Mal/HckPk-A, Rootkit.HiddenFile, Browser Windows Open from strange websites


This topic is locked
7 replies to this topic

#1 Glycerine


Posted 17 September 2016 - 11:26 AM

Hi There,

 

Here are some results of some tools that I have used along with more symptoms.

 

System: Windows 8.1 X64
 
Symptoms: The computer is very sluggish, the fan is always racing, the computer takes 15 minutes to start up, and in the middle of browsing whole tabs will just pop up and display random content. Sorry if I provided too much info; I'm just trying to provide as much information as I can so you can best assist me.
 
1) One Tab that just popped up was "www.GetTVStreamNow.com"
 
2) Another Tab that popped up one time was "WWW.BestApplicationDownloads.com" that said "Please Install Flash Player"
 
3) Both times the tabs popped up, I got a message from my ESET that said, "Address has been blocked," address: http://ak.imgfarm.com/images/download/offsiteJS/offsite.min.js?v=2
 
4) One time I went to log in to my webmail, and on the log-in page it had an icon for Facebook that said "Connect Using Facebook." I typed in my credentials to log in and the page refreshed with the message, "Facebook Connect is not supported with this product."
 
5) I always get messages "The Recycle Bin on C:/ is corrupted. Do you want to empty the Recycle Bin for this Drive?"
 
6) A scan was done with Comodo Cleaning Essentials; it said I had a "Rootkit.hiddenFile" and then listed the five files in the picture.
 
7) Sophos Virus Removal Tool stated it could not open the following files and that I had the virus Mal/HckPk-A. It said that it would clean it up; however, it then says that it can't be cleaned.
 
2016-09-17 14:34:57.779 Could not open C:\hiberfil.sys
2016-09-17 14:34:59.255 Could not open C:\pagefile.sys
2016-09-17 14:42:52.279 >>> Virus 'Mal/HckPk-A' found in file C:\ProgramData\Microsoft\Windows Defender\LocalCopy\{95DCAB72-91B5-C614-9B41-BFA4BE292BCE}-tdsskiller.exe\FILE:0000
2016-09-17 14:42:52.279 Disinfection not offered
2016-09-17 14:43:19.323 Could not open C:\swapfile.sys
2016-09-17 14:43:20.402 Could not open C:\System Volume Information\{0d70dde0-7537-11e6-bf22-f01faf0ad82d}{3808876b-c176-4e48-b7ae-04046e6cc752}
2016-09-17 14:43:20.403 Could not open C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}
2016-09-17 14:43:20.403 Could not open C:\System Volume Information\{5f5133e5-6f10-11e6-bf22-f01faf0ad82d}{3808876b-c176-4e48-b7ae-04046e6cc752}
2016-09-17 14:43:20.404 Could not open C:\System Volume Information\{5f514ac9-6f10-11e6-bf22-f01faf0ad82d}{3808876b-c176-4e48-b7ae-04046e6cc752}
2016-09-17 14:43:20.404 Could not open C:\System Volume Information\{64904721-7c2e-11e6-bf23-f01faf0ad82d}{3808876b-c176-4e48-b7ae-04046e6cc752}
2016-09-17 14:43:20.404 Could not open C:\System Volume Information\{ee8f5c2f-7602-11e6-bf23-f01faf0ad82d}{3808876b-c176-4e48-b7ae-04046e6cc752}
2016-09-17 14:46:26.240 Could not open C:\Users\SayItAintSo\AppData\Local\Google\Chrome\User Data\Default\Current Session
2016-09-17 14:59:36.383 Could not open C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb
2016-09-17 14:59:36.383 Could not open C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb
2016-09-17 14:59:39.503 Could not open C:\Windows\System32\config\BBI
2016-09-17 14:59:39.737 Could not open C:\Windows\System32\config\RegBack\DEFAULT
2016-09-17 14:59:39.739 Could not open C:\Windows\System32\config\RegBack\SAM
2016-09-17 14:59:39.740 Could not open C:\Windows\System32\config\RegBack\SECURITY
2016-09-17 14:59:39.741 Could not open C:\Windows\System32\config\RegBack\SOFTWARE
2016-09-17 14:59:39.742 Could not open C:\Windows\System32\config\RegBack\SYSTEM
2016-09-17 15:17:37.064 The following items will be cleaned up:
2016-09-17 15:17:37.064 Mal/HckPk-A
 
 
8) A scan with HitmanPro found this:
 
 C:\Users\SayItAintSo\Desktop\CCE\FRST-OlderVersion\FRST64.exe
      Size . . . . . . . : 2,370,560 bytes
      Age  . . . . . . . : 273.9 days (2015-12-18 07:27:18)
      Entropy  . . . . . : 7.6
      SHA-256  . . . . . : CF3E0F241FD2441C60F7D4DCDCB824ABEC73CC5B6DAEDD01804B696922691629
      Needs elevation  . : Yes
      Fuzzy  . . . . . . : 22.0
         Program has no publisher information but prompts the user for permission elevation.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
 
   C:\Users\SayItAintSo\Desktop\PraxisScoreReports\FRST64.exe
      Size . . . . . . . : 2,169,856 bytes
      Age  . . . . . . . : 410.9 days (2015-08-03 07:23:56)
      Entropy  . . . . . : 7.5
      SHA-256  . . . . . : A56919AD9BE13E05E709A8C675F8727E340FEE89F2E18B85A3034CB66173C2AB
      Needs elevation  . : Yes
      Fuzzy  . . . . . . : 22.0
         Program has no publisher information but prompts the user for permission elevation.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
 
   C:\WINDOWS\System32\drivers\iwdbus.sys
      Size . . . . . . . : 27,032 bytes
      Age  . . . . . . . : 777.5 days (2014-08-01 16:25:47)
      Entropy  . . . . . : 6.4
      SHA-256  . . . . . : A76DEA9F09E3B2F18D3B646A0DD39E2773EC62E2F3C55421BA61C12190D78C1C
      Product  . . . . . : Intel® WiDi Solution
      Publisher  . . . . : Intel Corporation
      Description  . . . : Intel® WiDi Solution
      Version  . . . . . : 4.5.52.0
      Copyright  . . . . : Copyright © 2013-2013, Intel Corporation.  All rights reserved.
      RSA Key Size . . . : 1024
      Service  . . . . . : iwdbus
      LanguageID . . . . : 1033
      Authenticode . . . : Invalid
      Fuzzy  . . . . . . : 25.0
         Program is altered or corrupted since it was code signed by its author. This is typical for malware and pirated software.
         Starts automatically as a service during system bootup.
         The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
         The file is a device driver. Device drivers run as trusted (highly privileged) code.
      Startup HKLM\SYSTEM\CurrentControlSet\Services\iwdbus\
 
   C:\WINDOWS\system32\IntelWiDiAAC64.dll
      Size . . . . . . . : 4,011,168 bytes
      Age  . . . . . . . : 716.4 days (2014-10-01 19:54:28)
      Entropy  . . . . . : 6.7
      SHA-256  . . . . . : FDA28EB840687CD7DB533CF34BEB25352BD6F86ABF1E904D3EAB8B180E50A0A6
      Product  . . . . . : Intel® WiDi
      Publisher  . . . . : Intel Corporation
      Description  . . . : Intel AAC
      Version  . . . . . : 4.5.57.0
      Copyright  . . . . : Copyright © 2013-2013, Intel Corporation.  All rights reserved.
      RSA Key Size . . . : 1024
      LanguageID . . . . : 1033
      Authenticode . . . : Invalid
      Fuzzy  . . . . . . : 22.0
         Program is altered or corrupted since it was code signed by its author. This is typical for malware and pirated software.
         The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
 
   C:\WINDOWS\system32\IntelWiDiAudioFilter64.dll
      Size . . . . . . . : 646,304 bytes
      Age  . . . . . . . : 716.4 days (2014-10-01 19:54:28)
      Entropy  . . . . . : 5.6
      SHA-256  . . . . . : F7EB5262561F159ABA2B186E68A8AC8CD847828B87429CA0C2D299EBE788DB17
      Product  . . . . . : Intel® WiDi
      Publisher  . . . . : Intel Corporation
      Description  . . . : Audio Source Filter.
      Version  . . . . . : 4.5.57.0
      Copyright  . . . . : Copyright © 2013-2013, Intel Corporation.  All rights reserved.
      RSA Key Size . . . : 1024
      LanguageID . . . . : 1033
      Authenticode . . . : Invalid
      Fuzzy  . . . . . . : 22.0
         Program is altered or corrupted since it was code signed by its author. This is typical for malware and pirated software.
         The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
 
   C:\WINDOWS\system32\IntelWiDiDDEAgent64.dll
      Size . . . . . . . : 177,824 bytes
      Age  . . . . . . . : 716.4 days (2014-10-01 19:54:28)
      Entropy  . . . . . : 6.0
      SHA-256  . . . . . : 342B24557B419BA667B5BC5D51D7EB7080BF75F91792B6CF4AF10D5BE1431204
      Product  . . . . . : Intel® WiDi
      Publisher  . . . . : Intel Corporation
      Description  . . . : IntelWiDiDDEAgent.dll COM object.
      Version  . . . . . : 4.5.57.0
      Copyright  . . . . : Copyright © 2013-2013, Intel Corporation.  All rights reserved.
      RSA Key Size . . . : 1024
      LanguageID . . . . : 1033
      Authenticode . . . : Invalid
      Fuzzy  . . . . . . : 22.0
         Program is altered or corrupted since it was code signed by its author. This is typical for malware and pirated software.
         The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
 
   C:\WINDOWS\system32\IntelWiDiLogServer64.dll
      Size . . . . . . . : 94,368 bytes
      Age  . . . . . . . : 716.4 days (2014-10-01 19:54:28)
      Entropy  . . . . . : 6.1
      SHA-256  . . . . . : 63B0EFAEFC91524AB404442488CA344D9853E07E51D8974EB0C6CD34AE74A1A6
      Product  . . . . . : Intel® WiDi
      Publisher  . . . . : Intel Corporation
      Description  . . . : Logging Server
      Version  . . . . . : 4.5.57.0
      Copyright  . . . . : Copyright © 2013-2013, Intel Corporation.  All rights reserved.
      RSA Key Size . . . : 1024
      LanguageID . . . . : 1033
      Authenticode . . . : Invalid
      Fuzzy  . . . . . . : 22.0
         Program is altered or corrupted since it was code signed by its author. This is typical for malware and pirated software.
         The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
 
   C:\WINDOWS\system32\IntelWiDiMCUMD64.dll
      Size . . . . . . . : 128,672 bytes
      Age  . . . . . . . : 716.4 days (2014-10-01 19:54:28)
      Entropy  . . . . . : 6.3
      SHA-256  . . . . . : 066FB9F5C5B4308C31AC62B33A9388F77AA90793CAB896DFD00D1ED539FAE871
      Product  . . . . . : Intel® WiDi
      Publisher  . . . . : Intel Corporation
      Description  . . . : IntelWiDiMCUMD.dll
      Version  . . . . . : 4.5.57.0
      Copyright  . . . . : Copyright © 2013-2013, Intel Corporation.  All rights reserved.
      RSA Key Size . . . : 1024
      LanguageID . . . . : 1033
      Authenticode . . . : Invalid
      Fuzzy  . . . . . . : 22.0
         Program is altered or corrupted since it was code signed by its author. This is typical for malware and pirated software.
         The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
 
   C:\WINDOWS\system32\IntelWiDiMux64.dll
      Size . . . . . . . : 603,296 bytes
      Age  . . . . . . . : 716.4 days (2014-10-01 19:54:28)
      Entropy  . . . . . : 6.4
      SHA-256  . . . . . : 47EC692BF4B79364F7753E17637133F1141A31CCA91B9B9E10F0E5DED0F2804D
      Product  . . . . . : Intel® WiDi
      Publisher  . . . . : Intel Corporation
      Description  . . . : Intel® TS Mux / Network Renderer
      Version  . . . . . : 4.5.57.0
      Copyright  . . . . : Copyright © 2013-2013, Intel Corporation.  All rights reserved.
      RSA Key Size . . . : 1024
      LanguageID . . . . : 1033
      Authenticode . . . : Invalid
      Fuzzy  . . . . . . : 22.0
         Program is altered or corrupted since it was code signed by its author. This is typical for malware and pirated software.
         The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
 
   C:\WINDOWS\system32\IntelWiDiSecureSourceFilter64.dll
      Size . . . . . . . : 1,455,776 bytes
      Age  . . . . . . . : 716.4 days (2014-10-01 19:54:28)
      Entropy  . . . . . : 5.7
      SHA-256  . . . . . : 4CCB3432150E051D990FB2A657F50BEF905B425E2ED7BE8172CFB89DABEE4BA9
      Product  . . . . . : Intel® WiDi
      Publisher  . . . . : Intel Corporation
      Description  . . . : Secure Video Source Filter.
      Version  . . . . . : 4.5.57.0
      Copyright  . . . . : Copyright © 2013-2013, Intel Corporation.  All rights reserved.
      RSA Key Size . . . : 1024
      LanguageID . . . . : 1033
      Authenticode . . . : Invalid
      Fuzzy  . . . . . . : 22.0
         Program is altered or corrupted since it was code signed by its author. This is typical for malware and pirated software.
         The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
 
   C:\WINDOWS\system32\IntelWiDiSilenceFilter64.dll
      Size . . . . . . . : 344,736 bytes
      Age  . . . . . . . : 716.4 days (2014-10-01 19:54:28)
      Entropy  . . . . . : 6.4
      SHA-256  . . . . . : BA014241596AF3775A7DC3981017FA58A632F47D4BDFD1365D956B53071A94E4
      Product  . . . . . : Intel® WiDi
      Publisher  . . . . : Intel Corporation
      Description  . . . : Silence Audio Filter.
      Version  . . . . . : 4.5.57.0
      Copyright  . . . . : Copyright © 2013-2013, Intel Corporation.  All rights reserved.
      RSA Key Size . . . : 1024
      LanguageID . . . . : 1033
      Authenticode . . . : Invalid
      Fuzzy  . . . . . . : 22.0
         Program is altered or corrupted since it was code signed by its author. This is typical for malware and pirated software.
         The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
 
   C:\WINDOWS\system32\IntelWiDiUtils64.dll
      Size . . . . . . . : 210,592 bytes
      Age  . . . . . . . : 716.4 days (2014-10-01 19:54:30)
      Entropy  . . . . . : 6.3
      SHA-256  . . . . . : C1CD971AD38E4245B95000802CEE0CD1A58B7031BF6A5F20968F2DA980258335
      Product  . . . . . : Intel® WiDi
      Publisher  . . . . : Intel Corporation
      Description  . . . : Platform Detection Library
      Version  . . . . . : 4.5.57.0
      Copyright  . . . . : Copyright © 2013-2013, Intel Corporation.  All rights reserved.
      RSA Key Size . . . : 1024
      LanguageID . . . . : 1033
      Authenticode . . . : Invalid
      Fuzzy  . . . . . . : 22.0
         Program is altered or corrupted since it was code signed by its author. This is typical for malware and pirated software.
         The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
 
   C:\WINDOWS\system32\IntelWiDiWinNextAgent64.dll
      Size . . . . . . . : 793,248 bytes
      Age  . . . . . . . : 716.4 days (2014-10-01 19:54:30)
      Entropy  . . . . . : 6.2
      SHA-256  . . . . . : 14928386C4CB2B7E2501B0B057E23953A857C526D0F8392659371168973F9E92
      Product  . . . . . : Intel® WiDi
      Publisher  . . . . : Intel Corporation
      Description  . . . : IntelWiDiWinNextAgent.dll COM object.
      Version  . . . . . : 4.5.57.0
      Copyright  . . . . : Copyright © 2013-2013, Intel Corporation.  All rights reserved.
      RSA Key Size . . . : 1024
      LanguageID . . . . : 1033
      Authenticode . . . : Invalid
      Fuzzy  . . . . . . : 22.0
         Program is altered or corrupted since it was code signed by its author. This is typical for malware and pirated software.
         The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
 
 
Cookies _____________________________________________________________________
 
   C:\Users\SayItAintSo\AppData\Local\Google\Chrome\User Data\Default\Cookies:ads.masslive.com
   C:\Users\SayItAintSo\AppData\Local\Google\Chrome\User Data\Default\Cookies:doubleclick.net
 
9) My Windows Firewall has a bunch of strange-named rules that I never created:
 
[TW5EXRhGPgKhmL] SSDP Server All Yes Allow No C:\WINDOWS\system32\svchost.exe Any    Local subnet     UDP
 
      1900                 Any              Any                 Any                                           Any                                  Any                                     Any
 
[TW9rUnBxKOr4i9] UPnP Server All Yes Allow No C:\WINDOWS\system32\svchost.exe Any    Local subnet     TCP
 
      2869                 Any              Any                 Any                                           Any                                  Any                                     Any
 
[TWHoBSQUzGbuRb][in] DNS client UDP All Yes Allow No C:\WINDOWS\system32\svchost.exe Any     DNS servers     UDP
 
      Any                   53              Any                 Any                                           Any                                  Any                                     Any
 
[TWHoBSQUzGbuRb][in] LLMNR-UDP (client) All Yes Allow No C:\WINDOWS\system32\svchost.exe Any     Local subnet     UDP
 
      Any                  5355              Any                 Any                                           Any                                  Any                                     Any
 
[TWHoBSQUzGbuRb][in] LLMNR-UDP (server) All Yes Allow No C:\WINDOWS\system32\svchost.exe Any     Local subnet     UDP
 
      5355                  Any              Any                 Any                                           Any                                  Any                                     Any
 
[TWLQJmE6sCt2KA][in] DHCP IPv4 client All Yes Allow No C:\WINDOWS\system32\svchost.exe Any     Local subnet     UDP
 
        68                    67              Any                 Any                                           Any                                  Any                                     Any
 
10) RogueKillerX64 scan says:
 
¤¤¤ Registry : 4 ¤¤¤
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MFE_RR (\??\C:\Users\SAYITA~1\AppData\Local\Temp\mfe_rr.sys) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MFE_RR (\??\C:\Users\SAYITA~1\AppData\Local\Temp\mfe_rr.sys) -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-1728614643-3146882776-3930629701-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-1728614643-3146882776-3930629701-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_TrackProgs : 0  -> Found
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: Hitachi HTS545050A7E380 +++++
--- User ---
[MBR] 87a8aea02a02b5824a36e48436682153
[BSP] 5f098a2ac3604136421232d5f9139081 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [MAN-MOUNT] EFI system partition | Offset (sectors): 2048 | Size: 500 MB
1 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 1026048 | Size: 40 MB
2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 1107968 | Size: 128 MB
3 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 1370112 | Size: 500 MB
4 - Basic data partition | Offset (sectors): 2394112 | Size: 463367 MB
5 - [SYSTEM][MAN-MOUNT]  | Offset (sectors): 951369728 | Size: 450 MB
6 - [SYSTEM][MAN-MOUNT] Microsoft recovery partition | Offset (sectors): 952291328 | Size: 11953 MB
User = LL1 ... OK
User = LL2 ... OK
 
 
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 17-09-2016
Ran by SayItAintSo (administrator) on LIVINGROOM-PC (17-09-2016 11:44:27)
Running from C:\Users\SayItAintSo\Desktop
Loaded Profiles: SayItAintSo (Available Profiles: SayItAintSo & BeverlyHills & .NET v4.5 & DefaultAppPool & .NET v4.5 Classic)
Platform: Windows 8.1 (Update) (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(ESET) C:\Program Files\ESET\ESET Smart Security\ekrn.exe
(Intel Corporation) C:\Windows\System32\igfxCUIService.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Framework\Common\avgsvca.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office 15\ClientX64\officeclicktorun.exe
(Microsoft Corporation) C:\Windows\System32\mqsvc.exe
(www.shadowexplorer.com) C:\Program Files (x86)\ShadowExplorer\sesvc.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Zemana Ltd.) C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(ESET) C:\Program Files\ESET\ESET Smart Security\egui.exe
(Microsoft Corporation) C:\Windows\System32\alg.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe
(Intel Corporation) C:\Windows\System32\igfxEM.exe
(Intel Corporation) C:\Windows\System32\igfxHK.exe
(Intel Corporation) C:\Windows\System32\igfxTray.exe
(Apple Inc.) C:\Program Files\iTunes\iTunesHelper.exe
(Apple Inc.) C:\Program Files\iPod\bin\iPodService.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\FileManager\PhotosApp.exe
() C:\Users\SayItAintSo\Desktop\RogueKillerX64 (1).exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Microsoft Corporation) C:\Windows\ImmersiveControlPanel\SystemSettings.exe
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [Logitech Download Assistant] => C:\Windows\System32\LogiLDA.dll [3933496 2012-09-20] (Logitech, Inc.)
HKLM\...\Run: [ZAM] => C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe [13624048 2016-09-02] (Zemana Ltd.)
HKLM\...\Run: [iTunesHelper] => C:\Program Files\iTunes\iTunesHelper.exe [176952 2016-03-19] (Apple Inc.)
HKU\S-1-5-21-1728614643-3146882776-3930629701-1001\...\Run: [CCleaner Monitoring] => C:\Program Files\CCleaner\CCleaner64.exe [8641240 2016-02-12] (Piriform Ltd)
HKU\S-1-5-21-1728614643-3146882776-3930629701-1001\...\Policies\Explorer: [NoSetActiveDesktop] 0
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  No File
BootExecute: autocheck autochk * sdnclean64.exe
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Hosts: 127.0.0.1 localhost
Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76
Tcpip\..\Interfaces\{5F0A5604-E0D9-4842-A499-53FE5F1B935A}: [DhcpNameServer] 75.75.75.75 75.75.76.76
Tcpip\..\Interfaces\{F1E4A23A-AE5D-4AEA-8A37-3B164516667B}: [DhcpNameServer] 192.168.1.1
 
Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-1728614643-3146882776-3930629701-1001\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-1728614643-3146882776-3930629701-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
URLSearchHook: [S-1-5-21-1728614643-3146882776-3930629701-1001] ATTENTION => Default URLSearchHook is missing
SearchScopes: HKLM -> DefaultScope value is missing
SearchScopes: HKLM-x32 -> DefaultScope value is missing
BHO: Skype for Business Browser Helper -> {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\OCHelper.dll [2016-07-12] (Microsoft Corporation)
BHO: CIESpeechBHO Class -> {8D10F6C4-0E01-4BD4-8601-11AC1FDF8126} -> C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\IEPlugIn.dll [2012-12-28] (Qualcomm Atheros Commnucations)
BHO: Microsoft SkyDrive Pro Browser Helper -> {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} -> C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX64\Microsoft Office\Office15\GROOVEEX.DLL [2016-07-05] (Microsoft Corporation)
Toolbar: HKU\S-1-5-21-1728614643-3146882776-3930629701-1001 -> No Name - {1DAC0C53-7D23-4AB3-856A-B04D98CD982A} -  No File
Toolbar: HKU\S-1-5-21-1728614643-3146882776-3930629701-1001 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
DPF: HKLM {7530BFB8-7293-4D34-9923-61A11451AFC5} hxxp://download.eset.com/special/eos/OnlineScanner.cab
Handler-x32: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\Office15\MSOSB.DLL [2016-06-28] (Microsoft Corporation)
 
FireFox:
========
FF ProfilePath: C:\Users\SayItAintSo\AppData\Roaming\Mozilla\Firefox\Profiles\ca5agpks.default
FF DefaultSearchEngine.US: Google
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF64_23_0_0_162.dll [2016-09-13] ()
FF Plugin: @videolan.org/vlc,version=2.1.5 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2016-06-01] (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.2.2 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2016-06-01] (VideoLAN)
FF Plugin: @videolan.org/vlc,version=2.2.4 -> C:\Program Files\VideoLAN\VLC\npvlc.dll [2016-06-01] (VideoLAN)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_23_0_0_162.dll [2016-09-13] ()
FF Plugin-x32: @Apple.com/iTunes,version=1.0 -> C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll [2016-03-08] ()
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\Program Files\Microsoft Office 15\root\Office15\NPSPWRAP.DLL [2016-06-28] (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-28] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-28] (Google Inc.)
FF Plugin-x32: gamesys.co.uk/VirginGeolocationPlugin -> C:\Program Files (x86)\Virgin Casino GeoLocation\BrowserPlugin\npGeolocationPlugin.dll [No File]
FF Extension: (Firefox Hotfix) - C:\Users\SayItAintSo\AppData\Roaming\Mozilla\Firefox\Profiles\ca5agpks.default\Extensions\firefox-hotfix@mozilla.org.xpi [2016-09-11]
FF Extension: (Flashblock) - C:\Users\SayItAintSo\AppData\Roaming\Mozilla\Firefox\Profiles\ca5agpks.default\Extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a} [2016-04-08]
FF Extension: (NoScript) - C:\Users\SayItAintSo\AppData\Roaming\Mozilla\Firefox\Profiles\ca5agpks.default\Extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi [2016-08-28]
FF Extension: (Adblock Plus) - C:\Users\SayItAintSo\AppData\Roaming\Mozilla\Firefox\Profiles\ca5agpks.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2016-04-28]
FF Extension: (DownThemAll!) - C:\Users\SayItAintSo\AppData\Roaming\Mozilla\Firefox\Profiles\ca5agpks.default\Extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}.xpi [2016-09-17]
FF HKLM-x32\...\Thunderbird\Extensions: [msktbird@mcafee.com] - C:\Program Files\McAfee\MSK => not found
 
Chrome: 
=======
CHR Profile: C:\Users\SayItAintSo\AppData\Local\Google\Chrome\User Data\Default [2016-09-17]
CHR Extension: (Google Slides) - C:\Users\SayItAintSo\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2016-03-12]
CHR Extension: (Google Docs) - C:\Users\SayItAintSo\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2016-03-12]
CHR Extension: (Google Drive) - C:\Users\SayItAintSo\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-03-12]
CHR Extension: (Admin Tools) - C:\Users\SayItAintSo\AppData\Local\Google\Chrome\User Data\Default\Extensions\bigmfjdfngafahnkjchgobejppekainl [2016-03-12]
CHR Extension: (YouTube) - C:\Users\SayItAintSo\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-03-12]
CHR Extension: (Chrome Connectivity Diagnostics) - C:\Users\SayItAintSo\AppData\Local\Google\Chrome\User Data\Default\Extensions\eemlkeanncmjljgehlbplemhmdmalhdc [2016-03-12]
CHR Extension: (Google Sheets) - C:\Users\SayItAintSo\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2016-03-12]
CHR Extension: (Google Docs Offline) - C:\Users\SayItAintSo\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-03-16]
CHR Extension: (Open Port Check Tool) - C:\Users\SayItAintSo\AppData\Local\Google\Chrome\User Data\Default\Extensions\lefghalnfhaklfbndadklndcndabkadb [2016-03-12]
CHR Extension: (Chrome Web Store Payments) - C:\Users\SayItAintSo\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-04]
CHR Extension: (Gmail) - C:\Users\SayItAintSo\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2016-03-12]
CHR Extension: (Chrome Media Router) - C:\Users\SayItAintSo\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-08-30]
CHR HKLM\...\Chrome\Extension: [hkhkiakolggnnicallabhkobalpeplpi] - <no Path/update_url>
CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [hkhkiakolggnnicallabhkobalpeplpi] - <no Path/update_url>
CHR HKLM-x32\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 Apple Mobile Device Service; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [83768 2016-03-02] (Apple Inc.)
S4 AtherosSvc; C:\Program Files (x86)\Dell Wireless\Bluetooth Suite\AdminService.exe [226944 2012-12-28] (Qualcomm Atheros Commnucations) [File not signed]
R2 avgsvc; C:\Program Files (x86)\AVG\Framework\Common\avgsvca.exe [1045928 2016-02-18] (AVG Technologies CZ, s.r.o.)
R2 ClickToRunSvc; C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe [3189488 2016-07-05] (Microsoft Corporation)
R2 ekrn; C:\Program Files\ESET\ESET Smart Security\ekrn.exe [2779136 2016-08-23] (ESET)
R2 igfxCUIService1.0.0.0; C:\Windows\system32\igfxCUIService.exe [319376 2014-10-01] (Intel Corporation)
R2 sesvc; C:\Program Files (x86)\ShadowExplorer\sesvc.exe [9216 2013-01-02] (www.shadowexplorer.com) [File not signed]
S3 vmicvss; C:\Windows\System32\ICSvc.dll [524800 2014-11-21] (Microsoft Corporation)
S3 WdNisSvc; C:\Program Files\Windows Defender\NisSrv.exe [366552 2015-07-07] (Microsoft Corporation)
S3 WinDefend; C:\Program Files\Windows Defender\MsMpEng.exe [23824 2015-07-07] (Microsoft Corporation)
R2 ZAMSvc; C:\Program Files (x86)\Zemana AntiMalware\ZAM.exe [13624048 2016-09-02] (Zemana Ltd.)
S3 ZAtheros Wlan Agent; C:\Program Files (x86)\Dell Wireless\Ath_WlanAgent.exe [81536 2012-12-26] (Atheros) [File not signed]
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S3 DellRbtn; C:\Windows\System32\drivers\DellRbtn.sys [10752 2013-01-24] (OSR Open Systems Resources, Inc.)
R1 eamonm; C:\Windows\System32\DRIVERS\eamonm.sys [263296 2016-08-23] (ESET)
S0 ebdrv; C:\Windows\System32\drivers\evbda.sys [3357024 2013-08-22] (Broadcom Corporation)
R0 edevmon; C:\Windows\System32\DRIVERS\edevmon.sys [199680 2016-04-13] (ESET)
S0 eelam; C:\Windows\System32\DRIVERS\eelam.sys [15488 2016-08-23] (ESET)
R1 ehdrv; C:\Windows\system32\DRIVERS\ehdrv.sys [197288 2016-08-23] (ESET)
R2 ekbdflt; C:\Windows\system32\DRIVERS\ekbdflt.sys [153248 2016-08-23] (ESET)
R1 epfw; C:\Windows\system32\DRIVERS\epfw.sys [208552 2016-08-23] (ESET)
R1 EpfwLWF; C:\Windows\system32\DRIVERS\EpfwLWF.sys [61608 2016-08-23] (ESET)
R0 epfwwfp; C:\Windows\System32\DRIVERS\epfwwfp.sys [84640 2016-08-23] (ESET)
R1 epp64; C:\EEK1\bin\epp64.sys [138504 2016-03-12] (Emsisoft GmbH)
U5 NdisImPlatform; C:\Windows\System32\Drivers\NdisImPlatform.sys [126464 2014-11-21] (Microsoft Corporation)
S0 raeehd; no ImagePath
S3 SmbDrv; C:\Windows\System32\drivers\Smb_driver_AMDASF.sys [28040 2012-12-21] (Synaptics Incorporated)
R3 SmbDrvI; C:\Windows\system32\DRIVERS\Smb_driver_Intel.sys [32136 2012-12-21] (Synaptics Incorporated)
U3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [28272 2016-09-17] ()
S3 WdBoot; C:\Windows\system32\drivers\WdBoot.sys [44560 2015-07-07] (Microsoft Corporation)
S3 WdFilter; C:\Windows\system32\drivers\WdFilter.sys [270168 2015-07-07] (Microsoft Corporation)
S3 WdNisDrv; C:\Windows\System32\Drivers\WdNisDrv.sys [114520 2015-07-07] (Microsoft Corporation)
R1 ZAM; C:\WINDOWS\System32\drivers\zam64.sys [203680 2016-09-08] (Zemana Ltd.)
R1 ZAM_Guard; C:\WINDOWS\System32\drivers\zamguard64.sys [203680 2016-09-08] (Zemana Ltd.)
S3 MBAMSwissArmy; \??\C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [X]
S3 MFE_RR; \??\C:\Users\SAYITA~1\AppData\Local\Temp\mfe_rr.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-09-17 11:44 - 2016-09-17 11:44 - 00016320 _____ C:\Users\SayItAintSo\Desktop\FRST.txt
2016-09-17 11:41 - 2016-09-17 11:41 - 02399232 _____ (Farbar) C:\Users\SayItAintSo\Desktop\FRST64.exe
2016-09-17 10:16 - 2016-09-17 10:16 - 00002775 _____ C:\Users\Public\Desktop\Sophos Virus Removal Tool.lnk
2016-09-17 10:16 - 2016-09-17 10:16 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sophos
2016-09-17 10:06 - 2016-09-17 10:06 - 00000000 ___HD C:\WINDOWS\system32\GroupPolicy
2016-09-17 09:34 - 2016-09-17 09:35 - 152664536 _____ (Sophos Limited) C:\Users\SayItAintSo\Desktop\Sophos Virus Removal Tool (1).exe
2016-09-17 09:30 - 2016-09-17 09:31 - 25210440 _____ C:\Users\SayItAintSo\Desktop\RogueKillerX64 (1).exe
2016-09-17 03:47 - 2016-09-17 03:47 - 00016979 _____ C:\Users\SayItAintSo\Desktop\Jonston jackie 201609170317080311.pdf
2016-09-17 03:38 - 2016-09-17 03:38 - 00000337 _____ C:\Users\SayItAintSo\Desktop\URLforcomcastloginthatsupportsfacebook.txt
2016-09-15 07:01 - 2016-09-15 07:01 - 04756636 _____ C:\Users\SayItAintSo\Desktop\ap-calculus-ab-and-bc-course-and-exam-description.pdf
2016-09-10 13:52 - 2016-09-10 13:52 - 00026477 _____ C:\Users\SayItAintSo\Desktop\DABOMB.dpl
2016-09-08 16:31 - 2016-09-08 16:31 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Zemana AntiMalware
2016-09-08 16:26 - 2016-09-08 16:26 - 00001767 _____ C:\Users\Public\Desktop\iTunes.lnk
2016-09-08 16:26 - 2016-09-08 16:26 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\iTunes
2016-09-08 16:25 - 2016-09-08 16:25 - 00002535 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Apple Software Update.lnk
2016-09-08 16:25 - 2016-09-08 16:25 - 00000000 ____D C:\WINDOWS\System32\Tasks\Apple
2016-09-08 16:25 - 2016-09-08 16:25 - 00000000 ____D C:\Program Files\Bonjour
2016-09-08 16:25 - 2016-09-08 16:25 - 00000000 ____D C:\Program Files (x86)\Bonjour
2016-09-08 16:25 - 2016-09-08 16:25 - 00000000 ____D C:\Program Files (x86)\Apple Software Update
2016-09-08 16:24 - 2016-09-08 16:26 - 00000000 ____D C:\Program Files\Common Files\Apple
2016-09-08 16:23 - 2016-09-08 16:23 - 00000000 ____H C:\WINDOWS\system32\Drivers\Msft_User_WpdMtpDr_01_11_00.Wdf
2016-09-02 18:09 - 2016-09-03 02:43 - 00000000 ____D C:\Users\SayItAintSo\Desktop\Lydia
2016-09-02 03:53 - 2016-09-02 03:59 - 00000000 ____D C:\Users\SayItAintSo\Desktop\NEWSAT
2016-09-02 01:46 - 2016-09-17 06:12 - 00000000 ___RD C:\Users\SayItAintSo\Desktop\hhMyPicturesMe
2016-08-29 03:00 - 2016-08-29 06:28 - 00000000 ___RD C:\Users\SayItAintSo\Desktop\NEWResumesAndCoverLetters
2016-08-23 13:06 - 2016-08-23 13:06 - 00153248 _____ (ESET) C:\WINDOWS\system32\Drivers\ekbdflt.sys
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-09-17 11:44 - 2015-12-18 07:42 - 00112714 _____ C:\WINDOWS\ZAM.krnl.trace
2016-09-17 11:44 - 2015-12-18 07:42 - 00079087 _____ C:\WINDOWS\ZAM_Guard.krnl.trace
2016-09-17 11:44 - 2015-03-21 23:49 - 00000000 ____D C:\FRST
2016-09-17 11:10 - 2016-03-12 03:53 - 00000934 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2016-09-17 11:05 - 2013-08-22 11:36 - 00000000 ____D C:\WINDOWS\AppReadiness
2016-09-17 11:01 - 2015-10-06 19:10 - 00000830 _____ C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2016-09-17 10:20 - 2014-12-16 07:57 - 00003598 _____ C:\WINDOWS\System32\Tasks\Optimize Start Menu Cache Files-S-1-5-21-1728614643-3146882776-3930629701-1001
2016-09-17 09:37 - 2015-02-21 03:51 - 00028272 _____ C:\WINDOWS\system32\Drivers\TrueSight.sys
2016-09-17 09:04 - 2016-07-07 04:54 - 00000000 ____D C:\Users\SayItAintSo\Desktop\BleepingComputer
2016-09-17 08:35 - 2014-11-21 04:44 - 01270418 _____ C:\WINDOWS\system32\PerfStringBackup.INI
2016-09-17 08:35 - 2013-08-22 09:36 - 00000000 ____D C:\WINDOWS\Inf
2016-09-17 08:15 - 2016-04-24 02:16 - 00000000 ____D C:\Users\SayItAintSo\Desktop\baseballsplits
2016-09-17 07:47 - 2015-01-15 08:32 - 00000000 ___RD C:\Users\BeverlyHills\Desktop\Vids
2016-09-17 07:23 - 2015-10-10 03:24 - 00000000 ____D C:\Users\SayItAintSo\Desktop\CCE
2016-09-17 07:16 - 2016-03-12 03:53 - 00000930 _____ C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2016-09-17 07:16 - 2015-12-29 06:29 - 00000375 _____ C:\WINDOWS\system32\Drivers\etc\hosts.ics
2016-09-17 07:15 - 2013-08-22 10:45 - 00000006 ____H C:\WINDOWS\Tasks\SA.DAT
2016-09-17 07:14 - 2013-08-22 09:25 - 00524288 ___SH C:\WINDOWS\system32\config\BBI
2016-09-17 06:13 - 2015-12-29 08:25 - 00000000 ____D C:\Users\SayItAintSo\AppData\Roaming\www.shadowexplorer.com
2016-09-17 06:12 - 2015-05-23 02:45 - 00000000 ___RD C:\Users\SayItAintSo\Desktop\ProfessssionalPortfolio32New
2016-09-17 06:10 - 2016-04-04 11:32 - 00000000 ____D C:\Users\SayItAintSo\Desktop\networkinterfacesview-x64
2016-09-17 05:04 - 2016-06-25 07:41 - 00000000 ___RD C:\Users\SayItAintSo\Desktop\SecurityToolsJuly2016
2016-09-16 22:11 - 2016-03-12 03:54 - 00002217 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-09-16 22:11 - 2016-03-12 03:54 - 00002205 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2016-09-14 04:53 - 2013-08-22 11:36 - 00000000 ___HD C:\Program Files\WindowsApps
2016-09-13 18:01 - 2015-10-06 19:10 - 00003718 _____ C:\WINDOWS\System32\Tasks\Adobe Flash Player Updater
2016-09-13 18:01 - 2013-08-22 11:36 - 00000000 ____D C:\WINDOWS\SysWOW64\Macromed
2016-09-13 18:01 - 2013-08-22 11:36 - 00000000 ____D C:\WINDOWS\system32\Macromed
2016-09-13 17:27 - 2014-12-16 10:06 - 144199024 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2016-09-12 12:59 - 2015-04-09 23:23 - 00000000 ____D C:\Users\SayItAintSo\Desktop\cce_2.5.242177.201_x64
2016-09-10 13:03 - 2015-10-29 02:45 - 00000000 ___RD C:\Users\SayItAintSo\Desktop\PlayPictures2
2016-09-09 11:42 - 2016-08-10 09:02 - 00000000 ____D C:\Users\SayItAintSo\Desktop\Playlistss
2016-09-08 16:35 - 2015-03-18 23:46 - 00000000 ____D C:\Users\SayItAintSo\AppData\Local\CrashDumps
2016-09-08 16:31 - 2016-08-08 11:22 - 00203680 _____ (Zemana Ltd.) C:\WINDOWS\system32\Drivers\zamguard64.sys
2016-09-08 16:31 - 2016-08-08 11:22 - 00203680 _____ (Zemana Ltd.) C:\WINDOWS\system32\Drivers\zam64.sys
2016-09-08 16:31 - 2016-08-08 11:22 - 00001090 _____ C:\Users\Public\Desktop\Zemana AntiMalware.lnk
2016-09-08 16:31 - 2015-12-18 07:41 - 00000000 ____D C:\Program Files (x86)\Zemana AntiMalware
2016-09-08 16:26 - 2016-04-06 10:01 - 00000000 ____D C:\Program Files\iTunes
2016-09-08 16:26 - 2016-04-06 10:01 - 00000000 ____D C:\Program Files\iPod
2016-09-08 16:26 - 2016-04-06 10:01 - 00000000 ____D C:\Program Files (x86)\iTunes
2016-09-08 16:26 - 2015-10-25 10:43 - 00000000 ____D C:\ProgramData\Apple Computer
2016-09-08 16:24 - 2015-10-25 10:36 - 00000000 ____D C:\ProgramData\Apple
2016-08-23 14:21 - 2015-03-29 12:58 - 00000000 ____D C:\Users\SayItAintSo
2016-08-23 14:19 - 2016-08-02 06:33 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2016-08-23 14:19 - 2015-01-13 00:50 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2016-08-23 13:06 - 2016-04-13 13:31 - 00263296 _____ (ESET) C:\WINDOWS\system32\Drivers\eamonm.sys
2016-08-23 13:06 - 2016-04-13 13:31 - 00208552 _____ (ESET) C:\WINDOWS\system32\Drivers\epfw.sys
2016-08-23 13:06 - 2016-04-13 13:31 - 00197288 _____ (ESET) C:\WINDOWS\system32\Drivers\ehdrv.sys
2016-08-23 13:06 - 2016-04-13 13:31 - 00084640 _____ (ESET) C:\WINDOWS\system32\Drivers\epfwwfp.sys
2016-08-23 13:06 - 2016-04-13 13:31 - 00061608 _____ (ESET) C:\WINDOWS\system32\Drivers\EpfwLWF.sys
2016-08-23 13:06 - 2016-04-13 13:31 - 00015488 _____ (ESET) C:\WINDOWS\system32\Drivers\eelam.sys
2016-08-21 04:25 - 2016-08-08 10:24 - 00001035 _____ C:\Users\SayItAintSo\Desktop\PotPlayer 64 bit.lnk
2016-08-19 06:48 - 2013-08-22 11:36 - 00000000 ____D C:\ProgramData\regid.1991-06.com.microsoft
2016-08-19 06:47 - 2016-06-28 05:05 - 00000000 ____D C:\Program Files\Microsoft Office 15
2016-08-19 05:10 - 2015-03-10 00:14 - 00000000 ____D C:\Users\SayItAintSo\AppData\Local\ElevatedDiagnostics
 
==================== Files in the root of some directories =======
 
2016-08-10 09:54 - 2016-08-10 09:54 - 0990339 _____ () C:\Users\SayItAintSo\AppData\Local\ars.cache
2016-08-10 09:54 - 2016-08-10 09:54 - 0763314 _____ () C:\Users\SayItAintSo\AppData\Local\census.cache
2015-07-13 19:00 - 2016-05-05 01:08 - 0004608 _____ () C:\Users\SayItAintSo\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2016-08-10 09:35 - 2016-08-10 09:35 - 0000036 _____ () C:\Users\SayItAintSo\AppData\Local\housecall.guid.cache
2015-03-26 15:03 - 2015-03-26 15:03 - 0000017 _____ () C:\Users\SayItAintSo\AppData\Local\resmon.resmoncfg
2016-08-10 09:45 - 2016-08-10 10:13 - 0000010 _____ () C:\Users\SayItAintSo\AppData\Local\sponge.last.runtime.cache
2014-12-26 08:21 - 2014-12-26 08:21 - 0000032 _____ () C:\ProgramData\Temp.log
2013-05-10 02:20 - 2013-05-10 02:20 - 0000119 _____ () C:\ProgramData\{1FBF6C24-C1fD-4101-A42B-0C564F9E8E79}.log
2013-05-10 02:15 - 2013-05-10 02:17 - 0000106 _____ () C:\ProgramData\{2A87D48D-3FDF-41fd-97CD-A1E370EFFFE2}.log
2013-05-10 02:17 - 2013-05-10 02:18 - 0000111 _____ () C:\ProgramData\{B0B4F6D2-F2AE-451A-9496-6F2F6A897B32}.log
2013-05-10 02:15 - 2013-05-10 02:15 - 0000107 _____ () C:\ProgramData\{C59C179C-668D-49A9-B6EA-0121CCFC1243}.log
2013-05-10 02:18 - 2013-05-10 02:20 - 0000108 _____ () C:\ProgramData\{DEC235ED-58A4-4517-A278-C41E8DAEAB3B}.log
 
Some files in TEMP:
====================
C:\Users\SayItAintSo\AppData\Local\Temp\dllnt_dump.dll
 
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\wininit.exe => File is digitally signed
C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\SysWOW64\explorer.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\SysWOW64\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\SysWOW64\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\SysWOW64\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\dnsapi.dll => File is digitally signed
C:\WINDOWS\SysWOW64\dnsapi.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2016-09-17 08:29
 
==================== End of FRST.txt ============================
 

#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,238 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:15 PM

Posted 18 September 2016 - 08:27 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Reset your recycle bin to the original default.
http://www.thewindowsclub.com/recycle-bin-is-corrupted-windows
===

Press the Windows key + R on your keyboard at the same time. This will open the RUN box.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  No File
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
URLSearchHook: [S-1-5-21-1728614643-3146882776-3930629701-1001] ATTENTION => Default URLSearchHook is missing
SearchScopes: HKLM -> DefaultScope value is missing
SearchScopes: HKLM-x32 -> DefaultScope value is missing
Toolbar: HKU\S-1-5-21-1728614643-3146882776-3930629701-1001 -> No Name - {1DAC0C53-7D23-4AB3-856A-B04D98CD982A} -  No File
Toolbar: HKU\S-1-5-21-1728614643-3146882776-3930629701-1001 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
FF Plugin-x32: gamesys.co.uk/VirginGeolocationPlugin -> C:\Program Files (x86)\Virgin Casino GeoLocation\BrowserPlugin\npGeolocationPlugin.dll [No File]
FF HKLM-x32\...\Thunderbird\Extensions: [msktbird@mcafee.com] - C:\Program Files\McAfee\MSK => not found
CHR Extension: (Chrome Web Store Payments) - C:\Users\SayItAintSo\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-04]
CHR HKLM\...\Chrome\Extension: [hkhkiakolggnnicallabhkobalpeplpi] - <no Path/update_url>
CHR HKLM-x32\...\Chrome\Extension: [hkhkiakolggnnicallabhkobalpeplpi] - <no Path/update_url>
S0 raeehd; no ImagePath
S3 MBAMSwissArmy; \??\C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [X]
S3 MFE_RR; \??\C:\Users\SAYITA~1\AppData\Local\Temp\mfe_rr.sys [X]
C:\Users\SayItAintSo\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda
AlternateDataStreams: C:\Sysmon.exe:BDU [1]

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Reset Chrome...
Open Google Chrome and click on the menu icon, which is located at the top right of the Google Chrome window.
 
Click "Settings" then "Show advanced settings" at the bottom of the screen.
 
Click "Reset browser settings" button.
 
Clear your cache and cookies
https://support.google.com/chromebook/answer/183083?hl=en

Restart Chrome.
===

Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download the Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
createsrpoint;
autoclean;
emptyclsid;
emptyffcache;
FFdefaults;
emptyiecache;
iedefaults;
emptychrcache;
CHRdefaults;
emptyalltemp;
emptyfolderscheck;delete
ipconfig /flushdns;b
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run the whole script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.
===

Also, please provide an update on how the computer is behaving after running the above script.
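A follow-up check for the fixlist above, added here as an example; it is not part of nasdaq's instructions and not code from the FRST or Zoek tools. After FRST has run, this PowerShell script re-reads the service entries, registry keys and alternate data stream that the fixlist targeted, so the "removed successfully" lines of the Fixlog can be confirmed from a second source. It assumes PowerShell 3 or later run as Administrator; every path and name in it is taken from the fixlist, and nothing else about the system is assumed.

```powershell
# Added example, not from the post or the FRST/Zoek tools: verify the fixlist
# targets after the fix. Assumes PowerShell 3+ on Windows, run as Administrator.
# Names and paths below are exactly the ones listed in the fixlist.

$results = @()

# 1. Services the fixlist removes. A service key with no ImagePath (raeehd), or
#    one whose ImagePath points at a file that no longer exists ("[X]" in FRST),
#    is an orphan that a driver loader will still try to start.
foreach ($svc in 'raeehd', 'MBAMSwissArmy', 'MFE_RR') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    if (Test-Path $key) {
        $img = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).ImagePath
        $results += [pscustomobject]@{ Check = "Service $svc"; Present = $true;  Detail = "ImagePath=$img" }
    } else {
        $results += [pscustomobject]@{ Check = "Service $svc"; Present = $false; Detail = 'key removed' }
    }
}

# 2. Chrome extensions force-installed through the registry. An entry with no
#    path and no update_url (the "<no Path/update_url>" lines) cannot be traced
#    to a Web Store listing, so the key itself is what matters.
foreach ($hive in 'HKLM:\SOFTWARE\Google\Chrome\Extensions',
                  'HKLM:\SOFTWARE\Wow6432Node\Google\Chrome\Extensions') {
    $key = Join-Path $hive 'hkhkiakolggnnicallabhkobalpeplpi'
    $results += [pscustomobject]@{ Check = "Registry extension $key"; Present = (Test-Path $key); Detail = '' }
}

# 3. Internet Explorer policy restrictions (the "Restriction <======= ATTENTION"
#    line). On a home machine with no domain policy this key normally does not exist.
$ieKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer'
$results += [pscustomobject]@{ Check = 'IE policy key'; Present = (Test-Path $ieKey); Detail = $ieKey }

# 4. Alternate data streams on C:\Sysmon.exe. Every NTFS file has a ':$DATA'
#    stream; any other stream (here ':BDU') is extra content hidden from a
#    normal directory listing and should be explained.
if (Test-Path 'C:\Sysmon.exe') {
    $extra = Get-Item -Path 'C:\Sysmon.exe' -Stream * |
             Where-Object { $_.Stream -ne ':$DATA' }
    if ($extra) {
        foreach ($s in $extra) {
            $results += [pscustomobject]@{ Check = 'ADS on C:\Sysmon.exe'; Present = $true; Detail = "$($s.Stream) ($($s.Length) bytes)" }
        }
    } else {
        $results += [pscustomobject]@{ Check = 'ADS on C:\Sysmon.exe'; Present = $false; Detail = 'only :$DATA' }
    }
} else {
    $results += [pscustomobject]@{ Check = 'ADS on C:\Sysmon.exe'; Present = $false; Detail = 'file not present' }
}

# Anything still reported as Present=True is an item the fix did not clear.
$results | Format-Table -AutoSize
```

Run it once before the fix and once after and compare the two tables: every row that was Present before should read Present=False afterwards, matching the "removed successfully" lines in Fixlog.txt.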

#3 Glycerine

Glycerine
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  • Local time:01:15 PM

Posted 21 September 2016 - 02:49 PM

Attached File: WebCertificateWarningfromESET.JPG (28.57KB)
Attached File: GotAlertWhileRunningZOEK.JPG (29.43KB)

Hi Nasdaq,

 

Thanks for your assistance. So far, it appears better; however, there are certain sites that I go on where I get an ESET Alert that says, "The Certificate used by this server has been marked as untrustworthy and the connection is not safe." I have attached a screenshot of the warning. The site is fangraphs.com, a very popular website that I have been visiting for years with no problems. Also, there are some sites that I visit like fangraphs.com that run a lot of scripts. These scripts never seem to stop and I can't page up and down, or do anything. It is also at these sites, where it seems like there is non-stop scripting, where whole tabs in my browser seem to just pop up with downloads and sites that I have never even heard of or been to.

 

Also, I have attached a picture of a notification that I got while running ZOEK. I don't know if it is important but I thought that you might want to take a look at it.

 

Lastly, I am still getting inundated with ads that seem to prevent me from paging up and down on the web page with the ads. What do you think? I have attached the fixlog and the Zoek log for your perusal.

 

Thanks again and I really appreciate your help.

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 20-09-2016
Ran by SayItAintSo (20-09-2016 18:40:56) Run:1
Running from C:\Users\SayItAintSo\Desktop
Loaded Profiles: SayItAintSo (Available Profiles: SayItAintSo & BeverlyHills & .NET v4.5 & DefaultAppPool & .NET v4.5 Classic)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
start
 
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
 
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  No File
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
URLSearchHook: [S-1-5-21-1728614643-3146882776-3930629701-1001] ATTENTION => Default URLSearchHook is missing
SearchScopes: HKLM -> DefaultScope value is missing
SearchScopes: HKLM-x32 -> DefaultScope value is missing
Toolbar: HKU\S-1-5-21-1728614643-3146882776-3930629701-1001 -> No Name - {1DAC0C53-7D23-4AB3-856A-B04D98CD982A} -  No File
Toolbar: HKU\S-1-5-21-1728614643-3146882776-3930629701-1001 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
FF Plugin-x32: gamesys.co.uk/VirginGeolocationPlugin -> C:\Program Files (x86)\Virgin Casino GeoLocation\BrowserPlugin\npGeolocationPlugin.dll [No File]
FF HKLM-x32\...\Thunderbird\Extensions: [msktbird@mcafee.com] - C:\Program Files\McAfee\MSK => not found
CHR Extension: (Chrome Web Store Payments) - C:\Users\SayItAintSo\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-04]
CHR HKLM\...\Chrome\Extension: [hkhkiakolggnnicallabhkobalpeplpi] - <no Path/update_url>
CHR HKLM-x32\...\Chrome\Extension: [hkhkiakolggnnicallabhkobalpeplpi] - <no Path/update_url>
S0 raeehd; no ImagePath
S3 MBAMSwissArmy; \??\C:\WINDOWS\system32\drivers\MBAMSwissArmy.sys [X]
S3 MFE_RR; \??\C:\Users\SAYITA~1\AppData\Local\Temp\mfe_rr.sys [X]
C:\Users\SayItAintSo\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda
AlternateDataStreams: C:\Sysmon.exe:BDU [1]
 
End
*****************
 
Restore point was successfully created.
Processes closed successfully.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\00avast" => key removed successfully
HKCR\CLSID\{472083B0-C522-11CF-8763-00608CC02F24} => key not found. 
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
Could not restore Default URLSearchHook.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
HKU\S-1-5-21-1728614643-3146882776-3930629701-1001\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{1DAC0C53-7D23-4AB3-856A-B04D98CD982A} => value removed successfully
HKCR\CLSID\{1DAC0C53-7D23-4AB3-856A-B04D98CD982A} => key not found. 
HKU\S-1-5-21-1728614643-3146882776-3930629701-1001\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} => value removed successfully
"HKCR\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}" => key removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\gamesys.co.uk/VirginGeolocationPlugin" => key removed successfully
HKLM\Software\Wow6432Node\Mozilla\Thunderbird\Extensions\\msktbird@mcafee.com => value removed successfully
C:\Users\SayItAintSo\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda => moved successfully
"HKLM\SOFTWARE\Google\Chrome\Extensions\hkhkiakolggnnicallabhkobalpeplpi" => key removed successfully
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\hkhkiakolggnnicallabhkobalpeplpi" => key removed successfully
raeehd => service removed successfully
MBAMSwissArmy => service removed successfully
MFE_RR => service removed successfully
"C:\Users\SayItAintSo\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda" => not found.
C:\Sysmon.exe => ":BDU" ADS removed successfully.
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 84932859 B
Java, Flash, Steam htmlcache => 645 B
Windows/system/drivers => 131193212 B
Edge => 0 B
Chrome => 899365317 B
Firefox => 11595604 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Default => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 128 B
LocalService => 325452 B
NetworkService => 35464 B
SayItAintSo => 4764335 B
BeverlyHills => 1106874 B
.NET v4.5 => 0 B
DefaultAppPool => 0 B
.NET v4.5 Classic => 0 B
 
RecycleBin => 0 B
EmptyTemp: => 1.1 GB temporary data Removed.
 
================================
 
 
The system needed a reboot.
 

==== End of Fixlog 18:42:12 ==== 

 

 
Zoek.exe v5.0.0.1 Updated 19-September-2016
Tool run by SayItAintSo on Tue 09/20/2016 at 19:01:02.84.
Microsoft Windows 8.1 6.3.9600  x64
Running in: Normal Mode Internet Access Detected
Launched: C:\Users\SayItAintSo\Desktop\zoek (1).exe [Scan all users] [Script inserted] 
 
==== Older Logs ======================
 
C:\zoek-results2016-03-26-154331.log 1393 bytes
 
==== System Restore Info ======================
 
9/20/2016 7:03:28 PM Zoek.exe System Restore Point Created Successfully.
 
==== Empty Folders Check ======================
 
C:\PROGRA~2\Panda Security deleted successfully
C:\PROGRA~2\COMMON~1\Symantec Shared deleted successfully
C:\Program Files\Bitdefender deleted successfully
C:\Program Files\HitmanPro deleted successfully
C:\Program Files\NoVirusThanks deleted successfully
C:\Program Files\Reason deleted successfully
C:\Program Files\SUPERAntiSpyware deleted successfully
C:\PROGRA~3\Malwarebytes' Anti-Malware (portable) deleted successfully
C:\PROGRA~3\OpenDNS deleted successfully
C:\Users\BeverlyHills\AppData\Roaming\Panda Security deleted successfully
C:\Users\BeverlyHills\AppData\Roaming\TinyWall deleted successfully
C:\Users\SayItAintSo\AppData\Roaming\Panda Security deleted successfully
C:\Users\SayItAintSo\AppData\Roaming\WinPatrol deleted successfully
C:\Users\BeverlyHills\AppData\Local\VirtualStore deleted successfully
C:\Users\SayItAintSo\AppData\Local\Adobe deleted successfully
C:\Users\SayItAintSo\AppData\Local\Comodo deleted successfully
C:\Users\SayItAintSo\AppData\Local\EmieBrowserModeList deleted successfully
C:\Users\SayItAintSo\AppData\Local\EmieSiteList deleted successfully
C:\Users\SayItAintSo\AppData\Local\EmieUserList deleted successfully
C:\Users\SayItAintSo\AppData\Local\Windows Live deleted successfully
 
==== Deleting CLSID Registry Keys ======================
 
HKEY_USERS\S-1-5-21-1728614643-3146882776-3930629701-1001\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} deleted successfully
HKEY_USERS\S-1-5-21-1728614643-3146882776-3930629701-1001\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} deleted successfully
HKEY_CLASSES_ROOT\CLSID\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} deleted successfully
 
==== Deleting CLSID Registry Values ======================
 
 
==== Deleting Services ======================
 
 
==== FireFox Fix ======================
 
Deleted from C:\Users\BEVERL~1\AppData\Roaming\Mozilla\Firefox\Profiles\3b8ord1k.default\prefs.js:
user_pref("browser.startup.homepage", "http://espn.go.com/boston/");
user_pref("browser.search.defaultenginename", "Google");
user_pref("browser.search.defaultenginename.US", "Google");
user_pref("browser.search.suggest.enabled", false);
 
Added to C:\Users\BEVERL~1\AppData\Roaming\Mozilla\Firefox\Profiles\3b8ord1k.default\prefs.js:
user_pref("browser.startup.homepage", "about:home");
user_pref("browser.newtab.url", "about:newtab");
 
Deleted from C:\Users\SAYITA~1\AppData\Roaming\Mozilla\Firefox\Profiles\ca5agpks.default\prefs.js:
user_pref("browser.search.defaultenginename.US", "Google");
 
Added to C:\Users\SAYITA~1\AppData\Roaming\Mozilla\Firefox\Profiles\ca5agpks.default\prefs.js:
user_pref("browser.startup.homepage", "about:home");
user_pref("browser.newtab.url", "about:newtab");
 
ProfilePath: C:\Users\BEVERL~1\AppData\Roaming\Mozilla\Firefox\Profiles\3b8ord1k.default
 
user.js not found
---- Lines yahoo removed from prefs.js ----
user_pref("browser.uitour.treatment.srch-chg-treatment", "firstrun_yahooDefault");
---- FireFox user.js and prefs.js backups ---- 
 
prefs_20160920_0724_.backup
 
ProfilePath: C:\Users\SAYITA~1\AppData\Roaming\Mozilla\Firefox\Profiles\ca5agpks.default
 
user.js not found
---- Lines yahoo removed from prefs.js ----
user_pref("browser.uitour.treatment.srch-chg-treatment", "firstrun_yahooDefault");
---- FireFox user.js and prefs.js backups ---- 
 
prefs_20160920_0724_.backup
 
==== Batch Command(s) Run By Tool======================
 
 
==== Deleting Files \ Folders ======================
 
C:\PROGRA~2\Panda Security not found
C:\PROGRA~3\Malwarebytes' Anti-Malware (portable) not found
C:\accesschk.exe deleted
C:\AccessEnum.exe deleted
C:\ADExplorer.exe deleted
C:\ADInsight.exe deleted
C:\adrestore.exe deleted
C:\Autologon.exe deleted
C:\autoruns.exe deleted
C:\autorunsc.exe deleted
C:\Bginfo.exe deleted
C:\Cacheset.exe deleted
C:\Clockres.exe deleted
C:\Contig.exe deleted
C:\Coreinfo.exe deleted
C:\ctrl2cap.exe deleted
C:\Dbgview.exe deleted
C:\Desktops.exe deleted
C:\disk2vhd.exe deleted
C:\diskext.exe deleted
C:\Diskmon.exe deleted
C:\DiskView.exe deleted
C:\du.exe deleted
C:\efsdump.exe deleted
C:\FindLinks.exe deleted
C:\handle.exe deleted
C:\hex2dec.exe deleted
C:\junction.exe deleted
C:\ldmdump.exe deleted
C:\Listdlls.exe deleted
C:\livekd.exe deleted
C:\LoadOrd.exe deleted
C:\logonsessions.exe deleted
C:\movefile.exe deleted
C:\ntfsinfo.exe deleted
C:\pagedfrg.exe deleted
C:\pendmoves.exe deleted
C:\pipelist.exe deleted
C:\portmon.exe deleted
C:\procdump.exe deleted
C:\procexp.exe deleted
C:\Procmon.exe deleted
C:\PsExec.exe deleted
C:\psfile.exe deleted
C:\PsGetsid.exe deleted
C:\PsInfo.exe deleted
C:\pskill.exe deleted
C:\pslist.exe deleted
C:\PsLoggedon.exe deleted
C:\psloglist.exe deleted
C:\pspasswd.exe deleted
C:\psping.exe deleted
C:\PsService.exe deleted
C:\psshutdown.exe deleted
C:\pssuspend.exe deleted
C:\RAMMap.exe deleted
C:\RegDelNull.exe deleted
C:\regjump.exe deleted
C:\RootkitRevealer.exe deleted
C:\ru.exe deleted
C:\sdelete.exe deleted
C:\ShareEnum.exe deleted
C:\ShellRunas.exe deleted
C:\sigcheck.exe deleted
C:\streams.exe deleted
C:\strings.exe deleted
C:\sync.exe deleted
C:\Sysmon.exe deleted
C:\Tcpvcon.exe deleted
C:\vmmap.exe deleted
C:\Volumeid.exe deleted
C:\whois.exe deleted
C:\Winobj.exe deleted
C:\ZoomIt.exe deleted
C:\PROGRA~3\InstallMate deleted
C:\PROGRA~3\Package Cache deleted
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Search.lnk deleted
C:\WINDOWS\wininit.ini deleted
C:\windows\SysNative\GroupPolicy\Machine deleted
C:\windows\SysNative\GroupPolicy\User deleted
C:\windows\SysNative\GroupPolicy\gpt.ini deleted
C:\Users\SAYITA~1\AppData\Roaming\Mozilla\Firefox\Profiles\ca5agpks.default\jetpack deleted
 
==== Orphaned Tasks deleted from Registry ======================
 
Dell Digital Delivery Service One-Time Delayed Start deleted
 
==== Firefox Start and Search pages ======================
 
ProfilePath: C:\Users\BEVERL~1\AppData\Roaming\Mozilla\Firefox\Profiles\3b8ord1k.default
user_pref("browser.startup.homepage", "about:home");
user_pref("browser.newtab.url", "about:newtab");
 
ProfilePath: C:\Users\SAYITA~1\AppData\Roaming\Mozilla\Firefox\Profiles\ca5agpks.default
user_pref("browser.startup.homepage", "about:home");
user_pref("browser.newtab.url", "about:newtab");
 
==== Firefox Extensions ======================
 
ProfilePath: C:\Users\SAYITA~1\AppData\Roaming\Mozilla\Firefox\Profiles\ca5agpks.default
- Flashblock - %ProfilePath%\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}
- Firefox Hotfix - %ProfilePath%\extensions\firefox-hotfix@mozilla.org.xpi
- NoScript - %ProfilePath%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi
- Adblock Plus - %ProfilePath%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
- DownThemAll - %ProfilePath%\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}.xpi
 
AppDir: C:\Program Files (x86)\Mozilla Firefox
- Undetermined - %AppDir%\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}.xpi
 
==== Firefox Plugins ======================
 
Profilepath: C:\Users\SayItAintSo\AppData\Roaming\Mozilla\Firefox\Profiles\ca5agpks.default
18CF51689186AEB9D1D149AEB0E92D03 - C:\Program Files\Microsoft Office 15\root\Office15\NPSPWRAP.DLL - Microsoft Office 2013
7FB1DC8C464CAFC230E7AD6392AE859B - C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_23_0_0_162.dll - Shockwave Flash
 
 
==== Chromium Look ======================
 
HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions
iikflkcanblccfahdhdonehdalibjnif - No path found[]
 
Google Voice Search Hotword (Beta) - BeverlyHills\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn
Admin Tools - SayItAintSo\AppData\Local\Google\Chrome\User Data\Default\Extensions\bigmfjdfngafahnkjchgobejppekainl
Open Port Check Tool - SayItAintSo\AppData\Local\Google\Chrome\User Data\Default\Extensions\lefghalnfhaklfbndadklndcndabkadb
Chrome Media Router - SayItAintSo\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm
 
==== Set IE to Default ======================
 
Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
 
New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
 
==== All HKLM and HKCU SearchScopes ======================
 
HKLM\SearchScopes "DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
HKLM\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} - http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
HKLM\SearchScopes\{FB137D49-8D7C-4C63-A690-F87BF3670197} - http://www.bing.com/search?q={searchTerms}&form=IE10TR&src=IE10TR&pc=MDDCJS
HKLM\Wow6432Node\SearchScopes "DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
HKLM\Wow6432Node\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} - http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
HKCU\SearchScopes "DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
HKCU\SearchScopes\{012E1000-F331-11DB-8314-0800200C9A66} - http://www.google.com/search?q={searchTerms}
HKCU\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} - http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IESR02
 
==== Reset Google Chrome ======================
 
C:\Users\BeverlyHills\AppData\Local\Google\Chrome\User Data\Default\Preferences was reset successfully
C:\Users\BeverlyHills\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences was reset successfully
C:\Users\SayItAintSo\AppData\Local\Google\Chrome\User Data\Default\Preferences was reset successfully
C:\Users\SayItAintSo\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences was reset successfully
C:\Users\BeverlyHills\AppData\Local\Google\Chrome\User Data\Default\Web Data was reset successfully
C:\Users\SayItAintSo\AppData\Local\Google\Chrome\User Data\Default\Web Data was reset successfully
C:\Users\SayItAintSo\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal was reset successfully
 
==== Empty IE Cache ======================
 
C:\WINDOWS\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\SayItAintSo\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\WINDOWS\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\Users\SayItAintSo\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
C:\WINDOWS\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
 
==== Empty FireFox Cache ======================
 
No FireFox Cache found
 
==== Empty Chrome Cache ======================
 
C:\Users\BeverlyHills\AppData\Local\Google\Chrome\User Data\Default\Cache emptied successfully
C:\Users\SayItAintSo\AppData\Local\Google\Chrome\User Data\Default\Cache emptied successfully
 
==== Empty All Flash Cache ======================
 
Flash Cache Emptied Successfully
 
==== Empty All Java Cache ======================
 
No Java Cache Found
 
==== C:\zoek_backup content ======================
 
 
==== Empty Temp Folders ======================
 
C:\Users\.NET v4.5\AppData\Local\Temp emptied successfully
C:\Users\.NET v4.5 Classic\AppData\Local\Temp emptied successfully
C:\Users\BeverlyHills\AppData\Local\Temp emptied successfully
C:\Users\Default\AppData\Local\Temp emptied successfully
C:\Users\Default User\AppData\Local\Temp emptied successfully
C:\Users\DefaultAppPool\AppData\Local\Temp emptied successfully
C:\Users\SayItAintSo\AppData\Local\Temp will be emptied at reboot
C:\Users\NETV4~1.5\AppData\Local\Temp emptied successfully
C:\Users\NETV4~1.5C~\AppData\Local\Temp emptied successfully
C:\WINDOWS\sysWoW64\config\systemprofile\AppData\Local\Temp emptied successfully
C:\WINDOWS\serviceprofiles\networkservice\AppData\Local\Temp emptied successfully
C:\WINDOWS\serviceprofiles\Localservice\AppData\Local\Temp emptied successfully
C:\WINDOWS\Temp will be emptied at reboot
 
==== After Reboot ======================
 
==== Empty Temp Folders ======================
 
C:\WINDOWS\Temp successfully emptied
C:\Users\SAYITA~1\AppData\Local\Temp successfully emptied
 
==== Empty Recycle Bin ======================
 
C:\$RECYCLE.BIN successfully emptied
 
==== EOF on Tue 09/20/2016 at 19:33:17.13 ======================
 
 


#4 nasdaq

nasdaq

  • Malware Response Team
  • 40,238 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 22 September 2016 - 08:42 AM



The file Folderchk.vbs is used by the Zoek tool.
You do not have a file association for the .VBS extension.
That is good. I know that the file used by Zoek is good. However, associating .VBS with an application/program can be dangerous.
Malware can be carried by some .vbs files.

P.S. .vbs files are from an application created by a Visual Basic program.

---

I got no Certificate warning when I went to fangraphs.com.
Make sure your Time and Date are correct on your computer.

As for the scripts, try this fix:
https://www.webbie.org.uk/scriptingErrors.htm

Keep me posted.

#5 Glycerine

Glycerine
  • Topic Starter

  • Members
  • 31 posts

Posted 26 September 2016 - 10:42 PM

Attached files: Non-stop Ads.JPG, problem1.JPG, Problem2.JPG

Hi Nasdaq,

 

I still get inundated with ads. (See Attached example). I get warnings all the time that an application is trying to communicate with the network. (See attached example). I get other warnings like the attached warning all the time. Is that normal?

 

I will be on a webpage and all of a sudden the wheel on the browser tab will start spinning and a whole new advertisement page will replace the page that I was looking at.

 

I have many unsigned programs; when I try to run File Checker (SFC), it says the operation can't be completed.

 

I have an enormous amount of start-up files that I have never heard of, and that is probably why it takes my computer forever to boot.

 

What about these problems that I listed in my initial post. Are they anything to worry about? Why can't I open certain files?

 

6) With Comodo Cleaning Essentials, a scan was done; it said I had a "Rootkit.hiddenFile" and then listed the five files in the picture.
 
7) Sophos Virus Removal Tool stated it could not open the following files and that I had the virus Mal/HckPk-A. It said that it would clean it up; however, it then says that it can't be cleaned.
 
2016-09-17 14:34:57.779 Could not open C:\hiberfil.sys
2016-09-17 14:34:59.255 Could not open C:\pagefile.sys
2016-09-17 14:42:52.279 >>> Virus 'Mal/HckPk-A' found in file C:\ProgramData\Microsoft\Windows Defender\LocalCopy\{95DCAB72-91B5-C614-9B41-BFA4BE292BCE}-tdsskiller.exe\FILE:0000
2016-09-17 14:42:52.279 Disinfection not offered
2016-09-17 14:43:19.323 Could not open C:\swapfile.sys
2016-09-17 14:43:20.402 Could not open C:\System Volume Information\{0d70dde0-7537-11e6-bf22-f01faf0ad82d}{3808876b-c176-4e48-b7ae-04046e6cc752}
2016-09-17 14:43:20.403 Could not open C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}
2016-09-17 14:43:20.403 Could not open C:\System Volume Information\{5f5133e5-6f10-11e6-bf22-f01faf0ad82d}{3808876b-c176-4e48-b7ae-04046e6cc752}
2016-09-17 14:43:20.404 Could not open C:\System Volume Information\{5f514ac9-6f10-11e6-bf22-f01faf0ad82d}{3808876b-c176-4e48-b7ae-04046e6cc752}
2016-09-17 14:43:20.404 Could not open C:\System Volume Information\{64904721-7c2e-11e6-bf23-f01faf0ad82d}{3808876b-c176-4e48-b7ae-04046e6cc752}
2016-09-17 14:43:20.404 Could not open C:\System Volume Information\{ee8f5c2f-7602-11e6-bf23-f01faf0ad82d}{3808876b-c176-4e48-b7ae-04046e6cc752}
2016-09-17 14:46:26.240 Could not open C:\Users\SayItAintSo\AppData\Local\Google\Chrome\User Data\Default\Current Session
2016-09-17 14:59:36.383 Could not open C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb
2016-09-17 14:59:36.383 Could not open C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb
2016-09-17 14:59:39.503 Could not open C:\Windows\System32\config\BBI
2016-09-17 14:59:39.737 Could not open C:\Windows\System32\config\RegBack\DEFAULT
2016-09-17 14:59:39.739 Could not open C:\Windows\System32\config\RegBack\SAM
2016-09-17 14:59:39.740 Could not open C:\Windows\System32\config\RegBack\SECURITY
2016-09-17 14:59:39.741 Could not open C:\Windows\System32\config\RegBack\SOFTWARE
2016-09-17 14:59:39.742 Could not open C:\Windows\System32\config\RegBack\SYSTEM

 

Lastly, is it normal for my hard drive to have seven partitions? I have never partitioned my hard drive. Did my computer just arrive in that state?

 

I would greatly appreciate your insight on these issues.

 

Thank you,

Glycerine



#6 nasdaq

nasdaq

  • Malware Response Team
  • 40,238 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 27 September 2016 - 09:48 AM

2016-09-17 14:42:52.279 >>> Virus 'Mal/HckPk-A' found in file C:\ProgramData\Microsoft\Windows Defender\LocalCopy\{95DCAB72-91B5-C614-9B41-BFA4BE292BCE}-tdsskiller.exe\FILE:0000
The TDSSKiller tool is not a virus. It's a false positive.

---

The other Folder and files are part of the Operating system.
Nothing to worry about.

==

If you reinstall ESET, the default file will be provided.

==
Remove and reinstall Chrome.

Remove Chrome using the instructions on this page.
https://support.google.com/chrome/answer/95319?hl=en

Before you do, export your bookmarks.
Chrome will export your bookmarks as an HTML file, which you can then import into another browser.

Re-install Chrome and the Bookmarks.

If you want to save all your settings, refer to this page.
Follow the instructions before removing Chrome.
http://juan2geek.com/how-to-backup-and-restore-entire-google-chrome-setting/
<<<>>>

Let me know what problem persists.

#7 Glycerine

Glycerine
  • Topic Starter

  • Members
  • 31 posts

Posted 04 October 2016 - 02:20 PM

Attached files: Bleepingproblem1.JPG, "I had a page about baseball up and it morphed into this.JPG", problem2 (2).JPG

Hi Nasdaq,

 

I was on baseball-reference.com and all of a sudden the attached Comcast survey replaced the page that I was looking at on baseball-reference.com. Stuff like that happens a lot. That cannot be normal. If it is normal, how do I prevent it?

 

Attached are also two warnings from my ESET about the server certificate being revoked. My time and date are correct. Whose server are they referring to? The one that is providing the webpage or the one on my end?

 

Lastly, in my certificate store, I have tons of expired/invalid certificates that are "Trusted." How did this happen and can I fix it?

 

Thanks,

Glycerine



#8 nasdaq

nasdaq

  • Malware Response Team
  • 40,238 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 05 October 2016 - 09:17 AM


Disable the ESET notification.

http://support.eset.com/kb2148/?locale=en_US

Let me know if it helps.
===

Invalid certificates can be deleted.
https://technet.microsoft.com/en-us/library/cc772354(v=ws.11).aspx

You can Google this string for additional information:
"can i delete expired/invalid certificates"

===

If you are a Comcast subscriber, I would ask them if the survey is genuine.
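A read-only way to take stock of the expired "Trusted" certificates Glycerine describes before deleting anything the TechNet way, as an added example that is not from nasdaq's post or the linked article. It uses Windows PowerShell's built-in Cert: drive and assumes only that it is run on the affected Windows machine; store paths and the thumbprint placeholder are the author's own, not values from the thread.

```powershell
# Added example (not from the thread): read-only audit of expired certificates
# in the trusted root and intermediate stores. Nothing is deleted here.
function Get-ExpiredTrustedCert {
    param(
        [string[]]$Stores = @('Cert:\CurrentUser\Root', 'Cert:\CurrentUser\CA',
                              'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA'),
        [datetime]$Now = (Get-Date)
    )
    foreach ($store in $Stores) {
        # Reading the LocalMachine stores needs no elevation; removing from them does.
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.NotAfter -lt $Now } |
            ForEach-Object {
                [pscustomobject]@{
                    Store      = $store
                    Subject    = $_.Subject
                    Issuer     = $_.Issuer
                    NotAfter   = $_.NotAfter
                    Thumbprint = $_.Thumbprint
                    # Expired self-signed roots that shipped with Windows are common
                    # and harmless; a root with an unfamiliar issuer is what to review.
                    SelfSigned = ($_.Subject -eq $_.Issuer)
                }
            }
    }
}

$expired = @(Get-ExpiredTrustedCert)
$expired | Sort-Object Store, NotAfter |
    Format-Table Store, Subject, NotAfter, SelfSigned -AutoSize
"{0} expired certificate(s) in trusted stores" -f $expired.Count

# Removal, if you decide on it after review, is a deliberate per-thumbprint step:
#   Remove-Item 'Cert:\CurrentUser\Root\<THUMBPRINT>'   (placeholder; not run here)
```

Review the Issuer column against the list of roots you expect before removing anything; an unfamiliar issuer in a Root store is the case worth asking the forum about, while expired Microsoft-shipped roots are routine.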



