 04:22
ComboFix2.txt 2017-02-03 02:55
.
Pre-Run: 46.239.416.320 bytes free
Post-Run: 45.885.071.360 bytes free
.
- - End Of File - - 50E60E9B34E0639E16D91229877ED6A5
A36C5E4F47E84449FF07ED3517B43A31
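An added triage helper, written for this thread and not part of ComboFix or any other tool mentioned here, that reads a ComboFix-style log for the two findings the helper acts on in the log above: the UAC policy values under policies\system and the proxy server in the Supplementary Scan. The sample input is constructed from lines of the #35 log; the expected values are Windows 7's defaults.

```python
"""Triage a ComboFix-style log for weakened UAC policy and a configured proxy.

Added example for this thread; not ComboFix's own code. The sample below is
constructed from lines of the #35 log.
"""
import re

# Constructed sample: lines in the same shape as the ComboFix log above.
SAMPLE_LOG = """\
[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentversion\\policies\\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"DisableCAD"= 1 (0x1)
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = 70.248.28.23:800
TCP: DhcpNameServer = 192.168.1.1
"""

# Windows 7 defaults; any other value is reported as weakened.
EXPECTED_UAC = {
    "EnableLUA": 1,                    # 0 turns UAC off entirely
    "ConsentPromptBehaviorAdmin": 5,   # 0 elevates silently, no prompt at all
    "PromptOnSecureDesktop": 1,        # 0 shows the prompt on the normal desktop
}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<val>-?\d+)')
PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer\s*=\s*(?P<proxy>\S+)")


def parse_uac_policy(log_text):
    """Return {name: int} for the policies\\system block, or {} if absent."""
    in_block = False
    values = {}
    for line in log_text.splitlines():
        m = KEY_RE.match(line)
        if m:
            # A new registry key header: we only care about ...\policies\system
            in_block = m.group("key").lower().endswith("\\policies\\system")
            continue
        if in_block:
            v = VALUE_RE.match(line)
            if v:
                values[v.group("name")] = int(v.group("val"))
            elif line.strip() == ".":
                # ComboFix separates blocks with a lone "."
                in_block = False
    return values


def parse_proxy(log_text):
    """Return the ProxyServer value from the Supplementary Scan, or None."""
    for line in log_text.splitlines():
        m = PROXY_RE.match(line)
        if m:
            return m.group("proxy")
    return None


def triage(log_text):
    """List human-readable findings: weakened UAC values and any proxy set."""
    findings = []
    uac = parse_uac_policy(log_text)
    for name, expected in EXPECTED_UAC.items():
        actual = uac.get(name)
        if actual is not None and actual != expected:
            findings.append(f"UAC weakened: {name}={actual} (default {expected})")
    proxy = parse_proxy(log_text)
    if proxy:
        findings.append(f"Proxy configured: {proxy} (verify it is yours)")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```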


#36
February 5, 2017 at 20:55:42
"I don't have much time"
No problem, everybody seems to be in the same boat.


#37
February 6, 2017 at 07:55:34
Wait up am I supposed to run DrWeb in Normal Mode or Safe Mode?


#38
February 6, 2017 at 14:44:21
Safe, as per previous instructions.

"download Dr.Web CureIt and save it to your desktop.
http://www.freedrweb.com/cureit//?l...
DO NOT perform a scan yet.
Alternate download link
http://download.cnet.com/Dr-Web-Cur...
Note: The file will be randomly named (i.e. 5mkuvc4z.exe).

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:"



#39
February 6, 2017 at 20:16:55
Here is the log, it's even bigger than the first log of ESET: http://www.fileconvoy.com/dfl.php?i...
During the scan, I made a mistake by clicking the taskbar. It disappeared and so did all the icons. All I had left were the scanning progress and a black screen. So, after the scan had finished, I couldn't turn off my computer. I couldn't open Task Manager with the combination Ctrl + Alt + Delete or Ctrl + Alt + Esc. So generally I couldn't do anything with the keyboard to get the computer shut down. So I had to force it. Don't know if it affects anything...
Anyways, please check out the log.


#40
February 7, 2017 at 00:12:57
"Don't know if it affects anything..."
Me either.

What issues are you having now?
We may have more layers to uncover.



#41
February 7, 2017 at 04:45:30
Thanks for asking. My only issue is the viruses. After seeing your question, I did a quick threat scan with MBAM, and the result was good: no virus was found, not even the DesktopLayer.exe. Now the only thing I have to do is reinstall some things that were removed because they were infected. So if you think there are still viruses on my computer, give me a solution :)


#42
February 7, 2017 at 04:55:16
"So if you think there are still viruses on my computer, give me a solution :)"
To make sure you are not, I think it will be best to run a couple more tests.

Run Dr.Web CureIt in Safe mode again.

Log please.

message edited by Johnw



#43
February 8, 2017 at 04:25:40
I did a full scan, and here is the log: http://www.fileconvoy.com/dfl.php?i...
It's good to see "No threat was found" after a long hard time...


#44
February 8, 2017 at 04:46:03
The Ramnit virus is one of the hardest to remove, it keeps reinfecting after removal. Leave one little file & it starts over.

What is "D" drive?
What is "E" drive?
A partition, a backup drive, thumb drive or other.



#45
February 8, 2017 at 20:18:39
They are all partitions... I don't know if it's correct, but when I bought this computer, it already had three partitions like that... I just use it.


#46
February 8, 2017 at 20:27:59
"They are all partition"

They are both still infected. I would right click on "D" & "E" drive ( Using Windows Explorer ) & select Format, you will lose everything.

Run Dr.Web CureIt again in Safe mode. Log please.

Total 136616736764 bytes in 131495 files scanned (202816 objects)
Total 130420 files (201718 objects) are clean
Total 1016 files are infected
Total 79 files are raised error condition
Scan time is 00:56:41.284

Total 136616736764 bytes in 131495 files scanned (202816 objects)
Total 130420 files (201718 objects) are clean
Total 1016 files are infected
Total 1015 files are neutralized
Total 80 files (79 objects) are raised error condition
Scan time is 00:56:41.284

message edited by Johnw



#47
February 10, 2017 at 05:06:23
Here is the log: http://www.fileconvoy.com/dfl.php?i...
If there is no other way, I'm willing to format D: and E: :)
The only problem I have now is all the hidden files. They seem to be files that were quarantined and then came back as hidden system files. There seem to be a lot of them, so I can't manually delete all of them...


#48
February 10, 2017 at 06:01:43
"I'm willing to format D: and E: :)"
Do it please, then do a new log & then we can deal with the hidden files.


#49
February 10, 2017 at 19:52:59
Do I have to do Full Format or Quick Format? And if the answer is Full Format please give me an instruction.


#50
February 10, 2017 at 20:05:30
Because of the severity of the infection, do a Full format.
Choose the NTFS file system.


#51
February 11, 2017 at 20:43:44
OK. I have formatted D: and E:. I still have to keep some of my files for backup, incl. GTAIV.rar (4,5 rar), pictures and LoL. Don't know if they are infected or not, but in my view they all seem fine. So what should I do next?


#52
February 11, 2017 at 20:59:00
Run Dr.Web CureIt again in Safe mode. Log please.


#53
February 11, 2017 at 22:30:14
Okay here's the log: http://www.fileconvoy.com/dfl.php?i...


#54
February 12, 2017 at 02:32:24
"Okay here's the log:"
That log is clean.

Run DelFix. Copy & Paste the contents of the log please.
https://toolslib.net/downloads/view...
DelFix is designed to delete all removal tools used during a disinfection.
Indeed, these tools are often updated. It's recommended not to keep and use outdated versions on the computer.
Run the tool by right click on the DelFix icon and Run as administrator option.
Make sure that these are checked:
Activate UAC (optional; some users prefer to keep it off)
Remove disinfection tools
Create registry backup
Purge system restore
Reset system settings
Click Run and wait until the tool completes its work.
The tool will create a report for you (C:\DelFix.txt)

Run both of these, in this order.
Run Wise Disk Cleaner ( Run the 1st three tabs, left to right. I use default settings, leave boxes that are unchecked, unchecked ) Reboot when finished.
http://www.softpedia.com/get/System...
http://www.freewarefiles.com/Wise-D...
http://www.freewarefiles.com/screen...
http://www.wisecleaner.com/download...
http://i.imgur.com/Jecnfvb.gif
http://i.imgur.com/0xHwdom.gif
http://fs5.directupload.net/images/...
http://i.imgur.com/JZLYOLf.gif
http://i.imgur.com/4kfaeGW.gif

Run Wise Registry Cleaner ( Only use Registry Cleaner & with default settings. Don't use System Tuneup, that is for Experts, you really have to know what you are doing ) Reboot when finished.
http://www.softpedia.com/get/Tweak/...
http://www.freewarefiles.com/Wise-R...
http://www.freewarefiles.com/screen...
http://www.wisecleaner.com/wiseregi...
http://i.imgur.com/Qy7HWcA.gif
http://fs1.directupload.net/images/...
http://fs1.directupload.net/images/...
http://fs1.directupload.net/images/...



#55
February 12, 2017 at 02:52:58
DelFix's log:
# DelFix v1.013 - Logfile created 12/02/2017 at 17:38:47
# Updated 17/04/2016 by Xplode
# Username : Ninh - NINH-PC
# Operating System : Windows 7 Professional Service Pack 1 (32 bits)

~ Activating UAC ... OK

~ Removing disinfection tools ...

Deleted : C:\Qoobox
Deleted : C:\FRST
Deleted : C:\AdwCleaner
Deleted : C:\ComboFix.txt
Deleted : C:\Users\Ninh\Desktop\Addition.txt
Deleted : C:\Users\Ninh\Desktop\ComboFix.exe
Deleted : C:\Users\Ninh\Desktop\Fixlog.txt
Deleted : C:\Users\Ninh\Desktop\FRST.txt
Deleted : C:\Users\Ninh\Desktop\JRT.exe
Deleted : C:\Users\Ninh\Desktop\JRT.txt
Deleted : C:\Users\Ninh\Downloads\adwcleaner_6.043.exe
Deleted : C:\Windows\grep.exe
Deleted : C:\Windows\PEV.exe
Deleted : C:\Windows\NIRCMD.exe
Deleted : C:\Windows\MBR.exe
Deleted : C:\Windows\SED.exe
Deleted : C:\Windows\SWREG.exe
Deleted : C:\Windows\SWSC.exe
Deleted : C:\Windows\SWXCACLS.exe
Deleted : C:\Windows\Zip.exe
Deleted : HKLM\SOFTWARE\Swearware
Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\combofix.exe

~ Creating registry backup ... OK

~ Cleaning system restore ...


New restore point created !

~ Resetting system settings ... OK

########## - EOF - ##########



#56
February 12, 2017 at 03:15:29
Extracts from the Addition log.

"AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}"
Update.

"Error: (02/02/2017 10:49:46 AM) (Source: Microsoft-Windows-Kernel-Power) (EventID: 88) (User: NT AUTHORITY)
Description: The system was hibernated due to a critical thermal event."
Start by cleaning out the dust, it causes overheating.
I think you have a laptop.
Curing Laptop/Notebook Overheating
https://www.youtube.com/watch?v=74a...
http://is.gd/ck0tXA
http://is.gd/SKlNjg
http://is.gd/vkq6Iz
http://is.gd/cNfZzK
http://is.gd/N8ZLiY
Cleaning a Laptop/Notebook Computer
http://www.instructables.com/id/Ext...
http://www.techradar.com/news/mobil...

"I just have a little question that can I extract all the .rar that have survived through the virus's invasion and antivirus's scanning?"
To doublecheck, right click on the file & run all the cleaners that are available in the drop down menu.

If they come up clean, you should be now Ok & we are finished.

message edited by Johnw



#57
February 12, 2017 at 03:27:53
Yeah, sometimes my computer hibernated itself, but I noticed that this only happens when I'm running a game that takes more than 1GB RAM. Then I discovered that somehow I had enabled Windows Update. You know my laptop has only 2GB RAM, and maybe having the game and Windows Update both running pushes RAM usage above 2GB and the system hibernates.

Can't believe that we have finished going through such a long way. Absolute thanks for the time you spent helping me, and I'll try to be safer in the future so that all these problems won't happen again.



#58
February 12, 2017 at 03:36:55
"You know my laptop has only 2GB RAM"
Yep.

"I'll try to be safer in the future"
This will help.

Use Unchecky to help prevent these third party installs. Nothing is perfect, the baddies are always ahead of the goodies, so be vigilant.
http://www.softpedia.com/get/System...
http://www.freewarefiles.com/Unchec...
http://unchecky.com/
A reliable application that aims to protect your computer against third-party components often offered during software installations.



#59
February 23, 2017 at 20:18:31
I've got the same problem and am seeking a solution from this discussion.


#60
March 13, 2017 at 04:48:17
I think it's very effective. Hope you will get rid of that annoying virus soon!


#61
March 13, 2017 at 06:00:26
"I've got the same problem and seek for a solution from this discussion"
Get back here with logs, if more help is needed.

