Author Topic: LNK:Cantix-A [Trj] again  (Read 7347 times)

Offline Sass Drake

  • MyCity AMF R2
  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 820
Re: LNK:Cantix-A [Trj] again
« Reply #30 on: August 26, 2017, 09:17:19 PM »
  • Open Notepad (click Start button -> type notepad.exe -> press Enter)
  • Copy the text from the code block below and paste it into Notepad
Code:
HKU\S-1-5-21-4187682787-4126112381-4106933064-1000\...\Run: [Df5serv] => Wscript.exe //e:VBScript "C:\Users\DELL\Documents\df5srvc.bfe"
HKU\S-1-5-21-4187682787-4126112381-4106933064-1000\...\Run: [Explorer] => Wscript.exe //e:VBScript "C:\Users\DELL\AppData\Local\Microsoft\CD Burning\dekstop.ini" <==== ATTENTION
HKU\S-1-5-21-4187682787-4126112381-4106933064-1000\...\MountPoints2: E - E:\AutoRun.exe
HKU\S-1-5-21-4187682787-4126112381-4106933064-1000\...\MountPoints2: {738e0b00-414f-11e7-8000-4ceb4201d780} - E:\Setup.exe /s
HKU\S-1-5-21-4187682787-4126112381-4106933064-1000\...\MountPoints2: {8e36c47b-68fa-11e7-958f-4ceb4201d780} - E:\AutoRun.exe
HKU\S-1-5-21-4187682787-4126112381-4106933064-1000\...\MountPoints2: {8e36c492-68fa-11e7-958f-4ceb4201d780} - E:\AutoRun.exe
C:\Users\DELL\Documents\df5srvc.bfe
C:\Users\DELL\AppData\Local\Microsoft\CD Burning\dekstop.ini
C:\Users\Public\trz*.tmp
C:\ProgramData\trz*.tmp
C:\Windows\Tasks\trz*.tmp
C:\Users\DELL\trz*.tmp
C:\Users\Public\Documents\trz*.tmp
  • Go to File -> Save As
  • Make sure that UTF-8 is selected as Encoding (left side of Save button)
  • Save it as fixlist.txt on Desktop
  • Open FRST again and click on the Fix button
  • Wait until FRST finishes
  • fixlog.txt should be generated and opened. Attach it to your post and wait for further instructions.
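
Added example, not part of the original thread: the two Run entries in the fixlist above share one pattern, Wscript.exe forced to the VBScript engine with //e: and pointed at a file whose extension (.bfe, .ini) is not a script type. The Python sketch below flags that pattern in FRST-style Run lines; the function name, the extension set and the third sample line are assumptions made for illustration.

```python
import re
from pathlib import PureWindowsPath

# First two lines are the Run entries from the fixlist in the post above;
# the third is a constructed benign entry for contrast.
SAMPLE = r'''
HKU\S-1-5-21-4187682787-4126112381-4106933064-1000\...\Run: [Df5serv] => Wscript.exe //e:VBScript "C:\Users\DELL\Documents\df5srvc.bfe"
HKU\S-1-5-21-4187682787-4126112381-4106933064-1000\...\Run: [Explorer] => Wscript.exe //e:VBScript "C:\Users\DELL\AppData\Local\Microsoft\CD Burning\dekstop.ini" <==== ATTENTION
HKLM\...\Run: [ExampleUpdater] => "C:\Program Files\Example\updater.exe" /background
'''

RUN_LINE = re.compile(
    r'^(?P<key>HK\S+?\\Run): \[(?P<name>[^\]]+)\] => (?P<cmd>.*?)'
    r'(?:\s*<==== ATTENTION)?$', re.M)
SCRIPT_HOST = re.compile(r'\b(?:wscript|cscript)(?:\.exe)?\b', re.I)
ENGINE_FLAG = re.compile(r'//e:(\w+)', re.I)
# Extensions Windows Script Host normally runs without an engine override.
SCRIPT_EXTS = {'.vbs', '.vbe', '.js', '.jse', '.wsf', '.wsh'}

def audit(log_text):
    """Return Run entries where a script host is pointed at a disguised file."""
    findings = []
    for m in RUN_LINE.finditer(log_text):
        cmd = m.group('cmd')
        if not SCRIPT_HOST.search(cmd):
            continue  # autostart does not go through wscript/cscript
        reasons = []
        engine = ENGINE_FLAG.search(cmd)
        if engine:
            reasons.append('engine override //e:' + engine.group(1))
        quoted = re.search(r'"([^"]+)"', cmd)
        target = quoted.group(1) if quoted else ''
        ext = PureWindowsPath(target).suffix.lower()
        if target and ext not in SCRIPT_EXTS:
            reasons.append('non-script extension ' + ext)
        if reasons:
            findings.append({'name': m.group('name'), 'target': target,
                             'reasons': reasons})
    return findings

if __name__ == '__main__':
    for f in audit(SAMPLE):
        print(f['name'], '->', f['target'], '|', '; '.join(f['reasons']))
```
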

REDACTED

  • Guest
Re: LNK:Cantix-A [Trj] again
« Reply #31 on: August 27, 2017, 04:02:06 AM »
Good day! Here is the fixlog! Thanks for the help, I will wait for your further instructions.

Offline Sass Drake

Re: LNK:Cantix-A [Trj] again
« Reply #32 on: August 27, 2017, 01:25:14 PM »
Does the "LNK: Cantix-A" message still pop out?

REDACTED

  • Guest
Re: LNK:Cantix-A [Trj] again
« Reply #33 on: August 27, 2017, 04:28:05 PM »
Yes.  :( It didn't stop yet.

Offline Sass Drake

Re: LNK:Cantix-A [Trj] again
« Reply #34 on: August 27, 2017, 09:02:29 PM »
Please post new FRST logs and please make a screenshot of the Avast popup.

REDACTED

  • Guest
Re: LNK:Cantix-A [Trj] again
« Reply #35 on: August 28, 2017, 06:07:21 AM »
I'm sorry, I just checked it again and the Avast popup was already gone. Thank you! Is the virus gone? And will it stop making shortcuts? By the way, here is the FRST log.

Offline Sass Drake

Re: LNK:Cantix-A [Trj] again
« Reply #36 on: August 28, 2017, 09:22:37 AM »
  • Open Notepad (click Start button -> type notepad.exe -> press Enter)
  • Copy the text from the code block below and paste it into Notepad
Code:
CloseProcesses:
HKU\S-1-5-21-4187682787-4126112381-4106933064-1000\...\Run: [Df5serv] => Wscript.exe //e:VBScript "C:\Users\DELL\Documents\df5srvc.bfe"
HKU\S-1-5-21-4187682787-4126112381-4106933064-1000\...\Run: [Explorer] => Wscript.exe //e:VBScript "C:\Users\DELL\AppData\Local\Microsoft\CD Burning\dekstop.ini" <==== ATTENTION
C:\Users\DELL\Documents\df5srvc.bfe
C:\Users\DELL\AppData\Local\Microsoft\CD Burning\dekstop.ini
2017-08-27 10:02 - 2017-08-27 10:02 - 000000734 _____ C:\Windows\Tasks\trzC185.tmp
2017-08-27 10:01 - 2017-08-27 10:01 - 000000756 _____ C:\Users\Public\trz39EE.tmp
2017-08-27 10:01 - 2017-08-27 10:01 - 000000756 _____ C:\Users\Public\trz3970.tmp
2017-08-27 10:01 - 2017-08-27 10:01 - 000000756 _____ C:\Users\Public\trz3921.tmp
2017-08-27 10:01 - 2017-08-27 10:01 - 000000756 _____ C:\Users\Public\trz38A3.tmp
2017-08-27 10:01 - 2017-08-27 10:01 - 000000756 _____ C:\Users\Public\trz3671.tmp
2017-08-27 10:01 - 2017-08-27 10:01 - 000000756 _____ C:\Users\Public\Documents\trzF84C.tmp
2017-08-27 10:01 - 2017-08-27 10:01 - 000000756 _____ C:\Users\DELL\trz32B8.tmp
2017-08-27 10:01 - 2017-08-27 10:01 - 000000603 _____ C:\ProgramData\trz2983.tmp
2017-08-27 10:01 - 2017-08-27 10:01 - 000000597 _____ C:\ProgramData\trzCABE.tmp
2017-08-27 09:54 - 2017-08-27 09:54 - 000000762 _____ C:\Users\DELL\Documents\trzE770.tmp
2017-08-27 09:54 - 2017-08-27 09:54 - 000000762 _____ C:\Users\DELL\Documents\trzE5F8.tmp
2017-08-27 09:54 - 2017-08-27 09:54 - 000000762 _____ C:\Users\DELL\Documents\trzDC66.tmp
  • Go to File -> Save As
  • Make sure that UTF-8 is selected as Encoding (left side of Save button)
  • Save it as fixlist.txt on Desktop
  • Open FRST again and click on the Fix button
  • Wait until FRST finishes
  • fixlog.txt should be generated and opened. Attach it to your post and wait for further instructions.

REDACTED

  • Guest
Re: LNK:Cantix-A [Trj] again
« Reply #37 on: August 28, 2017, 10:03:12 AM »
Hello! The shortcuts are still there. Is it connected with the Avast popup?

REDACTED

  • Guest
Re: LNK:Cantix-A [Trj] again
« Reply #38 on: August 28, 2017, 10:07:42 AM »
It popped up again. :(

Offline Sass Drake

Re: LNK:Cantix-A [Trj] again
« Reply #39 on: August 28, 2017, 10:13:39 AM »
Scan D: and C: with Avast and after that post me new FRST logs.

REDACTED

  • Guest
Re: LNK:Cantix-A [Trj] again
« Reply #40 on: August 28, 2017, 12:31:39 PM »
Here is the new FRST log after I scanned C and D. :)

Offline Sass Drake

Re: LNK:Cantix-A [Trj] again
« Reply #41 on: August 28, 2017, 09:53:00 PM »
Download a fresh copy of FRST from
https://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/

and save it to the Desktop.
Make sure it is on the Desktop and that it is the version you will use from now on.

Second, don't access the D: partition.

Now you will run this fix with the fresh version of FRST:

  • Open Notepad (click Start button -> type notepad.exe -> press Enter)
  • Copy the text from the code block below and paste it into Notepad
Code:
cmd: Taskkill /IM wscript.exe /f
HKU\S-1-5-21-4187682787-4126112381-4106933064-1000\...\Run: [Explorer] => Wscript.exe //e:VBScript "C:\Users\DELL\AppData\Local\Microsoft\CD Burning\dekstop.ini" <==== ATTENTION
HKU\S-1-5-21-4187682787-4126112381-4106933064-1000\...\Run: [Df5serv] => Wscript.exe //e:VBScript "C:\Users\DELL\Documents\df5srvc.bfe"
2017-08-28 17:25 - 2017-08-28 17:25 - 000000762 _____ C:\Users\DELL\Documents\trzD008.tmp
2017-08-28 17:25 - 2017-08-28 17:25 - 000000762 _____ C:\Users\DELL\Documents\trzA32D.tmp
2017-08-28 17:21 - 2017-08-28 17:21 - 000000581 _____ C:\Windows\Tasks\trzADAE.tmp
C:\Users\DELL\Documents\df5srvc.bfe
C:\Users\DELL\AppData\Local\Microsoft\CD Burning\dekstop.ini
  • Go to File -> Save As
  • Make sure that UTF-8 is selected as Encoding (left side of Save button)
  • Save it as fixlist.txt on Desktop
  • Open FRST again and click on the Fix button
  • Wait until FRST finishes
  • fixlog.txt should be generated and opened. Attach it to your post and wait for further instructions.

After this, you will run the fresh FRST from your Desktop, enable the Addition.txt option, click on Scan and post me the new FRST.txt and Addition.txt reports.

REDACTED

  • Guest
Re: LNK:Cantix-A [Trj] again
« Reply #42 on: August 29, 2017, 12:31:21 AM »
Should I post the fixlog also?

Offline Sass Drake

Re: LNK:Cantix-A [Trj] again
« Reply #43 on: August 29, 2017, 01:48:32 AM »
You should post it, but now it doesn't matter. Now you should run a scan of all drives from the Avast interface.
« Last Edit: August 29, 2017, 01:50:13 AM by Sass Drake »

REDACTED

  • Guest
Re: LNK:Cantix-A [Trj] again
« Reply #44 on: August 29, 2017, 01:01:12 PM »
I'm done scanning the full system. There were threats detected. However, the Avast popup was gone, as well as the shortcuts. What should I do next? Is it safe to insert another USB in my laptop?