Post by nanadeb on Jan 19, 2015 17:51:58 GMT -8
Quads
Malware Removalists
In New Zealand
Posts: 9,387
Post by Quads on Jan 19, 2015 18:16:42 GMT -8
hahahahahahaha
Your "Safe Mode" is not what we call Safe Mode, and is not what Windows calls Safe Mode either. A user account called "Safe Mode" is not Safe Mode when a user is asked to load into Safe Mode, or when you said "Have tried this in safe mode".
Your "Safe Mode" is running in Normal Mode.
Quads
Post by nanadeb on Jan 20, 2015 4:37:30 GMT -8
Seriously Quads? I know that! I created an additional admin account and called it Safe Mode as the NAME. I know how to restart into safe mode and believe me, I have tried that. I suppose I should have told you about that when I first posted too - sorry for any confusion it may have caused.
Post by Quads on Jan 20, 2015 8:39:51 GMT -8
Press the Windows key + R on your keyboard at the same time. Type notepad and click OK. Copy the entire content of the codebox below and paste it into Notepad (including start and end):

start
HKLM\...\Run: [kjsdbk] => C:\ProgramData\kjsdbk.exe [101487 2015-01-13] ()
C:\ProgramData\kjsdbk.exe
HKLM-x32\...\Run: [] => [X]
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Malwarebytes <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\Malwarebytes' Anti-Malware <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\PC Tools <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\Symantec <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\Common Files\Symantec Shared <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\McAfee <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Symantec <====== ATTENTION
HKLM\...\Policies\Explorer\Run: [{d0b70d37-e9f4-42f4-b7a3-7e76c997d560}] => "C:\ProgramData\Microsoft\{d0b70d37-e9f4-42f4-b7a3-7e76c997d560}\{d0b70d37-e9f4-42f4-b7a3-7e76c997d560}.exe" No File
C:\ProgramData\Microsoft\{d0b70d37-e9f4-42f4-b7a3-7e76c997d560}
HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig] <===== ATTENTION
HKU\S-1-5-18\...\RunOnce: [adaware] => reg.exe delete "HKCU\Software\AppDataLow\Software\adaware" /f
HKU\S-1-5-18\...\RunOnce: [adaware_XP] => reg.exe delete "HKCU\Software\adaware" /f
SearchScopes: HKLM -> {18F38342-86A6-439C-82E8-74C0EAA3AE59} URL = www.ask.com/web?q={searchterms}&l=dis&o=ushpd
SearchScopes: HKLM-x32 -> {18F38342-86A6-439C-82E8-74C0EAA3AE59} URL = www.ask.com/web?q={searchterms}&l=dis&o=ushpd
S3 BS518785833; \??\C:\Users\Deb\AppData\Local\Temp\NTFS.sys [X]
2015-01-16 23:55 - 2015-01-17 16:58 - 00003616 _____ () C:\Windows\System32\Tasks\Ad-Aware Update (Weekly)
2015-01-13 08:50 - 2015-01-13 08:50 - 00101487 _____ () C:\ProgramData\kjsdbk.exe
end

Remembering for the below that your FRST is named explorer.exe: click File, Save As and type fixlist (.txt may be seen on the end depending on the system setup) as the File Name. Both files, FRST and fixlist.txt, have to be in the same location or the fix will not work!
Right-click on the FRST icon and select Run as Administrator to start FRST. (XP users click Run after receipt of the Windows Security Warning - Open File.) Press the Fix button just once and wait. If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run. When finished, FRST will generate a log on the Desktop called Fixlog.txt. Paste or attach it back here.
Quads
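The fixlist above targets four things at once: Run-key and Policies\Explorer\Run autoruns, Software Restriction Policy (SRP) path rules that FRST reports as "Group Policy restriction on software" and that stop security tools from launching, a policy that disables System Restore, and a driver service pointing into a user's Temp folder. The following PowerShell audit is an added example written for this editorial pass; it is not code from the thread, from Quads, or from FRST. It reads the same registry locations so the output can be compared with a fresh FRST scan after the fix. Everything it assumes is mine: an elevated PowerShell 5.1 or later session on the affected machine, a vendor-name list used to decide which SRP rules look hostile, and the "Suspicious" heuristics (missing image, image under ProgramData, bare-GUID value name, driver in Temp).

```powershell
# Added audit script (not from the thread or from FRST). Run elevated.
# Assumptions: PowerShell 5.1+, the $vendors list and the Suspicious heuristics are my own.

$findings = @()
$ignore   = 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'

# 1. SRP path rules at security level 0 (Disallowed). FRST lists these as
#    "Group Policy restriction on software". A rule covering an AV folder means
#    that vendor's executables silently fail to start, which is what the thread saw
#    with mbar.exe until the rules were removed.
$srpPaths = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths'
$vendors  = 'Malwarebytes','Symantec','McAfee','PC Tools','Kaspersky','ESET','Avast','AVG','Bitdefender'
if (Test-Path $srpPaths) {
    foreach ($rule in Get-ChildItem $srpPaths) {
        $item = (Get-ItemProperty $rule.PSPath).ItemData      # the restricted path
        $findings += [pscustomobject]@{
            Finding    = 'SRP disallow rule'
            Detail     = $item
            Suspicious = [bool]($vendors | Where-Object { $item -like "*$_*" })
        }
    }
}

# 2. Autorun values in the Run keys and the policy-driven Explorer\Run key.
$autorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)
foreach ($key in $autorunKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty $key).PSObject.Properties) {
        if ($ignore -contains $p.Name) { continue }
        $cmd = [string]$p.Value
        # Image path: a quoted first token, otherwise everything up to the first space.
        $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split ' ')[0] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        $missing = [string]::IsNullOrWhiteSpace($exe) -or -not (Test-Path -LiteralPath $exe)
        $findings += [pscustomobject]@{
            Finding    = 'Autorun'
            Detail     = "$key\$($p.Name) => $cmd"
            Suspicious = $missing -or
                         ($exe -like '*\ProgramData\*') -or
                         ($p.Name -match '^\{[0-9a-f-]{36}\}$')
        }
    }
}

# 3. Policy that disables System Restore, removing the easiest rollback path.
$srKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'
if (Test-Path $srKey) {
    $sr = Get-ItemProperty $srKey
    foreach ($name in 'DisableSR','DisableConfig') {
        if ($sr.$name -eq 1) {
            $findings += [pscustomobject]@{ Finding = 'SystemRestore policy'; Detail = "$name = 1"; Suspicious = $true }
        }
    }
}

# 4. Services or drivers whose binary lives in a user's Temp folder
#    (the thread's "S3 BS518785833; \??\C:\Users\Deb\AppData\Local\Temp\NTFS.sys").
foreach ($svc in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue) {
    $img = (Get-ItemProperty $svc.PSPath -ErrorAction SilentlyContinue).ImagePath
    if ($img -and $img -match 'AppData\\Local\\Temp') {
        $findings += [pscustomobject]@{ Finding = 'Service in Temp'; Detail = "$($svc.PSChildName) => $img"; Suspicious = $true }
    }
}

$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize -Wrap
```

Run it before and after a fix and diff the two listings; a clean post-fix run should show no rows marked Suspicious. The heuristics are deliberately simple and will flag legitimate ProgramData-based autoruns, so treat the output as a list of things to look at, not a verdict.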
Post by nanadeb on Jan 20, 2015 9:08:28 GMT -8
Completed.
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 19-01-2015
Ran by Safe Mode at 2015-01-20 12:06:26 Run:1
Running from C:\Users\Safe Mode\Desktop
Loaded Profiles: Safe Mode (Available profiles: Deb & Safe Mode)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
start
HKLM\...\Run: [kjsdbk] => C:\ProgramData\kjsdbk.exe [101487 2015-01-13] ()
C:\ProgramData\kjsdbk.exe
HKLM-x32\...\Run: [] => [X]
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Malwarebytes <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\Malwarebytes' Anti-Malware <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\PC Tools <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\Symantec <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\Common Files\Symantec Shared <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\McAfee <====== ATTENTION
HKLM Group Policy restriction on software: C:\Documents and Settings\All Users\Application Data\Symantec <====== ATTENTION
HKLM\...\Policies\Explorer\Run: [{d0b70d37-e9f4-42f4-b7a3-7e76c997d560}] => "C:\ProgramData\Microsoft\{d0b70d37-e9f4-42f4-b7a3-7e76c997d560}\{d0b70d37-e9f4-42f4-b7a3-7e76c997d560}.exe" No File
C:\ProgramData\Microsoft\{d0b70d37-e9f4-42f4-b7a3-7e76c997d560}
HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore: [DisableSR/DisableConfig] <===== ATTENTION
HKU\S-1-5-18\...\RunOnce: [adaware] => reg.exe delete "HKCU\Software\AppDataLow\Software\adaware" /f
HKU\S-1-5-18\...\RunOnce: [adaware_XP] => reg.exe delete "HKCU\Software\adaware" /f
SearchScopes: HKLM -> {18F38342-86A6-439C-82E8-74C0EAA3AE59} URL = www.ask.com/web?q={searchterms}&l=dis&o=ushpd
SearchScopes: HKLM-x32 -> {18F38342-86A6-439C-82E8-74C0EAA3AE59} URL = www.ask.com/web?q={searchterms}&l=dis&o=ushpd
S3 BS518785833; \??\C:\Users\Deb\AppData\Local\Temp\NTFS.sys [X]
2015-01-16 23:55 - 2015-01-17 16:58 - 00003616 _____ () C:\Windows\System32\Tasks\Ad-Aware Update (Weekly)
2015-01-13 08:50 - 2015-01-13 08:50 - 00101487 _____ () C:\ProgramData\kjsdbk.exe
end
*****************

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\kjsdbk => value deleted successfully.
C:\ProgramData\kjsdbk.exe => Moved successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value deleted successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM => Group Policy Restriction on software restored successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\\{d0b70d37-e9f4-42f4-b7a3-7e76c997d560} => value deleted successfully.
C:\ProgramData\Microsoft\{d0b70d37-e9f4-42f4-b7a3-7e76c997d560} => Moved successfully.
"HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore" => Key deleted successfully.
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\RunOnce\\adaware => value deleted successfully.
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\RunOnce\\adaware_XP => value deleted successfully.
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{18F38342-86A6-439C-82E8-74C0EAA3AE59}" => Key deleted successfully.
HKCR\CLSID\{18F38342-86A6-439C-82E8-74C0EAA3AE59} => Key not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{18F38342-86A6-439C-82E8-74C0EAA3AE59}" => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{18F38342-86A6-439C-82E8-74C0EAA3AE59} => Key not found.
BS518785833 => Service deleted successfully.
C:\Windows\System32\Tasks\Ad-Aware Update (Weekly) => Moved successfully.
"C:\ProgramData\kjsdbk.exe" => File/Directory not found.

==== End of Fixlog 12:06:27 ====
Post by Quads on Jan 20, 2015 9:15:50 GMT -8
Now (especially after a restart for the changes to take effect) the malware that was found has been broken apart, and the SRPs (software restriction policies) Windows was using have been removed to unblock the security software.

Download Malwarebytes Anti-Rootkit to your Desktop.
Double-click "mbar.exe" to start the tool. Warning! Malwarebytes Anti-Rootkit needs to be run from an account with administrator rights.
Click "Next" in the introduction screen to continue.
Click "Update" in the following screen to obtain the latest malware definitions.
Once the update is complete, select "Next" and click "Scan".
When the scan is finished and no malware has been found, select "Exit".
Open the MBAR folder and paste or attach the content of the following files in your next reply:
"mbar-log-{date} (xx-xx-xx).txt"
"system-log.txt"
The below screenshot includes step 4 (cleanup); don't do that one yet.
Quads
Post by nanadeb on Jan 20, 2015 9:27:20 GMT -8
Unfortunately I was able to download the exe but when I click to "Run as administrator" or double click the icon on my desktop (which is named mbar-1.08.3.1004) nothing happens - nothing opens.
Post by Quads on Jan 20, 2015 9:34:26 GMT -8
Delete your copy of Addition.txt, then start FRST and run a scan to create 2 new logs.
Quads
Post by nanadeb on Jan 20, 2015 11:06:13 GMT -8
Post by Quads on Jan 20, 2015 13:28:29 GMT -8
What about when you rename mbar-1.08.3.1004 to explorer.exe first?
Quads