YMiller
Posted February 14, 2017

Got .MERRY approx 2 weeks ago. Caught it part-way through its process, and deleted the .exe files which had propagated 11,000+ times. Your software (and a couple of others) did not find the virus any more. Your decrypter saved MONTHS of work, and decrypted the files. THANK YOU THANK YOU THANK YOU.

Since then, MSWord had been having some problems when it tried to locate a .dot file (for example when I wanted to insert page numbers). I was trying to find time to re-install MSWord.

Also, approximately 1x/day, the computer would restart with "Blue Screen of Death" (I'm sorry, I don't know what to call that in non-tech-speak). 2 days ago, the restart happened more and more. Yesterday, approximately every 10 minutes. Then I discovered that it did not shut down as long as I didn't open MSWord or File Explorer.

Then, this morning, I started up the computer and got an error I've never seen before. When I signed into Windows, I got an error that said something like: "Group Policy Identifier failed to sign in" and then Blue Screen of Death (that's all I was able to remember from what it said before the error message went away and the computer restarted itself). Next time, it logged me into Windows ok.

That's where I'm at. Thank you for the help...

Attachments: FRST.txt, Addition.txt, scan_170129-084758.txt
Kevin Zoll
Posted February 14, 2017

Do the following:

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

HKLM\...\Run: [] => [X]
HKLM\...\Run: [AdAwareTray] => C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.15.1046.10613\AdAwareTray.exe [9533688 2016-12-15] ()
HKLM-x32\...\Run: [] => [X]
HKLM\...\RunOnce: [128_1848253229422] => C:\Users\rebyitzi\AppData\Local\LMIR0001.tmp_r.bat [366 2017-01-28] ()
R2 LavasoftAdAwareService11; C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.15.1046.10613\AdAwareService.exe [630976 2016-12-15] ()
S3 Trufos; C:\WINDOWS\System32\DRIVERS\Trufos.sys [485512 2016-04-28] (BitDefender S.R.L.)
2017-01-28 18:48 - 2017-01-28 18:48 - 00000366 _____ C:\Users\rebyitzi\AppData\Local\LMIR0001.tmp_r.bat
2017-01-12 06:59 - 2017-01-12 06:59 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Lavasoft
2017-01-12 06:58 - 2017-01-12 06:58 - 00000000 ____D C:\Program Files\Common Files\Lavasoft
2017-01-12 06:56 - 2017-01-12 06:56 - 02586928 _____ C:\Users\rebyitzi\Desktop\Adaware_Installer.exe
2017-01-25 16:53 - 2016-08-20 00:58 - 00000000 ____D C:\Users\rebyitzi\AppData\Roaming\LavasoftStatistics
2017-01-28 18:48 - 2017-01-28 18:48 - 0000366 _____ () C:\Users\rebyitzi\AppData\Local\LMIR0001.tmp_r.bat
2016-07-25 15:06 - 2016-07-25 15:06 - 0000057 _____ () C:\ProgramData\Ament.ini
2016-07-10 15:41 - 2016-07-10 15:45 - 0000469 _____ () C:\ProgramData\Microsoft.SqlServer.Compact.400.32.bc
C:\Users\rebyitzi\0006-64bit_Win7_Win8_Win81_Win10_R279.exe
C:\Users\rebyitzi\Adaware_Installer.exe
C:\Users\rebyitzi\HPPhotoCreations-zf4c49.exe
C:\Users\rebyitzi\sp76061.exe
C:\Users\rebyitzi\spybot-2.4.exe
2016-09-14 15:35 - 2014-07-17 14:23 - 6739008 _____ (Foxit Corporation) C:\Users\rebyitzi\AppData\Local\Temp\Foxit PhantomPDF Updater.exe
Task: {2A9668FA-91FC-4937-9293-C0F4806DC505} - \McAfee\McAfee Idle Detection Task -> No File <==== ATTENTION
Task: {5331CD88-85BD-4527-8602-81CA7FDC8476} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {66DC1520-6F66-4C80-B9E6-9243D895888A} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {85D1E8F9-4842-4E17-9DBF-6662285B9DA3} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {BAA13C4B-9AD6-41F3-91AA-7B2E8D34E6EA} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {D3A4594F-3B63-48D8-9562-3FB7EACDEB4F} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {D4CC05E5-EC3F-4416-A906-D8B774C36AE2} - \WPD\SqmUpload_S-1-5-21-36700401-2962425373-406613424-1001 -> No File <==== ATTENTION
2016-12-15 13:02 - 2016-12-15 13:02 - 00630976 _____ () C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.15.1046.10613\AdAwareService.exe
2016-12-15 13:06 - 2016-12-15 13:06 - 00030968 _____ () C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.15.1046.10613\boost_system-vc140-mt-1_61.dll
2016-12-15 13:06 - 2016-12-15 13:06 - 00067832 _____ () C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.15.1046.10613\boost_date_time-vc140-mt-1_61.dll
2016-12-15 13:06 - 2016-12-15 13:06 - 00122104 _____ () C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.15.1046.10613\boost_thread-vc140-mt-1_61.dll
2016-12-15 13:06 - 2016-12-15 13:06 - 00145144 _____ () C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.15.1046.10613\boost_filesystem-vc140-mt-1_61.dll
2016-12-15 13:06 - 2016-12-15 13:06 - 00525048 _____ () C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.15.1046.10613\boost_locale-vc140-mt-1_61.dll
2016-12-15 13:06 - 2016-12-15 13:06 - 00733432 _____ () C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.15.1046.10613\boost_log-vc140-mt-1_61.dll
2016-12-15 13:06 - 2016-12-15 13:06 - 00039672 _____ () C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.15.1046.10613\boost_chrono-vc140-mt-1_61.dll
2016-12-15 13:05 - 2016-12-15 13:05 - 11504888 _____ () C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.15.1046.10613\AdAwareServiceKernel.dll
2016-12-15 13:06 - 2016-12-15 13:06 - 03713272 _____ () C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.15.1046.10613\RCF.dll
2016-12-15 13:06 - 2016-12-15 13:06 - 01001208 _____ () C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.15.1046.10613\boost_regex-vc140-mt-1_61.dll
2016-12-15 13:05 - 2016-12-15 13:05 - 01061624 _____ () C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.15.1046.10613\AdAwareActivation.dll
2016-12-15 13:05 - 2016-12-15 13:05 - 00634616 _____ () C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.15.1046.10613\AdAwareApplicationUpdater.dll
2016-12-15 13:05 - 2016-12-15 13:05 - 00843000 _____ () C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.15.1046.10613\AdAwareGamingMode.dll
2016-12-15 13:05 - 2016-12-15 13:05 - 00120568 _____ () C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.15.1046.10613\AdAwareReset.dll
2016-12-15 13:05 - 2016-12-15 13:05 - 00142584 _____ () C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.15.1046.10613\AdAwareTime.dll
2016-12-15 13:05 - 2016-12-15 13:05 - 01025272 _____ () C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.15.1046.10613\AdAwareDefinitionsUpdater.dll
2016-12-15 13:05 - 2016-12-15 13:05 - 00904440 _____ () C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.15.1046.10613\AdAwareDefinitionsUpdaterScheduler.dll
2016-12-15 13:05 - 2016-12-15 13:05 - 01468664 _____ () C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.15.1046.10613\AdAwareIgnoreList.dll
2016-12-15 13:05 - 2016-12-15 13:05 - 00252664 _____ () C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.15.1046.10613\AdAwareQuarantine.dll
2016-12-15 13:05 - 2016-12-15 13:05 - 01644280 _____ () C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.15.1046.10613\AdAwareAntiMalwareEngine.dll
2016-12-15 13:05 - 2016-12-15 13:05 - 00223992 _____ () C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.15.1046.10613\AdAwareAntiRootkitEngine.dll
2016-12-15 13:05 - 2016-12-15 13:05 - 01192184 _____ () C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.15.1046.10613\AdAwareScannerHistory.dll
2016-12-15 13:05 - 2016-12-15 13:05 - 01370360 _____ () C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.15.1046.10613\AdAwareScanner.dll
2016-12-15 13:06 - 2016-12-15 13:06 - 00039672 _____ () C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.15.1046.10613\boost_timer-vc140-mt-1_61.dll
2016-12-15 13:05 - 2016-12-15 13:05 - 01030904 _____ () C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.15.1046.10613\AdAwareScannerScheduler.dll
2016-12-15 13:05 - 2016-12-15 13:05 - 01212152 _____ () C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.15.1046.10613\AdAwareRealTimeProtection.dll
2016-12-15 13:05 - 2016-12-15 13:05 - 02879736 _____ () C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.15.1046.10613\AdAwareIncompatibles.dll
2016-12-15 13:05 - 2016-12-15 13:05 - 01524472 _____ () C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.15.1046.10613\AdAwareAntiSpam.dll
2016-12-15 13:05 - 2016-12-15 13:05 - 01456376 _____ () C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.15.1046.10613\AdAwareAntiPhishing.dll
2016-12-15 13:05 - 2016-12-15 13:05 - 03462904 _____ () C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.15.1046.10613\AdAwareParentalControl.dll
2016-12-15 13:05 - 2016-12-15 13:05 - 01599224 _____ () C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.15.1046.10613\AdAwareWebProtection.dll
2016-12-15 13:05 - 2016-12-15 13:05 - 01339640 _____ () C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.15.1046.10613\AdAwareEmailProtection.dll
2016-12-15 13:06 - 2016-12-15 13:06 - 00073464 _____ () C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.15.1046.10613\boost_iostreams-vc140-mt-1_61.dll
2016-12-15 13:05 - 2016-12-15 13:05 - 01645816 _____ () C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.15.1046.10613\AdAwareNetworkProtection.dll
2016-12-15 13:05 - 2016-12-15 13:05 - 01042680 _____ () C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.15.1046.10613\AdAwarePromo.dll
2016-12-15 13:05 - 2016-12-15 13:05 - 00475384 _____ () C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.15.1046.10613\AdAwareFeedback.dll
2016-12-15 13:05 - 2016-12-15 13:05 - 03165944 _____ () C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.15.1046.10613\AdAwareThreatWorkAlliance.dll
2016-12-15 13:05 - 2016-12-15 13:05 - 01325304 _____ () C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.15.1046.10613\AdAwarePinCode.dll
2016-12-15 13:05 - 2016-12-15 13:05 - 01044216 _____ () C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.15.1046.10613\AdAwareNotice.dll
2016-12-15 13:05 - 2016-12-15 13:05 - 01597688 _____ () C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.15.1046.10613\AdAwareAvcEngine.dll
2016-12-15 13:05 - 2016-12-15 13:05 - 01496312 _____ () C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.15.1046.10613\AdAwareRealTimeProtectionHistory.dll
2016-12-15 13:05 - 2016-12-15 13:05 - 01380088 _____ () C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.15.1046.10613\AdAwareStatistics.dll
2016-12-15 13:05 - 2016-12-15 13:05 - 09533688 _____ () C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.15.1046.10613\AdAwareTray.exe
2016-12-15 13:05 - 2016-12-15 13:05 - 02479864 _____ () C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.15.1046.10613\HtmlFramework.dll
2016-12-15 13:05 - 2016-12-15 13:05 - 00871672 _____ () C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.15.1046.10613\AdAwareTrayDefaultSkin.dll

Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait. If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.
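As an added triage helper (not part of this thread, and not FRST's own code), the script below parses a handful of entries in the same syntax as the fixlist above and records why a malware-removal helper would look at each one before the rest: scheduled tasks whose target is gone, binaries with no company name, and autostarts that run from user-writable paths. The sample entries are copied from the fixlist above; the four entry shapes the parser models and the review heuristics are this example's own assumptions.

```python
import re
# Sample entries copied from the fixlist posted above (FRST fix-script syntax).
SAMPLE = r"""
HKLM\...\Run: [] => [X]
HKLM\...\Run: [AdAwareTray] => C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.15.1046.10613\AdAwareTray.exe [9533688 2016-12-15] ()
HKLM\...\RunOnce: [128_1848253229422] => C:\Users\rebyitzi\AppData\Local\LMIR0001.tmp_r.bat [366 2017-01-28] ()
R2 LavasoftAdAwareService11; C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.15.1046.10613\AdAwareService.exe [630976 2016-12-15] ()
S3 Trufos; C:\WINDOWS\System32\DRIVERS\Trufos.sys [485512 2016-04-28] (BitDefender S.R.L.)
Task: {2A9668FA-91FC-4937-9293-C0F4806DC505} - \McAfee\McAfee Idle Detection Task -> No File <==== ATTENTION
2016-09-14 15:35 - 2014-07-17 14:23 - 6739008 _____ (Foxit Corporation) C:\Users\rebyitzi\AppData\Local\Temp\Foxit PhantomPDF Updater.exe
"""

# Common tail of autostart and service entries: path [size date] (signer, possibly empty).
TAIL = r"(?P<path>.+?) \[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<signer>[^)]*)\)$"
PATTERNS = {
    "autostart": re.compile(r"^HK\S+?\\(?P<key>Run(?:Once)?): \[(?P<name>[^\]]*)\] => " + TAIL),
    "service": re.compile(r"^(?P<start>[RS]\d) (?P<name>[^;]+); " + TAIL),
    "task": re.compile(r"^Task: \{(?P<name>[0-9A-F-]+)\} - (?P<path>.+?) -> (?P<target>.+?)(?: <==== ATTENTION)?$"),
    "file": re.compile(r"^\S+ \S+ - \S+ \S+ - (?P<size>\d+) \S+ \((?P<signer>[^)]*)\) (?P<path>.+)$"),
}
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")  # assumed: paths a normal user can write to

def parse_line(line):
    """Return (kind, fields) for one entry, or None for shapes this parser does not model."""
    for kind, rx in PATTERNS.items():
        m = rx.match(line)
        if m:
            return kind, m.groupdict()
    return None

def triage(text):
    """Map each entry's path to the (assumed) reasons a helper would look at it before the rest."""
    findings = {}
    for line in filter(None, (raw.strip() for raw in text.splitlines())):
        parsed = parse_line(line)
        if parsed is None:
            continue  # e.g. "HKLM\...\Run: [] => [X]": an empty value being cleaned up
        kind, f = parsed
        reasons = []
        if kind == "task" and f["target"] == "No File":
            reasons.append("scheduled task whose target no longer exists")
        if f.get("signer") == "":
            reasons.append("binary carries no company name")
        if kind != "task" and any(s in f["path"].lower() for s in USER_WRITABLE):
            reasons.append("lives in a user-writable location")
        if kind == "autostart" and f["path"].lower().endswith((".bat", ".cmd", ".vbs", ".js")):
            reasons.append("autostart launches a script rather than a program")
        if reasons:
            findings[f["path"]] = reasons
    return findings
```

Run `triage(SAMPLE)` to get a dict keyed by path; the signed BitDefender driver produces no finding, while the RunOnce batch file under AppData collects three.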
YMiller (Author)
Posted February 14, 2017

Thank you. I also went ahead and ran a FRST64 scan. I re-named those files with today's date and am attaching them here, as well as the Fixlog.txt that you requested, just in case you need them.

Attachments: Fixlog.txt, Addition 17-02-14.txt, FRST 17-02-14.txt
Kevin Zoll
Posted February 15, 2017

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =
2017-01-17 05:53 - 2015-07-23 03:02 - 14190520 _____ (NVIDIA Corporation) C:\WINDOWS\system32\Drivers\SETF825.tmp
2017-01-17 05:53 - 2015-07-23 03:02 - 14190520 _____ (NVIDIA Corporation) C:\WINDOWS\system32\Drivers\SETF4E6.tmp
2017-01-17 05:53 - 2015-07-23 03:02 - 14190520 _____ (NVIDIA Corporation) C:\WINDOWS\system32\Drivers\SETF1A.tmp
2017-01-17 05:53 - 2015-07-23 03:02 - 14190520 _____ (NVIDIA Corporation) C:\WINDOWS\system32\Drivers\SETE45A.tmp
2017-01-17 05:53 - 2015-07-23 03:02 - 14190520 _____ (NVIDIA Corporation) C:\WINDOWS\system32\Drivers\SETD3C6.tmp
2017-01-17 05:53 - 2015-07-23 03:02 - 14190520 _____ (NVIDIA Corporation) C:\WINDOWS\system32\Drivers\SETD3C5.tmp
2017-01-17 05:53 - 2015-07-23 03:02 - 14190520 _____ (NVIDIA Corporation) C:\WINDOWS\system32\Drivers\SETD249.tmp
2017-01-17 05:53 - 2015-07-23 03:02 - 14190520 _____ (NVIDIA Corporation) C:\WINDOWS\system32\Drivers\SETC2B9.tmp
2017-01-17 05:53 - 2015-07-23 03:02 - 14190520 _____ (NVIDIA Corporation) C:\WINDOWS\system32\Drivers\SETA81F.tmp
2017-01-17 05:53 - 2015-07-23 03:02 - 14190520 _____ (NVIDIA Corporation) C:\WINDOWS\system32\Drivers\SET9E8.tmp
2017-01-17 05:53 - 2015-07-23 03:02 - 14190520 _____ (NVIDIA Corporation) C:\WINDOWS\system32\Drivers\SET93A5.tmp
2017-01-17 05:53 - 2015-07-23 03:02 - 14190520 _____ (NVIDIA Corporation) C:\WINDOWS\system32\Drivers\SET83F9.tmp
2017-01-17 05:53 - 2015-07-23 03:02 - 14190520 _____ (NVIDIA Corporation) C:\WINDOWS\system32\Drivers\SET7B5C.tmp
2017-01-17 05:53 - 2015-07-23 03:02 - 14190520 _____ (NVIDIA Corporation) C:\WINDOWS\system32\Drivers\SET7513.tmp
2017-01-17 05:53 - 2015-07-23 03:02 - 14190520 _____ (NVIDIA Corporation) C:\WINDOWS\system32\Drivers\SET6323.tmp
2017-01-17 05:53 - 2015-07-23 03:02 - 14190520 _____ (NVIDIA Corporation) C:\WINDOWS\system32\Drivers\SET5D14.tmp
2017-01-17 05:53 - 2015-07-23 03:02 - 14190520 _____ (NVIDIA Corporation) C:\WINDOWS\system32\Drivers\SET3E16.tmp
2017-01-17 05:53 - 2015-07-23 03:02 - 14190520 _____ (NVIDIA Corporation) C:\WINDOWS\system32\Drivers\SET38DE.tmp
2017-01-17 05:53 - 2015-07-23 03:02 - 14190520 _____ (NVIDIA Corporation) C:\WINDOWS\system32\Drivers\SET1D70.tmp
2017-01-17 05:53 - 2015-07-23 03:02 - 14190520 _____ (NVIDIA Corporation) C:\WINDOWS\system32\Drivers\SET1AF6.tmp
2017-01-17 05:53 - 2015-07-23 03:02 - 14190520 _____ (NVIDIA Corporation) C:\WINDOWS\system32\Drivers\SET1837.tmp

Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait. If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart. The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.
Kevin Zoll
Posted February 21, 2017

Thread Closed

Reason: Lack of Response

PM either Kevin, Elise, or Arthur to have this thread reopened.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE; if you don't, we are just going to send you back to this thread.