BlackTunicLink

CLOSED I've recently been having memory issues with my laptop.

By BlackTunicLink, in Help, my PC is infected!

Recommended Posts

Kevin Zoll    279

Kevin Zoll
Posted

Hello,

Please run FRST from an account that has administrative privileges. From what is reported in the log, malware is present on this system.

Unless FRST is run from an account with administrative privileges any fix I give you will not be complete and will not run properly.

Share this post

Link to post
Share on other sites

Kevin Zoll    279

Kevin Zoll
Posted

Please run FRST again. Next, select and copy the following text, including the words Start:: and End::. Switch back to the FRST program window, and click the Fix button. It should read the fix directly from the clipboard and run the fix. When it is finished, please attach the fixlog.txt file it created in the same folder the FRST program is in.

Start::
    HKLM\...\RunOnce: [00D24A500D012BC425D6] => "C:\program files (x86)\microsoft visual studio\installer\vs_installershell.exe" resume --installPath "C:\Program Files (x86)\Microsoft Visual Studio\2017\Community" --runOnce --installSessionId fdbdd (the data entry has 31 more characters).
    HKU\S-1-5-21-386915118-960498976-1513988707-1001\...\Run: [appnhost] => C:\Users\Aaron\AppData\Local\Mixesoft\AppNHost\appnhost.exe
    HKU\S-1-5-21-386915118-960498976-1513988707-1001\...\RunOnce: [Application Restart #0] => C:\Windows\SysWOW64\mshta.exe "C:\Users\AARON_~1\AppData\Local\Temp\HYD6AAB.tmp.1478775789\HTA\index.hta?bittorrent"  "C:\Users\aaron_000\Downloads\BitTorrent.exe" /LOG "C:\Users\AARON_~1\AppData\Loca (the data entry has 395 more characters). <==== ATTENTION
    HKU\S-1-5-21-386915118-960498976-1513988707-1001\...\RunOnce: [Application Restart #1] => C:\Windows\SysWOW64\mshta.exe [12800 2014-10-30] (Microsoft Corporation) <==== ATTENTION
    HKU\S-1-5-21-386915118-960498976-1513988707-1005\...\MountPoints2: {4627194d-806b-11e7-82c7-00262dadf1f7} - "D:\windows\AutoRun.exe"
    HKU\S-1-5-21-386915118-960498976-1513988707-1005\...\MountPoints2: {749587d2-9105-11e7-82d8-00262dadf1f7} - "D:\windows\AutoRun.exe"
    HKU\S-1-5-21-386915118-960498976-1513988707-1005\...\MountPoints2: {b0644a5b-bb3b-11e7-831b-00262dadf1f7} - "D:\windows\AutoRun.exe"
    GroupPolicy: Restriction ? <==== ATTENTION
    CHR StartupUrls: Default -> "hxxp://www.trovi.com/?gd=&ctid=CT3331316&octid=EB_ORIGINAL_CTID&ISID=MFC26B4C7-4019-4D3B-A8AD-3476BA762A83&SearchSource=55&CUI=&UM=6&UP=SPBA857B00-7EBC-4C5B-A577-84AFA9126E93&SSPV=","hxxp://www.msn.com/?pc=AV01","hxxp://www.trovi.com/?gd=&ctid=CT3331316&octid=EB_ORIGINAL_CTID&ISID=MFC26B4C7-4019-4D3B-A8AD-3476BA762A83&SearchSource=55&CUI=&UM=6&UP=SPBA857B00-7EBC-4C5B-A577-84AFA9126E93&SSPV=SE4BROWGB_sp_ch","hxxp://www.google.com","hxxp://mail.ru/cnt/10445?gp=818406"
    R2 ReimageRealTimeProtector; C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe [9037680 2018-04-25] (Reimage®)
    2018-06-17 18:28 - 2018-06-20 18:48 - 000000000 ____D C:\ProgramData\Reimage Protector
    2018-06-17 18:28 - 2018-06-17 18:52 - 000000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Reimage Repair
    2018-06-17 18:28 - 2018-06-17 18:28 - 000004268 _____ C:\Windows\System32\Tasks\ReimageUpdater
    2018-06-17 18:27 - 2018-06-17 18:35 - 000000000 ____D C:\rei
    2018-06-17 18:27 - 2018-06-17 18:28 - 000000000 ____D C:\Program Files\Reimage
    2018-06-17 18:25 - 2018-06-17 18:50 - 000000140 _____ C:\Windows\Reimage.ini
    C:\Windows\SysWOW64\mshta.exe
    2017-07-27 19:37 - 2017-07-10 11:53 - 000819256 _____ (BlueStack Systems, Inc.) C:\Users\Aaron\AppData\Local\Temp\BlueStacksClientUninstaller.exe
    2017-12-02 07:53 - 2017-12-02 07:53 - 000290304 _____ (Microsoft Corporation) C:\Users\Aaron\AppData\Local\Temp\CakeTubeSdk.Windows.Service.subinacl.exe
    2017-07-27 19:37 - 2017-07-10 11:53 - 000421400 _____ (CodeTitans) C:\Users\Aaron\AppData\Local\Temp\JSON.dll
    2018-06-17 18:26 - 2018-06-17 18:27 - 015208160 _____ (Reimage) C:\Users\Aaron\AppData\Local\Temp\ReimagePackage.exe
    2017-02-19 13:40 - 2017-09-18 15:16 - 000134704 _____ (mIRC Co. Ltd.) C:\Users\Aaron\AppData\Local\Temp\Uninstall.exe
    2017-01-29 19:24 - 2017-01-29 19:24 - 000739904 _____ (Oracle Corporation) C:\Users\aaron_000\AppData\Local\Temp\jre-8u121-windows-au.exe
    2017-04-28 08:28 - 2017-04-28 08:28 - 000739904 _____ (Oracle Corporation) C:\Users\aaron_000\AppData\Local\Temp\jre-8u131-windows-au.exe
    2017-08-29 12:50 - 2017-08-29 12:50 - 000740416 _____ (Oracle Corporation) C:\Users\aaron_000\AppData\Local\Temp\jre-8u144-windows-au.exe
    2017-10-27 18:58 - 2017-10-27 18:59 - 001856576 _____ (Oracle Corporation) C:\Users\aaron_000\AppData\Local\Temp\jre-8u151-windows-au.exe
    2018-05-05 20:51 - 2018-05-05 20:51 - 001884616 _____ (Oracle Corporation) C:\Users\aaron_000\AppData\Local\Temp\jre-8u171-windows-au.exe
    2017-10-03 13:28 - 2017-10-03 13:29 - 058881488 _____ (Skype Technologies S.A.) C:\Users\aaron_000\AppData\Local\Temp\SkypeSetup.exe
    Task: {1FF5C61D-DA9E-43EF-8CB0-60C3E4AFE0FF} - System32\Tasks\ReimageUpdater => C:\Program Files\Reimage\Reimage Protector\ReiGuard.exe [2018-04-25] (Reimage®) <==== ATTENTION
End:

Share this post

Link to post
Share on other sites

Kevin Zoll    279

Kevin Zoll
Posted

Let's take a fresh look.

Run fresh scans with Emsisoft Emergency Kit (EEK) and FRST, attach the new EEK and FRST scans to your reply.

Be sure to let me know how things are running.

Share this post

Link to post
Share on other sites

Kevin Zoll    279

Kevin Zoll
Posted

This one line:

C:\Program Files\KMSpico\KMSELDI.exe     detected: Application.Hacktool.KMSActivator.N (B) [krnl.xmd]

Tells me that this copy of Windows is not porperly activated.

I cannot provide further assistance until this copy of Windows is properly licensed and activated.

Share this post

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
Go To Topic Listing

  • Recently Browsing   0 members

    No registered users viewing this page.