
I might have downloaded an infected .rar file


13 replies to this topic

#1 MrSeeker

MrSeeker

  • Members
  • 17 posts
  • OFFLINE
  • Local time:12:10 PM

Posted 19 September 2016 - 09:26 PM

boopme sent me here.

 

I have a Windows 7 laptop.

 

I don't know what's happening with my laptop. It's been an utter mess for the past month now. I think I might have downloaded an infected .rar file. First I went to the "Am I infected?" forum and boopme tried to help me and then he told me to come here. But before I made this post I tried following the steps in the "it may not be malware" guide. But unfortunately that has not helped.

 

My laptop has had all kinds of different problems over these last 5 weeks. They seem to keep changing. It will be one problem for a few days and then it will be a different problem for the next few days. Right now my laptop is VERY slow to start and once it finally does, nothing seems to work or if something does work it takes forever. In fact, I have to make this post from a different computer.

 

I ran Check Disk about 7 or 8 times over these past few weeks and each time I ran it it would find errors and fix them. It would even say "the volume is clean" after it finished. Every time after I ran Check Disk my laptop seemed to run fairly smooth but then the next day it would go right back to a slow grind. If you want I can post the Check Disk results.

 

I even did a clean boot and my laptop was still slow.

 

My Windows Update hasn't been working right for the past several months now so I thought that might be the cause of some of these problems so I disabled it in Services.

 

Also for some reason my System Restore will not save restore points. Every time I make a restore point they keep getting erased.

 

Right now I can only get my laptop to do anything in Safe Mode so can I run FRST in Safe Mode with networking?

 

 





#2 nasdaq

nasdaq

  • Malware Response Team
  • 39,883 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:10 PM

Posted 20 September 2016 - 09:59 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Run this Zoek tool in Safe mode if normal mode is not available.

Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download the Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
createsrpoint;
autoclean;
emptyalltemp;
ipconfig /flushdns;
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run the whole script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.

Also, please provide an update on how the computer is behaving after running the above script.

===

After a restart of the computer, run this tool in normal mode; if not, do it in Safe mode.

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens, click Yes to the disclaimer.
Press the Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section at the bottom of the topic, click the "More Reply Options" button.

Attach the file.
Select "Choose a File" and navigate to the location of the file.
Click the file you wish to attach.

Click the Add reply button.
===


Please post the logs.

Let me know what problems persist.

#3 MrSeeker

MrSeeker
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:12:10 PM

Posted 20 September 2016 - 09:44 PM

Hello nasdaq, thank you for your quick response.

 

Well unfortunately, my laptop is still having the same problems.

After I ran zoek nothing changed.

And after I ran FRST my laptop still has the same problems as before.

 

Here are my results:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 20-09-2016
Ran by Jeff (administrator) on JCOMP2 (20-09-2016 19:57:59)
Running from C:\Users\Jeff\Desktop
Loaded Profiles: Jeff (Available Profiles: Jeff & UpdatusUser)
Platform: Windows 7 Home Premium Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Safe Mode (with Networking)
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
 
 
==================== Registry (Whitelisted) ===========================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [fspuip] => C:\Program Files\FSP\fspuip.exe [4055552 2010-11-08] (Sentelic Corporation)
HKLM\...\Run: [COMODO Internet Security] => C:\Program Files\COMODO\COMODO Internet Security\cistray.exe [1610936 2016-07-11] (COMODO)
HKLM\...\Run: [AtherosBtStack] => C:\Program Files (x86)\Atheros\Bluetooth Suite\BtvStack.exe [613024 2010-09-27] (Atheros Commnucations)
HKLM\...\Run: [AthBtTray] => C:\Program Files (x86)\Atheros\Bluetooth Suite\AthBtTray.exe [379040 2010-09-27] (Atheros Commnucations)
HKLM\...\Run: [AmIcoSinglun64] => C:\Program Files (x86)\AmIcoSingLun\AmIcoSinglun64.exe [323584 2009-09-22] (Alcor Micro Corp.)
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [508128 2016-07-01] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [QuickTime Task] => "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
HKLM-x32\...\Run: [NUSB3MON] => C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe [113288 2010-04-26] (Renesas Electronics Corporation)
HKLM-x32\...\Run: [DivXUpdate] => "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
HKLM-x32\...\Run: [CanonSolutionMenuEx] => C:\Program Files (x86)\Canon\Solution Menu EX\CNSEMAIN.EXE [1185112 2010-04-02] (CANON INC.)
HKLM-x32\...\Run: [AveoKeySti] => "C:\Program Files (x86)\\AVEO\AVEO_UVC_FILTER_DRIVER_KIT\AveoSTI.exe"
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)
HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [7408312 2016-06-27] (AVAST Software)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-1906881716-3229558287-3348084575-1001\...\Run: [RESTART_STICKY_NOTES] => C:\Windows\System32\StikyNot.exe [427520 2009-07-13] (Microsoft Corporation)
AppInit_DLLs: C:\Windows\system32\nvinitx.dll => C:\Windows\system32\nvinitx.dll [245432 2012-12-03] (NVIDIA Corporation)
AppInit_DLLs-x32: C:\Windows\SysWOW64\nvinit.dll => C:\Windows\SysWOW64\nvinit.dll [201136 2012-12-03] (NVIDIA Corporation)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2016-05-10] (AVAST Software)
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\aveosti.exe.lnk [2011-08-02]
ShortcutTarget: aveosti.exe.lnk -> C:\Program Files (x86)\AVEO\AVEO UVC Filter Driver Kit\AveoSTI.exe ()
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Tcpip\Parameters: [DhcpNameServer] 75.114.81.1 75.114.81.2 192.168.1.1
Tcpip\..\Interfaces\{DD1843D9-6B5B-4FB7-B589-286CBF765920}: [DhcpNameServer] 75.114.81.1 75.114.81.2 192.168.1.1
 
Internet Explorer:
==================
HKU\S-1-5-21-1906881716-3229558287-3348084575-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.msn.com/
HKU\S-1-5-21-1906881716-3229558287-3348084575-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.msn.com
SearchScopes: HKLM -> DefaultScope {21A51130-7285-49FE-B3F6-2385CC71CDEA} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MNMTDF&pc=MANM&src=IE-SearchBox
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKLM -> {21A51130-7285-49FE-B3F6-2385CC71CDEA} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MNMTDF&pc=MANM&src=IE-SearchBox
SearchScopes: HKLM-x32 -> DefaultScope {21A51130-7285-49FE-B3F6-2385CC71CDEA} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MNMTDF&pc=MANM&src=IE-SearchBox
SearchScopes: HKLM-x32 -> {21A51130-7285-49FE-B3F6-2385CC71CDEA} URL = hxxp://www.bing.com/search?q={searchTerms}&form=MNMTDF&pc=MANM&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-1906881716-3229558287-3348084575-1001 -> DefaultScope {012E1000-F331-11DB-8314-0800200C9A66} URL = hxxp://www.google.com/search?q={searchTerms}
SearchScopes: HKU\S-1-5-21-1906881716-3229558287-3348084575-1001 -> {012E1000-F331-11DB-8314-0800200C9A66} URL = hxxp://www.google.com/search?q={searchTerms}
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll [2016-05-10] (AVAST Software)
BHO-x32: No Name -> {5C255C8A-E604-49b4-9D64-90988571CECB} -> No File
BHO-x32: CIESpeechBHO Class -> {8D10F6C4-0E01-4BD4-8601-11AC1FDF8126} -> C:\Program Files (x86)\Atheros\Bluetooth Suite\IEPlugIn.dll [2010-09-27] (Atheros Commnucations)
BHO-x32: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll [2016-05-10] (AVAST Software)
BHO-x32: Windows Live Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-01-22] (Microsoft Corporation)
Toolbar: HKLM - avast! Online Security - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} -  No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} -  No File
DPF: HKLM-x32 {1E54D648-B804-468d-BC78-4AFFED8E262F} hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: HKLM-x32 {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
Handler-x32: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8117.0416.dll [2010-04-17] (Microsoft Corporation)
Handler-x32: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8117.0416.dll [2010-04-17] (Microsoft Corporation)
 
FireFox:
========
FF ProfilePath: C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\4eytaqzv.default
FF DefaultSearchEngine: Google
FF DefaultSearchEngine.US: Google
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_22_0_0_209.dll [2016-07-21] ()
FF Plugin: @java.com/DTPlugin,version=10.5.0 -> C:\Windows\system32\npDeployJava1.dll [2012-07-03] (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.50428.0\npctrl.dll [2016-04-27] ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_22_0_0_209.dll [2016-07-21] ()
FF Plugin-x32: @divx.com/DivX VOD Helper,version=1.0.0 -> C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll [2014-05-22] (DivX, LLC.)
FF Plugin-x32: @divx.com/DivX Web Player Plug-In,version=1.0.0 -> C:\Program Files (x86)\DivX\DivX Web Player\npdivx32.dll [2016-08-08] (DivX, LLC)
FF Plugin-x32: @java.com/DTPlugin,version=10.9.2 -> C:\Windows\SysWOW64\npDeployJava1.dll [2012-09-24] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.50428.0\npctrl.dll [2016-07-08] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MIF5BA~1\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=14.0.8117.0416 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2010-04-17] (Microsoft Corporation)
FF Plugin-x32: @nvidia.com/3DVision -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll [2012-12-01] (NVIDIA Corporation)
FF Plugin-x32: @nvidia.com/3DVisionStreaming -> C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll [2012-12-01] (NVIDIA Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-28] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-28] (Google Inc.)
FF Plugin-x32: @videolan.org/vlc,version=2.0.7 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2016-06-01] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.1.3 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2016-06-01] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.1.5 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2016-06-01] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.2.1 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2016-06-01] (VideoLAN)
FF Plugin-x32: @videolan.org/vlc,version=2.2.4 -> C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll [2016-06-01] (VideoLAN)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll [2016-06-23] (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\nppdf32.dll [2016-06-23] (Adobe Systems Inc.)
FF SearchPlugin: C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\4eytaqzv.default\searchplugins\dictionary.xml [2012-08-30]
FF Extension: (Firefox Hotfix) - C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\4eytaqzv.default\Extensions\firefox-hotfix@mozilla.org.xpi [2016-09-09]
FF Extension: (Video DownloadHelper) - C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\4eytaqzv.default\Extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}.xpi [2016-08-03]
FF Extension: (Adblock Plus) - C:\Users\Jeff\AppData\Roaming\Mozilla\Firefox\Profiles\4eytaqzv.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2016-04-28]
FF HKLM\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: (Avast Online Security) - C:\Program Files\AVAST Software\Avast\WebRep\FF [2016-09-19]
FF HKLM-x32\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF HKLM-x32\...\Firefox\Extensions: [sp@avast.com] - C:\Program Files\AVAST Software\Avast\SafePrice\FF
FF Extension: (Avast SafePrice) - C:\Program Files\AVAST Software\Avast\SafePrice\FF [2016-09-19]
 
Chrome: 
=======
CHR Profile: C:\Users\Jeff\AppData\Local\Google\Chrome\User Data\Default [2016-09-20]
CHR Extension: (Google Docs) - C:\Users\Jeff\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-03-26]
CHR Extension: (Google Drive) - C:\Users\Jeff\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-10-28]
CHR Extension: (YouTube) - C:\Users\Jeff\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-09-24]
CHR Extension: (Google Cast) - C:\Users\Jeff\AppData\Local\Google\Chrome\User Data\Default\Extensions\boadgeojelhgndaghljhdicfkmllpafd [2016-09-20]
CHR Extension: (Adblock Plus) - C:\Users\Jeff\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2016-08-23]
CHR Extension: (Google Search) - C:\Users\Jeff\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-10-30]
CHR Extension: (Google Docs Offline) - C:\Users\Jeff\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-04-11]
CHR Extension: (Avast Online Security) - C:\Users\Jeff\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2016-08-04]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Jeff\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-13]
CHR Extension: (Gmail) - C:\Users\Jeff\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-04-23]
CHR Extension: (Chrome Media Router) - C:\Users\Jeff\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-09-15]
CHR Profile: C:\Users\Jeff\AppData\Local\Google\Chrome\User Data\Guest Profile [2015-01-19] <==== ATTENTION
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2016-05-10]
 
==================== Services (Whitelisted) ========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S2 AdobeActiveFileMonitor12.0; C:\Program Files (x86)\Adobe\Elements 12 Organizer\PhotoshopElementsFileAgent.exe [181152 2013-09-03] (Adobe Systems Incorporated)
S2 AGSService; C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGSService.exe [2159320 2016-08-22] (Adobe Systems, Incorporated)
S2 ASLDRService; C:\Program Files (x86)\PHotkey\ASLDRSrv.exe [104968 2009-12-18] ()
S2 Atheros Bt&Wlan Coex Agent; C:\Program Files (x86)\Atheros\Ath_CoexAgent.exe [151552 2010-05-24] (Atheros) [File not signed]
S2 AtherosSvc; C:\Program Files (x86)\Atheros\Bluetooth Suite\adminservice.exe [52896 2010-09-27] (Atheros Commnucations) [File not signed]
S2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [243296 2016-05-10] (AVAST Software)
S2 cmdAgent; C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe [5817256 2016-07-12] (COMODO)
S3 cmdvirth; C:\Program Files\COMODO\COMODO Internet Security\cmdvirth.exe [2271928 2016-07-12] (COMODO)
S2 GFNEXSrv; C:\Program Files (x86)\PHotkey\GFNEXSrv.exe [159752 2010-10-06] ()
S3 IDriverT; C:\Program Files (x86)\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe [69632 2005-11-14] (Macrovision Corporation) [File not signed]
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ==========================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
S2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [37656 2016-05-10] (AVAST Software)
R1 aswKbd; C:\Windows\system32\drivers\aswKbd.sys [37144 2016-05-10] (AVAST Software)
S2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [107792 2016-05-10] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [103064 2016-05-10] (AVAST Software)
S0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [74544 2016-05-10] (AVAST Software)
S1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1070904 2016-05-10] (AVAST Software)
S1 aswSP; C:\Windows\system32\drivers\aswSP.sys [465792 2016-05-10] (AVAST Software)
S2 aswStm; C:\Windows\system32\drivers\aswStm.sys [166432 2016-05-10] (AVAST Software)
S0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [292704 2016-08-05] (AVAST Software)
R1 cmderd; C:\Windows\System32\DRIVERS\cmderd.sys [31648 2016-07-10] (COMODO)
S1 cmdGuard; C:\Windows\System32\DRIVERS\cmdguard.sys [829600 2016-07-10] (COMODO)
R1 cmdHlp; C:\Windows\System32\DRIVERS\cmdhlp.sys [56472 2016-07-10] (COMODO)
S3 ebdrv; C:\Windows\system32\drivers\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
R1 inspect; C:\Windows\System32\DRIVERS\inspect.sys [116248 2016-07-10] (COMODO)
S2 PEGAGFN; C:\Program Files (x86)\PHotkey\PEGAGFN.sys [14344 2009-09-11] (PEGATRON)
R0 PxHlpa64; C:\Windows\System32\drivers\PxHlpa64.sys [56336 2013-07-19] (Corel Corporation)
S3 cpuz135; \??\C:\Windows\TEMP\cpuz135\cpuz135_x64.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-09-20 19:57 - 2016-09-20 20:00 - 00016550 _____ C:\Users\Jeff\Desktop\FRST.txt
2016-09-20 19:57 - 2016-09-20 19:57 - 00000000 ____D C:\FRST
2016-09-20 19:50 - 2016-09-20 19:50 - 02402816 _____ (Farbar) C:\Users\Jeff\Desktop\FRST64.exe
2016-09-20 18:32 - 2016-09-20 18:32 - 00000000 ___RD C:\Users\Jeff\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\BT Devices
2016-09-20 17:53 - 2016-09-20 14:49 - 00024064 _____ C:\Windows\zoek-delete.exe
2016-09-20 17:34 - 2016-09-20 17:34 - 00000088 _____ C:\folders.txt
2016-09-20 15:30 - 2016-09-20 19:28 - 00000000 ____D C:\zoek
2016-09-20 14:28 - 2016-09-20 15:31 - 00000000 ____D C:\zoek_backup
2016-09-20 14:28 - 2016-09-20 14:28 - 01309184 _____ C:\Users\Jeff\Desktop\zoek.exe
2016-09-19 04:25 - 2016-09-19 04:25 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVAST Software
2016-09-19 04:08 - 2016-05-10 16:01 - 00398152 _____ (AVAST Software) C:\Windows\system32\aswBoot.exe
2016-09-13 01:46 - 2016-09-13 01:46 - 00002834 _____ C:\Users\Jeff\Downloads\exported-list.pdf
2016-09-11 02:45 - 2016-09-11 02:50 - 00028220 _____ C:\Users\Jeff\Desktop\chkdsk 9-11.txt
2016-09-09 15:04 - 2016-09-09 15:04 - 00005148 _____ C:\Users\Jeff\Desktop\chkdsk 9-9 no.2.txt
2016-09-09 14:41 - 2016-09-09 14:41 - 00017692 _____ C:\Users\Jeff\Desktop\chkdsk 9-9.txt
2016-09-08 22:25 - 2016-09-08 22:25 - 00186880 _____ C:\Users\Jeff\Desktop\sfcdetails.txt
2016-09-08 22:01 - 2016-09-08 22:01 - 00000083 _____ C:\Users\Jeff\Desktop\sfc command.txt
2016-09-07 03:45 - 2016-09-07 03:45 - 00023030 _____ C:\Users\Jeff\Desktop\chkdsk 9-7.txt
2016-09-03 02:35 - 2016-09-03 17:35 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2016-09-03 01:10 - 2016-09-20 19:43 - 02023298 _____ C:\Windows\ntbtlog.txt
2016-08-26 01:23 - 2016-08-26 04:55 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-08-26 01:22 - 2016-08-26 01:22 - 00140672 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys
2016-08-26 01:22 - 2016-08-26 01:22 - 00064896 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
2016-08-26 01:22 - 2016-08-26 01:22 - 00027008 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbam.sys
2016-08-26 01:22 - 2016-08-26 01:22 - 00001106 _____ C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2016-08-26 01:22 - 2016-08-26 01:22 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2016-08-26 01:22 - 2016-08-26 01:22 - 00000000 ____D C:\ProgramData\Malwarebytes
2016-08-26 01:22 - 2016-08-26 01:22 - 00000000 ____D C:\Program Files (x86)\Malwarebytes Anti-Malware
2016-08-26 01:09 - 2016-08-26 01:09 - 22851472 _____ (Malwarebytes ) C:\Users\Jeff\Downloads\mbam-setup-2.2.1.1043.exe
2016-08-26 00:33 - 2016-08-26 00:33 - 03826240 _____ C:\Users\Jeff\Downloads\AdwCleaner (1).exe
2016-08-24 00:17 - 2016-08-24 00:17 - 00000000 ____D C:\Program Files (x86)\ESET
2016-08-23 23:26 - 2016-08-23 23:26 - 01610560 _____ (Malwarebytes) C:\Users\Jeff\Downloads\JRT.exe
2016-08-23 23:12 - 2016-08-26 00:49 - 00000000 ____D C:\AdwCleaner
2016-08-23 22:52 - 2016-08-23 23:09 - 00034292 _____ C:\Users\Jeff\Downloads\MTB.txt
2016-08-23 22:39 - 2016-08-23 22:39 - 00892416 _____ (Farbar) C:\Users\Jeff\Downloads\MiniToolBox.exe
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-09-20 19:03 - 2016-08-19 07:23 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2016-09-20 18:35 - 2009-07-14 00:45 - 00028928 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-09-20 18:35 - 2009-07-14 00:45 - 00028928 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-09-20 18:34 - 2012-07-10 02:47 - 00004182 _____ C:\Windows\System32\Tasks\avast! Emergency Update
2016-09-20 18:32 - 2011-08-02 16:38 - 00000035 _____ C:\Users\Public\Documents\AtherosServiceConfig.ini
2016-09-20 18:29 - 2012-09-28 03:50 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-09-20 18:28 - 2011-08-02 16:23 - 00000000 ____D C:\ProgramData\NVIDIA
2016-09-20 18:28 - 2009-07-14 01:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-09-20 18:15 - 2014-08-23 17:29 - 00000000 ____D C:\Users\Jeff\AppData\Local\Adobe
2016-09-20 17:56 - 2015-09-03 04:12 - 00000008 __RSH C:\ProgramData\ntuser.pol
2016-09-20 15:31 - 2009-07-13 23:20 - 00000000 ___HD C:\Windows\system32\GroupPolicy
2016-09-20 15:31 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\SysWOW64\GroupPolicy
2016-09-20 14:43 - 2011-08-12 02:35 - 00000000 ____D C:\ProgramData\TEMP
2016-09-19 04:25 - 2016-03-23 16:37 - 00003874 _____ C:\Windows\System32\Tasks\SafeZone scheduled Autoupdate 1458765416
2016-09-19 04:25 - 2014-11-25 17:49 - 00001882 _____ C:\Users\Public\Desktop\Avast Free Antivirus.lnk
2016-09-19 03:52 - 2009-07-14 01:08 - 00032578 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2016-09-18 19:39 - 2014-03-05 19:36 - 00000000 ____D C:\Program Files (x86)\Opera
2016-09-18 19:26 - 2015-07-21 20:25 - 00000000 ____D C:\Windows\pss
2016-09-18 17:20 - 2009-07-14 01:13 - 00152634 _____ C:\Windows\system32\PerfStringBackup.INI
2016-09-18 17:20 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\inf
2016-09-17 19:21 - 2015-07-19 18:50 - 00000892 _____ C:\Windows\Tasks\Adobe Flash Player PPAPI Notifier.job
2016-09-17 19:10 - 2016-08-19 03:47 - 00000000 _____ C:\Windows\SysWOW64\last.dump
2016-09-16 17:15 - 2011-08-11 22:49 - 00000000 ____D C:\Users\Jeff\Documents\Bluetooth Folder
2016-09-14 21:15 - 2014-03-05 19:18 - 00002195 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-09-14 21:15 - 2014-03-05 19:18 - 00002183 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2016-09-14 04:55 - 2015-04-20 18:42 - 00007600 _____ C:\Users\Jeff\AppData\Local\Resmon.ResmonCfg
2016-09-14 02:41 - 2014-12-25 17:35 - 00004476 _____ C:\Windows\System32\Tasks\Adobe Acrobat Update Task
2016-09-09 20:35 - 2011-12-20 22:28 - 00000000 ____D C:\Program Files (x86)\Steam
2016-09-09 16:24 - 2013-06-17 22:45 - 00000000 ____D C:\Users\Jeff\AppData\Roaming\vlc
2016-09-08 15:34 - 2014-06-03 22:51 - 00003842 _____ C:\Windows\System32\Tasks\Opera scheduled Autoupdate 1394062575
2016-09-06 02:21 - 2011-08-12 22:49 - 00000000 ____D C:\Windows\Minidump
2016-09-05 17:44 - 2015-11-30 03:12 - 00000000 ____D C:\Users\Jeff\Downloads\New folder (25)
2016-09-05 16:53 - 2012-09-28 03:49 - 00000000 ____D C:\Users\Jeff\AppData\Local\Google
2016-09-04 05:20 - 2015-08-14 01:24 - 00000000 ____D C:\Users\Jeff\AppData\LocalLow\boost_interprocess
2016-09-03 17:35 - 2012-04-26 02:09 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2016-09-03 04:19 - 2016-01-02 03:10 - 00003640 _____ C:\Windows\System32\Tasks\DivXUpdate
2016-09-03 04:19 - 2012-11-11 00:45 - 00000000 ____D C:\Program Files (x86)\DivX
2016-09-03 04:19 - 2011-09-03 22:49 - 00000000 ____D C:\ProgramData\DivX
2016-08-27 20:53 - 2011-08-11 22:49 - 00000000 ____D C:\Users\Jeff
2016-08-23 21:50 - 2009-07-13 23:20 - 00000000 ____D C:\Windows\system32\NDF
2016-08-23 20:21 - 2012-09-28 03:50 - 00000000 ____D C:\Program Files (x86)\Google
 
==================== Files in the root of some directories =======
 
2014-02-22 02:25 - 2015-06-24 23:39 - 0558080 _____ () C:\Users\Jeff\AppData\Roaming\SharedSettings.ccs
2015-04-20 18:42 - 2016-09-14 04:55 - 0007600 _____ () C:\Users\Jeff\AppData\Local\Resmon.ResmonCfg
 
==================== Bamital & volsnap =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2016-09-07 02:38
 
==================== End of FRST.txt ============================


Edited by MrSeeker, 20 September 2016 - 09:59 PM.


#4 nasdaq

nasdaq

  • Malware Response Team
  • 39,883 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:10 PM

Posted 21 September 2016 - 09:47 AM



Remove Avast using their removal tool.
https://www.avast.com/uninstall-utility
===

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start

EmptyTemp:
CloseProcesses:

BHO-x32: No Name -> {5C255C8A-E604-49b4-9D64-90988571CECB} -> No File
Toolbar: HKLM - avast! Online Security - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} -  No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} -  No File
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
CHR Extension: (Avast Online Security) - C:\Users\Jeff\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2016-08-04]
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2016-05-10]
S3 cpuz135; \??\C:\Windows\TEMP\cpuz135\cpuz135_x64.sys [X]
CustomCLSID: HKU\S-1-5-21-1906881716-3229558287-3348084575-1001_Classes\CLSID\{590C4387-5EBD-4D46-8A84-CD0BA2EF2856}\InprocServer32 -> C:\Users\Jeff\AppData\Local\Google\Update\1.3.30.3\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1906881716-3229558287-3348084575-1001_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98}\InprocServer32 -> C:\Users\Jeff\AppData\Local\Google\Update\1.3.28.13\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1906881716-3229558287-3348084575-1001_Classes\CLSID\{793EE463-1304-471C-ADF1-68C2FFB01247}\InprocServer32 -> C:\Users\Jeff\AppData\Local\Google\Update\1.3.29.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1906881716-3229558287-3348084575-1001_Classes\CLSID\{CC182BE1-84CE-4A57-B85C-FD4BBDF78CB2}\InprocServer32 -> C:\Users\Jeff\AppData\Local\Google\Update\1.3.29.2\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1906881716-3229558287-3348084575-1001_Classes\CLSID\{D1EDC4F5-7F4D-4B12-906A-614ECF66DDAF}\InprocServer32 -> C:\Users\Jeff\AppData\Local\Google\Update\1.3.28.15\psuser_64.dll => No File

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Let me know what problem persists.

#5 MrSeeker

MrSeeker
  • Topic Starter
  • Members
  • 17 posts

Posted 22 September 2016 - 12:08 AM

nasdaq, I don't know what happened but after I ran the fix a bunch of my downloads are now GONE. About 80% of the folders in my Downloads (everything from e - z) have just disappeared. And many other items in my Downloads folder as well. That had to have been a good 10 - 15 GB worth of files. Pictures, videos, comic books, music, all kinds of stuff.
 
And my laptop is still completely messed up.
 
I'm starting to panic a little :(
 
 
Fix result of Farbar Recovery Scan Tool (x64) Version: 21-09-2016
Ran by Jeff (21-09-2016 23:07:05) Run:1
Running from C:\Users\Jeff\Desktop
Loaded Profiles: Jeff (Available Profiles: Jeff & UpdatusUser)
Boot Mode: Safe Mode (with Networking)
==============================================
 
fixlist content:
*****************
start
 
EmptyTemp:
CloseProcesses:
 
BHO-x32: No Name -> {5C255C8A-E604-49b4-9D64-90988571CECB} -> No File
Toolbar: HKLM - avast! Online Security - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} -  No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} -  No File
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
CHR Extension: (Avast Online Security) - C:\Users\Jeff\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2016-08-04]
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2016-05-10]
S3 cpuz135; \??\C:\Windows\TEMP\cpuz135\cpuz135_x64.sys [X]
CustomCLSID: HKU\S-1-5-21-1906881716-3229558287-3348084575-1001_Classes\CLSID\{590C4387-5EBD-4D46-8A84-CD0BA2EF2856}\InprocServer32 -> C:\Users\Jeff\AppData\Local\Google\Update\1.3.30.3\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1906881716-3229558287-3348084575-1001_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98}\InprocServer32 -> C:\Users\Jeff\AppData\Local\Google\Update\1.3.28.13\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1906881716-3229558287-3348084575-1001_Classes\CLSID\{793EE463-1304-471C-ADF1-68C2FFB01247}\InprocServer32 -> C:\Users\Jeff\AppData\Local\Google\Update\1.3.29.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1906881716-3229558287-3348084575-1001_Classes\CLSID\{CC182BE1-84CE-4A57-B85C-FD4BBDF78CB2}\InprocServer32 -> C:\Users\Jeff\AppData\Local\Google\Update\1.3.29.2\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1906881716-3229558287-3348084575-1001_Classes\CLSID\{D1EDC4F5-7F4D-4B12-906A-614ECF66DDAF}\InprocServer32 -> C:\Users\Jeff\AppData\Local\Google\Update\1.3.28.15\psuser_64.dll => No File
 
End
*****************
 
Processes closed successfully.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}" => key removed successfully
HKCR\Wow6432Node\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB} => key not found. 
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{318A227B-5E9F-45bd-8999-7F8F10CA4CF5} => value removed successfully
"HKCR\CLSID\{318A227B-5E9F-45bd-8999-7F8F10CA4CF5}" => key removed successfully
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} => value removed successfully
HKCR\CLSID\{CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} => key not found. 
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
C:\Users\Jeff\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki => not found
HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\gomekmidlodglbbmalcneegieacbdmki => key not found. 
"C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx" => not found.
cpuz135 => service removed successfully
"HKU\S-1-5-21-1906881716-3229558287-3348084575-1001_Classes\CLSID\{590C4387-5EBD-4D46-8A84-CD0BA2EF2856}" => key removed successfully
"HKU\S-1-5-21-1906881716-3229558287-3348084575-1001_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98}" => key removed successfully
"HKU\S-1-5-21-1906881716-3229558287-3348084575-1001_Classes\CLSID\{793EE463-1304-471C-ADF1-68C2FFB01247}" => key removed successfully
"HKU\S-1-5-21-1906881716-3229558287-3348084575-1001_Classes\CLSID\{CC182BE1-84CE-4A57-B85C-FD4BBDF78CB2}" => key removed successfully
"HKU\S-1-5-21-1906881716-3229558287-3348084575-1001_Classes\CLSID\{D1EDC4F5-7F4D-4B12-906A-614ECF66DDAF}" => key removed successfully
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 0 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 56029053 B
Java, Flash, Steam htmlcache => 460500157 B
Windows/system/drivers => 336337 B
Edge => 0 B
Chrome => 103204299 B
Firefox => 179839309 B
Opera => 27829092 B
 
Temp, IE cache, history, cookies, recent:
Default => 0 B
Public => 0 B
ProgramData => 0 B
systemprofile => 33253 B
systemprofile32 => 33685 B
LocalService => 0 B
NetworkService => 0 B
UpdatusUser => 0 B
Jeff => 23313893 B
UpdatusUser => 0 B
 
RecycleBin => 0 B
EmptyTemp: => 811.7 MB temporary data Removed.
 
================================
 
 
The system needed a reboot.
 
==== End of Fixlog 00:03:12 ====

Edited by MrSeeker, 22 September 2016 - 12:36 AM.


#6 nasdaq

nasdaq

  • Malware Response Team
  • 39,883 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 22 September 2016 - 10:34 AM

I did not touch your Download folder.
I hope it's not the work of the malware as you previously stated.

Also for some reason my System Restore will not save restore points. Every time I make a restore point they keep getting erased.



Can you please run the Farbar tool one more time and post the FRST and Addition.txt files for my review.

#7 MrSeeker

MrSeeker
  • Topic Starter
  • Members
  • 17 posts

Posted 22 September 2016 - 01:21 PM

I'm a little bit worried about running that scan again and creating those logs because I read that if something has indeed been deleted then you should try not to use the computer as much as possible because every time the computer writes to the hard drive your chances of recovering deleted data will diminish (if I had to use a data recovery program). I'm writing this post from someone else's computer.

Do you think that maybe those folders and files have now been made "hidden"?

Or maybe they have just simply been moved to some obscure folder and I just have to find them?

I also read that it might be a messed up Windows profile or maybe two profiles have now been created?

It's a little strange because like I said I think I must have lost around 10 or 15 GBs worth of files BUT when I looked at my C drive it showed that I had only cleared an extra 4 or 5 GBs. It went from 58 GBs of free space to 63 GBs of free space. I don't know. Maybe the files I lost only really added up to 5 GBs and not 10. I'm just not really sure.



#8 nasdaq

nasdaq

  • Malware Response Team
  • 39,883 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 23 September 2016 - 09:06 AM


Make sure you can see all.

Unhide files/folders Windows 7.
How To:
http://windows.microsoft.com/en-ca/windows/show-hidden-files#show-hidden-files=windows-7
<<<>>>

Running this search will only create a small .txt file.

Search filenames you know you had.

In the search box you can use the global search [ * ] tag.

Example:

abc*.*

or

*.png

Please run the Farbar Recovery Scan Tool. Enter xxxxx in the Search Box and hit the File Search button.

Any luck?

===

Did you check your Recycle bin?

This may also help.
Recover lost or deleted files
https://support.microsoft.com/en-us/help/17119/windows-7-recover-lost-deleted-files

===

This tool may also help.

Recover your deleted files quickly and easily.
https://www.piriform.com/recuva

If successful, undelete just a few files.
If the files are not deleted after an hour or so you can continue.

Keep me posted.

#9 MrSeeker

MrSeeker
  • Topic Starter
  • Members
  • 17 posts

Posted 24 September 2016 - 08:47 PM

Ok, great news. My files have NOT been deleted. In fact, they haven't even been moved. They're still there in my Downloads folder but for some strange reason they are hidden. I have gone through the Folder Options to unhide everything but for some reason they still remain hidden. I can find them when I search for them in the start menu. They show up right where they're supposed to be in the Downloads folder. I can even open them too. But whenever I try to access the Downloads folder itself then those missing files remain hidden.

It's interesting because every file and folder in my Downloads folder that begins with the letters A - D is still visible as normal. But every file and folder that begins with the letters E - Z is hidden.

I read that this might have happened because the file and folder attributes have been changed somehow. For example, maybe they now have the system attribute and the hidden attribute turned on. Maybe this was caused by malware or a virus.

And unfortunately, my laptop is still very slow and just not functioning correctly.

I'm not really sure what I should do next. I would like to copy all my Downloads to my external hard drive but I'm afraid that if my laptop is infected with malware or a virus then I might transfer that virus to my external hard drive as well. I don't know, should I try to fix the file and folder attributes first, or should we just go ahead and try to eliminate the malware first, or should I go ahead and back up all my files to my external hard drive first?


Edited by MrSeeker, 24 September 2016 - 09:00 PM.


#10 nasdaq

nasdaq

  • Malware Response Team
  • 39,883 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 25 September 2016 - 09:06 AM

Use this command to unhide System files.

attrib -s -h

How to is explained here.
http://www.howtogeek.com/104825/make-a-super-hidden-folder-in-windows-without-any-extra-software/

As shown in the example on the link:
attrib -s -h C:\Users\Taylor Gibb\Desktop\Top Secret

Ensure that you use the absolute path of a folder or file on your system.

===

This Windows repair tool can possibly help also.

Please Download Tweaking.com - Windows Repair from Here


  • Install and then run the program
  • Execute the instructions on Step 1 Important
  • Click Next on Step 2 Optional, do the Pre Scan, skip Step 3 and 4 Optional for now.
  • On Step 5 Backup System Restore, do a Registry backup. When you have completed this click Next
  • Click Repairs - Open Repairs in the bottom right corner
  • Uncheck the All repair button then select just the item(s) listed below:
    01 - Repair Registry Permissions
    02 - Reset File Permissions (2)
    .. 02.01 File Permissions C:\
    .. 02.02 File Permissions D:\  <- Optional
    10 - Remove Policies Set By Infections
    16 - Unhide Non System Files (2)
    .. 16.01 Unhide C:\
    .. 16.02 Unhide D:\ <- Optional
    26 - Restore Important Windows Services
  • Click the Start button and let the process run to completion. Copy any error messages into Notepad and save it on your Desktop. (Reboot if asked to do so.)
  • Please copy and paste the contents of this file in your next reply.

===

Restart the computer normally.

How is the computer running now?

=======================
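As an added example (not part of nasdaq's post or of the Tweaking.com tool), here is a PowerShell script that audits a folder for entries carrying the Hidden or System attribute, which is the condition the attrib -s -h command above clears, and clears only those two bits when run with -Fix. The folder path, the -Fix switch and the report-only default are assumptions; it does the per-item work that a single attrib call without an explicit path would not.

```powershell
# Added example, not from the thread. Reports entries under $Folder that carry
# the Hidden and/or System attribute; with -Fix it clears just those two bits.
param(
    [string]$Folder = "$env:USERPROFILE\Downloads",  # assumed target folder
    [switch]$Fix                                      # default is report-only
)

# -Force makes Get-ChildItem return hidden and system entries it would
# otherwise skip, which is exactly what we are looking for.
$items = @(Get-ChildItem -LiteralPath $Folder -Force -Recurse -ErrorAction SilentlyContinue)

$hiddenBit = [int][IO.FileAttributes]::Hidden
$systemBit = [int][IO.FileAttributes]::System
$mask      = $hiddenBit -bor $systemBit

$flagged = @(foreach ($item in $items) {
    $attrs = [int]$item.Attributes
    if (($attrs -band $mask) -ne 0) {
        [pscustomobject]@{
            Path   = $item.FullName
            Hidden = (($attrs -band $hiddenBit) -ne 0)
            System = (($attrs -band $systemBit) -ne 0)
            Attrs  = $item.Attributes.ToString()
        }
    }
})

# A user's Downloads folder normally holds no System+Hidden entries, so a long
# list here supports the "attributes were changed" explanation in the thread.
$flagged | Format-Table -AutoSize
"{0} of {1} entries carry Hidden and/or System" -f $flagged.Count, $items.Count

if ($Fix) {
    foreach ($f in $flagged) {
        $item = Get-Item -LiteralPath $f.Path -Force
        # Clear only Hidden and System; ReadOnly, Archive, etc. are left as they are.
        $item.Attributes = [IO.FileAttributes](([int]$item.Attributes) -band (-bnot $mask))
    }
    "Cleared Hidden/System on {0} entries" -f $flagged.Count
}
```

Run it once without -Fix and keep the listing; if every flagged path falls in the E-Z range the thread describes, that is the pattern to compare against after the repair.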


#11 MrSeeker

MrSeeker
  • Topic Starter
  • Members
  • 17 posts

Posted 27 September 2016 - 02:26 PM

Using that command to change the attributes did not help. I even tried adding /s and /d and that didn't help either. I've checked all my file permissions and the ownership of my files. I even checked the registry values using regedit and that also appears to be ok. But yet my files are still hidden when I try to access them directly through my Downloads folder. Maybe running Check Disk again would fix it? Someone else said it worked for them.

 

I'm kind of worried because I've been reading that this MIGHT mean that my hard drive is about to fail.

 

nasdaq, I have a few questions for you:

 

1. Should I try running Check Disk again to unhide my files?

 

2. So do you think my laptop is possibly infected with a virus or malware or has my operating system just gotten screwed up somehow?

 

3. IF it is infected, then is there a possibility I could infect my EXTERNAL hard drive if I try to copy my files to it?

 

Because before I do anything else, I would like to go ahead and copy all my downloaded files to my external hard drive.



#12 nasdaq

nasdaq

  • Malware Response Team
  • 39,883 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 28 September 2016 - 09:30 AM


Let's check this first.

The Super Hidden file function may be enabled.
Refer to this topic.

http://ccm.net/faq/14094-windows-7-display-the-super-hidden-files

If the SuperHidden is set to 1 change it to 0 [Zero]

#13 MrSeeker

MrSeeker
  • Topic Starter
  • Members
  • 17 posts

Posted 28 September 2016 - 11:46 PM

No, that did not work either.



#14 nasdaq

nasdaq

  • Malware Response Team
  • 39,883 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 29 September 2016 - 08:46 AM

Run a check on this again.

If you can, copy just one of the hidden files you say is there to a flash drive and see if you can then change the hidden status.



