
I am using Windows 10 on my new laptop, bought less than a month ago. I try to be careful when it comes to malware. I use a bunch of anti-malware software & run scans once a week. Everything seemed OK until 2 days back.
 
2 days back, I had a college presentation & had to plug in my friend's USB drive, which had lots of viruses. I did not want to, but had to click on the shortcut virus to open her files since I was standing in front of the whole class & I had to give the presentation. It also had an autorun virus along with others. I could not unplug the USB drive until I finished with my presentation.
 
Can someone please help me on what to do to get rid of all of them which may have infected my OS while I plugged the drive in my laptop?
 
I have tried scanning again & again, till all the scan results were clean. But still I fear some may be left out. What should I do? (Certain websites won't load no matter what I do. Does this have something to do with malware? If I use a proxy, they load. But on my own connection, certain websites never load. I don't use a router. I use internet via a 4G provider.)
 
I use Zemana AntiMalware, Emergency Kit scanner from Emsisoft, Kaspersky Virus Removal Tool, Security Scan & TDSSKiller from Kaspersky, ESET Online Scanner, Norton Security Scan, aswMBR from Avast, Malwarebytes 3.0, AdwCleaner & JRT from Malwarebytes, and SUPERAntiSpyware to run on-demand scans. I ran all of these again & again till all of them came up with clean results. I tried running all of these in safe mode as well, but got clean results again.
 
(I use Avira Free Antivirus as my main antivirus.)
 
What should I do now? How can I find out if my laptop is clean or not? Someone please help me out on this. Would be highly thankful if someone could come up with a solution to ensure my laptop is 100% clean.
 
I have attached all the three logs below. Thanks.
 

FRST.txt

Addition.txt

scan_170411-155012.txt


Do the following:

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

HKU\S-1-5-21-2453292216-1992557863-264388339-1001\...\MountPoints2: {afe88079-13d4-11e7-a743-b88a60a163c7} - "G:\Windows/AutoRun.exe" /autoinstall
HKU\S-1-5-21-2453292216-1992557863-264388339-1001\...\MountPoints2: {f03f99c8-e9f6-11e6-a737-704d7b495897} - "F:\Setup.exe" 
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = 
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = 
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = 
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Local Page = 
SearchScopes: HKU\S-1-5-21-2453292216-1992557863-264388339-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
FF Plugin-x32: @foxitsoftware.com/Foxit PhantomPDF Plugin,version=1.0,application/vnd.xdp -> C:\Program Files (x86)\Foxit PhantomPDF\plugins\npFoxitPhantomPDFPlugin.dll [No File]
FF Plugin-x32: @foxitsoftware.com/Foxit PhantomPDF Plugin,version=1.0,application/vnd.xfdf -> C:\Program Files (x86)\Foxit PhantomPDF\plugins\npFoxitPhantomPDFPlugin.dll [No File]
U3 aswMBR; C:\Users\Rebecca Valentine\AppData\Local\Temp\aswMBR.sys [62728 2017-04-10] () [File not signed] <==== ATTENTION
U3 aswVmm; C:\Users\Rebecca Valentine\AppData\Local\Temp\aswVmm.sys [224896 2017-04-10] () <==== ATTENTION
2017-04-10 22:56 - 2017-04-10 22:57 - 10606960 _____ (Symantec Corporation) C:\Users\Rebecca Valentine\AppData\Local\Temp\nssSetup.exe
Task: {D6E39F92-1A12-47DA-9784-4D7AFBE2F5DD} - System32\Tasks\AVAST Software\Avast settings backup => C:\Program Files\Common Files\AV\avast! Antivirus\backup.exe 

Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait.

If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.

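An added example, not part of the original posts and not FRST's own code: the MountPoints2 lines in the fixlists are Explorer's cached per-volume autorun commands, so they show what an inserted drive asked Windows to launch. This Python example parses such lines, collapses copies repeated across registry hives, and lists commands that start from a drive other than the system drive. The sample lines are copied from the fixlists in this thread; the function names and the default system drive `C` are assumptions.

```python
import re
from collections import defaultdict

# Lines copied from the fixlists in this thread (FRST log format).
SAMPLE = r'''
HKU\S-1-5-21-2453292216-1992557863-264388339-1001\...\MountPoints2: {afe88079-13d4-11e7-a743-b88a60a163c7} - "G:\Windows/AutoRun.exe" /autoinstall
HKU\S-1-5-21-2453292216-1992557863-264388339-1001\...\MountPoints2: {f03f99c8-e9f6-11e6-a737-704d7b495897} - "F:\Setup.exe"
HKU\S-1-5-21-2453292216-1992557863-264388339-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04112017170234550\...\MountPoints2: {afe88079-13d4-11e7-a743-b88a60a163c7} - "G:\Windows/AutoRun.exe" /autoinstall
HKU\S-1-5-21-2453292216-1992557863-264388339-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04112017170234550\...\MountPoints2: {f03f99c8-e9f6-11e6-a737-704d7b495897} - "F:\Setup.exe"
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = 
'''

# Shape: <hive>\...\MountPoints2: {volume GUID} - <cached autorun command>
ENTRY = re.compile(
    r'^(?P<hive>HKU\\\S+?)\\\.\.\.\\MountPoints2: '
    r'(?P<volume>\{[0-9a-fA-F-]{36}\}) - (?P<command>.+?)\s*$'
)
# Drive letter at the start of the command, with or without a leading quote.
DRIVE = re.compile(r'"?([A-Za-z]):[\\/]')


def parse_mountpoints(text):
    """Map (volume GUID, command) to the set of hives that carry the entry."""
    seen = defaultdict(set)
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:  # non-MountPoints2 lines are skipped
            seen[(m['volume'].lower(), m['command'])].add(m['hive'])
    return seen


def off_system_autoruns(text, system_drive='C'):
    """List cached autorun commands that do not start on the system drive."""
    findings = []
    for (volume, command), hives in sorted(parse_mountpoints(text).items()):
        d = DRIVE.match(command)
        drive = d.group(1).upper() if d else None  # None: no drive letter found
        if drive != system_drive.upper():
            findings.append({'volume': volume, 'drive': drive,
                             'command': command, 'hives': len(hives)})
    return findings


if __name__ == '__main__':
    for f in off_system_autoruns(SAMPLE):
        print(f"{f['drive']}: {f['command']}  ({f['volume']}, {f['hives']} hive(s))")
```
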

Let's take a fresh look.

Run fresh scans with Emsisoft Emergency Kit (EEK) and FRST, attach the new EEK and FRST scans to your reply.

Be sure to let me know how things are running.


Thank you so much. 

I have attached FRST & EEK logs below.

About this "Be sure to let me know how things are running": I don't know. I can't see any difference. Thanks! :)

(Except for one thing. Ever since I was infected, some websites seem to have stopped working for me. They don't load on my system, whereas they load properly when I use a proxy or use my iPad with the same network. Does this have anything to do with malware?)

FRST.txt

Addition.txt

scan_170414-131502.txt


Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

CloseProcesses:
Hosts:
(Dashlane, Inc.) C:\Users\Rebecca Valentine\AppData\Roaming\Dashlane\Dashlane.exe
() C:\Users\Rebecca Valentine\AppData\Roaming\Dashlane\DashlanePlugin.exe
HKU\S-1-5-21-2453292216-1992557863-264388339-1001\...\Run: [Dashlane] => C:\Users\Rebecca Valentine\AppData\Roaming\Dashlane\Dashlane.exe [486352 2017-03-17] (Dashlane, Inc.)
HKU\S-1-5-21-2453292216-1992557863-264388339-1001\...\Run: [DashlanePlugin] => C:\Users\Rebecca Valentine\AppData\Roaming\Dashlane\DashlanePlugin.exe [544208 2017-03-17] ()
HKU\S-1-5-21-2453292216-1992557863-264388339-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04112017170234550\...\Run: [Dashlane] => C:\Users\Rebecca Valentine\AppData\Roaming\Dashlane\Dashlane.exe [486352 2017-03-17] (Dashlane, Inc.)
HKU\S-1-5-21-2453292216-1992557863-264388339-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04112017170234550\...\Run: [DashlanePlugin] => C:\Users\Rebecca Valentine\AppData\Roaming\Dashlane\DashlanePlugin.exe [544208 2017-03-17] ()
HKU\S-1-5-21-2453292216-1992557863-264388339-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04112017170234550\...\MountPoints2: {afe88079-13d4-11e7-a743-b88a60a163c7} - "G:\Windows/AutoRun.exe" /autoinstall
HKU\S-1-5-21-2453292216-1992557863-264388339-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04112017170234550\...\MountPoints2: {f03f99c8-e9f6-11e6-a737-704d7b495897} - "F:\Setup.exe" 
HKU\S-1-5-21-2453292216-1992557863-264388339-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04112017171916849\...\Run: [Dashlane] => C:\Users\Rebecca Valentine\AppData\Roaming\Dashlane\Dashlane.exe [486352 2017-03-17] (Dashlane, Inc.)
HKU\S-1-5-21-2453292216-1992557863-264388339-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04112017171916849\...\Run: [DashlanePlugin] => C:\Users\Rebecca Valentine\AppData\Roaming\Dashlane\DashlanePlugin.exe [544208 2017-03-17] ()
HKU\S-1-5-21-2453292216-1992557863-264388339-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04112017171916849\...\MountPoints2: {afe88079-13d4-11e7-a743-b88a60a163c7} - "G:\Windows/AutoRun.exe" /autoinstall
HKU\S-1-5-21-2453292216-1992557863-264388339-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04112017171916849\...\MountPoints2: {f03f99c8-e9f6-11e6-a737-704d7b495897} - "F:\Setup.exe" 
SearchScopes: HKU\S-1-5-21-2453292216-1992557863-264388339-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04112017170234550 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-2453292216-1992557863-264388339-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-04112017171916849 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
CHR NewTab: Profile 1 ->  Active:"chrome-extension://ncdfeghkpohnalmpblddmnppfooljekh/core/newpage-pop.html"
CHR Extension: (Dashlane Secure Password Manager) - C:\Users\Rebecca Valentine\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\fdjamakpfbbddfjaooikfcpapjohcfmg [2017-04-11]
CHR Extension: (Incredible StartPage - Productive Start Page) - C:\Users\Rebecca Valentine\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\ncdfeghkpohnalmpblddmnppfooljekh [2017-01-18]
R1 ZAM; C:\WINDOWS\System32\drivers\zam64.sys [203680 2017-01-20] (Zemana Ltd.)
R1 ZAM_Guard; C:\WINDOWS\System32\drivers\zamguard64.sys [203680 2017-01-20] (Zemana Ltd.)
2017-04-10 02:22 - 2017-04-14 13:39 - 00719048 _____ C:\WINDOWS\ZAM.krnl.trace
2017-04-10 02:22 - 2017-04-14 13:39 - 00560977 _____ C:\WINDOWS\ZAM_Guard.krnl.trace
Reboot:

Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait.

If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.


Rebecca,

Most of our staff do not work on the weekends.

Changing tools.

Download RogueKiller from one of the following links and save it to your desktop:

  • Link 1
  • Link 2

  • Close all programs and disconnect any USB or external drives before running the tool.
  • Double-click RogueKiller.exe to run the tool (Vista/7/8/10 users: Right-click and select Run As Administrator).
  • Once the Prescan has finished, click Scan.
  • Once the Status box shows "Scan Finished", just close the program. <--Don't fix anything!
  • Attach the RogueKiller report to your next reply.
    • The log can also be found on your desktop labeled (RKreport[X]_S_xxdatexx_xtimex)
    • The highest number of [X] is the most recent scan



