LAMZAP - What is this Demon? [Solved]

Malware Virus Lamzap

This topic is locked
101 replies to this topic

#61 Top


Posted 30 July 2016 - 09:31 AM

Sorry for the SNAFU this morning.  I did a registry restore and should be in better shape!



US Army, Retired



#62 Top


Posted 30 July 2016 - 09:38 AM

Here is the log from SystemLook

 

SystemLook 30.07.11 by jpshortstuff
Log created at 10:30 on 30/07/2016 by Bud Parker
Administrator - Elevation successful

========== folderfind ==========

Searching for "Ronzafind"
C:\Users\Bud Parker\AppData\Roaming\Ronzafind    d------    [18:14 26/07/2016]

========== filefind ==========

Searching for "Ronzafind"
No files found.

========== regfind ==========

Searching for "Ronzafind"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths]
"url1"="C:\Users\Bud Parker\AppData\Roaming\Ronzafind"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug]
"StoreLocation"="C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Ronzafind.exe_1685ced56bd577e9963a53ff94cdebbe23ab7c_0406d662"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Ronzafind]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Ronzafind]
"ImagePath"="C:\Users\Bud Parker\AppData\Roaming\Ronzafind\Ronzafind.exe olbXgpnzyP/q/cJaoSzH4ks20/gtM/4xfwvL8jEEDT8="
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Ronzafind]
"DisplayName"="Ronzafind Service"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\Ronzafind]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\Ronzafind]
"ImagePath"="C:\Users\Bud Parker\AppData\Roaming\Ronzafind\Ronzafind.exe olbXgpnzyP/q/cJaoSzH4ks20/gtM/4xfwvL8jEEDT8="
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\Ronzafind]
"DisplayName"="Ronzafind Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Ronzafind]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Ronzafind]
"ImagePath"="C:\Users\Bud Parker\AppData\Roaming\Ronzafind\Ronzafind.exe olbXgpnzyP/q/cJaoSzH4ks20/gtM/4xfwvL8jEEDT8="
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Ronzafind]
"DisplayName"="Ronzafind Service"
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\Windows Error Reporting\Debug]
"StoreLocation"="C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Ronzafind.exe_1685ced56bd577e9963a53ff94cdebbe23ab7c_061ed00b"
[HKEY_USERS\S-1-5-21-2712942507-1312882600-3786330889-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths]
"url1"="C:\Users\Bud Parker\AppData\Roaming\Ronzafind"
[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\Windows Error Reporting\Debug]
"StoreLocation"="C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Ronzafind.exe_1685ced56bd577e9963a53ff94cdebbe23ab7c_061ed00b"

-= EOF =-




#63 ken545


Posted 30 July 2016 - 09:57 AM

Great,

 

Now plug this into SystemLook

 

:folderfind
Lamzap
Lamzaps
:filefind
Lamzap
Lamzaps
:regfind
Lamzap
Lamzaps


 
 
The forum is staffed by volunteers who donate their time and expertise.
If you feel you have been helped, please consider a donation.
donate.gif
 
Find us on Facebook
Please LIKE and SHARE
 
 
Just a reminder that threads will be closed if no reply in 3 days.

#64 Top


Posted 30 July 2016 - 10:07 AM

SystemLook 30.07.11 by jpshortstuff
Log created at 11:02 on 30/07/2016 by Bud Parker
Administrator - Elevation successful

========== folderfind ==========

Searching for "Lamzap"
C:\FRST\Quarantine\C\ProgramData\Lamzap    d------    [19:29 28/07/2016]
C:\ProgramData\Lamzap    d------    [19:31 29/07/2016]
C:\Users\All Users\Lamzap    d------    [19:31 29/07/2016]

Searching for "Lamzaps"
C:\FRST\Quarantine\C\ProgramData\Lamzaps    d------    [19:29 28/07/2016]

========== filefind ==========

Searching for "Lamzap"
No files found.

Searching for "Lamzaps"
No files found.

========== regfind ==========

Searching for "Lamzap"
[HKEY_CURRENT_USER\Environment]
"SNF"="C:\ProgramData\Lamzaps\snp.sc"
[HKEY_CURRENT_USER\Software\Greatis\Regrun2\Black\Files\C:PROGRAMDATALAMZAP]
[HKEY_CURRENT_USER\Software\Greatis\Regrun2\Black\Files\C:PROGRAMDATALAMZAP]
@="C:\PROGRAMDATA\LAMZAP\"
[HKEY_CURRENT_USER\Software\Greatis\Regrun2\Black\Files\C:PROGRAMDATALAMZAPDONTIP.DLL]
[HKEY_CURRENT_USER\Software\Greatis\Regrun2\Black\Files\C:PROGRAMDATALAMZAPDONTIP.DLL]
@="C:\PROGRAMDATA\LAMZAP\DONTIP.DLL"
[HKEY_CURRENT_USER\Software\Greatis\Regrun2\Black\Files\C:PROGRAMDATALAMZAPGREENTIP.DLL]
[HKEY_CURRENT_USER\Software\Greatis\Regrun2\Black\Files\C:PROGRAMDATALAMZAPGREENTIP.DLL]
@="C:\PROGRAMDATA\LAMZAP\GREENTIP.DLL"
[HKEY_CURRENT_USER\Software\Greatis\Regrun2\Black\Files\C:PROGRAMDATALAMZAPJOBQUOTOUCH.DLL]
[HKEY_CURRENT_USER\Software\Greatis\Regrun2\Black\Files\C:PROGRAMDATALAMZAPJOBQUOTOUCH.DLL]
@="C:\PROGRAMDATA\LAMZAP\JOBQUOTOUCH.DLL"
[HKEY_CURRENT_USER\Software\Greatis\Regrun2\Black\Files\C:PROGRAMDATALAMZAPLAMZAP.EXE]
[HKEY_CURRENT_USER\Software\Greatis\Regrun2\Black\Files\C:PROGRAMDATALAMZAPLAMZAP.EXE]
@="C:\PROGRAMDATA\LAMZAP\LAMZAP.EXE"
[HKEY_CURRENT_USER\Software\Greatis\Regrun2\Black\Files\C:PROGRAMDATALAMZAPMED-LAX.DLL]
[HKEY_CURRENT_USER\Software\Greatis\Regrun2\Black\Files\C:PROGRAMDATALAMZAPMED-LAX.DLL]
@="C:\PROGRAMDATA\LAMZAP\MED-LAX.DLL"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List]
"File3"="C:\Users\Bud Parker\Desktop\Lamzap photo.png"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List]
"File4"="C:\Users\Bud Parker\Desktop\Lamzap photo.jpg"
[HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"C:\ProgramData\Lamzap\Lamzap.exe"="Lamzap"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Lamzap.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\ProgramData\Lamzap\SilIng.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\Lamzap_RASAPI32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\Lamzap_RASMANCS]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ApprovedByRegRun2\AntiRepl\0]
"Target"="\??\C:\PROGRAMDATA\LAMZAPS"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ApprovedByRegRun2\AntiRepl\13]
"Target"="\??\C:\PROGRAMDATA\LAMZAPS"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ApprovedByRegRun2\AntiRepl\14]
"Target"="\??\C:\PROGRAMDATA\LAMZAPS"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ApprovedByRegRun2\AntiRepl\15]
"Target"="C:\PROGRAMDATA\LAMZAP"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\Lamzap.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\Lamzap.exe]
"MonitorProcess"="C:\ProgramData\Windows Monitor\Monitor.exe %i deviceId=e5295532-cfef-2cfc-b916-e5ddde5765fe channelId=3 distributer=APSFClickMeIn processName=Lamzap.exe statsAddress=http://stats.ijnewhb.../JSON/LogEvent"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\ProgramData\Lamzap\Funity.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Lamzap.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\mtLamzap]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\Lamzap]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\Lamzap]
"ImagePath"="C:\ProgramData\\Lamzap\\Lamzap.exe shuz -f "C:\ProgramData\\Lamzap\\Lamzap.dat" -l -a"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\Lamzap]
"DisplayName"="Lamzap"
[HKEY_USERS\S-1-5-21-2712942507-1312882600-3786330889-1001\Environment]
"SNF"="C:\ProgramData\Lamzaps\snp.sc"
[HKEY_USERS\S-1-5-21-2712942507-1312882600-3786330889-1001\Software\Greatis\Regrun2\Black\Files\C:PROGRAMDATALAMZAP]
[HKEY_USERS\S-1-5-21-2712942507-1312882600-3786330889-1001\Software\Greatis\Regrun2\Black\Files\C:PROGRAMDATALAMZAP]
@="C:\PROGRAMDATA\LAMZAP\"
[HKEY_USERS\S-1-5-21-2712942507-1312882600-3786330889-1001\Software\Greatis\Regrun2\Black\Files\C:PROGRAMDATALAMZAPDONTIP.DLL]
[HKEY_USERS\S-1-5-21-2712942507-1312882600-3786330889-1001\Software\Greatis\Regrun2\Black\Files\C:PROGRAMDATALAMZAPDONTIP.DLL]
@="C:\PROGRAMDATA\LAMZAP\DONTIP.DLL"
[HKEY_USERS\S-1-5-21-2712942507-1312882600-3786330889-1001\Software\Greatis\Regrun2\Black\Files\C:PROGRAMDATALAMZAPGREENTIP.DLL]
[HKEY_USERS\S-1-5-21-2712942507-1312882600-3786330889-1001\Software\Greatis\Regrun2\Black\Files\C:PROGRAMDATALAMZAPGREENTIP.DLL]
@="C:\PROGRAMDATA\LAMZAP\GREENTIP.DLL"
[HKEY_USERS\S-1-5-21-2712942507-1312882600-3786330889-1001\Software\Greatis\Regrun2\Black\Files\C:PROGRAMDATALAMZAPJOBQUOTOUCH.DLL]
[HKEY_USERS\S-1-5-21-2712942507-1312882600-3786330889-1001\Software\Greatis\Regrun2\Black\Files\C:PROGRAMDATALAMZAPJOBQUOTOUCH.DLL]
@="C:\PROGRAMDATA\LAMZAP\JOBQUOTOUCH.DLL"
[HKEY_USERS\S-1-5-21-2712942507-1312882600-3786330889-1001\Software\Greatis\Regrun2\Black\Files\C:PROGRAMDATALAMZAPLAMZAP.EXE]
[HKEY_USERS\S-1-5-21-2712942507-1312882600-3786330889-1001\Software\Greatis\Regrun2\Black\Files\C:PROGRAMDATALAMZAPLAMZAP.EXE]
@="C:\PROGRAMDATA\LAMZAP\LAMZAP.EXE"
[HKEY_USERS\S-1-5-21-2712942507-1312882600-3786330889-1001\Software\Greatis\Regrun2\Black\Files\C:PROGRAMDATALAMZAPMED-LAX.DLL]
[HKEY_USERS\S-1-5-21-2712942507-1312882600-3786330889-1001\Software\Greatis\Regrun2\Black\Files\C:PROGRAMDATALAMZAPMED-LAX.DLL]
@="C:\PROGRAMDATA\LAMZAP\MED-LAX.DLL"
[HKEY_USERS\S-1-5-21-2712942507-1312882600-3786330889-1001\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List]
"File3"="C:\Users\Bud Parker\Desktop\Lamzap photo.png"
[HKEY_USERS\S-1-5-21-2712942507-1312882600-3786330889-1001\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List]
"File4"="C:\Users\Bud Parker\Desktop\Lamzap photo.jpg"
[HKEY_USERS\S-1-5-21-2712942507-1312882600-3786330889-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"C:\ProgramData\Lamzap\Lamzap.exe"="Lamzap"
[HKEY_USERS\S-1-5-21-2712942507-1312882600-3786330889-1001_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"C:\ProgramData\Lamzap\Lamzap.exe"="Lamzap"

Searching for "Lamzaps"
[HKEY_CURRENT_USER\Environment]
"SNF"="C:\ProgramData\Lamzaps\snp.sc"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ApprovedByRegRun2\AntiRepl\0]
"Target"="\??\C:\PROGRAMDATA\LAMZAPS"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ApprovedByRegRun2\AntiRepl\13]
"Target"="\??\C:\PROGRAMDATA\LAMZAPS"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ApprovedByRegRun2\AntiRepl\14]
"Target"="\??\C:\PROGRAMDATA\LAMZAPS"
[HKEY_USERS\S-1-5-21-2712942507-1312882600-3786330889-1001\Environment]
"SNF"="C:\ProgramData\Lamzaps\snp.sc"

-= EOF =-




#65 ken545


Posted 30 July 2016 - 10:22 AM

OK, we are going to attack this differently. It's going to take me some time to work up a fix. We are going to make some changes to your registry; I am not interested in whatever else you use, but download and run this one to back up your registry so if the fix causes any issues you can restore it.

 

Be back soon

 

 
Backup the Registry:
 
Modifying the Registry can create unforeseen problems, so it is always wise to create a backup before doing so.
 
  • Please download the installer for Registry Backup from here or here and save it to your desktop.
  • Right-click on tweaking.com_registry_backup_setup.exe and select Run as Administrator >> Follow the prompts for a default installation.
  • Ensure the option Open "Tweaking.com - Registry Backup" When Install Completes is selected >> Next >> Finish.
  • Once the GUI (graphical user interface) has appeared/loaded (screenshot TCRB-1.jpg):
  • Click on Backup Now >> once the process is complete the screen shown in TBRB-2.jpg will be displayed in the GUI.
  • Close Tweaking.com - Registry Backup.
 
Note: There will now be a folder at the root of the hard drive named C:\RegBackup. Do not delete this, as it is the actual backup just created.
 
A tutorial for Registry Backup explaining the various features can be viewed HERE.


 
 

#66 ken545


Posted 30 July 2016 - 11:47 AM

We're going to run a fix with FRST and also a registry fix. Copy these files to Notepad and name the file FIXLIST, save it to your desktop.... BUT DON'T RUN THE FIX YET
 
C:\ProgramData\Lamzaps
C:\ProgramData\Lamzap
C:\Users\All Users\Lamzap
c:\users\Bud Parker\AppData\Roaming\Ronzafind
C:\FRST\Quarantine\C\ProgramData\Lamzap
C:\FRST\Quarantine\C\ProgramData\Lamzaps
 
Then do this.
If you have problems running any of these, then stop and move on to the next one.
 
Open Task Manager (Ctrl Alt Del) and kill all "Lamzap" and "Ronzafind" related processes.
 
 
Go to Start > Run and type in services.msc. When it opens, look for any Lamzap and Ronzafind services, highlight them and on the top left there is an option to Stop Service, then exit services.
 
 
Go to Start > Run and type in taskschd.msc. When it loads, stop any Lamzap and Ronzafind scheduled tasks.
 
 
====================================================================
 
Then run the reg fix, but before you do make sure that you backed up your registry with Tweaking reg backup or I won't be responsible for any errors.
 
REGEDIT4
 
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths]
"url1"=""
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug]
"StoreLocation"=""
 
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Ronzafind]
 
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Ronzafind]
 
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Ronzafind]
 
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\Ronzafind]
 
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\Ronzafind]
 
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\Ronzafind]
 
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Ronzafind]
 
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Ronzafind]
 
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Ronzafind]
 
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\Windows Error Reporting\Debug]
"StoreLocation"=""
 
[HKEY_USERS\S-1-5-21-2712942507-1312882600-3786330889-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths]
"url1"=""
 
[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\Windows Error Reporting\Debug]
"StoreLocation"=""
 
[HKEY_CURRENT_USER\Environment]
"SNF"=""
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ApprovedByRegRun2\AntiRepl\0]
"Target"=""
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ApprovedByRegRun2\AntiRepl\13]
"Target"=""
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ApprovedByRegRun2\AntiRepl\14]
"Target"=""
 
[HKEY_USERS\S-1-5-21-2712942507-1312882600-3786330889-1001\Environment]
"SNF"=""
 
[HKEY_CURRENT_USER\Environment]
"SNF"=""
 
[-HKEY_CURRENT_USER\Software\Greatis\Regrun2\Black\Files\C:PROGRAMDATALAMZAP]
 
[-HKEY_CURRENT_USER\Software\Greatis\Regrun2\Black\Files\C:PROGRAMDATALAMZAPDONTIP.DLL]
 
[-HKEY_CURRENT_USER\Software\Greatis\Regrun2\Black\Files\C:PROGRAMDATALAMZAPGREENTIP.DLL]
 
[-HKEY_CURRENT_USER\Software\Greatis\Regrun2\Black\Files\C:PROGRAMDATALAMZAPJOBQUOTOUCH.DLL]
 
[-HKEY_CURRENT_USER\Software\Greatis\Regrun2\Black\Files\C:PROGRAMDATALAMZAPLAMZAP.EXE]
 
[-HKEY_CURRENT_USER\Software\Greatis\Regrun2\Black\Files\C:PROGRAMDATALAMZAPMED-LAX.DLL]
 
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List]
"File3"=""
 
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List]
"File4"=""
 
[HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"C:\\ProgramData\\Lamzap\\Lamzap.exe"=-
 
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Lamzap.exe]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
 
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\Lamzap_RASAPI32]
 
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\Lamzap_RASMANCS]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ApprovedByRegRun2\AntiRepl\0]
"Target"=""
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ApprovedByRegRun2\AntiRepl\13]
"Target"=""
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ApprovedByRegRun2\AntiRepl\14]
"Target"=""
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ApprovedByRegRun2\AntiRepl\15]
"Target"=""
 
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\Lamzap.exe]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
 
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Lamzap.exe]
 
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\mtLamzap]
 
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\Lamzap]
 
[HKEY_USERS\S-1-5-21-2712942507-1312882600-3786330889-1001\Environment]
"SNF"=""
 
[-HKEY_USERS\S-1-5-21-2712942507-1312882600-3786330889-1001\Software\Greatis\Regrun2\Black\Files\C:PROGRAMDATALAMZAP]
 
[-HKEY_USERS\S-1-5-21-2712942507-1312882600-3786330889-1001\Software\Greatis\Regrun2\Black\Files\C:PROGRAMDATALAMZAPDONTIP.DLL]
 
[-HKEY_USERS\S-1-5-21-2712942507-1312882600-3786330889-1001\Software\Greatis\Regrun2\Black\Files\C:PROGRAMDATALAMZAPGREENTIP.DLL]
 
[-HKEY_USERS\S-1-5-21-2712942507-1312882600-3786330889-1001\Software\Greatis\Regrun2\Black\Files\C:PROGRAMDATALAMZAPJOBQUOTOUCH.DLL]
 
[-HKEY_USERS\S-1-5-21-2712942507-1312882600-3786330889-1001\Software\Greatis\Regrun2\Black\Files\C:PROGRAMDATALAMZAPLAMZAP.EXE]
 
[-HKEY_USERS\S-1-5-21-2712942507-1312882600-3786330889-1001\Software\Greatis\Regrun2\Black\Files\C:PROGRAMDATALAMZAPMED-LAX.DLL]
 
[HKEY_USERS\S-1-5-21-2712942507-1312882600-3786330889-1001\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List]
"File3"=""
 
[HKEY_USERS\S-1-5-21-2712942507-1312882600-3786330889-1001\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List]
"File4"=""
 
[HKEY_USERS\S-1-5-21-2712942507-1312882600-3786330889-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"C:\\ProgramData\\Lamzap\\Lamzap.exe"=-
 
[HKEY_USERS\S-1-5-21-2712942507-1312882600-3786330889-1001_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"C:\\ProgramData\\Lamzap\\Lamzap.exe"=-
 
 
 

 

 
Copy the entire contents inside the Quote box and paste it into Notepad (this will only work with Notepad), name the file Regfix.reg and in the drop-down box save it as All Files. Save it to your desktop. Then right-click on the Regfix.reg file and click on Merge; when it asks you to merge with the Registry, say yes.
 
If you saved the file correctly it should look like this (reg.jpg).
 
 
 
Then open FRST64 by right-clicking on it and select RUN AS ADMINISTRATOR. When it opens click FIX (Not Scan). Post the Fixlog and let me know how things are running now.


 
 

#67 Top


Posted 30 July 2016 - 12:13 PM

1.  Lamzap not found in Task Manager under Processes or Services.  Ronzafind listed in Services but I could not stop it.

 

2.  Ronzafind listed in "Services" but the option "Stop" is ghosted out and will not allow me to stop it.

 

3.  Task Scheduler.  When I ran it an error window appeared which said, "Task PvrSchedule Task:  The task image is corrupt or has been tampered with."  There is a selection block titled OK.  When I click it the same error window pops up again.  I can't "X" out of that error window either.

 

4.  I saved the registry file with the program you told me to, also a program I use.  I should have two copies of the registry I am now running if we need to go back.

 

5.  I saved both files using Notepad and titled them correctly.  I will now run FRST64 and will run the Fixlog...




#68 Top


Posted 30 July 2016 - 12:14 PM

By the way, let me say "Thank You" for all your help.




#69 Top


Posted 30 July 2016 - 12:30 PM

Fix result of Farbar Recovery Scan Tool (x64) Version: 27-07-2016
Ran by Bud Parker (2016-07-30 13:30:06) Run:2
Running from C:\Users\Bud Parker\Desktop
Loaded Profiles: Bud Parker (Available Profiles: Bud Parker)
Boot Mode: Normal
==============================================

fixlist content:
*****************
C:\ProgramData\Lamzaps
C:\ProgramData\Lamzap
C:\Users\All Users\Lamzap
c:\users\Bud Parker\AppData\Roaming\Ronzafind
C:\FRST\Quarantine\C\ProgramData\Lamzap
C:\FRST\Quarantine\C\ProgramData\Lamzaps
*****************

"C:\ProgramData\Lamzaps" => not found.
C:\ProgramData\Lamzap => moved successfully
"C:\Users\All Users\Lamzap" => not found.
c:\users\Bud Parker\AppData\Roaming\Ronzafind => moved successfully
C:\FRST\Quarantine\C\ProgramData\Lamzap => moved successfully
C:\FRST\Quarantine\C\ProgramData\Lamzaps => moved successfully

==== End of Fixlog 13:30:06 ====




#70 ken545


Posted 30 July 2016 - 12:38 PM

And you ran the reg fix with no problems? Any sign of Lamzap?



 
 


#71 Top


Posted 30 July 2016 - 01:07 PM

 
 

Here is the fix log again.

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 27-07-2016
Ran by Bud Parker (2016-07-30 13:53:10) Run:3
Running from C:\Users\Bud Parker\Desktop
Loaded Profiles: Bud Parker (Available Profiles: Bud Parker)
Boot Mode: Normal
==============================================

fixlist content:
*****************
C:\ProgramData\Lamzaps
C:\ProgramData\Lamzap
C:\Users\All Users\Lamzap
c:\users\Bud Parker\AppData\Roaming\Ronzafind
C:\FRST\Quarantine\C\ProgramData\Lamzap
C:\FRST\Quarantine\C\ProgramData\Lamzaps
*****************

C:\ProgramData\Lamzaps => moved successfully

"C:\ProgramData\Lamzap" folder move:

Could not move "C:\ProgramData\Lamzap" => Scheduled to move on reboot.


"C:\Users\All Users\Lamzap" folder move:

Could not move "C:\Users\All Users\Lamzap" => Scheduled to move on reboot.

c:\users\Bud Parker\AppData\Roaming\Ronzafind => moved successfully
"C:\FRST\Quarantine\C\ProgramData\Lamzap" => not found.
C:\FRST\Quarantine\C\ProgramData\Lamzaps => moved successfully

Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 2016-07-30 13:58:27)

"C:\ProgramData\Lamzap" => Could not move
"C:\Users\All Users\Lamzap" => Could not move

==== End of Fixlog 13:58:32 ====

 

Also, see photo of directory...

 

Attached Thumbnails

  • LAMZAPS.jpg



#72 Top


Posted 30 July 2016 - 01:09 PM

The first Lamzap directory is what we just fixed.  The other one with green arrow was done previously.

 

Lamzaps reappeared.  I will open it and post another picture.




#73 Top


Posted 30 July 2016 - 01:12 PM

This is the contents of Lamzaps directory.  I think this is what posts to the browser to force it to their search page.  I'll try it and see.

 

Attached Thumbnails

  • Lamzaps Contents.jpg



#74 Top


Posted 30 July 2016 - 01:17 PM

When the %SNF% is appended to the end of the Shortcut address it takes you to the hijacked search page.   This photo is the properties of the Firefox shortcut on my desktop (Browser.jpg).



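The shortcut hijack described in post #74 (a user environment variable SNF pointing into C:\ProgramData\Lamzaps, with %SNF% appended to the browser shortcut) and the persistence entries the reg fix in post #66 removes (services with an ImagePath under ProgramData or a user profile, AppInit_DLLs, SilentProcessExit MonitorProcess) can be audited read-only with the PowerShell below. This is an added example, not part of the thread and not code from FRST, SystemLook or any other tool used here; the names Lamzap and Ronzafind and the paths come from the logs above, and the function names are my own.

```powershell
# Added example, not from the thread or from FRST/SystemLook: a read-only audit
# of the persistence classes the logs above show. Run in an elevated PowerShell.
# Nothing here changes the registry or disk; it only reports.
# Names and paths (Lamzap, Ronzafind, ProgramData, %SNF%) are taken from the logs;
# the function names are my own.

$Suspects = @('Lamzap', 'Ronzafind')

function Get-SuspectServices {
    # Services whose ImagePath lives under ProgramData or a user profile (as the
    # logged Ronzafind and Lamzap services do) are unusual and worth a look.
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $img = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).ImagePath
            if (-not $img) { return }
            $byPath = $img -match '(?i)\\(ProgramData|Users)\\'
            $byName = @($Suspects | Where-Object { $img -match $_ }).Count -gt 0
            if ($byPath -or $byName) {
                [pscustomobject]@{ Class = 'Service'; Name = $_.PSChildName; Value = $img }
            }
        }
}

function Get-AppInitDlls {
    # AppInit_DLLs loads the listed DLL into every process that loads user32.dll.
    # The log shows it set to C:\ProgramData\Lamzap\*.dll in both registry views.
    foreach ($k in 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
                   'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows') {
        $p = Get-ItemProperty $k -ErrorAction SilentlyContinue
        if ($p -and $p.AppInit_DLLs) {
            [pscustomobject]@{ Class = 'AppInit_DLLs'; Name = $k; Value = $p.AppInit_DLLs }
        }
    }
}

function Get-SilentProcessExitMonitors {
    # SilentProcessExit\<exe>\MonitorProcess runs a "monitor" command whenever the
    # named process exits; the log has one for Lamzap.exe carrying a stats URL.
    foreach ($root in 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit',
                      'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\SilentProcessExit') {
        Get-ChildItem $root -ErrorAction SilentlyContinue | ForEach-Object {
            $m = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).MonitorProcess
            if ($m) {
                [pscustomobject]@{ Class = 'SilentProcessExit'; Name = $_.PSChildName; Value = $m }
            }
        }
    }
}

function Get-EnvShortcutHijacks {
    # Post #74 shows a user environment variable SNF pointing at
    # C:\ProgramData\Lamzaps\snp.sc and "%SNF%" appended to a browser shortcut's
    # target. Report both halves: user env vars pointing into ProgramData, and
    # .lnk files whose Arguments contain a %VAR% reference or a URL.
    $envProps = Get-ItemProperty 'HKCU:\Environment' -ErrorAction SilentlyContinue
    if ($envProps) {
        foreach ($prop in $envProps.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }          # provider metadata
            if ("$($prop.Value)" -match '(?i)\\ProgramData\\') {
                [pscustomobject]@{ Class = 'EnvVar'; Name = $prop.Name; Value = $prop.Value }
            }
        }
    }
    $shell = New-Object -ComObject WScript.Shell
    $dirs  = @([Environment]::GetFolderPath('Desktop'),
               [Environment]::GetFolderPath('CommonDesktopDirectory'),
               "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch")
    Get-ChildItem $dirs -Filter *.lnk -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $lnkArgs = $shell.CreateShortcut($_.FullName).Arguments
        if ($lnkArgs -match '%[A-Za-z_][A-Za-z0-9_]*%' -or $lnkArgs -match '(?i)https?://') {
            [pscustomobject]@{ Class = 'Shortcut'; Name = $_.FullName; Value = $lnkArgs }
        }
    }
}

$findings = @(Get-SuspectServices) + @(Get-AppInitDlls) +
            @(Get-SilentProcessExitMonitors) + @(Get-EnvShortcutHijacks)
if ($findings.Count) { $findings | Format-Table -AutoSize -Wrap }
else { 'No findings in the audited locations.' }
```

Running it once before the reg fix and once after gives a before/after list of exactly the entries the fix was meant to clear, without editing anything itself.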

#75 ken545


Posted 30 July 2016 - 01:19 PM

Not sure what those files are ???  

 

Open up FRST, be sure to checkmark Additions and run a new Scan and post both new logs please.



 
 
