
Need confirmation


18 replies to this topic

#1 applepieofdeath

applepieofdeath

  • Members
  • 18 posts
  • Gender:Male

Posted 16 October 2016 - 08:14 AM

Hello, I have recently been having problems while using Roguekiller by adlice. My computer was acting unusual so I started my routine scans. Roguekiller had several detections but was shut down in the middle. After several dead-end solutions, I found this thread: http://www.bleepingcomputer.com/forums/t/280407/something-keeps-turning-off-my-anti-virus/ . I followed it and it seems to have worked and Roguekiller is fine now. However, many of the links from that thread were either dead or led to what I assume is a newer, renamed, and in some cases only free-trial version of the programs. I have used all which I could access and again it seems to have worked, but due to the process and programs being different I'm not entirely sure. Is there an easy way to confirm?

 

FRST logs:

 

Attached File  FRST.txt   149.34KB   2 downloads

 

Attached File  Addition.txt   93.43KB   3 downloads




#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,736 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 18 October 2016 - 09:49 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===
Remove this SweetIM tool bar via the Control panel > Programs > Programs and Features.
Internet Explorer Toolbar 4.7 by SweetPacks (HKLM-x32\...\{80F3F10B-A177-4494-93CE-98090D819093}) (Version: 4.7.0008 - SweetIM Technologies Ltd.) <==== ATTENTION
===

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM\...\Run: [] => [X]
HKLM-x32\...\Run: [] => [X]
ShellIconOverlayIdentifiers: [###MegaShellExtPending] -> {056D528D-CE28-4194-9BA3-BA2E9197FF8C} => C:\ProgramData\MEGAsync\ShellExtX64.dll No File
ShellIconOverlayIdentifiers: [###MegaShellExtSynced] -> {05B38830-F4E9-4329-978B-1DD28605D202} => C:\ProgramData\MEGAsync\ShellExtX64.dll No File
ShellIconOverlayIdentifiers: [###MegaShellExtSyncing] -> {0596C850-7BDD-4C9D-AFDF-873BE6890637} => C:\ProgramData\MEGAsync\ShellExtX64.dll No File
ShellIconOverlayIdentifiers-x32: [###MegaShellExtPending] -> {056D528D-CE28-4194-9BA3-BA2E9197FF8C} => C:\ProgramData\MEGAsync\ShellExtX32.dll No File
ShellIconOverlayIdentifiers-x32: [###MegaShellExtSynced] -> {05B38830-F4E9-4329-978B-1DD28605D202} => C:\ProgramData\MEGAsync\ShellExtX32.dll No File
ShellIconOverlayIdentifiers-x32: [###MegaShellExtSyncing] -> {0596C850-7BDD-4C9D-AFDF-873BE6890637} => C:\ProgramData\MEGAsync\ShellExtX32.dll No File
GroupPolicy: Restriction - Chrome <======= ATTENTION
CHR DefaultSearchKeyword: Default -> trovi.search
CHR Extension: (Chrome Web Store Payments) - C:\Users\applepieofdeath\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-21]
CHR HKLM\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [ohhcpmplhhiiaoiddkfboafbhiknefdf] - hxxps://clients2.google.com/service/update2/crx
S2 Amsp; "C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe" coreFrameworkHost.exe -m=rb -dt=60000 -ad -bt=0 [X]
S3 InnovativeSolutions_monitor; C:\Program Files (x86)\Common Files\Innovative Solutions\Advanced Uninstaller\InnovativeSolutions_monitor_Svr.exe [X]
U3 uxldypod; C:\Users\applepieofdeath\AppData\Local\Temp\uxldypod.sys [56584 2016-10-16] (GMER) [File not signed]
U3 idsvc; no ImagePath
U2 TMAgent; no ImagePath
C:\Users\applepieofdeath\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda
Task: {238EFAB2-290D-40C7-8149-C70CF41F91D5} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {2C2003D1-1460-4D45-BB96-4609145A247F} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {568EACD5-6E0C-42BE-85ED-8E0C772411EC} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {75842CBD-2810-400F-8DD5-8F59DD22DEAA} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {7AF65D60-DA32-45E1-8269-C8992BD9270B} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {810D47EF-6D2B-4AE7-99F7-DEAE65F75800} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {90D5BCE8-FD95-4A0E-AE48-B60659AD2A33} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {AE719602-B4BA-4B30-BB1B-9D40A783C2FA} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {D398B366-8F92-4FFF-904D-8145BB9D5D88} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {EA6EAC66-5856-48D4-A8AB-F4DC2856E5FD} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {F627E125-B328-4B16-BCA4-ED5224E52D88} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION
AlternateDataStreams: C:\ProgramData\Temp:5C321E34 [105]
AlternateDataStreams: C:\Users\applepieofdeath\Desktop\2015-10-31 21.35.51.jpg:com.dropbox.attributes [410]
AlternateDataStreams: C:\Users\applepieofdeath\Desktop\2016-06-11 16.51.08.jpg:com.dropbox.attributes [868]

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Your version of Shockwave is out-of-date and vulnerable.

Navigate to this page and follow the instructions to get the latest version.
https://www.adobe.com/shockwave/welcome/

Go to Start > Control Panel > Programs and Features and uninstall the old version(s) if present.
Adobe Shockwave Player 12.0 (HKLM-x32\...\Adobe Shockwave Player) (Version: 12.0.2.122 - Adobe Systems, Inc.)
===

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as a Java update!
Important: read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882

If still present after the update you can remove the old version(s) of Java via the Control Panel > Programs and Features.
Java 8 Update 91 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83218091F0}) (Version: 8.0.910.14 - Oracle Corporation)

===

Please post the Fixlog.txt and let me know what issues you have with this computer.

#3 applepieofdeath

applepieofdeath
  • Topic Starter

  • Members
  • 18 posts
  • Gender:Male

Posted 18 October 2016 - 10:56 AM

I could not find the Sweet IM toolbar in the program list so that process was skipped.

 

Notepad could not save the document as fixlist.txt, so the text was simply saved as fixlist. The document was moved to a folder successfully named fixlist.txt and the folder was moved to the same file as FRST.

 

log:

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 17-10-2016
Ran by applepieofdeath (19-10-2016 00:38:06) Run:2
Running from C:\Users\applepieofdeath\Desktop\anti-virus\FRST
Loaded Profiles: applepieofdeath (Available Profiles: applepieofdeath & Administrator & DefaultAppPool)
Boot Mode: Normal
==============================================

fixlist content:
*****************

*****************


==== End of Fixlog 00:38:06 ====


Edited by applepieofdeath, 18 October 2016 - 02:13 PM.


#4 nasdaq

nasdaq

  • Malware Response Team
  • 40,736 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 19 October 2016 - 10:25 AM

That did not work as expected.

I have attached the fixlist.txt file. Download it and place it in the folder where the Farbar tool is located.
Then run the fix as I have previously suggested.

Attached Files



#5 applepieofdeath

applepieofdeath
  • Topic Starter

  • Members
  • 18 posts
  • Gender:Male

Posted 19 October 2016 - 12:31 PM

Fix result of Farbar Recovery Scan Tool (x64) Version: 17-10-2016
Ran by applepieofdeath (20-10-2016 02:16:01) Run:4
Running from C:\Users\applepieofdeath\Desktop\anti-virus\FRST
Loaded Profiles: applepieofdeath (Available Profiles: applepieofdeath & Administrator & DefaultAppPool)
Boot Mode: Normal
==============================================

fixlist content:
*****************
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM\...\Run: [] => [X]
HKLM-x32\...\Run: [] => [X]
ShellIconOverlayIdentifiers: [###MegaShellExtPending] -> {056D528D-CE28-4194-9BA3-BA2E9197FF8C} => C:\ProgramData\MEGAsync\ShellExtX64.dll No File
ShellIconOverlayIdentifiers: [###MegaShellExtSynced] -> {05B38830-F4E9-4329-978B-1DD28605D202} => C:\ProgramData\MEGAsync\ShellExtX64.dll No File
ShellIconOverlayIdentifiers: [###MegaShellExtSyncing] -> {0596C850-7BDD-4C9D-AFDF-873BE6890637} => C:\ProgramData\MEGAsync\ShellExtX64.dll No File
ShellIconOverlayIdentifiers-x32: [###MegaShellExtPending] -> {056D528D-CE28-4194-9BA3-BA2E9197FF8C} => C:\ProgramData\MEGAsync\ShellExtX32.dll No File
ShellIconOverlayIdentifiers-x32: [###MegaShellExtSynced] -> {05B38830-F4E9-4329-978B-1DD28605D202} => C:\ProgramData\MEGAsync\ShellExtX32.dll No File
ShellIconOverlayIdentifiers-x32: [###MegaShellExtSyncing] -> {0596C850-7BDD-4C9D-AFDF-873BE6890637} => C:\ProgramData\MEGAsync\ShellExtX32.dll No File
GroupPolicy: Restriction - Chrome <======= ATTENTION
CHR DefaultSearchKeyword: Default -> trovi.search
CHR Extension: (Chrome Web Store Payments) - C:\Users\applepieofdeath\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-21]
CHR HKLM\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [ohhcpmplhhiiaoiddkfboafbhiknefdf] - hxxps://clients2.google.com/service/update2/crx
S2 Amsp; "C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe" coreFrameworkHost.exe -m=rb -dt=60000 -ad -bt=0 [X]
S3 InnovativeSolutions_monitor; C:\Program Files (x86)\Common Files\Innovative Solutions\Advanced Uninstaller\InnovativeSolutions_monitor_Svr.exe [X]
U3 uxldypod; C:\Users\applepieofdeath\AppData\Local\Temp\uxldypod.sys [56584 2016-10-16] (GMER) [File not signed]
U3 idsvc; no ImagePath
U2 TMAgent; no ImagePath
C:\Users\applepieofdeath\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda
Task: {238EFAB2-290D-40C7-8149-C70CF41F91D5} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {2C2003D1-1460-4D45-BB96-4609145A247F} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {568EACD5-6E0C-42BE-85ED-8E0C772411EC} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {75842CBD-2810-400F-8DD5-8F59DD22DEAA} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {7AF65D60-DA32-45E1-8269-C8992BD9270B} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {810D47EF-6D2B-4AE7-99F7-DEAE65F75800} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {90D5BCE8-FD95-4A0E-AE48-B60659AD2A33} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {AE719602-B4BA-4B30-BB1B-9D40A783C2FA} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {D398B366-8F92-4FFF-904D-8145BB9D5D88} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {EA6EAC66-5856-48D4-A8AB-F4DC2856E5FD} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {F627E125-B328-4B16-BCA4-ED5224E52D88} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION
AlternateDataStreams: C:\ProgramData\Temp:5C321E34 [105]
AlternateDataStreams: C:\Users\applepieofdeath\Desktop\2015-10-31 21.35.51.jpg:com.dropbox.attributes [410]
AlternateDataStreams: C:\Users\applepieofdeath\Desktop\2016-06-11 16.51.08.jpg:com.dropbox.attributes [868]

End
*****************

Restore point was successfully created.
Processes closed successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\ => value not found.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value not found.
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\###MegaShellExtPending => key not found.
HKCR\CLSID\{056D528D-CE28-4194-9BA3-BA2E9197FF8C} => key not found.
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\###MegaShellExtSynced => key not found.
HKCR\CLSID\{05B38830-F4E9-4329-978B-1DD28605D202} => key not found.
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\###MegaShellExtSyncing => key not found.
HKCR\CLSID\{0596C850-7BDD-4C9D-AFDF-873BE6890637} => key not found.
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\###MegaShellExtPending => key not found.
HKCR\Wow6432Node\CLSID\{056D528D-CE28-4194-9BA3-BA2E9197FF8C} => key not found.
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\###MegaShellExtSynced => key not found.
HKCR\Wow6432Node\CLSID\{05B38830-F4E9-4329-978B-1DD28605D202} => key not found.
HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\###MegaShellExtSyncing => key not found.
HKCR\Wow6432Node\CLSID\{0596C850-7BDD-4C9D-AFDF-873BE6890637} => key not found.
"C:\WINDOWS\system32\GroupPolicy\Machine" => not found.
Chrome DefaultSearchKeyword => not found.
C:\Users\applepieofdeath\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda => not found
HKLM\SOFTWARE\Google\Chrome\Extensions\flliilndjeohchalpbbcdekjklbdgfkk => key not found.
HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\flliilndjeohchalpbbcdekjklbdgfkk => key not found.
HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\ohhcpmplhhiiaoiddkfboafbhiknefdf => key not found.
Amsp => Unable to stop service.
Amsp => service could not remove
InnovativeSolutions_monitor => service not found.
uxldypod => service not found.
idsvc => service not found.
TMAgent => service not found.
"C:\Users\applepieofdeath\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda" => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{238EFAB2-290D-40C7-8149-C70CF41F91D5} => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxconfig => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2C2003D1-1460-4D45-BB96-4609145A247F} => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{568EACD5-6E0C-42BE-85ED-8E0C772411EC} => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxcontent => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{75842CBD-2810-400F-8DD5-8F59DD22DEAA} => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7AF65D60-DA32-45E1-8269-C8992BD9270B} => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\launchtrayprocess => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{810D47EF-6D2B-4AE7-99F7-DEAE65F75800} => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{90D5BCE8-FD95-4A0E-AE48-B60659AD2A33} => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Logon-5d => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{AE719602-B4BA-4B30-BB1B-9D40A783C2FA} => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D398B366-8F92-4FFF-904D-8145BB9D5D88} => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Time-5d => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{EA6EAC66-5856-48D4-A8AB-F4DC2856E5FD} => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F627E125-B328-4B16-BCA4-ED5224E52D88} => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd => key not found.
"C:\ProgramData\Temp" => ":5C321E34" ADS not found.
"C:\Users\applepieofdeath\Desktop\2015-10-31 21.35.51.jpg" => ":com.dropbox.attributes" ADS not found.
"C:\Users\applepieofdeath\Desktop\2016-06-11 16.51.08.jpg" => ":com.dropbox.attributes" ADS not found.

=========== EmptyTemp: ==========

BITS transfer queue => 0 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => -48 B
Java, Flash, Steam htmlcache => 311503094 B
Windows/system/drivers => 15674683 B
Edge => 2651008 B
Chrome => 9044225 B
Firefox => 394790104 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 16674 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 0 B
LocalService => 21325340 B
NetworkService => 246630 B
applepieofdeath => 52810750 B
Administrator => 17999 B
DefaultAppPool => 16674 B

RecycleBin => 0 B
EmptyTemp: => 770.7 MB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 02:18:20 ====

 

Forgot to mention previous issues: inability to complete scan with Roguekiller by adlice (no longer an issue after following instructions from thread mentioned in opening post), slow computer (may be unrelated)
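The thread's opening question was how to confirm that a cleanup actually did something. The Fixlog above answers it line by line, but a long log is easy to misread: most entries here are "not found" (the fixlist item was already gone), while the two Amsp lines are real failures the tool could not act on. The following triage script is an added example written for this page (not part of FRST, Zoek or this thread); it parses the "item => outcome" lines of an FRST Fixlog, skips the echoed fixlist block so its "No File" entries are not mistaken for results, and also understands the "deleted successfully" / "not found" lines that zoek-results.log prints later in the thread. The sample logs embedded in it are constructed excerpts based on the output quoted above.

```python
"""Triage FRST Fixlog.txt / zoek-results.log lines into DONE, ABSENT and FAILED.

Added example for this thread, not part of FRST or Zoek. Outcome phrases are
taken from the logs quoted on the page; anything unrecognised is ignored.
"""
import re
from collections import defaultdict

# Failure phrases are tested first so "service could not remove" is never
# counted as a success because it also contains the word "remove".
FAILED_PHRASES = ("unable to stop", "could not remove", "could not delete", "failed")
ABSENT_PHRASES = ("not found",)
DONE_PHRASES = ("successfully", "removed", "deleted", "emptied")

# Lines without the FRST "item => outcome" arrow (Zoek output and a few FRST
# status lines) end in one of these phrases instead.
TAIL_RE = re.compile(
    r"^(?P<item>.+?)\s+(?P<outcome>(?:was\s+)?(?:deleted|emptied|reset|closed|created)\s+successfully"
    r"|was successfully created|not found|deleted)\.?$",
    re.IGNORECASE,
)


def classify_outcome(outcome):
    """Map one outcome string to DONE / ABSENT / FAILED, or None for info lines
    such as the byte counts in the EmptyTemp section."""
    low = outcome.lower()
    if any(p in low for p in FAILED_PHRASES):
        return "FAILED"
    if any(p in low for p in ABSENT_PHRASES):
        return "ABSENT"
    if any(p in low for p in DONE_PHRASES):
        return "DONE"
    return None


def parse_results(log_text):
    """Return {'DONE': [(item, outcome), ...], 'ABSENT': [...], 'FAILED': [...]}.

    The Fixlog echoes the fixlist between two '*****' rulers; that block is
    skipped so the fixlist's own '=> ... No File' entries are not read as results.
    """
    results = defaultdict(list)
    in_echo = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("*****"):
            in_echo = not in_echo
            continue
        if in_echo or not line or line.startswith(("=", "-")):
            continue  # fixlist echo, blank lines, section rulers, Zoek bullet lines
        if " => " in line:
            item, outcome = line.split(" => ", 1)
        else:
            m = TAIL_RE.match(line)
            if not m:
                continue
            item, outcome = m.group("item"), m.group("outcome")
        verdict = classify_outcome(outcome)
        if verdict:
            results[verdict].append((item.strip().strip('"'), outcome.rstrip(".")))
    return dict(results)


def needs_followup(results):
    """Items a reviewer should look at again: anything the tool could not act on."""
    return list(dict.fromkeys(item for item, _ in results.get("FAILED", [])))


# Constructed excerpt of an FRST Fixlog (shape and phrases follow the thread).
SAMPLE_FIXLOG = r"""Fix result of Farbar Recovery Scan Tool (x64) Version: 17-10-2016
Boot Mode: Normal
==============================================

fixlist content:
*****************
start
U3 uxldypod; C:\Users\user\AppData\Local\Temp\uxldypod.sys [56584 2016-10-16] (GMER) [File not signed]
AlternateDataStreams: C:\ProgramData\Temp:5C321E34 [105]
End
*****************

Restore point was successfully created.
Processes closed successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\ => value not found.
"C:\WINDOWS\system32\GroupPolicy\Machine" => not found.
Amsp => Unable to stop service.
Amsp => service could not remove
uxldypod => service not found.
"C:\ProgramData\Temp" => ":5C321E34" ADS not found.

=========== EmptyTemp: ==========

Chrome => 9044225 B
EmptyTemp: => 770.7 MB temporary data Removed.

The system needed a reboot.
"""

# Constructed excerpt of a zoek-results.log.
SAMPLE_ZOEK = r"""==== Empty Folders Check ======================
10/21/2016 3:28:33 AM Zoek.exe System Restore Point Created Successfully.
C:\PROGRA~2\Amazon not found
C:\PROGRA~2\Universal Interactive deleted
"C:\WINDOWS\Installer\8434d.msi" deleted
C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Preferences was reset successfully
- WOT - %ProfilePath%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
"""

if __name__ == "__main__":
    for name, text in (("Fixlog", SAMPLE_FIXLOG), ("Zoek", SAMPLE_ZOEK)):
        res = parse_results(text)
        print(name, {k: len(v) for k, v in res.items()}, "follow up:", needs_followup(res))
```

Run it against a real Fixlog.txt by reading the file into `parse_results`; a non-empty `needs_followup` list (here the Amsp service) is the part of the log worth reporting back to the helper.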



#6 nasdaq

nasdaq

  • Malware Response Team
  • 40,736 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 20 October 2016 - 08:41 AM

Run this cleaning tool.

Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
createsrpoint;
autoclean;
emptyclsid;
emptyffcache;
FFdefaults;
emptyiecache;
iedefaults;
emptychrcache;
CHRdefaults;
emptyalltemp;
emptyfolderscheck;delete
ipconfig /flushdns;b
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run all the script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.
===

Also, please provide an update on how the computer is behaving after running the above script.


How is the computer running now?

#7 applepieofdeath

applepieofdeath
  • Topic Starter

  • Members
  • 18 posts
  • Gender:Male

Posted 20 October 2016 - 03:53 PM

Zoek.exe v5.0.0.1 Updated 19-September-2016
Tool run by applepieofdeath on 10/21/2016 Fri at  3:21:13.49.
Microsoft Windows 10 Home 10.0.14393  x64
Running in: Normal Mode Internet Access Detected
Launched: C:\Users\applepieofdeath\Desktop\anti-virus\zoek.exe [Scan all users] [Script inserted]

==== System Restore Info ======================

10/21/2016 3:28:33 AM Zoek.exe System Restore Point Created Successfully.

==== Empty Folders Check ======================

C:\PROGRA~2\Amazon deleted successfully
C:\PROGRA~2\Avira deleted successfully
C:\PROGRA~2\iDealshare deleted successfully
C:\PROGRA~2\Malwarebytes' Anti-Malware deleted successfully
C:\PROGRA~2\COMMON~1\Symantec Shared deleted successfully
C:\PROGRA~3\2DBoy deleted successfully
C:\PROGRA~3\Comms deleted successfully
C:\PROGRA~3\SoftwareDistribution deleted successfully
C:\Users\DefaultAppPool\AppData\LocalLow deleted successfully
C:\Users\Administrator\AppData\Local\Programs deleted successfully
C:\Users\applepieofdeath\AppData\Local\ActiveSync deleted successfully
C:\Users\applepieofdeath\AppData\Local\Mega Limited deleted successfully
C:\WINDOWS\serviceprofiles\Localservice\AppData\Local\CrashDumps deleted successfully

==== Deleting CLSID Registry Keys ======================


==== Deleting CLSID Registry Values ======================


==== Deleting Services ======================


==== FireFox Fix ======================

Deleted from C:\Users\ADMINI~1\AppData\Roaming\Mozilla\Firefox\Profiles\t0lk2b26.default\prefs.js:

Added to C:\Users\ADMINI~1\AppData\Roaming\Mozilla\Firefox\Profiles\t0lk2b26.default\prefs.js:
user_pref("browser.startup.homepage", "about:home");
user_pref("browser.newtab.url", "about:newtab");

Deleted from C:\Users\APPLEP~1\AppData\Roaming\Mozilla\Firefox\Profiles\nwc5yez9.default-1451443203899\prefs.js:
user_pref("browser.startup.homepage", "https://www.google.com/?gws_rd=ssl");
user_pref("browser.search.defaultenginename.US", "Google");

Added to C:\Users\APPLEP~1\AppData\Roaming\Mozilla\Firefox\Profiles\nwc5yez9.default-1451443203899\prefs.js:
user_pref("browser.startup.homepage", "about:home");
user_pref("browser.newtab.url", "about:newtab");

Deleted from C:\Users\APPLEP~1\AppData\Roaming\Mozilla\Firefox\Profiles\HlSZTv5Q.default\prefs.js:

Added to C:\Users\APPLEP~1\AppData\Roaming\Mozilla\Firefox\Profiles\HlSZTv5Q.default\prefs.js:
user_pref("browser.startup.homepage", "about:home");
user_pref("browser.newtab.url", "about:newtab");

ProfilePath: C:\Users\ADMINI~1\AppData\Roaming\Mozilla\Firefox\Profiles\t0lk2b26.default

user.js not found
---- FireFox user.js and prefs.js backups ----

prefs_Fri212016_0438_.backup

ProfilePath: C:\Users\APPLEP~1\AppData\Roaming\Mozilla\Firefox\Profiles\nwc5yez9.default-1451443203899

user.js not found
---- FireFox user.js and prefs.js backups ----

prefs_Fri212016_0438_.backup

ProfilePath: C:\Users\APPLEP~1\AppData\Roaming\Mozilla\Firefox\Profiles\HlSZTv5Q.default

user.js not found
---- FireFox user.js and prefs.js backups ----


==== Batch Command(s) Run By Tool======================


==== Deleting Files \ Folders ======================

C:\PROGRA~2\Amazon not found
C:\PROGRA~2\Avira not found
C:\PROGRA~2\iDealshare not found
C:\PROGRA~2\Universal Interactive deleted
C:\PROGRA~2\COMMON~1\DVDVideoSoft\bin deleted
C:\PROGRA~3\Package Cache deleted
C:\Users\applepieofdeath\AppData\Local\Unity deleted
C:\Users\applepieofdeath\AppData\LocalLow\Unity deleted
C:\WINDOWS\wininit.ini deleted
C:\windows\SysNative\GroupPolicy\Machine deleted
C:\windows\SysNative\GroupPolicy\User deleted
C:\windows\SysNative\GroupPolicy\GPT.INI deleted
C:\WINDOWS\Syswow64\GroupPolicy\gpt.ini deleted
C:\Users\APPLEP~1\AppData\Roaming\Mozilla\Firefox\Profiles\nwc5yez9.default-1451443203899\extensions\firefox@mega.co.nz.xpi deleted
C:\PROGRA~3\flashax10.exe deleted
C:\Users\APPLEP~1\AppData\Roaming\Mozilla\Firefox\Profiles\nwc5yez9.default-1451443203899\Yahoo Inc deleted
"C:\WINDOWS\Installer\8434d.msi" deleted
"C:\WINDOWS\Installer\45406f.msi" deleted
"C:\Users\applepieofdeath\AppData\Roaming\LnUljjMlT95v93sNze1a8" deleted

==== Firefox Start and Search pages ======================

ProfilePath: C:\Users\ADMINI~1\AppData\Roaming\Mozilla\Firefox\Profiles\t0lk2b26.default
user_pref("browser.startup.homepage", "about:home");
user_pref("browser.newtab.url", "about:newtab");

ProfilePath: C:\Users\APPLEP~1\AppData\Roaming\Mozilla\Firefox\Profiles\nwc5yez9.default-1451443203899
user_pref("browser.startup.homepage", "about:home");
user_pref("browser.newtab.url", "about:newtab");

ProfilePath: C:\Users\APPLEP~1\AppData\Roaming\Mozilla\Firefox\Profiles\HlSZTv5Q.default
user_pref("browser.startup.homepage", "about:home");
user_pref("browser.newtab.url", "about:newtab");

==== Firefox Extensions Registry ======================

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{c2056674-a37f-4b29-9300-2004759d74fe}"="C:\Program Files\Trend Micro\AMSP\module\20013\FxExt\firefoxextension" [10/15/2016 07:03 PM]
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Mozilla\Firefox\Extensions]
"{22181a4d-af90-4ca3-a569-faed9118d6bc}"="C:\Program Files\Trend Micro\Titanium\UIFramework\Toolbar\firefoxextension" [10/15/2016 07:01 PM]

==== Firefox Extensions ======================

ProfilePath: C:\Users\APPLEP~1\AppData\Roaming\Mozilla\Firefox\Profiles\nwc5yez9.default-1451443203899
- WOT - C:\Users\applepieofdeath\AppData\Roaming\Mozilla\Firefox\Profiles\nwc5yez9.default-1451443203899\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
- WOT - %ProfilePath%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
- Adblock Plus - %ProfilePath%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi

ProfilePath: C:\Users\APPLEP~1\AppData\Roaming\Mozilla\Firefox\Profiles\HlSZTv5Q.default
- Undetermined - %ProfilePath%\extensions\abs@avira.com

AppDir: C:\Program Files (x86)\Mozilla Firefox
- Undetermined - %AppDir%\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}.xpi

==== Firefox Plugins ======================

Profilepath: C:\Users\applepieofdeath\AppData\Roaming\Mozilla\Firefox\Profiles\nwc5yez9.default-1451443203899
66640A55AEFF3819C94E0A8D40D7E0AD    - C:\WINDOWS\SysWOW64\Adobe\Director\np32dsw_1202122.dll -    Shockwave for Director / Shockwave for Director
86C2467018027DFF6ED94F50D9CF1145    - C:\WINDOWS\SysWOW64\Adobe\Director\np32dsw_1225195.dll -    Shockwave for Director / Shockwave for Director
7FB1DC8C464CAFC230E7AD6392AE859B    - C:\WINDOWS\SysWoW64\Macromed\Flash\NPSWF32_23_0_0_162.dll -    Shockwave Flash


==== Chromium Look ======================

Google Chrome Version: 46.0.2490.86

HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions
ohhcpmplhhiiaoiddkfboafbhiknefdf - No path found[]


==== Set IE to Default ======================

Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://go.microsoft.com/fwlink/p/?LinkId=619797&pc=UE01&ocid=UE01DHP"
"Old Start Page"="http://www.google.com"
"Default_Page_URL"="http://www.google.com/ig/redirectdomain?brand=LEND&bmod=LEND"
"Use Search Asst"="yes"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl]
"Default"="www.google.com"

New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Default_Page_URL"="http://go.microsoft.com/fwlink/?LinkId=69157"
"Start Page"="http://go.microsoft.com/fwlink/p/?LinkId=619797&pc=UE01&ocid=UE01DHP"
"Old Start Page"="http://go.microsoft.com/fwlink/p/?LinkId=619797&pc=UE01&ocid=UE01DHP"
"Use Search Asst"="no"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl]
"(Default)"="http://search.msn.com/results.asp?q=%s"

==== All HKLM and HKCU SearchScopes ======================

HKLM\SearchScopes "DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
HKLM\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} - http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
HKLM\Wow6432Node\SearchScopes "DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
HKLM\Wow6432Node\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} - http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
HKCU\SearchScopes "DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
HKCU\SearchScopes\{012E1000-F331-11DB-8314-0800200C9A66} - http://www.google.com/search?q={searchTerms}
HKCU\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} - http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IESR02

==== Reset Google Chrome ======================

C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Preferences was reset successfully
C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences was reset successfully
C:\Users\applepieofdeath\AppData\Local\Google\Chrome\User Data\Default\Preferences was reset successfully
C:\Users\applepieofdeath\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences was reset successfully
C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Web Data was reset successfully
C:\Users\applepieofdeath\AppData\Local\Google\Chrome\User Data\Default\Web Data was reset successfully

==== Deleting Registry Keys ======================

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\7286306383AF47A4383362CBE4CE3980 deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\275C743A4B7F3A34DB15FF9C19487FD0 deleted successfully
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\UnityWebPlayer deleted successfully
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{36036827-FA38-4A74-8333-26BC4EEC9308} deleted successfully
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{A347C572-F7B4-43A3-BD51-FFC99184F70D} deleted successfully
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\InstallShield_{A347C572-F7B4-43A3-BD51-FFC99184F70D} deleted successfully
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{80F3F10B-A177-4494-93CE-98090D819093} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\7286306383AF47A4383362CBE4CE3980 deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\275C743A4B7F3A34DB15FF9C19487FD0 deleted successfully

==== Empty IE Cache ======================

C:\WINDOWS\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\applepieofdeath\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\Users\applepieofdeath\AppData\Local\Microsoft\Windows\INetCache\Low\Content.IE5 emptied successfully
C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\WINDOWS\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\Users\applepieofdeath\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
C:\Users\applepieofdeath\AppData\Local\Microsoft\Windows\INetCache\Low\IE emptied successfully
C:\WINDOWS\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully

==== Empty FireFox Cache ======================

C:\Users\applepieofdeath\AppData\Local\Mozilla\Firefox\Profiles\nwc5yez9.default-1451443203899\cache2 emptied successfully

==== Empty Chrome Cache ======================

C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Cache emptied successfully
C:\Users\applepieofdeath\AppData\Local\Google\Chrome\User Data\Default\Cache emptied successfully

==== Empty All Flash Cache ======================

No Flash Cache Found

==== Empty All Java Cache ======================

Java Cache cleared successfully

==== C:\zoek_backup content ======================

C:\zoek_backup (files=2543 folders=205 672792125 bytes)

==== Empty Temp Folders ======================

C:\WINDOWS\Temp will be emptied at reboot

==== After Reboot ======================

==== Empty Temp Folders ======================

C:\WINDOWS\Temp successfully emptied
C:\Users\APPLEP~1\AppData\Local\Temp successfully emptied

==== Empty Recycle Bin ======================

C:\$RECYCLE.BIN successfully emptied

==== EOF on 10/21/2016 Fri at  5:41:17.50 ======================

The computer is slightly slow, but it's been like that recently, even before the other issues mentioned, so I assume it's just due to less space.
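
The SearchScopes listing in the zoek log above can be reproduced and checked without the tool. The script below is an added example, not part of the original post and not code from zoek, FRST or RogueKiller: it walks the three registry roots the log abbreviates as HKLM\SearchScopes, HKLM\Wow6432Node\SearchScopes and HKCU\SearchScopes (the full path in each case is SOFTWARE\...\Microsoft\Internet Explorer\SearchScopes), prints each provider's URL, marks which scope is the DefaultScope, and flags any provider whose host is not on a small allowlist. The allowlist of www.bing.com and www.google.com is an assumption for the example, chosen because those are the only hosts in the log; extend it to whatever engines you expect on the machine. A DefaultScope GUID with no matching subkey is also flagged, since that is another thing a cleanup can leave behind.

```powershell
# Added example, not part of the original post or of zoek/FRST/RogueKiller.
# Read-only; runs as a normal user in PowerShell on the machine being checked.

# The three roots the zoek log abbreviates as HKLM\SearchScopes,
# HKLM\Wow6432Node\SearchScopes and HKCU\SearchScopes.
$searchScopeRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes',
    'HKCU:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes'
)

# Assumption for the example: the only search hosts expected on this machine.
$allowedSearchHosts = @('www.bing.com', 'www.google.com')

function Get-SearchScopeReport {
    param(
        [string[]]$Roots = $searchScopeRoots,
        [string[]]$AllowedHosts = $allowedSearchHosts
    )
    foreach ($root in $Roots) {
        if (-not (Test-Path -Path $root)) { continue }
        # The DefaultScope value on the root names the GUID of the active provider.
        $defaultScope = (Get-ItemProperty -Path $root -ErrorAction SilentlyContinue).DefaultScope
        foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            $props = Get-ItemProperty -Path $key.PSPath
            $url = $props.URL
            $verdict = 'REVIEW: no URL value'
            if ($url) {
                try {
                    # {searchTerms} is a placeholder IE fills in; System.Uri still yields the host.
                    $urlHost = ([System.Uri]$url).Host
                    $verdict = if ($AllowedHosts -contains $urlHost) { 'ok' } else { "REVIEW: unexpected host $urlHost" }
                } catch {
                    $verdict = 'REVIEW: URL does not parse'
                }
            }
            [pscustomobject]@{
                Root      = $root
                Scope     = $key.PSChildName
                IsDefault = ($key.PSChildName -eq $defaultScope)
                URL       = $url
                Verdict   = $verdict
            }
        }
        # A DefaultScope that names a GUID with no subkey is worth a look as well.
        if ($defaultScope -and -not (Test-Path -Path (Join-Path -Path $root -ChildPath $defaultScope))) {
            [pscustomobject]@{
                Root      = $root
                Scope     = $defaultScope
                IsDefault = $true
                URL       = $null
                Verdict   = 'REVIEW: DefaultScope points at a missing subkey'
            }
        }
    }
}

Get-SearchScopeReport | Format-Table -AutoSize
```

Anything marked REVIEW is not automatically malicious; a corporate search portal or a regional Google domain would also trip the allowlist. The point is that every provider and the default selection are visible in one table, so a hijacked search scope cannot hide behind a tool's summary.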



#8 nasdaq
  • Malware Response Team
  • Location:Montreal, QC. Canada

Posted 21 October 2016 - 09:32 AM

Check your virtual memory settings.

Use the default, as suggested on this page.

http://wccftech.com/manage-windows-10-virtual-memory-and-speed-up-performance/

Any change in the performance of this PC?
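
The virtual-memory check in the reply above can be done from PowerShell instead of the Control Panel dialog. This is an added example, not from the original post or from the linked page; it reads the WMI classes behind the dialog (Win32_ComputerSystem for the "automatically manage" switch, Win32_PageFileSetting for a manually chosen size, Win32_PageFileUsage for what is allocated and in use right now) and includes a helper that puts the machine back on automatic management, which is the default the reply recommends.

```powershell
# Added example, not part of the original post. Reading works as a normal
# user; Restore-AutomaticPagefile needs an elevated prompt and a reboot.

function Get-PagefileReport {
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    # Win32_PageFileSetting only has rows when the size is set manually;
    # InitialSize/MaximumSize of 0/0 means "system managed size".
    $settings = Get-CimInstance -ClassName Win32_PageFileSetting -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                File      = $_.Name
                InitialMB = $_.InitialSize
                MaximumMB = $_.MaximumSize
            }
        }
    # Win32_PageFileUsage reflects the file as it exists now, whichever mode is active.
    $usage = Get-CimInstance -ClassName Win32_PageFileUsage -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                File           = $_.Name
                AllocatedMB    = $_.AllocatedBaseSize
                CurrentUsageMB = $_.CurrentUsage
                PeakUsageMB    = $_.PeakUsage
            }
        }
    [pscustomobject]@{
        AutomaticallyManaged = $cs.AutomaticManagedPagefile
        PhysicalMemoryMB     = [math]::Round($cs.TotalPhysicalMemory / 1MB)
        Settings             = @($settings)
        Usage                = @($usage)
    }
}

function Restore-AutomaticPagefile {
    # Same effect as ticking "Automatically manage paging file size for all drives".
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    Set-CimInstance -InputObject $cs -Property @{ AutomaticManagedPagefile = $true }
    Write-Output 'Automatic pagefile management enabled; reboot for it to take effect.'
}

$report = Get-PagefileReport
$report | Format-List AutomaticallyManaged, PhysicalMemoryMB
$report.Settings | Format-Table -AutoSize
$report.Usage | Format-Table -AutoSize
if (-not $report.AutomaticallyManaged) {
    Write-Output 'Pagefile is sized manually. Run Restore-AutomaticPagefile to return to the default.'
}
```

If AutomaticallyManaged comes back True and the Settings table is empty, the machine is already on the default and nothing needs changing; a large AllocatedMB on its own is not a problem.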

#9 applepieofdeath
  • Topic Starter
  • Members

Posted 21 October 2016 - 02:25 PM

The recommended setting is 2429 MB, while the currently allocated is 12288 MB. Since the site only suggests action if the current is less than the allocated, no action was taken.



#10 nasdaq
  • Malware Response Team
  • Location:Montreal, QC. Canada

Posted 22 October 2016 - 09:23 AM

There could be some remnant items.
====

This may take some time. Do it when you know you will not need the computer for a few hours.


Please scan your computer with ESET Online Scanner.
  • Click on this link to open ESET Online Scanner in a new window.
  • Click on the Scan Now button to download the esetonlinescanner_enu.exe file. Save it to your Desktop.
  • Close all your programs and browsers.
  • Please disable your antivirus program to avoid potential conflicts, improve the performance and speed up the scan.
  • Double click on esetonlinescanner_enu.exe to start ESET Online Scanner. It will open a window with the Terms of Use.
  • Check mark Download latest version of ESET Online Scanner and click the Accept button.
  • Accept any security warnings that may appear.
  • Under Computer scan settings, check mark Enable detection of potentially unwanted applications.
  • Then click Advanced settings and check mark the following options:
    • Enable detection of potentially unsafe applications
    • Clean threats automatically
  • Click the Scan button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats.
  • Click Export, and save the file to your Desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.
Note: If nothing is found, it will not produce a log.

Please re-enable your antivirus program.

#11 applepieofdeath
  • Topic Starter
  • Members

Posted 22 October 2016 - 11:23 PM

The scanner has been unsuccessfully run twice now. The first time it found 12 infected files before the program stopped working and displayed an error message. The second time it found no infected files, but it still stopped working and displayed an error message. On the second run, the last thing it was shown scanning was something in Cobian Backup.



#12 nasdaq
  • Malware Response Team
  • Location:Montreal, QC. Canada

Posted 23 October 2016 - 09:08 AM

I do not see any trace of the Cobian program in your logs.

Is it still installed or did you remove it?

Edited by nasdaq, 24 October 2016 - 08:55 AM.


#13 applepieofdeath
  • Topic Starter
  • Members

Posted 23 October 2016 - 03:36 PM

I did not uninstall it; the backup files are saved on the desktop. However, looking in the program file I only see a program listed as Cobian Backup 11 Gravity, with a thumbnail of the Cobian icon diagonally crossed out in red.


Edited by applepieofdeath, 23 October 2016 - 03:36 PM.


#14 nasdaq
  • Malware Response Team
  • Location:Montreal, QC. Canada

Posted 24 October 2016 - 08:59 AM


looking in the program file I only see a program listed as cobian backup 11 gravity with a thumbnail of the cobian icon diagonally red crossed out.

Can you right-click on the program file and run the application?

If not, reinstall the application.

#15 applepieofdeath
  • Topic Starter
  • Members

Posted 24 October 2016 - 03:58 PM

I can see and run it if I search for the file and execute it from there, but it seems only the uninstaller shows up when looking for it from Control Panel > Programs > Programs and Features.
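
A way to see what Programs and Features is actually reading, as an added example that is not part of the original post: it enumerates the Uninstall keys in the three registry roots the applet consults (64-bit HKLM, Wow6432Node HKLM and HKCU, the same roots the zoek log above deleted entries from), filters them by display name, and marks the entries the applet hides because they have no DisplayName or carry SystemComponent=1. A program can run perfectly well from its folder and still be missing or hidden here, which is the situation described in the post. The default "*Cobian*" filter is an assumption for the example; pass any other pattern.

```powershell
# Added example, not part of the original post. Read-only; runs as a normal user.

$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Get-UninstallEntry {
    param(
        # Assumption for the example: the program the thread is discussing.
        [string]$NameLike = '*Cobian*',
        [string[]]$Roots = $uninstallRoots
    )
    foreach ($root in $Roots) {
        if (-not (Test-Path -Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            $p = Get-ItemProperty -Path $key.PSPath
            # Programs and Features skips entries with no DisplayName and entries
            # flagged SystemComponent=1; the UninstallString may still work.
            $hidden = (-not $p.DisplayName) -or ($p.SystemComponent -eq 1)
            if ($p.DisplayName -like $NameLike -or $key.PSChildName -like $NameLike) {
                [pscustomobject]@{
                    Root             = $root
                    Key              = $key.PSChildName
                    DisplayName      = $p.DisplayName
                    Publisher        = $p.Publisher
                    InstallLocation  = $p.InstallLocation
                    UninstallString  = $p.UninstallString
                    HiddenFromApplet = $hidden
                }
            }
        }
    }
}

# Entries matching the default filter, then everything the applet would hide.
Get-UninstallEntry | Format-List
Get-UninstallEntry -NameLike '*' |
    Where-Object HiddenFromApplet |
    Select-Object Root, Key, DisplayName |
    Format-Table -AutoSize
```

If the filter returns nothing at all, the application's uninstall entry is gone and reinstalling over the top, as suggested in the reply above, is the clean way to get it back; if it returns an entry with HiddenFromApplet set, the program is installed but deliberately not listed.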





