# Closed .MERRY still causing problems, but scan not finding it

Got .MERRY approx 2 weeks ago.

Caught it part-way through its process, and deleted the .exe files which had propagated 11,000+ times.

Your software (and a couple of others) did not find the virus any more.

Your decrypter saved MONTHS of work, and decrypted the files.  THANK YOU THANK YOU THANK YOU.

Since then, MSWord had been having some problems when it tried to locate a .dot file (for example when I wanted to insert page numbers).  I was trying to find time to re-install MSWord.

Also, approximately 1x/day, computer would restart with "Blue Screen of Death" (I'm sorry, I don't know what to call that in non-tech-speak).

2 days ago, restart happened more and more.

Yesterday, approximately every 10 minutes.

Then I discovered that it did not shut down as long as I didn't open MSWord or File Explorer.

Then, this morning, started up computer and got an error I've never seen before:

When I signed into Windows, I got an error that said something like: "Group Policy Identifier failed to sign in" and then Blue Screen of Death (that's all I was able to remember from what it said before the error message went away and the computer restarted itself).

Next time, it logged me into Windows ok.

That's where I'm at.

Thank you for the help...

FRST.txt

scan_170129-084758.txt

Do the following:

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

```
HKLM\...\Run: [] => [X]
HKLM-x32\...\Run: [] => [X]
HKLM\...\RunOnce: [128_1848253229422] => C:\Users\rebyitzi\AppData\Local\LMIR0001.tmp_r.bat [366 2017-01-28] ()
S3 Trufos; C:\WINDOWS\System32\DRIVERS\Trufos.sys [485512 2016-04-28] (BitDefender S.R.L.)
2017-01-28 18:48 - 2017-01-28 18:48 - 00000366 _____ C:\Users\rebyitzi\AppData\Local\LMIR0001.tmp_r.bat
2017-01-12 06:59 - 2017-01-12 06:59 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Lavasoft
2017-01-12 06:58 - 2017-01-12 06:58 - 00000000 ____D C:\Program Files\Common Files\Lavasoft
2017-01-12 06:56 - 2017-01-12 06:56 - 02586928 _____ C:\Users\rebyitzi\Desktop\Adaware_Installer.exe
2017-01-25 16:53 - 2016-08-20 00:58 - 00000000 ____D C:\Users\rebyitzi\AppData\Roaming\LavasoftStatistics
2017-01-28 18:48 - 2017-01-28 18:48 - 0000366 _____ () C:\Users\rebyitzi\AppData\Local\LMIR0001.tmp_r.bat
2016-07-25 15:06 - 2016-07-25 15:06 - 0000057 _____ () C:\ProgramData\Ament.ini
2016-07-10 15:41 - 2016-07-10 15:45 - 0000469 _____ () C:\ProgramData\Microsoft.SqlServer.Compact.400.32.bc
C:\Users\rebyitzi\0006-64bit_Win7_Win8_Win81_Win10_R279.exe
C:\Users\rebyitzi\HPPhotoCreations-zf4c49.exe
C:\Users\rebyitzi\sp76061.exe
C:\Users\rebyitzi\spybot-2.4.exe
2016-09-14 15:35 - 2014-07-17 14:23 - 6739008 _____ (Foxit Corporation) C:\Users\rebyitzi\AppData\Local\Temp\Foxit PhantomPDF Updater.exe
Task: {2A9668FA-91FC-4937-9293-C0F4806DC505} - \McAfee\McAfee Idle Detection Task -> No File <==== ATTENTION
Task: {5331CD88-85BD-4527-8602-81CA7FDC8476} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {66DC1520-6F66-4C80-B9E6-9243D895888A} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {85D1E8F9-4842-4E17-9DBF-6662285B9DA3} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {D3A4594F-3B63-48D8-9562-3FB7EACDEB4F} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
2016-12-15 13:06 - 2016-12-15 13:06 - 00030968 _____ () C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.15.1046.10613\boost_system-vc140-mt-1_61.dll
2016-12-15 13:06 - 2016-12-15 13:06 - 00067832 _____ () C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.15.1046.10613\boost_date_time-vc140-mt-1_61.dll
2016-12-15 13:06 - 2016-12-15 13:06 - 00145144 _____ () C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.15.1046.10613\boost_filesystem-vc140-mt-1_61.dll
2016-12-15 13:06 - 2016-12-15 13:06 - 00525048 _____ () C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.15.1046.10613\boost_locale-vc140-mt-1_61.dll
2016-12-15 13:06 - 2016-12-15 13:06 - 00733432 _____ () C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.15.1046.10613\boost_log-vc140-mt-1_61.dll
2016-12-15 13:06 - 2016-12-15 13:06 - 00039672 _____ () C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.15.1046.10613\boost_chrono-vc140-mt-1_61.dll
2016-12-15 13:06 - 2016-12-15 13:06 - 03713272 _____ () C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.15.1046.10613\RCF.dll
2016-12-15 13:06 - 2016-12-15 13:06 - 01001208 _____ () C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.15.1046.10613\boost_regex-vc140-mt-1_61.dll
2016-12-15 13:06 - 2016-12-15 13:06 - 00039672 _____ () C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.15.1046.10613\boost_timer-vc140-mt-1_61.dll
2016-12-15 13:06 - 2016-12-15 13:06 - 00073464 _____ () C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.15.1046.10613\boost_iostreams-vc140-mt-1_61.dll
2016-12-15 13:05 - 2016-12-15 13:05 - 02479864 _____ () C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.15.1046.10613\HtmlFramework.dll
```

NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait.

If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Thank you.

I also went ahead and ran a FRST64 scan.

I re-named those files with today's date and am attaching them here, as well as the Fixlog.txt that you requested, just in case you need them.

Fixlog.txt

FRST 17-02-14.txt

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

```
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =
2017-01-17 05:53 - 2015-07-23 03:02 - 14190520 _____ (NVIDIA Corporation) C:\WINDOWS\system32\Drivers\SETF825.tmp
2017-01-17 05:53 - 2015-07-23 03:02 - 14190520 _____ (NVIDIA Corporation) C:\WINDOWS\system32\Drivers\SETF4E6.tmp
2017-01-17 05:53 - 2015-07-23 03:02 - 14190520 _____ (NVIDIA Corporation) C:\WINDOWS\system32\Drivers\SETF1A.tmp
2017-01-17 05:53 - 2015-07-23 03:02 - 14190520 _____ (NVIDIA Corporation) C:\WINDOWS\system32\Drivers\SETE45A.tmp
2017-01-17 05:53 - 2015-07-23 03:02 - 14190520 _____ (NVIDIA Corporation) C:\WINDOWS\system32\Drivers\SETD3C6.tmp
2017-01-17 05:53 - 2015-07-23 03:02 - 14190520 _____ (NVIDIA Corporation) C:\WINDOWS\system32\Drivers\SETD3C5.tmp
2017-01-17 05:53 - 2015-07-23 03:02 - 14190520 _____ (NVIDIA Corporation) C:\WINDOWS\system32\Drivers\SETD249.tmp
2017-01-17 05:53 - 2015-07-23 03:02 - 14190520 _____ (NVIDIA Corporation) C:\WINDOWS\system32\Drivers\SETC2B9.tmp
2017-01-17 05:53 - 2015-07-23 03:02 - 14190520 _____ (NVIDIA Corporation) C:\WINDOWS\system32\Drivers\SETA81F.tmp
2017-01-17 05:53 - 2015-07-23 03:02 - 14190520 _____ (NVIDIA Corporation) C:\WINDOWS\system32\Drivers\SET9E8.tmp
2017-01-17 05:53 - 2015-07-23 03:02 - 14190520 _____ (NVIDIA Corporation) C:\WINDOWS\system32\Drivers\SET93A5.tmp
2017-01-17 05:53 - 2015-07-23 03:02 - 14190520 _____ (NVIDIA Corporation) C:\WINDOWS\system32\Drivers\SET83F9.tmp
2017-01-17 05:53 - 2015-07-23 03:02 - 14190520 _____ (NVIDIA Corporation) C:\WINDOWS\system32\Drivers\SET7B5C.tmp
2017-01-17 05:53 - 2015-07-23 03:02 - 14190520 _____ (NVIDIA Corporation) C:\WINDOWS\system32\Drivers\SET7513.tmp
2017-01-17 05:53 - 2015-07-23 03:02 - 14190520 _____ (NVIDIA Corporation) C:\WINDOWS\system32\Drivers\SET6323.tmp
2017-01-17 05:53 - 2015-07-23 03:02 - 14190520 _____ (NVIDIA Corporation) C:\WINDOWS\system32\Drivers\SET5D14.tmp
2017-01-17 05:53 - 2015-07-23 03:02 - 14190520 _____ (NVIDIA Corporation) C:\WINDOWS\system32\Drivers\SET3E16.tmp
2017-01-17 05:53 - 2015-07-23 03:02 - 14190520 _____ (NVIDIA Corporation) C:\WINDOWS\system32\Drivers\SET38DE.tmp
2017-01-17 05:53 - 2015-07-23 03:02 - 14190520 _____ (NVIDIA Corporation) C:\WINDOWS\system32\Drivers\SET1D70.tmp
2017-01-17 05:53 - 2015-07-23 03:02 - 14190520 _____ (NVIDIA Corporation) C:\WINDOWS\system32\Drivers\SET1AF6.tmp
2017-01-17 05:53 - 2015-07-23 03:02 - 14190520 _____ (NVIDIA Corporation) C:\WINDOWS\system32\Drivers\SET1837.tmp
```

NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait.

If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.
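
The NOTICE in this thread says a fixlist is written for one specific machine. The following Python check is an added example, not part of the original thread and not a feature of FRST: it classifies fixlist lines by the shapes visible in the fixlists above (an assumption about the format) and reports any `C:\Users\<name>\` path whose profile is not the local one. The sample lines, the profile name `alice` and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: lines in the shapes seen in the fixlists above,
# using a placeholder profile ("alice") and placeholder file names.
SAMPLE_FIXLIST = r"""HKLM\...\RunOnce: [example] => C:\Users\alice\AppData\Local\example.bat [366 2017-01-28] ()
S3 ExampleDrv; C:\WINDOWS\System32\DRIVERS\ExampleDrv.sys [485512 2016-04-28] (Example Vendor)
2017-01-28 18:48 - 2017-01-28 18:48 - 00000366 _____ C:\Users\alice\AppData\Local\example.bat
C:\Users\alice\example-installer.exe
Task: {00000000-0000-0000-0000-000000000000} - \Example\Example Task -> No File <==== ATTENTION
"""

# A drive-letter path, ending before a "[size date]" suffix or end of line.
PATH_RE = re.compile(r'(?<![A-Za-z])[A-Za-z]:\\[^\[\]<>|"*?\r\n]+')
# The profile directory name inside such a path.
PROFILE_RE = re.compile(r"^[A-Za-z]:\\Users\\([^\\]+)\\", re.IGNORECASE)


def classify(line):
    """Label a line by its leading shape (assumed from the lines on this page)."""
    if line.startswith("HK"):
        return "registry"
    if line.startswith("Task:"):
        return "task"
    if re.match(r"[RSU]\d \S+;", line):      # e.g. "S3 Name; path" entries
        return "service"
    if re.match(r"\d{4}-\d{2}-\d{2} ", line):  # timestamped file/folder entry
        return "file"
    if re.match(r"[A-Za-z]:\\", line):        # bare path
        return "path"
    return "other"


def preflight(fixlist_text, local_profile):
    """Count entry kinds and list paths that point at a different user profile."""
    kinds, foreign = Counter(), []
    for lineno, raw in enumerate(fixlist_text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        kinds[classify(line)] += 1
        for path in PATH_RE.findall(line):
            m = PROFILE_RE.match(path)
            # Windows profile names are compared case-insensitively.
            if m and m.group(1).lower() != local_profile.lower():
                foreign.append((lineno, m.group(1), path.strip()))
    return {"kinds": dict(kinds), "foreign": foreign}


if __name__ == "__main__":
    print(preflight(SAMPLE_FIXLIST, "alice"))
```

A non-empty `foreign` list means the fixlist names another user's profile and was most likely written for a different machine.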

