
Win32/Virtumonde & Reinfecting Friends


78 replies to this topic

#1 Caramello222

Caramello222

  • Members
  • 145 posts
  • OFFLINE
  • Gender:Female
  • Local time:06:14 AM

Posted 27 October 2015 - 09:15 PM

Attached File: Addition.txt (29.9KB)
Computer: HP Pavilion 20-b313w
Original OS: Windows 8, Current OS: Windows 8.1, with Windows 10 ready to install and running in background
Browser: Internet Explorer 11 with desktop and immersive view being used
If more specs are needed let me know.
Why do I think I'm infected with Win32/Virtumonde & friends? Microsoft Malware Protection Center's Malware Encyclopedia. Their threat behavior technical information and what I've been experiencing sound similar. Threat behavior: Win32/Virtumonde is a multiple-component family of programs that deliver 'out of context' pop-up advertisements. When I search for mold clean-up info, the site I chose had multiple banner ads on every page displaying 'MOLD REMOVAL' with an arrow indicating to click the ad to go to a website about mold removal. I also see them on this site, BleepingComputer; when I'm not logged in there are multiple banner ads for malware & virus removal. The ads are now in my game app. When they got into the app they would open IE in immersive view beside the app with blank pages for feed.click net and other tabs opened to shopping and news websites I've heard of or visited. Now the ads are so aggressive Microsoft's ads for the app store no longer show; it's always ads for games, malware removal, "you need to install Flash to see this", and "you have a message" with flashing and shaking. I stopped playing the game because the ads give me nausea. They may also download and execute arbitrary files. On 10/22/15 my computer was disconnected from the modem and my computer created and modified over 300 files of nothing. Ex., path C:\users\myname\appdata\roaming\microsoft\crypto\rsa\S-1-5-21-2468009334-3132239489-2760357183-1001\31880c1a1bba16b03aa252cb192b1f59-17dd77cb-4ffe-4ba1-90ac-435db504aa72 was created 10/16/15; the details tab for the file at the end showed: file type: system file, date modified: 10/22/15. That day there was no size, but today 10/27/15 it shows 56 bytes (as in pic supplied). Also the folder name (S-1-5-21... as above) is an unknown account, with full control, as a group user in permissions for all folders and files in path C:\user\myname\appdata\local\packages. That is the same path where SUPERAntiSpyware keeps finding the same tracking cookies every day, and they come right back every day. Virtumonde is often distributed as a DLL file and installed on an affected machine as a Browser Helper Object (BHO) without a user's consent. I was told that I shouldn't put too much thought into strange behavior in Task Manager, but I can't help feeling that what I'm seeing is not normal or glitches, it's malware. There are 2 COM Surrogate background processes that, every time I open Task Manager, disappear in 2 seconds along with high CPU usage in the 90s or 80s, which immediately drops to 0-2% usage when COM Surrogate disappears. That behavior started late 2014 I think, but definitely all of 2015 so far. I received this computer 11/2013 (as a new computer fresh out of the box) and I'm 100% sure that my computer didn't always do that, not even after I upgraded to Windows 8.1. Along with other strange & new behavior is duplicate Realtek Audio; after the second popped up I've been having sound issues and the double never goes away. The Flash Player icon changed from red to burgundy and the letters look slightly italicized, as does its copyright symbol. I also have a Windows Installer that pops up from time to time that looks exactly like that odd Flash Player icon and not like the Windows Installer and Windows Installer module that I always see during updates etc.
Most important, every time I close IE it drops from apps to background processes where 3 blank/unknown rundll32 processes pop up and use high resources as they one by one quickly disappear, and IE disappears with the last one. This month something new started: under Windows Processes there is a Windows Console Host that is always running. I don't know if it's relevant to malware or if it's there because, in an attempt to block those tracking cookies, I added them to my hosts file (ex. 0.0.0.0 www lax1 ib adnxs com); it didn't work, but maybe that is why the console is now open? That's all for Task Manager. Browser Helper Objects: I downloaded and installed ABP (Adblock Plus) through IE's add-on gallery, but for some strange reason its properties showed French as the language even though everything was in English. It worked but I deleted it anyway. And an ESET free online scan found Win32\Bundled.Google.Toolbar.D; I never downloaded a Google toolbar. I did download a Google opt-out plugin to stop the tracking ads I was seeing on the internet. That didn't work; I still see 'out of context' ads by googleads.g.doubleclick net and googleadservices. Also that opt-out plugin has an update installer in its folder. This family uses advanced defensive and stealth techniques to escape detection and to hinder removal. This malware has me blocked from Microsoft's Safety Scan page; when I try to load the page the loading circle spins like a skipping record, but I was able to access the page by using my computer's search charm, and from those results the page loaded, but the scan didn't find anything. That's because this malware doesn't really go out of its way to block me or give me phony error messages, and when it does I'm always able at some point to download and run the scan. Deep scans take over three hours, and only once did Microsoft's Malware Removal Tool find 1 infected file during its scan, but towards the end of it suddenly 3 console host windows popped up in Task Manager and the green progress bar quickly zipped to the end of the scan, the scan showed as complete, and the 1 file it collected during the scan was gone. That happens with all of Microsoft's scans; the only difference now is none of them show anything infected.
Here is a list of scans I've run (not in the order they appear) that found nothing: Windows Defender, Windows Defender Offline, Microsoft Safety Scan, Microsoft Malware Removal Tool, AdwCleaner, Junkware Cleaner, MalwareBytes Anti-Malware free & separate Rootkit Scan, ESET Poweliks, Emsisoft Emergency Kit Scan, Kaspersky Lab TDSSKiller & a separate Anti-Virus scan, RKill, Zemana Anti-Malware, and Sophos Virus Removal Tool; I think that's it. Now the scans that had results.
Hitman Pro:
   Computer name . . . . : CORNBREAD
   Windows . . . . . . . : 6.3.0.9600.X64/2
   User name . . . . . . : CORNBREAD\myname
   UAC . . . . . . . . . : Enabled
   License . . . . . . . : Free

   Scan date . . . . . . : 2015-10-14 18:18:56
   Scan mode . . . . . . : Normal
   Scan duration . . . . : 4m 14s
   Disk access mode  . . : Direct disk access (SRB)
   Cloud . . . . . . . . : Internet
   Reboot  . . . . . . . : No

   Threats . . . . . . . : 0
   Traces  . . . . . . . : 8
   Objects scanned . . . : 1,368,209
   Files scanned . . . . : 30,384
   Remnants scanned  . . : 337,529 files / 1,000,296 keys
Cookies: C:\Users\myname\AppData\Roaming\Mozilla\Firefox\Profiles\p66try1r.default\cookies.sqlite:adnxs com. Also found in the same path: doubleclick net, imrworldwide com, krxd net, rlcdn com, scorecardresearch com, vizu com, w55c net.

SUPERAntiSpyware Scan Log
http //www superantispyware com
Generated 10/14/2015 at 11:46 PM
Application Version : 6.0.1206
Database Version : 12127

Operating System Information
Windows 8.1 Home 64-bit (Build 6.03.9600)
UAC On - Limited User

Scan type       : Complete Scan
Total Scan Time : 00:26:08

Memory items scanned      : 731
Memory threats detected   : 0
Registry items scanned    : 45952
Registry threats detected : 0
File items scanned        : 28626
File threats detected     : 388
These results are from one of a couple of logs from SUPERAntiSpyware, and it's always the same tracking cookies with the same path.
Adware.Tracking Cookie
ib.mookie1 com/.ibkukiuno [ C:\USERS\myname\APPDATA\LOCAL\PACKAGES\MICROSOFT.MICROSOFTMAHJONG_8WEKYB3D8BBWE\AC\INETCOOKIES\2TMX12EQ.TXT ], and tidaltv com, dpm.demdex net, serving-sys com, ad.360yield com, testdata.de.coremetrics com/.CoreID6, and many more in 30451163.log.optimizely com/.bucket_map [ C:\USERS\myname\APPDATA\LOCAL\PACKAGES\XIMADINC.MAGICPUZZLES_NP8FJ6AKX2CZY\AC\INETCOOKIES\0CM3QKBG.TXT ].
Eset On Demand Online Scanner: Found Win32\Bundled.Google.Toolbar.D

RogueKiller V10.11.2.0 [Oct 20 2015] by Adlice Software    Operating System : Windows 8.1 (6.3.9600) 64 bits version    
mail : http // www adlice com/contact/                      Started in : Normal mode
Feedback : http // forum adlice com                         User : myname [Administrator]
Website : http / /www adlice com/software/roguekiller/      Started from : C:\Users\Floretta\Desktop\RogueKiller.exe
Blog : http // www adlice com                               Mode : Scan -- Date : 10/21/2015 17:33:34
¤¤¤ Processes : 0 ¤¤¤
¤¤¤ Registry : 4 ¤¤¤
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-2468009334-3132239489-2760357183-1001\Software\Microsoft\Internet Explorer\Main | Start Page : https // soundcloud com/you/sets  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-2468009334-3132239489-2760357183-1001\Software\Microsoft\Internet Explorer\Main | Start Page : https // soundcloud com/you/sets  -> Found
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-2468009334-3132239489-2760357183-1001\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Found
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-2468009334-3132239489-2760357183-1001\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Found
¤¤¤ Tasks : 0 ¤¤¤
¤¤¤ Files : 0 ¤¤¤
¤¤¤ Hosts File : 0 [Too big!] ¤¤¤
¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤
¤¤¤ Web browsers : 0 ¤¤¤
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST500DM002-1BD142 +++++
--- User ---
[MBR] c2a85036c14f4420a8e0e40215c5f9f2
[BSP] 5bef15c36d8798fe98372410787d35b1 : Empty|VT.Unknown MBR Code
Partition table:
0 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 2048 | Size: 1023 MB
1 - [MAN-MOUNT] EFI system partition | Offset (sectors): 2097152 | Size: 360 MB
2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 2834432 | Size: 128 MB
3 - Basic data partition | Offset (sectors): 3096576 | Size: 456483 MB
4 - [SYSTEM][MAN-MOUNT]  | Offset (sectors): 937973760 | Size: 450 MB
5 - [SYSTEM][MAN-MOUNT]  | Offset (sectors): 938895360 | Size: 350 MB
6 - [SYSTEM] Basic data partition | Offset (sectors): 939612160 | Size: 18140 MB
User = LL1 ... OK
User = LL2 ... OK
I clicked delete and the HKEYs were replaced.
Second scan with Rogue Killer, Mode : Scan -- Date : 10/22/2015 12:30:34
¤¤¤ Processes : 0 ¤¤¤
¤¤¤ Registry : 4 ¤¤¤
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 65.32.5.111 65.32.5.112 ([X][X])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 65.32.5.111 65.32.5.112 ([X][X])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{CF6EE126-57FB-47C6-B8F1-5E071B153152} | DhcpNameServer : 65.32.5.111 65.32.5.112 ([X][X])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{CF6EE126-57FB-47C6-B8F1-5E071B153152} | DhcpNameServer : 65.32.5.111 65.32.5.112 ([X][X])  -> Found
¤¤¤ Tasks : 0 ¤¤¤
¤¤¤ Files : 0 ¤¤¤
¤¤¤ Hosts File : 0 [Too big!] ¤¤¤
¤¤¤ Antirootkit : 0 (Driver: Not loaded [0x20]) ¤¤¤
¤¤¤ Web browsers : 0 ¤¤¤
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST500DM002-1BD142 +++++
--- User ---
[MBR] c2a85036c14f4420a8e0e40215c5f9f2
[BSP] 5bef15c36d8798fe98372410787d35b1 : Empty MBR Code
Partition table:
0 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 2048 | Size: 1023 MB
1 - [MAN-MOUNT] EFI system partition | Offset (sectors): 2097152 | Size: 360 MB
2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 2834432 | Size: 128 MB
3 - Basic data partition | Offset (sectors): 3096576 | Size: 456483 MB
4 - [SYSTEM][MAN-MOUNT]  | Offset (sectors): 937973760 | Size: 450 MB
5 - [SYSTEM][MAN-MOUNT]  | Offset (sectors): 938895360 | Size: 350 MB
6 - [SYSTEM] Basic data partition | Offset (sectors): 939612160 | Size: 18140 MB
User = LL1 ... OK
User = LL2 ... OK
The findings in this scan could not be deleted or replaced.
Kaspersky Security Scan did not find malware, but before it started its scan it found 10 security issues for which I did not click Find Solution, because I have no knowledge of these issues and was afraid I would make matters worse. So please let me know if I should go ahead and click Find Solution in Kaspersky Security Scan. Here are the problems.
1) Service Termination Timeout Is Out Of Admissible Values.
2) Autorun From Hard Drives Is Allowed.
3) Autorun From Network Drivers Is Enabled.
4) CD/DVD Autorun Is Enabled.
5) Removable Media Autorun Is Enabled.
6) Microsoft Internet Explorer: Caching Data Received VIA Protected Channel Is Enabled.
7) Microsoft Internet Explorer: Settings Error Reports Is Enabled.
8) Microsoft Internet Explorer: Some Websites Are Added To The List Of Trusted Websites.
9) Microsoft Internet Explorer: Cache Auto Cleanup Is Disabled On Browser Exit.
10) Microsoft Internet Explorer: Home Page Reset
 What should I do?
 
I have also noticed something strange when I access system32: I see files, then there is a quick flash, then I see folders at the start of that section. I've read that rootkits do that so you can't see that it has replaced system files with its malicious files. Also Task Scheduler now starts after only 4 minutes of being idle. It was never like that, and it's also very annoying to have tasks always starting and stopping, because as soon as I move the mouse the task stops (after a few seconds); it's a pain when reading long articles. This might be nothing, but I have blank files that start at C_037.NLS - C_28605.NLS that show they were created 8/22/13 and modified 6/18/13; how can a file be modified before it was created?

I did try to fix my computer because I thought it could be glitches I was seeing, especially in Task Manager, along with slow and sometimes choppy performance that is always worse after my computer has been idle; after it's been asleep, if I had an app open it will crash when the computer comes out of sleep mode, sound issues etc. So I started with a full reset, but found out that the system saved files somewhere, especially my internet information; IE kept the full list of my favorites. Then from there I fully updated Windows 8, then upgraded again to Windows 8.1 and fully updated that. I ran an app and app store troubleshooter, and the internet troubleshooter (I keep having connection problems on and off). I was assisted by Microsoft Community and followed their troubleshooting methods: Method 1: Run the System Maintenance troubleshooter. Method 2: Update the drivers. Method 3: Optimize the hard disk and see if it works. Perform Disk Cleanup and see if it helps. None of that helped, so then another assistant said: Method 1: Check in safe mode and clean boot mode of the computer. Step 2: Perform Clean Boot. Method 2: Run Microsoft Safety Scanner (this is when I had trouble getting to the scan, but I got it and ran it; nothing). Method 3: Perform SFC scan.
That scan found corrupted files and couldn't fix them.

2015-10-09 17:48:22, Info                  CSI    00000596 [SR] Cannot repair member file [l:36{18}]"Amd64\CNBJ2530.DPB" of prncacla.inf, Version = 6.3.9600.17415, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type = [l:24{12}]"driverUpdate", TypeName neutral, PublicKey neutral in the store, hash mismatch
2015-10-09 17:48:27, Info                  CSI    00000598 [SR] Cannot repair member file [l:36{18}]"Amd64\CNBJ2530.DPB" of prncacla.inf, Version = 6.3.9600.17415, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type = [l:24{12}]"driverUpdate", TypeName neutral, PublicKey neutral in the store, hash mismatch
2015-10-09 17:48:27, Info                  CSI    00000599 [SR] This component was referenced by [l:166{83}]"Package_2709_for_KB3000850~31bf3856ad364e35~amd64~~6.3.1.8.3000850-6825_neutral_GDR"
2015-10-09
2015-10-09 18:00:58, Info                  CSI    000008ee [SR] Repairing 1 components
2015-10-09 18:00:58, Info                  CSI    000008ef [SR] Beginning Verify and Repair transaction
2015-10-09 18:00:59, Info                  CSI    000008f1 [SR] Cannot repair member file [l:36{18}]"Amd64\CNBJ2530.DPB" of prncacla.inf, Version = 6.3.9600.17415, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type = [l:24{12}]"driverUpdate", TypeName neutral, PublicKey neutral in the store, hash mismatch
2015-10-09 18:00:59, Info                  CSI    000008f3 [SR] Cannot repair member file [l:36{18}]"Amd64\CNBJ2530.DPB" of prncacla.inf, Version = 6.3.9600.17415, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type = [l:24{12}]"driverUpdate", TypeName neutral, PublicKey neutral in the store, hash mismatch
2015-10-09 18:00:59, Info                  CSI    000008f4 [SR] This component was referenced by [l:166{83}]"Package_2709_for_KB3000850~31bf3856ad364e35~amd64~~6.3.1.8.3000850-6825_neutral_GDR"
2015-10-09 18:01:00, Info                  CSI    000008f5 [SR] Repair complete
2015-10-09 18:01:00, Info                  CSI    000008f6 [SR] Committing transaction
2015-10-09 18:01:00, Info                  CSI    000008fb [SR] Verify and Repair Transaction completed. All files and registry keys listed in this transaction  have been successfully repaired.

The next person told me to run a DISM scan to get those files corrected, and it worked. The improved performance of my computer was short-lived, and it was after that I downloaded SUPERAntiSpyware and found all of those tracking cookies, and system32 started to flash when I accessed it. Since then I've been trying to get rid of this malware on my own; then I realized I can't do this by myself and I need help. But I didn't want to ask for help and have no information to support the fact that I have a rootkit problem and the tracking cookies are merely a diversion while the rootkit hooks deeper into my system and collects more of my personal information (I had a .pdf of my EBT application on my computer), and I think it's also bitcoining or something like that, because now my computer is using more memory. Task Manager's showing of memory usage used to be 19-23%, sometimes 25%, but now it's 30%, and the longer my computer stays on the higher it gets, 50-53%. File Explorer shows the C:\ drive as having 399GB free of 445GB and sometimes 402GB free of 445GB. Today it's 400GB free, but the C:\ drive memory issues just started this month of October, and also the 50-53% in Task Manager, but it did sometimes reach the 40s in previous months. I hope the information above is helpful and not confusing; I really did try to keep it relevant, short, and to the point. If more info is needed I'll supply it; I do have helpful tools on my computer: Speccy, Autoruns and Autorunsc. Thank you for your time.

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:25-10-2015 02
Ran by myname (administrator) on CORNBREAD (27-10-2015 21:33:32)
Running from C:\Users\myname\Desktop
Loaded Profiles: myname (Available Profiles: myname)
Platform: Windows 8.1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http // www geekstogo com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AMD) C:\Windows\System32\atiesrxx.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe
(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCore64.exe
(Andrea Electronics Corporation) C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.exe
(RaMMicHaeL) C:\Program Files\Unchecky\bin\unchecky_svc.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MsMpEng.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\NisSrv.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
(Kaspersky Lab ZAO) C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan\kss.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe
(RaMMicHaeL) C:\Program Files\Unchecky\bin\unchecky_bg.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe
(ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Microsoft Corporation) C:\Windows\System32\GWX\GWX.exe
(CyberLink) C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe
(Microsoft Corporation) C:\Windows\System32\SkyDrive.exe
(Microsoft Corporation) C:\Windows\System32\Taskmgr.exe
(Microsoft Corporation) C:\Program Files\Windows Defender\MSASCui.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [7198424 2013-08-29] (Realtek Semiconductor)
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\amd64\CLIStart.exe [766208 2013-09-11] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [Malwarebytes Anti-Exploit] => C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe [2620728 2015-07-22] (Malwarebytes Corporation)
HKU\S-1-5-21-2468009334-3132239489-2760357183-1001\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [53760128 2015-07-18] (Skype Technologies S.A.)
HKU\S-1-5-18\...\Run: [KSS] => C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan\kss.exe [919296 2015-06-03] (Kaspersky Lab ZAO)
ShellIconOverlayIdentifiers: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  No File
ShellIconOverlayIdentifiers: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  No File
ShellIconOverlayIdentifiers: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  No File

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 65.32.5.111 65.32.5.112
Tcpip\..\Interfaces\{CF6EE126-57FB-47C6-B8F1-5E071B153152}: [DhcpNameServer] 65.32.5.111 65.32.5.112

Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://g.msn.com/HPDSK13/1
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.msn.com/HPDSK13/1
HKU\S-1-5-21-2468009334-3132239489-2760357183-1001\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://search.msn.com/spbasic.htm
HKU\S-1-5-21-2468009334-3132239489-2760357183-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://windows.microsoft.com/en-US/windows/antivirus-partners#AVtabs=win81
HKU\S-1-5-21-2468009334-3132239489-2760357183-1001\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/?ocid=iehp
SearchScopes: HKLM -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/711-154371-11896-2/4 ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
SearchScopes: HKLM-x32 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/711-154371-11896-2/4 ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
SearchScopes: HKU\S-1-5-21-2468009334-3132239489-2760357183-1001 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL =
BHO: Advertising Cookie Opt-out -> {8E425EB4-ADBD-4816-B1E8-49BB9DECF034} -> C:\Program Files\Google\Advertising Cookie Opt-out\opt_out.dll [2013-01-10] (Google Inc)
BHO: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPluginx64.dll [2013-08-28] (Hewlett-Packard)
BHO-x32: Advertising Cookie Opt-out -> {8E425EB4-ADBD-4816-B1E8-49BB9DECF034} -> C:\Program Files (x86)\Google\Advertising Cookie Opt-out\opt_out.dll => No File
BHO-x32: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll [2015-05-06] (Hewlett-Packard)
DPF: HKLM-x32 {7530BFB8-7293-4D34-9923-61A11451AFC5} hxxp://download.eset.com/special/eos/OnlineScanner.cab

FireFox:
========
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.40728.0\npctrl.dll [2015-07-28] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3505.0912 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2012-09-12] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.28.15\npGoogleUpdate3.dll [No File]
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.28.15\npGoogleUpdate3.dll [No File]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [172344 2014-07-22] (SUPERAntiSpyware.com)
S2 CLHNServiceForPowerDVD12; c:\Program Files (x86)\CyberLink\PowerDVD12\Kernel\DMP\CLHNServer\CLHNServiceForPowerDVD12.exe [89864 2013-06-09] (CyberLink Corp.)
S2 CyberLink PowerDVD 12 Media Server Monitor Service; c:\Program Files (x86)\CyberLink\PowerDVD12\Kernel\DMS\CLMSMonitorServicePDVD12.exe [77576 2013-06-09] (CyberLink)
S2 CyberLink PowerDVD 12 Media Server Service; c:\Program Files (x86)\CyberLink\PowerDVD12\Kernel\DMS\CLMSServerPDVD12.exe [294664 2013-06-09] (CyberLink)
R2 HPSupportSolutionsFrameworkService; C:\Program Files (x86)\Hewlett-Packard\HP Support Solutions\HPSupportSolutionsFrameworkService.exe [25800 2015-09-28] (Hewlett-Packard Company)
R2 kss; C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Scan\kss.exe [919296 2015-06-03] (Kaspersky Lab ZAO)
R2 MbaeSvc; C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae-svc.exe [713016 2015-07-22] (Malwarebytes Corporation)
S2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1135416 2015-10-05] (Malwarebytes)
R2 RtkAudioService; C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe [289496 2013-08-29] (Realtek Semiconductor)
R2 Unchecky; C:\Program Files\Unchecky\bin\Unchecky_svc.exe [241400 2015-10-16] (RaMMicHaeL)
S3 w3logsvc; C:\Windows\system32\inetsrv\w3logsvc.dll [76800 2015-07-22] (Microsoft Corporation)
R3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [366552 2015-07-07] (Microsoft Corporation)
R2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23824 2015-07-07] (Microsoft Corporation)
S2 gupdate; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc [X]
S3 gupdatem; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc [X]

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 athr; C:\Windows\system32\DRIVERS\athwbx.sys [4265984 2014-12-22] (Qualcomm Atheros Communications, Inc.)
R1 CLVirtualDrive; C:\Windows\system32\DRIVERS\CLVirtualDrive.sys [91712 2013-03-15] (CyberLink)
S0 ebdrv; C:\Windows\System32\drivers\evbda.sys [3357024 2013-08-22] (Broadcom Corporation)
R1 ESProtectionDriver; C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae64.sys [63064 2015-07-22] ()
R3 MBAMProtector; C:\WINDOWS\system32\drivers\mbam.sys [25816 2015-10-05] (Malwarebytes)
S3 MBAMWebAccessControl; C:\WINDOWS\system32\drivers\mwac.sys [64216 2015-10-05] (Malwarebytes Corporation)
R2 ntk_PowerDVD12; c:\Program Files (x86)\CyberLink\PowerDVD12\Kernel\DMP\CLHNServer\ntk_PowerDVD12_64.sys [84168 2013-03-12] (Cyberlink Corp.)
R3 RSP2STOR; C:\Windows\system32\DRIVERS\RtsP2Stor.sys [290008 2013-07-08] (Realtek Semiconductor Corp.)
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
U3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [35064 2015-10-22] ()
S0 WdBoot; C:\Windows\System32\drivers\WdBoot.sys [44560 2015-07-07] (Microsoft Corporation)
R0 WdFilter; C:\Windows\System32\drivers\WdFilter.sys [270168 2015-07-07] (Microsoft Corporation)
R2 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114520 2015-07-07] (Microsoft Corporation)
S1 ZAM; \??\C:\WINDOWS\System32\drivers\zam64.sys [X]
S1 ZAM_Guard; \??\C:\WINDOWS\System32\drivers\zamguard64.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-10-25 22:07 - 2015-10-27 21:33 - 00019977 _____ C:\Users\Floretta\Desktop\malwaretips.txt
2015-10-25 15:22 - 2015-10-25 15:22 - 00001305 _____ C:\Users\Floretta\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Kaspersky Security Scan.lnk
2015-10-25 15:21 - 2015-10-25 15:21 - 00001078 _____ C:\Users\Public\Desktop\Kaspersky Security Scan.lnk
2015-10-25 15:20 - 2015-10-25 15:21 - 00000000 ____D C:\ProgramData\Kaspersky Lab
2015-10-25 15:20 - 2015-10-25 15:20 - 00000000 ____D C:\Program Files (x86)\Kaspersky Lab
2015-10-25 15:17 - 2015-10-25 15:17 - 02172800 _____ (Kaspersky Lab) C:\Users\Floretta\Desktop\kss15.0.0.740en_es_fr_pt_8648.exe
2015-10-25 12:58 - 2015-10-25 12:59 - 00031157 _____ C:\Users\Floretta\Desktop\Addition.txt
2015-10-25 12:56 - 2015-10-27 21:33 - 00011417 _____ C:\Users\Floretta\Desktop\FRST.txt
2015-10-25 12:52 - 2015-10-25 12:52 - 02197504 _____ (Farbar) C:\Users\Floretta\Desktop\FRST64.exe
2015-10-25 12:49 - 2015-10-25 12:49 - 00004625 _____ C:\Users\Floretta\Desktop\Past Fixs.txt
2015-10-24 23:59 - 2015-10-24 23:59 - 00000000 ____D C:\Users\Floretta\AppData\Local\CrashDumps
2015-10-24 23:50 - 2015-09-29 08:24 - 00155480 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\tpm.sys
2015-10-24 23:50 - 2015-09-15 10:29 - 04176384 _____ (Microsoft Corporation) C:\WINDOWS\system32\win32k.sys
2015-10-24 23:50 - 2015-09-12 09:47 - 00414559 _____ C:\WINDOWS\system32\ApnDatabase.xml
2015-10-24 23:50 - 2015-09-07 12:22 - 00477184 _____ (Microsoft Corporation) C:\WINDOWS\system32\puiobj.dll
2015-10-24 23:50 - 2015-09-07 11:54 - 00367104 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\puiobj.dll
2015-10-24 23:50 - 2015-09-07 11:30 - 01091584 _____ (Microsoft Corporation) C:\WINDOWS\system32\localspl.dll
2015-10-24 23:50 - 2015-09-04 15:24 - 00154112 _____ (Microsoft Corporation) C:\WINDOWS\system32\Drivers\tunnel.sys
2015-10-24 23:50 - 2015-08-28 18:20 - 00183368 _____ (Microsoft Corporation) C:\WINDOWS\system32\AuthHost.exe
2015-10-24 23:50 - 2015-08-20 16:45 - 01380048 _____ (Microsoft Corporation) C:\WINDOWS\system32\gdi32.dll
2015-10-24 23:50 - 2015-08-20 13:48 - 01096704 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\gdi32.dll
2015-10-24 17:59 - 2015-10-24 18:00 - 00000000 ____D C:\ProgramData\Sophos
2015-10-24 17:56 - 2015-10-24 17:56 - 00002775 _____ C:\Users\Public\Desktop\Sophos Virus Removal Tool.lnk
2015-10-24 17:56 - 2015-10-24 17:56 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sophos
2015-10-24 17:56 - 2015-10-24 17:56 - 00000000 ____D C:\Program Files (x86)\Sophos
2015-10-24 17:52 - 2015-10-24 17:53 - 136356888 _____ (Sophos Limited) C:\Users\Floretta\Desktop\Sophos Virus Removal Tool.exe
2015-10-24 16:05 - 2015-10-24 16:06 - 126785304 _____ (Microsoft Corporation) C:\Users\Floretta\Desktop\mpam-fe.exe
2015-10-24 15:15 - 2015-10-24 15:15 - 00000762 _____ C:\Users\Floretta\Desktop\Start Emsisoft Emergency Kit.lnk
2015-10-24 15:14 - 2015-10-24 15:19 - 00000000 ____D C:\EEK
2015-10-23 13:43 - 2015-10-23 15:21 - 00001500 _____ C:\Users\Floretta\Desktop\mal-hunt10-23.txt
2015-10-22 16:04 - 2015-10-22 16:04 - 00002158 _____ C:\Users\Floretta\Desktop\datemodifiedtoday.search-ms
2015-10-22 12:39 - 2015-10-22 12:39 - 00004260 _____ C:\Users\Floretta\Desktop\rk_7808.tmp.txt
2015-10-21 19:19 - 2015-10-22 20:54 - 00000000 ____D C:\Program Files (x86)\Zemana AntiMalware
2015-10-21 19:18 - 2015-10-21 19:18 - 00000000 ____D C:\Users\Floretta\AppData\Local\Zemana
2015-10-21 18:25 - 2015-10-21 18:25 - 00003468 _____ C:\Users\Floretta\Desktop\Rkill.txt2.txt
2015-10-21 17:52 - 2015-10-21 18:21 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2015-10-21 17:47 - 2015-10-21 17:48 - 16563352 _____ (Malwarebytes Corp.) C:\Users\Floretta\Desktop\mbar-1.09.3.1001.exe
2015-10-21 17:38 - 2015-10-21 17:38 - 00004266 _____ C:\Users\Floretta\Desktop\rk_5180.tmp.txt
2015-10-21 17:27 - 2015-10-22 21:49 - 00035064 _____ C:\WINDOWS\system32\Drivers\TrueSight.sys
2015-10-21 17:27 - 2015-10-21 17:44 - 00000000 ____D C:\ProgramData\RogueKiller
2015-10-21 17:26 - 2015-10-21 17:26 - 18838088 _____ C:\Users\Floretta\Desktop\RogueKiller.exe
2015-10-21 14:38 - 2015-10-21 14:40 - 00000000 ____D C:\KVRT_Data
2015-10-18 13:36 - 2015-10-18 14:44 - 00004183 _____ C:\Users\Floretta\Desktop\mal-hunt10-18.txt
2015-10-18 11:07 - 2015-10-18 11:07 - 00020131 _____ C:\Users\Floretta\Desktop\SUPERAntiSpyware Scan Log - 10-18-2015 - 11-01-50.log
2015-10-17 20:20 - 2015-10-17 20:20 - 00000605 _____ C:\Users\Floretta\Desktop\JRT.txt
2015-10-17 15:01 - 2015-10-17 15:01 - 00000000 ____D C:\SUPERDelete
2015-10-17 14:55 - 2015-10-25 10:14 - 00000000 ____D C:\Program Files\SUPERAntiSpyware
2015-10-17 14:55 - 2015-10-17 21:17 - 00001984 _____ C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
2015-10-17 14:55 - 2015-10-17 14:55 - 00000000 ____D C:\Users\Floretta\AppData\Roaming\SUPERAntiSpyware.com
2015-10-17 14:55 - 2015-10-17 14:55 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SUPERAntiSpyware
2015-10-16 14:55 - 2015-10-16 14:55 - 00040342 _____ C:\Users\Floretta\Desktop\bookmark.htm
2015-10-16 14:19 - 2015-10-16 14:19 - 00000855 _____ C:\Users\Public\Desktop\Unchecky.lnk
2015-10-16 14:19 - 2015-10-16 14:19 - 00000000 ____D C:\ProgramData\Unchecky
2015-10-16 14:19 - 2015-10-16 14:19 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Unchecky
2015-10-16 14:19 - 2015-10-16 14:19 - 00000000 ____D C:\Program Files\Unchecky
2015-10-16 14:16 - 2015-10-16 14:16 - 01196352 _____ (RaMMicHaeL) C:\Users\Floretta\Desktop\unchecky_setup.exe
2015-10-15 15:56 - 2015-09-29 19:42 - 01658536 _____ (Microsoft Corporation) C:\WINDOWS\system32\winload.efi
2015-10-15 15:56 - 2015-09-29 19:42 - 01519584 _____ (Microsoft Corporation) C:\WINDOWS\system32\winload.exe
2015-10-15 15:56 - 2015-09-29 19:42 - 01487008 _____ (Microsoft Corporation) C:\WINDOWS\system32\winresume.efi
2015-10-15 15:56 - 2015-09-29 19:42 - 01355848 _____ (Microsoft Corporation) C:\WINDOWS\system32\winresume.exe
2015-10-15 10:05 - 2015-10-15 10:05 - 00052939 _____ C:\Users\Floretta\Desktop\SS Scan Log - 10-14-2015 - 23-46-20.log
2015-10-14 23:14 - 2015-10-14 23:14 - 00000000 ____D C:\ProgramData\SUPERAntiSpyware.com
2015-10-14 23:09 - 2015-10-14 23:09 - 23662168 _____ (SUPERAntiSpyware) C:\Users\Floretta\Desktop\SUPERAntiSpyware.exe
2015-10-14 22:03 - 2015-10-27 17:45 - 00000000 ____D C:\ProgramData\Malwarebytes Anti-Exploit
2015-10-14 22:03 - 2015-10-14 22:03 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Exploit
2015-10-14 22:03 - 2015-10-14 22:03 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Exploit
2015-10-14 22:01 - 2015-10-14 22:01 - 02865192 _____ (Malwarebytes ) C:\Users\Floretta\Desktop\mbae-setup-1.07.1.1015.exe
2015-10-14 18:24 - 2015-10-14 18:24 - 00003290 _____ C:\Users\Floretta\Desktop\HitmanPro_20151014_1824.log
2015-10-14 18:18 - 2015-10-14 18:18 - 00001916 _____ C:\Users\Public\Desktop\HitmanPro.lnk
2015-10-14 18:18 - 2015-10-14 18:18 - 00000000 ____D C:\Program Files\HitmanPro
2015-10-14 18:15 - 2015-10-14 18:25 - 00000000 ____D C:\ProgramData\HitmanPro
2015-10-14 17:43 - 2015-10-22 13:14 - 00192216 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2015-10-14 17:42 - 2015-10-21 17:51 - 00109272 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbamchameleon.sys
2015-10-14 17:42 - 2015-10-21 17:50 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2015-10-14 17:42 - 2015-10-14 17:47 - 00001125 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2015-10-14 17:42 - 2015-10-14 17:47 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2015-10-14 17:42 - 2015-10-05 09:50 - 00064216 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\mwac.sys
2015-10-14 17:42 - 2015-10-05 09:50 - 00025816 _____ (Malwarebytes) C:\WINDOWS\system32\Drivers\mbam.sys
2015-10-14 16:07 - 2015-10-14 16:08 - 11336600 _____ (SurfRight B.V.) C:\Users\Floretta\Desktop\HitmanPro_x64.exe
2015-10-14 16:06 - 2015-10-14 16:06 - 01801288 _____ (Malwarebytes) C:\Users\Floretta\Desktop\JRT.exe
2015-10-13 17:00 - 2015-09-29 08:31 - 07457624 _____ (Microsoft Corporation) C:\WINDOWS\system32\ntoskrnl.exe
2015-10-13 17:00 - 2015-09-24 12:42 - 00348672 _____ (Microsoft Corporation) C:\WINDOWS\system32\bdesvc.dll
2015-10-13 17:00 - 2015-09-24 12:40 - 00737280 _____ (Microsoft Corporation) C:\WINDOWS\system32\fveapi.dll
2015-10-13 17:00 - 2015-08-26 22:43 - 22372152 _____ (Microsoft Corporation) C:\WINDOWS\system32\shell32.dll
2015-10-13 17:00 - 2015-08-26 22:42 - 19795904 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\shell32.dll
2015-10-13 16:59 - 2015-09-10 14:02 - 25851392 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtml.dll
2015-10-13 16:59 - 2015-09-10 13:19 - 00585728 _____ (Microsoft Corporation) C:\WINDOWS\system32\vbscript.dll
2015-10-13 16:59 - 2015-09-10 13:18 - 02886656 _____ (Microsoft Corporation) C:\WINDOWS\system32\iertutil.dll
2015-10-13 16:59 - 2015-09-10 13:18 - 00088064 _____ (Microsoft Corporation) C:\WINDOWS\system32\MshtmlDac.dll
2015-10-13 16:59 - 2015-09-10 13:14 - 05990400 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript9.dll
2015-10-13 16:59 - 2015-09-10 13:09 - 20358144 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mshtml.dll
2015-10-13 16:59 - 2015-09-10 13:06 - 00616960 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieui.dll
2015-10-13 16:59 - 2015-09-10 13:04 - 00817664 _____ (Microsoft Corporation) C:\WINDOWS\system32\jscript.dll
2015-10-13 16:59 - 2015-09-10 12:51 - 00489984 _____ (Microsoft Corporation) C:\WINDOWS\system32\dxtmsft.dll
2015-10-13 16:59 - 2015-09-10 12:39 - 00504832 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\vbscript.dll
2015-10-13 16:59 - 2015-09-10 12:37 - 00092160 _____ (Microsoft Corporation) C:\WINDOWS\system32\mshtmled.dll
2015-10-13 16:59 - 2015-09-10 12:37 - 00064000 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\MshtmlDac.dll
2015-10-13 16:59 - 2015-09-10 12:35 - 00315392 _____ (Microsoft Corporation) C:\WINDOWS\system32\dxtrans.dll
2015-10-13 16:59 - 2015-09-10 12:33 - 02279936 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iertutil.dll
2015-10-13 16:59 - 2015-09-10 12:28 - 01032704 _____ (Microsoft Corporation) C:\WINDOWS\system32\inetcomm.dll
2015-10-13 16:59 - 2015-09-10 12:28 - 00480256 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieui.dll
2015-10-13 16:59 - 2015-09-10 12:27 - 00663552 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript.dll
2015-10-13 16:59 - 2015-09-10 12:24 - 14456832 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieframe.dll
2015-10-13 16:59 - 2015-09-10 12:21 - 00262144 _____ (Microsoft Corporation) C:\WINDOWS\system32\webcheck.dll
2015-10-13 16:59 - 2015-09-10 12:19 - 00801280 _____ (Microsoft Corporation) C:\WINDOWS\system32\msfeeds.dll
2015-10-13 16:59 - 2015-09-10 12:19 - 00720896 _____ (Microsoft Corporation) C:\WINDOWS\system32\ie4uinit.exe
2015-10-13 16:59 - 2015-09-10 12:19 - 00374784 _____ (Microsoft Corporation) C:\WINDOWS\system32\iedkcs32.dll
2015-10-13 16:59 - 2015-09-10 12:17 - 02126336 _____ (Microsoft Corporation) C:\WINDOWS\system32\inetcpl.cpl
2015-10-13 16:59 - 2015-09-10 12:17 - 00416256 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\dxtmsft.dll
2015-10-13 16:59 - 2015-09-10 12:07 - 00076288 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\mshtmled.dll
2015-10-13 16:59 - 2015-09-10 12:05 - 00279040 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\dxtrans.dll
2015-10-13 16:59 - 2015-09-10 12:02 - 04527616 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\jscript9.dll
2015-10-13 16:59 - 2015-09-10 12:01 - 00880128 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\inetcomm.dll
2015-10-13 16:59 - 2015-09-10 12:00 - 12853760 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieframe.dll
2015-10-13 16:59 - 2015-09-10 11:57 - 02487808 _____ (Microsoft Corporation) C:\WINDOWS\system32\wininet.dll
2015-10-13 16:59 - 2015-09-10 11:57 - 00230400 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\webcheck.dll
2015-10-13 16:59 - 2015-09-10 11:55 - 02052608 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\inetcpl.cpl
2015-10-13 16:59 - 2015-09-10 11:55 - 00689152 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\msfeeds.dll
2015-10-13 16:59 - 2015-09-10 11:55 - 00327168 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\iedkcs32.dll
2015-10-13 16:59 - 2015-09-10 11:45 - 01546752 _____ (Microsoft Corporation) C:\WINDOWS\system32\urlmon.dll
2015-10-13 16:59 - 2015-09-10 11:34 - 00800768 _____ (Microsoft Corporation) C:\WINDOWS\system32\ieapfltr.dll
2015-10-13 16:59 - 2015-09-10 11:31 - 02011136 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wininet.dll
2015-10-13 16:59 - 2015-09-10 11:27 - 01311232 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\urlmon.dll
2015-10-13 16:59 - 2015-09-10 11:26 - 00710144 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\ieapfltr.dll
2015-10-13 16:58 - 2015-09-29 08:29 - 00136904 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuauclt.exe
2015-10-13 16:58 - 2015-09-28 14:45 - 03705344 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuaueng.dll
2015-10-13 16:58 - 2015-09-28 14:26 - 00409088 _____ (Microsoft Corporation) C:\WINDOWS\system32\WUSettingsProvider.dll
2015-10-13 16:58 - 2015-09-28 14:25 - 00140288 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuwebv.dll
2015-10-13 16:58 - 2015-09-28 14:25 - 00095744 _____ (Microsoft Corporation) C:\WINDOWS\system32\wudriver.dll
2015-10-13 16:58 - 2015-09-28 14:25 - 00035840 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuapp.exe
2015-10-13 16:58 - 2015-09-28 14:22 - 00124928 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wuwebv.dll
2015-10-13 16:58 - 2015-09-28 14:22 - 00081920 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wudriver.dll
2015-10-13 16:58 - 2015-09-28 14:22 - 00029696 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wuapp.exe
2015-10-13 16:58 - 2015-09-28 14:15 - 02243072 _____ (Microsoft Corporation) C:\WINDOWS\system32\wucltux.dll
2015-10-13 16:58 - 2015-09-28 14:13 - 00891904 _____ (Microsoft Corporation) C:\WINDOWS\system32\wuapi.dll
2015-10-13 16:58 - 2015-09-28 14:12 - 00721920 _____ (Microsoft Corporation) C:\WINDOWS\SysWOW64\wuapi.dll
2015-10-13 14:24 - 2015-09-18 23:18 - 00035384 _____ (Microsoft Corporation) C:\WINDOWS\system32\CompatTelRunner.exe
2015-10-13 14:24 - 2015-09-18 09:42 - 01290752 _____ (Microsoft Corporation) C:\WINDOWS\system32\appraiser.dll
2015-10-13 14:24 - 2015-09-18 09:42 - 01163776 _____ (Microsoft Corporation) C:\WINDOWS\system32\aeinv.dll
2015-10-13 14:24 - 2015-09-18 09:42 - 00766464 _____ (Microsoft Corporation) C:\WINDOWS\system32\generaltel.dll
2015-10-13 14:24 - 2015-09-18 09:42 - 00699904 _____ (Microsoft Corporation) C:\WINDOWS\system32\invagent.dll
2015-10-13 14:24 - 2015-09-18 09:42 - 00503296 _____ (Microsoft Corporation) C:\WINDOWS\system32\devinv.dll
2015-10-13 14:24 - 2015-09-18 09:42 - 00073216 _____ (Microsoft Corporation) C:\WINDOWS\system32\acmigration.dll
2015-10-09 18:37 - 2015-10-09 18:37 - 00070205 _____ C:\Users\Floretta\Desktop\sfcdetails.txt
2015-10-09 12:13 - 2015-10-09 12:14 - 134472984 _____ (Microsoft Corporation) C:\Users\Floretta\Downloads\msert.exe
2015-10-08 19:08 - 2015-10-08 19:08 - 47346280 _____ (Microsoft Corporation) C:\Users\Floretta\Desktop\Windows-KB890830-x64-V5.28.exe
2015-10-07 01:26 - 2015-10-15 10:06 - 00000000 ____D C:\Users\Floretta\AppData\LocalLow\Adblock Plus for IE
2015-10-02 15:11 - 2015-10-02 15:11 - 00000000 ____D C:\Users\Floretta\AppData\LocalLow\Temp
2015-09-28 15:42 - 2015-10-17 20:16 - 00000000 ____D C:\AdwCleaner

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-10-27 21:33 - 2015-09-10 20:22 - 00000926 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2015-10-27 21:33 - 2015-08-15 14:29 - 00000000 ____D C:\FRST
2015-10-27 21:00 - 2013-08-22 11:36 - 00000000 ____D C:\WINDOWS\system32\sru
2015-10-27 20:56 - 2015-07-22 11:47 - 01204735 _____ C:\WINDOWS\WindowsUpdate.log
2015-10-27 18:33 - 2015-09-10 20:22 - 00000922 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2015-10-27 15:02 - 2015-07-22 11:19 - 00065536 _____ C:\WINDOWS\system32\spu_storage.bin
2015-10-27 14:22 - 2015-07-22 11:56 - 00000000 ____D C:\Users\Floretta\OneDrive
2015-10-26 19:31 - 2015-07-21 18:41 - 00003942 _____ C:\WINDOWS\System32\Tasks\User_Feed_Synchronization-{56F87C1B-D0FD-4F82-8326-2B14109CE1E9}
2015-10-25 15:44 - 2015-07-21 18:53 - 00003600 _____ C:\WINDOWS\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-2468009334-3132239489-2760357183-1001
2015-10-25 14:24 - 2013-08-22 11:36 - 00000000 ____D C:\WINDOWS\AppReadiness
2015-10-25 14:18 - 2015-07-22 11:53 - 00000000 ____D C:\Users\Floretta\AppData\Local\PackageStaging
2015-10-25 14:18 - 2015-07-21 18:39 - 00000000 ____D C:\Users\Floretta\AppData\Local\Packages
2015-10-25 10:12 - 2014-11-21 04:44 - 00956476 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2015-10-24 23:55 - 2013-08-22 10:46 - 00300686 _____ C:\WINDOWS\setupact.log
2015-10-24 23:55 - 2013-08-22 10:45 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2015-10-24 23:55 - 2013-08-22 10:44 - 00351024 _____ C:\WINDOWS\system32\FNTCACHE.DAT
2015-10-24 23:53 - 2013-08-22 09:25 - 00262144 ___SH C:\WINDOWS\system32\config\BBI
2015-10-24 23:52 - 2013-08-22 11:36 - 00000000 ___RD C:\WINDOWS\ToastData
2015-10-24 23:50 - 2012-07-26 03:59 - 00000000 ____D C:\WINDOWS\CbsTemp
2015-10-24 20:08 - 2015-09-24 21:14 - 00003468 _____ C:\Users\Floretta\Desktop\Rkill.txt
2015-10-22 20:54 - 2014-11-21 04:34 - 00008868 _____ C:\WINDOWS\PFRO.log
2015-10-21 20:47 - 2015-07-23 13:31 - 00000052 _____ C:\WINDOWS\SysWOW64\DOErrors.log
2015-10-19 15:47 - 2015-07-21 21:16 - 00000000 ____D C:\WINDOWS\system32\MRT
2015-10-19 15:43 - 2015-07-21 21:16 - 143481208 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2015-10-18 19:59 - 2013-08-22 11:36 - 00000000 ____D C:\WINDOWS\system32\NDF
2015-10-17 10:04 - 2015-07-22 11:30 - 00000000 ____D C:\Users\Floretta
2015-10-16 00:51 - 2014-11-21 12:03 - 00810488 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerApp.exe
2015-10-16 00:51 - 2014-11-21 12:03 - 00176632 _____ (Adobe Systems Incorporated) C:\WINDOWS\SysWOW64\FlashPlayerCPLApp.cpl
2015-10-14 14:15 - 2013-08-22 11:36 - 00000000 ____D C:\WINDOWS\rescache
2015-10-13 14:24 - 2015-07-22 13:52 - 00000000 ____D C:\WINDOWS\system32\appraiser
2015-10-13 14:24 - 2014-11-21 11:56 - 00000000 ___SD C:\WINDOWS\system32\CompatTel
2015-10-06 23:15 - 2013-04-03 20:17 - 00000000 ____D C:\ProgramData\Package Cache
2015-10-05 20:51 - 2015-07-22 14:52 - 00000000 ___SD C:\WINDOWS\system32\GWX
2015-10-05 16:58 - 2015-07-22 14:52 - 00000000 ___SD C:\WINDOWS\SysWOW64\GWX
2015-10-02 20:36 - 2015-07-23 16:30 - 00003184 _____ C:\WINDOWS\System32\Tasks\HPCeeScheduleForFloretta
2015-10-02 20:36 - 2015-07-23 16:30 - 00000364 _____ C:\WINDOWS\Tasks\HPCeeScheduleForFloretta.job

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2015-10-27 18:09

==================== End of FRST.txt ============================


Edited by Caramello222, 28 October 2015 - 10:42 AM.




#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,238 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:14 AM

Posted 31 October 2015 - 10:57 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.


start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

ShellIconOverlayIdentifiers: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  No File
ShellIconOverlayIdentifiers: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  No File
ShellIconOverlayIdentifiers: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  No File
BHO-x32: Advertising Cookie Opt-out -> {8E425EB4-ADBD-4816-B1E8-49BB9DECF034} -> C:\Program Files (x86)\Google\Advertising Cookie Opt-out\opt_out.dll => No File
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.28.15\npGoogleUpdate3.dll [No File]
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.28.15\npGoogleUpdate3.dll [No File]
S2 gupdate; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc [X]
S3 gupdatem; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc [X]
S1 ZAM; \??\C:\WINDOWS\System32\drivers\zam64.sys [X]
S1 ZAM_Guard; \??\C:\WINDOWS\System32\drivers\zamguard64.sys [X]

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Please let me know what problem persists.
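Added example (not FRST's own code and not from any post in this thread): a small Python triage of FRST log lines of the shapes shown above. It separates registry entries whose target file is gone ([X], [No File], => No File), which are exactly the entries the fix above removes, from driver entries with an empty publisher field and from recently created executables that carry no publisher at all, and it assembles a fixlist.txt draft in the same start/End layout with the same CreateRestorePoint:/EmptyTemp:/CloseProcesses: directives. The line patterns are inferred from this thread's log (an assumption; FRST prints other line kinds this parser ignores), the sample lines are copied from the log above, and the publisher field is only the company name FRST reports, not a signature check.

```python
import re
from typing import Dict, List, Optional

# Hypothetical parser for the FRST log line shapes seen in this thread.
# Added example, not part of FRST; line formats are assumed from the log above.

# Service / driver line, e.g.  "S1 ZAM; \??\C:\WINDOWS\System32\drivers\zam64.sys [X]"
SERVICE_RE = re.compile(r"^(?P<flag>[RSU]\d)\s+(?P<name>[^;]+);\s*(?P<rest>.*)$")
# Trailing "[size date] (publisher)" block. The publisher is the company name
# FRST prints; it is not a signature check (FRST does that separately, see
# the "Bamital & volsnap" section of the log).
PUBLISHER_RE = re.compile(
    r"\[(?P<size>\d+)\s+(?P<date>\d{4}-\d{2}-\d{2})\]\s*\((?P<publisher>[^)]*)\)\s*$")
# "One Month Created files" line, e.g.
#   "2015-10-21 17:26 - 2015-10-21 17:26 - 18838088 _____ C:\...\RogueKiller.exe"
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[_A-Z]{5}) (?:\((?P<publisher>[^)]*)\) )?(?P<path>.+)$")
MISSING_RE = re.compile(r"=>\s*No File")
EXEC_EXT = (".exe", ".dll", ".sys", ".cpl", ".scr")


def file_is_missing(line: str) -> bool:
    """True when FRST says the registry entry points at a file that is gone."""
    line = line.rstrip()
    return line.endswith("[X]") or line.endswith("[No File]") or bool(MISSING_RE.search(line))


def parse_service(line: str) -> Optional[Dict[str, object]]:
    """Parse an 'R3 name; path [size date] (publisher)' line; None if not one."""
    m = SERVICE_RE.match(line)
    if not m:
        return None
    pm = PUBLISHER_RE.search(m.group("rest"))
    return {
        "flag": m.group("flag"),            # status letter + start type, as FRST prints it
        "name": m.group("name").strip(),
        "missing": file_is_missing(line),
        "publisher": pm.group("publisher").strip() if pm else None,
    }


def parse_created_file(line: str) -> Optional[Dict[str, object]]:
    """Parse a 'created - modified - size attrs (publisher) path' line; None if not one."""
    m = FILE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["size"] = int(d["size"])
    if d["publisher"] is not None:
        d["publisher"] = d["publisher"].strip()
    return d


def triage(log_lines: List[str]) -> Dict[str, List[str]]:
    """Bucket log lines into things a helper would look at before writing a fix."""
    report = {"missing": [], "unknown_publisher": [], "executables_without_publisher": []}
    for raw in log_lines:
        line = raw.strip()
        if not line:
            continue
        svc = parse_service(line)
        if svc:
            if svc["missing"]:
                report["missing"].append(line)
            elif svc["publisher"] == "":        # "()" : no company name at all
                report["unknown_publisher"].append(line)
            continue
        f = parse_created_file(line)
        if f:
            if f["publisher"] is None and str(f["path"]).lower().endswith(EXEC_EXT):
                report["executables_without_publisher"].append(str(f["path"]))
            continue
        if file_is_missing(line):                # BHO, FF Plugin, ShellIconOverlay entries
            report["missing"].append(line)
    return report


def build_fixlist(log_lines: List[str]) -> str:
    """Draft a fixlist.txt: FRST takes its own log lines verbatim between start/End."""
    missing = triage(log_lines)["missing"]
    return "\n".join(["start", "", "CreateRestorePoint:", "EmptyTemp:", "CloseProcesses:",
                      "", *missing, "", "End"])


# Sample lines copied from the log in this thread (constructed input for the example).
SAMPLE_LOG = [
    r"R3 athr; C:\Windows\system32\DRIVERS\athwbx.sys [4265984 2014-12-22] (Qualcomm Atheros Communications, Inc.)",
    r"U3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [35064 2015-10-22] ()",
    r'S3 gupdatem; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc [X]',
    r"S1 ZAM; \??\C:\WINDOWS\System32\drivers\zam64.sys [X]",
    r"BHO-x32: Advertising Cookie Opt-out -> {8E425EB4-ADBD-4816-B1E8-49BB9DECF034} -> C:\Program Files (x86)\Google\Advertising Cookie Opt-out\opt_out.dll => No File",
    r"ShellIconOverlayIdentifiers: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  No File",
    r"2015-10-25 15:17 - 2015-10-25 15:17 - 02172800 _____ (Kaspersky Lab) C:\Users\Floretta\Desktop\kss15.0.0.740en_es_fr_pt_8648.exe",
    r"2015-10-21 17:26 - 2015-10-21 17:26 - 18838088 _____ C:\Users\Floretta\Desktop\RogueKiller.exe",
    r"2015-10-25 15:20 - 2015-10-25 15:21 - 00000000 ____D C:\ProgramData\Kaspersky Lab",
    r"2015-10-25 22:07 - 2015-10-27 21:33 - 00019977 _____ C:\Users\Floretta\Desktop\malwaretips.txt",
]

if __name__ == "__main__":
    for category, entries in triage(SAMPLE_LOG).items():
        print(f"{category}: {len(entries)}")
    print(build_fixlist(SAMPLE_LOG))
```

The output is a review list, not something to run unattended: an empty publisher field (TrueSight.sys here, which the file list above shows being created in the same minute as the RogueKiller folder) is a prompt to identify the file, not a verdict, and the draft fixlist should still be checked by a helper before FRST Fix is run.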

#3 Caramello222

Caramello222
  • Topic Starter

  • Members
  • 145 posts
  • OFFLINE
  • Gender:Female
  • Local time:06:14 AM

Posted 31 October 2015 - 12:41 PM

Thank you for your reply. Just to let you know, I have not added anything to my computer or run any more scans since my post, so everything is still the same. I just have one question about where to save what I copied and pasted in Notepad. You have instructed that I save the fixlist.txt to the location stated on the third line of the FRST log above because that is where the tool is running from. When I went to save the fixlist to C:\user\myname\desktop, the logs are saved there but I didn't see the actual tool there. The tool is sitting in path C:\FRST\ and there are 3 folders: 1) Hives, 2) Logs, 3) Quarantine. So where do I save it to, C:\user\myname\desktop where I only see the logs, or C:\FRST\ where I see the actual tool and the 3 folders? Note: When I downloaded the tool I did save it to my desktop, so I don't know why it's also sitting in C:\FRST. I also just checked IE to view the download location, but it doesn't show where. In place of location there is the statement 'This program is not commonly downloaded and could harm your computer', with a red warning shield because the publisher couldn't be verified. Just thought you should know in case any of that matters.



#4 nasdaq

nasdaq

  • Malware Response Team
  • 40,238 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:14 AM

Posted 31 October 2015 - 01:38 PM

I suspect that your virus protection has quarantined the FRST.exe file.

See if you can de-quarantine the file in your Kaspersky program.

The FRST folder is a working folder for the tool. Leave it alone.
Place the FRST.EXE or FRST64.exe on your Desktop.

p.s.
If you download the file one more time verify what Kaspersky reports.
You may be given an option to accept the file.

#5 Caramello222

Caramello222
  • Topic Starter

  • Members
  • 145 posts
  • OFFLINE
  • Gender:Female
  • Local time:06:14 AM

Posted 31 October 2015 - 02:59 PM

Sorry, I was wrong before, I wasn't paying attention. When I was saving the fixlist, I forgot that when using 'save as' the window doesn't default to the beginning of Windows File Explorer with all files shown; it always shows the last location I saved a file to and only shows the file type. I followed the path C:\user\myname\desktop using the File Explorer shortcut on my taskbar and FRST64.exe was there. Sorry for the false alarm. Anyway, I saved the fixlist, opened FRST64 and it updated, then I clicked Fix and here is the report. I haven't gotten a chance yet to look around and see if any problems still remain. I wanted to first let you know what happened and post the log to you. I'll check for remaining issues right after this. Also, I don't know if it means anything, but after the fix was done and I restarted the PC, another icon and folder was created along with the log text called 'FRST-Old Version'. Was that created because of the update and do I need it?


Fix result of Farbar Recovery Scan Tool (x64) Version:31-10-2015
Ran by Floretta (2015-10-31 15:11:52) Run:2
Running from C:\Users\Floretta\Desktop
Loaded Profiles: Floretta (Available Profiles: Floretta)
Boot Mode: Normal
==============================================

fixlist content:
*****************
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

ShellIconOverlayIdentifiers: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  No File
ShellIconOverlayIdentifiers: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  No File
ShellIconOverlayIdentifiers: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  No File
BHO-x32: Advertising Cookie Opt-out -> {8E425EB4-ADBD-4816-B1E8-49BB9DECF034} -> C:\Program Files (x86)\Google\Advertising Cookie Opt-out\opt_out.dll => No File
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.28.15\npGoogleUpdate3.dll [No File]
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.28.15\npGoogleUpdate3.dll [No File]
S2 gupdate; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc [X]
S3 gupdatem; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc [X]
S1 ZAM; \??\C:\WINDOWS\System32\drivers\zam64.sys [X]
S1 ZAM_Guard; \??\C:\WINDOWS\System32\drivers\zamguard64.sys [X]

End
*****************

Restore point was successfully created.
Processes closed successfully.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive1" => key removed successfully
HKCR\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A} => key not found.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive2" => key removed successfully
HKCR\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => key not found.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive3" => key removed successfully
HKCR\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524} => key not found.
"HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive1" => key removed successfully
HKCR\Wow6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A} => key not found.
"HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive2" => key removed successfully
HKCR\Wow6432Node\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => key not found.
"HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive3" => key removed successfully
HKCR\Wow6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524} => key not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8E425EB4-ADBD-4816-B1E8-49BB9DECF034}" => key removed successfully
"HKCR\Wow6432Node\CLSID\{8E425EB4-ADBD-4816-B1E8-49BB9DECF034}" => key removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=3" => key removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@tools.google.com/Google Update;version=9" => key removed successfully
gupdate => service removed successfully
gupdatem => service removed successfully
ZAM => service removed successfully
ZAM_Guard => service removed successfully
EmptyTemp: => 827.6 MB temporary data Removed.

The system needed a reboot.

==== End of Fixlog 15:13:54 ====



#6 Caramello222

Caramello222
  • Topic Starter

  • Members
  • 145 posts
  • OFFLINE
  • Gender:Female
  • Local time:06:14 AM

Posted 31 October 2015 - 03:56 PM

I still have tracking cookies and their ads in apps, especially banner ads in "Magic Puzzle" by adxns com. Unknown S-1-5-18.... still has full control permissions in local and roaming AppData. IE is still loading slow, some taskbar icon images are still blank but I probably have to run a program to get those back. Those COM Surrogates are still disappearing in Task Manager along with the CPU dropping suddenly. I don't know, things still look the same, maybe I did the fixlist wrong. Sorry if I screwed that up; I put it on the desktop and I can see its icon shortcut on my screen, I didn't put the list inside the actual folder for FRST.



#7 Caramello222

Caramello222
  • Topic Starter

  • Members
  • 145 posts
  • OFFLINE
  • Gender:Female
  • Local time:06:14 AM

Posted 31 October 2015 - 04:27 PM

I forgot to ask you a very important question. I have a message in Action Center that says I need to 'Verify My Identity On This Computer' and PC settings shows my account as disconnected. To verify and reconnect my account I have to click the verify link in the Action Center security message, which takes me to accounts in PC settings where a window pops up; I enter the last 4 digits of my phone number, click Next, and an automated service will call me with a code for me to enter, and then I'm reconnected and verified. I don't trust the message because no matter where I log into my Microsoft account (log in at the start of my computer, in my apps that require my Microsoft account, e-mail sign in; I also signed into my account in multiple services on Microsoft's website, especially account billing and purchases that require me to log in again to view that sensitive info), the message still remains. Plus I know that message really shouldn't be there because it's for setting up a new computer or a reset computer, and the last time I reset I did verify my ID and trusted this computer. So what's your opinion, continue to ignore it or go ahead and verify?

Should I allow Kaspersky Security Scan to find solutions to the 11 security problems it found?
1) Service Termination Timeout Is Out Of Admissible Values.
2) Autorun From Hard Drives Is Allowed.
3) Autorun From Network Drivers Is Enabled.
4) CD/DVD Autorun Is Enabled.
5) Removable Media Autorun Is Enabled.
6) Microsoft Internet Explorer: Caching Data Received VIA Protected Channel Is Enabled.
7) Microsoft Internet Explorer: Settings Error Reports Is Enabled.
8) Microsoft Internet Explorer: Some Websites Are Added To The List Of Trusted Websites.
9) Microsoft Internet Explorer: Cache Auto Cleanup Is Disabled On Browser Exit.
10) Microsoft Internet Explorer: Home Page Reset
11) Microsoft Internet Explorer: History of Typed URL's Is Not Empty

I'm asking because I noticed that a scheduled task starts every 4 idle minutes and a background process in Task Manager called .NET Runtime Optimization Service starts.


Edited by Caramello222, 31 October 2015 - 05:11 PM.
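The eleven items Kaspersky lists are all registry-backed settings, so they can be checked directly instead of trusting a scanner's summary. The following PowerShell script is an added example, not something posted in the thread; it audits the AutoRun policy bits, the IE values behind items 6, 9, 10 and 11, the Trusted sites zone map (item 8), and the service-kill timeout (item 1), and with `-Apply` writes the conservative hardened values. Assumptions: Windows 8.1 with IE 11, an elevated prompt for the HKLM writes, and the documented default of `0x91` for `NoDriveTypeAutoRun` when the value is absent.

```powershell
# Added example (not from the thread): audit the settings Kaspersky Security Scan
# listed and, with -Apply, set the conservative hardened values. Assumes Windows 8.1
# with Internet Explorer 11; run from an elevated PowerShell prompt for the HKLM writes.
[CmdletBinding()]
param([switch]$Apply)

$explorerPolicy = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$inetSettings   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$ieMain         = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$typedUrls      = 'HKCU:\Software\Microsoft\Internet Explorer\TypedURLs'

# NoDriveTypeAutoRun is a bitmask: a set bit disables AutoRun for that drive class.
$driveBits = [ordered]@{ Removable = 0x04; Fixed = 0x08; Network = 0x10; CDROM = 0x20; Unknown = 0x80 }

function Get-AutorunState {
    foreach ($hive in 'HKLM', 'HKCU') {
        $item = Get-ItemProperty -Path "${hive}:\$explorerPolicy" -ErrorAction SilentlyContinue
        # Assumption: when the value is absent Windows behaves as if it were 0x91, the documented default.
        $mask = if ($null -ne $item.NoDriveTypeAutoRun) { [int]$item.NoDriveTypeAutoRun } else { 0x91 }
        foreach ($class in $driveBits.Keys) {
            [pscustomobject]@{
                Hive              = $hive
                DriveClass        = $class
                AutorunDisabled   = (($mask -band $driveBits[$class]) -ne 0)
                AutorunInfIgnored = ([int]$item.NoAutorun -eq 1)
            }
        }
    }
}

function Get-TrustedSite {
    # Zone 2 is "Trusted sites". Domains\<domain>[\<host>] holds one value per scheme.
    Get-ChildItem -Path "$inetSettings\ZoneMap\Domains" -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key   = $_
        $parts = (($key.PSPath -replace '^.*\\Domains\\', '') -split '\\')
        [array]::Reverse($parts)
        foreach ($scheme in $key.GetValueNames()) {
            if ($key.GetValue($scheme) -eq 2) { '{0}://{1}' -f $scheme, ($parts -join '.') }
        }
    }
}

function Get-IeState {
    $inet  = Get-ItemProperty -Path $inetSettings         -ErrorAction SilentlyContinue
    $cache = Get-ItemProperty -Path "$inetSettings\Cache" -ErrorAction SilentlyContinue
    $main  = Get-ItemProperty -Path $ieMain               -ErrorAction SilentlyContinue
    $typed = Get-ItemProperty -Path $typedUrls            -ErrorAction SilentlyContinue
    $ctl   = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        SslPagesCached       = ([int]$inet.DisableCachingOfSSLPages -ne 1)
        CacheKeptOnExit      = ($null -eq $cache.Persistent -or [int]$cache.Persistent -ne 0)
        StartPage            = $main.'Start Page'
        TypedUrlCount        = if ($typed) { @($typed.PSObject.Properties | Where-Object Name -like 'url*').Count } else { 0 }
        TrustedSites         = @(Get-TrustedSite)
        ServiceKillTimeoutMs = $ctl.WaitToKillServiceTimeout
    }
}

function Set-Hardening {
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\$explorerPolicy"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord   # every drive class
        Set-ItemProperty -Path $key -Name NoAutorun          -Value 1    -Type DWord   # ignore autorun.inf entirely
    }
    Set-ItemProperty -Path $inetSettings         -Name DisableCachingOfSSLPages -Value 1 -Type DWord
    Set-ItemProperty -Path "$inetSettings\Cache" -Name Persistent               -Value 0 -Type DWord
    Remove-Item -Path $typedUrls -ErrorAction SilentlyContinue   # clears the typed-URL history only
    # Trusted sites and the start page are deliberately left for manual review: adware puts
    # entries there, but so do legitimate intranet and banking setups.
}

Get-AutorunState | Format-Table -AutoSize
Get-IeState      | Format-List
if ($Apply) { Set-Hardening; Write-Host 'Hardening applied; re-run without -Apply to confirm.' }
```

Of the eleven findings, only the Trusted sites list (item 8) and the home page (item 10) are worth reading as possible adware indicators, which is why the script prints them and does not touch them; the rest are hygiene settings that a scanner flags on a clean machine too. The AutoRun hardening is the one change with real security value, since it stops autorun.inf on removable and network media from launching anything.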


#8 nasdaq

nasdaq

  • Malware Response Team
  • 40,238 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:14 AM

Posted 01 November 2015 - 08:46 AM

Also I don't know if it means anything but after the fix was done and I restarted the pc, another icon and folder was created along with the log text called 'FRST-Old Version'. Was that created because of the update and do I need it?

No the Icon is just a link to the previous program.
You can delete it when all is well.

===

On the issue of Magic Puzzle, lets look also in the Registry.

Please run the Farbar Recovery Scan Tool. Enter Magic Puzzle in the Search Box.
Click the Search Registry button, post the content of the Search.txt file in your next reply.
===


I have a message in Action Center that says I need to 'Verify My Identity On This Computer' and PC settings shows my account as disconnected.


Check this article. See if you can proceed with the instructions.

Windows 8.1 You need to verify your identity on this pc error
http://www.surfacetablethelp.com/2013/10/windows-8-1-you-need-to-verify-your-identity-on-this-pc-error.html

I do not have a Windows 8.1 machine to verify this on, so if you need additional help on this issue I suggest you start a new topic in the Windows 8.1 Forum.
An expert will be able to help you better than I can. It's not my forte.
http://www.bleepingcomputer.com/forums/f/209/windows-8-and-windows-81/

===

I'm asking because I noticed that when scheduled tasks starts every idle 4 mintues and background process in task manager called .NET Runtime Optimization Server starts.


This looks normal but you can check with the Windows 8 Forum.

I submit this topic for your information.

What is mscorsvw.exe and why is it eating up my CPU? What is this new CLR Optimization Service?
http://blogs.msdn.com/b/davidnotario/archive/2005/04/27/412838.aspx

You may wish to use the command suggested in the comments on the article.
If you really want to get rid of mscorsvw.exe from your Task Manager, just do:

ngen.exe executequeueditems

Check with the experts first.
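Before draining the queue it is worth confirming that the mscorsvw.exe instances in Task Manager really are the .NET Runtime Optimization Service, since a process name alone proves nothing on a machine suspected of infection. The following PowerShell script is an added example, not the article's or the thread's own instructions: it lists each mscorsvw.exe process with its path and Authenticode status, then runs `ngen.exe executeQueuedItems` for every installed CLR so the service has nothing left to do. Assumptions: Windows 8.1 with the .NET 2.0 and 4.x framework directories under `%windir%\Microsoft.NET`, and an elevated prompt.

```powershell
# Added example (not from the thread): check that the mscorsvw.exe instances Task Manager
# shows are the genuine .NET Runtime Optimization Service binaries, then drain the compile
# queue so the service goes idle. Run from an elevated PowerShell prompt on Windows 8.1.
$frameworkRoots = @("$env:windir\Microsoft.NET\Framework", "$env:windir\Microsoft.NET\Framework64")

function Test-MscorsvwProcess {
    # A genuine instance lives under one of the framework directories and is Microsoft-signed;
    # anything else using this name is worth a closer look.
    Get-Process -Name mscorsvw -ErrorAction SilentlyContinue | ForEach-Object {
        $path = $_.Path
        $sig  = if ($path) { Get-AuthenticodeSignature -FilePath $path } else { $null }
        [pscustomobject]@{
            Pid            = $_.Id
            Path           = $path
            InFrameworkDir = [bool]($frameworkRoots | Where-Object { $path -and $path.StartsWith($_, 'OrdinalIgnoreCase') })
            SignatureValid = [bool]($sig -and $sig.Status -eq 'Valid' -and $sig.SignerCertificate.Subject -like '*Microsoft*')
        }
    }
}

function Invoke-NgenQueue {
    foreach ($root in $frameworkRoots) {
        # Each CLR version (v2.0.50727, v4.0.30319) has its own ngen.exe and its own queue.
        Get-ChildItem -Path $root -Directory -Filter 'v*' -ErrorAction SilentlyContinue |
            ForEach-Object { Join-Path $_.FullName 'ngen.exe' } |
            Where-Object { Test-Path $_ } |
            ForEach-Object {
                Write-Host "Running: $_ executeQueuedItems"
                & $_ executeQueuedItems | Out-Null
            }
    }
    # Once the queue is empty the service has nothing to do and stops on its own.
    Get-Service -Name 'clr_optimization_*' -ErrorAction SilentlyContinue | Select-Object Name, Status
}

Test-MscorsvwProcess | Format-Table -AutoSize
Invoke-NgenQueue
```

Expect `executeQueuedItems` to peg the CPU for several minutes while it compiles everything that was waiting; that is the same work the service would otherwise spread across idle periods, which is what the four-minute scheduled task in the question is doing. A mscorsvw.exe whose path is outside the framework directories or whose signature is not valid is the case that would actually matter for this thread.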

#9 Caramello222 (Topic Starter, Members, 145 posts)

Posted 01 November 2015 - 01:12 PM

Here is the Search Registry scan for Magic Puzzle. That is not the only app I'm having a problem with cookies being dropped in, I just used Magic Puzzle as an example because it is the one that I really can't use. Its setup is different from the other games and apps I have from the Windows Store that are free. While putting a puzzle together, on the left-hand side of the screen that space is designated for banner ads as part of the app being free, with an option to pay for their removal. Whatever malware this is has taken over that ad space with ads that are from a variety of unfriendly sources that install more and more crap on my computer, and I feel that is why my computer is getting slower, losing memory space, and having intervals of high CPU, memory, and disk usage. I also know that every day Microsoft sends automatic updates, but it looks like update overkill because the Windows Modules Installer and its companion are always popping up in Task Manager installing multiple times a day, and a lot of times I can hear it really working my computer, or lagging will start, and sure enough when I open up Task Manager there is Windows Modules Installer and friend at work. Not only is my computer's performance suffering from this malware but it is also affecting my wireless keyboard and mouse. I always keep fresh batteries for them, but that doesn't matter: the light to indicate low battery doesn't come on (because the batteries are new), but yet there are times during use that clicks are not registering with the cursor action on the screen, or there are times when typing on the keyboard is really lagging or freezes for a couple of words and then suddenly the words will appear. The typing issue is weird because it only happens on the internet, sometimes this site but mainly on Microsoft's website, especially in the Community forum.
There have been times when it was taking way too long for me to type a simple question that I just gave up and closed the tab. I have this page favorited for easy access back to check for replies, and every time it seems like it is taking longer for the site to be accessed and loaded, and I have the same problem with the Microsoft Community website loading, but for some reason my Outlook and Microsoft account pages have no problem loading, clicking, typing, searching; the Windows Store and the Xbox store all function perfectly. I just think it is really funky how on and off the performance and function of my computer and devices are, especially when and where the off behavior takes place. Also, thanks for the information on my other concerns, I will use it, but I mainly stated that stuff in case you have heard of it being relevant to a specific name or type of malware. But perhaps I'll be more helpful with silence and allow your mind to work without interruption and just answer and provide info when needed. Sorry, I am working on my rambling, which I know a lot of times leads to straying from the topic at hand. I can do better, promise.

   

Farbar Recovery Scan Tool (x64) Version:31-10-2015
Ran by Floretta (2015-11-01 12:19:38)
Running from C:\Users\Floretta\Desktop
Boot Mode: Normal

================== Search Registry: "XIMADINC.MAGICPUZZLES_NP8FJ6AKX2CZY" ===========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\UninstalledStoreApps\S-1-5-21-2468009334-3132239489-2760357183-1001\XIMADINC.MagicPuzzles_np8fj6akx2czy]
[HKEY_USERS\S-1-5-21-2468009334-3132239489-2760357183-1001\Software\Microsoft\Windows\CurrentVersion\AppSync\Sync\XIMADINC.MagicPuzzles_np8fj6akx2czy]
[HKEY_USERS\S-1-5-21-2468009334-3132239489-2760357183-1001\Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Notifications\BackgroundCapability\S-1-15-2-166147703-3434557569-430813684-24347586-762040324-4165616823-3486463592\App.AppX90drdnt4j9y1pvgs3a4nzeafdb60tmsb.mca]
"AppUserModelId"="XIMADINC.MagicPuzzles_np8fj6akx2czy!App"
[HKEY_USERS\S-1-5-21-2468009334-3132239489-2760357183-1001\Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Notifications\BackgroundCapability\S-1-15-2-166147703-3434557569-430813684-24347586-762040324-4165616823-3486463592\App.AppXyh565pdy2e0byqtgz4fvjt21n22kn66j.mca]
"AppUserModelId"="XIMADINC.MagicPuzzles_np8fj6akx2czy!App"
[HKEY_USERS\S-1-5-21-2468009334-3132239489-2760357183-1001\Software\Microsoft\Windows\CurrentVersion\Lock Screen]
"Details_B"="APPID:XIMADINC.MagicPuzzles_np8fj6akx2czy!App"
[HKEY_USERS\S-1-5-21-2468009334-3132239489-2760357183-1001\Software\Microsoft\Windows\CurrentVersion\Lock Screen]
"Details_C"="APPID:XIMADINC.MagicPuzzles_np8fj6akx2czy!App"
[HKEY_USERS\S-1-5-21-2468009334-3132239489-2760357183-1001\Software\Microsoft\Windows\CurrentVersion\SettingSync\Namespace\PackageState\XIMADINC.MagicPuzzles_np8fj6akx2czy-0]
[HKEY_USERS\S-1-5-21-2468009334-3132239489-2760357183-1001\Software\Microsoft\Windows\CurrentVersion\SettingSync\Namespace\WindowsPackageSettings\Notifications-XIMADINC.MagicPuzzles_np8fj6akx2czy]
[HKEY_USERS\S-1-5-21-2468009334-3132239489-2760357183-1001\Software\Microsoft\Windows\CurrentVersion\SettingSync\Namespace\WindowsPackageSettings\XIMADINC.MagicPuzzles_np8fj6akx2czy]
[HKEY_USERS\S-1-5-21-2468009334-3132239489-2760357183-1001\Software\Microsoft\Windows\CurrentVersion\SettingSync\SyncData\CollectionStaging\packagestate-ximadinc.magicpuzzles_np8fj6akx2czy-0]
[HKEY_USERS\S-1-5-21-2468009334-3132239489-2760357183-1001\Software\Microsoft\Windows\CurrentVersion\SettingSync\SyncData\Namespace\packagestate\ximadinc.magicpuzzles_np8fj6akx2czy-0]
[HKEY_USERS\S-1-5-21-2468009334-3132239489-2760357183-1001\Software\Microsoft\Windows\CurrentVersion\SettingSync\SyncData\Namespace\windowspackagesettings\notifications-ximadinc.magicpuzzles_np8fj6akx2czy]
[HKEY_USERS\S-1-5-21-2468009334-3132239489-2760357183-1001\Software\Microsoft\Windows\CurrentVersion\SettingSync\SyncData\Namespace\windowspackagesettings\ximadinc.magicpuzzles_np8fj6akx2czy]
[HKEY_USERS\S-1-5-21-2468009334-3132239489-2760357183-1001\Software\Microsoft\Windows\CurrentVersion\SettingSync\SyncData\RemoteCollectionInfo\packagestate-ximadinc.magicpuzzles_np8fj6akx2czy-0]
[HKEY_USERS\S-1-5-21-2468009334-3132239489-2760357183-1001\Software\Microsoft\Windows\CurrentVersion\SettingSync\SyncData\RemoteNamespace\packagestate\ximadinc.magicpuzzles_np8fj6akx2czy-0]
[HKEY_USERS\S-1-5-21-2468009334-3132239489-2760357183-1001\Software\Microsoft\Windows\CurrentVersion\SettingSync\SyncData\RemoteNamespace\windowspackagesettings\notifications-ximadinc.magicpuzzles_np8fj6akx2czy]
[HKEY_USERS\S-1-5-21-2468009334-3132239489-2760357183-1001\Software\Microsoft\Windows\CurrentVersion\SettingSync\SyncData\RemoteNamespace\windowspackagesettings\ximadinc.magicpuzzles_np8fj6akx2czy]
[HKEY_USERS\S-1-5-21-2468009334-3132239489-2760357183-1001\Software\Classes\ActivatableClasses\Package\XIMADINC.MagicPuzzles_2.0.1.3_x64__np8fj6akx2czy\Server\App.AppX9jhj80mnh3hxzwbh4qn4vjzejraet18s.mca]
"AppUserModelId"="XIMADINC.MagicPuzzles_np8fj6akx2czy!App"
[HKEY_USERS\S-1-5-21-2468009334-3132239489-2760357183-1001\Software\Classes\ActivatableClasses\Package\XIMADINC.MagicPuzzles_2.0.1.3_x64__np8fj6akx2czy\Server\App.AppXkmy3yqvsf2skt667a8jgrspqc109gedr.mca]
"AppUserModelId"="XIMADINC.MagicPuzzles_np8fj6akx2czy!App"
[HKEY_USERS\S-1-5-21-2468009334-3132239489-2760357183-1001\Software\Classes\ActivatableClasses\Package\XIMADINC.MagicPuzzles_2.0.1.3_x64__np8fj6akx2czy\Server\BackgroundTaskHost.1]
"AppUserModelId"="XIMADINC.MagicPuzzles_np8fj6akx2czy!App"
[HKEY_USERS\S-1-5-21-2468009334-3132239489-2760357183-1001\Software\Classes\ActivatableClasses\Package\XIMADINC.MagicPuzzles_2.0.1.3_x64__np8fj6akx2czy\Server\BackgroundTransferHost.1]
"AppUserModelId"="XIMADINC.MagicPuzzles_np8fj6akx2czy!App"
[HKEY_USERS\S-1-5-21-2468009334-3132239489-2760357183-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-166147703-3434557569-430813684-24347586-762040324-4165616823-3486463592]
"Moniker"="ximadinc.magicpuzzles_np8fj6akx2czy"
[HKEY_USERS\S-1-5-21-2468009334-3132239489-2760357183-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\ximadinc.magicpuzzles_np8fj6akx2czy]
[HKEY_USERS\S-1-5-21-2468009334-3132239489-2760357183-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\ximadinc.magicpuzzles_np8fj6akx2czy\Internet Settings\Cache\Extensible Cache\BackgroundTransferApi]
"CachePath"="%USERPROFILE%\AppData\Local\Packages\ximadinc.magicpuzzles_np8fj6akx2czy\AC\INetHistory\BackgroundTransferApi"
[HKEY_USERS\S-1-5-21-2468009334-3132239489-2760357183-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\ximadinc.magicpuzzles_np8fj6akx2czy\Internet Settings\Cache\Extensible Cache\BackgroundTransferApiGroup]
"CachePath"="%USERPROFILE%\AppData\Local\Packages\ximadinc.magicpuzzles_np8fj6akx2czy\AC\INetHistory\BackgroundTransferApiGroup"
[HKEY_USERS\S-1-5-21-2468009334-3132239489-2760357183-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Repository\Families\XIMADINC.MagicPuzzles_np8fj6akx2czy]
[HKEY_USERS\S-1-5-21-2468009334-3132239489-2760357183-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\XIMADINC.MagicPuzzles_np8fj6akx2czy]
[HKEY_USERS\S-1-5-21-2468009334-3132239489-2760357183-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\XIMADINC.MagicPuzzles_np8fj6akx2czy\PackageStateRoamingCollectionId]
"CollectionId"="XIMADINC.MagicPuzzles_np8fj6akx2czy-0"
[HKEY_USERS\S-1-5-21-2468009334-3132239489-2760357183-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\XIMADINC.MagicPuzzles_np8fj6akx2czy\SplashScreen\XIMADINC.MagicPuzzles_np8fj6akx2czy!App]
[HKEY_USERS\S-1-5-21-2468009334-3132239489-2760357183-1001_Classes\ActivatableClasses\Package\XIMADINC.MagicPuzzles_2.0.1.3_x64__np8fj6akx2czy\Server\App.AppX9jhj80mnh3hxzwbh4qn4vjzejraet18s.mca]
"AppUserModelId"="XIMADINC.MagicPuzzles_np8fj6akx2czy!App"
[HKEY_USERS\S-1-5-21-2468009334-3132239489-2760357183-1001_Classes\ActivatableClasses\Package\XIMADINC.MagicPuzzles_2.0.1.3_x64__np8fj6akx2czy\Server\App.AppXkmy3yqvsf2skt667a8jgrspqc109gedr.mca]
"AppUserModelId"="XIMADINC.MagicPuzzles_np8fj6akx2czy!App"
[HKEY_USERS\S-1-5-21-2468009334-3132239489-2760357183-1001_Classes\ActivatableClasses\Package\XIMADINC.MagicPuzzles_2.0.1.3_x64__np8fj6akx2czy\Server\BackgroundTaskHost.1]
"AppUserModelId"="XIMADINC.MagicPuzzles_np8fj6akx2czy!App"
[HKEY_USERS\S-1-5-21-2468009334-3132239489-2760357183-1001_Classes\ActivatableClasses\Package\XIMADINC.MagicPuzzles_2.0.1.3_x64__np8fj6akx2czy\Server\BackgroundTransferHost.1]
"AppUserModelId"="XIMADINC.MagicPuzzles_np8fj6akx2czy!App"
[HKEY_USERS\S-1-5-21-2468009334-3132239489-2760357183-1001_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-166147703-3434557569-430813684-24347586-762040324-4165616823-3486463592]
"Moniker"="ximadinc.magicpuzzles_np8fj6akx2czy"
[HKEY_USERS\S-1-5-21-2468009334-3132239489-2760357183-1001_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\ximadinc.magicpuzzles_np8fj6akx2czy]
[HKEY_USERS\S-1-5-21-2468009334-3132239489-2760357183-1001_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\ximadinc.magicpuzzles_np8fj6akx2czy\Internet Settings\Cache\Extensible Cache\BackgroundTransferApi]
"CachePath"="%USERPROFILE%\AppData\Local\Packages\ximadinc.magicpuzzles_np8fj6akx2czy\AC\INetHistory\BackgroundTransferApi"
[HKEY_USERS\S-1-5-21-2468009334-3132239489-2760357183-1001_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\ximadinc.magicpuzzles_np8fj6akx2czy\Internet Settings\Cache\Extensible Cache\BackgroundTransferApiGroup]
"CachePath"="%USERPROFILE%\AppData\Local\Packages\ximadinc.magicpuzzles_np8fj6akx2czy\AC\INetHistory\BackgroundTransferApiGroup"
[HKEY_USERS\S-1-5-21-2468009334-3132239489-2760357183-1001_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Repository\Families\XIMADINC.MagicPuzzles_np8fj6akx2czy]
[HKEY_USERS\S-1-5-21-2468009334-3132239489-2760357183-1001_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\XIMADINC.MagicPuzzles_np8fj6akx2czy]
[HKEY_USERS\S-1-5-21-2468009334-3132239489-2760357183-1001_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\XIMADINC.MagicPuzzles_np8fj6akx2czy\PackageStateRoamingCollectionId]
"CollectionId"="XIMADINC.MagicPuzzles_np8fj6akx2czy-0"
[HKEY_USERS\S-1-5-21-2468009334-3132239489-2760357183-1001_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\XIMADINC.MagicPuzzles_np8fj6akx2czy\SplashScreen\XIMADINC.MagicPuzzles_np8fj6akx2czy!App]

====== End of Search ======



#10 Caramello222 (Topic Starter, Members, 145 posts)

Posted 01 November 2015 - 01:23 PM

I also did the same scan on another app that Super Anti-spyware keeps finding a lot of tracking cookies in, it's Microsoft Mahjong.

Farbar Recovery Scan Tool (x64) Version:31-10-2015
Ran by Floretta (2015-11-01 13:17:20)
Running from C:\Users\Floretta\Desktop
Boot Mode: Normal

================== Search Registry: "MICROSOFT.MICROSOFTMAHJONG_8WEKYB3D8BBWE" ===========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SVDEn\SquareTiles\SquareTile7]
"AppId"="Microsoft.MicrosoftMahjong_8wekyb3d8bbwe!MicrosoftMahjong"
[HKEY_LOCAL_MACHINE\SYSTEM\Setup\Upgrade\Appx\Applications\Microsoft.MicrosoftMahjong_8wekyb3d8bbwe]
[HKEY_LOCAL_MACHINE\SYSTEM\Setup\Upgrade\Appx\AppxAllUserStore\DownlevelInstalled\S-1-5-21-2468009334-3132239489-2760357183-1001\Microsoft.MicrosoftMahjong_8wekyb3d8bbwe]
[HKEY_LOCAL_MACHINE\SYSTEM\Setup\Upgrade\Appx\AppxAllUserStore\Staged\Microsoft.MicrosoftMahjong_8wekyb3d8bbwe]
[HKEY_USERS\S-1-5-21-2468009334-3132239489-2760357183-1001\Software\Microsoft\Windows\CurrentVersion\ApplicationView\Microsoft.MicrosoftMahjong_8wekyb3d8bbwe!MicrosoftMahjong]
[HKEY_USERS\S-1-5-21-2468009334-3132239489-2760357183-1001\Software\Microsoft\Windows\CurrentVersion\AppSync\Sync\Microsoft.MicrosoftMahjong_8wekyb3d8bbwe]
[HKEY_USERS\S-1-5-21-2468009334-3132239489-2760357183-1001\Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Notifications\BackgroundCapability\S-1-15-2-2481395877-3904904754-2872837976-1880937080-3242436791-3293372984-3327460953\MicrosoftMahjong.AppXdawdbcp9x2jysj8sbq3nt85g4m0reyrc.mca]
"AppUserModelId"="Microsoft.MicrosoftMahjong_8wekyb3d8bbwe!MicrosoftMahjong"
[HKEY_USERS\S-1-5-21-2468009334-3132239489-2760357183-1001\Software\Microsoft\Windows\CurrentVersion\SettingSync\Namespace\WindowsPackageSettings\Microsoft.MicrosoftMahjong_8wekyb3d8bbwe]
[HKEY_USERS\S-1-5-21-2468009334-3132239489-2760357183-1001\Software\Microsoft\Windows\CurrentVersion\SettingSync\Namespace\WindowsPackageSettings\Notifications-Microsoft.MicrosoftMahjong_8wekyb3d8bbwe]
[HKEY_USERS\S-1-5-21-2468009334-3132239489-2760357183-1001\Software\Microsoft\Windows\CurrentVersion\SettingSync\SyncData\Namespace\packagestate\microsoft.microsoftmahjong_8wekyb3d8bbwe-0]
[HKEY_USERS\S-1-5-21-2468009334-3132239489-2760357183-1001\Software\Microsoft\Windows\CurrentVersion\SettingSync\SyncData\Namespace\windowspackagesettings\microsoft.microsoftmahjong_8wekyb3d8bbwe]
[HKEY_USERS\S-1-5-21-2468009334-3132239489-2760357183-1001\Software\Microsoft\Windows\CurrentVersion\SettingSync\SyncData\Namespace\windowspackagesettings\notifications-microsoft.microsoftmahjong_8wekyb3d8bbwe]
[HKEY_USERS\S-1-5-21-2468009334-3132239489-2760357183-1001\Software\Microsoft\Windows\CurrentVersion\SettingSync\SyncData\RemoteCollectionInfo\packagestate-microsoft.microsoftmahjong_8wekyb3d8bbwe-0]
[HKEY_USERS\S-1-5-21-2468009334-3132239489-2760357183-1001\Software\Microsoft\Windows\CurrentVersion\SettingSync\SyncData\RemoteNamespace\packagestate\microsoft.microsoftmahjong_8wekyb3d8bbwe-0]
[HKEY_USERS\S-1-5-21-2468009334-3132239489-2760357183-1001\Software\Microsoft\Windows\CurrentVersion\SettingSync\SyncData\RemoteNamespace\windowspackagesettings\microsoft.microsoftmahjong_8wekyb3d8bbwe]
[HKEY_USERS\S-1-5-21-2468009334-3132239489-2760357183-1001\Software\Microsoft\Windows\CurrentVersion\SettingSync\SyncData\RemoteNamespace\windowspackagesettings\notifications-microsoft.microsoftmahjong_8wekyb3d8bbwe]
[HKEY_USERS\S-1-5-21-2468009334-3132239489-2760357183-1001\Software\Classes\ActivatableClasses\Package\Microsoft.MicrosoftMahjong_2.5.1508.1801_x86__8wekyb3d8bbwe\Server\BackgroundTaskHost.1]
"AppUserModelId"="Microsoft.MicrosoftMahjong_8wekyb3d8bbwe!MicrosoftMahjong"
[HKEY_USERS\S-1-5-21-2468009334-3132239489-2760357183-1001\Software\Classes\ActivatableClasses\Package\Microsoft.MicrosoftMahjong_2.5.1508.1801_x86__8wekyb3d8bbwe\Server\BackgroundTransferHost.1]
"AppUserModelId"="Microsoft.MicrosoftMahjong_8wekyb3d8bbwe!MicrosoftMahjong"
[HKEY_USERS\S-1-5-21-2468009334-3132239489-2760357183-1001\Software\Classes\ActivatableClasses\Package\Microsoft.MicrosoftMahjong_2.5.1508.1801_x86__8wekyb3d8bbwe\Server\MicrosoftMahjong.AppXa4y7rssjhymk50sxq86ggtj617487xgv.mca]
"AppUserModelId"="Microsoft.MicrosoftMahjong_8wekyb3d8bbwe!MicrosoftMahjong"
[HKEY_USERS\S-1-5-21-2468009334-3132239489-2760357183-1001\Software\Classes\ActivatableClasses\Package\Microsoft.MicrosoftMahjong_2.5.1508.1801_x86__8wekyb3d8bbwe\Server\MicrosoftMahjong.AppXjhcy0kcdbf976z3xkpqyaq3jpqksz0xh.mca]
"AppUserModelId"="Microsoft.MicrosoftMahjong_8wekyb3d8bbwe!MicrosoftMahjong"
[HKEY_USERS\S-1-5-21-2468009334-3132239489-2760357183-1001\Software\Classes\AppXw4rfqps8zpryft47pgt2rh27hkb0zntv\Application]
"AppUserModelID"="Microsoft.MicrosoftMahjong_8wekyb3d8bbwe!MicrosoftMahjong"
[HKEY_USERS\S-1-5-21-2468009334-3132239489-2760357183-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-2481395877-3904904754-2872837976-1880937080-3242436791-3293372984-3327460953]
"Moniker"="microsoft.microsoftmahjong_8wekyb3d8bbwe"
[HKEY_USERS\S-1-5-21-2468009334-3132239489-2760357183-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftmahjong_8wekyb3d8bbwe]
[HKEY_USERS\S-1-5-21-2468009334-3132239489-2760357183-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftmahjong_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache\DOMStore]
"CachePath"="%USERPROFILE%\AppData\Local\Packages\microsoft.microsoftmahjong_8wekyb3d8bbwe\AC\Microsoft\Internet Explorer\DOMStore"
[HKEY_USERS\S-1-5-21-2468009334-3132239489-2760357183-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Repository\Families\Microsoft.MicrosoftMahjong_8wekyb3d8bbwe]
[HKEY_USERS\S-1-5-21-2468009334-3132239489-2760357183-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftMahjong_8wekyb3d8bbwe]
[HKEY_USERS\S-1-5-21-2468009334-3132239489-2760357183-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftMahjong_8wekyb3d8bbwe\PackageStateRoamingCollectionId]
"CollectionId"="Microsoft.MicrosoftMahjong_8wekyb3d8bbwe-0"
[HKEY_USERS\S-1-5-21-2468009334-3132239489-2760357183-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftMahjong_8wekyb3d8bbwe\SplashScreen\Microsoft.MicrosoftMahjong_8wekyb3d8bbwe!MicrosoftMahjong]
[HKEY_USERS\S-1-5-21-2468009334-3132239489-2760357183-1001_Classes\ActivatableClasses\Package\Microsoft.MicrosoftMahjong_2.5.1508.1801_x86__8wekyb3d8bbwe\Server\BackgroundTaskHost.1]
"AppUserModelId"="Microsoft.MicrosoftMahjong_8wekyb3d8bbwe!MicrosoftMahjong"
[HKEY_USERS\S-1-5-21-2468009334-3132239489-2760357183-1001_Classes\ActivatableClasses\Package\Microsoft.MicrosoftMahjong_2.5.1508.1801_x86__8wekyb3d8bbwe\Server\BackgroundTransferHost.1]
"AppUserModelId"="Microsoft.MicrosoftMahjong_8wekyb3d8bbwe!MicrosoftMahjong"
[HKEY_USERS\S-1-5-21-2468009334-3132239489-2760357183-1001_Classes\ActivatableClasses\Package\Microsoft.MicrosoftMahjong_2.5.1508.1801_x86__8wekyb3d8bbwe\Server\MicrosoftMahjong.AppXa4y7rssjhymk50sxq86ggtj617487xgv.mca]
"AppUserModelId"="Microsoft.MicrosoftMahjong_8wekyb3d8bbwe!MicrosoftMahjong"
[HKEY_USERS\S-1-5-21-2468009334-3132239489-2760357183-1001_Classes\ActivatableClasses\Package\Microsoft.MicrosoftMahjong_2.5.1508.1801_x86__8wekyb3d8bbwe\Server\MicrosoftMahjong.AppXjhcy0kcdbf976z3xkpqyaq3jpqksz0xh.mca]
"AppUserModelId"="Microsoft.MicrosoftMahjong_8wekyb3d8bbwe!MicrosoftMahjong"
[HKEY_USERS\S-1-5-21-2468009334-3132239489-2760357183-1001_Classes\AppXw4rfqps8zpryft47pgt2rh27hkb0zntv\Application]
"AppUserModelID"="Microsoft.MicrosoftMahjong_8wekyb3d8bbwe!MicrosoftMahjong"
[HKEY_USERS\S-1-5-21-2468009334-3132239489-2760357183-1001_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-2481395877-3904904754-2872837976-1880937080-3242436791-3293372984-3327460953]
"Moniker"="microsoft.microsoftmahjong_8wekyb3d8bbwe"
[HKEY_USERS\S-1-5-21-2468009334-3132239489-2760357183-1001_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftmahjong_8wekyb3d8bbwe]
[HKEY_USERS\S-1-5-21-2468009334-3132239489-2760357183-1001_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftmahjong_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache\DOMStore]
"CachePath"="%USERPROFILE%\AppData\Local\Packages\microsoft.microsoftmahjong_8wekyb3d8bbwe\AC\Microsoft\Internet Explorer\DOMStore"
[HKEY_USERS\S-1-5-21-2468009334-3132239489-2760357183-1001_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Repository\Families\Microsoft.MicrosoftMahjong_8wekyb3d8bbwe]
[HKEY_USERS\S-1-5-21-2468009334-3132239489-2760357183-1001_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftMahjong_8wekyb3d8bbwe]
[HKEY_USERS\S-1-5-21-2468009334-3132239489-2760357183-1001_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftMahjong_8wekyb3d8bbwe\PackageStateRoamingCollectionId]
"CollectionId"="Microsoft.MicrosoftMahjong_8wekyb3d8bbwe-0"
[HKEY_USERS\S-1-5-21-2468009334-3132239489-2760357183-1001_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftMahjong_8wekyb3d8bbwe\SplashScreen\Microsoft.MicrosoftMahjong_8wekyb3d8bbwe!MicrosoftMahjong]

====== End of Search ======
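The two FRST searches above show the same structure for both apps: an AppContainer SID (`S-1-15-2-...`) under `AppContainer\Mappings` whose `Moniker` value is the package family name, and `CachePath` values pointing under `%LOCALAPPDATA%\Packages\<family>\AC\`. That `AC` folder is where a Store app's embedded web content, including its ad SDK, keeps its own IE cookies and cache, separate from the desktop IE profile. The following PowerShell script is an added example, not part of either post: it walks the mappings, resolves each SID to its package storage, and summarises which hosts have set cookies inside each app. Assumptions: it runs as the user whose profile is being examined (no elevation), and WinINet cookie files are parsed as nine-line records (name, value, host/path, flags, four timestamp words, `*`), which is this example's reading of the format rather than something the thread states.

```powershell
# Added example (not from the thread): map each AppContainer SID in the registry to its
# package moniker and on-disk storage, then summarise which cookie hosts each Store app
# has accumulated. Run as the user whose profile is being examined (no elevation needed).
$mappings = 'HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings'
$packages = Join-Path $env:LOCALAPPDATA 'Packages'

function Get-AppContainerPackage {
    Get-ChildItem -Path $mappings -ErrorAction SilentlyContinue | ForEach-Object {
        $moniker = $_.GetValue('Moniker')
        if ($moniker) {
            [pscustomobject]@{
                Sid        = $_.PSChildName                      # S-1-15-2-... is a package SID, not a user account
                Moniker    = $moniker                            # package family name, e.g. ximadinc.magicpuzzles_np8fj6akx2czy
                Storage    = Join-Path $packages $moniker        # ...\Packages\<family>\AC\ holds the app's IE cache and cookies
                HasCookies = Test-Path (Join-Path $packages "$moniker\AC\INetCookies")
            }
        }
    }
}

function Get-AppCookieHost {
    param([string]$Moniker)
    $dir = Join-Path $packages "$Moniker\AC\INetCookies"
    if (-not (Test-Path $dir)) { return }
    # Assumption: WinINet cookie files are 9-line records (name, value, host/path, flags, four
    # timestamp words, '*'); any file that does not split that way is skipped rather than guessed at.
    Get-ChildItem -Path $dir -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
        $lines = @(Get-Content -Path $_.FullName -ErrorAction SilentlyContinue | Where-Object { $_ -ne '' })
        if ($lines.Count -lt 9 -or $lines.Count % 9 -ne 0) { return }
        for ($i = 2; $i -lt $lines.Count; $i += 9) { ($lines[$i] -split '/')[0] }   # host part of "host/path"
    } | Group-Object | Sort-Object Count -Descending | Select-Object Name, Count
}

$apps = Get-AppContainerPackage
$apps | Format-Table Sid, Moniker, HasCookies -AutoSize

foreach ($app in ($apps | Where-Object HasCookies)) {
    $hosts = Get-AppCookieHost -Moniker $app.Moniker
    if ($hosts) {
        Write-Host "`n== $($app.Moniker)"
        $hosts | Format-Table -AutoSize | Out-Host
    }
}
```

For the two packages in the logs, `ximadinc.magicpuzzles_np8fj6akx2czy` and `microsoft.microsoftmahjong_8wekyb3d8bbwe`, this shows which ad and analytics hosts the in-app ad frame has been talking to. Because an AppContainer cannot write outside its own package storage, cookies found here are confined to that app; clearing them is a matter of closing the app and deleting the contents of its `AC\INetCookies` folder, and they will return as soon as the ad frame loads again.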



#11 nasdaq (Malware Response Team, 40,238 posts, Montreal, QC. Canada)

Posted 01 November 2015 - 02:09 PM

Lets try something else.

Remove everything that will be found by this tool. If the Item is required it will be replaced.

--RogueKiller--
  • Download & SAVE to your Desktop Download RogueKiller
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator to start"
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • When instructed Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • Click on "Report"
  • Click on Export TXT button save the file as RogueReport.txt
  • The file RogueReport.txt will be saved in the desktop.
  • Close the program.
  • Open the file with Notepad and Copy/paste the content into your next reply.
<<<>>>

Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download the Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
createsrpoint;
autoclean;
emptyalltemp;
ipconfig /flushdns;b
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run all the script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.

Also, please provide an update on how the computer is behaving after running the above script.

===

#12 Caramello222 (Topic Starter, Members, 145 posts)

Posted 01 November 2015 - 07:41 PM

I've run into a problem with RogueKiller after updating to the newest version. I'm getting an error message: 'Anti-Rootkit driver failed to load with error [20]. Please contact us for more info.' On their site I see I'm not the only one, but I'm searching for someone who has received a response on how to fix the problem. When I find the solution I'll let you know.

Q: It will still run a scan after the error [20] message, would you like me to post that result anyway? 


Edited by Caramello222, 01 November 2015 - 07:46 PM.


#13 Caramello222 (Topic Starter, Members, 145 posts)

Posted 02 November 2015 - 12:23 AM

I had to restart my computer to get the RogueKiller Anti-Rootkit driver to load because an unknown program was running. Here are the scan results.

RogueKiller V10.11.3.0 (x64) [Oct 26 2015] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/software/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 8.1 (6.3.9600) 64 bits version
Started in : Normal mode
User : Floretta [Administrator]
Started from : C:\Users\Floretta\Desktop\RogueKillerX64.exe
Mode : Scan -- Date : 11/01/2015 20:56:32

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 2 ¤¤¤
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-2468009334-3132239489-2760357183-1001\Software\Microsoft\Internet Explorer\Main | Start Page : https://soundcloud.com/you/sets  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-2468009334-3132239489-2760357183-1001\Software\Microsoft\Internet Explorer\Main | Start Page : https://soundcloud.com/you/sets  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 2 ¤¤¤
[PUP][Folder] C:\ProgramData\{4A268D42-77A5-4E91-AE73-470ED3BD9CA8} -> Found
[PUP][Folder] C:\ProgramData\{ECA9D0D4-7782-4B7F-96E2-FDB0CF0A57D5} -> Found

¤¤¤ Hosts File : 0 [Too big!] ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0:  +++++
--- User ---
[MBR] c2a85036c14f4420a8e0e40215c5f9f2
[BSP] 5bef15c36d8798fe98372410787d35b1 : Empty|VT.Unknown MBR Code
Partition table:
0 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 2048 | Size: 1023 MB
1 - [MAN-MOUNT] EFI system partition | Offset (sectors): 2097152 | Size: 360 MB
2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 2834432 | Size: 128 MB
3 - Basic data partition | Offset (sectors): 3096576 | Size: 456483 MB
4 - [SYSTEM][MAN-MOUNT]  | Offset (sectors): 937973760 | Size: 450 MB
5 - [SYSTEM][MAN-MOUNT]  | Offset (sectors): 938895360 | Size: 350 MB
6 - [SYSTEM] Basic data partition | Offset (sectors): 939612160 | Size: 18140 MB
User = LL1 ... OK
User = LL2 ... OK

 

Deletion was successful. Here are the Zoek results.

 

Zoek.exe v5.0.0.1 Updated 01-November-2015
Tool run by Floretta on Sun 11/01/2015 at 21:40:00.08.
Microsoft Windows 8.1 6.3.9600  x64
Running in: Normal Mode Internet Access Detected
Launched: C:\Users\Floretta\Desktop\zoek.exe [Scan all users] [Script inserted]

==== System Restore Info ======================

11/1/2015 9:43:54 PM Zoek.exe System Restore Point Created Successfully.

==== Empty Folders Check ======================

C:\PROGRA~2\Zemana AntiMalware deleted successfully
C:\PROGRA~3\abelhadigital.com deleted successfully
C:\PROGRA~3\Malwarebytes' Anti-Malware (portable) deleted successfully
C:\Users\Floretta\AppData\Local\PackageStaging deleted successfully
C:\Users\Floretta\AppData\Local\VirtualStore deleted successfully

==== Deleting CLSID Registry Keys ======================

==== Deleting CLSID Registry Values ======================

==== Deleting Services ======================

==== Batch Command(s) Run By Tool======================

==== Deleting Files \ Folders ======================

C:\PROGRA~2\Zemana AntiMalware not found
C:\PROGRA~3\Malwarebytes' Anti-Malware (portable) not found
C:\PROGRA~3\Package Cache deleted
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Shopping and Services deleted
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Search.lnk deleted
C:\WINDOWS\SysNative\config\systemprofile\Searches deleted

==== Chromium Look ======================

==== Set IE to Default ======================

Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://go.microsoft.com/fwlink/p/?LinkId=255141"

New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://go.microsoft.com/fwlink/p/?LinkId=255141"

==== All HKCU SearchScopes ======================

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes
"DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
{012E1000-F331-11DB-8314-0800200C9A66} Google  Url="http://www.google.com/search?q={searchTerms}"
{0633EE93-D776-472f-A0FF-E1416B8B2E3A} Bing  Url="http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IESR02"
{D944BB61-2E34-4DBF-A683-47E505C587DC} Unknown  Url="Not_Found"

==== Deleting CLSID Registry Keys ======================

HKEY_USERS\S-1-5-21-2468009334-3132239489-2760357183-1001\Software\Microsoft\Internet Explorer\SearchScopes\{D944BB61-2E34-4DBF-A683-47E505C587DC} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{D944BB61-2E34-4DBF-A683-47E505C587DC} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{D944BB61-2E34-4DBF-A683-47E505C587DC} deleted successfully

==== Deleting CLSID Registry Values ======================

==== Empty IE Cache ======================

C:\WINDOWS\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Floretta\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\Users\Floretta\AppData\Local\Microsoft\Windows\INetCache\Low\Content.IE5 emptied successfully
C:\WINDOWS\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\WINDOWS\sysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\Users\Floretta\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
C:\Users\Floretta\AppData\Local\Microsoft\Windows\INetCache\Low\IE emptied successfully
C:\WINDOWS\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully

==== Empty FireFox Cache ======================

No FireFox Profiles found

==== Empty Chrome Cache ======================

No Chrome User Data found

==== Empty All Flash Cache ======================

Flash Cache Emptied Successfully

==== Empty All Java Cache ======================

No Java Cache Found

==== C:\zoek_backup content ======================

C:\zoek_backup (files=29 folders=32 28182063 bytes)

==== Empty Temp Folders ======================

C:\Users\Default\AppData\Local\Temp emptied successfully
C:\Users\Default User\AppData\Local\Temp emptied successfully
C:\Users\Floretta\AppData\Local\Temp will be emptied at reboot
C:\WINDOWS\serviceprofiles\networkservice\AppData\Local\Temp emptied successfully
C:\WINDOWS\serviceprofiles\Localservice\AppData\Local\Temp emptied successfully
C:\WINDOWS\Temp will be emptied at reboot

==== After Reboot ======================

==== Empty Temp Folders ======================

C:\WINDOWS\Temp successfully emptied
C:\Users\Floretta\AppData\Local\Temp successfully emptied

==== Empty Recycle Bin ======================

C:\$RECYCLE.BIN successfully emptied

==== EOF on Sun 11/01/2015 at 22:16:18.79 ======================


I'm still checking to see if the same issues are present, but so far I still see an unknown group/user account (S-1-15-2-3873129616-3864902477-3117653462-838095904-2337665935-1018217662-2152729480) with full control, no inheritance, and applying to 'this folder, subfolders and files'. I don't know if it's common to have an unknown group/user account with full permissions in AppData, but it doesn't sound like a good thing, especially since RogueKiller removed the same account (but with different numbers at the end) as a PUM. I don't know exactly what that means, but I'm worried about this unknown account having permissions throughout all the apps in AppData, and at the end of the paths there are a lot of files with a very long string of numbers, or numbers and lower-case letters, that lack detailed information in Properties. I'll attach a pic of what I mean. Yeah, I still have plenty of adware. I've lost 2 GB, and it seems like someone is mad about the scans because now 57% of memory is being used. I've never seen it that high before. The path is C:\Users\Floretta\AppData\Local\Packages\XIMADINC.MagicPuzzles_np8fj6akx2czy\AC\Microsoft\CryptnetUrlCache\Content. The part that is bold and underlined is at the end of all the apps, but some are a little different; there are a lot of _8wekyb3d8bbwe and _cw5nlh2txyewy. I really hope what is in the pics is simply me being paranoid or my lack of computer knowledge, not malware?


Attached File  NoDetails.PNG   8.53KB   0 downloads

Attached File  Strange.PNG   44.9KB   0 downloads


C:\Users\Floretta\AppData\Local\Packages

Attached File  Odd.PNG   78.92KB   0 downloads


Edited by Caramello222, 02 November 2015 - 12:45 AM.


#14 nasdaq

nasdaq

  • Malware Response Team
  • 40,238 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:14 AM

Posted 02 November 2015 - 09:22 AM

The path is C:\Users\Floretta\AppData\Local\Packages\XIMADINC.MagicPuzzles_np8fj6akx2czy\AC\Microsoft\CryptnetUrlCache\Content.


The folder XIMADINC.MagicPuzzles_np8fj6akx2czy was created by MagicPuzzles.

This CryptnetUrl Microsoft\CryptnetUrlCache\Content is normal.

Check it out.
http://www.pcreview.co.uk/threads/cryptneturlcache-what-is-it.3873492/

===


I'm still checking to see if the same issues are present, but so far I still see unknown account group user (S-1-15-2-3873129616-3864902477-3117653462-838095904-2337665935-1018217662-2152729480) with full control, no inheritance


This looks normal for Windows 8.

http://answers.microsoft.com/en-us/ie/forum/ie9-windows_7/account-unknown-s-1-15-2-1/74b45b08-5691-4388-b437-c6b9e70792d7

Check the s-1-15-2 keys on this link.
https://msdn.microsoft.com/en-us/library/cc980032.aspx

===
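One way to confirm the point above yourself rather than eyeballing Properties dialogs: the PowerShell script below (an added example, not something posted in this thread or shipped with any of the tools used here) walks the subfolders of AppData\Local\Packages, lists every access entry that shows only as a raw SID, and flags any such SID that is not an S-1-15-2 (app container) or S-1-15-3 (capability) SID, since those two prefixes are the ones Windows 8 itself puts on app package folders. The Packages path is taken from $env:LOCALAPPDATA for the current user; on this machine that corresponds to C:\Users\Floretta\AppData\Local\Packages.

```powershell
# Added example: audit unresolvable SIDs on AppData\Local\Packages subfolders.
# App-container (S-1-15-2-*) and capability (S-1-15-3-*) SIDs are expected
# to appear as "Account Unknown" in Explorer; anything else is worth a look.
param(
    # Assumption: the current user's Packages folder; override with -Root.
    [string]$Root = (Join-Path $env:LOCALAPPDATA 'Packages')
)

function Test-AppContainerSid {
    param([string]$Sid)
    # S-1-15-2 = app package authority, S-1-15-3 = capability authority.
    return ($Sid -match '^S-1-15-(2|3)(-\d+)+$')
}

function Get-UnresolvedPackageAce {
    param([string]$PackagesRoot)
    foreach ($dir in Get-ChildItem -LiteralPath $PackagesRoot -Directory -ErrorAction SilentlyContinue) {
        $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            $id = $ace.IdentityReference.Value
            # A resolvable principal shows as DOMAIN\Name; a raw S-1-... string
            # is what Explorer displays as "Account Unknown".
            if ($id -notmatch '^S-1-') { continue }
            [pscustomobject]@{
                Folder         = $dir.Name
                Sid            = $id
                Rights         = $ace.FileSystemRights
                Inherited      = $ace.IsInherited
                IsAppContainer = Test-AppContainerSid $id
            }
        }
    }
}

$aces = @(Get-UnresolvedPackageAce -PackagesRoot $Root)
"Unresolved ACEs found: $($aces.Count)"
$aces | Group-Object IsAppContainer | ForEach-Object {
    "  IsAppContainer=$($_.Name): $($_.Count)"
}
# Only entries that are NOT app-container/capability SIDs deserve follow-up.
$suspect = $aces | Where-Object { -not $_.IsAppContainer }
if ($suspect) { $suspect | Format-Table -AutoSize } else { "No unexpected unresolved SIDs." }
```

Full Control granted to an S-1-15-2-* SID with no inheritance on a package folder, as in the screenshot, is exactly what this script classifies as expected; a flagged entry would be one whose SID does not start with S-1-15-2 or S-1-15-3.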

#15 Caramello222

Caramello222
  • Topic Starter

  • Members
  • 145 posts
  • OFFLINE
  • Gender:Female
  • Local time:06:14 AM

Posted 02 November 2015 - 01:21 PM

Thank you for the info, I understand.


Edited by Caramello222, 02 November 2015 - 01:47 PM.




