Jump to content

I've recently been having memory issues with my laptop.

BlackTunicLink
 Share Followers 2

Recommended Posts

Kevin Zoll

Kevin Zoll 309

Posted
Posted

Hello,

Please run FRST from an account that has administrative privileges. From what is reported in the log, malware is present on this system.

Unless FRST is run from an account with administrative privileges any fix I give you will not be complete and will not run properly.

Link to post
Share on other sites
Kevin Zoll

Kevin Zoll 309

Posted
Posted

Please run FRST again. Next, select and copy the following text, including the words Start:: and End::. Switch back to the FRST program window, and click the Fix button. It should read the fix directly from the clipboard and run the fix. When it is finished, please attach the fixlog.txt file it created in the same folder the FRST program is in.

Start::
    HKLM\...\RunOnce: [00D24A500D012BC425D6] => "C:\program files (x86)\microsoft visual studio\installer\vs_installershell.exe" resume --installPath "C:\Program Files (x86)\Microsoft Visual Studio\2017\Community" --runOnce --installSessionId fdbdd (the data entry has 31 more characters).
    HKU\S-1-5-21-386915118-960498976-1513988707-1001\...\Run: [appnhost] => C:\Users\Aaron\AppData\Local\Mixesoft\AppNHost\appnhost.exe
    HKU\S-1-5-21-386915118-960498976-1513988707-1001\...\RunOnce: [Application Restart #0] => C:\Windows\SysWOW64\mshta.exe "C:\Users\AARON_~1\AppData\Local\Temp\HYD6AAB.tmp.1478775789\HTA\index.hta?bittorrent"  "C:\Users\aaron_000\Downloads\BitTorrent.exe" /LOG "C:\Users\AARON_~1\AppData\Loca (the data entry has 395 more characters). <==== ATTENTION
    HKU\S-1-5-21-386915118-960498976-1513988707-1001\...\RunOnce: [Application Restart #1] => C:\Windows\SysWOW64\mshta.exe [12800 2014-10-30] (Microsoft Corporation) <==== ATTENTION
    HKU\S-1-5-21-386915118-960498976-1513988707-1005\...\MountPoints2: {4627194d-806b-11e7-82c7-00262dadf1f7} - "D:\windows\AutoRun.exe"
    HKU\S-1-5-21-386915118-960498976-1513988707-1005\...\MountPoints2: {749587d2-9105-11e7-82d8-00262dadf1f7} - "D:\windows\AutoRun.exe"
    HKU\S-1-5-21-386915118-960498976-1513988707-1005\...\MountPoints2: {b0644a5b-bb3b-11e7-831b-00262dadf1f7} - "D:\windows\AutoRun.exe"
    GroupPolicy: Restriction ? <==== ATTENTION
    CHR StartupUrls: Default -> "hxxp://www.trovi.com/?gd=&ctid=CT3331316&octid=EB_ORIGINAL_CTID&ISID=MFC26B4C7-4019-4D3B-A8AD-3476BA762A83&SearchSource=55&CUI=&UM=6&UP=SPBA857B00-7EBC-4C5B-A577-84AFA9126E93&SSPV=","hxxp://www.msn.com/?pc=AV01","hxxp://www.trovi.com/?gd=&ctid=CT3331316&octid=EB_ORIGINAL_CTID&ISID=MFC26B4C7-4019-4D3B-A8AD-3476BA762A83&SearchSource=55&CUI=&UM=6&UP=SPBA857B00-7EBC-4C5B-A577-84AFA9126E93&SSPV=SE4BROWGB_sp_ch","hxxp://www.google.com","hxxp://mail.ru/cnt/10445?gp=818406"
    R2 ReimageRealTimeProtector; C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe [9037680 2018-04-25] (Reimage®)
    2018-06-17 18:28 - 2018-06-20 18:48 - 000000000 ____D C:\ProgramData\Reimage Protector
    2018-06-17 18:28 - 2018-06-17 18:52 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Reimage Repair
    2018-06-17 18:28 - 2018-06-17 18:28 - 000004268 _____ C:\Windows\System32\Tasks\ReimageUpdater
    2018-06-17 18:27 - 2018-06-17 18:35 - 000000000 ____D C:\rei
    2018-06-17 18:27 - 2018-06-17 18:28 - 000000000 ____D C:\Program Files\Reimage
    2018-06-17 18:25 - 2018-06-17 18:50 - 000000140 _____ C:\Windows\Reimage.ini
    C:\Windows\SysWOW64\mshta.exe
    2017-07-27 19:37 - 2017-07-10 11:53 - 000819256 _____ (BlueStack Systems, Inc.) C:\Users\Aaron\AppData\Local\Temp\BlueStacksClientUninstaller.exe
    2017-12-02 07:53 - 2017-12-02 07:53 - 000290304 _____ (Microsoft Corporation) C:\Users\Aaron\AppData\Local\Temp\CakeTubeSdk.Windows.Service.subinacl.exe
    2017-07-27 19:37 - 2017-07-10 11:53 - 000421400 _____ (CodeTitans) C:\Users\Aaron\AppData\Local\Temp\JSON.dll
    2018-06-17 18:26 - 2018-06-17 18:27 - 015208160 _____ (Reimage) C:\Users\Aaron\AppData\Local\Temp\ReimagePackage.exe
    2017-02-19 13:40 - 2017-09-18 15:16 - 000134704 _____ (mIRC Co. Ltd.) C:\Users\Aaron\AppData\Local\Temp\Uninstall.exe
    2017-01-29 19:24 - 2017-01-29 19:24 - 000739904 _____ (Oracle Corporation) C:\Users\aaron_000\AppData\Local\Temp\jre-8u121-windows-au.exe
    2017-04-28 08:28 - 2017-04-28 08:28 - 000739904 _____ (Oracle Corporation) C:\Users\aaron_000\AppData\Local\Temp\jre-8u131-windows-au.exe
    2017-08-29 12:50 - 2017-08-29 12:50 - 000740416 _____ (Oracle Corporation) C:\Users\aaron_000\AppData\Local\Temp\jre-8u144-windows-au.exe
    2017-10-27 18:58 - 2017-10-27 18:59 - 001856576 _____ (Oracle Corporation) C:\Users\aaron_000\AppData\Local\Temp\jre-8u151-windows-au.exe
    2018-05-05 20:51 - 2018-05-05 20:51 - 001884616 _____ (Oracle Corporation) C:\Users\aaron_000\AppData\Local\Temp\jre-8u171-windows-au.exe
    2017-10-03 13:28 - 2017-10-03 13:29 - 058881488 _____ (Skype Technologies S.A.) C:\Users\aaron_000\AppData\Local\Temp\SkypeSetup.exe
    Task: {1FF5C61D-DA9E-43EF-8CB0-60C3E4AFE0FF} - System32\Tasks\ReimageUpdater => C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe [2018-04-25] (Reimage®) <==== ATTENTION
End:

Link to post
Share on other sites
Kevin Zoll

Kevin Zoll 309

Posted
Posted

This one line:

C:\Program Files\KMSpico\KMSELDI.exe     detected: Application.Hacktool.KMSActivator.N (B) [krnl.xmd]

Tells me that this copy of Windows is not porperly activated.

I cannot provide further assistance until this copy of Windows is properly licensed and activated.

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Followers 2
Go to topic listing

  • Recently Browsing   0 members

    No registered users viewing this page.

Products & Services

Ransomware/Malware Removal

Partners

Resources

Company

© 2003-2021 Emsisoft - 02/27/2021 - Legal Notice - Terms - Bug Bounty - System Status - Privacy Policy

×
×
  • Create New...