Suspected persistent low level malware or rootkit!


  • This topic is locked
12 replies to this topic

#1 dfz


Posted 07 July 2016 - 11:47 AM

I have had months of sleepless nights trying to fix it myself. I'm a Linux sysadmin by day for a datacentre (Vocus) here in my local city, so a problem like this is NOT meant to have me stumped.
Because of my Linux knowledge and lack of Windows admin knowledge, I've had a lot of conflicting stories. I've heard that it could be as bad as my Realtek ROMs being reflashed to gain control, down to my SSD's firmware being hijacked so that when installing new Windows (all Windows installs from official discs show it as a WinPE build (winblue) in the ToS you get when installing).
Symptoms are hard to notice now as I don't know how many devices are infected or what actually is infected.
.. I've held off asking for help due to my background and other friends that do work at the binary level, saying that my dual BIOS Gigabyte motherboard has had its backup flashed over.
(I really didn't want to say all above, but it's all I've got for details.. other than, when first infected months ago (I believe) I had a Wireshark box in the house and the computer was trying to be accessed on port 139 and the fact the computer seems to bloat into the 4-8 GB of WinSxS files on a fresh install even when not connected to the ethernet.)
 
I could go much further with information but, due to how this works I think its best we start from a 'somewhat' fresh slate. This has had some serious impact on my life, especially as a technician.
I have forum notifications on and will happily answer everything and anything.
 
Currently I have the graphics card out of the computer and have been running Win10 with MBAE and ESET smart security 9 for a few months. I've just refrained from putting any passwords not covered by 2FA in.. and no gaming or steam obviously :(
 
I am an open book and I highly appreciate any help, will happily donate to help my own area out! Please help me escape from this hell..
 
Logs as per requested by the preparation tutorial for malware/trojan/rootkit threads.
....

Attached File  FRST.txt   54.26KB   13 downloads

Attached File  Addition.txt   38.73KB   11 downloads
Mod Edit:  Merged posts - Hamluis.
[Couldn't edit above post to add information] (Quick note: Whoever gets the time to reply, I can happily do this process from a fresh Windows install if that makes it easier to compare what's default and what isn't) (Twin-Headed referred me here, as I help weekly in the IRC channels for BC / Wilders and of course others - but he hasn't had the time to look into something like this yet, so I'm here in the forums on my knees praying to the bytecode gods)  :smash:

Edited by hamluis, 11 July 2016 - 01:23 PM.



 


#2 HelpBot


Posted 12 July 2016 - 11:50 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Step 1: In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/619187 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Step 2: If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new FRST log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download FRST by Farbar from the following link if you no longer have it available and save it to your desktop.

    FRST Download Link

  • When you go to the above page, there will be 32-bit and 64-bit downloads available. Please click on the appropriate one for your version of Windows. If you are unsure as to whether your Windows is 32-bit or 64-bit, please see this tutorial.
  • Double click on the FRST icon and allow it to run.
  • Agree to the usage agreement and FRST will open. Do not make any changes and click on the Scan button.
  • Notepad will open with the results.
  • Post the new logs as explained in the prep guide.
  • Close the program window, and delete the program from your desktop.


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 dfz


Posted 12 July 2016 - 12:38 PM

1) I feel my description may only hinder the process, as I have quite a bit of knowledge in the area, but most is on Unix. I feel it would be too conflicting coming to my own conclusions, though, if requested again, I will happily give what I can of a run-down (e.g. one symptom seems to be that it can create looped services and users after inspecting the machine through a spare LPS live DVD). It's very possible the infection is along the lines of the AutoIt programming framework/app, as I'm usually coding/testing/obfuscating that type of work and it seems to have happened around the time I was getting some stuff from the nulled forums. A very helpful resource, but sadly also where PUPs and rootkits are shared, sold and made.
I won't speculate any further at the moment. Though I will add at any point, like I said in my original post, I am happy to do this with a fresh windows install; or alike.

2) Added scans to the bottom.

3) Have multiple official Windows install discs, including Win 7 and Win 8.1

4) Awesome, really anxious to see the resolve if possible, as it's been impacting my real life, not just online.. So I will be happily awaiting a reply from the response team! :')

Thank you for your time!

Fresh logs:
Attached File  FRST.txt   54.43KB   1 downloads
Attached File  Addition.txt   40.22KB   1 downloads


Edited by dfz, 12 July 2016 - 12:39 PM.


#4 Oh My!

  • Malware Response Instructor

Posted 13 July 2016 - 01:21 PM

Greetings dfz and :welcome: to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary.

If you would allow me to call you by your first name I would prefer to do that.

===================================================

Ground Rules:
  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met.
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me.
  • When you post your reply, use the Replytopic.jpg button instead.
  • In the upper right hand corner of the topic you will see the Followtopic.jpg button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.
===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Thank you for your patience thus far. I am not seeing anything suspicious except for one file I will take a closer look at in the report after running a FRST fix. At first glance I don't think I will be able to provide meaningful assistance but we will see.

Could you please provide the link to the Topic with Twin-Headed.

Please consider and do this.

===================================================

Peer to Peer (P2P) Warning

--------------------

Going over your logs I noticed that you have evidence of P2P downloads. It is pretty much certain that if you continue to use P2P programs, you will get infected again.
  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.
If you are still leaning toward using this program, please take a look at this information about Ransomware which can be delivered via P2P file transfers. The newest variation of Ransomware can make it impossible to recover the files this malicious software encrypts. In other words, you will probably lose most if not all of your valuable information, including pictures. In addition it has recently been reported that P2P downloads may be tracked resulting in your IP address being monitored by copyright authorities.

===================================================

Farbar's Recovery Scan Tool - Run Fix in Normal or Safe Mode

--------------------
  • Press the Windows key + R on your keyboard at the same time. Type in notepad and press Enter
  • Click Format and check Word Wrap
  • Please copy and paste the contents of the below code box into the open notepad and save it to your Desktop as fixlist.txt. If FRST.exe is not on your Desktop please move it to that location. (<<<Important)
CreateRestorePoint:
CloseProcesses:
ShellIconOverlayIdentifiers: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524}
ShellIconOverlayIdentifiers: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282}
ShellIconOverlayIdentifiers: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30}
ShellIconOverlayIdentifiers: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A}
ShellIconOverlayIdentifiers: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}
ShellIconOverlayIdentifiers-x32: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524}
ShellIconOverlayIdentifiers-x32: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282}
ShellIconOverlayIdentifiers-x32: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30}
ShellIconOverlayIdentifiers-x32: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A}
ShellIconOverlayIdentifiers-x32: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}
S3 SbieDrv; \??\C:\Program Files\Sandboxie\SbieDrv.sys [X]
S3 vmci; \SystemRoot\System32\drivers\vmci.sys [X]
S3 VMnetAdapter; \SystemRoot\system32\DRIVERS\vmnetadapter.sys [X]
S1 ZAM; \??\C:\WINDOWS\System32\drivers\zam64.sys [X]
CHR HKLM\...\Chrome\Extension: [ngpampappnmepgilojfohadhhmbhlaek] - C:\Program Files (x86)\Internet Download Manager\IDMGCExt.crx <not found>
FF HKU\S-1-5-21-3261477738-2894924231-4276839988-1001\...\SeaMonkey\Extensions: [mozilla_cc2@internetdownloadmanager.com] - C:\Program Files (x86)\Internet Download Manager\idmmzcc2.xpi => not found
Task: {05DC24A4-E481-4895-A21F-1C49B3844B6A} - \Microsoft\Windows\Setup\GWXTriggers\Logon-URT
Task: {2BE2DAB1-0514-4033-BD48-8EFC2E74B925} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d
Task: {4A6437A4-965B-4040-A2E3-E2D8A248B86B} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeTime
Task: {5A69E373-24EB-4BEF-BBB3-FBCFF6BDDF75} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent
Task: {642542A4-2716-450B-BCC6-B53D8270B490} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B
Task: {73098CDF-D11E-4E53-9A0B-4517186E9805} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent
Task: {86FAFA83-E2A0-4C05-A0E9-F687AF3C0FE7} - \Microsoft\Windows\Setup\gwx\launchtrayprocess
Task: {8C9F4F67-795B-4788-A533-F6A17152B21B} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d
Task: {9C411E11-ECF9-49C9-BF99-27C683834B1D} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig
Task: {A1C306A2-1DE2-45FE-A2B9-D21F49BC5DC7} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d
Task: {A2E3DE10-03A9-4A02-9857-3F259BBE3724} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d
Task: {CDBA32EE-47B0-435C-ADDC-F8F345C9676B} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeReminderTime
Task: {F4D39711-0FF4-432E-AA15-31B3E6D63FFE} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d
File: C:\Users\dfz\AppData\Local\Temp\s3.exe
  • Launch FRST and press the Fix button just once and wait, the program will automatically launch fixlist.txt.
  • The tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • Twin Headed link
  • Fixlog

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#5 dfz


Posted 13 July 2016 - 01:48 PM

Hey there, really do appreciate the help. Nice to meet you Gary; feel free to call me Matt if you'd like from now on! :) - Quick note regarding P2P software: it's unrelated. I definitely understand what you are trying to say in the generic sense, but my Transmission client is mainly used to manage and seed university Unix distros that are in development, etc. It's quite popular in Australia as a legitimate download source. Thanks for checking though.
I cannot stress enough how much getting this fixed means to me and I've already happily donated to the frivolous lawsuit the site is facing.

Regarding Twin Headed, there's sadly nothing to link. We've just had multiple in-depth conversations about it because I help out in the help IRCs for Bleeping and Wilders, but when I got to the point of realizing I couldn't fix it myself, he didn't have time for quite a while to look as in-depth as he would have liked.

Details:
Did exactly as instructed, Used the fixlist supplied, Seem to have 'worked as you wanted' as it gave a confirmation at the end and a reboot notification, I rebooted immediately.
Small details you might want: as soon as it started to restart, it went to a 'Configuring Windows Updates' screen, with a very noticeable hang time, slowly went to 30% then restarted. The same screen came up on reboot and I believe started at 30%. Definitely was slow as I'm running an SSD in quite a nice PC. But it's obviously possible we can just put that down to the fact it was doing modifications.. Hopefully the ones we want!

EDIT: I should add that although I have said it was a slow cycle.. No program has successfully removed things like FRST has (have had elevated privileges problems, etc). I know this may only be the beginning but very happily, seem to be on the right course.
I have added a screenshot of the temp folder AFTER the restart, as you showed interest in s3.exe - The random lettered file appeared instantly on reboot (as you can see by the timelines) - Just wanted you to have as much insight as possible Attached File  temp.png   296.75KB   0 downloads
 

Scan:
Fix result of Farbar Recovery Scan Tool (x64) Version: 13-07-2016 01
Ran by dfz (2016-07-14 02:35:56) Run:1
Running from C:\Users\dfz\Downloads\Watched + Misc
Loaded Profiles: dfz (Available Profiles: dfz)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
CreateRestorePoint:
CloseProcesses:
ShellIconOverlayIdentifiers: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524}
ShellIconOverlayIdentifiers: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282}
ShellIconOverlayIdentifiers: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30}
ShellIconOverlayIdentifiers: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A}
ShellIconOverlayIdentifiers: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}
ShellIconOverlayIdentifiers-x32: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524}
ShellIconOverlayIdentifiers-x32: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282}
ShellIconOverlayIdentifiers-x32: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30}
ShellIconOverlayIdentifiers-x32: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A}
ShellIconOverlayIdentifiers-x32: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}
S3 SbieDrv; \??\C:\Program Files\Sandboxie\SbieDrv.sys [X]
S3 vmci; \SystemRoot\System32\drivers\vmci.sys [X]
S3 VMnetAdapter; \SystemRoot\system32\DRIVERS\vmnetadapter.sys [X]
S1 ZAM; \??\C:\WINDOWS\System32\drivers\zam64.sys [X]
CHR HKLM\...\Chrome\Extension: [ngpampappnmepgilojfohadhhmbhlaek] - C:\Program Files (x86)\Internet Download Manager\IDMGCExt.crx <not found>
FF HKU\S-1-5-21-3261477738-2894924231-4276839988-1001\...\SeaMonkey\Extensions: [mozilla_cc2@internetdownloadmanager.com] - C:\Program Files (x86)\Internet Download Manager\idmmzcc2.xpi => not found
Task: {05DC24A4-E481-4895-A21F-1C49B3844B6A} - \Microsoft\Windows\Setup\GWXTriggers\Logon-URT
Task: {2BE2DAB1-0514-4033-BD48-8EFC2E74B925} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d
Task: {4A6437A4-965B-4040-A2E3-E2D8A248B86B} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeTime
Task: {5A69E373-24EB-4BEF-BBB3-FBCFF6BDDF75} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent
Task: {642542A4-2716-450B-BCC6-B53D8270B490} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B
Task: {73098CDF-D11E-4E53-9A0B-4517186E9805} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent
Task: {86FAFA83-E2A0-4C05-A0E9-F687AF3C0FE7} - \Microsoft\Windows\Setup\gwx\launchtrayprocess
Task: {8C9F4F67-795B-4788-A533-F6A17152B21B} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d
Task: {9C411E11-ECF9-49C9-BF99-27C683834B1D} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig
Task: {A1C306A2-1DE2-45FE-A2B9-D21F49BC5DC7} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d
Task: {A2E3DE10-03A9-4A02-9857-3F259BBE3724} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d
Task: {CDBA32EE-47B0-435C-ADDC-F8F345C9676B} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeReminderTime
Task: {F4D39711-0FF4-432E-AA15-31B3E6D63FFE} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d
File: C:\Users\dfz\AppData\Local\Temp\s3.exe
*****************
 
Error: (0) Failed to create a restore point.
Processes closed successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ShellIconOverlayIdentifiers: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => key not found. 
HKCR\CLSID\ShellIconOverlayIdentifiers: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => key not found. 
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ShellIconOverlayIdentifiers: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} => key not found. 
HKCR\CLSID\ShellIconOverlayIdentifiers: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} => key not found. 
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ShellIconOverlayIdentifiers: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} => key not found. 
HKCR\CLSID\ShellIconOverlayIdentifiers: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} => key not found. 
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ShellIconOverlayIdentifiers: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => key not found. 
HKCR\CLSID\ShellIconOverlayIdentifiers: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => key not found. 
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ShellIconOverlayIdentifiers: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => key not found. 
HKCR\CLSID\ShellIconOverlayIdentifiers: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => key not found. 
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ShellIconOverlayIdentifiers-x32: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => key not found. 
HKCR\Wow6432Node\CLSID\ShellIconOverlayIdentifiers-x32: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => key not found. 
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ShellIconOverlayIdentifiers-x32: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} => key not found. 
HKCR\Wow6432Node\CLSID\ShellIconOverlayIdentifiers-x32: [ OneDrive2] -> {5AB7172C-9C11-405C-8DD5-AF20F3606282} => key not found. 
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ShellIconOverlayIdentifiers-x32: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} => key not found. 
HKCR\Wow6432Node\CLSID\ShellIconOverlayIdentifiers-x32: [ OneDrive3] -> {A78ED123-AB77-406B-9962-2A5D9D2F7F30} => key not found. 
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ShellIconOverlayIdentifiers-x32: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => key not found. 
HKCR\Wow6432Node\CLSID\ShellIconOverlayIdentifiers-x32: [ OneDrive4] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => key not found. 
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ShellIconOverlayIdentifiers-x32: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => key not found. 
HKCR\Wow6432Node\CLSID\ShellIconOverlayIdentifiers-x32: [ OneDrive5] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => key not found. 
SbieDrv => service removed successfully
vmci => service removed successfully
VMnetAdapter => service removed successfully
ZAM => service removed successfully
"HKLM\SOFTWARE\Google\Chrome\Extensions\ngpampappnmepgilojfohadhhmbhlaek" => key removed successfully
HKU\S-1-5-21-3261477738-2894924231-4276839988-1001\Software\Mozilla\SeaMonkey\Extensions\\mozilla_cc2@internetdownloadmanager.com => value removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{05DC24A4-E481-4895-A21F-1C49B3844B6A}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{05DC24A4-E481-4895-A21F-1C49B3844B6A}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{2BE2DAB1-0514-4033-BD48-8EFC2E74B925}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2BE2DAB1-0514-4033-BD48-8EFC2E74B925}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{4A6437A4-965B-4040-A2E3-E2D8A248B86B}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4A6437A4-965B-4040-A2E3-E2D8A248B86B}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{5A69E373-24EB-4BEF-BBB3-FBCFF6BDDF75}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5A69E373-24EB-4BEF-BBB3-FBCFF6BDDF75}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{642542A4-2716-450B-BCC6-B53D8270B490}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{642542A4-2716-450B-BCC6-B53D8270B490}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{73098CDF-D11E-4E53-9A0B-4517186E9805}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{73098CDF-D11E-4E53-9A0B-4517186E9805}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{86FAFA83-E2A0-4C05-A0E9-F687AF3C0FE7}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{86FAFA83-E2A0-4C05-A0E9-F687AF3C0FE7}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{8C9F4F67-795B-4788-A533-F6A17152B21B}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{8C9F4F67-795B-4788-A533-F6A17152B21B}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{9C411E11-ECF9-49C9-BF99-27C683834B1D}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{9C411E11-ECF9-49C9-BF99-27C683834B1D}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{A1C306A2-1DE2-45FE-A2B9-D21F49BC5DC7}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A1C306A2-1DE2-45FE-A2B9-D21F49BC5DC7}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{A2E3DE10-03A9-4A02-9857-3F259BBE3724}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A2E3DE10-03A9-4A02-9857-3F259BBE3724}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{CDBA32EE-47B0-435C-ADDC-F8F345C9676B}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CDBA32EE-47B0-435C-ADDC-F8F345C9676B}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{F4D39711-0FF4-432E-AA15-31B3E6D63FFE}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F4D39711-0FF4-432E-AA15-31B3E6D63FFE}" => key removed successfully
 
========================= File: C:\Users\dfz\AppData\Local\Temp\s3.exe ========================
 
File not signed
MD5: C2EAB0BF142300C6BCF108BCC8EE2020
Creation and modification date: 2016-07-05 12:21 - 2016-07-14 00:12
Size: 0492544
Attributes: ----A
Company Name: 
Internal Name: 
Original Name: 
Product: 
Description: 
File Version: 
Product Version: 
Copyright: 
 
====== End of File: ======
 
 
 
The system needed a reboot.
 
==== End of Fixlog 02:36:26 ====

Awaiting further instructions, will not do anything other than use my browser.


Edited by dfz, 13 July 2016 - 02:01 PM.
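
A Fixlog like the one posted above can be summarised mechanically before a human reads it. The following is an added example, not part of the original posts and not FRST's own code: a small parser that tallies the `=> result` outcome lines and pulls out each `File:` report block, listing attributes worth a second look (unsigned, empty version resource, located in a user Temp folder). The function names and the shortened sample log are constructed for illustration, and the flags are review prompts, not a verdict on the file.

```python
import re
from collections import Counter

# Constructed sample: a shortened Fixlog in the layout shown in the post above.
SAMPLE_FIXLOG = r"""Fix result of Farbar Recovery Scan Tool (x64) Version: 13-07-2016 01
Ran by dfz (2016-07-14 02:35:56) Run:1
==============================================
fixlist content:
*****************
CreateRestorePoint:
FF HKU\...\SeaMonkey\Extensions: [x] - C:\idmmzcc2.xpi => not found
File: C:\Users\dfz\AppData\Local\Temp\s3.exe
*****************

Error: (0) Failed to create a restore point.
Processes closed successfully.
HKCR\CLSID\ShellIconOverlayIdentifiers: [ OneDrive1] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => key not found.
ZAM => service removed successfully
"HKLM\SOFTWARE\Google\Chrome\Extensions\ngpampappnmepgilojfohadhhmbhlaek" => key removed successfully

========================= File: C:\Users\dfz\AppData\Local\Temp\s3.exe ========================

File not signed
MD5: C2EAB0BF142300C6BCF108BCC8EE2020
Creation and modification date: 2016-07-05 12:21 - 2016-07-14 00:12
Size: 0492544
Company Name:
File Version:

====== End of File: ======

The system needed a reboot.
==== End of Fixlog 02:36:26 ====
"""

FILE_HEADER = re.compile(r"^=+ File: (?P<path>.+?) =+$")
FILE_END = re.compile(r"^=+ End of File: =+$")
OUTCOME = re.compile(r"^(?P<target>.+?) => (?P<result>.+?)\.?\s*$")
VERSION_FIELDS = ("Company Name", "Internal Name", "Original Name", "Product",
                  "Description", "File Version", "Product Version", "Copyright")


def parse_fixlog(text):
    """Split a Fixlog into action outcomes, errors and File: report blocks."""
    outcomes, errors, files = [], [], []
    current = None        # the File: block being read, if any
    in_fixlist = False    # True while inside the echoed fixlist
    for raw in text.splitlines():
        line = raw.strip()
        if line and set(line) == {"*"}:   # asterisk rows bracket the fixlist echo
            in_fixlist = not in_fixlist
            continue
        if in_fixlist or not line:
            continue                      # echoed directives are not results
        header = FILE_HEADER.match(line)
        if header:
            current = {"path": header.group("path"), "signed": None, "fields": {}}
            files.append(current)
        elif FILE_END.match(line):
            current = None
        elif current is not None:
            if line == "File not signed":
                current["signed"] = False
            elif ":" in line:
                key, _, value = line.partition(":")
                current["fields"][key.strip()] = value.strip()
        elif line.startswith("Error:"):
            errors.append(line)
        else:
            hit = OUTCOME.match(line)
            if hit:
                outcomes.append((hit.group("target"), hit.group("result")))
    return {"outcomes": outcomes, "errors": errors, "files": files}


def triage(report):
    """Tally outcomes and list reasons each reported file deserves review."""
    summary = Counter(result for _, result in report["outcomes"])
    flagged = []
    for entry in report["files"]:
        reasons = []
        if entry["signed"] is False:
            reasons.append("unsigned")
        if not any(entry["fields"].get(name) for name in VERSION_FIELDS):
            reasons.append("no version resource")
        if "\\appdata\\local\\temp\\" in entry["path"].lower():
            reasons.append("located in user Temp")
        size = entry["fields"].get("Size", "")
        flagged.append({"path": entry["path"],
                        "md5": entry["fields"].get("MD5"),
                        "size": int(size) if size.isdigit() else None,
                        "reasons": reasons})
    return summary, flagged


if __name__ == "__main__":
    parsed = parse_fixlog(SAMPLE_FIXLOG)
    counts, review = triage(parsed)
    print(dict(counts), parsed["errors"], review, sep="\n")
```
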


#6 Oh My!


Posted 13 July 2016 - 04:25 PM

Greetings Matt.

The s3.exe file is apparently clean but I would like to remove it anyway.

The 2 "random" file names in your screen shot are legitimate and related to SQLite database.

Please do this.

===================================================

Farbar's Recovery Scan Tool - Run Fix in Normal or Safe Mode

--------------------
  • Press the Windows key + R on your keyboard at the same time. Type in notepad and press Enter
  • Please copy and paste the contents of the below code box into the open notepad and save it as fixlist.txt in the same location/folder as FRST.exe (<<<Important)
C:\Users\dfz\AppData\Local\Temp\s3.exe
emptytemp:
  • Right click on FRST.exe, select Run as administrator then press the Fix button
  • When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
===================================================

Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it. :thumbsup2:
  • Fixlog

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#7 dfz

Posted 13 July 2016 - 04:47 PM

First of all, thank you for the extremely prompt responses in the steps Gary.

I have done as you asked, I ran FRST (FRST wanted to update and I allowed it, please advise if it was a wrong decision) - in admin mode with your commands.
 

Fix result of Farbar Recovery Scan Tool (x64) Version: 13-07-2016 02
Ran by dfz (2016-07-14 05:41:23) Run:2
Running from C:\Users\dfz\Downloads\Watched + Misc
Loaded Profiles: dfz (Available Profiles: dfz)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
C:\Users\dfz\AppData\Local\Temp\s3.exe
emptytemp:
*****************
 
C:\Users\dfz\AppData\Local\Temp\s3.exe => moved successfully
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 0 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 18150515 B
Java, Flash, Steam htmlcache => 26037859 B
Windows/system/drivers => 608 B
Edge => 0 B
Chrome => 369875673 B
Firefox => 7922465 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Default => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 0 B
LocalService => 2450 B
NetworkService => 0 B
dfz => 166161574 B
 
RecycleBin => 0 B
EmptyTemp: => 560.9 MB temporary data Removed.
 
================================
 
 
The system needed a reboot.
 
==== End of Fixlog 05:41:31 ====

Edit: I forgot to mention I have done multiple wipes of my SSD with secure erase in Parted Magic live, with multiple Windows re-installs, before I gave up months ago. (Sorry, a bit late for this information, I had just read through the posts and realized I forgot to mention it.)

And again, a belated thank you for your continued time.

Double edit: Sorry! .. Was going to mention that again, I had a look at the temp folder after the commands and a restart, I see a 7464.tmp.node with some very suspicious wording if opened through Notepad++ or alike, in between all the encoding breaks like NUL.
Reading a byte passes the end of the buffer.    Reading two bytes passes the end of the buffer. Reading three bytes passes the end of the buffer.   Reading four bytes passes the end of the buffer.    List doesn't end with a tail marker, but it must!   Reading sequence past the end of the buffer.    nil null    %lf Invalid float encoded.  Unable to decode big ints larger than 8 bytes   %llu    -%llu   Unable to convert big int to string Failed to uncompresss compressed item   node    id  creation    serial  mod fun arity   Unpacking beyond the end of the buffer  Unsupported erlang term type identifier found   Out of memory   Unknown error   Attempting to unpack a non-object.  Zero length buffer. pack    unpack  ..\js\erlpack.cc    erlpack incorrect header check  unknown compression method  invalid window size unknown header flags set    header crc mismatch invalid block type  invalid stored block lengths    too many length or distance symbols invalid code lengths set    invalid bit length repeat   invalid code -- missing end-of-block    invalid literal/lengths set invalid distances set   invalid literal/length code invalid distance code   invalid distance too far back   incorrect data check    incorrect length check  ` ?GetFunction@FunctionTemplate@v8@@QAE?AV?$Local@VFunction@v8@@@2@XZ E?New@FunctionTemplate@v8@@SA?AV?$Local@VFunctionTemplate@v8@@@2@PAVIsolate@2@P6AXABV?$FunctionCallbackInfo@VValue@v8@@@2@@ZV?$Local@VValue@v8@@@2@V?$Local@VSignature@v8@@@2@H@Z  º?Error@Exception@v8@@SA?AV?$Local@VValue@v8@@@2@V?$Local@VString@v8@@@2@@Z  u?NewFromUtf8@String@v8@@SA?AV?$MaybeLocal@VString@v8@@@2@PAVIsolate@2@PBDW4NewStringType@2@H@Z  ©?WriteUtf8@String@v8@@QBEHPADHPAHH@Z  ü?Length@String@v8@@QBEHXZ 0?New@Array@v8@@SA?AV?$Local@VArray@v8@@@2@PAVIsolate@2@H@Z  ù?Length@Array@v8@@QBEIXZ  ?CreateHandle@HandleScope@v8@@KAPAPAVObject@internal@2@PAVIsolate@42@PAV342@@Z  Œ?CreateHandle@HandleScope@v8@@CAPAPAVObject@internal@2@PAVHeapObject@42@PAV342@@Z 
\??1HandleScope@v8@@QAE@XZ à ??0HandleScope@v8@@QAE@PAVIsolate@1@@Z  P?New@Number@v8@@SA?AV?$Local@VNumber@v8@@@2@PAVIsolate@2@N@Z  2?SlowGetInternalField@Object@v8@@AAE?AV?$Local@VValue@v8@@@2@H@Z  R?New@Object@v8@@SA?AV?$Local@VObject@v8@@@2@PAVIsolate@2@@Z ?SetInternalField@Object@v8@@QAEXHV?$Local@VValue@v8@@@2@@Z 9?GetOwnPropertyNames@Object@v8@@QAE?AV?$MaybeLocal@VArray@v8@@@2@V?$Local@VContext@v8@@@2@@Z  Ý?Get@Object@v8@@QAE?AV?$MaybeLocal@VValue@v8@@@2@V?$Local@VContext@v8@@@2@V?$Local@VValue@v8@@@2@@Z Ú?Get@Object@v8@@QAE?AV?$Local@VValue@v8@@@2@I@Z ã?Set@Object@v8@@QAE_NV?$Local@VValue@v8@@@2@0@Z â?Set@Object@v8@@QAE_NIV?$Local@VValue@v8@@@2@@Z ?SetInternalFieldCount@ObjectTemplate@v8@@QAEXH@Z {?NewInstance@ObjectTemplate@v8@@QAE?AV?$MaybeLocal@VObject@v8@@@2@V?$Local@VContext@v8@@@2@@Z T?New@ObjectTemplate@v8@@SA?AV?$Local@VObjectTemplate@v8@@@2@PAVIsolate@2@V?$Local@VFunctionTemplate@v8@@@2@@Z s?NewFromUnsigned@Integer@v8@@SA?AV?$Local@VInteger@v8@@@2@PAVIsolate@2@I@Z  L?New@Integer@v8@@SA?AV?$Local@VInteger@v8@@@2@PAVIsolate@2@H@Z  f?ThrowException@Isolate@v8@@QAE?AV?$Local@VValue@v8@@@2@V32@@Z  õ?GetCurrentContext@Isolate@v8@@QAE?AV?$Local@VContext@v8@@@2@XZ ô?GetCurrent@Isolate@v8@@SAPAV12@XZ  ñ?GetContents@ArrayBuffer@v8@@QAE?AVContents@12@XZ Ž?Value@External@v8@@QBEPAXXZ  >?New@External@v8@@SA?AV?$Local@VExternal@v8@@@2@PAVIsolate@2@PAX@Z  }?ToString@Value@v8@@QBE?AV?$Local@VString@v8@@@2@XZ node.dll  PGetLastError  3HeapFree  /HeapAlloc ÀGetStdHandle  >GetFileType cGetModuleFileNameW  fGetModuleHandleExW  àWriteConsoleW !EncodePointer þ DecodePointer gIsDebuggerPresent mIsProcessorFeaturePresent 6HeapReAlloc ÈGetCommandLineA GetCurrentThreadId  @RaiseException  ­RtlUnwind ¢GetProcessHeap  QExitProcess GetProcAddress  ÑMultiByteToWideChar ÍWideCharToMultiByte áWriteFile %EnterCriticalSection  ¢LeaveCriticalSection  úOutputDebugStringW  §LoadLibraryExW  8HeapSize  ‚UnhandledExceptionFilter  CSetUnhandledExceptionFilter SetLastError  
HInitializeCriticalSectionAndSpinCount RSleep  GetCurrentProcess aTerminateProcess  sTlsAlloc  uTlsGetValue vTlsSetValue tTlsFree ¾GetStartupInfoW gGetModuleHandleW  rIsValidCodePage ¤GetACP  †GetOEMCP  ³GetCPInfo DeleteCriticalSection bGetModuleFileNameA  -QueryPerformanceCounter 
Then also some XML coding right near the bottom.
<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level='asInvoker' uiAccess='false' />
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>

Apologies if this is normal windows behavior.


Edited by dfz, 13 July 2016 - 05:07 PM.
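
Added example (not part of the original thread, and not a tool anyone in it used): a short Python triage of a strings dump like the one posted above. It groups printable strings by recognisable origin (zlib inflate error messages, V8/Node.js imports, a source path, Win32 imports, the application manifest) and lists what is left over; the marker lists, function names and sample blob are assumptions constructed here from strings quoted in the post.

```python
import re

# Marker families (assumed for this example), matched as substrings of each string.
MARKERS = {
    "zlib inflate errors": [b"incorrect header check", b"invalid block type",
                            b"invalid distance too far back"],
    "V8 / Node.js imports": [b"@v8@@", b"node.dll"],
    "source path": [b".cc", b".cpp"],
    "Win32 imports": [b"IsDebuggerPresent", b"LoadLibraryExW", b"HeapAlloc"],
    "application manifest": [b"requestedExecutionLevel"],
}

def extract_strings(blob, min_len=4):
    """Printable-ASCII runs of at least min_len bytes, as the `strings` tool does."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)

def classify(blob):
    """Return {family: [matching strings]} for every marker family seen in blob."""
    hits = {}
    for s in extract_strings(blob):
        for family, needles in MARKERS.items():
            if any(n in s for n in needles):
                hits.setdefault(family, []).append(s.decode("ascii"))
    return hits

def execution_level(blob):
    """Requested UAC level from an embedded application manifest, or None."""
    m = re.search(rb"requestedExecutionLevel\s+level=['\"](\w+)['\"]", blob)
    return m.group(1).decode("ascii") if m else None

def unexplained(blob):
    """Strings that match no family: the ones that still need a human look."""
    known = {s for group in classify(blob).values() for s in group}
    return [t for t in (s.decode("ascii") for s in extract_strings(blob)) if t not in known]

# Constructed sample: a few strings quoted in the post, NUL-separated as in a binary.
SAMPLE = b"\x00".join([
    b"MZ\x90", b"incorrect header check", b"invalid block type",
    rb"..\js\erlpack.cc", b"?GetCurrent@Isolate@v8@@SAPAV12@XZ", b"node.dll",
    b"IsDebuggerPresent", b"HeapAlloc", b"Out of memory",
    b"<requestedExecutionLevel level='asInvoker' uiAccess='false' />",
])

if __name__ == "__main__":
    for family, strings in classify(SAMPLE).items():
        print(f"{family}: {strings}")
    print("manifest level:", execution_level(SAMPLE), "| unexplained:", unexplained(SAMPLE))
```

Matching strings shows which libraries a file was built from, not whether the file is trustworthy; a signature check and a hash lookup remain the deciding evidence.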


#8 Oh My!

Posted 13 July 2016 - 06:28 PM

Greetings Matt.

Your computer is clean. It appears you are looking for something that isn't there and I really don't have anything else I can offer that will ease your mind.
Gary
 

#9 dfz

Posted 13 July 2016 - 06:43 PM

Well, that's great to hear, like I said in my original post, I've been huddled up in unix for too long so misunderstanding windows files was a sad conclusion, I must have fixed it during a wipe and then following my own confirmation bias, kept being worried.
Is there any chance of giving a percentage that you are sure I'm fine? (Feel free to just confirm again that the computer is clean, sorry for paranoia) (I just really want to make sure, as I've taken many machines off the network and haven't even started a brand new laptop I brought as I was worried of it being spread across our LAN) I guess I'm pressing on this due to so much advice that this was hardware based, though, I know myself that is incredibly rare unless being targeted. I will happily take your next response as your best opinion and sorry if you feel I have wasted any of your time. As I said earlier, I have donated to the insane lawsuit you guys are facing, though if you accept personal donations, please PM or reply and I feel more than obliged to donate to you directly.

I have a problem with walls of text, sorry for that as well.

One last thing, is MBAE and ESET Smart Security 9 (Paid) a decent enough combination to avoid most things on windows in the future? I know that the single most important step is common sense in downloading and visiting sites. (For Chrome security/blocking, I use uBlock Origin with all suggested filters, HTTPS everywhere and WOT).


Thank you Gary.


Edited by dfz, 13 July 2016 - 06:45 PM.


#10 Oh My!

Posted 13 July 2016 - 07:03 PM

Greetings Matt.

Based on the steps you have taken in the past and the current state of your computer, I am quite certain it is clean. Sometimes we allow our worries to lead our conclusions, and because of the complex nature of computers and programming language, legitimate items may look suspicious when, in fact, we simply don't have the ability to completely understand all that we see.

You have not wasted my time at all. This is what we are here for, to assist people in cleaning their computers or determining their computer is clean, as is yours.

I greatly appreciate your willingness to support BleepingComputer and your offer to support me personally. I prefer to help people for free and I trust you are not offended by my declining your generous offer.

Please allow me to provide some information for you to review to address your concern about keeping your computer clean going forward.

Now that your computer is running well it is my great pleasure to proclaim to you the Good News!

===================================================

All Clean!

--------------

Your machine appears to be clean and we will now remove the tools used and logs created during our steps. Please do this.

===================================================

Delfix by Xplode

--------------------
  • Download Delfix and save it to your Desktop
  • Double click the icon
  • Place checkmarks in:

Remove disinfection tools
Create registry backup
Purge system restore

  • Click Run
===================================================

You may delete any additional programs or logs on your computer which were not automatically removed by Delfix. Simply delete the log files or desktop icons. If we used Emsisoft Emergency Kit just delete the icon on your desktop and the C:\EEK folder.

Please take the time to read below on how to secure the machine and take the necessary steps to keep it clean :thumbsup:

Lawrence Abrams, the founder of BleepingComputer.com, has developed an excellent tutorial which will provide you with the information you need to know to keep your computer secure and clean. Please take the time to read:

In addition, here are some more links you might find of interest:

Thank you for placing your trust in BleepingComputer. It was a pleasure serving you.
Gary
 

#11 dfz

Posted 13 July 2016 - 07:12 PM

No really, it was my pleasure.. You have incredible understanding and patience I've come to realize looking at other threads and how you dealt with this.

I will continue to help in IRC for linux issues and I've got a real interest in learning the methodology you guys use and helping out further.

Following all the steps above and checking the tutorials linked. Feel free to lock this up!
Very glad to hear what you've had to say, I'll stop with the intensive appraise and let you get back to helping others (or.. you know, enjoying some free time :P)

Great conclusion, great help.. Great day!  :bananas: 
 



#12 Oh My!

Posted 13 July 2016 - 09:08 PM

Thanks Matt, I appreciate your kind words.

Gary

#13 Oh My!

Posted 13 July 2016 - 09:08 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
Gary
 