
Unable to run Rkill, Any antivirus, or any antimalware [Solved]



#1
nuclearfenix, Member

Looks like I got something bad. I'm unable to run any of those programs, and right-clicking on a desktop icon will cause Windows Explorer to crash.
I've tried every variant of Rkill and exehelper (or whatever it's called).

Edit: Log Removed


Edited by nuclearfenix, 02 November 2015 - 07:06 PM.



#2
Essexboy, GeekU Moderator (Retired Staff)

Could you please save the logs in Notepad, as removing the line numbers increases the time to create the fix and can lead to errors.

#3
nuclearfenix, Member (Topic Starter)

I attached it as a .txt file.

Edit: accidentally attached 2 of the same file.


Edited by nuclearfenix, 02 November 2015 - 07:06 PM.


#4
Essexboy, GeekU Moderator (Retired Staff)

Be advised I have tried to repair three of these and have so far failed.

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open Notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
HKLM\...\Run: [K2EmZbhwD2FA] => regsvr32.exe /s "C:\PROGRA~3\K2EmZbhwD2FA.dll"
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [vProt] => C:\Program Files (x86)\AVG Secure Search\vprot.exe [2567568 2015-09-14] ()
HKLM-x32\...\Run: [Chrome] => C:\PROGRA~3\taskhost.exe
HKU\S-1-5-21-873290855-3091303886-2872953217-1000\...\Run: [1994346424] => regsvr32.exe "C:\ProgramData\Derham\PoyMidb.dll"
HKU\S-1-5-21-873290855-3091303886-2872953217-1000\...\Run: [BackUp742466069] => C:\Users\Kyle\AppData\Roaming\BackUp742466069.exe
HKU\S-1-5-21-873290855-3091303886-2872953217-1000\...\Run: [Chrome] => C:\PROGRA~3\taskhost.exe
HKU\S-1-5-21-873290855-3091303886-2872953217-1000\...\Policies\Explorer: [NoRealMode] 0
HKU\S-1-5-18\...\Run: [Chrome] => C:\PROGRA~3\taskhost.exe
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-873290855-3091303886-2872953217-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
SearchScopes: HKLM-x32 -> DefaultScope {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = hxxp://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2475029
SearchScopes: HKLM-x32 -> {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = hxxp://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2475029
SearchScopes: HKU\S-1-5-21-873290855-3091303886-2872953217-1000 -> {672363B6-76AD-4FEE-8D33-92AFFA686D2B} URL = hxxp://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3220468
BHO-x32: No Name -> {0817A182-CB97-4FB1-A523-D7801636D9Ab} -> No File
Toolbar: HKU\.DEFAULT -> No Name - {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
Toolbar: HKU\.DEFAULT -> No Name - {88C7F2AA-F93F-432C-8F0E-B7D85967A527} - No File
Toolbar: HKU\.DEFAULT -> No Name - {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
Toolbar: HKU\S-1-5-21-873290855-3091303886-2872953217-1000 -> No Name - {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
Toolbar: HKU\S-1-5-21-873290855-3091303886-2872953217-1000 -> No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No File
FF NewTab: hxxp://search.conduit.com/?gd=&ctid=CT3324790&octid=EB_ORIGINAL_CTID&ISID=MC6FF9A83-B0F5-4349-BE24-68EAD8DF1FAA&SearchSource=69&CUI=&SSPV=&Lay=1&UM=5&UP=SP9415AD67-FB27-4E82-AC9C-B0A55F328E94
FF DefaultSearchEngine: MyAshampoo Customized Web Search
FF SearchEngineOrder.1: Ask.com
FF SelectedSearchEngine: Conduit Search
FF Homepage: about:home
FF Keyword.URL: hxxp://trovi.com/ResultsExt.aspx?ctid=CT2475029&SearchSource=2&CUI=UN59920429494782115&UM=4&q=
FF Plugin-x32: @thrixxx.com/WebLaunch -> C:\Program Files (x86)\thriXXX\WebLaunch\Binaries\npWebLaunch.dll [No File]
FF SearchPlugin: C:\Users\Kyle\AppData\Roaming\Mozilla\Firefox\Profiles\gnf8goa4.default\searchplugins\conduit-search.xml [2014-05-02]
FF SearchPlugin: C:\Users\Kyle\AppData\Roaming\Mozilla\Firefox\Profiles\gnf8goa4.default\searchplugins\myashampoo-customized-web-search.xml [2013-12-26]
FF SearchPlugin: C:\Users\Kyle\AppData\Roaming\Mozilla\Firefox\Profiles\gnf8goa4.default\searchplugins\MyStart Search.xml [2014-01-02]
FF SearchPlugin: C:\Users\Kyle\AppData\Roaming\Mozilla\Firefox\Profiles\gnf8goa4.default\searchplugins\search-defender.xml [2012-07-27]
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\searchplugins\answers.xml [2010-04-01]
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\searchplugins\avg-secure-search.xml [2015-09-14]
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\searchplugins\creativecommons.xml [2010-04-01]
FF SearchPlugin: C:\Program Files (x86)\mozilla firefox\browser\searchplugins\avg-secure-search.xml [2015-09-14]
FF Extension: Conduit Engine - C:\Users\Kyle\AppData\Roaming\Mozilla\Firefox\Profiles\gnf8goa4.default\Extensions\[email protected] [2012-08-23] [not signed]
FF Extension: Firesheep - C:\Users\Kyle\AppData\Roaming\Mozilla\Firefox\Profiles\gnf8goa4.default\Extensions\[email protected] [2011-05-06] [not signed]
FF Extension: No Name - C:\Users\Kyle\AppData\Roaming\Mozilla\Firefox\Profiles\gnf8goa4.default\Extensions\[email protected] [2015-04-19] [not signed]
FF Extension: Nero Toolbar - C:\Users\Kyle\AppData\Roaming\Mozilla\Firefox\Profiles\gnf8goa4.default\Extensions\[email protected] [2011-05-13] [not signed]
FF Extension: Performance Cache - C:\Users\Kyle\AppData\Roaming\Mozilla\Firefox\Profiles\gnf8goa4.default\Extensions\[email protected] [2012-07-27] [not signed]
FF Extension: No Name - C:\Users\Kyle\AppData\Roaming\Mozilla\Firefox\Profiles\gnf8goa4.default\Extensions\{5911488E-9D1E-40ec-8CBB-06B231CC153F} [2015-04-19] [not signed]
FF Extension: MyAshampoo - C:\Users\Kyle\AppData\Roaming\Mozilla\Firefox\Profiles\gnf8goa4.default\Extensions\{a1e75a0e-4397-4ba8-bb50-e19fb66890f4} [2015-02-08] [not signed]
FF Extension: Free YouTube Download (Free Studio) Menu - C:\Users\Kyle\AppData\Roaming\Mozilla\Firefox\Profiles\gnf8goa4.default\Extensions\{ACAA314B-EEBA-48e4-AD47-84E31C44796C} [2011-10-20] [not signed]
FF Extension: No Name - C:\Users\Kyle\AppData\Roaming\Mozilla\Firefox\Profiles\gnf8goa4.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} [2015-07-12] [not signed]
FF Extension: No Name - C:\Users\Kyle\AppData\Roaming\Mozilla\Firefox\Profiles\gnf8goa4.default\Extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781} [2015-04-19] [not signed]
FF Extension: Yontoo - C:\Users\Kyle\AppData\Roaming\Mozilla\Firefox\Profiles\gnf8goa4.default\Extensions\[email protected] [2013-12-26] [not signed]
FF ExtraCheck: C:\Program Files (x86)\mozilla firefox\firefox.cfg [2013-10-17] <==== ATTENTION
S2 Updater Service for StartNow Toolbar; C:\Program Files (x86)\StartNow Toolbar\ToolbarUpdaterService.exe [X]
S3 76251561; no ImagePath
S3 BS742466069; \??\C:\Users\Kyle\AppData\Local\Temp\NTFS.sys [X]
2015-10-31 07:40 - 2015-10-31 07:40 - 00000000 ___HD C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}
2015-10-31 20:19 - 2014-05-02 01:06 - 00000000 ____D C:\Program Files (x86)\MyPC Backup
2015-10-31 20:19 - 2013-10-17 01:50 - 00000000 ____D C:\Windows\system32\ljkb
2011-09-16 01:42 - 2011-09-16 01:42 - 0001272 ___SH () C:\ProgramData\5b5s8f0nhi1
2011-11-12 20:56 - 2011-11-12 20:58 - 0000456 _____ () C:\ProgramData\aBEWbxTnc1G2OW
2011-11-17 12:12 - 2011-11-17 12:14 - 0000456 _____ () C:\ProgramData\k7wHOKf9bJkeS5
2011-11-11 20:40 - 2011-11-11 20:40 - 0000336 _____ () C:\ProgramData\nit1x7kK3IL0id
2011-11-17 11:32 - 2011-11-17 11:34 - 0000456 _____ () C:\ProgramData\t3scuboPLW6vZC
2011-11-12 20:56 - 2011-11-12 20:56 - 0000296 _____ () C:\ProgramData\~aBEWbxTnc1G2OW
2011-11-12 20:56 - 2011-11-12 20:56 - 0000224 _____ () C:\ProgramData\~aBEWbxTnc1G2OWr
2011-11-17 12:12 - 2011-11-17 12:12 - 0000288 _____ () C:\ProgramData\~k7wHOKf9bJkeS5
2011-11-17 12:12 - 2011-11-17 12:12 - 0000216 _____ () C:\ProgramData\~k7wHOKf9bJkeS5r
2011-11-11 20:40 - 2011-11-11 20:40 - 0000296 _____ () C:\ProgramData\~nit1x7kK3IL0id
2011-11-11 20:40 - 2011-11-11 20:40 - 0000232 _____ () C:\ProgramData\~nit1x7kK3IL0idr
2011-11-17 11:33 - 2011-11-17 11:33 - 0000288 _____ () C:\ProgramData\~t3scuboPLW6vZC
2011-11-17 11:33 - 2011-11-17 11:33 - 0000216 _____ () C:\ProgramData\~t3scuboPLW6vZCr
C:\Windows\assembly\tmp
C:\Windows\assembly\tmp\@
C:\Windows\assembly\tmp\cfg.ini
C:\Users\Kyle\Stick RPG 2 Director's Cut V 1.0.exe
C:\Users\Kyle\The_Escapists_v0.759_setup.exe
C:\Users\Kyle\Timber_and_Stone_v0.1.5b_setup.exe
C:\Users\Kyle\Timber_and_Stone_v1.51_setup.exe
C:\Users\Kyle\WindowsActivator.exe
C:\PROGRA~3\taskhost.exe
C:\Users\Kyle\AppData\Roaming\BackUp742466069.exe
C:\ProgramData\Derham\Poy
C:\Program Files (x86)\StartNow Toolbar
C:\Users\Kyle\AppData\Local\Temp\NTFS.sys
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe.
FRSTfix.JPG
Run FRST and press Fix.
On completion a log will be generated; please post that.

THEN

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT!!! Save ComboFix.exe to your Desktop.

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here.
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks.
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
2. Do not "re-run" ComboFix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot; that will cure it.

Please make sure you include the ComboFix log in your next reply, and also describe how your computer is running now.

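As an added defender-side example (not part of this thread and not FRST's own code): a small Python triage script that encodes the patterns visible in the Run-key lines of the fixlist above, such as regsvr32.exe loading a DLL from ProgramData, a system binary name like taskhost.exe running from C:\PROGRA~3, and an executable autostarting from a user's AppData, and applies them to FRST-formatted autorun lines. The sample lines are constructed in the same format, not taken from the poster's log.

```python
import re
from dataclasses import dataclass

# One FRST autorun line, e.g.  HKU\S-1-5-21-...\...\Run: [Name] => regsvr32.exe /s "C:\x\y.dll"
RUN_LINE = re.compile(r'^(?P<hive>HK[^\[]*?)\\\.\.\.\\Run: \[(?P<name>[^\]]*)\] => (?P<cmd>.*)$')
# First Windows path ending in an executable extension; spaces and quotes are allowed.
PATH_RE = re.compile(r'[A-Za-z]:\\.*?\.(?:exe|dll|sys)\b', re.IGNORECASE)
# Names that belong in %SystemRoot%\System32; the same name anywhere else is masquerading.
SYSTEM_BINARIES = {"taskhost.exe", "svchost.exe", "explorer.exe", "csrss.exe", "lsass.exe"}
# Directories a standard user can write to, so persistence there needs no admin rights.
USER_WRITABLE = ("\\programdata\\", "\\progra~3\\", "\\appdata\\", "\\temp\\")

@dataclass
class Finding:
    hive: str
    name: str
    path: str       # None when the command carries no recognisable file path
    reasons: list   # heuristic tags; empty for an entry that looks benign

def analyse(line):
    """Parse one Run-key line and record which heuristics it trips; None if not a Run line."""
    m = RUN_LINE.match(line)
    if not m:
        return None
    name, cmd = m.group("name"), m.group("cmd")
    path_match = PATH_RE.search(cmd)
    path = path_match.group(0) if path_match else None
    reasons = []
    if not name:
        reasons.append("empty-value-name")  # legitimate installers name their entries
    if path:
        low = path.lower()
        in_user_dir = any(d in low for d in USER_WRITABLE)
        if cmd.lower().startswith("regsvr32") and in_user_dir:
            reasons.append("regsvr32-userwritable-dll")  # signed OS tool loading a dropped DLL
        elif in_user_dir:
            reasons.append("user-writable-autorun")
        if low.rsplit("\\", 1)[-1] in SYSTEM_BINARIES and "\\windows\\" not in low:
            reasons.append("system-name-outside-windows")
    return Finding(m.group("hive"), name, path, reasons)

def suspicious_entries(lines):
    """Return only the Run entries that trip at least one heuristic, in input order."""
    return [f for f in map(analyse, lines) if f and f.reasons]

# Constructed sample lines in the FRST format of the post above (not the poster's real log).
SAMPLE_LINES = r"""
HKLM\...\Run: [Ab7QxZ9kLm] => regsvr32.exe /s "C:\PROGRA~3\Ab7QxZ9kLm.dll"
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [Chrome] => C:\PROGRA~3\taskhost.exe
HKU\S-1-5-21-0-0-0-1000\...\Run: [BackUp12345] => C:\Users\Alice\AppData\Roaming\BackUp12345.exe
HKLM\...\Run: [RtHDVCpl] => C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe [12345 2014-01-01] (Realtek)
""".strip().splitlines()
```

Running `suspicious_entries(SAMPLE_LINES)` flags the first four constructed entries and leaves the Realtek entry alone; the tags say why each one was flagged.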

#5
nuclearfenix, Member (Topic Starter)

Should I do this in standard startup, Safe Mode, or Safe Mode with Networking?

And is there anything I can do about the 3 that were unable to be fixed?



#6
Essexboy, GeekU Moderator (Retired Staff)

Safe Mode with Networking if possible. Basically, on the other three, Windows system files were damaged and an upgrade to Windows 10 cured it.

#7
nuclearfenix, Member (Topic Starter)

So I did the FRST and it finished, and said it was gonna restart. But I decided to download and run ComboFix, and I'm not sure if ComboFix finished or not, because my computer automatically restarted and there is no ComboFix log on my Desktop or in C:\.

Should I rerun ComboFix?

Also, should I run it from standard or Safe Mode w/ Networking again?

EDIT: Log removed


Edited by nuclearfenix, 02 November 2015 - 07:07 PM.


#8
nuclearfenix, Member (Topic Starter)

Just an update: I used Hiren's to be able to scan my computer. I immediately ran Malwarebytes. Got rid of what I could. I am now able to start up in standard and run antivirus and antimalware. But now it seems like the malware caused a bit of damage.

Whenever I right click, Windows Explorer crashes. And now I can only access the Internet in Safe Mode with Networking.
In standard it says no Internet access. Computer is hardwired.


Update: I've fixed the right click issue, but my Internet is still knocked out. My original setup was bridged and worked perfectly. Now when it's bridged it gives me the yellow marker. Disabling the bridge and the bridged connection allows for "Internet access", but just trying to get to Google will time me out. IPv4 shows a connection. IPv6 no longer shows access.

Edited by nuclearfenix, 02 November 2015 - 04:52 AM.


#9
Essexboy, GeekU Moderator (Retired Staff)

What did MBAM remove?

Running additional programmes means I have no idea what has happened. Has your AV started again?

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\system32\drivers\mxaeotnt.sys
c:\windows\SYSNATIVE\drivers\mxaeotnt.sys
c:\windows\system32\drivers\tcjuzisz.sys
c:\windows\SYSNATIVE\drivers\tcjuzisz.sys

Driver::
mxaeotnt
tcjuzisz


Save this as CFScript.txt, in the same location as ComboFix.exe.


CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

THEN

Re-install Chrome

Unless you did this yourself, malware has changed your Chrome version into the Development Build. Among other things this allows malware to install any extension it wants. We need to resolve this.

1. If you have bookmarks, let's save them by exporting them - Export Bookmarks
2. Then I need you to go to Google Sync and sign into your account.
3. Scroll down until you see the "Stop and Clear" button and click on it. At the prompt click on "Ok".
4. Now we need to uninstall Chrome.
Note: When asked about user data or settings you must remove this also, so please check the box.
5. Restart the computer and reinstall Chrome. You can download the latest version from here - Google Chrome
6. Import your bookmarks back into Chrome.
7. Sign back in to your Chrome browser so that your bookmarks sync with your online account.

#10
nuclearfenix, Member (Topic Starter)

While I was going through the steps, I found I couldn't close out BitDefender, so I started going through the options and turning them off.
Then my computer froze for a second or 2 and I noticed a DropBox pop-up in the bottom. I know that the pop-up only happens when I'm connected to the Internet, so I opened up my browser and typed in random sites, and my Internet is fully working. So BitDefender is interfering with my connection. This has never happened before.

To be more specific, the option under Firewall called Block Internet Connection Sharing is what is killing my Internet.

Should I uninstall it and reinstall it? Or get rid of it completely?


Edited by nuclearfenix, 02 November 2015 - 01:36 PM.



#11
Essexboy, GeekU Moderator (Retired Staff)

Yes, uninstall BitDefender if you can, then run the CFScript and uninstall Chrome.

Then run a fresh FRST scan.

#12
nuclearfenix, Member (Topic Starter)

Ok, I'll do that and post it here. My computer is also still running very slow.



#13
Essexboy, GeekU Moderator (Retired Staff)

I hope it will be a bit faster when you carry out the two fixes.



#14
nuclearfenix, Member (Topic Starter)

Here are the logs

Attached Files



#15
Essexboy, GeekU Moderator (Retired Staff)

Is Panda working now?

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open Notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
HKU\S-1-5-18\...\Run: [ctfmon.exe] => C:\WINDOWS\system32\ctfmon.exe [9728 2009-07-13] (Microsoft Corporation)
S1 tcjuzisz; \??\C:\Windows\system32\drivers\tcjuzisz.sys [X]
C:\Windows\system32\drivers\tcjuzisz.sys
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: ipconfig /release
CMD: ipconfig /renew
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
EmptyTemp:
CMD: bitsadmin /reset /allusers


Save this as fixlist.txt, in the same location as FRST.exe.
FRSTfix.JPG
Run FRST and press Fix.
On completion a log will be generated; please post that.

THEN

Download aswMBR.exe (4.5 MB) to your desktop.
Double click the aswMBR.exe to run it.
You may be offered the option of using virtualisation; accept that.
When it offers to download the virus database, allow that as well.
Click the "Scan" button to start the scan.

AswMBR%20scan.JPG


On completion of the scan click Save log, save it to your desktop and post it in your next reply.





