Inactive-A I think my PC infected by notepad virus

Status
Not open for further replies.
Is it possible that the issue has been fixed?
Here's the fixlog
 

Attachments

  • Fixlog.txt
    11.9 KB · Views: 1
It should be. You tell me :)

Fix result of Farbar Recovery Scan Tool (x64) Version: 02.08.2018
Ran by Snir (09-08-2018 22:39:35) Run:1
Running from C:\Users\Snir\Downloads
Loaded Profiles: Snir (Available Profiles: Snir)
Boot Mode: Normal
==============================================

fixlist content:
*****************
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Restriction <==== ATTENTION
HKU\S-1-5-21-512801715-1823237362-1597079278-1000\...\Run: [AdobeBridge] => [X]
GroupPolicy: Restriction - Windows Defender <==== ATTENTION
Startup: C:\Users\Snir\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iHYbYiJXFaNY.lnk [2017-01-07]
ShortcutTarget: iHYbYiJXFaNY.lnk -> C:\Users\Snir\AZazfUzV90bLDL7j\POda.exe (AutoIt Team)
Startup: C:\Users\Snir\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WaCiSORKWbCL.lnk [2016-10-14]
ShortcutTarget: WaCiSORKWbCL.lnk -> C:\Users\Snir\0jx2JCAW2rMXVnPr\QXNN.exe (AutoIt Team)
C:\Users\Snir\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iHYbYiJXFaNY.lnk
C:\Users\Snir\AZazfUzV90bLDL7j\POda.exe
C:\Users\Snir\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WaCiSORKWbCL.lnk
C:\Users\Snir\0jx2JCAW2rMXVnPr\QXNN.exe
BHO: No Name -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> No File
BHO-x32: No Name -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> No File
BHO-x32: Norton Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files (x86)\Norton Internet Security\Engine\21.7.0.11\IPS\IPSBHO.DLL => No File
S3 gdrv; \??\C:\Windows\gdrv.sys [X]
S3 NAVENG; \??\C:\Program Files (x86)\Norton Internet Security\NortonData\22.5.4.24\Definitions\SDSDefs\20160624.021\ENG64.SYS [X]
S3 NAVEX15; \??\C:\Program Files (x86)\Norton Internet Security\NortonData\22.5.4.24\Definitions\SDSDefs\20160624.021\EX64.SYS [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
S3 xhunter1; \??\C:\Windows\xhunter1.sys [X]
2016-05-27 20:16 - 2018-08-01 09:31 - 000000132 _____ () C:\Users\Snir\AppData\Roaming\Adobe BMP Format CS6 Prefs
2016-07-16 06:35 - 2017-09-28 17:00 - 000000132 _____ () C:\Users\Snir\AppData\Roaming\Adobe GIF Format CS6 Prefs
2016-05-27 20:17 - 2017-11-10 17:04 - 000000132 _____ () C:\Users\Snir\AppData\Roaming\Adobe PNG Format CS6 Prefs
2017-01-07 18:04 - 2017-01-07 18:04 - 001013127 _____ () C:\Users\Snir\AppData\Roaming\bEAGY
2016-10-14 17:27 - 2016-10-14 17:27 - 000829630 _____ () C:\Users\Snir\AppData\Roaming\KCeUL.au3
2017-01-07 18:04 - 2017-01-07 18:04 - 000937776 _____ (AutoIt Team) C:\Users\Snir\AppData\Roaming\POda.exe
2016-10-14 17:27 - 2016-10-14 17:27 - 000937776 _____ (AutoIt Team) C:\Users\Snir\AppData\Roaming\QXNN.exe
2016-12-27 18:01 - 2017-01-05 15:29 - 000884736 _____ () C:\Users\Snir\AppData\Local\app.exe
2018-08-04 10:04 - 2018-08-04 10:04 - 000007605 _____ () C:\Users\Snir\AppData\Local\Resmon.ResmonCfg
2017-12-21 17:41 - 2018-02-04 14:41 - 000000000 _____ () C:\Users\Snir\AppData\Local\Temptable.xml
2018-08-01 12:59 - 2018-06-08 18:22 - 001665344 _____ (Microsoft Corporation) C:\Users\Snir\AppData\Local\Temp\dllnt_dump.dll
2018-07-24 14:25 - 2018-07-24 14:25 - 001906040 _____ (Oracle Corporation) C:\Users\Snir\AppData\Local\Temp\jre-8u181-windows-au.exe
ShellIconOverlayIdentifiers: [ MEGA (Pending)] -> {056D528D-CE28-4194-9BA3-BA2E9197FF8C} => C:\Users\Snir\AppData\Local\MEGAsync\ShellExtX64.dll -> No File
ShellIconOverlayIdentifiers: [ MEGA (Synced)] -> {05B38830-F4E9-4329-978B-1DD28605D202} => C:\Users\Snir\AppData\Local\MEGAsync\ShellExtX64.dll -> No File
ShellIconOverlayIdentifiers: [ MEGA (Syncing)] -> {0596C850-7BDD-4C9D-AFDF-873BE6890637} => C:\Users\Snir\AppData\Local\MEGAsync\ShellExtX64.dll -> No File
ShellIconOverlayIdentifiers: [GDriveSharedOverlay] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43} => -> No File
ShellIconOverlayIdentifiers-x32: [ MEGA (Pending)] -> {056D528D-CE28-4194-9BA3-BA2E9197FF8C} => C:\Users\Snir\AppData\Local\MEGAsync\ShellExtX64.dll -> No File
ShellIconOverlayIdentifiers-x32: [ MEGA (Synced)] -> {05B38830-F4E9-4329-978B-1DD28605D202} => C:\Users\Snir\AppData\Local\MEGAsync\ShellExtX64.dll -> No File
ShellIconOverlayIdentifiers-x32: [ MEGA (Syncing)] -> {0596C850-7BDD-4C9D-AFDF-873BE6890637} => C:\Users\Snir\AppData\Local\MEGAsync\ShellExtX64.dll -> No File
ContextMenuHandlers1: [MEGA (Context menu)] -> {0229E5E7-09E9-45CF-9228-0228EC7D5F17} => C:\Users\Snir\AppData\Local\MEGAsync\ShellExtX64.dll -> No File
ContextMenuHandlers3: [MEGA (Context menu)] -> {0229E5E7-09E9-45CF-9228-0228EC7D5F17} => C:\Users\Snir\AppData\Local\MEGAsync\ShellExtX64.dll -> No File
ContextMenuHandlers4: [MEGA (Context menu)] -> {0229E5E7-09E9-45CF-9228-0228EC7D5F17} => C:\Users\Snir\AppData\Local\MEGAsync\ShellExtX64.dll -> No File
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => -> No File
Task: {0325A4D7-D4FB-4826-B471-244EC5306CED} - System32\Tasks\30542L36131y60376N77672 => C:\Windows\system32\rundll32.exe "C:\ProgramData\30542L36131y60376N77672\30542L36131y60376N77672.dll",LyNZXgZuPl <==== ATTENTION
C:\ProgramData\30542L36131y60376N77672\30542L36131y60376N77672.dll
Task: {B09129C4-E615-4D1B-98A5-8D1EDA9C355B} - System32\Tasks\98969L26591y45118N17706 => C:\Windows\system32\rundll32.exe "C:\ProgramData\98969L26591y45118N17706\98969L26591y45118N17706.dll",LyNZXgZuPl <==== ATTENTION
C:\ProgramData\98969L26591y45118N17706\98969L26591y45118N17706.dll

*****************

"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" => removed successfully
"HKU\S-1-5-21-512801715-1823237362-1597079278-1000\Software\Microsoft\Windows\CurrentVersion\Run\\AdobeBridge" => removed successfully
C:\Windows\system32\GroupPolicy\Machine => moved successfully
C:\Windows\system32\GroupPolicy\GPT.ini => moved successfully
C:\Users\Snir\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iHYbYiJXFaNY.lnk => moved successfully
C:\Users\Snir\AZazfUzV90bLDL7j\POda.exe => moved successfully
C:\Users\Snir\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WaCiSORKWbCL.lnk => moved successfully
C:\Users\Snir\0jx2JCAW2rMXVnPr\QXNN.exe => moved successfully
"C:\Users\Snir\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iHYbYiJXFaNY.lnk" => not found
"C:\Users\Snir\AZazfUzV90bLDL7j\POda.exe" => not found
"C:\Users\Snir\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WaCiSORKWbCL.lnk" => not found
"C:\Users\Snir\0jx2JCAW2rMXVnPr\QXNN.exe" => not found
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}" => removed successfully
"HKLM\Software\Classes\CLSID\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}" => removed successfully
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}" => removed successfully
"HKLM\Software\Wow6432Node\Classes\CLSID\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}" => removed successfully
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}" => removed successfully
"HKLM\Software\Wow6432Node\Classes\CLSID\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}" => removed successfully
"HKLM\System\CurrentControlSet\Services\gdrv" => removed successfully
gdrv => service removed successfully
"HKLM\System\CurrentControlSet\Services\NAVENG" => removed successfully
NAVENG => service removed successfully
"HKLM\System\CurrentControlSet\Services\NAVEX15" => removed successfully
NAVEX15 => service removed successfully
"HKLM\System\CurrentControlSet\Services\VGPU" => removed successfully
VGPU => service removed successfully
"HKLM\System\CurrentControlSet\Services\xhunter1" => removed successfully
xhunter1 => service removed successfully
C:\Users\Snir\AppData\Roaming\Adobe BMP Format CS6 Prefs => moved successfully
C:\Users\Snir\AppData\Roaming\Adobe GIF Format CS6 Prefs => moved successfully
C:\Users\Snir\AppData\Roaming\Adobe PNG Format CS6 Prefs => moved successfully
C:\Users\Snir\AppData\Roaming\bEAGY => moved successfully
C:\Users\Snir\AppData\Roaming\KCeUL.au3 => moved successfully
C:\Users\Snir\AppData\Roaming\POda.exe => moved successfully
C:\Users\Snir\AppData\Roaming\QXNN.exe => moved successfully
C:\Users\Snir\AppData\Local\app.exe => moved successfully
C:\Users\Snir\AppData\Local\Resmon.ResmonCfg => moved successfully
C:\Users\Snir\AppData\Local\Temptable.xml => moved successfully
C:\Users\Snir\AppData\Local\Temp\dllnt_dump.dll => moved successfully
C:\Users\Snir\AppData\Local\Temp\jre-8u181-windows-au.exe => moved successfully
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ MEGA (Pending) => invalid subkey removed.
"HKLM\Software\Classes\CLSID\{056D528D-CE28-4194-9BA3-BA2E9197FF8C}" => removed successfully
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ MEGA (Synced) => invalid subkey removed.
"HKLM\Software\Classes\CLSID\{05B38830-F4E9-4329-978B-1DD28605D202}" => removed successfully
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ MEGA (Syncing) => invalid subkey removed.
"HKLM\Software\Classes\CLSID\{0596C850-7BDD-4C9D-AFDF-873BE6890637}" => removed successfully
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\GDriveSharedOverlay" => removed successfully
HKLM\Software\Classes\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43} => not found
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ MEGA (Pending) => invalid subkey removed.
"HKLM\Software\Wow6432Node\Classes\CLSID\{056D528D-CE28-4194-9BA3-BA2E9197FF8C}" => removed successfully
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ MEGA (Synced) => invalid subkey removed.
"HKLM\Software\Wow6432Node\Classes\CLSID\{05B38830-F4E9-4329-978B-1DD28605D202}" => removed successfully
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ MEGA (Syncing) => invalid subkey removed.
"HKLM\Software\Wow6432Node\Classes\CLSID\{0596C850-7BDD-4C9D-AFDF-873BE6890637}" => removed successfully
"HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers\MEGA (Context menu)" => removed successfully
"HKLM\Software\Classes\CLSID\{0229E5E7-09E9-45CF-9228-0228EC7D5F17}" => removed successfully
"HKLM\Software\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers\MEGA (Context menu)" => removed successfully
HKLM\Software\Classes\CLSID\{0229E5E7-09E9-45CF-9228-0228EC7D5F17} => not found
"HKLM\Software\Classes\Directory\ShellEx\ContextMenuHandlers\MEGA (Context menu)" => removed successfully
HKLM\Software\Classes\CLSID\{0229E5E7-09E9-45CF-9228-0228EC7D5F17} => not found
"HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers\igfxcui" => removed successfully
HKLM\Software\Classes\CLSID\{3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => not found
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{0325A4D7-D4FB-4826-B471-244EC5306CED}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{0325A4D7-D4FB-4826-B471-244EC5306CED}" => removed successfully
C:\Windows\System32\Tasks\30542L36131y60376N77672 => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\30542L36131y60376N77672" => removed successfully
"C:\ProgramData\30542L36131y60376N77672\30542L36131y60376N77672.dll" => not found
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{B09129C4-E615-4D1B-98A5-8D1EDA9C355B}" => removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B09129C4-E615-4D1B-98A5-8D1EDA9C355B}" => removed successfully
C:\Windows\System32\Tasks\98969L26591y45118N17706 => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\98969L26591y45118N17706" => removed successfully
"C:\ProgramData\98969L26591y45118N17706\98969L26591y45118N17706.dll" => not found


The system needed a reboot.

==== End of Fixlog 22:39:41 ====
 
Last scans...

redtarget.gif
Download Security Check from here or here and save it to your Desktop.
  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

NOTE 1. If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access the Internet, allow it to do so.
NOTE 2. SecurityCheck may produce some false warning(s), so leave the results reading to me.
NOTE 3. If you receive UNSUPPORTED OPERATING SYSTEM! ABORTED! message restart computer and Security Check should run


redtarget.gif
Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
Make sure the following options are checked:
  • Internet Services
  • Windows Firewall
  • System Restore
  • Security Center
  • Windows Update
  • Windows Defender
  • Other Services

Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.


redtarget.gif
Download Temp File Cleaner (TFC)
Alternate download: http://www.itxassociates.com/OT-Tools/TFC.exe
  • Double click on TFC.exe to run the program.
  • Click on Start button to begin cleaning process.
  • TFC will close all running programs, and it may ask you to restart computer.


redtarget.gif
Download Sophos Free Virus Removal Tool and save it to your desktop.
  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View log file... (bottom left hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
 
So far things works fine, thank you very much.

This is the security check log:

Results of screen317's Security Check version 1.014 --- 12/23/15
Windows 7 Service Pack 1 x64 (UAC is enabled)
Internet Explorer 11
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
[size=1]WMI entry may not exist for antivirus; attempting automatic update.[/size]
`````````Anti-malware/Other Utilities Check:`````````
Java 8 Update 181
Java version 32-bit out of Date!
Adobe Flash Player 30.0.0.134
````````Process Check: objlist.exe by Laurent````````
Malwarebytes Anti-Malware mbamservice.exe
Malwarebytes Anti-Malware mbamgui.exe
Malwarebytes' Anti-Malware mbamscheduler.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 24% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````


FSS log:

Farbar Service Scanner Version: 27-01-2016
Ran by Snir (administrator) on 10-08-2018 at 09:52:03
Running from "C:\Users\Snir\Downloads"
Microsoft Windows 7 Ultimate Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Policy:
========================


Action Center:
============


Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => File is digitally signed
C:\Windows\System32\drivers\nsiproxy.sys => File is digitally signed
C:\Windows\System32\dhcpcore.dll => File is digitally signed
C:\Windows\System32\drivers\afd.sys => File is digitally signed
C:\Windows\System32\drivers\tdx.sys => File is digitally signed
C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\System32\dnsrslvr.dll => File is digitally signed
C:\Windows\System32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\System32\mpssvc.dll => File is digitally signed
C:\Windows\System32\bfe.dll => File is digitally signed
C:\Windows\System32\drivers\mpsdrv.sys => File is digitally signed
C:\Windows\System32\SDRSVC.dll => File is digitally signed
C:\Windows\System32\vssvc.exe => File is digitally signed
C:\Windows\System32\wscsvc.dll => File is digitally signed
C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\System32\wuaueng.dll => File is digitally signed
C:\Windows\System32\qmgr.dll => File is digitally signed
C:\Windows\System32\es.dll => File is digitally signed
C:\Windows\System32\cryptsvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
C:\Windows\System32\ipnathlp.dll => File is digitally signed
C:\Windows\System32\iphlpsvc.dll => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed


**** End of log ****
 
This topic is marked as abandoned and closed due to inactivity.

This member will NOT be eligible to receive any more help in malware removal forum.
 
Status
Not open for further replies.

Similar threads

hdeveci
Sound comes 1 sec delayed in the beginnig
Replies
2
Views
134
hdeveci
hdeveci
L
Solved Unknown spyware/ Monitoring/ Hijacking of my devices
Replies
15
Views
3K
Broni
Broni
midian182
Fire Ants live up to their name by invading PC and eating thermal paste, raising system...
Replies
6
Views
218
Hotlynx16
H

Latest posts

Back