dsledge325

Please! Help!


My computer has a virus. I am not sure where it came from, but one night I started noticing the computer was moving slower. I immediately began uninstalling programs that were not being used or not recognized. After a couple of programs were deleted there was no real difference in performance. I then noticed that the computer had Malwarebytes on it, so I tried to run the program and an error popped up saying it was a text file only. I then tried to uninstall the program and a dialogue box popped up and said that the uninstall file was missing, so I downloaded a couple of programs trying to delete and scan my computer for registry errors, optimization, etc. Still nothing.

I figured it may be a virus, so I just downloaded Avast and scanned my computer, and of course it found issues and suggested that a boot-time scan be run. I did that, and then oddly I couldn't find the report file. I ran it again and watched it through the process to see numerous files that were corrupted and a couple of files that could not be deleted for some reason I did not record. I attempted to find the files but couldn't locate them. I tried to run safe mode and could not do that either. PC Settings would not let me restart the computer and see the BIOS setup. I had an internet connection, but no matter the browser I could not get onto the internet, and now Avast was frequently blocking threats originating from win32:Patched-Awl. I located the file name it said it was attached from (sorry, I did not write down the entire file name, but it ended in dnsapil). I ran the Emsisoft Anti-Malware program and it found multiple issues, which I quarantined, but it would not automatically correct two files for fear of crashing the operating system and directed me to support.

I read the directions after all of this took place, so my apologies for not having the very first log with no quarantine, but I did follow the directions step by step from the time I read the correct way to present my problem and have attached everything as directed.

Hopefully you can help and thank you. 

scan_161228-091142.txt

FRST.txt

Addition.txt


Do the following:

Download AdwCleaner and save it on your desktop.

  1. Close all open programs and Internet browsers (you may want to print out or write down these instructions first).
  2. Double click on adwcleaner.exe to run the tool.
  3. Click on the Scan button.
  4. After the scan has finished, click on the Clean button.
  5. Confirm each time with OK.
  6. You will be prompted to restart your computer. A text file will open in Notepad after the restart (this is the log of what was removed), which you can save on your desktop.
  7. Attach that log file to your reply by clicking the More Reply Options button to the lower-right of where you type in your reply.
    NOTE: If you lose that log file for any reason, you can find it at C:\AdwCleaner on your computer.


Download Junkware Removal Tool and save it on your desktop.

  1. Run the tool by double-clicking it.
  2. The tool will open and start scanning your system.
  3. Please be patient as this can take a while to complete depending on your system's specifications.
  4. On completion, a log is saved to your desktop and will automatically open.
  5. Attach the JRT log file to a reply by clicking the More Reply Options button to the lower-right of where you type in your reply.

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

CloseProcesses:
EmptyTemp:
() C:\Windows\Temp\gA353.tmp.exe
(                                                            ) C:\s37s..exe
() C:\Windows\Temp\is-MH4U1.tmp\s37s..tmp
HKLM-x32\...\Run: [msrtn32] => C:\Program Files (x86)\msrtn32\msrtn32.exe [1141760 2016-04-18] () <===== ATTENTION
HKU\S-1-5-21-2211295966-2184594192-1170708169-1001\...\Run: [R6MMMEDXV9] => "C:\Program Files (x86)\BestCleaner\RP1NB4Z82X.exe" <===== ATTENTION
HKU\S-1-5-21-2211295966-2184594192-1170708169-1001\...\Run: [NowUSeeIt Player] => "C:\Program Files (x86)\NowUSeeItPlayer\NowUSeeItPlayer.exe" /autostart=1 <===== ATTENTION
HKU\S-1-5-21-2211295966-2184594192-1170708169-1001\...\Run: [Itibiti.exe] => C:\Program Files (x86)\Itibiti Soft Phone\Itibiti.exe <===== ATTENTION
HKU\S-1-5-21-2211295966-2184594192-1170708169-1001\...\Run: [GTQREWS3WA] => "C:\Program Files (x86)\BestCleaner\VJH02T6IRT.exe" <===== ATTENTION
HKU\S-1-5-18\...\Run: [] => 0
ShellIconOverlayIdentifiers: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  -> No File
ShellIconOverlayIdentifiers: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  -> No File
ShellIconOverlayIdentifiers: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  -> No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  -> No File
GroupPolicy: Restriction - Chrome <======= ATTENTION
GroupPolicy\User: Restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-2211295966-2184594192-1170708169-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-2211295966-2184594192-1170708169-1001\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGIjVkxlyIP4NYe17aVLWvsniqknnm6GRBDLoXKgh-YxzOHtnUrrLcuInBeWSPxFtO_JcPec0kV4zwugalx5TXjEM9qK3UegeXDKZlKvOfl_7pchNGnYNpcJDN3P7IBAbYYu0OjWi4nc1UhB_ZgWJOTn34LA8zMS1ET51wPD6bPTEQLaWtxaTx1jFFlkI&q={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope {ielnksrch} URL = 
SearchScopes: HKLM-x32 -> ielnksrch URL = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGIjVkxlyIP4NYe17aVLWvsniqknnm6GRBDLoXKgh-YxzOHtnUrrLcuInBeWSPxFtO_JcPec0kV4zwugalx5TXjEM9qK3UegeXDKZlKvOfl_7pchNGnYNpcJDN3P7IBAbYYu0OjWi4nc1UhB_ZgWJOTn34LA8zMS1ET51wPD6bPTEQLaWtxaTx1jFFlkI&q={searchTerms}
SearchScopes: HKU\S-1-5-21-2211295966-2184594192-1170708169-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-2211295966-2184594192-1170708169-1001 -> {08464538-AA06-4265-A1D0-FE92B1DD06EC} URL = hxxp://www.search.ask.com/web?tpid=ORJ-ST-SPE&o=APN11460&pf=V7&p2=^BE6^OSJ000^YY^US&gct=&itbv=12.23.0.16&apn_uid=65D83ED6-2C93-4987-B3B9-E8A98FFAE6E9&apn_ptnrs=BE6&apn_dtid=^OSJ000^YY^US&apn_dbr=ie_11.0.9600.17416&doi=2015-02-02&trgb=IE&q={searchTerms}&psv=&pt=tb
SearchScopes: HKU\S-1-5-21-2211295966-2184594192-1170708169-1001 -> {4C70F9FF-771B-4BCB-9181-FC862D1DE2C4} URL = hxxp://www-searching.com/s.ashx?prd=opensearch&q={searchTerms}&s=GCHzftpbl0cshmoAU,df1d0d24-5ba1-4aae-be5b-efcdb951c260,
SearchScopes: HKU\S-1-5-21-2211295966-2184594192-1170708169-1001 -> {D5C68DAA-3F48-418A-A529-FE8C7B31E198} URL = hxxp://www.better-search.net/?src=6&q={searchTerms}&barid=1523565705151609718&crg=&ppd=,,,,,,,,,www.smilebox.com&st=23&i=998&did=10874
SearchScopes: HKU\S-1-5-21-2211295966-2184594192-1170708169-1001 -> {ielnksrch} URL = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGIjVkxlyIP4NYe17aVLWvsniqknnm6GRBDLoXKgh-YxzOHtnUrrLcuInBeWSPxFtO_JcPec0kV4zwugalx5TXjEM9qK3UegeXDKZlKvOfl_7pchNGnYNpcJDN3P7IBAbYYu0OjWi4nc1UhB_ZgWJOTn34LA8zMS1ET51wPD6bPTEQLaWtxaTx1jFFlkI&q={searchTerms}
R2 Dataup; C:\Program Files (x86)\dataup\dataup.exe [77824 2016-09-22] () [File not signed] <==== ATTENTION
S2 Ilaaugca; "C:\Users\thea\AppData\Roaming\JucdiJhnoz\Rawei.exe" -cms [X]
2016-12-27 22:00 - 2016-12-27 22:00 - 00044071 _____ C:\Users\thea\Downloads\5120161227005059.zip
2016-12-27 21:17 - 2016-12-27 21:17 - 00016704 _____ C:\WINDOWS\System32\Tasks\655q906c809g38
2016-12-27 21:17 - 2016-12-27 21:17 - 00000000 ___HD C:\ProgramData\655q906c809g38
2016-12-27 21:13 - 2016-12-27 21:13 - 01311344 _____ ( ) C:\s37s..exe
2016-12-27 21:01 - 2016-12-27 21:01 - 01311344 _____ ( ) C:\s448..exe
2016-12-27 21:01 - 2016-12-27 21:01 - 00016704 _____ C:\WINDOWS\System32\Tasks\717q52c925g678
2016-12-27 21:01 - 2016-12-27 21:01 - 00000000 ___HD C:\ProgramData\717q52c925g678
2016-12-24 21:23 - 2016-12-24 21:23 - 00003216 _____ C:\WINDOWS\System32\Tasks\{B3833317-7CAB-4561-B642-2915417CA19E}
2016-12-16 22:50 - 2016-12-16 22:50 - 00003112 _____ C:\WINDOWS\System32\Tasks\{3461BFC9-F194-454A-9D9A-A53F08B0DD68}
2016-12-16 22:48 - 2016-12-16 22:48 - 00003116 _____ C:\WINDOWS\System32\Tasks\{358ABAE8-7B19-41D2-93AE-DD318FECBB0F}
2016-12-16 21:56 - 2016-12-24 22:00 - 00000000 ___HD C:\ProgramData\938352875d75t5109914
2016-12-16 21:56 - 2016-12-16 21:56 - 00000000 ____D C:\ProgramData\e374834d-7ad7-0
2016-12-16 21:56 - 2016-12-16 21:56 - 00000000 ____D C:\ProgramData\e374834d-0495-1
2016-12-13 12:08 - 2016-12-13 12:10 - 00000000 ____D C:\Program Files (x86)\S5
2016-12-13 12:08 - 2016-12-13 12:08 - 00000000 ____D C:\Users\thea\AppData\Roaming\c
2016-12-13 12:08 - 2016-12-13 12:08 - 00000000 ____D C:\ProgramData\1481652483
C:\Program Files (x86)\msrtn32\msrtn32.exe
CustomCLSID: HKU\S-1-5-21-2211295966-2184594192-1170708169-1001_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}\InprocServer32 -> C:\Users\thea\AppData\Local\Google\Update\1.3.25.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-2211295966-2184594192-1170708169-1001_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}\InprocServer32 -> C:\Users\thea\AppData\Local\Google\Update\1.3.27.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-2211295966-2184594192-1170708169-1001_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32 -> C:\Users\thea\AppData\Local\Microsoft\OneDrive\17.3.6720.1207\amd64\FileSyncShell64.dll => No File
CustomCLSID: HKU\S-1-5-21-2211295966-2184594192-1170708169-1001_Classes\CLSID\{355EC88A-02E2-4547-9DEE-F87426484BD1}\InprocServer32 -> C:\Users\thea\AppData\Local\Google\Update\1.3.23.9\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-2211295966-2184594192-1170708169-1001_Classes\CLSID\{59B55F04-DE14-4BB8-92FF-C4A22EF2E5F4}\InprocServer32 -> C:\Users\thea\AppData\Local\Google\Update\1.3.31.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-2211295966-2184594192-1170708169-1001_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E}\InprocServer32 -> C:\Users\thea\AppData\Local\Google\Update\1.3.28.1\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-2211295966-2184594192-1170708169-1001_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98}\InprocServer32 -> C:\Users\thea\AppData\Local\Google\Update\1.3.28.13\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-2211295966-2184594192-1170708169-1001_Classes\CLSID\{793EE463-1304-471C-ADF1-68C2FFB01247}\InprocServer32 -> C:\Users\thea\AppData\Local\Google\Update\1.3.29.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-2211295966-2184594192-1170708169-1001_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32 -> C:\Users\thea\AppData\Local\Microsoft\OneDrive\17.3.6720.1207\amd64\FileSyncShell64.dll => No File
CustomCLSID: HKU\S-1-5-21-2211295966-2184594192-1170708169-1001_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32 -> C:\Users\thea\AppData\Local\Microsoft\OneDrive\17.3.6720.1207\amd64\FileSyncShell64.dll => No File
CustomCLSID: HKU\S-1-5-21-2211295966-2184594192-1170708169-1001_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Users\thea\AppData\Local\Google\Update\1.3.24.15\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-2211295966-2184594192-1170708169-1001_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}\InprocServer32 -> C:\Users\thea\AppData\Local\Google\Update\1.3.26.9\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-2211295966-2184594192-1170708169-1001_Classes\CLSID\{CC182BE1-84CE-4A57-B85C-FD4BBDF78CB2}\InprocServer32 -> C:\Users\thea\AppData\Local\Google\Update\1.3.29.1\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-2211295966-2184594192-1170708169-1001_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> C:\Users\thea\AppData\Local\Google\Update\1.3.25.11\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-2211295966-2184594192-1170708169-1001_Classes\CLSID\{D1EDC4F5-7F4D-4B12-906A-614ECF66DDAF}\InprocServer32 -> C:\Users\thea\AppData\Local\Google\Update\1.3.28.15\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-2211295966-2184594192-1170708169-1001_Classes\CLSID\{FE498BAB-CB4C-4F88-AC3F-3641AAAF5E9E}\InprocServer32 -> C:\Users\thea\AppData\Local\Google\Update\1.3.24.7\psuser_64.dll => No File
Task: {1E07D50C-88B3-41FC-A99A-6E0940DADC11} - System32\Tasks\psv_Finfax => /c regedit.exe /s "C:\ProgramData\Ronzap\Domsantech.reg" & del "C:\ProgramData\Ronzap\Domsantech.reg" & SCHTASKS /Delete /TN "psv_Finfax" /F <==== ATTENTION
Task: {3BA4FAC7-2EB7-4E13-A561-41A5BB018ECC} - System32\Tasks\655q906c809g38 => Rundll32.exe "C:\ProgramData\655q906c809g38\655q906c809g38.dll",hcsopx <==== ATTENTION
Task: {8634DE7E-FA85-40FE-AE37-A79CD075CFD6} - System32\Tasks\{6EDED029-3D53-4BCD-8023-FC4AA73ECEED} => pcalua.exe -a C:\Windows\SysWOW64\WNLT\Installation\Uninstall\UninstallerLauncher.exe
Task: {9D46E706-4EE0-4FD1-AC30-8B36B1B12BE0} - System32\Tasks\psv_Redtough => /c regedit.exe /s "C:\ProgramData\Ronzap\Touchtax.reg" & del "C:\ProgramData\Ronzap\Touchtax.reg" & SCHTASKS /Delete /TN "psv_Redtough" /F <==== ATTENTION
Task: {A08242DF-579E-4B45-9B89-27E50147B608} - System32\Tasks\717q52c925g678 => Rundll32.exe "C:\ProgramData\717q52c925g678\717q52c925g678.dll",hcsopx <==== ATTENTION
Task: {A2341722-19C8-48DA-9003-9628C36ECC43} - System32\Tasks\{358ABAE8-7B19-41D2-93AE-DD318FECBB0F} => pcalua.exe -a "C:\Program Files (x86)\CleanBrowser\uninstall.exe" -c /uninstall
Task: {CD1E64B8-36D8-436E-863F-03AB267E656B} - System32\Tasks\psv_Inchzap => /c regedit.exe /s "C:\ProgramData\Ronzap\X-eco.reg" & del "C:\ProgramData\Ronzap\X-eco.reg" & SCHTASKS /Delete /TN "psv_Inchzap" /F <==== ATTENTION
2016-12-27 21:01 - 2014-03-22 19:53 - 02843648 _____ () C:\ProgramData\717q52c925g678\717q52c925g678.dll
C:\ProgramData\717q52c925g678
2016-12-22 20:09 - 2016-12-27 21:12 - 00252416 _____ () C:\WINDOWS\TEMP\gA353.tmp.exe
2016-12-27 21:14 - 2016-12-27 21:14 - 00713728 _____ () C:\WINDOWS\TEMP\is-MH4U1.tmp\s37s..tmp
C:\WINDOWS\TEMP\is-MH4U1.tmp

Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait.

If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.

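The fixlist above is a mix of Run keys, scheduled tasks, services, Internet Explorer search scopes and loose files, and the hijacked search URL hides its hostname behind percent-encoding. The Python below is an added example for this thread, not code from FRST or from either post: it parses lines in the shapes the fixlist uses, keeps the entries FRST marked ATTENTION, pulls the launched binary out of each command, and decodes the host of every SearchScopes URL (FRST writes hxxp for http to keep logs unclickable, so the decoder refangs first). The sample lines are copied from the fixlist with one long tracking parameter shortened; the function names and the "other" fallback are the example's own.

```python
"""Parse FRST fixlist / log lines into structured persistence findings.

Added example for the thread, not FRST's own code. It assumes only the
line shapes visible in the fixlist above: Run keys, SearchScopes, Task,
R2/S2 service lines and bare file paths. Anything else becomes "other".
"""
import re
from urllib.parse import unquote, urlsplit

# Constructed sample: lines copied from the fixlist in the thread, with one
# long tracking parameter shortened to keep the example readable.
SAMPLE = r"""
HKLM-x32\...\Run: [msrtn32] => C:\Program Files (x86)\msrtn32\msrtn32.exe [1141760 2016-04-18] () <===== ATTENTION
HKU\S-1-5-21-2211295966-2184594192-1170708169-1001\...\Run: [NowUSeeIt Player] => "C:\Program Files (x86)\NowUSeeItPlayer\NowUSeeItPlayer.exe" /autostart=1 <===== ATTENTION
SearchScopes: HKLM-x32 -> ielnksrch URL = hxxp://%66%65%65%64.%73%6F%6E%69%63-%73%65%61%72%63%68.%63%6F%6D/?p=mKO_AwFz&q={searchTerms}
SearchScopes: HKU\S-1-5-21-2211295966-2184594192-1170708169-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
R2 Dataup; C:\Program Files (x86)\dataup\dataup.exe [77824 2016-09-22] () [File not signed] <==== ATTENTION
S2 Ilaaugca; "C:\Users\thea\AppData\Roaming\JucdiJhnoz\Rawei.exe" -cms [X]
Task: {3BA4FAC7-2EB7-4E13-A561-41A5BB018ECC} - System32\Tasks\655q906c809g38 => Rundll32.exe "C:\ProgramData\655q906c809g38\655q906c809g38.dll",hcsopx <==== ATTENTION
Task: {CD1E64B8-36D8-436E-863F-03AB267E656B} - System32\Tasks\psv_Inchzap => /c regedit.exe /s "C:\ProgramData\Ronzap\X-eco.reg" & del "C:\ProgramData\Ronzap\X-eco.reg" & SCHTASKS /Delete /TN "psv_Inchzap" /F <==== ATTENTION
C:\Program Files (x86)\msrtn32\msrtn32.exe
"""

# FRST appends "<==== ATTENTION" (the number of '=' varies) to suspicious entries.
ATTENTION = re.compile(r"\s*<=+\s*ATTENTION\s*$")
RUN = re.compile(r"^(?P<hive>HK\S*?)\\\.\.\.\\Run: \[(?P<name>[^\]]*)\] => (?P<cmd>.*)$")
SCOPE = re.compile(r"^SearchScopes: (?P<hive>.+?) -> (?P<scope>\S+) URL = ?(?P<url>.*)$")
TASK = re.compile(r"^Task: (?P<id>\{[0-9A-Fa-f-]+\}) - (?P<path>\S+) => (?P<cmd>.*)$")
SERVICE = re.compile(r"^(?P<state>[RS]\d) (?P<name>[^;]+); (?P<cmd>.*)$")
FILEPATH = re.compile(r"^[A-Za-z]:\\")


def exe_path(cmd: str) -> str:
    """Pull the launched binary out of a Run/Task/service command string."""
    quoted = re.search(r'"([^"]+)"', cmd)
    if quoted:
        return quoted.group(1)
    # Unquoted path: stop before FRST's trailing "[size date]" metadata.
    bare = re.match(r"([A-Za-z]:\\.*?)(?:\s+\[|$)", cmd)
    return bare.group(1) if bare else (cmd.split()[0] if cmd else "")


def search_host(url: str) -> str:
    """Refang hxxp, then percent-decode the hostname the hijacker obfuscated."""
    if not url:
        return ""
    url = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
    return unquote(urlsplit(url).hostname or "")


def parse_line(line: str):
    """Classify one FRST line into a finding dict; None for blank lines."""
    line = line.rstrip()
    if not line:
        return None
    flagged = bool(ATTENTION.search(line))
    body = ATTENTION.sub("", line)
    if m := RUN.match(body):
        return dict(kind="run", where=f"{m['hive']} [{m['name']}]",
                    target=exe_path(m["cmd"]), host="", attention=flagged)
    if m := SCOPE.match(body):
        return dict(kind="searchscope", where=f"{m['hive']} {m['scope']}",
                    target=m["url"], host=search_host(m["url"]), attention=flagged)
    if m := TASK.match(body):
        return dict(kind="task", where=m["path"], target=exe_path(m["cmd"]),
                    host="", attention=flagged)
    if m := SERVICE.match(body):
        return dict(kind="service", where=f"{m['state']} {m['name']}",
                    target=exe_path(m["cmd"]), host="", attention=flagged)
    if FILEPATH.match(body):
        return dict(kind="file", where="", target=body, host="", attention=flagged)
    return dict(kind="other", where="", target=body, host="", attention=flagged)


def parse_frst(text: str) -> list:
    """Parse every non-blank line of an FRST fixlist or log excerpt."""
    return [f for f in (parse_line(l) for l in text.splitlines()) if f]


def summarize(findings: list) -> dict:
    """Count findings per kind; a quick sanity check before running a fix."""
    counts = {}
    for f in findings:
        counts[f["kind"]] = counts.get(f["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    found = parse_frst(SAMPLE)
    for f in found:
        mark = "!" if f["attention"] else " "
        print(f"{mark} {f['kind']:<11} {f['where']:<58} {f['host'] or f['target']}")
    print(summarize(found))
```

Run it on the full FRST.txt rather than the sample and the "!" column gives the same triage view FRST's ATTENTION markers give, while the decoded host column shows which search provider each hijacked scope actually points at; the regex set is deliberately narrow, so lines in a shape not seen here land in "other" instead of being mis-parsed.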

Thread Closed

Reason: Lack of Response

PM either Kevin, Elise, or Arthur to have this thread reopened.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE; if you don't, we are just going to send you back to this thread.
 
