Juno Email Redirects


  • This topic is locked
33 replies to this topic

#1 riley45
Posted 05 May 2016 - 01:18 PM

I have a 64-bit ASUS PC with Windows 8.1 and Internet Explorer 11. I use Juno email (which is web-based), and I typically have my Juno email account open when I am doing work on the Internet. I also have a pop-up blocker enabled on my internet browser.


Over the past couple of weeks, I have had several instances where my Juno email webpage automatically redirects to a page indicating either that my Adobe Flash Player needs to be updated or that I have accessed a potentially insecure website which needs permission from me to proceed. These redirect instances occur, on average, once every couple of days. In all such instances, I was able to prevent any execution of malware on my PC from these rogue webpages by immediately invoking the Task Manager utility on my PC to close my internet browser. In one such instance, my antivirus software (Norton) automatically quarantined and removed the rogue flash player executable file from my PC.


Following each of these instances, I ran a scan with Malwarebytes (Free Edition) which revealed no malicious files on my PC.


Nevertheless, I would like to stop getting these periodic redirects when my Juno email webpage is open, and I want to make sure that there is no hidden malware on my PC.


I ran the Farbar Recovery Security Tool. The contents of the FRST.txt file are shown below, and the Addition.txt file is attached.


Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:06-05-2016 01

Ran by knemlick (administrator) on KENPC (05-05-2016 13:46:15)

Running from C:\Users\knemlick\Desktop

Loaded Profiles: knemlick (Available Profiles: knemlick)

Platform: Windows 8.1 (X64) Language: English (United States)

Internet Explorer Version 11 (Default browser: IE)

Boot Mode: Normal

Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AMD) C:\Windows\System32\atiesrxx.exe

(Microsoft Corporation) C:\Windows\System32\wlanext.exe

(Advanced Micro Devices, Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe

(ASUS Cloud Corporation) C:\Program Files (x86)\ASUS\WebStorage\2.0.3.226\AsusWSWinService.exe

(Realtek Semiconductor Corporation) C:\Program Files (x86)\Realtek\Realtek Bluetooth\AvrcpService.exe

() C:\Program Files (x86)\Realtek\Realtek Bluetooth\BTDevMgr.exe

(Microsoft Corporation) C:\Program Files\Microsoft Office 15\ClientX64\officeclicktorun.exe

(Symantec Corporation) C:\Program Files (x86)\Norton Security Suite\Engine\22.6.0.142\n360.exe

() C:\Program Files\CyberLink\Shared files\RichVideo64.exe

() C:\Program Files (x86)\ASUS\AXSP\1.00.19\atkexComSvc.exe

(MAGIX AG) C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe

(AMD) C:\Windows\System32\atieclxx.exe

(ASUSTeK Computer Inc.) C:\Program Files (x86)\ASUS\ASUS Manager\AsHKService.exe

() C:\Program Files (x86)\ASUS\ASUS Manager\PC Cleanup\SecureDeleteBackground.exe

(ASUSTeK) C:\Program Files (x86)\ASUS\ASUS Manager\Power Manager\Power Manager_background.exe

(Symantec Corporation) C:\Program Files (x86)\Norton Security Suite\Engine\22.6.0.142\n360.exe

(Realtek Semiconductor Corporation) C:\Program Files (x86)\Realtek\Realtek Bluetooth\BTServer.exe

(Microsoft Corporation) C:\Windows\System32\SkyDrive.exe

(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe

(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe

(Microsoft Corporation) C:\Program Files\Microsoft Office 15\root\office15\onenotem.exe

(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

(CyberLink Corp.) C:\Program Files (x86)\CyberLink\PowerDVD10\PDVD10Serv.exe

(Microsoft Corporation) C:\Windows\System32\GWX\GWX.exe

(ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe

(Adobe Systems Incorporated) C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe

(Microsoft Corporation) C:\Windows\SysWOW64\wbem\WmiPrvSE.exe

(Microsoft Corporation) C:\Windows\System32\SettingSyncHost.exe

(ASUS Cloud Corporation) C:\Program Files (x86)\ASUS\WebStorage\2.0.3.226\AsusWSPanel.exe

(Microsoft Corporation) C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE

(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe

 

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [7199448 2013-09-05] (Realtek Semiconductor)

HKLM\...\Run: [RtHDVBg] => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [1321688 2013-08-30] (Realtek Semiconductor)

HKLM\...\Run: [BtServer] => C:\Program Files (x86)\REALTEK\Realtek Bluetooth\BTServer.exe [280576 2013-09-25] (Realtek Semiconductor Corporation)

HKLM-x32\...\Run: [ASUSPRP] => C:\Program Files (x86)\ASUS\APRP\APRP.EXE [3216032 2014-04-25] (ASUSTek Computer Inc.)

HKLM-x32\...\Run: [WebStorage] => C:\Program Files (x86)\ASUS\WebStorage\2.0.3.226\ASUSWSLoader.exe [63296 2013-08-16] ()

HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\amd64\CLIStart.exe [766208 2013-08-19] (Advanced Micro Devices, Inc.)

HKLM-x32\...\Run: [RemoteControl10] => C:\Program Files (x86)\CyberLink\PowerDVD10\PDVD10Serv.exe [95192 2013-03-08] (CyberLink Corp.)

HKU\S-1-5-21-3351969478-1937094124-811777867-1002\...\Run: [Zoom] => 0

ShellIconOverlayIdentifiers: [ OverlayExcluded] -> {4433A54A-1AC8-432F-90FC-85F045CF383C} => C:\Program Files (x86)\Norton Security Suite\Engine64\22.6.0.142\buShell.dll [2016-02-18] (Symantec Corporation)

ShellIconOverlayIdentifiers: [ OverlayPending] -> {F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225} => C:\Program Files (x86)\Norton Security Suite\Engine64\22.6.0.142\buShell.dll [2016-02-18] (Symantec Corporation)

ShellIconOverlayIdentifiers: [ OverlayProtected] -> {476D0EA3-80F9-48B5-B70B-05E677C9C148} => C:\Program Files (x86)\Norton Security Suite\Engine64\22.6.0.142\buShell.dll [2016-02-18] (Symantec Corporation)

ShellIconOverlayIdentifiers: [!AsusWSShellExt_B] -> {6D4133E5-0742-4ADC-8A8C-9303440F7191} => C:\Program Files (x86)\Common Files\AWS\2.0.3.226\ASUSWSShellExt64.dll [2013-06-25] (ASUS Cloud Corporation.)

ShellIconOverlayIdentifiers: [!AsusWSShellExt_O] -> {64174815-8D98-4CE6-8646-4C039977D809} => C:\Program Files (x86)\Common Files\AWS\2.0.3.226\ASUSWSShellExt64.dll [2013-06-25] (ASUS Cloud Corporation.)

ShellIconOverlayIdentifiers: [!AsusWSShellExt_U] -> {1C5AB7B1-0B38-4EC4-9093-7FD277E2AF4E} => C:\Program Files (x86)\Common Files\AWS\2.0.3.226\ASUSWSShellExt64.dll [2013-06-25] (ASUS Cloud Corporation.)

Startup: C:\Users\knemlick\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk [2016-02-29]

ShortcutTarget: ERUNT AutoBackup.lnk -> C:\Program Files (x86)\ERUNT\AUTOBACK.EXE ()

Startup: C:\Users\knemlick\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk [2016-02-29]

ShortcutTarget: Send to OneNote.lnk -> C:\Program Files\Microsoft Office 15\root\office15\onenotem.exe (Microsoft Corporation)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76

Tcpip\..\Interfaces\{26BE4CCA-DD37-4358-8535-07EBE3858AAC}: [DhcpNameServer] 75.75.75.75 75.75.76.76

Tcpip\..\Interfaces\{8E18BFBB-B2D7-4C9D-A0AE-8A1C7A3A925A}: [DhcpNameServer] 192.168.1.1

Internet Explorer:

==================

HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank

HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://google.com

HKU\S-1-5-21-3351969478-1937094124-811777867-1002\Software\Microsoft\Internet Explorer\Main,Search Bar = hxxp://search.msn.com/spbasic.htm

SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =

SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =

SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =

SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =

BHO: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\OCHelper.dll [2016-03-15] (Microsoft Corporation)

BHO: Norton Identity Protection -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> C:\Program Files (x86)\Norton Security Suite\Engine64\22.6.0.142\coIEPlg.dll [2016-02-21] (Symantec Corporation)

BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL [2016-04-19] (Microsoft Corporation)

BHO-x32: Norton Identity Protection -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> C:\Program Files (x86)\Norton Security Suite\Engine\22.6.0.142\coIEPlg.dll [2016-02-21] (Symantec Corporation)

Toolbar: HKLM - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Security Suite\Engine64\22.6.0.142\coIEPlg.dll [2016-02-21] (Symantec Corporation)

Toolbar: HKLM-x32 - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Security Suite\Engine\22.6.0.142\coIEPlg.dll [2016-02-21] (Symantec Corporation)

Toolbar: HKU\S-1-5-21-3351969478-1937094124-811777867-1002 -> Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Security Suite\Engine64\22.6.0.142\coIEPlg.dll [2016-02-21] (Symantec Corporation)

DPF: HKLM-x32 {166B1BCA-3F9C-11CF-8075-444553540000} hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: HKLM-x32 {7530BFB8-7293-4D34-9923-61A11451AFC5} hxxp://download.eset.com/special/eos/OnlineScanner.cab

Handler-x32: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\Office15\MSOSB.DLL [2015-02-03] (Microsoft Corporation)

FireFox:

========

FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\SysWOW64\Adobe\Director\np32dsw_1213153.dll [2014-06-24] (Adobe Systems, Inc.)

FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office 15\root\Office15\NPSPWRAP.DLL [2014-11-10] (Microsoft Corporation)

FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3522.0110 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2014-01-10] (Microsoft Corporation)

FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2015-12-18] (Adobe Systems Inc.)

FF Plugin HKU\S-1-5-21-3351969478-1937094124-811777867-1002: @zoom.us/ZoomVideoPlugin -> C:\Users\knemlick\AppData\Roaming\Zoom\bin\npzoomplugin.dll [2016-01-11] (Zoom Video Communications, Inc.)

FF HKLM\...\Firefox\Extensions: [{C1A2A613-35F1-4FCF-B27F-2840527B6556}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_22.5.2.15\coFFAddon

FF Extension: Norton Identity Safe - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_22.5.2.15\coFFAddon [2016-03-22]

FF HKLM-x32\...\Firefox\Extensions: [{C1A2A613-35F1-4FCF-B27F-2840527B6556}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_22.5.2.15\coFFAddon

Chrome:

=======

CHR HKLM\...\Chrome\Extension: [cjabmdjcfcfdmffimndhafhblfmpjdpe] - C:\Program Files (x86)\Norton Security Suite\Engine\22.6.0.142\Exts\Chrome.crx [2016-03-14]

CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx

CHR HKLM-x32\...\Chrome\Extension: [cjabmdjcfcfdmffimndhafhblfmpjdpe] - C:\Program Files (x86)\Norton Security Suite\Engine\22.6.0.142\Exts\Chrome.crx [2016-03-14]

CHR HKLM-x32\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 AMD FUEL Service; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [344064 2013-08-19] (Advanced Micro Devices, Inc.) [File not signed]

R2 asComSvc; C:\Program Files (x86)\ASUS\AXSP\1.00.19\atkexComSvc.exe [920736 2013-11-06] ()

R2 Asus WebStorage Windows Service; C:\Program Files (x86)\ASUS\WebStorage\2.0.3.226\AsusWSWinService.exe [71680 2013-08-16] (ASUS Cloud Corporation) [File not signed]

R2 AvrcpService; C:\Program Files (x86)\REALTEK\Realtek Bluetooth\AvrcpService.exe [35328 2013-05-07] (Realtek Semiconductor Corporation) [File not signed]

R2 BTDevManager; C:\Program Files (x86)\REALTEK\Realtek Bluetooth\BTDevMgr.exe [59392 2013-09-26] () [File not signed]

R2 ClickToRunSvc; C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [2829552 2016-03-08] (Microsoft Corporation)

R2 Fabs; C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\FABS.exe [1858048 2012-01-23] (MAGIX AG) [File not signed]

S3 FirebirdServerMAGIXInstance; C:\Program Files (x86)\Common Files\MAGIX Services\Database\bin\fbserver.exe [2702848 2011-04-26] (MAGIX®) [File not signed]

R2 N360; C:\Program Files (x86)\Norton Security Suite\Engine\22.6.0.142\N360.exe [289080 2016-02-26] (Symantec Corporation)

R2 RichVideo64; C:\Program Files\CyberLink\Shared files\RichVideo64.exe [390632 2012-04-24] ()

S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [366552 2015-07-07] (Microsoft Corporation)

S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23824 2015-07-07] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R1 AsIO; C:\Windows\SysWow64\drivers\AsIO.sys [15232 2012-08-22] ()

R0 assdv2; C:\Windows\System32\Drivers\assdv2.sys [21816 2013-12-05] ()

R1 AsUpIO; C:\Windows\SysWow64\drivers\AsUpIO.sys [14464 2010-08-03] ()

R3 AtiHDAudioService; C:\Windows\system32\drivers\AtihdWB6.sys [138240 2013-06-22] (Advanced Micro Devices)

R1 BHDrvx64; C:\Program Files (x86)\Norton Security Suite\NortonData\22.5.2.15\Definitions\BASHDefs\20160502.001\BHDrvx64.sys [1766640 2016-03-09] (Symantec Corporation)

R1 ccSet_N360; C:\Windows\system32\drivers\N360x64\1606000.08E\ccSetx64.sys [173808 2015-07-10] (Symantec Corporation)

S0 ebdrv; C:\Windows\System32\drivers\evbda.sys [3357024 2013-08-22] (Broadcom Corporation)

R1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [497392 2016-05-04] (Symantec Corporation)

U3 EraserUtilDrv11521; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilDrv11521.sys [156912 2016-05-04] (Symantec Corporation)

R3 EraserUtilRebootDrv; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [157520 2015-11-17] (Symantec Corporation)

R1 IDSVia64; C:\Program Files (x86)\Norton Security Suite\NortonData\22.5.2.15\Definitions\IPSDefs\20160503.001\IDSvia64.sys [767224 2016-02-13] (Symantec Corporation)

R3 NAVENG; C:\Program Files (x86)\Norton Security Suite\NortonData\22.5.2.15\Definitions\VirusDefs\20160504.036\ENG64.SYS [138488 2015-10-27] (Symantec Corporation)

R3 NAVEX15; C:\Program Files (x86)\Norton Security Suite\NortonData\22.5.2.15\Definitions\VirusDefs\20160504.036\EX64.SYS [2148080 2015-10-27] (Symantec Corporation)

R3 RtkBtFilter; C:\Windows\system32\DRIVERS\RtkBtfilter.sys [548056 2013-09-05] (Realtek Semiconductor Corporation)

R3 RTWlanE; C:\Windows\system32\DRIVERS\rtwlane.sys [2944216 2013-08-21] (Realtek Semiconductor Corporation )

R1 SRTSP; C:\Windows\System32\Drivers\N360x64\1606000.08E\SRTSP64.SYS [928504 2016-02-23] (Symantec Corporation)

R1 SRTSPX; C:\Windows\system32\drivers\N360x64\1606000.08E\SRTSPX64.SYS [50936 2015-07-10] (Symantec Corporation)

R0 SymEFASI; C:\Windows\System32\drivers\N360x64\1606000.08E\SYMEFASI64.SYS [1621232 2016-02-23] (Symantec Corporation)

S0 SymELAM; C:\Windows\System32\drivers\N360x64\1606000.08E\SymELAM.sys [24192 2015-07-10] (Symantec Corporation)

R3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [111344 2015-08-04] (Symantec Corporation)

R1 SymIRON; C:\Windows\system32\drivers\N360x64\1606000.08E\Ironx64.SYS [295664 2016-02-23] (Symantec Corporation)

R1 SymNetS; C:\Windows\System32\Drivers\N360x64\1606000.08E\SYMNETS.SYS [577768 2016-02-23] (Symantec Corporation)

U3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [35064 2015-08-17] ()

S3 WdBoot; C:\Windows\system32\drivers\WdBoot.sys [44560 2015-07-07] (Microsoft Corporation)

S3 WdFilter; C:\Windows\system32\drivers\WdFilter.sys [270168 2015-07-07] (Microsoft Corporation)

S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114520 2015-07-07] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

 

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-05-05 13:46 - 2016-05-05 13:46 - 00016131 _____ C:\Users\knemlick\Desktop\FRST.txt

2016-05-05 13:44 - 2016-05-05 13:45 - 02379776 _____ (Farbar) C:\Users\knemlick\Desktop\FRST64.exe

2016-05-04 20:16 - 2016-05-04 20:16 - 01072354 _____ C:\Users\knemlick\Documents\Tuesday Talmud 05102016.pdf

2016-05-04 20:15 - 2016-05-04 20:15 - 06462523 _____ C:\Users\knemlick\Documents\IMG_1046.MOV

2016-05-03 00:52 - 2016-05-03 00:52 - 03922434 _____ C:\Users\knemlick\Documents\kosher wine wsj article.pdf

2016-04-29 20:10 - 2016-04-29 20:10 - 04275704 _____ C:\Users\knemlick\Documents\coins.pdf

2016-04-29 15:10 - 2016-04-29 15:12 - 00219988 _____ C:\TDSSKiller.3.1.0.9_29.04.2016_15.10.10_log.txt

2016-04-29 15:09 - 2016-04-29 15:09 - 04727984 _____ (Kaspersky Lab ZAO) C:\Users\knemlick\Desktop\tdsskiller.exe

2016-04-26 11:02 - 2016-04-26 11:03 - 00851993 _____ C:\Users\knemlick\Documents\Tuesday Talmud 05032016.pdf

2016-04-25 15:46 - 2016-04-26 14:25 - 00080734 _____ C:\Users\knemlick\Documents\Gerling Pension 07-2016 Offer.xlsx

2016-04-13 08:59 - 2016-03-15 18:00 - 00561952 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\cng.sys

2016-04-13 08:59 - 2016-03-15 09:14 - 01441792 _____ (Microsoft Corporation) C:\Windows\system32\lsasrv.dll

2016-04-13 08:59 - 2016-03-11 09:48 - 00833024 _____ (Microsoft Corporation) C:\Windows\system32\samsrv.dll

2016-04-13 08:59 - 2016-03-10 13:22 - 00201728 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb20.sys

2016-04-13 08:59 - 2016-03-10 13:21 - 00401920 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb.sys

2016-04-13 08:59 - 2016-03-10 13:20 - 00284672 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxsmb10.sys

2016-04-13 08:59 - 2016-03-10 12:44 - 00445440 _____ (Microsoft Corporation) C:\Windows\system32\certcli.dll

2016-04-13 08:59 - 2016-03-10 12:16 - 00324096 _____ (Microsoft Corporation) C:\Windows\SysWOW64\certcli.dll

2016-04-13 08:59 - 2016-03-10 12:03 - 00111616 _____ (Microsoft Corporation) C:\Windows\system32\samlib.dll

2016-04-13 08:59 - 2016-03-10 11:48 - 00064512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\samlib.dll

2016-04-13 08:59 - 2016-02-02 13:16 - 00112640 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\rasl2tp.sys

2016-04-13 08:59 - 2016-01-21 14:35 - 00952928 _____ (Microsoft Corporation) C:\Windows\system32\mfmp4srcsnk.dll

2016-04-13 08:59 - 2016-01-21 13:42 - 00786152 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mfmp4srcsnk.dll

2016-04-13 08:58 - 2016-03-30 19:54 - 25817600 _____ (Microsoft Corporation) C:\Windows\system32\mshtml.dll

2016-04-13 08:58 - 2016-03-30 19:31 - 02892800 _____ (Microsoft Corporation) C:\Windows\system32\iertutil.dll

2016-04-13 08:58 - 2016-03-30 19:28 - 00571904 _____ (Microsoft Corporation) C:\Windows\system32\vbscript.dll

2016-04-13 08:58 - 2016-03-30 19:25 - 06052352 _____ (Microsoft Corporation) C:\Windows\system32\jscript9.dll

2016-04-13 08:58 - 2016-03-30 19:17 - 00817664 _____ (Microsoft Corporation) C:\Windows\system32\jscript.dll

2016-04-13 08:58 - 2016-03-30 19:03 - 20352512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll

2016-04-13 08:58 - 2016-03-30 18:56 - 00145408 _____ (Microsoft Corporation) C:\Windows\system32\iepeers.dll

2016-04-13 08:58 - 2016-03-30 18:56 - 00092160 _____ (Microsoft Corporation) C:\Windows\system32\mshtmled.dll

2016-04-13 08:58 - 2016-03-30 18:55 - 00315392 _____ (Microsoft Corporation) C:\Windows\system32\dxtrans.dll

2016-04-13 08:58 - 2016-03-30 18:53 - 00496640 _____ (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll

2016-04-13 08:58 - 2016-03-30 18:51 - 02285056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll

2016-04-13 08:58 - 2016-03-30 18:50 - 01032704 _____ (Microsoft Corporation) C:\Windows\system32\inetcomm.dll

2016-04-13 08:58 - 2016-03-30 18:45 - 00663552 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll

2016-04-13 08:58 - 2016-03-30 18:45 - 00262144 _____ (Microsoft Corporation) C:\Windows\system32\webcheck.dll

2016-04-13 08:58 - 2016-03-30 18:43 - 00806400 _____ (Microsoft Corporation) C:\Windows\system32\msfeeds.dll

2016-04-13 08:58 - 2016-03-30 18:43 - 00725504 _____ (Microsoft Corporation) C:\Windows\system32\ie4uinit.exe

2016-04-13 08:58 - 2016-03-30 18:43 - 00379392 _____ (Microsoft Corporation) C:\Windows\system32\iedkcs32.dll

2016-04-13 08:58 - 2016-03-30 18:42 - 02131968 _____ (Microsoft Corporation) C:\Windows\system32\inetcpl.cpl

2016-04-13 08:58 - 2016-03-30 18:39 - 15415808 _____ (Microsoft Corporation) C:\Windows\system32\ieframe.dll

2016-04-13 08:58 - 2016-03-30 18:30 - 04611072 _____ (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll

2016-04-13 08:58 - 2016-03-30 18:30 - 02596864 _____ (Microsoft Corporation) C:\Windows\system32\wininet.dll

2016-04-13 08:58 - 2016-03-30 18:30 - 00279040 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll

2016-04-13 08:58 - 2016-03-30 18:30 - 00128000 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iepeers.dll

2016-04-13 08:58 - 2016-03-30 18:27 - 00880128 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcomm.dll

2016-04-13 08:58 - 2016-03-30 18:24 - 00230400 _____ (Microsoft Corporation) C:\Windows\SysWOW64\webcheck.dll

2016-04-13 08:58 - 2016-03-30 18:23 - 02056192 _____ (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl

2016-04-13 08:58 - 2016-03-30 18:23 - 00693248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll

2016-04-13 08:58 - 2016-03-30 18:23 - 00330752 _____ (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll

2016-04-13 08:58 - 2016-03-30 18:21 - 13811712 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll

2016-04-13 08:58 - 2016-03-30 18:18 - 01547264 _____ (Microsoft Corporation) C:\Windows\system32\urlmon.dll

2016-04-13 08:58 - 2016-03-30 18:06 - 00800768 _____ (Microsoft Corporation) C:\Windows\system32\ieapfltr.dll

2016-04-13 08:58 - 2016-03-30 18:05 - 02121216 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll

2016-04-13 08:58 - 2016-03-30 18:02 - 01311744 _____ (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll

2016-04-13 08:58 - 2016-03-30 18:00 - 00710144 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll

2016-04-13 08:52 - 2016-04-02 08:26 - 01386496 _____ (Microsoft Corporation) C:\Windows\system32\appraiser.dll

2016-04-13 08:52 - 2016-04-02 08:26 - 01169408 _____ (Microsoft Corporation) C:\Windows\system32\aeinv.dll

2016-04-13 08:52 - 2016-03-03 11:47 - 02345472 _____ (Microsoft Corporation) C:\Windows\system32\msxml3.dll

2016-04-13 08:52 - 2016-03-03 11:33 - 01556992 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msxml3.dll

2016-04-13 08:52 - 2016-03-02 20:39 - 01661576 _____ (Microsoft Corporation) C:\Windows\system32\ole32.dll

2016-04-13 08:52 - 2016-03-02 20:39 - 01212248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ole32.dll

2016-04-13 08:52 - 2016-02-05 09:46 - 01455104 _____ (Microsoft Corporation) C:\Windows\system32\VSSVC.exe

2016-04-13 08:52 - 2016-02-03 10:14 - 00080896 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\IPMIDrv.sys

2016-04-13 08:52 - 2016-02-02 12:51 - 00162304 _____ (Microsoft Corporation) C:\Windows\system32\WsmAuto.dll

2016-04-13 08:52 - 2016-02-02 12:19 - 00144384 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WsmAuto.dll

2016-04-13 08:52 - 2016-02-02 12:01 - 00031744 _____ (Microsoft Corporation) C:\Windows\system32\WsmAgent.dll

2016-04-13 08:52 - 2016-02-02 11:51 - 02609152 _____ (Microsoft Corporation) C:\Windows\system32\WsmSvc.dll

2016-04-13 08:52 - 2016-02-02 11:48 - 00285184 _____ (Microsoft Corporation) C:\Windows\system32\WsmWmiPl.dll

2016-04-13 08:52 - 2016-02-02 11:46 - 00026112 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WsmAgent.dll

2016-04-13 08:52 - 2016-02-02 11:41 - 02170880 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WsmSvc.dll

2016-04-13 08:52 - 2016-02-02 11:39 - 00236032 _____ (Microsoft Corporation) C:\Windows\SysWOW64\WsmWmiPl.dll

2016-04-13 08:52 - 2016-01-27 10:18 - 00817664 _____ (Microsoft Corporation) C:\Windows\system32\rpcss.dll

2016-04-13 08:51 - 2016-04-04 01:35 - 00046768 _____ (Microsoft Corporation) C:\Windows\system32\CompatTelRunner.exe

2016-04-13 08:51 - 2016-03-29 09:05 - 04175872 _____ (Microsoft Corporation) C:\Windows\system32\win32k.sys

2016-04-13 08:51 - 2016-03-28 08:21 - 00698368 _____ (Microsoft Corporation) C:\Windows\system32\generaltel.dll

2016-04-13 08:51 - 2016-03-28 08:21 - 00499200 _____ (Microsoft Corporation) C:\Windows\system32\devinv.dll

2016-04-13 08:51 - 2016-03-28 08:21 - 00279040 _____ (Microsoft Corporation) C:\Windows\system32\invagent.dll

2016-04-13 08:51 - 2016-03-28 08:21 - 00215040 _____ (Microsoft Corporation) C:\Windows\system32\aepic.dll

2016-04-13 08:51 - 2016-03-28 08:21 - 00076800 _____ (Microsoft Corporation) C:\Windows\system32\acmigration.dll

2016-04-13 08:51 - 2016-03-10 14:19 - 07452512 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe

2016-04-13 08:51 - 2016-03-10 14:17 - 01663192 _____ (Microsoft Corporation) C:\Windows\system32\winload.efi

2016-04-13 08:51 - 2016-03-10 14:17 - 01523216 _____ (Microsoft Corporation) C:\Windows\system32\winload.exe

2016-04-13 08:51 - 2016-03-10 14:17 - 01490128 _____ (Microsoft Corporation) C:\Windows\system32\winresume.efi

2016-04-13 08:51 - 2016-03-10 14:17 - 01358960 _____ (Microsoft Corporation) C:\Windows\system32\winresume.exe

2016-04-13 08:51 - 2016-03-10 14:17 - 01133752 _____ (Microsoft Corporation) C:\Windows\system32\KernelBase.dll

2016-04-13 08:51 - 2016-03-10 12:48 - 00862720 _____ (Microsoft Corporation) C:\Windows\SysWOW64\KernelBase.dll

2016-04-13 08:51 - 2016-03-10 12:43 - 00161280 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msorcl32.dll

2016-04-13 08:51 - 2016-03-10 11:55 - 00166400 _____ (Microsoft Corporation) C:\Windows\system32\mtxoci.dll

2016-04-13 08:51 - 2016-03-10 11:42 - 00116736 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mtxoci.dll

2016-04-13 08:51 - 2016-03-03 11:13 - 00059392 _____ (Microsoft Corporation) C:\Windows\system32\basesrv.dll

2016-04-13 08:51 - 2016-02-08 20:31 - 22365472 _____ (Microsoft Corporation) C:\Windows\system32\shell32.dll

2016-04-13 08:51 - 2016-02-08 20:31 - 19794896 _____ (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll

2016-04-13 08:51 - 2016-02-08 20:31 - 02757616 _____ (Microsoft Corporation) C:\Windows\explorer.exe

2016-04-13 08:51 - 2016-02-08 20:31 - 02412576 _____ (Microsoft Corporation) C:\Windows\SysWOW64\explorer.exe

2016-04-13 08:51 - 2016-02-08 20:31 - 00273264 _____ (Microsoft Corporation) C:\Windows\system32\SystemSettingsAdminFlows.exe

2016-04-13 08:51 - 2016-02-08 15:55 - 02712576 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ExplorerFrame.dll

2016-04-13 08:51 - 2016-02-08 15:15 - 02551808 _____ (Microsoft Corporation) C:\Windows\SysWOW64\themecpl.dll

2016-04-13 08:51 - 2016-02-08 15:02 - 01197056 _____ (Microsoft Corporation) C:\Windows\SysWOW64\usercpl.dll

2016-04-13 08:51 - 2016-02-08 14:48 - 12879360 _____ (Microsoft Corporation) C:\Windows\SysWOW64\twinui.dll

2016-04-13 08:51 - 2016-02-08 14:43 - 00524288 _____ (Microsoft Corporation) C:\Windows\SysWOW64\SettingSyncHost.exe

2016-04-13 08:51 - 2016-02-08 14:40 - 00539648 _____ (Microsoft Corporation) C:\Windows\SysWOW64\hgcpl.dll

2016-04-13 08:51 - 2016-02-08 14:39 - 00305152 _____ (Microsoft Corporation) C:\Windows\SysWOW64\stobject.dll

2016-04-13 08:51 - 2016-02-08 14:37 - 00141312 _____ (Microsoft Corporation) C:\Windows\SysWOW64\SettingMonitor.dll

2016-04-13 08:51 - 2016-02-08 14:35 - 00954880 _____ (Microsoft Corporation) C:\Windows\SysWOW64\twinui.appcore.dll

2016-04-13 08:51 - 2016-02-08 14:34 - 00667648 _____ (Microsoft Corporation) C:\Windows\SysWOW64\SettingSyncCore.dll

2016-04-13 08:51 - 2016-02-08 14:33 - 00520192 _____ (Microsoft Corporation) C:\Windows\SysWOW64\SettingSync.dll

2016-04-13 08:51 - 2016-02-08 13:50 - 03120640 _____ (Microsoft Corporation) C:\Windows\system32\ExplorerFrame.dll

2016-04-13 08:51 - 2016-02-08 12:55 - 02592256 _____ (Microsoft Corporation) C:\Windows\system32\themecpl.dll

2016-04-13 08:51 - 2016-02-08 12:33 - 01278464 _____ (Microsoft Corporation) C:\Windows\system32\usercpl.dll

2016-04-13 08:51 - 2016-02-08 12:12 - 14466560 _____ (Microsoft Corporation) C:\Windows\system32\twinui.dll

2016-04-13 08:51 - 2016-02-08 12:02 - 00653824 _____ (Microsoft Corporation) C:\Windows\system32\SettingSyncHost.exe

2016-04-13 08:51 - 2016-02-08 12:00 - 00599552 _____ (Microsoft Corporation) C:\Windows\system32\hgcpl.dll

2016-04-13 08:51 - 2016-02-08 11:58 - 00336384 _____ (Microsoft Corporation) C:\Windows\system32\stobject.dll

2016-04-13 08:51 - 2016-02-08 11:55 - 00173056 _____ (Microsoft Corporation) C:\Windows\system32\SettingMonitor.dll

2016-04-13 08:51 - 2016-02-08 11:53 - 02171904 _____ (Microsoft Corporation) C:\Windows\system32\SystemSettingsAdminFlowUI.dll

2016-04-13 08:51 - 2016-02-08 11:53 - 01348096 _____ (Microsoft Corporation) C:\Windows\system32\AppXDeploymentServer.dll

2016-04-13 08:51 - 2016-02-08 11:50 - 01220096 _____ (Microsoft Corporation) C:\Windows\system32\twinui.appcore.dll

2016-04-13 08:51 - 2016-02-08 11:50 - 00841728 _____ (Microsoft Corporation) C:\Windows\system32\SettingSyncCore.dll

2016-04-13 08:51 - 2016-02-08 11:48 - 00655872 _____ (Microsoft Corporation) C:\Windows\system32\SettingSync.dll

2016-04-13 08:51 - 2016-02-08 11:47 - 02819584 _____ (Microsoft Corporation) C:\Windows\system32\SettingsHandlers.dll

2016-04-13 08:51 - 2016-02-08 11:44 - 00955392 _____ (Microsoft Corporation) C:\Windows\system32\AppXDeploymentExtensions.dll

2016-04-13 08:51 - 2016-02-06 18:05 - 00551256 ____C (Microsoft Corporation) C:\Windows\system32\Drivers\vhdmp.sys

2016-04-13 08:51 - 2016-02-06 17:41 - 00316760 ____C (Microsoft Corporation) C:\Windows\system32\Drivers\volsnap.sys

2016-04-13 08:51 - 2016-02-05 14:07 - 00378712 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\storport.sys

2016-04-13 08:51 - 2016-02-05 10:11 - 00845312 _____ (Microsoft Corporation) C:\Windows\system32\BFE.DLL

2016-04-13 08:51 - 2016-02-05 10:11 - 00422400 _____ (Microsoft Corporation) C:\Windows\system32\FWPUCLNT.DLL

2016-04-13 08:51 - 2016-02-05 10:07 - 00272384 _____ (Microsoft Corporation) C:\Windows\SysWOW64\FWPUCLNT.DLL

2016-04-13 08:51 - 2016-02-05 10:02 - 01083904 _____ (Microsoft Corporation) C:\Windows\system32\IKEEXT.DLL

2016-04-13 08:51 - 2016-02-04 13:07 - 00222720 _____ (Microsoft Corporation) C:\Windows\system32\dhcpsapi.dll

2016-04-13 08:51 - 2016-02-04 12:35 - 00142848 _____ (Microsoft Corporation) C:\Windows\SysWOW64\dhcpsapi.dll

2016-04-13 08:51 - 2016-02-04 11:23 - 00713216 _____ (Microsoft Corporation) C:\Windows\system32\nshwfp.dll

2016-04-13 08:51 - 2016-02-04 11:22 - 00561664 _____ (Microsoft Corporation) C:\Windows\SysWOW64\nshwfp.dll

2016-04-13 08:51 - 2016-02-03 10:11 - 01673728 _____ (Microsoft Corporation) C:\Windows\system32\workfolderssvc.dll

2016-04-13 08:51 - 2016-02-02 12:18 - 01574912 _____ (Microsoft Corporation) C:\Windows\system32\wbengine.exe

2016-04-13 08:51 - 2016-02-02 12:15 - 00787456 _____ (Microsoft Corporation) C:\Windows\system32\WorkfoldersControl.dll

2016-04-13 08:51 - 2016-01-31 12:17 - 00779264 _____ (Microsoft Corporation) C:\Windows\system32\WindowsAnytimeUpgradeui.exe

2016-04-13 08:51 - 2016-01-26 14:15 - 00072024 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\vpci.sys

2016-04-13 08:51 - 2016-01-22 00:22 - 02487296 _____ (Microsoft Corporation) C:\Windows\system32\storagewmi.dll

2016-04-13 08:51 - 2016-01-22 00:11 - 01482240 _____ (Microsoft Corporation) C:\Windows\SysWOW64\storagewmi.dll

2016-04-13 08:51 - 2016-01-20 17:40 - 00099672 ____C (Microsoft Corporation) C:\Windows\system32\Drivers\disk.sys

2016-04-13 08:51 - 2014-11-07 21:38 - 00166912 _____ (Microsoft Corporation) C:\Windows\system32\AppxAllUserStore.dll

2016-04-13 08:51 - 2014-11-07 21:17 - 00143360 _____ (Microsoft Corporation) C:\Windows\SysWOW64\AppxAllUserStore.dll

2016-04-06 17:27 - 2016-04-06 17:27 - 00145028 _____ C:\Users\knemlick\Documents\SKMBT_60116040615500.pdf

2016-04-06 14:57 - 2016-04-06 14:57 - 00144072 _____ C:\Users\knemlick\Documents\Order of the Seder.pdf

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-05-05 13:46 - 2014-09-05 22:12 - 00000000 ____D C:\FRST

2016-05-05 13:25 - 2014-09-06 13:28 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys

2016-05-05 11:27 - 2015-04-16 15:17 - 00000000 ____D C:\Windows\system32\appraiser

2016-05-05 11:27 - 2013-08-22 10:20 - 00000000 ____D C:\Windows\CbsTemp

2016-05-05 10:17 - 2014-09-08 06:51 - 00000000 ___DO C:\Users\knemlick\OneDrive

2016-05-04 20:28 - 2014-08-30 21:30 - 00043520 _____ C:\Users\knemlick\Documents\Tutoring Income.xlr

2016-05-03 23:22 - 2014-09-08 07:09 - 00000000 ____D C:\Users\knemlick\AppData\Local\Packages

2016-05-03 23:22 - 2014-08-30 15:01 - 00000000 ____D C:\Users\knemlick\Documents\GMHS 7500

2016-05-03 17:58 - 2014-11-10 14:19 - 00000000 ____D C:\Program Files\Microsoft Office 15

2016-05-03 17:58 - 2013-08-22 10:36 - 00000000 ____D C:\ProgramData\regid.1991-06.com.microsoft

2016-05-03 11:31 - 2014-08-20 11:36 - 00000426 _____ C:\Windows\BRWMARK.INI

2016-05-03 09:41 - 2014-08-30 14:57 - 00000000 ____D C:\Users\knemlick\Documents\Taxes

2016-05-02 17:42 - 2014-08-30 21:30 - 00131584 _____ C:\Users\knemlick\Documents\Tutoring Clients.xlr

2016-05-02 16:45 - 2013-08-22 09:45 - 00000006 ____H C:\Windows\Tasks\SA.DAT

2016-05-01 20:49 - 2014-09-15 23:21 - 00000000 ____D C:\Users\knemlick\AppData\Local\CrashDumps

2016-04-30 23:31 - 2013-08-22 10:36 - 00000000 ____D C:\Windows\system32\NDF

2016-04-29 15:04 - 2014-09-08 07:26 - 00512184 _____ C:\Windows\ntbtlog.txt

2016-04-29 14:52 - 2013-08-22 08:25 - 00262144 ___SH C:\Windows\system32\config\BBI

2016-04-29 13:08 - 2014-08-16 00:01 - 00003598 _____ C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-3351969478-1937094124-811777867-1002

2016-04-29 08:16 - 2013-08-22 10:36 - 00000000 ___HD C:\Program Files\WindowsApps

2016-04-29 08:16 - 2013-08-22 10:36 - 00000000 ____D C:\Windows\AppReadiness

2016-04-28 14:16 - 2016-02-08 14:01 - 00000000 ____D C:\Users\knemlick\Documents\DJ Fosu

2016-04-26 09:41 - 2013-08-22 08:25 - 00262144 ___SH C:\Windows\system32\config\ELAM

2016-04-26 09:34 - 2013-08-22 10:36 - 00000000 ____D C:\Windows\LiveKernelReports

2016-04-24 14:26 - 2016-01-08 01:05 - 00000000 ____D C:\Users\knemlick\Documents\Barbara Kitchener Dissertation

2016-04-23 08:48 - 2013-08-22 08:36 - 00000000 ____D C:\Windows\Inf

2016-04-17 10:08 - 2014-08-15 23:55 - 00000000 ____D C:\Users\knemlick

2016-04-15 23:54 - 2014-10-07 20:58 - 00000000 ____D C:\Users\knemlick\AppData\Local\ElevatedDiagnostics

2016-04-14 08:59 - 2013-08-22 10:36 - 00000000 ____D C:\Windows\rescache

2016-04-13 11:46 - 2013-08-22 09:44 - 00569528 _____ C:\Windows\system32\FNTCACHE.DAT

2016-04-13 09:53 - 2013-08-22 10:36 - 00000000 ___RD C:\Windows\ToastData

2016-04-13 09:04 - 2014-08-15 22:57 - 00000000 ____D C:\Windows\system32\MRT

2016-04-13 09:03 - 2014-08-15 22:57 - 135176864 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe

2016-04-13 08:49 - 2016-01-13 09:07 - 00177488 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\ksecpkg.sys

2016-04-13 08:47 - 2016-03-09 08:28 - 01737080 _____ (Microsoft Corporation) C:\Windows\system32\ntdll.dll

2016-04-13 08:47 - 2016-03-09 08:28 - 01501488 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntdll.dll

2016-04-13 08:47 - 2016-03-09 08:28 - 00246784 _____ (Microsoft Corporation) C:\Windows\system32\microsoft-windows-system-events.dll

2016-04-08 18:20 - 2014-08-30 15:01 - 00000000 ____D C:\Users\knemlick\Documents\GMHS 7508

2016-04-05 16:53 - 2014-08-16 00:14 - 00829944 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe

2016-04-05 16:53 - 2014-08-16 00:14 - 00176632 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl

==================== Files in the root of some directories =======

2014-08-15 23:55 - 2016-05-05 10:17 - 4616277 _____ () C:\Users\knemlick\AppData\Local\BTServer.log

2014-04-25 17:30 - 2014-04-25 17:30 - 0000000 ____H () C:\ProgramData\DP45977C.lfl

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed

C:\Windows\system32\wininit.exe => File is digitally signed

C:\Windows\explorer.exe => File is digitally signed

C:\Windows\SysWOW64\explorer.exe => File is digitally signed

C:\Windows\system32\svchost.exe => File is digitally signed

C:\Windows\SysWOW64\svchost.exe => File is digitally signed

C:\Windows\system32\services.exe => File is digitally signed

C:\Windows\system32\User32.dll => File is digitally signed

C:\Windows\SysWOW64\User32.dll => File is digitally signed

C:\Windows\system32\userinit.exe => File is digitally signed

C:\Windows\SysWOW64\userinit.exe => File is digitally signed

C:\Windows\system32\rpcss.dll => File is digitally signed

C:\Windows\system32\dnsapi.dll => File is digitally signed

C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed

C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

 

LastRegBack: 2016-04-26 10:41

==================== End of FRST.txt ============================
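Reviewing a listing like the one above comes down to a few checks applied line by line. The following Python script is an added example, not part of the original post and not FRST's own code: it parses FRST's entry format and reports executables that carry no publisher string or sit under user-writable paths. The sample log, the user name "example" and the file names in it are constructed (the first line is copied from the log above).

```python
"""Triage helper for the FRST file-listing format.

Added example; not part of the original post and not FRST's own code.
Entries in FRST's "One Month Created/Modified files and folders" and
"Files in the root of some directories" sections have the shape

    <date> - <date> - <size> <attrs> (<company>) <path>

The first date is the one the section is keyed on (creation date in the
"Created" section, modification date in the "Modified" section). <attrs> is a
five-character flag string (D = directory, H = hidden, S = system, ...). The
"(<company>)" field is the publisher from the file's version information; it is
empty "()" or missing entirely when FRST found none, which for an executable in
a user-writable location is what a reviewer looks at first.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

LINE_RE = re.compile(
    r"^(?P<date_a>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<date_b>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[_A-Z]{5}) "
    r"(?:\((?P<company>[^)]*)\) )?"
    r"(?P<path>\S.*)$"
)

# Extensions treated as executable content for the purpose of this triage.
EXECUTABLE_EXT = (".exe", ".dll", ".sys", ".cpl", ".scr", ".ocx", ".com")
# Path fragments an unprivileged user (or a drive-by download) can write to.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")


@dataclass
class Entry:
    date_a: datetime
    date_b: datetime
    size: int
    attrs: str
    company: Optional[str]  # None: no "(...)" field at all; "": empty "()"
    path: str

    @property
    def is_directory(self) -> bool:
        return "D" in self.attrs

    @property
    def is_executable(self) -> bool:
        return self.path.lower().endswith(EXECUTABLE_EXT)


def parse_line(line: str) -> Optional[Entry]:
    """Parse one FRST entry; section headers, notes and blank lines give None."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return Entry(
        date_a=datetime.strptime(m["date_a"], "%Y-%m-%d %H:%M"),
        date_b=datetime.strptime(m["date_b"], "%Y-%m-%d %H:%M"),
        size=int(m["size"]),
        attrs=m["attrs"],
        company=m["company"],
        path=m["path"],
    )


def parse_log(text: str) -> List[Entry]:
    entries = (parse_line(ln) for ln in text.splitlines())
    return [e for e in entries if e is not None]


def review_reasons(entry: Entry) -> List[str]:
    """Why a reviewer would want a closer look at this entry (empty = nothing)."""
    reasons: List[str] = []
    if entry.is_directory or not entry.is_executable:
        return reasons
    if not entry.company:
        reasons.append("executable with no publisher/company information")
    if any(frag in entry.path.lower() for frag in USER_WRITABLE):
        reasons.append("executable in a user-writable location")
    return reasons


def triage(text: str) -> List[Tuple[str, List[str]]]:
    """Return (path, reasons) for every entry that deserves a closer look."""
    findings = []
    for entry in parse_log(text):
        reasons = review_reasons(entry)
        if reasons:
            findings.append((entry.path, reasons))
    return findings


# Constructed sample in FRST's format; the user name "example" and the file
# names are made up. The .pdf line shows an entry with no "(...)" field.
SAMPLE_LOG = r"""
==================== One Month Created files and folders ========
2016-04-13 08:51 - 2016-02-08 14:37 - 00141312 _____ (Microsoft Corporation) C:\Windows\SysWOW64\SettingMonitor.dll
2016-05-10 14:22 - 2016-05-10 14:22 - 00829944 _____ () C:\Users\example\AppData\Local\Temp\flashplayer.exe
2016-05-05 13:46 - 2014-09-05 22:12 - 00000000 ____D C:\FRST
2016-04-06 17:27 - 2016-04-06 17:27 - 00145028 _____ C:\Users\example\Documents\report.pdf
2016-04-05 16:53 - 2014-08-16 00:14 - 00829944 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2016-05-02 09:00 - 2016-05-02 09:00 - 00012288 _____ (Example Vendor) C:\ProgramData\Example\helper.exe
"""

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG):
        print(path)
        for reason in reasons:
            print("   -", reason)
```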

 

 

 

 




#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,957 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:47 PM

Posted 06 May 2016 - 06:52 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Your FRST log is clean.

Please run the following tools.

Download Malwarebytes' Anti-Malware from Here

Double-click mbam-setup-2.X.X.XXXX.exe to install the application (X's are the current version number).
  • Make sure a checkmark is placed next to Launch Malwarebytes' Anti-Malware, then click Finish.
  • Once MBAM opens, when it says Your databases are out of date, click the Fix Now button.
  • Click the Settings tab at the top, and then in the left column, select Detections and Protections, and if not already checked place a checkmark in the selection box for Scan for rootkits.
  • Click the Scan tab at the top of the program window, select Threat Scan and click the Scan Now button.
  • If you receive a message that updates are available, click the Update Now button (the update will be downloaded, installed, and the scan will start).
  • The scan may take some time to finish, so please be patient.
  • If potential threats are detected, ensure that Quarantine is selected as the Action for all the listed items, and click the Apply Actions button.
  • While still on the Scan tab, click the link for View detailed log, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log is automatically saved by MBAM and can also be viewed by clicking the History tab and then selecting Application Logs.
POST THE LOG FOR MY REVIEW.

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===

p.s.
The Addition.txt file was not attached.
You can try again or paste the contents in your next reply for my review.

Let me know if the problem persists.

#3 riley45

riley45
  • Topic Starter

  • Members
  • 138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:47 PM

Posted 06 May 2016 - 08:45 AM

Attached File: Addition.txt (26.4KB)

I ran the Malwarebytes and AdwCleaner scans per your instructions.  Malwarebytes found no threats, while AdwCleaner found two malicious registry keys, which I asked to be removed.

 

Below are the contents of the Malwarebytes Protection Log and Scan Log files, along with the contents of the AdwCleaner Logfile.  I am also attaching the FRST Addition.txt file to this reply.

 

Malwarebytes Anti-Malware

www.malwarebytes.org

 

Update, 5/6/2016 8:50 AM, SYSTEM, KENPC, Manual, Remediation Database, 2016.2.12.1, 2016.5.4.1,

Update, 5/6/2016 8:50 AM, SYSTEM, KENPC, Manual, Rootkit Database, 2016.2.8.1, 2016.4.17.1,

Update, 5/6/2016 8:50 AM, SYSTEM, KENPC, Manual, Domain Database, 2016.2.16.8, 2016.5.6.3,

Update, 5/6/2016 8:50 AM, SYSTEM, KENPC, Manual, Malware Database, 2016.2.16.6, 2016.5.6.3,

Update, 5/6/2016 8:50 AM, SYSTEM, KENPC, Manual, IP Database, 2016.2.8.1, 2016.5.6.1,

Scan, 5/6/2016 9:10 AM, SYSTEM, KENPC, Manual, Start:5/6/2016 8:52 AM, Duration:18 min 46 sec, Threat Scan, Completed, 0 Malware Detections, 0 Non-Malware Detections,

(end)

 

Malwarebytes Anti-Malware

www.malwarebytes.org

Scan Date: 5/6/2016

Scan Time: 8:52 AM

Logfile: Malwarebytes Scan Log 05-06-2016.txt

Administrator: Yes

Version: 2.2.1.1043

Malware Database: v2016.05.06.03

Rootkit Database: v2016.04.17.01

License: Free

Malware Protection: Disabled

Malicious Website Protection: Disabled

Self-protection: Disabled

OS: Windows 8.1

CPU: x64

File System: NTFS

User: knemlick

Scan Type: Threat Scan

Result: Completed

Objects Scanned: 332148

Time Elapsed: 18 min, 46 sec

Memory: Enabled

Startup: Enabled

Filesystem: Enabled

Archives: Enabled

Rootkits: Enabled

Heuristics: Enabled

PUP: Enabled

PUM: Enabled

Processes: 0

(No malicious items detected)

Modules: 0

(No malicious items detected)

Registry Keys: 0

(No malicious items detected)

Registry Values: 0

(No malicious items detected)

Registry Data: 0

(No malicious items detected)

Folders: 0

(No malicious items detected)

Files: 0

(No malicious items detected)

Physical Sectors: 0

(No malicious items detected)

 

(end)

 

 

# AdwCleaner v5.032 - Logfile created 06/02/2016 at 16:07:49

# Updated 31/01/2016 by Xplode

# Database : 2016-02-05.1 [Server]

# Operating system : Windows 8.1 (x64)

# Username : knemlick - KENPC

# Running from : C:\Users\knemlick\Desktop\AdwCleaner.exe

# Option : Cleaning

# Support : http://toolslib.net/forum

***** [ Services ] *****

 

***** [ Folders ] *****

 

***** [ Files ] *****

 

***** [ DLLs ] *****

 

***** [ Shortcuts ] *****

 

***** [ Scheduled tasks ] *****

 

***** [ Registry ] *****

[-] Key Deleted : HKLM\SOFTWARE\Classes\Record\{425E7597-03A2-338D-B72A-0E51FFE77A7E}

[-] Key Deleted : HKLM\SOFTWARE\Classes\Record\{915BB7D5-082E-3B91-B1E0-45B5FDE01F24}

[-] Key Deleted : HKLM\SOFTWARE\Classes\Record\{2009AF2F-5786-3067-8799-B97F7832FDD6}

[-] Key Deleted : HKLM\SOFTWARE\Classes\Record\{FB2E65F4-5687-33EF-9BBF-4E3C9C98D3B9}

[-] Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID [{8E56A02B-46FE-4490-B169-F16E5231533B}]

[-] Key Deleted : HKCU\Software\WeatherAlerts

[!] Key Not Deleted : HKU\S-1-5-21-3351969478-1937094124-811777867-1002\Software\WeatherAlerts

[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\dotomi.com

[-] Value Deleted : HKU\S-1-5-21-3351969478-1937094124-811777867-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run [Browser Infrastructure Helper]

***** [ Web browsers ] *****

 

*************************

:: "Tracing" keys removed

:: Winsock settings cleared

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [1540 bytes] ##########

# AdwCleaner v5.115 - Logfile created 06/05/2016 at 09:30:58

# Updated 01/05/2016 by Xplode

# Database : 2016-05-04.2 [Server]

# Operating system : Windows 8.1 (X64)

# Username : knemlick - KENPC

# Running from : C:\Users\knemlick\Desktop\adwcleaner_5.115.exe

# Option : Clean

# Support : http://toolslib.net/forum

***** [ Services ] *****

 

***** [ Folders ] *****

 

***** [ Files ] *****

 

***** [ DLLs ] *****

 

***** [ WMI ] *****

 

***** [ Shortcuts ] *****

 

***** [ Scheduled tasks ] *****

 

***** [ Registry ] *****

[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\adbabylon.com

[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\cdn.adbabylon.com

***** [ Web browsers ] *****

 

*************************

:: "Tracing" keys deleted

:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C1].txt - [2530 bytes] - [06/02/2016 16:07:49]

C:\AdwCleaner\AdwCleaner[S1].txt - [2504 bytes] - [06/02/2016 16:06:04]

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [2676 bytes] ##########

 



#4 nasdaq

nasdaq

  • Malware Response Team
  • 38,957 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:47 PM

Posted 06 May 2016 - 09:53 AM

Looking good.

If the problem persists run this online scan.

There could be some remnant items.

Run an online scan with Eset (easiest with Internet Explorer): http://www.eset.com/onlinescan/
To shorten the scanning time disable your antivirus program while scanning.

Select Enable detection of potentially unwanted applications.
Click Advanced Settings.

Select:
Scan Archives
Scan for potentially unsafe applications
Enable Anti-Stealth Technology


Click Start.

When the scan is finished, click on List of found threats and then Export to text file. Copy the content of the text file and paste its content in your reply.

This may take awhile, run it when you know you will not need the computer for an hour or two.
<<<>>>

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/

#5 riley45

riley45
  • Topic Starter

  • Members
  • 138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:47 PM

Posted 06 May 2016 - 01:56 PM

I ran the ESET scanner.  Here is the list of threats that it found.

 

C:\$RECYCLE.BIN\S-1-5-21-3351969478-1937094124-811777867-1002\$RHQFLX9.xBAD JS/Toolbar.Crossrider.C potentially unwanted application

C:\$RECYCLE.BIN\S-1-5-21-3351969478-1937094124-811777867-1002\$RW70GFU.zip JS/Toolbar.Crossrider.C potentially unwanted application

C:\$RECYCLE.BIN\S-1-5-21-3351969478-1937094124-811777867-1002\$RX28RZU.xBAD JS/Toolbar.Crossrider.C potentially unwanted application



#6 nasdaq

nasdaq

  • Malware Response Team
  • 38,957 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:47 PM

Posted 07 May 2016 - 07:24 AM

Is your issue with the e-mail persisting?

#7 riley45

riley45
  • Topic Starter

  • Members
  • 138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:47 PM

Posted 08 May 2016 - 06:48 PM

The issue with my email appears to be fixed, as I have not gotten any redirects in the past couple of days.

 

Is there anything else that I need to run or do on my PC?



#8 riley45

riley45
  • Topic Starter

  • Members
  • 138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:47 PM

Posted 08 May 2016 - 10:11 PM

I just had another incident where my Juno email webpage automatically redirected to a rogue webpage saying that my Adobe Flash Player was out of date and needed to be updated.  Although I was able to close my internet browser to prevent any execution of malware, it appears that the infection is still not completely removed from my PC.

 

Please advise what I should do next.



#9 nasdaq

nasdaq

  • Malware Response Team
  • 38,957 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:47 PM

Posted 09 May 2016 - 07:36 AM

There could be some remnant items.

Run an online scan with Eset (easiest with Internet Explorer): http://www.eset.com/onlinescan/
To shorten the scanning time disable your antivirus program while scanning.

Select Enable detection of potentially unwanted applications.
Click Advanced Settings.

Select:
Scan Archives
Scan for potentially unsafe applications
Enable Anti-Stealth Technology


Click Start.

When the scan is finished, click on List of found threats and then Export to text file. Copy the content of the text file and paste its content in your reply.

This may take awhile, run it when you know you will not need the computer for an hour or two.
<<<>>>

Keep me posted.

#10 riley45

riley45
  • Topic Starter

  • Members
  • 138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:47 PM

Posted 09 May 2016 - 09:04 AM

I ran the ESET scanner again.  Here is the list of threats that it found.

 

C:\$RECYCLE.BIN\S-1-5-21-3351969478-1937094124-811777867-1002\$RHQFLX9.xBAD JS/Toolbar.Crossrider.C potentially unwanted application deleted

C:\$RECYCLE.BIN\S-1-5-21-3351969478-1937094124-811777867-1002\$RW70GFU.zip JS/Toolbar.Crossrider.C potentially unwanted application deleted

C:\$RECYCLE.BIN\S-1-5-21-3351969478-1937094124-811777867-1002\$RX28RZU.xBAD JS/Toolbar.Crossrider.C potentially unwanted application deleted



#11 nasdaq

nasdaq

  • Malware Response Team
  • 38,957 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:47 PM

Posted 09 May 2016 - 12:58 PM

These are items that were in your Recycle bin.

Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download the Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
createsrpoint;
autoclean;
emptyalltemp;
ipconfig /flushdns;b
firefoxlook; 
chromelook; 
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run all the script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.

Edited by nasdaq, 09 May 2016 - 12:58 PM.


#12 riley45

riley45
  • Topic Starter

  • Members
  • 138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:47 PM

Posted 09 May 2016 - 01:38 PM

I ran the Zoek tool per your instructions.  Here are the contents of the resulting log file:

 

Zoek.exe v5.0.0.1 Updated 31-December-2015
Tool run by knemlick on Mon 05/09/2016 at 14:14:30.59.
Microsoft Windows 8.1 6.3.9600  x64
Running in: Normal Mode Internet Access Detected
Launched: C:\Users\knemlick\Desktop\zoek.exe [Scan all users] [Script inserted]

==== System Restore Info ======================

5/9/2016 2:16:40 PM Zoek.exe System Restore Point Created Successfully.

==== Empty Folders Check ======================

C:\Users\knemlick\AppData\Local\EmieBrowserModeList deleted successfully
C:\Users\knemlick\AppData\Local\EmieSiteList deleted successfully
C:\Users\knemlick\AppData\Local\EmieUserList deleted successfully

==== Deleting CLSID Registry Keys ======================

HKEY_USERS\S-1-5-21-3351969478-1937094124-811777867-1002\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{214D45C8-242D-489E-B485-A4F394ADAEA} deleted successfully
HKEY_USERS\S-1-5-21-3351969478-1937094124-811777867-1002\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{718BF1BE-D618-4766-A7DC-C6EFEE954021} deleted successfully
HKEY_USERS\S-1-5-21-3351969478-1937094124-811777867-1002\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{98539FE6-81F5-450F-ABF9-8C39675EBF7} deleted successfully

==== Deleting CLSID Registry Values ======================

==== Deleting Services ======================

==== Batch Command(s) Run By Tool======================

==== Deleting Files \ Folders ======================

C:\install.exe deleted
C:\found.000 deleted
C:\PROGRA~3\Package Cache deleted
C:\Users\knemlick\AppData\Local\BTServer.log deleted
C:\Users\knemlick\AppData\LocalLow\{8E56A02B-46FE-4490-B169-F16E5231533B} deleted
C:\windows\SysNative\GroupPolicy\User deleted
C:\Windows\Syswow64\GroupPolicy\gpt.ini deleted

==== Firefox Extensions Registry ======================

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{C1A2A613-35F1-4FCF-B27F-2840527B6556}"="C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_22.5.2.15\coFFAddon" [03/22/2016 06:01 PM]
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Mozilla\Firefox\Extensions]
"{C1A2A613-35F1-4FCF-B27F-2840527B6556}"="C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_22.5.2.15\coFFAddon" [03/22/2016 06:01 PM]

==== Chromium Look ======================

HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions
cjabmdjcfcfdmffimndhafhblfmpjdpe - C:\Program Files (x86)\Norton Security Suite\Engine\22.6.0.142\Exts\Chrome.crx[02/21/2016 01:41 AM]
iikflkcanblccfahdhdonehdalibjnif - No path found[]

==== Set IE to Default ======================

Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.google.com/"

New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.google.com/"

==== All HKLM and HKCU SearchScopes ======================

HKLM\SearchScopes "DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
HKLM\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} - No_Url_Value
HKLM\Wow6432Node\SearchScopes "DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
HKLM\Wow6432Node\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} - No_Url_Value
HKCU\SearchScopes "DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
HKCU\SearchScopes\{012E1000-F331-11DB-8314-0800200C9A66} - http://www.google.com/search?q={searchTerms}
HKCU\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} - http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IESR02

==== Deleting Registry Keys ======================

HKEY_CURRENT_USER\Software\Microsoft\Installer\Products\363FB0CBBA367FF4E81FEAD0F717B142 deleted successfully

==== Empty IE Cache ======================

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\knemlick\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\Users\knemlick\AppData\Local\Microsoft\Windows\INetCache\Low\Content.IE5 emptied successfully
C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\Windows\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\Windows\sysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\Users\knemlick\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
C:\Users\knemlick\AppData\Local\Microsoft\Windows\INetCache\Low\IE emptied successfully
C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
C:\Windows\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully

==== Empty FireFox Cache ======================

No FireFox Profiles found

==== Empty Chrome Cache ======================

No Chrome User Data found

==== Empty All Flash Cache ======================

Flash Cache Emptied Successfully

==== Empty All Java Cache ======================

No Java Cache Found

==== C:\zoek_backup content ======================

C:\zoek_backup (files=14 folders=11 12795149 bytes)

==== Empty Temp Folders ======================

C:\Users\Default\AppData\Local\Temp emptied successfully
C:\Users\Default User\AppData\Local\Temp emptied successfully
C:\Users\knemlick\AppData\Local\Temp will be emptied at reboot
C:\Windows\serviceprofiles\networkservice\AppData\Local\Temp emptied successfully
C:\Windows\serviceprofiles\Localservice\AppData\Local\Temp emptied successfully
C:\Windows\Temp will be emptied at reboot

==== After Reboot ======================

==== Empty Temp Folders ======================

C:\Windows\Temp successfully emptied
C:\Users\knemlick\AppData\Local\Temp successfully emptied

==== Empty Recycle Bin ======================

C:\$RECYCLE.BIN successfully emptied

==== EOF on Mon 05/09/2016 at 14:33:55.22 ======================



#13 nasdaq

nasdaq

  • Malware Response Team
  • 38,957 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:47 PM

Posted 10 May 2016 - 06:45 AM

Not sure if your problem is solved.
If it happens again please let me know what you are doing at the time it happens.

#14 riley45

riley45
  • Topic Starter

  • Members
  • 138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:47 PM

Posted 10 May 2016 - 01:37 PM

I just had another redirect from my Juno email webpage to the rogue Adobe Flash Player webpage.  The name of the latter webpage was www.ahbaipizzahut.com.  My Norton Antivirus software detected the file flashplayer[1].exe, and automatically removed it.  Below is Norton's log containing information about this removed threat.

 

As a point of information, when the redirect occurred, I had several other webpage windows open along with my Juno email.  All of these webpages were safe sites that I regularly visit.  At the time of the redirect, I was away from my computer for a few minutes while I was reading the newspaper. 

 

Filename: flashplayer[1].exe
Threat name: Suspicious.Cloud.7.EP
Full Path: c:\users\knemlick\appdata\local\microsoft\windows\inetcache\low\ie\89lxa11t\flashplayer[1].exe

____________________________

____________________________

On computers as of 
5/10/2016 at 2:22:17 PM

Last Used 
5/10/2016 at 2:24:17 PM

Startup Item 
No

Launched 
No

Threat type: Heuristic Virus. Detection of a threat based on malware heuristics.

____________________________

flashplayer[1].exe Threat name: Suspicious.Cloud.7.EP
Locate

Very Few Users
Fewer than 5 users in the Norton Community have used this file.

Very New
This file was released less than 1 week  ago.

High
This file risk is high.

____________________________

https://ahbaipizzahut.com/9881237613114/9881237613114/146290438157786/FlashPlayer.exe
Downloaded File flashplayer[1].exe Threat name: Suspicious.Cloud.7.EP
 from ahbaipizzahut.com
Source: External Media

flashplayer[1].exe

____________________________

File Actions

File: c:\users\knemlick\appdata\local\microsoft\windows\inetcache\low\ie\89lxa11t\ flashplayer[1].exe Removed
____________________________

File Thumbprint - SHA:
8c4a7a882cbe8b2adce2ef3c60908d51edccc539aeda59e489540c2a2f2670ae
File Thumbprint - MD5:
Not available



#15 nasdaq

nasdaq

  • Malware Response Team
  • 38,957 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:04:47 PM

Posted 11 May 2016 - 07:19 AM



--RogueKiller--
  • Download & SAVE to your Desktop Download RogueKiller
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator"
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a window opens to explain what [PUM's] are, read about it.
  • Click the RogueKiller icon on your taskbar to return to the report.
  • Click open the Report
  • Click Export TXT button
  • Save the file as ReportRogue.txt
  • Click the Remove button to delete the items in RED
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next reply.
=======


  • Download OTL to your desktop.
  • Right-click and Run as Administrator on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.Txt and Extras.Txt.
      Note: These logs can be located in the OTL folder on your C:\ drive if they fail to open automatically.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them both in.
----------



