
My Online banking was hacked.


20 replies to this topic

#1 kelly2


Posted 19 June 2016 - 08:29 PM

I just recently had my bank account compromised. I'm posting a copy showing a transaction from PayPal attempting a transfer of money into a fake PP account. I've had to open a new bank account and would like to have my computer cleaned up and safe again for online banking. I have an Asus X551M laptop with Windows 8.1 with Bing, 64-bit operating system.

[Attachment: TransactionsMayJune2016a.jpg]





#2 kelly2


Posted 19 June 2016 - 08:31 PM

We've been working on the problem for a while in the Security forum here: http://www.bleepingcomputer.com/forums/t/617103/online-banking-attempted-theft/



#3 kelly2


Posted 21 June 2016 - 08:51 PM

I'm bumping this in the hopes of a clean safe computer for my online banking at the end of this month.



#4 shelf life

  • Malware Response Team

Posted 22 June 2016 - 04:22 PM

OK, you ran some malware tools in the previous post. Can you scan and post a FRST log as a starting point? We will go from there to check for any malware on board your machine.

Maybe run another tool if needed. See step six in the link below about downloading and posting a FRST log in your next reply. I am usually only on this site once or twice per day, so you may not get a response back from me until the following day.

Link: http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/


How Can I Reduce My Risk to Malware?


#5 kelly2


Posted 22 June 2016 - 09:21 PM

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 20-06-2016 01
Ran by  (administrator) on  (22-06-2016 18:41:00)
Running from C:\Users\\Desktop
Loaded Profiles:  (Available Profiles: )
Platform: Windows 8.1 Connected (Update) (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\AsLdrSrv.exe
(ASUS) C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe
(ASUS Cloud Corporation) C:\Program Files (x86)\ASUS\WebStorage\2.1.11.399\AsusWSWinService.exe
(ASUS) C:\Program Files (x86)\ASUS\ASUS GIFTBOX Desktop\ASUSGiftBoxDesktop.exe
(Intel® Corporation) C:\Program Files\Intel\TXE Components\TCS\HeciServer.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
(ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControl.exe
(ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\KBFiltr.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(IvoSoft) C:\Program Files\Classic Shell\ClassicStartMenu.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Zemana Ltd.) C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe
(Zemana Ltd.) C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe
(ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe
(ASUSTek Computer Inc.) C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe
(WildTangent) C:\Program Files (x86)\WildTangent Games\App\GamesAppIntegrationService.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.30.3\GoogleCrashHandler.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.30.3\GoogleCrashHandler64.exe
(Nenad Hrg SoftwareOK) C:\Users\\AppData\Local\Temp\Temp1_DesktopOK.zip\DesktopOK.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe

==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [Classic Start Menu] => C:\Program Files\Classic Shell\ClassicStartMenu.exe [161984 2014-04-20] (IvoSoft)
HKLM\...\Run: [ZAM] => C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe [13653232 2016-06-16] (Zemana Ltd.)
HKLM-x32\...\Run: [WebStorage] => C:\Program Files (x86)\ASUS\WebStorage\2.1.11.399\ASUSWSLoader.exe [63296 2014-08-19] ()
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-2934532118-2444790120-273890532-1001\...\Run: [Pinger] => "C:\Program Files (x86)\Pinger\Pinger.exe"
HKU\S-1-5-21-2934532118-2444790120-273890532-1001\...\Run: [FreeAC] => C:\Program Files (x86)\FreeAlarmClock\FreeAlarmClock.exe [3015072 2016-01-19] (Comfort Software Group)
HKU\S-1-5-21-2934532118-2444790120-273890532-1001\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [8722136 2016-06-01] (Piriform Ltd)
HKU\S-1-5-21-2934532118-2444790120-273890532-1001\...\Run: [CCleaner] => C:\Program Files\CCleaner\CCleaner64.exe [8722136 2016-06-01] (Piriform Ltd)
HKU\S-1-5-21-2934532118-2444790120-273890532-1001\Control Panel\Desktop\\SCRNSAVE.EXE -> C:\Windows\WLXPGSS.SCR [322248 2014-03-31] (Microsoft Corporation)
ShellIconOverlayIdentifiers: [!AsusWSShellExt_B] -> {6D4133E5-0742-4ADC-8A8C-9303440F7191} => C:\Program Files (x86)\Common Files\AWS\2.1.11.399\ASUSWSShellExt64.dll [2013-06-25] (ASUS Cloud Corporation.)
ShellIconOverlayIdentifiers: [!AsusWSShellExt_O] -> {64174815-8D98-4CE6-8646-4C039977D809} => C:\Program Files (x86)\Common Files\AWS\2.1.11.399\ASUSWSShellExt64.dll [2013-06-25] (ASUS Cloud Corporation.)
ShellIconOverlayIdentifiers: [!AsusWSShellExt_U] -> {1C5AB7B1-0B38-4EC4-9093-7FD277E2AF4E} => C:\Program Files (x86)\Common Files\AWS\2.1.11.399\ASUSWSShellExt64.dll [2013-06-25] (ASUS Cloud Corporation.)
ShellIconOverlayIdentifiers: [ShareOverlay] -> {594D4122-1F87-41E2-96C7-825FB4796516} => C:\Program Files\Classic Shell\ClassicExplorer64.dll [2014-04-20] (IvoSoft)
ShellIconOverlayIdentifiers-x32: [ShareOverlay] -> {594D4122-1F87-41E2-96C7-825FB4796516} => C:\Program Files\Classic Shell\ClassicExplorer32.dll [2014-04-20] (IvoSoft)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.1 64.251.68.9 72.2.44.2
Tcpip\..\Interfaces\{9B81ED85-36E3-499A-B495-F64B14B0D94C}: [DhcpNameServer] 192.168.1.1 64.251.68.9 72.2.44.2

Internet Explorer:
==================
BHO: ExplorerBHO Class -> {449D0D6E-2412-4E61-B68F-1CB625CD9E52} -> C:\Program Files\Classic Shell\ClassicExplorer64.dll [2014-04-20] (IvoSoft)
BHO: ClassicIEBHO Class -> {EA801577-E6AD-4BD5-8F71-4BE0154331A4} -> C:\Program Files\Classic Shell\ClassicIEDLL_64.dll [2014-04-20] (IvoSoft)
BHO-x32: ExplorerBHO Class -> {449D0D6E-2412-4E61-B68F-1CB625CD9E52} -> C:\Program Files\Classic Shell\ClassicExplorer32.dll [2014-04-20] (IvoSoft)
BHO-x32: ClassicIEBHO Class -> {EA801577-E6AD-4BD5-8F71-4BE0154331A4} -> C:\Program Files\Classic Shell\ClassicIEDLL_32.dll [2014-04-20] (IvoSoft)
Toolbar: HKLM - Classic Explorer Bar - {553891B7-A0D5-4526-BE18-D3CE461D6310} - C:\Program Files\Classic Shell\ClassicExplorer64.dll [2014-04-20] (IvoSoft)
Toolbar: HKLM-x32 - Classic Explorer Bar - {553891B7-A0D5-4526-BE18-D3CE461D6310} - C:\Program Files\Classic Shell\ClassicExplorer32.dll [2014-04-20] (IvoSoft)

FireFox:
========
FF ProfilePath: C:\Users\\AppData\Roaming\Mozilla\Firefox\Profiles\0yfra2t2.default
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_17_0_0_134.dll [2015-04-09] ()
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_17_0_0_134.dll [2015-04-09] ()
FF Plugin-x32: @Google.com/GoogleEarthPlugin -> C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll [2015-05-21] (Google)
FF Plugin-x32: @microsoft.com/WLPG,version=16.4.3528.0331 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2014-03-31] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.30.3\npGoogleUpdate3.dll [2016-05-10] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.30.3\npGoogleUpdate3.dll [2016-05-10] (Google Inc.)
FF Plugin-x32: @WildTangent.com/GamesAppPresenceDetector,Version=1.0 -> C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\0\NP_wtapp.dll [2013-08-05] ()
FF Extension: Disconnect - C:\Users\\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\2.0@disconnect.me [2015-04-02] [not signed]
FF Extension: Disconnect Search - C:\Users\\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\search@disconnect.me [2015-04-02] [not signed]
FF Extension: Adblock Plus - C:\Users\jeff\AppData\Roaming\Mozilla\Firefox\Profiles\0yfra2t2.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2016-04-29]

Chrome:
=======
CHR Profile: C:\Users\\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2016-05-21]
CHR Extension: (Google Docs) - C:\Users\\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2016-05-21]
CHR Extension: (Google Drive) - C:\Users\\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-05-21]
CHR Extension: (YouTube) - C:\Users\\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-05-21]
CHR Extension: (Google Sheets) - C:\Users\\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2016-05-21]
CHR Extension: (Google Docs Offline) - C:\Users\\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-05-21]
CHR Extension: (Disconnect Search) - C:\Users\\AppData\Local\Google\Chrome\User Data\Default\Extensions\hmobfennjmjnkdbklhcnnfbhfibedgkk [2016-05-21]
CHR Extension: (Disconnect) - C:\Users\\AppData\Local\Google\Chrome\User Data\Default\Extensions\jeoacafpbcihiomhlakheieifhpjdfeo [2016-05-21]
CHR Extension: (Chrome Web Store Payments) - C:\Users\\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-05-21]
CHR Extension: (Gmail) - C:\Users\\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2016-05-21]
CHR HKLM-x32\...\Chrome\Extension: [hmobfennjmjnkdbklhcnnfbhfibedgkk] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [jeoacafpbcihiomhlakheieifhpjdfeo] - hxxps://clients2.google.com/service/update2/crx

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 Asus WebStorage Windows Service; C:\Program Files (x86)\ASUS\WebStorage\2.1.11.399\AsusWSWinService.exe [71168 2014-08-19] (ASUS Cloud Corporation) [File not signed]
R2 ASUSGiftBoxDekstop; C:\Program Files (x86)\ASUS\ASUS GIFTBOX Desktop\ASUSGIFTBOXDesktop.exe [315704 2015-07-20] (ASUS)
S3 Disconnect Desktop Updater; C:\Program Files (x86)\Disconnect\Disconnect Desktop\Disconnect Desktop Updater.exe [358400 2015-02-27] (Disconnect)
R2 GamesAppIntegrationService; C:\Program Files (x86)\WildTangent Games\App\GamesAppIntegrationService.exe [227904 2014-04-24] (WildTangent)
R2 Intel® Capability Licensing Service Interface; C:\Program Files\Intel\TXE Components\TCS\HeciServer.exe [733696 2013-07-01] (Intel® Corporation) [File not signed]
S3 Intel® Capability Licensing Service TCP IP Interface; C:\Program Files\Intel\TXE Components\TCS\SocketHeciServer.exe [822232 2013-07-01] (Intel® Corporation)
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1513784 2015-10-05] (Malwarebytes)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1135416 2015-10-05] (Malwarebytes)
S3 OpenVPNService; C:\Program Files (x86)\Disconnect\Disconnect Desktop\openvpn\bin\openvpnserv.exe [32568 2014-08-07] (The OpenVPN Project)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [366520 2015-02-03] (Microsoft Corporation)
S2 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23792 2015-02-03] (Microsoft Corporation)
R2 ZAMSvc; C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe [13653232 2016-06-16] (Zemana Ltd.)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 ATP; C:\Windows\System32\drivers\AsusTP.sys [71952 2014-03-31] (ASUS Corporation)
S0 ebdrv; C:\Windows\System32\drivers\evbda.sys [3357024 2013-08-22] (Broadcom Corporation)
R3 kbfiltr; C:\Windows\System32\drivers\kbfiltr.sys [17280 2012-08-05] ( )
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [25816 2015-10-05] (Malwarebytes)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [192216 2016-06-22] (Malwarebytes)
R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [64216 2015-10-05] (Malwarebytes Corporation)
R0 MBI; C:\Windows\System32\drivers\MBI.sys [29464 2013-10-27] (Intel Corporation)
R3 TXEIx64; C:\Windows\System32\drivers\TXEIx64.sys [88592 2014-01-15] (Intel Corporation)
S3 WdBoot; C:\Windows\system32\drivers\WdBoot.sys [44024 2015-02-03] (Microsoft Corporation)
S3 WdFilter; C:\Windows\system32\drivers\WdFilter.sys [264000 2015-02-03] (Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114496 2015-02-03] (Microsoft Corporation)
R1 ZAM; C:\Windows\System32\drivers\zam64.sys [203680 2016-06-12] (Zemana Ltd.)
R1 ZAM_Guard; C:\Windows\System32\drivers\zamguard64.sys [203680 2016-06-12] (Zemana Ltd.)
U0 Compbatt; no ImagePath
U2 ERSvc; no ImagePath
U2 IAStorDataMgrsvc; no ImagePath
S1 MpKsle3ec6f1b; \??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{DA7FFCE8-9108-4666-8B9A-783B8619FA81}\MpKsle3ec6f1b.sys [X]
U0 msahci; system32\drivers\msahci.sys [X]
U2 NIHardwareService; no ImagePath
U2 NVSvc; no ImagePath
U2 Parvdm; no ImagePath
U2 srService; no ImagePath

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-06-22 18:41 - 2016-06-22 18:41 - 00013344 _____ C:\Users\\Desktop\FRST.txt
2016-06-22 18:40 - 2016-06-22 18:41 - 00000000 ____D C:\FRST
2016-06-22 18:39 - 2016-06-22 18:39 - 02387456 _____ (Farbar) C:\Users\\Desktop\FRST64.exe
2016-06-19 20:01 - 2016-06-19 20:01 - 00002053 _____ C:\Users\\Desktop\My Online banking was hacked. - Virus, Trojan, Spyware, and Malware Removal Logs.url
2016-06-18 17:09 - 2016-06-18 17:14 - 00002788 _____ C:\Windows\System32\Tasks\CCleanerSkipUAC
2016-06-18 17:09 - 2016-06-18 17:09 - 00000836 _____ C:\Users\Public\Desktop\CCleaner.lnk
2016-06-18 17:09 - 2016-06-18 17:09 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
2016-06-18 17:09 - 2016-06-18 17:09 - 00000000 ____D C:\Program Files\CCleaner
2016-06-18 17:06 - 2016-06-18 17:06 - 06893008 _____ (Piriform Ltd) C:\Users\\Desktop\ccsetup518.exe
2016-06-18 13:31 - 2016-06-18 13:31 - 00000952 _____ C:\Users\Public\Desktop\Removal Tool.lnk
2016-06-18 13:31 - 2016-06-18 13:31 - 00000000 ____D C:\Users\\AppData\Roaming\9-lab
2016-06-18 13:31 - 2016-06-18 13:31 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\9-lab Removal Tool
2016-06-18 13:31 - 2016-06-18 13:31 - 00000000 ____D C:\ProgramData\9-lab
2016-06-18 13:31 - 2016-06-18 13:31 - 00000000 ____D C:\Program Files\9-lab
2016-06-18 13:27 - 2016-06-18 13:28 - 06466144 _____ C:\Users\\Desktop\rmtool-setup-x64.exe
2016-06-16 21:31 - 2016-06-16 21:31 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Zemana AntiMalware
2016-06-16 21:25 - 2016-06-16 21:25 - 00009758 ____R C:\Pre_Scan_16_06_2016_21_25_52.txt
2016-06-16 20:16 - 2016-06-16 21:26 - 00000000 ____D C:\Pre_Scan
2016-06-16 20:11 - 2016-06-16 20:12 - 03449360 _____ (SosVirus) C:\Users\\Desktop\Pre_Scan.exe
2016-06-16 19:58 - 2016-06-16 19:58 - 00000658 _____ C:\RstHosts.txt
2016-06-16 19:56 - 2016-06-16 19:56 - 00353632 _____ C:\Users\\Desktop\rsthosts_2.0.exe
2016-06-16 19:31 - 2016-06-16 19:32 - 06155264 _____ (SosVirus) C:\Users\\Downloads\adsfix_3_15.06.2016.1 (1).exe
2016-06-16 19:28 - 2016-06-16 19:29 - 06155264 _____ (SosVirus) C:\Users\\Downloads\adsfix_3_15.06.2016.1.exe
2016-06-16 19:19 - 2016-06-16 19:33 - 00000000 ____D C:\AdsFix
2016-06-13 20:07 - 2016-06-13 20:07 - 00000000 ____D C:\Users\\AppData\Local\ESET
2016-06-13 20:05 - 2016-06-13 20:07 - 06858912 _____ (ESET spol. s r.o.) C:\Users\\Downloads\esetonlinescanner_enu.exe
2016-06-13 00:38 - 2016-06-13 00:38 - 00001518 _____ C:\Users\\Documents\ApplianceRepairInfoAndWebsites.txt
2016-06-12 18:02 - 2016-06-12 18:02 - 00001116 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2016-06-12 16:37 - 2016-06-22 18:41 - 03866578 _____ C:\Windows\ZAM.krnl.trace
2016-06-12 16:37 - 2016-06-22 18:41 - 00429235 _____ C:\Windows\ZAM_Guard.krnl.trace
2016-06-12 16:37 - 2016-06-16 21:31 - 00001090 _____ C:\Users\Public\Desktop\Zemana AntiMalware.lnk
2016-06-12 16:37 - 2016-06-16 21:31 - 00000000 ____D C:\Program Files (x86)\Zemana AntiMalware
2016-06-12 16:37 - 2016-06-12 16:37 - 00203680 _____ (Zemana Ltd.) C:\Windows\system32\Drivers\zamguard64.sys
2016-06-12 16:37 - 2016-06-12 16:37 - 00203680 _____ (Zemana Ltd.) C:\Windows\system32\Drivers\zam64.sys
2016-06-12 16:37 - 2016-06-12 16:37 - 00000000 ____D C:\Users\\AppData\Local\Zemana
2016-06-12 16:29 - 2016-06-12 17:26 - 00358293 _____ C:\Users\\ZHPCleaner.exe
2016-06-12 16:28 - 2016-06-12 17:26 - 00000000 ____D C:\Users\\AppData\Roaming\ZHP
2016-06-11 21:41 - 2016-06-11 21:41 - 00290304 _____ (Microsoft Corporation) C:\Windows\SysWOW64\subinacl.exe
2016-06-11 21:41 - 2016-06-11 21:41 - 00000000 ____D C:\Program Files (x86)\Adware Removal Tool by TSA
2016-06-11 21:31 - 2016-06-11 21:31 - 00000634 _____ C:\Users\\Documents\Junkware Removal Tool (JRT) by Malwarebytes.txt
2016-06-11 18:04 - 2016-06-11 18:04 - 00001226 _____ C:\Users\\Documents\AdwareCleanerScan1MineWinfoRemoved.txt
2016-06-11 17:54 - 2016-06-11 17:57 - 00000000 ____D C:\AdwCleaner
2016-06-11 17:50 - 2016-06-11 17:51 - 03677248 _____ C:\Users\\Downloads\adwcleaner_5.119.exe
2016-06-09 16:29 - 2016-06-11 18:00 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2016-06-07 20:11 - 2016-06-07 20:11 - 00000017 _____ C:\Users\\AppData\Local\resmon.resmoncfg
2016-05-30 21:46 - 2016-05-30 21:46 - 00000217 _____ C:\Users\\Documents\INSTAGRAM.txt
2016-05-24 16:46 - 2016-06-18 17:14 - 00003476 _____ C:\Windows\System32\Tasks\ASUS Live Update1

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-06-22 18:33 - 2015-03-08 19:25 - 00000000 ____D C:\Users\\AppData\Roaming\ClassicShell
2016-06-22 17:42 - 2014-03-18 02:47 - 00863592 _____ C:\Windows\system32\PerfStringBackup.INI
2016-06-22 17:42 - 2013-08-22 06:36 - 00000000 ____D C:\Windows\Inf
2016-06-22 16:28 - 2015-03-14 23:14 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-06-22 01:08 - 2015-03-14 21:33 - 00000000 ___RD C:\Users\\Documents\Messages ToSavedToUSBJune22nd2016
2016-06-18 20:11 - 2015-03-30 16:09 - 00024953 _____ C:\Users\\Documents\~OlallaTempsLastSavedToUSBJune20th2016.txt
2016-06-18 18:05 - 2015-03-03 10:31 - 00003598 _____ C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-2934532118-2444790120-273890532-1001
2016-06-18 17:29 - 2015-03-03 10:25 - 00000000 ____D C:\Users\
2016-06-18 17:26 - 2015-03-19 00:44 - 00000922 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-06-18 17:26 - 2015-03-19 00:44 - 00000918 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-06-18 17:26 - 2013-08-22 07:45 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-06-18 17:22 - 2015-03-25 19:30 - 00000000 ____D C:\Users\\Tracing
2016-06-18 17:18 - 2014-09-27 15:29 - 00000000 ____D C:\Windows\Panther
2016-06-18 17:15 - 2015-05-13 12:35 - 00003384 _____ C:\Windows\System32\Tasks\Update Checker
2016-06-18 17:14 - 2015-05-13 12:36 - 00003466 _____ C:\Windows\System32\Tasks\ASUS Live Update2
2016-06-18 17:14 - 2015-03-25 19:10 - 00003178 _____ C:\Windows\System32\Tasks\Microsoft OneDrive Auto Update Task-S-1-5-21-2934532118-2444790120-273890532-1001
2016-06-18 17:14 - 2015-03-24 13:06 - 00003610 _____ C:\Windows\System32\Tasks\Disconnect Desktop Updater
2016-06-18 17:14 - 2015-03-19 00:44 - 00003896 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2016-06-18 17:14 - 2015-03-19 00:44 - 00003660 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2016-06-18 17:14 - 2014-12-13 01:57 - 00003596 _____ C:\Windows\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-2934532118-2444790120-273890532-500
2016-06-18 17:14 - 2014-12-13 01:56 - 00003268 _____ C:\Windows\System32\Tasks\AsusVibeSchedule
2016-06-18 17:14 - 2014-12-13 01:55 - 00003028 _____ C:\Windows\System32\Tasks\ASUS USB Charger Plus
2016-06-18 17:14 - 2014-12-13 01:55 - 00002988 _____ C:\Windows\System32\Tasks\ASUS Splendid ACMON
2016-06-18 17:14 - 2014-12-13 01:51 - 00003564 _____ C:\Windows\System32\Tasks\ATK Package 36D18D69AFC3
2016-06-18 17:14 - 2014-12-13 01:46 - 00003540 _____ C:\Windows\System32\Tasks\ASUS Smart Gesture Launcher
2016-06-18 17:14 - 2014-12-13 01:42 - 00003140 _____ C:\Windows\System32\Tasks\RtHDVBg
2016-06-18 17:14 - 2014-12-13 01:42 - 00003134 _____ C:\Windows\System32\Tasks\RTKCPL
2016-06-18 14:59 - 2015-03-03 10:28 - 00000093 _____ C:\Users\\AppData\Roaming\sp_data.sys
2016-06-17 19:39 - 2016-05-21 22:43 - 00002217 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-06-17 19:39 - 2016-05-21 22:43 - 00002205 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2016-06-16 21:27 - 2013-08-22 06:25 - 00262144 ___SH C:\Windows\system32\config\BBI
2016-06-16 19:19 - 2013-08-22 08:36 - 00000000 ____D C:\Windows\Web
2016-06-12 18:02 - 2015-03-14 23:13 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2016-06-12 18:02 - 2015-03-14 23:13 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2016-06-11 18:00 - 2016-01-27 00:01 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2016-06-11 01:59 - 2015-03-09 21:21 - 00000000 ____D C:\Users\\Documents\ResumeSavedToDiscFeb2015
2016-06-11 00:36 - 2015-03-16 23:37 - 00002176 _____ C:\Users\\Desktop\~WebsiteUsernamesLastSavedToUSBApril13th2016 - Shortcut.lnk
2016-06-02 23:57 - 2015-03-19 00:43 - 00000000 ____D C:\Users\\AppData\Local\Google
2016-06-01 20:51 - 2015-03-09 21:21 - 00000000 ____D C:\Users\\Documents\MyVideosSavedToDiscFeb18th2015
2016-05-28 22:33 - 2016-05-21 12:05 - 00001247 _____ C:\Users\\Documents\Insurance Places Weekend Hours.txt

==================== Files in the root of some directories =======

2015-03-03 10:28 - 2016-06-18 14:59 - 0000093 _____ () C:\Users\\AppData\Roaming\sp_data.sys
2016-06-07 20:11 - 2016-06-07 20:11 - 0000017 _____ () C:\Users\\AppData\Local\resmon.resmoncfg
2014-12-13 01:42 - 2014-12-13 01:42 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
2014-09-27 15:54 - 2012-09-07 04:40 - 0000256 _____ () C:\ProgramData\SetStretch.cmd
2014-09-27 15:54 - 2009-07-22 03:04 - 0024576 _____ () C:\ProgramData\SetStretch.exe
2014-09-27 15:54 - 2012-09-07 04:37 - 0000103 _____ () C:\ProgramData\SetStretch.VBS

Files to move or delete:
====================
C:\Users\\ZHPCleaner.exe

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2016-06-21 18:08

==================== End of FRST.txt ============================



#6 kelly2


Posted 22 June 2016 - 09:22 PM

Additional scan result of Farbar Recovery Scan Tool (x64) Version: 20-06-2016 01
Ran by  (2016-06-22 18:42:24)
Running from C:\Users\\Desktop
Windows 8.1 Connected (Update) (X64) (2015-03-03 17:24:53)
Boot Mode: Normal
==========================================================

==================== Accounts: =============================

Administrator (S-1-5-21-2934532118-2444790120-273890532-500 - Administrator - Disabled)
Guest (S-1-5-21-2934532118-2444790120-273890532-501 - Limited - Disabled)
 (S-1-5-21-2934532118-2444790120-273890532-1001 - Administrator - Enabled) => C:\Users\

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: Windows Defender (Disabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "Hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

9-lab Removal Tool (HKLM-x32\...\9-lab Removal Tool) (Version:  - )
Adobe Flash Player 17 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 17.0.0.134 - Adobe Systems Incorporated)
Any Video Converter 5.7.8 (HKLM-x32\...\Any Video Converter_is1) (Version:  - Any-Video-Converter.com)
ASUS GIFTBOX Desktop (HKLM-x32\...\{4701E5AB-AF91-4D40-8F18-358CC80E4E5B}) (Version: 1.1.6 - ASUS)
ASUS Live Update (HKLM-x32\...\{FA540E67-095C-4A1B-97BA-4D547DEC9AF4}) (Version: 3.3.4 - ASUS)
ASUS Screen Saver (HKLM-x32\...\{0FBEEDF8-30FA-4FA3-B31F-C9C7E7E8DFA2}) (Version: 1.0.3 - ASUS)
ASUS Smart Gesture (HKLM-x32\...\{4D3286A6-F6AB-498A-82A4-E4F040529F3D}) (Version: 2.2.14 - ASUS)
ASUS Splendid Video Enhancement Technology (HKLM-x32\...\{0969AF05-4FF6-4C00-9406-43599238DE0D}) (Version: 3.01.0003 - ASUS)
ASUS USB Charger Plus (HKLM-x32\...\{A859E3E5-C62F-4BFA-AF1D-2B95E03166AF}) (Version: 3.1.9 - ASUS)
AsusVibe2.0 (HKLM-x32\...\Asus Vibe2.0) (Version: 2.0.12.311 - ASUSTEK)
ATK Package (HKLM-x32\...\{AB5C933E-5C7D-4D30-B314-9C83A49B94BE}) (Version: 1.0.0034 - ASUS)
Canon MP520 series (HKLM\...\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP520_series) (Version:  - )
Canon Utilities CameraWindow DC 8 (HKLM-x32\...\CameraWindowDC) (Version: 8.10.4.24 - Canon Inc.)
CCleaner (HKLM\...\CCleaner) (Version: 5.18 - Piriform)
Classic Shell (HKLM\...\{840C85B7-D3D6-4143-9AF9-DAE80FD54CFC}) (Version: 4.1.0 - IvoSoft)
D3DX10 (x32 Version: 15.4.2368.0902 - Microsoft) Hidden
Device Setup (HKLM-x32\...\{1F07F2C7-596F-4F34-B805-2C61A3E50E5A}) (Version: 1.0.18 - ASUSTek Computer Inc.)
Disconnect Desktop (HKLM-x32\...\Disconnect Desktop 1.0.5) (Version: 1.0.5 - Disconnect)
Disconnect Desktop (x32 Version: 1.0.5 - Disconnect) Hidden
Free Alarm Clock (HKLM-x32\...\{8ED5A2F1-338F-4608-8AF7-BCD1ADC1E1F7}_is1) (Version: 4.0.1.0 - Comfort Software Group)
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 51.0.2704.103 - Google Inc.)
Google Earth (HKLM-x32\...\{817750FA-EC6A-485D-9901-0683AE6FFDF1}) (Version: 7.1.5.1557 - Google)
Google Update Helper (x32 Version: 1.3.30.3 - Google Inc.) Hidden
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 10.18.10.3355 - Intel Corporation)
Intel® Sideband Fabric Device Driver (HKLM-x32\...\C5A8BC6E-723A-4C0F-96E1-C426D1A4BCA9) (Version: 1.0.0.1002 - Intel Corporation)
Intel® Trusted Execution Engine (HKLM\...\{176E2755-0A17-42C6-88E2-192AB2131278}) (Version: 1.0.0.1064 - Intel Corporation)
IrfanView (remove only) (HKLM-x32\...\IrfanView) (Version: 4.37 - Irfan Skiljan)
Malwarebytes Anti-Malware version 2.2.0.1024 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.2.0.1024 - Malwarebytes)
Microsoft OneDrive (HKU\S-1-5-21-2934532118-2444790120-273890532-1001\...\OneDriveSetup.exe) (Version: 17.3.6390.0509 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM-x32\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Movie Maker (x32 Version: 16.4.3528.0331 - Microsoft Corporation) Hidden
Mozilla Firefox 47.0 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 47.0 (x86 en-US)) (Version: 47.0 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 47.0.0.5999 - Mozilla)
Next Video Converter version 4.0.3 (HKLM-x32\...\{752EC6FD-1CEB-409B-AEF5-A297943102EA}_is1) (Version: 4.0.3 - NextVideoSoft Inc.)
OpenVPN 2.3.4-I603  (HKLM-x32\...\OpenVPN) (Version: 2.3.4-I603 - )
PIXresizer (HKLM-x32\...\PIXresizer_is1) (Version: 2.0.8 - Bluefive software)
Ralink RT2860 Wireless LAN Card (HKLM-x32\...\{8FC4F1DD-F7FD-4766-804D-3C8FF1D309B0}) (Version: 5.0.46.0 - Ralink)
Realtek Card Reader (HKLM-x32\...\{5BC2B5AB-80DE-4E83-B8CF-426902051D0A}) (Version: 6.2.9200.27040 - Realtek Semiconductor Corp.)
Realtek Ethernet Controller Driver (HKLM-x32\...\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}) (Version: 8.29.314.2014 - Realtek)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7235 - Realtek Semiconductor Corp.)
TAP-Windows 9.21.0 (HKLM\...\TAP-Windows) (Version: 9.21.0 - )
Update Installer for WildTangent Games App (x32 Version:  - WildTangent) Hidden
WebStorage (HKLM-x32\...\WebStorage) (Version: 2.1.11.399 - ASUS Cloud Corporation)
WildTangent Games App (HKLM-x32\...\{70B446D1-E03B-4ab0-9B3C-0832142C9AA8}.WildTangent Games App-asus) (Version: 4.0.11.14 - WildTangent)
Windows Driver Package - ASUS (ATP) Mouse  (03/17/2014 1.0.0.207) (HKLM\...\AA2CC56D4BBEE037DC99871F5F6551133D2A0CC3) (Version: 03/17/2014 1.0.0.207 - ASUS)
Windows Live Essentials (HKLM-x32\...\WinLiveSuite) (Version: 16.4.3528.0331 - Microsoft Corporation)
WinFlash (HKLM-x32\...\{8F21291E-0444-4B1D-B9F9-4370A73E346D}) (Version: 2.42.0 - ASUS)
Zemana AntiMalware (HKLM-x32\...\{8F0CD7D1-42F3-4195-95CD-833578D45057}_is1) (Version: 2.21.15 - Zemana Ltd.)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

CustomCLSID: HKU\S-1-5-21-2934532118-2444790120-273890532-1001_Classes\CLSID\{162C6FB5-44D3-435B-903D-E613FA093FB5}\InprocServer32 -> C:\Users\\AppData\Local\Microsoft\OneDrive\17.3.6390.0509\amd64\FileCoAuthLib64.dll ()
CustomCLSID: HKU\S-1-5-21-2934532118-2444790120-273890532-1001_Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\localserver32 -> C:\Users\\AppData\Local\Microsoft\OneDrive\17.3.6390.0509\FileCoAuth.exe (Microsoft Corporation)

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {00FD9794-764F-4B21-B455-917ADEEB0C29} - System32\Tasks\Disconnect Desktop Updater => C:\Program Files (x86)\Disconnect\Disconnect Desktop\Disconnect Desktop Updater.exe [2015-02-27] (Disconnect)
Task: {042B781A-B1B7-474C-B02E-FCB0E3CBE0FA} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-03-19] (Google Inc.)
Task: {07F5E50F-FD72-459D-AD37-DEE6B40A766F} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2015-03-19] (Google Inc.)
Task: {131C11D1-2DDD-4F77-90EA-C6EEFED01FAD} - System32\Tasks\ASUS Live Update2 => C:\Program Files (x86)\ASUS\ASUS Live Update\LiveUpdate.exe [2015-03-23] (ASUSTeK Computer Inc.)
Task: {2C912F8E-D630-4515-B2D3-463B77DA67E1} - System32\Tasks\ASUS Live Update1 => C:\Program Files (x86)\ASUS\ASUS Live Update\LiveUpdate.exe [2015-03-23] (ASUSTeK Computer Inc.)
Task: {5F893314-DC0C-4E59-904F-B13C35C510EB} - System32\Tasks\Update Checker => C:\Program Files (x86)\ASUS\ASUS Live Update\UpdateChecker.exe [2015-02-12] ()
Task: {8EB1F65E-423B-4FF8-B27F-BBF79D44E215} - System32\Tasks\AsusVibeSchedule => C:\Program Files (x86)\Asus\AsusVibe\AsusVibeLauncher.exe [2013-11-04] ()
Task: {92EF51AC-D6D0-418C-9F86-185866D6000E} - System32\Tasks\ATK Package 36D18D69AFC3 => C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\SimAppExec.exe [2014-01-14] (ASUSTek Computer Inc.)
Task: {ABDD456E-B1CE-4CDC-8B4E-FAC3B8927CAB} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2016-06-01] (Piriform Ltd)
Task: {B4C4BE3D-43B0-48E2-9278-38782C610FE2} - System32\Tasks\ASUS Splendid ACMON => C:\Program Files (x86)\ASUS\Splendid\ACMON.exe [2014-04-02] (ASUS)
Task: {BC2E5590-76BD-4B0D-A729-3382CF5BE640} - System32\Tasks\RtHDVBg => C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe [2014-04-14] (Realtek Semiconductor)
Task: {BEB223EF-E50E-4983-B2A9-772E1C3C6993} - System32\Tasks\ASUS Smart Gesture Launcher => C:\Program Files (x86)\ASUS\ASUS Smart Gesture\AsTPCenter\x64\AsusTPLauncher.exe [2014-03-31] (AsusTek)
Task: {D255D33A-12DD-4ABD-8198-40DA3FF38FE1} - System32\Tasks\RTKCPL => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [2014-04-10] (Realtek Semiconductor)
Task: {D566FE38-28E0-4A7A-85F3-A28B46B75789} - System32\Tasks\ASUS USB Charger Plus => C:\Program Files (x86)\ASUS\USBChargerPlus\USBChargerPlus.exe [2014-03-27] (ASUSTek Computer Inc.)
Task: {DBEEAF37-4859-40A3-8C61-D6EE6397D937} - System32\Tasks\Microsoft OneDrive Auto Update Task-S-1-5-21-2934532118-2444790120-273890532-1001 => C:\Users\\AppData\Local\Microsoft\OneDrive\OneDrive.exe [2016-05-13] (Microsoft Corporation)
Task: {EE858591-D700-41CE-9582-6EE89D729D09} - System32\Tasks\ASUS\ASUS Product Register Service => C:\Program Files (x86)\ASUS\APRP\aprp.exe [2014-09-02] (ASUSTek Computer Inc.)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe

==================== Shortcuts =============================

(The entries could be listed to be restored or removed.)

==================== Loaded Modules (Whitelisted) ==============

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcpltsvc => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mcpltsvc => ""=""

==================== Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)

==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)

==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2013-08-22 06:25 - 2016-06-16 21:38 - 00000824 ____A C:\Windows\system32\Drivers\etc\hosts

==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-2934532118-2444790120-273890532-1001\Control Panel\Desktop\\Wallpaper -> C:\Users\\Pictures\Glen Canyon Utah1c.jpg
DNS Servers: 192.168.1.1 - 64.251.68.9
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is disabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

HKLM\...\StartupApproved\Run: => "HotKeysCmds"
HKLM\...\StartupApproved\Run: => "IgfxTray"
HKLM\...\StartupApproved\Run32: => "WebStorage"
HKLM\...\StartupApproved\Run32: => "ZAM"
HKU\S-1-5-21-2934532118-2444790120-273890532-1001\...\StartupApproved\Run: => "FreeAC"
HKU\S-1-5-21-2934532118-2444790120-273890532-1001\...\StartupApproved\Run: => "Pinger"

==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [vm-monitoring-nb-session] => (Allow) LPort=139
FirewallRules: [{4263962F-2517-4142-8F85-2AF05EBABECC}] => (Allow) C:\Program Files\Common Files\mcafee\platform\McSvcHost\McSvHost.exe
FirewallRules: [{2F2499DF-634F-45C4-8FEB-4799C14D94C3}] => (Allow) C:\Program Files (x86)\Disconnect\Disconnect Desktop\\openvpn\bin\openvpn.exe
FirewallRules: [{18BB89FD-BA98-45C9-BFCE-4110C2EFD87D}] => (Allow) C:\Program Files (x86)\Disconnect\Disconnect Desktop\\openvpn\bin\openvpnserv.exe
FirewallRules: [{AEC4C76B-7F31-4290-8AEB-BC1C9FB81057}] => (Allow) C:\Users\jeff\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe
FirewallRules: [{EED3F9A5-8446-4853-9ABE-9424EBF06961}] => (Allow) C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
FirewallRules: [{3391E8A0-4597-4CB9-931F-F2D2859D95DF}] => (Allow) LPort=2869
FirewallRules: [{BE1D247A-7BEE-460F-A127-C6B4E98C8948}] => (Allow) LPort=1900
FirewallRules: [{7DE7E2EA-0481-47ED-B0C2-1D66799BDF87}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{DFA08FC8-6898-41CD-9EE5-CDB69BC4288A}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [TCP Query User{A8064AE8-6CBA-412B-A1EC-D72343F79773}C:\Users\\AppData\Local\Microsoft\Windows\INetCache\IE\YN7UJVO4\adsfix_3_15.06.2016.1.exe] => (Allow) C:\Users\\AppData\Local\Microsoft\Windows\INetCache\IE\YN7UJVO4\adsfix_3_15.06.2016.1.exe
FirewallRules: [UDP Query User{8012CD5F-78FA-489A-B2C4-2168ADE624EB}C:\Users\\AppData\Local\Microsoft\Windows\INetCache\IE\YN7UJVO4\adsfix_3_15.06.2016.1.exe] => (Allow) C:\Users\\AppData\Local\Microsoft\Windows\INetCache\IE\YN7UJVO4\adsfix_3_15.06.2016.1.exe
FirewallRules: [TCP Query User{A8064AE8-6CBA-412B-A1EC-D72343F79773}C:\Users\\Downloads\adsfix_3_15.06.2016.1.exe] => (Allow) C:\Users\\Downloads\adsfix_3_15.06.2016.1.exe
FirewallRules: [UDP Query User{8012CD5F-78FA-489A-B2C4-2168ADE624EB}C:\Users\\Downloads\adsfix_3_15.06.2016.1.exe] => (Allow) C:\Users\\Downloads\adsfix_3_15.06.2016.1.exe
FirewallRules: [TCP Query User{A8064AE8-6CBA-412B-A1EC-D72343F79773}C:\Users\\Downloads\adsfix_3_15.06.2016.1 (1).exe] => (Allow) C:\Users\\Downloads\adsfix_3_15.06.2016.1 (1).exe
FirewallRules: [UDP Query User{8012CD5F-78FA-489A-B2C4-2168ADE624EB}C:\Users\\Downloads\adsfix_3_15.06.2016.1 (1).exe] => (Allow) C:\Users\\Downloads\adsfix_3_15.06.2016.1 (1).exe
FirewallRules: [TCP Query User{A80137C5-6CBA-412B-A1EC-D75758F79773}C:\Users\\Desktop\pre-scan_6_13.06.2016.1.exe] => (Allow) C:\Users\\Desktop\pre-scan_6_13.06.2016.1.exe
FirewallRules: [UDP Query User{8086F52E-78FA-489A-B2C4-2651DAE624EB}C:\Users\\Desktop\pre-scan_6_13.06.2016.1.exe] => (Allow) C:\Users\\Desktop\pre-scan_6_13.06.2016.1.exe
FirewallRules: [{26AC97CB-C835-4731-9C89-FC8C78CA0688}] => (Allow) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
StandardProfile\AuthorizedApplications: [C:\Users\\AppData\Local\Microsoft\Windows\INetCache\IE\YN7UJVO4\adsfix_3_15.06.2016.1.exe] => Enabled:adsfix_3_15.06.2016.1
StandardProfile\AuthorizedApplications: [C:\Users\\Downloads\adsfix_3_15.06.2016.1.exe] => Enabled:adsfix_3_15.06.2016.1
StandardProfile\AuthorizedApplications: [C:\Users\\Downloads\adsfix_3_15.06.2016.1 (1).exe] => Enabled:adsfix_3_15.06.2016.1 (1)
StandardProfile\AuthorizedApplications: [C:\Users\\Desktop\pre-scan_6_13.06.2016.1.exe] => Enabled:pre-scan_6_13.06.2016.1

==================== Restore Points =========================

06-06-2016 23:41:32 Scheduled Checkpoint
11-06-2016 21:22:28 JRT Pre-Junkware Removal
21-06-2016 19:00:46 Scheduled Checkpoint

==================== Faulty Device Manager Devices =============

Name: Dell 3333dn
Description: Dell 3333dn
Class Guid: {6bdd1fc6-810f-11d0-bec7-08002be2092f}
Manufacturer: Dell
Service: usbscan
Problem: : This device cannot start. (Code10)
Resolution: Device failed to start. Click "Update Driver" to update the drivers for this device.
On the "General Properties" tab of the device, click "Troubleshoot" to start the troubleshooting wizard.

Name: Microphone (Realtek High Definition Audio)
Description: Audio Endpoint
Class Guid: {c166523c-fe0c-4a94-a586-f1a80cfbbf3e}
Manufacturer: Microsoft
Service:
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

==================== Event log errors: =========================

Application errors:
==================
Error: (06/16/2016 09:31:23 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: svchost.exe_stisvc, version: 6.3.9600.17415, time stamp: 0x54504177
Faulting module name: ntdll.dll, version: 6.3.9600.17736, time stamp: 0x550f4336
Exception code: 0xc0000008
Fault offset: 0x000000000009310a
Faulting process id: 0x6c4
Faulting application start time: 0xsvchost.exe_stisvc0
Faulting application path: svchost.exe_stisvc1
Faulting module path: svchost.exe_stisvc2
Report Id: svchost.exe_stisvc3
Faulting package full name: svchost.exe_stisvc4
Faulting package-relative application ID: svchost.exe_stisvc5

Error: (06/15/2016 09:12:48 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: UpdateChecker.exe, version: 0.0.0.0, time stamp: 0x54dc4378
Faulting module name: OLEAUT32.dll, version: 6.3.9600.17560, time stamp: 0x5493ae73
Exception code: 0xc0000005
Fault offset: 0x00005410
Faulting process id: 0x12d4
Faulting application start time: 0xUpdateChecker.exe0
Faulting application path: UpdateChecker.exe1
Faulting module path: UpdateChecker.exe2
Report Id: UpdateChecker.exe3
Faulting package full name: UpdateChecker.exe4
Faulting package-relative application ID: UpdateChecker.exe5

Error: (06/10/2016 12:22:06 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program explorer.exe version 6.3.9600.17667 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 6dfc

Start Time: 01d18271c330537f

Termination Time: 0

Application Path: C:\Windows\explorer.exe

Report Id: 009879bd-2edc-11e6-826b-f079594db6bd

Faulting package full name:

Faulting package-relative application ID:

Error: (06/08/2016 01:39:01 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program IEXPLORE.EXE version 11.0.9600.17416 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: be0c

Start Time: 01d1c15f29d76fde

Termination Time: 1663

Application Path: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Report Id: 6da60c63-2d54-11e6-826b-f079594db6bd

Faulting package full name:

Faulting package-relative application ID:

Error: (05/23/2016 10:13:24 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program firefox.exe version 46.0.1.5966 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 9d08

Start Time: 01d1b5791308cf29

Termination Time: 242

Application Path: C:\Program Files (x86)\Mozilla Firefox\firefox.exe

Report Id: 37db4a88-216e-11e6-826b-f079594db6bd

Faulting package full name:

Faulting package-relative application ID:

Error: (05/21/2016 10:30:02 AM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program Time.exe version 6.3.9600.16480 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: 5d20

Start Time: 01d15cb0b70062c9

Termination Time: 4294967295

Application Path: C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_6.3.9654.20335_x64__8wekyb3d8bbwe\Time.exe

Report Id: 848a2096-1f53-11e6-826b-f079594db6bd

Faulting package full name: Microsoft.WindowsAlarms_6.3.9654.20335_x64__8wekyb3d8bbwe

Faulting package-relative application ID: App

Error: (05/12/2016 12:32:38 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: IEXPLORE.EXE, version: 11.0.9600.17416, time stamp: 0x5452eed9
Faulting module name: igd10iumd32.dll, version: 10.18.10.3355, time stamp: 0x52839b37
Exception code: 0xc0000005
Fault offset: 0x00078dc7
Faulting process id: 0xa804
Faulting application start time: 0xIEXPLORE.EXE0
Faulting application path: IEXPLORE.EXE1
Faulting module path: IEXPLORE.EXE2
Report Id: IEXPLORE.EXE3
Faulting package full name: IEXPLORE.EXE4
Faulting package-relative application ID: IEXPLORE.EXE5

Error: (05/12/2016 12:11:38 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program IEXPLORE.EXE version 11.0.9600.17416 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: a5f4

Start Time: 01d1ac81a47466af

Termination Time: 477

Application Path: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Report Id: 4b55de7e-1875-11e6-826b-f079594db6bd

Faulting package full name:

Faulting package-relative application ID:

Error: (05/11/2016 03:59:54 PM) (Source: Application Hang) (EventID: 1002) (User: )
Description: The program IEXPLORE.EXE version 11.0.9600.17416 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.

Process ID: a2b8

Start Time: 01d1abd7128ec579

Termination Time: 237

Application Path: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Report Id: 0d929e05-17cc-11e6-826b-f079594db6bd

Faulting package full name:

Faulting package-relative application ID:

Error: (03/22/2016 12:55:50 PM) (Source: Application Error) (EventID: 1000) (User: )
Description: Faulting application name: IEXPLORE.EXE, version: 11.0.9600.17416, time stamp: 0x5452eed9
Faulting module name: ntdll.dll, version: 6.3.9600.17736, time stamp: 0x550f42c2
Exception code: 0xc00000fd
Fault offset: 0x00043432
Faulting process id: 0x8460
Faulting application start time: 0xIEXPLORE.EXE0
Faulting application path: IEXPLORE.EXE1
Faulting module path: IEXPLORE.EXE2
Report Id: IEXPLORE.EXE3
Faulting package full name: IEXPLORE.EXE4
Faulting package-relative application ID: IEXPLORE.EXE5

System errors:
=============
Error: (06/22/2016 05:50:01 PM) (Source: DCOM) (EventID: 10010) (User: )
Description: {1B1F472E-3221-4826-97DB-2C2324D389AE}

Error: (06/22/2016 05:49:31 PM) (Source: DCOM) (EventID: 10010) (User: )
Description: {BF6C1E47-86EC-4194-9CE5-13C15DCB2001}

Error: (06/21/2016 07:04:08 PM) (Source: DCOM) (EventID: 10010) (User: )
Description: {1B1F472E-3221-4826-97DB-2C2324D389AE}

Error: (06/21/2016 07:03:38 PM) (Source: DCOM) (EventID: 10010) (User: )
Description: {BF6C1E47-86EC-4194-9CE5-13C15DCB2001}

Error: (06/21/2016 06:09:01 PM) (Source: DCOM) (EventID: 10010) (User: )
Description: {1B1F472E-3221-4826-97DB-2C2324D389AE}

Error: (06/21/2016 06:08:31 PM) (Source: DCOM) (EventID: 10010) (User: )
Description: {BF6C1E47-86EC-4194-9CE5-13C15DCB2001}

Error: (06/20/2016 06:37:28 PM) (Source: DCOM) (EventID: 10010) (User: )
Description: {BF6C1E47-86EC-4194-9CE5-13C15DCB2001}

Error: (06/20/2016 06:36:50 PM) (Source: DCOM) (EventID: 10010) (User: )
Description: {1B1F472E-3221-4826-97DB-2C2324D389AE}

Error: (06/20/2016 05:49:28 PM) (Source: Schannel) (EventID: 4119) (User: NT AUTHORITY)
Description: A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 20.

Error: (06/19/2016 06:43:09 PM) (Source: DCOM) (EventID: 10010) (User: )
Description: {BF6C1E47-86EC-4194-9CE5-13C15DCB2001}

CodeIntegrity:
===================================
  Date: 2016-06-18 17:28:13.896
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\Program Files\Windows Defender\MsMpEng.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

  Date: 2016-06-16 21:29:47.741
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\Program Files\Windows Defender\MsMpEng.exe because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

==================== Memory info ===========================

Processor: Intel® Celeron® CPU N2840 @ 2.16GHz
Percentage of memory in use: 40%
Total physical RAM: 3982.68 MB
Available physical RAM: 2378.61 MB
Total Virtual: 5390.68 MB
Available Virtual: 3491.25 MB

==================== Drives ================================

Drive c: (OS) (Fixed) (Total:186.3 GB) (Free:128.37 GB) NTFS ==>[system with boot components (obtained from drive)]
Drive d: (Data) (Fixed) (Total:258.34 GB) (Free:258.22 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 465.8 GB) (Disk ID: 543DAE44)

Partition: GPT.

==================== End of Addition.txt ============================
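Before acting on a log like the one above, it helps to pull out the handful of lines a responder would look at first: the firewall and UAC state under "Other Areas", Allow rules whose program lives in a folder the user (and therefore anything running as the user) can write to, public DNS resolvers, and CodeIntegrity failures. The PowerShell below is an added example, not part of this thread and not a feature of FRST; the function name, the severity labels and the regular expressions are this example's own choices, and the sample lines at the bottom are copied from the Addition.txt posted above so it runs offline.

```powershell
# Added example (not from the thread, not an FRST feature): first-pass triage of an
# FRST Addition.txt. Works on Windows PowerShell 4 (Windows 8.1) and later.

function Get-FrstFindings {
    param([Parameter(Mandatory = $true)][string[]] $Lines)

    # Folders an unprivileged user can write to. The posted log has the user name
    # redacted, so the segment between "Users\" and the next backslash may be empty.
    $userWritable = '\\Users\\[^\\]*\\(AppData|Downloads|Desktop|Documents)\\'
    $privateDns   = '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.)'

    $findings = New-Object System.Collections.Generic.List[object]

    foreach ($line in $Lines) {
        switch -Regex ($line) {
            '^Windows Firewall is disabled' {
                $findings.Add([pscustomobject]@{ Severity = 'High'; Check = 'Firewall';
                    Detail = 'Windows Firewall is disabled; every FirewallRules entry is inert until it is re-enabled' })
                break
            }
            'Policies\\System => .*\(EnableLUA: 0\)' {
                $findings.Add([pscustomobject]@{ Severity = 'High'; Check = 'UAC';
                    Detail = 'EnableLUA is 0: UAC is switched off' })
                break
            }
            '^FirewallRules: .*=> \(Allow\) (?<exe>[A-Za-z]:\\.+\.exe)\s*$' {
                $exe = $Matches['exe']            # copy first: the -match below overwrites $Matches
                if ($exe -match $userWritable) {
                    $findings.Add([pscustomobject]@{ Severity = 'Medium'; Check = 'FirewallRule';
                        Detail = "Allow rule for a program in a user-writable folder: $exe" })
                }
                break
            }
            '^StandardProfile\\AuthorizedApplications: \[(?<exe>[^\]]+)\] => Enabled' {
                $exe = $Matches['exe']
                if ($exe -match $userWritable) {
                    $findings.Add([pscustomobject]@{ Severity = 'Medium'; Check = 'AuthorizedApp';
                        Detail = "Legacy (pre-Vista) authorized application in a user-writable folder: $exe" })
                }
                break
            }
            '^DNS Servers: (?<list>.+)$' {
                $list = $Matches['list']
                foreach ($ip in ($list -split '\s*-\s*')) {
                    if ($ip -notmatch $privateDns) {
                        $findings.Add([pscustomobject]@{ Severity = 'Info'; Check = 'DNS';
                            Detail = "Public resolver $ip configured; confirm it belongs to your ISP or VPN" })
                    }
                }
                break
            }
            '^\s*Description: Windows is unable to verify the image integrity of the file (?<file>.+?) because' {
                $findings.Add([pscustomobject]@{ Severity = 'Medium'; Check = 'CodeIntegrity';
                    Detail = "Image failed integrity check: $($Matches['file'])" })
                break
            }
        }
    }
    return $findings
}

# Constructed sample input: lines copied from the Addition.txt posted above.
$sample = @'
DNS Servers: 192.168.1.1 - 64.251.68.9
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is disabled.
FirewallRules: [{7DE7E2EA-0481-47ED-B0C2-1D66799BDF87}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [TCP Query User{A8064AE8-6CBA-412B-A1EC-D72343F79773}C:\Users\\Downloads\adsfix_3_15.06.2016.1.exe] => (Allow) C:\Users\\Downloads\adsfix_3_15.06.2016.1.exe
StandardProfile\AuthorizedApplications: [C:\Users\\Desktop\pre-scan_6_13.06.2016.1.exe] => Enabled:pre-scan_6_13.06.2016.1
  Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\Program Files\Windows Defender\MsMpEng.exe because file hash could not be found on the system.
'@ -split "`r?`n"

Get-FrstFindings -Lines $sample | Format-Table -AutoSize -Wrap

# Against a real log saved next to FRST64.exe:
# Get-FrstFindings -Lines (Get-Content -Path .\Addition.txt) | Format-Table -AutoSize -Wrap
```

On the sample it reports the disabled firewall, the public resolver 64.251.68.9, the adsfix and pre-scan entries in Downloads and on the Desktop, and the MsMpEng.exe integrity failure; firefox.exe under Program Files and the EnableLUA: 1 line are left alone. A rule keyed to a program path in a user-writable folder matters because whatever is later written to that path inherits the allowance, which is why stale rules for one-off cleanup tools are worth removing once the tools are gone.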



#7 shelf life

shelf life

  • Malware Response Team
  • 2,688 posts
  • OFFLINE
  • Gender:Male
  • Location:@localhost
  • Local time:02:28 PM

Posted 23 June 2016 - 05:25 PM

Ok, thanks for the info. We will use FRST to remove some items and you should be good to go.

 

Copy/paste what's below into notepad and save it as fixlist.txt in the same location that you have FRST.

Start FRST like before except this time click on the Fix button once. Machine may reboot to finish the process. Upon reboot it will display a fixlog.txt that you can copy/paste in your reply.

2015-03-03 10:28 - 2016-06-18 14:59 - 0000093 _____ () C:\Users\\AppData\Roaming\sp_data.sys
2016-06-07 20:11 - 2016-06-07 20:11 - 0000017 _____ () C:\Users\\AppData\Local\resmon.resmoncfg
2014-12-13 01:42 - 2014-12-13 01:42 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
2014-09-27 15:54 - 2012-09-07 04:40 - 0000256 _____ () C:\ProgramData\SetStretch.cmd
2014-09-27 15:54 - 2009-07-22 03:04 - 0024576 _____ () C:\ProgramData\SetStretch.exe
2014-09-27 15:54 - 2012-09-07 04:37 - 0000103 _____ () C:\ProgramData\SetStretch.VBS
C:\ProgramData\SetStretch.cmd
C:\ProgramData\SetStretch.exe
C:\ProgramData\SetStretch.VBS
EMPTY TEMP:

In Windows 8, Windows Defender is your antivirus app. Of course you don't have to use it as your AV if you install another AV. I don't see another one installed. Is your Windows Defender turned on and up to date?

 

http://www.eightforums.com/tutorials/21962-windows-defender-turn-off-windows-8-a.html


How Can I Reduce My Risk to Malware?
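The question above (is Defender on and current?) and the "Windows Firewall is disabled." line in the Addition.txt can both be answered, and fixed, from an elevated PowerShell prompt. The script below is an added example, not from this thread; it assumes Windows 8.1 with its built-in Defender and NetSecurity PowerShell modules and nothing else. The path pattern used to find stale firewall rules is this example's own choice, taken from the adsfix and pre-scan entries in the log.

```powershell
# Added example, not from the thread. Run as Administrator on Windows 8.1.

# --- Windows Defender: is the engine running, and are the signatures current? ---
$mp = Get-MpComputerStatus
$mp | Select-Object AMServiceEnabled, AntivirusEnabled, RealTimeProtectionEnabled,
                    AntivirusSignatureLastUpdated, AntivirusSignatureAge

if (-not $mp.AMServiceEnabled) {
    # WinDefend is the service behind Defender; make it start at boot, and start it now.
    Set-Service   -Name WinDefend -StartupType Automatic
    Start-Service -Name WinDefend
}
if (-not $mp.RealTimeProtectionEnabled) {
    Set-MpPreference -DisableRealtimeMonitoring $false
}
if ($mp.AntivirusSignatureAge -gt 1) {
    Update-MpSignature
}

# The CodeIntegrity entries in the log said the hash of MsMpEng.exe could not be verified.
# An Authenticode check shows whether the file on disk still carries Microsoft's signature.
# Caveat: on PowerShell 4 "NotSigned" can also mean the file is signed only through a
# catalog, which this cmdlet does not look up there; confirm with Sysinternals sigcheck
# before treating the binary as tampered.
Get-AuthenticodeSignature -FilePath "$env:ProgramFiles\Windows Defender\MsMpEng.exe" |
    Select-Object Status, @{ n = 'Signer'; e = { $_.SignerCertificate.Subject } }

# --- Windows Firewall: all three profiles on, inbound blocked by default ---
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True -DefaultInboundAction Block

# Allow rules that point at programs in Downloads, the Desktop or the IE cache (the adsfix
# and pre-scan entries in the log) outlive the tools that created them. List them first;
# remove -WhatIf once you have read the list.
$stalePath = '\\Users\\[^\\]+\\(Downloads|Desktop|AppData\\Local\\Microsoft\\Windows\\INetCache)\\'
Get-NetFirewallApplicationFilter |
    Where-Object { $_.Program -match $stalePath } |
    Get-NetFirewallRule |
    Select-Object DisplayName, Direction, Action, Enabled

Get-NetFirewallApplicationFilter |
    Where-Object { $_.Program -match $stalePath } |
    Get-NetFirewallRule |
    Remove-NetFirewallRule -WhatIf

# Re-check after the changes.
Get-MpComputerStatus   | Select-Object AMServiceEnabled, RealTimeProtectionEnabled, AntivirusSignatureAge
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
```

If another product is registered as an antivirus in Action Center, Windows 8.1 keeps Defender switched off and Set-MpPreference will not override that; uninstall the other product and reboot first, which is also the order of operations suggested later in this thread.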


#8 kelly2

kelly2
  • Topic Starter

  • Members
  • 61 posts
  • OFFLINE
  • Local time:03:28 PM

Posted 23 June 2016 - 10:30 PM

Thank you shelf life.

 

Before I begin: on the logs I've posted I've removed my name from between the 2 backward slashes after "Users". I'm still a little paranoid about security; should I still include those entries (name included) when I do the fix?

 

I've turned off both Windows Defender and the firewall for the FRST scan. I may need some help turning Defender back on later, since it doesn't show an option for that when I click on it.



#9 shelf life

shelf life

  • Malware Response Team
  • 2,688 posts
  • OFFLINE
  • Gender:Male
  • Location:@localhost
  • Local time:02:28 PM

Posted 24 June 2016 - 07:54 AM

Run the script below instead, just to make sure we get rid of the other items. You can run both scripts below one at a time, and we will see if the modified one works; if not, we can remove it another way. So, just like above:

 

Copy/paste what's below into notepad and save it as fixlist.txt in the same location that you have FRST.

Start FRST like before except this time click on the Fix button once. Machine may reboot to finish the process. Upon reboot it will display a fixlog.txt that you can copy/paste in your reply.

2014-12-13 01:42 - 2014-12-13 01:42 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
2014-09-27 15:54 - 2012-09-07 04:40 - 0000256 _____ () C:\ProgramData\SetStretch.cmd
2014-09-27 15:54 - 2009-07-22 03:04 - 0024576 _____ () C:\ProgramData\SetStretch.exe
2014-09-27 15:54 - 2012-09-07 04:37 - 0000103 _____ () C:\ProgramData\SetStretch.VBS
C:\ProgramData\SetStretch.cmd
C:\ProgramData\SetStretch.exe
C:\ProgramData\SetStretch.VBS
EMPTY TEMP:

Here's the second one to try; it might work, since everything else is the same. We will see. So, just like above, using FRST:

2015-03-03 10:28 - 2016-06-18 14:59 - 0000093 _____ () C:\Users\\AppData\Roaming\sp_data.sys
2016-06-07 20:11 - 2016-06-07 20:11 - 0000017 _____ () C:\Users\\AppData\Local\resmon.resmoncfg

How Can I Reduce My Risk to Malware?


#10 kelly2

kelly2
  • Topic Starter

  • Members
  • 61 posts
  • OFFLINE
  • Local time:03:28 PM

Posted 24 June 2016 - 05:52 PM

The first script.

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 20-06-2016 01
Ran by jeff (2016-06-24 15:41:48) Run:1
Running from C:\Users\jeff\Desktop
Loaded Profiles: jeff (Available Profiles: jeff)
Boot Mode: Normal
==============================================

fixlist content:
*****************
2014-12-13 01:42 - 2014-12-13 01:42 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
2014-09-27 15:54 - 2012-09-07 04:40 - 0000256 _____ () C:\ProgramData\SetStretch.cmd
2014-09-27 15:54 - 2009-07-22 03:04 - 0024576 _____ () C:\ProgramData\SetStretch.exe
2014-09-27 15:54 - 2012-09-07 04:37 - 0000103 _____ () C:\ProgramData\SetStretch.VBS
C:\ProgramData\SetStretch.cmd
C:\ProgramData\SetStretch.exe
C:\ProgramData\SetStretch.VBS
EMPTY TEMP:
*****************

C:\ProgramData\DP45977C.lfl => moved successfully
C:\ProgramData\SetStretch.cmd => moved successfully
C:\ProgramData\SetStretch.exe => moved successfully
C:\ProgramData\SetStretch.VBS => moved successfully
"C:\ProgramData\SetStretch.cmd" => not found.
"C:\ProgramData\SetStretch.exe" => not found.
"C:\ProgramData\SetStretch.VBS" => not found.

=========== EmptyTemp: ==========

BITS transfer queue => 12582912 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 56933050 B
Java, Flash, Steam htmlcache => 1873 B
Windows/system/drivers => 37868752 B
Edge => 0 B
Chrome => 299008 B
Firefox => 394033877 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 128 B
systemprofile32 => 0 B
LocalService => 0 B
NetworkService => 0 B
jeff => 173107796 B

RecycleBin => 3575 B
EmptyTemp: => 643.6 MB temporary data Removed.

================================

The system needed a reboot.

==== End of Fixlog 15:42:14 ====



#11 kelly2

kelly2
  • Topic Starter

  • Members
  • 61 posts
  • OFFLINE
  • Local time:03:28 PM

Posted 24 June 2016 - 05:58 PM

And the 2nd script, I think...

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 20-06-2016 01
Ran by jeff (2016-06-24 15:54:49) Run:2
Running from C:\Users\jeff\Desktop
Loaded Profiles: jeff (Available Profiles: jeff)
Boot Mode: Normal
==============================================

fixlist content:
*****************
2015-03-03 10:28 - 2016-06-18 14:59 - 0000093 _____ () C:\Users\\AppData\Roaming\sp_data.sys
2016-06-07 20:11 - 2016-06-07 20:11 - 0000017 _____ () C:\Users\\AppData\Local\resmon.resmoncfg
*****************

"C:\Users\\AppData\Roaming\sp_data.sys" => not found.
"C:\Users\\AppData\Local\resmon.resmoncfg" => not found.

==== End of Fixlog 15:54:49 ====



#12 shelf life

shelf life

  • Malware Response Team
  • 2,688 posts
  • OFFLINE
  • Gender:Male
  • Location:@localhost
  • Local time:02:28 PM

Posted 25 June 2016 - 08:24 AM

Looks like the first one worked OK. In the second one, the two items were not found. You can delete them manually if they are there. First you can get Windows to show all files. Some files are hidden by default. See link:

http://www.sevenforums.com/tutorials/394-hidden-files-folders-show-hide.html

Last, using Explorer, navigate to the locations below. Did you get Windows Defender turned back on?

C:\Users\\AppData\Roaming and delete sp_data.sys

C:\Users\\AppData\Local and delete resmon.resmoncfg


How Can I Reduce My Risk to Malware?
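The two "not found" results line up with the redaction mentioned earlier in the thread: the fixlist carried the paths as `C:\Users\\AppData\...` with the user name removed, and the fixlog shows FRST searched exactly that literal path, which does not exist on disk. The PowerShell below is an added example, not from this thread and not part of FRST. It builds the paths from the profile variables of the user running it (jeff, per the fixlog), includes hidden and system files the way the "show hidden files" setting does for Explorer, and removes the files if they are present; the 60-day window in the final listing is this example's own choice.

```powershell
# Added example, not from the thread or from FRST. Run in the affected user's own session,
# because $env:APPDATA and $env:LOCALAPPDATA expand to that user's profile folders.

$targets = @(
    (Join-Path $env:APPDATA      'sp_data.sys'),       # log: 93 bytes, last written 2016-06-18
    (Join-Path $env:LOCALAPPDATA 'resmon.resmoncfg')   # log: 17 bytes
)

foreach ($path in $targets) {
    # -Force makes Get-Item return hidden and system files that Explorer hides by default;
    # -LiteralPath stops PowerShell from treating [ ] or * in a name as wildcards.
    $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        Write-Output "not found: $path"
        continue
    }
    Write-Output ('found: {0}  {1} bytes  attributes={2}  modified={3}' -f
        $item.FullName, $item.Length, $item.Attributes, $item.LastWriteTime)
    # Copy-Item the file somewhere first if you want to keep a sample for analysis.
    # Remove-Item also needs -Force for hidden or read-only files.
    Remove-Item -LiteralPath $path -Force
    Write-Output "removed: $path"
}

# A .sys file dropped into a roaming profile is unusual, so while here list anything
# else in the two profile folders that was written recently, hidden files included.
Get-ChildItem -LiteralPath $env:APPDATA, $env:LOCALAPPDATA -Force -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-60) } |
    Sort-Object LastWriteTime -Descending |
    Select-Object FullName, Length, Attributes, LastWriteTime
```

If both files still come back "not found" here, they were either cleaned up by one of the other tools run in the meantime or the entries in the log referred to a different profile; either way there is nothing left at those locations to remove.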


#13 kelly2

kelly2
  • Topic Starter

  • Members
  • 61 posts
  • OFFLINE
  • Local time:03:28 PM

Posted 25 June 2016 - 09:52 PM

I've set folder options to show hidden files and looked in a bunch of places but those two items are not showing up.

 

It seems like Windows Defender turns itself off if it detects another AV program. During this whole process I've run CCleaner, RM Tool, RST Host, Zemana, Malwarebytes and Pre Scan; do I remove all these now?



#14 shelf life

shelf life

  • Malware Response Team
  • 2,688 posts
  • OFFLINE
  • Gender:Male
  • Location:@localhost
  • Local time:02:28 PM

Posted 26 June 2016 - 09:54 AM

OK, thanks for the info. We will consider them gone then. It was the items in the first script you ran that I was more concerned about, and that one worked.

Looks like you used several tools in your earlier post. I am not familiar with some of them.

 

The only one I would keep is Malwarebytes. Note the free version doesn't run in the background; a scan must be started manually. It's only for malware, it's not an antivirus. And you can keep CCleaner, which is useful for clearing out temp files, logs, etc.

 

You can uninstall the tools from the add/remove programs panel. FRST won't be in there; for that you can just delete the icon, the logs and the FRST folder in the root of drive C. AdwCleaner, once started, has an uninstall button you can click.

 

 

Windows Defender turns itself off if it detects another AV program

I don't think anything you have installed is an antivirus; antimalware yes, but not AV.

Uninstall what you can from the add/remove panel, reboot the machine, then turn Defender on if it's still disabled and make sure it stays on.


How Can I Reduce My Risk to Malware?


#15 kelly2

kelly2
  • Topic Starter

  • Members
  • 61 posts
  • OFFLINE
  • Local time:03:28 PM

Posted 27 June 2016 - 02:01 AM

I think I've removed everything with the exception of your recommendations, Malwarebytes and CCleaner. I'm having a few issues with getting Windows Defender back up and running; when I try, it keeps giving me this... WindowsDefenderWontStart.jpg





