
I Need Help My PC Is Infected



Hello,

I'll assist you with this issue. The good news is that no malware is present, but there are some policies that likely undo the changes. The script below should take care of those.

Please press Windows key + R, type notepad in the Run box and press enter. This will open Notepad. Copy/paste the following text into Notepad and save it as fixlist.txt in the same location as FRST64.exe (in your case that is on the desktop):

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-2668118144-2190799640-2794573429-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION

Now rerun FRST and click the Fix button. A log (fixlog.txt) will be created. Restart the computer, rescan with Emsisoft and see if the entry returns after removing it now.

Please let me also know if you have any other question or problem.


I had more than that threat that was always found by EMSISOFT and would keep coming back, but the threats have not been found lately. Well, today EMSISOFT found them again and I deleted them and everything. A few hours later I did a scan and found the same threats. I have not done anything you told me to do in your post. I made a NEW system report, so maybe you want to look at the new one first. Attached is the new report.


Thank you

Addition(NEW).txt

FRST(NEW).txt

Scan Report-NEW.txt


Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

HKU\S-1-5-21-2668118144-2190799640-2794573429-1001\...\Policies\Explorer: [NoInternetIcon] 0
HKU\S-1-5-21-2668118144-2190799640-2794573429-1001\...\MountPoints2: {631d23a4-e509-11e5-96f8-f0bf9702ec32} - "C:\WINDOWS\system32\RunDLL32.EXE" Shell32.DLL,ShellExec_RunDLL F:\Start.exe
2016-04-12 22:32 - 2016-04-12 22:32 - 00000000 ____D C:\ProgramData\{BE2ACE5C-32B7-4777-9BDF-ECF87CDAB705}
C:\ProgramData\fontcacheev1.dat
Task: {3B87542E-7281-4B9E-BD35-99C4371745A6} - System32\Tasks\SecureBrowserProtectTask => C:\Program Files (x86)\Safer Technologies\Secure Browser\Application\49.0.2623.198\SecureBrowserProtector.exe <==== ATTENTION
AlternateDataStreams: C:\ProgramData\TEMP:792D4CF1 [129]
HKU\S-1-5-21-2668118144-2190799640-2794573429-1001\Software\Classes\exefile:  <===== ATTENTION
Reg: reg delete "HKEY_USERS\S-1-5-21-2668118144-2190799640-2794573429-1001\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}" /f
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}" /f
Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait.

If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.


Let's take a fresh look.

Run fresh scans with Emsisoft Emergency Kit (EEK) and FRST, attach the new EEK and FRST scans to your reply.

Be sure to let me know how things are running.


Emsisoft still finds it, and the file in the Quarantine List in Emsisoft Anti-Malware still gets found. As with my PC, everything is running good, but my IE would download anything, pages stop or won't load, but I think that has something different to do with this. Do we know what program this registry key has anything to do with and came from? Lastly, since it is not really a risk and other software is not finding it as a risk, do you think it is just okay to ignore it in Emsisoft Anti-Malware or report it as a false alert?


Thanks

Addition(64BIT).txt

Emsisoft.txt

FRST(64BIT).txt

Quarantine.txt


Do the following:

Download AdwCleaner and save it on your desktop.

  • Close all open programs and Internet browsers (you may want to print out or write down these instructions first).
  • Double click on adwcleaner.exe to run the tool.
  • Click on the Scan button.
  • After the scan has finished, click on the Clean button.
  • Confirm each time with OK.
  • You will be prompted to restart your computer. A text file will open in Notepad after the restart (this is the log of what was removed), which you can save on your desktop.
  • Attach that log file to your reply by clicking the More Reply Options button to the lower-right of where you type in your reply.

    NOTE: If you lose that log file for any reason, you can find it at C:\AdwCleaner on your computer.

Download Junkware Removal Tool and save it on your desktop.
  • Run the tool by double-clicking it.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log is saved to your desktop and will automatically open.
  • Attach the JRT log file to a reply by clicking the More Reply Options button to the lower-right of where you type in your reply.

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Local Page = 
SearchScopes: HKU\S-1-5-21-2668118144-2190799640-2794573429-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-2668118144-2190799640-2794573429-1001 -> {AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} URL = hxxps://nortonsafe.search.ask.com/web?q={searchTerms}&o=APN11913&l=dis&prt=NS&chn=retail&geo=US&ver=22&locale=en_US&gct=kwd&qsrc=2869
2016-05-08 22:33 - 2016-05-08 22:33 - 00000000 _____ C:\WINDOWS\System32\Tasks\CIS_{81EFDD93-DBBE-415B-BE6E-49B9664E3E82}
2016-05-08 21:36 - 2016-05-08 21:36 - 00000000 ____D C:\WINDOWS\System32\Tasks\COMODO
2016-05-08 02:30 - 2016-05-08 20:59 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Lavasoft
2016-05-08 02:30 - 2016-05-08 02:30 - 00425744 _____ (Lavasoft Limited) C:\WINDOWS\system32\LavasoftTcpService64.dll
2016-05-08 02:30 - 2016-05-08 02:30 - 00345360 _____ (Lavasoft Limited) C:\WINDOWS\SysWOW64\LavasoftTcpService.dll
2016-05-08 02:30 - 2016-05-08 02:30 - 00002824 _____ C:\WINDOWS\SysWOW64\LavasoftTcpServiceOff.ini
2016-05-08 02:30 - 2016-05-08 02:30 - 00002824 _____ C:\WINDOWS\system32\LavasoftTcpServiceOff.ini
2016-05-07 01:11 - 2016-05-07 01:11 - 00000000 _SHDC C:\$360Section
2016-05-07 01:05 - 2016-05-07 01:11 - 00000000 ____D C:\ProgramData\360Quarant
2016-05-07 00:55 - 2016-04-27 06:07 - 00370768 _____ (360.cn) C:\WINDOWS\system32\Drivers\360FsFlt.sys.345
2016-05-07 00:55 - 2016-04-27 06:07 - 00319568 _____ (360.cn) C:\WINDOWS\system32\Drivers\360Box64.sys.330
2016-05-07 00:55 - 2016-04-27 06:07 - 00181328 _____ (360.cn) C:\WINDOWS\system32\Drivers\BAPIDRV64.SYS.upd
2016-05-07 00:55 - 2016-04-27 06:07 - 00137808 _____ (360.cn) C:\WINDOWS\system32\Drivers\360AntiHacker64.removed
2016-05-07 00:55 - 2016-04-27 06:07 - 00077904 _____ (360.cn) C:\WINDOWS\SysWOW64\Drivers\360AvFlt.sys
2016-05-07 00:55 - 2016-04-27 06:07 - 00077904 _____ (360.cn) C:\WINDOWS\system32\Drivers\360AvFlt.sys.000
2016-05-07 00:54 - 2016-05-07 02:15 - 00000000 ____D C:\Program Files (x86)\360
2016-05-07 00:25 - 2015-01-29 19:21 - 00050320 _____ (Panda Security, S.L.) C:\WINDOWS\system32\Drivers\PSKMAD.sys
2016-05-07 00:24 - 2016-05-07 00:24 - 00000000 ____D C:\Program Files (x86)\Panda Security
2016-05-04 21:26 - 2016-05-07 00:16 - 00000000 ____D C:\Users\Eric Schwab\AppData\Local\F-Secure
2016-04-23 23:55 - 2016-04-23 23:55 - 00000000 ____D C:\Program Files\McAfee
2016-04-22 23:46 - 2016-04-22 23:46 - 00000000 ____D C:\Users\Eric Schwab\AppData\Roaming\Bitdefender
2016-04-22 19:32 - 2016-05-07 00:20 - 00000000 ____D C:\ProgramData\F-Secure
2016-04-22 02:29 - 2016-04-22 02:29 - 00000000 ____D C:\ProgramData\Bitdefender Agent
2016-04-16 00:49 - 2016-04-23 22:39 - 00000000 ____D C:\WINDOWS\98E8F5CD4D074C66992B4BD3547C86AF.TMP
2016-04-14 00:50 - 2016-04-14 00:50 - 00000000 ____D C:\WINDOWS\System32\Tasks\Safer-Networking
2016-04-10 00:45 - 2016-05-07 17:03 - 00000000 ____D C:\ProgramData\SUPERAntiSpyware.com
2016-04-10 00:45 - 2016-02-29 05:00 - 00000000 ____D C:\ProgramData\STOPzilla!
2016-03-01 01:49 - 2016-03-01 01:49 - 0000055 _____ () C:\Users\Eric Schwab\AppData\Roaming\MouseServer.ini
2016-05-06 23:04 - 2016-05-06 23:04 - 0000260 _____ () C:\ProgramData\fontcacheev1.dat
2016-03-03 05:21 - 2016-03-03 05:21 - 0000411 _____ () C:\ProgramData\WebTranslator.ini
Task: {58A40FA0-8A93-45F7-B895-49FD66369252} - System32\Tasks\COMODO\COMODO Signature Update {B9D5C6F9-17D2-4917-8BD0-614BAA1C6A59} => C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe
Task: {A27CA94B-B92D-4A2A-AD0C-77E37A5EFCF9} - System32\Tasks\COMODO\COMODO Autostart {D5EFF3B3-E126-4AF6-BCE9-852A72129E10} => C:\Program Files\COMODO\COMODO Internet Security\cistray.exe
Task: {EC5FF335-6C47-474C-88BD-A612CD3935E9} - System32\Tasks\COMODO\COMODO Update {A6D52E4F-569B-4756-B3D8-DF217313DA85} => C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe
Task: {EF3EB171-4BC9-4AB9-883C-A582798D401C} - System32\Tasks\COMODO\COMODO Scan {F140D794-60B6-4F00-9235-D6457AA25B22} => C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe
Task: {F391E748-2CE2-49B1-A6E2-D4F84D8BF314} - System32\Tasks\COMODO\COMODO Cache Builder {0FB77674-7905-4F34-A362-C5A9A26F8CF9} => C:\Program Files\COMODO\COMODO Internet Security\cfpconfg.exe
Reg: reg delete "HKEY_USERS\S-1-5-21-2668118144-2190799640-2794573429-1001\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}" /f
Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait.

If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.

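Added example, not part of this thread and not code from FRST's author or from Emsisoft: a small Python parser for the line formats that appear in the three fixlist scripts above (dated file entries with FRST attribute flags, Task:, Reg:, AlternateDataStreams:, SearchScopes:, MountPoints2 and Policies lines), followed by a triage pass that surfaces what a helper reads first: entries FRST itself marked ATTENTION, the MountPoints2 volume-autorun entry that launches a program from another drive, hidden+system objects, and where a search-provider URL points. The sample lines are constructed in the same syntax with a made-up SID and host, and the meaning of the attribute letters (S system, H hidden, D directory) is assumed from FRST's usual column convention.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in FRST fixlist syntax (same line shapes as the thread's scripts,
# made-up SID and host; not a real log).
SAMPLE = r"""
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\...\MountPoints2: {631d23a4-e509-11e5-96f8-f0bf9702ec32} - "C:\WINDOWS\system32\RunDLL32.EXE" Shell32.DLL,ShellExec_RunDLL F:\Start.exe
2016-05-07 01:11 - 2016-05-07 01:11 - 00000000 _SHDC C:\$360Section
2016-05-08 02:30 - 2016-05-08 02:30 - 00425744 _____ (Lavasoft Limited) C:\WINDOWS\system32\LavasoftTcpService64.dll
Task: {3B87542E-7281-4B9E-BD35-99C4371745A6} - System32\Tasks\SecureBrowserProtectTask => C:\Program Files (x86)\Safer Technologies\Secure Browser\Application\49.0.2623.198\SecureBrowserProtector.exe <==== ATTENTION
AlternateDataStreams: C:\ProgramData\TEMP:792D4CF1 [129]
SearchScopes: HKU\S-1-5-21-1111111111-2222222222-3333333333-1001 -> {AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} URL = hxxps://example.invalid/web?q={searchTerms}
Reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}" /f
"""

# "created - modified - size attrs (company) path"; company is optional
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - (?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[A-Z_]{5}) (?:\((?P<company>[^)]*)\) )?(?P<path>.+?)\s*$"
)
TASK_RE = re.compile(r"^Task: (?P<id>\{[0-9A-Fa-f-]+\}) - (?P<name>.+?) => (?P<target>.+?)(?: <=+ ATTENTION)?\s*$")
REG_RE = re.compile(r'^Reg: reg delete "(?P<key>[^"]+)" /f\s*$')
ADS_RE = re.compile(r"^AlternateDataStreams: (?P<path>.+?) \[(?P<size>\d+)\]\s*$")
SCOPE_RE = re.compile(r"^SearchScopes: (?P<hive>\S+) -> (?P<scope>.+?) URL = (?P<url>.*?)\s*$")
MOUNT_RE = re.compile(r"^(?P<hive>HK[A-Z]+\\.*?)MountPoints2: (?P<id>\{[0-9A-Fa-f-]+\}) - (?P<command>.+?)\s*$")
POLICY_RE = re.compile(r"^(?P<key>HK[A-Z]+\\.*?Policies\\.*?): (?P<value>.+?)(?: <=+ ATTENTION)?\s*$")
DRIVE_PATH_RE = re.compile(r'[A-Za-z]:\\[^\s"]+')          # every drive-letter path in a command line
HOST_RE = re.compile(r"^(?:hxxps?|https?)://([^/?#]+)", re.I)  # FRST defangs http as hxxp


@dataclass
class Entry:
    kind: str
    raw: str
    attention: bool           # FRST appended an "<==== ATTENTION" marker
    detail: dict = field(default_factory=dict)


def parse_line(line):
    """Classify one fixlist/log line; returns an Entry, or None for a blank line."""
    line = line.strip()
    if not line:
        return None
    flagged = "ATTENTION" in line
    m = FILE_RE.match(line)
    if m:
        attrs = m["attrs"]
        # Letter meanings assumed from FRST's column convention: S system, H hidden, D directory.
        return Entry("file", line, flagged, {
            "path": m["path"], "size": int(m["size"]), "company": m["company"], "attrs": attrs,
            "system": "S" in attrs, "hidden": "H" in attrs, "directory": "D" in attrs})
    m = TASK_RE.match(line)
    if m:
        return Entry("task", line, flagged, {"id": m["id"], "name": m["name"], "target": m["target"]})
    m = REG_RE.match(line)
    if m:
        return Entry("reg", line, flagged, {"key": m["key"]})
    m = ADS_RE.match(line)
    if m:
        return Entry("ads", line, flagged, {"path": m["path"], "size": int(m["size"])})
    m = SCOPE_RE.match(line)
    if m:
        host = HOST_RE.match(m["url"])
        return Entry("searchscope", line, flagged, {"hive": m["hive"], "scope": m["scope"],
                                                    "url": m["url"], "host": host.group(1) if host else ""})
    m = MOUNT_RE.match(line)   # tried before the generic policy pattern
    if m:
        return Entry("mountpoints2", line, flagged, {"hive": m["hive"], "id": m["id"], "command": m["command"],
                                                     "launch_paths": DRIVE_PATH_RE.findall(m["command"])})
    m = POLICY_RE.match(line)
    if m:
        return Entry("policy", line, flagged, {"key": m["key"], "value": m["value"]})
    return Entry("other", line, flagged, {})


def parse(text):
    """Parse a whole fixlist; blank lines are dropped."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def triage(entries):
    """Return (kind, reason) pairs for the entries a helper would look at first."""
    findings = []
    for e in entries:
        d = e.detail
        if e.attention:
            findings.append((e.kind, "marked ATTENTION by FRST: " + e.raw))
        if e.kind == "mountpoints2":
            findings.append((e.kind, "volume autorun handler launching " + ", ".join(d["launch_paths"])))
        elif e.kind == "searchscope" and d["host"]:
            findings.append((e.kind, "search provider points at " + d["host"]))
        elif e.kind == "file" and d["hidden"] and d["system"]:
            findings.append((e.kind, "hidden+system object " + d["path"]))
    return findings


if __name__ == "__main__":
    for kind, reason in triage(parse(SAMPLE)):
        print(f"[{kind}] {reason}")
```

Because FRST writes URLs defanged (hxxp), the host extraction accepts both spellings and never re-fangs them, so output stays safe to paste back into a forum reply.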