GeekPolice Tech Tutorials

 

[INACTIVE] NetUtils2016: PC badly affected after installing program

Re: [INACTIVE] NetUtils2016: PC badly affected after installing program
Hi,
Thanks for the advice on removing previous messages. 

I have carried out fresh scans using Farbar Recovery Scan Tool and I have attached the fixlog.

I have run CKScanner again and the log is attached.

I have run Junkware Removal Tool and that log is attached.

Finally, I have just run Adw Cleaner and that log is attached.

I look forward to your reply.

 thanks
Attachments
Fixlog.txt
(7 Kb) Downloaded 1 times

ckfiles.txt
(292 Kb) Downloaded 2 times

JRT.txt
(1 Kb) Downloaded 2 times

AdwCleaner[S3].txt
(2 Kb) Downloaded 3 times

Re: [INACTIVE] NetUtils2016: PC badly affected after installing program
Looks like we're wrapping things up...  Awesome (sparkly)

Fix with Farbar Recovery Scan Tool

Note to outside visitors: This fix was created for this user for use on that particular machine. Running it on another one may cause damage and render the system unstable.


Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!


  • Right-click on FRST icon and select Run as Administrator to start the tool.
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.


Please post it to your reply.




Remove the Adware

  • Please close all open programs and internet browsers.
  • Double click on adwcleaner_xxxx.exe to run the tool.
  • Press Scan, wait for it to finish.
  • Ensure to only check the following items (uncheck all others):
    Chrome pref Found:  [C:\Users\paull\AppData\Local\Google\Chrome\User Data\Default\Web data] - uk.ask.com
    Chrome pref Found:  [C:\Users\paull\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences ] - hxxp://uk.search.yahoo.com?type=512435&fr=spigot-yhp-ch.
  • Then hit the Clean button.
  • Your computer will be rebooted automatically. If it does not, please reboot the computer manually.
  • Re-run AdwCleaner as before and post a new log please.





Re-running FRST to search for any leftovers:

Please re-run Farbar Recovery Scan Tool to give me a fresh look at your system.

  • Right-click on FRST icon and select Run as Administrator to start the tool.
  • Make sure that Addition option is checked.
  • Press Scan button and wait.
  • The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.

Please include their content into your next reply.

  • Once it is restarted and you're back in Windows, double-click adwcleaner_xxxx.exe, hit "Logfile." On the Cleaning tab, double-click the latest logfile, copy the contents, and paste it into your next reply.
  • You can find the logfile at C:\AdwCleaner[Sx].txt as well.





In your next reply, please include these logs:


  1. Fixlog.txt from FRST
  2. Fresh AdwCleaner log
  3. Fresh FRST scan log
  4. Also, let me know how your device is doing. Thanks for your patience also, this has been a challenge worth my youth!


Last edited by Dr Jay on 11th February 2017, 10:02 pm; edited 1 time in total
Attachments
fixlist.txt
(1 Kb) Downloaded 4 times

Re: [INACTIVE] NetUtils2016: PC badly affected after installing program
Hello,
I cannot see any attachment for fixlog.txt with your last message, or am I to use a previous one?
thanks

Re: [INACTIVE] NetUtils2016: PC badly affected after installing program
Sorry, I just fixed the download hub system, as we added new functions to the forums...

This should work or click on the attachment above I just created: http://www.geekpolice.net/download.forum?id=533

Re: [INACTIVE] NetUtils2016: PC badly affected after installing program
Hello Again,
I have carried out the FRST scan and I have attached the Fixlog.txt

I have also run adwcleaner, scanned the PC and followed your instructions relating to only checking those 2 items. My problem was that I could not see those two items in the scan. The scan found 5 items, as below.
Under Services it found NetUtils2016.
Files it found C:\WINDOWS\SysNative\NetUtils2016.dll
Files it found C:\WINDOWS\SysNative\drivers\NetUtils2016.sys
Registry it found HKLM64\SOFTWARE\HDWallpaper
Chrome it found C:\Users\paull\AppData\Local\Google\Chrome\User Data\Default
I made the assumption that the last item was the one you referred to and have checked it and hit the clean button.
I have attached the adwcleaner log also.

I have re-run FRST again and have attached the log as well

I have found my PC to be still having problems with Google Chrome, it freezes which causes me to use Task Manager to close it, and I am finding Chrome not opening after clicking on the desktop icon.

I have installed Opera which appears to be running better.

With reference to NetUtils, it seems to be the cause of problems using Chrome as I am finding it opening pages as well as getting 'reimage plus' opening regularly.

I have found Avast notifying me of potential malware that they have stopped when I have been carrying out adwcleaner scans too.

I hope I make sense with all this info.

I look forward to your reply
Thank you so much.
Attachments
Fixlog - 12-02-2017 - 08.42.txt
(2 Kb) Downloaded 2 times

FRST -12-02-2017 - 17.09.txt
(48 Kb) Downloaded 4 times

Addition - 12-02-2017 -17.09.txt
(40 Kb) Downloaded 2 times

AdwCleaner- 12-02-2017-16.59.txt
(2 Kb) Downloaded 3 times

Re: [INACTIVE] NetUtils2016: PC badly affected after installing program
Please download and run the Google Chrome Software Cleaner.



CCleaner Temporary Files Cleaning

NOTE: If you already have this installed, you don't have to reinstall it.

Please download CCleaner

When the file has been saved, go to your Desktop and double-click on ccsetupxxx_slim.exe
Follow the prompts to install the program.


  • Double-click the CCleaner shortcut on the desktop to start the program.
  • A prompt will ask you if you want CCleaner to do a check to see what cookies it needs to keep. Allow that operation.
  • On the Cleaner tab, click on Run Cleaner on the bottom-right to run the program.
  • Important: Make sure that ALL browser windows are closed before selecting Run Cleaner, or it will ask if you want the program to close them for you (when you do this, all unsaved data may be lost in the browser).


Caution: Only use the Registry feature if you are very familiar with the registry.
Always back up your registry before making any changes. Exit CCleaner after it has completed its process.

SystemLook
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    Code:


    :filefind
    *netutils*


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Re: [INACTIVE] NetUtils2016: PC badly affected after installing program
Hi,
I have run CC Cleaner as requested 
I have also run System Look and that log is attached.
thank you.
Attachments
SystemLook.txt
(4 Kb) Downloaded 2 times

Re: [INACTIVE] NetUtils2016: PC badly affected after installing program
Well, I'm now made well aware that the infection on your PC is simply a rare one. I am going to change the name of your topic slightly, as it will make it useful for visitors to find helpful information. You see, one file that was missed in the fixes by me kept reinstalling the other malicious system file, which made the machine reinfect. It may be the cause of it reappearing. Smile...

Fix with Farbar Recovery Scan Tool

Note to outside visitors: This fix was created for this user for use on that particular machine. Running it on another one may cause damage and render the system unstable.


Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!


  • Right-click on FRST icon and select Run as Administrator to start the tool.
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.


Please post it to your reply. Also, please run SystemLook as we did above, and let's see a new log. Right On!
Attachments
fixlist.txt
(1 Kb) Downloaded 3 times

Re: [INACTIVE] NetUtils2016: PC badly affected after installing program
Hi,
I have carried out the FRST as you instructed and the fixlog is attached
thanks
Attachments
Fixlog.txt
(1 Kb) Downloaded 2 times

Re: [INACTIVE] NetUtils2016: PC badly affected after installing program
Please do this part now:
Also, please run SystemLook as we did above, and let's see a new log.

Re: [INACTIVE] NetUtils2016: PC badly affected after installing program
Please find a fresh scan of SystemLook attached
thank you
Attachments
SystemLook.txt
(4 Kb) Downloaded 1 times

Re: [INACTIVE] NetUtils2016: PC badly affected after installing program
Persistent lot, isn't it?
Look at this: C:\Windows\System32\drivers\NetUtils2016.sys    --a---- 909944 bytes    [19:00 13/02/2017]    [19:00 13/02/2017] 9EE21F7D46BD2B0F128E0907BABC7D28




Let's target it a bit more... We need a different approach... Bear with me here. Smile...

Fix with Farbar Recovery Scan Tool

Note to outside visitors: This fix was created for this user for use on that particular machine. Running it on another one may cause damage and render the system unstable.


Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!


  • Right-click on FRST icon and select Run as Administrator to start the tool.
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.


Please post it to your reply. Also, attach MBRDUMP.txt to your next reply, which will be located within the same area of FRST.




Avast Browser Cleanup Tool


  1. Please download this free tool and save it to your desktop.
  2. Install the program by double-clicking on avast-browser-cleanup-sfx.exe.
  3. This cleanup tool will search and list if unwanted entries were found. If found, it will display a button ‘Remove all add-ons listed below and cleanup browser.’ You may remove all or delete one entry at a time.
  4. Avast Browser Cleanup will confirm before it permanently deletes the add-on. Please click Yes to proceed with removal of bad add-ons on the affected browser.





Re-running FRST to search for any leftovers:

Please re-run Farbar Recovery Scan Tool to give me a fresh look at your system.

  • Right-click on FRST icon and select Run as Administrator to start the tool.
  • Make sure that Addition option is checked.
  • Press Scan button and wait.
  • The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.

Please include their content into your next reply.




In your next reply, please include the following:

  • Fixlog.txt for FRST fix
  • MBRDUMP.txt
  • FRST.txt and Addition.txt for the re-run of FRST.
Attachments
fixlist.txt
(1 Kb) Downloaded 1 times

Re: [INACTIVE] NetUtils2016: PC badly affected after installing program
Hi,
Please find attached the logs as you requested,
The MBRDUMP log is empty and as such I have been unable to send it.
thanks
Attachments
Fixlog.txt
(2 Kb) Downloaded 3 times

FRST.txt
(48 Kb) Downloaded 2 times

Addition.txt
(41 Kb) Downloaded 1 times

Re: [INACTIVE] NetUtils2016: PC badly affected after installing program
Couple of questions... Did you make these restrictions on the OS:

GroupPolicy: Restriction - Chrome <======= ATTENTION
HKLM\...\Policies\Explorer: [NoLowDiskSpaceChecks] 1
HKLM\...\Policies\Explorer: [NoResolveSearch] 1
HKLM\...\Policies\Explorer: [LinkResolveIgnoreLinkInfo] 1
HKLM\...\Policies\Explorer: [NoInternetOpenWith] 1
HKU\S-1-5-21-2138326613-2610238322-1334748225-1001\...\Policies\Explorer: [NolowDiskSpaceChecks] 1
HKU\S-1-5-21-2138326613-2610238322-1334748225-1001\...\Policies\Explorer: [NoResolveSearch] 1
HKU\S-1-5-21-2138326613-2610238322-1334748225-1001\...\Policies\Explorer: [LinkResolveIgnoreLinkInfo] 1
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION


Second question... Did you install or want these Google Chrome extensions:
CHR Extension: (Google Translate) - C:\Users\paull\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapbdbdomjkkjkaonfhkkikfgjllcleb [2017-02-09]
CHR Extension: (Nimbus Screenshot App) - C:\Users\paull\AppData\Local\Google\Chrome\User Data\Default\Extensions\aecjogkncpbkjfobfnoaiepipllcadhe [2017-02-09]
CHR Extension: (File Converter) - C:\Users\paull\AppData\Local\Google\Chrome\User Data\Default\Extensions\alblmaecejifbilchdofkdanifpmnmfk [2017-02-09]
CHR Extension: (BeFunky Photo Editor) - C:\Users\paull\AppData\Local\Google\Chrome\User Data\Default\Extensions\apfkepiiddolifkgjmfdgpnipgnfejab [2017-02-09]
CHR Extension: (TV) - C:\Users\paull\AppData\Local\Google\Chrome\User Data\Default\Extensions\beobeededemalmllhkmnkinmfembdimh [2017-02-09]
CHR Extension: (Nimbus Screenshot and Screencast) - C:\Users\paull\AppData\Local\Google\Chrome\User Data\Default\Extensions\bpconcjcammlapcogcnnelfmaeghhagj [2017-02-09]
CHR Extension: (Replace New Tab Page) - C:\Users\paull\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnkhddihkmmiiclaipbaaelfojkmlkja [2017-02-09]
CHR Extension: (Pixlr-o-matic) - C:\Users\paull\AppData\Local\Google\Chrome\User Data\Default\Extensions\ehcibdjmpjlekgjhepbfmenfppliikcj [2017-02-09]
CHR Extension: (Tetriz Challenge) - C:\Users\paull\AppData\Local\Google\Chrome\User Data\Default\Extensions\emidddocikgklceeeifefomdnbkldhng [2017-02-09]
CHR Extension: (AudioRecorder) - C:\Users\paull\AppData\Local\Google\Chrome\User Data\Default\Extensions\enhfkjkjfhhdibpgjmiamdcdgmcjpplk [2017-02-09]
CHR Extension: (Audio Downloader Prime) - C:\Users\paull\AppData\Local\Google\Chrome\User Data\Default\Extensions\flainkeonkoanoijnkojmiiihnfdhipd [2017-02-09]
CHR Extension: (Trevx - Music Downloader) - C:\Users\paull\AppData\Local\Google\Chrome\User Data\Default\Extensions\fpmaepaboafhefdejcbiciklgjogoghf [2017-02-09]
CHR Extension: (AdBlock) - C:\Users\paull\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2017-02-09]
CHR Extension: (A Journey through Middle-earth) - C:\Users\paull\AppData\Local\Google\Chrome\User Data\Default\Extensions\gjgkjeheegjnnmheaflhdocglkiegoni [2017-02-09]
CHR Extension: (Where Am I? - VPN Checker) - C:\Users\paull\AppData\Local\Google\Chrome\User Data\Default\Extensions\hbgdaefcalonegdjkhfaeabgodpahimo [2017-02-09]
CHR Extension: (Blocky Minecraft Sniper 3D) - C:\Users\paull\AppData\Local\Google\Chrome\User Data\Default\Extensions\hclgbbaloijjnkpigapgmocdpoblnlec [2017-02-09]
CHR Extension: (Tate Art Slideshow) - C:\Users\paull\AppData\Local\Google\Chrome\User Data\Default\Extensions\hgfbniacchiboaeoaoaejhggfepbbmkj [2017-02-09]
CHR Extension: (New Tab Redirect) - C:\Users\paull\AppData\Local\Google\Chrome\User Data\Default\Extensions\icpgjfneehieebagbmdbhnlpiopdcmna [2017-02-11]
CHR Extension: (The Weather Channel for Chrome) - C:\Users\paull\AppData\Local\Google\Chrome\User Data\Default\Extensions\iflpcokdamgefbghpdipcibmhlkdopop [2017-02-09]
CHR Extension: (90`s Games) - C:\Users\paull\AppData\Local\Google\Chrome\User Data\Default\Extensions\illbbfoihflomkbpcaaakhijinbnejom [2017-02-09]
CHR Extension: (iPiccy Photo Editor) - C:\Users\paull\AppData\Local\Google\Chrome\User Data\Default\Extensions\imokeandodnlammaoenbgcnbhigjbpjh [2017-02-09]
CHR Extension: (Pixect) - C:\Users\paull\AppData\Local\Google\Chrome\User Data\Default\Extensions\jgdeoagndhabdnoenpdcagbkkmjeibmh [2017-02-09]
CHR Extension: (Webcam Toy) - C:\Users\paull\AppData\Local\Google\Chrome\User Data\Default\Extensions\lfbgimoladefibpklnfmkpknadbklade [2017-02-09]
CHR Extension: (Google Maps) - C:\Users\paull\AppData\Local\Google\Chrome\User Data\Default\Extensions\lneaknkopdijkpnocmklfnjbeapigfbh [2017-02-09]
CHR Extension: (Screencastify (Screen Video Recorder)) - C:\Users\paull\AppData\Local\Google\Chrome\User Data\Default\Extensions\mmeijimgabbpbgpdklnllpncmdofkcpn [2017-02-09]
CHR Extension: (Chrome Web Store Payments) - C:\Users\paull\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-02-07]
CHR Extension: (New Tab Changer) - C:\Users\paull\AppData\Local\Google\Chrome\User Data\Default\Extensions\occbjkhimchkolibngmcefpjlbknggfh [2017-02-09]
CHR Extension: (SetupVPN - Lifetime Free VPN) - C:\Users\paull\AppData\Local\Google\Chrome\User Data\Default\Extensions\oofgbpoabipfcfjapgnbbjjaenockbdp [2017-02-08]
CHR Extension: (Rollip - Photo Effects) - C:\Users\paull\AppData\Local\Google\Chrome\User Data\Default\Extensions\ooikhmcdpofogemaldinihdhidaokcmp [2017-02-09]
CHR Extension: (Pop Art Studio Online) - C:\Users\paull\AppData\Local\Google\Chrome\User Data\Default\Extensions\oompiimecpnflklhlnmdpddcjdmiibkf [2017-02-09]
CHR Extension: (Chrome Media Router) - C:\Users\paull\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-02-07]



With that aside, we're going to have to take a bit more extreme measures, because with all that fix, the malware came right back.

Let's do the following first please...

GMER

Note about this tool:

  • This program may freeze. Do not reboot the computer, unless it has been frozen for over 30 minutes.
  • This program may cause a blue screen of death. If it does, do not scan, and then reply to let me know.
  • No matter what is in the log, please post all the information/contents of the log.
  • These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT"


Please download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.

Re: [INACTIVE] NetUtils2016: PC badly affected after installing program
Hi,
Thanks again for your help.
In answer to your first question: No, I haven't made any restrictions or changes to the OS. My knowledge of PCs is basic and I wouldn't know where to start.
In answer to what seems to be a large amount of extensions in Google Chrome, I have installed some of those from the Google Chrome Store, like Adblock, Google Translate, Nimbus, Where am i VPN Checker, SetUp VPN and New tab redirect. There seems to be an awful lot that I have no knowledge of having acquired, however there are a few I may have had and removed from the Chrome page. The ones I mentioned, I regularly use but I am happy to remove the remainder.
Please find attached, the results of the GMER.txt
thanks
Attachments
GMER.txt
(15 Kb) Downloaded 2 times
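
The comparison the last two posts carry out by hand, as an added example that is not part of the original thread: it parses `CHR Extension:` lines in the shape FRST printed above, matches them loosely against the names the user said they installed, and returns the rest for review together with the date most entries share. The function names and the matching rule are assumptions; the sample names, IDs and dates are copied from the excerpt in the thread.

```python
import re
from collections import Counter

# Shape of the FRST lines quoted in the thread:
#   CHR Extension: (Name) - <profile>\Extensions\<32-letter id> [YYYY-MM-DD]
LINE_RE = re.compile(
    r"^CHR Extension: \((?P<name>.*)\) - .+\\(?P<id>[a-p]{32}) "
    r"\[(?P<date>\d{4}-\d{2}-\d{2})\]$"
)
PROFILE = r"C:\Users\paull\AppData\Local\Google\Chrome\User Data\Default\Extensions"
# Names, IDs and dates copied from the thread's excerpt (a subset of it).
ROWS = [
    ("Google Translate", "aapbdbdomjkkjkaonfhkkikfgjllcleb", "2017-02-09"),
    ("Nimbus Screenshot App", "aecjogkncpbkjfobfnoaiepipllcadhe", "2017-02-09"),
    ("File Converter", "alblmaecejifbilchdofkdanifpmnmfk", "2017-02-09"),
    ("Replace New Tab Page", "cnkhddihkmmiiclaipbaaelfojkmlkja", "2017-02-09"),
    ("AdBlock", "gighmmpiobklfepjocnamgkkbiglidom", "2017-02-09"),
    ("Where Am I? - VPN Checker", "hbgdaefcalonegdjkhfaeabgodpahimo", "2017-02-09"),
    ("New Tab Redirect", "icpgjfneehieebagbmdbhnlpiopdcmna", "2017-02-11"),
    ("Screencastify (Screen Video Recorder)", "mmeijimgabbpbgpdklnllpncmdofkcpn", "2017-02-09"),
    ("SetupVPN - Lifetime Free VPN", "oofgbpoabipfcfjapgnbbjjaenockbdp", "2017-02-08"),
]
SAMPLE = [f"CHR Extension: ({n}) - {PROFILE}\\{i} [{d}]" for n, i, d in ROWS]
# Names as the user typed them in the reply above.
RECOGNISED = ["Adblock", "Google Translate", "Nimbus", "Where am i VPN Checker",
              "SetUp VPN", "New tab redirect"]


def norm(text):
    """Lower-case and drop spaces/punctuation so 'SetUp VPN' matches 'SetupVPN - ...'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def parse(lines):
    """Return (entries, skipped): parsed rows and lines that are not CHR Extension rows."""
    entries, skipped = [], []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
        else:
            skipped.append(line)
    return entries, skipped


def triage(lines, recognised):
    """Return (entries the user did not name, (most common date, count))."""
    keys = [norm(r) for r in recognised]
    entries, _ = parse(lines)
    review = [e for e in entries if not any(k in norm(e["name"]) for k in keys)]
    burst = Counter(e["date"] for e in entries).most_common(1)[0] if entries else None
    return review, burst


if __name__ == "__main__":
    review, burst = triage(SAMPLE, RECOGNISED)
    print("date shared by most entries:", burst)
    for e in review:
        print("ask about:", e["name"], e["id"], e["date"])
```

The substring match can over-accept, so the result is a list of entries to ask the user about, not a removal list.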
