Infected With: Windows 10 Activation Alert Enter a Product Key


This topic is locked
27 replies to this topic

#16 JohnnyVega (Topic Starter, Members, 17 posts)

Posted 07 November 2016 - 05:51 PM

The first method must've worked correctly, because I restarted after merging, then searched my registry for microleaves and got no results.

 

Before searching, that same .NET popup appeared and I clicked Quit. Then I ran Malwarebytes normally and it detected no threats.

 

So I restarted again to see if anything would pop up again, and this time I got the full screen scam again. I ran Chameleon again before ending its process and it still detected no threats.

 

Its process name in task manager's Apps tab shows as PowerSaver (32bit). In the Details tab, there are 2 processes both called PowerSaver.exe.

 

I searched my registry for caphyon, the other keyword with the microleaves search, and got 3 results below.

 

================== Search Registry: "caphyon" ===========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Caphyon]
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Caphyon]
[HKEY_USERS\.DEFAULT\Software\Caphyon]
 
====== End of Search ======


 


#17 nasdaq (Malware Response Team, 39,527 posts, Montreal, QC, Canada)

Posted 08 November 2016 - 10:31 AM

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.
Please copy the entire contents of the code box below to a new file.
 
start


CreateRestorePoint:
EmptyTemp:
CloseProcesses:

start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Caphyon\Advanced Installer\LZMA\{438465C5-D78D-4958-B31D-60374B5042F4}
DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Caphyon\Advanced Installer\LZMA\{DBABED16-1BB7-4805-B24B-7424A372AB0F}
DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\5C564834D87D85943BD10673B405244F\SourceList
DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\61DEBABD7BB150842BB447423A27BAF0\SourceList
DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microleaves
DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microleaves
DeleteKey: HKEY_USERS\.DEFAULT\Software\Caphyon\Advanced Updater\{2A0F7B3A-FB2A-4341-971D-81339E206BF1}
DeleteKey: HKEY_USERS\.DEFAULT\Software\Caphyon\Advanced Updater\{91557C37-225D-4901-8A5E-2DA8F14E24D5
DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Caphyon
DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Caphyon
DeleteKey: HKEY_USERS\.DEFAULT\Software\Caphyon

End

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

If the problem persists, we will check your BIOS and Master Boot Record.

Read carefully and follow these steps.
TDSS
  • Download TDSSKiller and save it to your Desktop.
  • Doubleclick on TDSSKiller.exe to run the application.
  • Then click on Start Scan.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.

  • If an infected file is detected, the default action will be Cure, click on Continue.
  • Important: Do NOT change the default action on your own unless instructed by a malware Helper! Doing so may render your computer unbootable.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
===

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) to your desktop. Double click the aswMBR.exe to run it.
  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please paste the contents of that log in your next reply.
  • There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.
===

Wait for further instructions.


#18 JohnnyVega (Topic Starter)

Posted 08 November 2016 - 05:27 PM

Here's the fixlog:

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 04-11-2016
Ran by Matthew (08-11-2016 14:23:00) Run:2
Running from C:\Users\Matthew\Downloads
Loaded Profiles: Matthew & Mom & Dad (Available Profiles: Matthew & Lindsay & Mom & Dad)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
start
 
 
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
 
start
 
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
 
DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Caphyon\Advanced Installer\LZMA\{438465C5-D78D-4958-B31D-60374B5042F4}
DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Caphyon\Advanced Installer\LZMA\{DBABED16-1BB7-4805-B24B-7424A372AB0F}
DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\5C564834D87D85943BD10673B405244F\SourceList
DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\61DEBABD7BB150842BB447423A27BAF0\SourceList
DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microleaves
DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microleaves
DeleteKey: HKEY_USERS\.DEFAULT\Software\Caphyon\Advanced Updater\{2A0F7B3A-FB2A-4341-971D-81339E206BF1}
DeleteKey: HKEY_USERS\.DEFAULT\Software\Caphyon\Advanced Updater\{91557C37-225D-4901-8A5E-2DA8F14E24D5
DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\Caphyon
DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Caphyon
DeleteKey: HKEY_USERS\.DEFAULT\Software\Caphyon
 
End
 
End
*****************
 
Restore point was successfully created.
Processes closed successfully.
Restore point was successfully created.
Processes closed successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Caphyon\Advanced Installer\LZMA\{438465C5-D78D-4958-B31D-60374B5042F4} => key removed successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Caphyon\Advanced Installer\LZMA\{DBABED16-1BB7-4805-B24B-7424A372AB0F} => key removed successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\5C564834D87D85943BD10673B405244F\SourceList => could not remove key.: incorrect path. 
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\61DEBABD7BB150842BB447423A27BAF0\SourceList => could not remove key.: incorrect path. 
HKEY_LOCAL_MACHINE\SOFTWARE\Microleaves => could not remove key. ErrorCode: 0xC000000D
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders => could not remove key.: incorrect path. 
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microleaves => could not remove key. ErrorCode: 0xC000000D
HKEY_USERS\.DEFAULT\Software\Caphyon\Advanced Updater\{2A0F7B3A-FB2A-4341-971D-81339E206BF1} => could not remove key.: incorrect path. 
HKEY_USERS\.DEFAULT\Software\Caphyon\Advanced Updater\{91557C37-225D-4901-8A5E-2DA8F14E24D5 => could not remove key. ErrorCode: 0xC000000D
HKEY_LOCAL_MACHINE\SOFTWARE\Caphyon => key removed successfully
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Caphyon => key removed successfully
HKEY_USERS\.DEFAULT\Software\Caphyon => key removed successfully
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 0 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 27665827 B
Java, Flash, Steam htmlcache => 0 B
Windows/system/drivers => 567907570 B
Edge => 0 B
Chrome => 297069056 B
Firefox => 13498579 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Default => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 0 B
LocalService => 7316972 B
NetworkService => 6418 B
Matthew => 482810 B
Lindsay => 0 B
Mom & Dad => 4921538 B
 
RecycleBin => 2591 B
EmptyTemp: => 876.3 MB temporary data Removed.
 
================================
 
 
The system needed a reboot.
 
==== End of Fixlog 14:27:24 ====
 
After restarting, my desktop loaded and I got a permission window for Zemana to make changes to my computer. I thought it needed to open to quarantine a real-time threat, so I clicked yes. Then the full screen scam appeared. I'm not sure if this was a coincidence, because it usually appears after desktop loading, or if me clicking yes caused it and it was impersonating Zemana.
 
I think the scam screen only shows up on my user account. If I power on the computer and log on to a different user account, the scam doesn't appear. And then if I switch user to mine, it immediately opens on the scam before even showing the desktop.
 
TDSSKiller scan found no threats.
 
aswMBR log:
 
aswMBR version 1.0.1.2252 Copyright© 2014 AVAST Software
Run date: 2016-11-08 14:41:38
-----------------------------
14:41:38.305    OS Version: Windows x64 6.2.9200 
14:41:38.305    Number of processors: 4 586 0x3C03
14:41:38.305    ComputerName: HARVEY  UserName: 
14:42:17.984    Initialize success
14:42:18.219    VM: initialized successfully
14:42:18.219    VM: Intel CPU BiosDisabled 
14:44:33.207    AVAST engine defs: 16110804
14:44:39.932    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000030
14:44:39.932    Disk 0 Vendor: ST1000DM003-1ER162 HP51 Size: 953869MB BusType: 11
14:44:40.244    Disk 0 MBR read successfully
14:44:40.244    Disk 0 MBR scan
14:44:40.276    Disk 0 unknown MBR code
14:44:40.276    Disk 0 Partition 1 00     EE          GPT           2097151 MB offset 1
14:44:40.494    Disk 0 scanning C:\WINDOWS\system32\drivers
14:45:14.202    Service scanning
14:45:50.435    Modules scanning
14:45:50.442    Disk 0 trace - called modules:
14:45:50.474    ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys storport.sys hal.dll iaStorA.sys 
14:45:50.955    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xffffd38cdf2a2060]
14:45:50.955    3 CLASSPNP.SYS[fffff80c01075efb] -> nt!IofCallDriver -> [0xffffd38cdc1c7260]
14:45:50.971    5 ACPI.sys[fffff80c006b4571] -> nt!IofCallDriver -> [0xffffd38cdc1d3040]
14:45:50.986    7 ACPI.sys[fffff80c006b4571] -> nt!IofCallDriver -> \Device\00000030[0xffffd38cdc1ce060]
14:46:25.488    AVAST engine scan C:\WINDOWS
14:46:44.861    AVAST engine scan C:\WINDOWS\system32
14:53:12.018    AVAST engine scan C:\WINDOWS\system32\drivers
14:53:36.129    AVAST engine scan C:\Users\Matthew
15:20:43.174    AVAST engine scan C:\ProgramData
15:23:27.157    Disk 0 statistics 2116526/0/0 @ 0.62 MB/s
15:23:27.173    Scan finished successfully
15:24:15.546    Disk 0 MBR has been saved successfully to "C:\Users\Matthew\Desktop\MBR.dat"
15:24:15.546    The log file has been saved successfully to "C:\Users\Matthew\Desktop\aswMBR.txt"

 

Attached Files

  • MBR.zip (143 bytes)

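The Fixlog above is the only record of what the fix actually did, and reading twelve result lines by eye is error-prone: five keys were removed, seven were not, and one path in the fixlist (the second Advanced Updater GUID) is missing its closing brace and is among the entries that failed with ErrorCode 0xC000000D, which is the NTSTATUS value STATUS_INVALID_PARAMETER. The Python below is an added example for this thread, not FRST code and not from either poster. It parses the DeleteKey results, separates removed keys from failed ones, and flags registry paths that are syntactically broken so they can be corrected before a fixlist is re-run. The sample log is copied from the Fixlog above; how FRST phrases its results is taken from that log, not from FRST documentation.

```python
"""Triage a Farbar (FRST) Fixlog: which DeleteKey lines succeeded, which did
not, and whether any path in the fixlist is syntactically broken.

Added example for this thread; not FRST code. The sample is the DeleteKey
results section of the Fixlog posted in this thread."""
import re

# NTSTATUS values seen in the log (Microsoft-defined constants).
NTSTATUS_NAMES = {0xC000000D: "STATUS_INVALID_PARAMETER"}

RESULT_RE = re.compile(r"^(?P<path>HKEY_[^=]+?) => (?P<result>.+?)\s*$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Copied from the Fixlog posted above (results only).
SAMPLE_FIXLOG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Caphyon\Advanced Installer\LZMA\{438465C5-D78D-4958-B31D-60374B5042F4} => key removed successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Caphyon\Advanced Installer\LZMA\{DBABED16-1BB7-4805-B24B-7424A372AB0F} => key removed successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\5C564834D87D85943BD10673B405244F\SourceList => could not remove key.: incorrect path. 
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\61DEBABD7BB150842BB447423A27BAF0\SourceList => could not remove key.: incorrect path. 
HKEY_LOCAL_MACHINE\SOFTWARE\Microleaves => could not remove key. ErrorCode: 0xC000000D
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders => could not remove key.: incorrect path. 
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microleaves => could not remove key. ErrorCode: 0xC000000D
HKEY_USERS\.DEFAULT\Software\Caphyon\Advanced Updater\{2A0F7B3A-FB2A-4341-971D-81339E206BF1} => could not remove key.: incorrect path. 
HKEY_USERS\.DEFAULT\Software\Caphyon\Advanced Updater\{91557C37-225D-4901-8A5E-2DA8F14E24D5 => could not remove key. ErrorCode: 0xC000000D
HKEY_LOCAL_MACHINE\SOFTWARE\Caphyon => key removed successfully
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Caphyon => key removed successfully
HKEY_USERS\.DEFAULT\Software\Caphyon => key removed successfully
"""


def parse_fixlog(text):
    """One dict per 'path => result' line: path, result text, removed flag,
    and the NTSTATUS code when FRST printed one."""
    entries = []
    for line in text.splitlines():
        m = RESULT_RE.match(line.strip())
        if not m:
            continue
        result = m.group("result")
        code_match = re.search(r"ErrorCode: (0x[0-9A-Fa-f]+)", result)
        entries.append({
            "path": m.group("path"),
            "result": result,
            "removed": result.startswith("key removed successfully"),
            "code": int(code_match.group(1), 16) if code_match else None,
        })
    return entries


def malformed_paths(entries):
    """Paths with unbalanced braces or a brace-delimited last component
    that is not a well-formed GUID."""
    bad = []
    for e in entries:
        path = e["path"]
        if path.count("{") != path.count("}"):
            bad.append(path)
            continue
        last = path.rsplit("\\", 1)[-1]
        if last.startswith("{") and not GUID_RE.fullmatch(last):
            bad.append(path)
    return bad


def summarize(entries):
    return {
        "removed": [e["path"] for e in entries if e["removed"]],
        "failed": [e for e in entries if not e["removed"]],
        "malformed": malformed_paths(entries),
    }


def report(entries):
    """Human-readable triage, the way a helper would read the log back."""
    s = summarize(entries)
    lines = [f"{len(s['removed'])} key(s) removed, {len(s['failed'])} not removed"]
    for e in s["failed"]:
        name = NTSTATUS_NAMES.get(e["code"], "")
        tag = f" [{name}]" if name else ""
        lines.append(f"  NOT REMOVED: {e['path']} -> {e['result']}{tag}")
    for p in s["malformed"]:
        lines.append(f"  MALFORMED PATH (fix the fixlist before re-running): {p}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(parse_fixlog(SAMPLE_FIXLOG)))
```

Run it on a saved Fixlog.txt by reading the file into `parse_fixlog`; the malformed-path check is worth running on the fixlist itself before FRST executes it, since a truncated GUID fails silently inside a long list of DeleteKey lines.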

#19 nasdaq (Malware Response Team)

Posted 09 November 2016 - 11:05 AM

The BIOS is clean.


A program at startup can be called from many keys as can be seen in this article.
https://www.symantec.com/connect/articles/most-common-registry-key-check-while-dealing-virus-issue

Let's check these keys to start with.

SystemLook.exe
SystemLook_x64.exe
  • Double-click SystemLook.exe/SystemLook_x64.exe to run it.
  • Copy and paste the content of the following bold text into the main textfield:
  • :reg
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders /sub
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders /sub
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders /subHKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
  • Note: The log can also be found on your Desktop entitled SystemLook.txt.
===

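The "BIOS is clean" verdict above rests on the TDSSKiller and aswMBR results in the previous post. Two details of that aswMBR log matter to anyone reading such logs: the single partition entry of type EE at offset 1 is the protective MBR that every GPT disk carries, and on a machine that boots through UEFI the firmware loads the boot manager from the EFI System Partition and never executes the 440 bytes of MBR boot code, so "unknown MBR code" on a GPT disk is not by itself evidence of a bootkit (a UEFI bootkit check looks at the ESP and the firmware boot entries instead). The Python below is an added example, not aswMBR code and not from the thread. Because the poster's MBR.dat is not on the page, it builds 512-byte MBRs in memory (constructed samples); the protective one reproduces the values aswMBR printed for Disk 0, and the script parses it, classifies it, and cross-checks it against the aswMBR partition line.

```python
"""Parse a 512-byte MBR and tell a GPT protective MBR from a legacy one.

Added example for this thread; not aswMBR code. The sectors below are
constructed in memory; PROTECTIVE reproduces what aswMBR reported for
Disk 0 (status 00, type EE, offset 1, 2097151 MB)."""
import re
import struct

SECTOR = 512
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def build_mbr(entries, boot_code=b"\x00" * 440, disk_signature=0):
    """Assemble an MBR from (status, type, lba_start, sectors) tuples (at most 4)."""
    assert len(boot_code) == 440 and len(entries) <= 4
    table = b"".join(struct.pack(ENTRY_FMT, st, b"\x00\x02\x00", ptype, b"\xff\xff\xff", lba, n)
                     for st, ptype, lba, n in entries).ljust(64, b"\x00")
    return boot_code + struct.pack("<I", disk_signature) + b"\x00\x00" + table + b"\x55\xaa"


# Constructed samples (not the poster's disk).
PROTECTIVE = [(0x00, 0xEE, 1, 0xFFFFFFFF)]                         # GPT disk
LEGACY = [(0x80, 0x07, 2048, 204800)]                              # one bootable NTFS partition
HYBRID = [(0x00, 0xEE, 1, 2047), (0x80, 0x07, 2048, 204800)]       # GPT plus a real MBR entry


def parse_mbr(mbr):
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(ENTRY_FMT, mbr, 446 + 16 * i)
        if ptype == 0:
            continue  # empty slot
        parts.append({"index": i + 1, "status": status, "type": ptype, "lba_start": lba,
                      "sectors": count, "size_mb": count * SECTOR // (1024 * 1024)})
    return {"disk_signature": struct.unpack_from("<I", mbr, 440)[0],
            "boot_code_blank": not any(mbr[:440]), "partitions": parts}


def classify(parsed):
    parts = parsed["partitions"]
    ee = [p for p in parts if p["type"] == 0xEE]
    if len(parts) == 1 and ee and ee[0]["lba_start"] == 1:
        return "protective-mbr"   # GPT disk; on UEFI the boot code is never run
    if ee:
        return "hybrid-mbr"       # GPT plus real MBR entries: worth a closer look
    return "legacy-mbr" if parts else "empty"


# The partition line aswMBR printed for this disk, copied from the log above.
ASWMBR_LINE = "14:44:40.276    Disk 0 Partition 1 00     EE          GPT           2097151 MB offset 1"
ASWMBR_RE = re.compile(r"Disk (\d+) Partition (\d+) ([0-9A-F]{2})\s+([0-9A-F]{2})\s+(\S+)\s+(\d+) MB offset (\d+)")


def parse_aswmbr_partition_line(line):
    m = ASWMBR_RE.search(line)
    if not m:
        raise ValueError("not an aswMBR partition line")
    return {"index": int(m.group(2)), "status": int(m.group(3), 16), "type": int(m.group(4), 16),
            "label": m.group(5), "size_mb": int(m.group(6)), "lba_start": int(m.group(7))}


def matches_log(parsed, logged):
    """Does a parsed MBR contain the entry aswMBR reported?"""
    return any(p["index"] == logged["index"] and p["status"] == logged["status"] and
               p["type"] == logged["type"] and p["size_mb"] == logged["size_mb"] and
               p["lba_start"] == logged["lba_start"] for p in parsed["partitions"])


if __name__ == "__main__":
    for name, table in (("protective", PROTECTIVE), ("legacy", LEGACY), ("hybrid", HYBRID)):
        print(name, "->", classify(parse_mbr(build_mbr(table))))
    logged = parse_aswmbr_partition_line(ASWMBR_LINE)
    print("aswMBR line reproduced:", matches_log(parse_mbr(build_mbr(PROTECTIVE)), logged))
```

To use it on a real capture, read the 512 bytes of MBR.dat and pass them to `parse_mbr`; the 2097151 MB size is simply 0xFFFFFFFF sectors of 512 bytes, which is how a protective entry is written when it is not sized to the disk, so it exceeding the 953869 MB disk is expected rather than suspicious.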


#20 JohnnyVega (Topic Starter)

Posted 09 November 2016 - 02:24 PM

SystemLook 30.07.11 by jpshortstuff
Log created at 12:24 on 09/11/2016 by Matthew
Administrator - Elevation successful
 
========== reg ==========
 
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"!Do not use this registry key"="Use the SHGetFolderPath or SHGetKnownFolderPath function instead"
"AppData"="C:\Users\Matthew\AppData\Roaming"
"Local AppData"="C:\Users\Matthew\AppData\Local"
"{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}"="C:\Users\Matthew\AppData\Roaming\Microsoft\Windows\Libraries"
"My Video"="C:\Users\Matthew\Videos"
"My Pictures"="C:\Users\Matthew\Pictures"
"Desktop"="C:\Users\Matthew\Desktop"
"History"="C:\Users\Matthew\AppData\Local\Microsoft\Windows\History"
"NetHood"="C:\Users\Matthew\AppData\Roaming\Microsoft\Windows\Network Shortcuts"
"{56784854-C6CB-462B-8169-88E350ACB882}"="C:\Users\Matthew\Contacts"
"{00BCFC5A-ED94-4E48-96A1-3F6217F21990}"="C:\Users\Matthew\AppData\Local\Microsoft\Windows\RoamingTiles"
"Cookies"="C:\Users\Matthew\AppData\Local\Microsoft\Windows\INetCookies"
"Favorites"="C:\Users\Matthew\Favorites"
"SendTo"="C:\Users\Matthew\AppData\Roaming\Microsoft\Windows\SendTo"
"Start Menu"="C:\Users\Matthew\AppData\Roaming\Microsoft\Windows\Start Menu"
"My Music"="C:\Users\Matthew\Music"
"Programs"="C:\Users\Matthew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs"
"Recent"="C:\Users\Matthew\AppData\Roaming\Microsoft\Windows\Recent"
"CD Burning"="C:\Users\Matthew\AppData\Local\Microsoft\Windows\Burn\Burn"
"PrintHood"="C:\Users\Matthew\AppData\Roaming\Microsoft\Windows\Printer Shortcuts"
"{7D1D3A04-DEBB-4115-95CF-2F29DA2920DA}"="C:\Users\Matthew\Searches"
"{374DE290-123F-4565-9164-39C4925E467B}"="C:\Users\Matthew\Downloads"
"{A520A1A4-1780-4FF6-BD18-167343C5AF16}"="C:\Users\Matthew\AppData\LocalLow"
"Startup"="C:\Users\Matthew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
"Administrative Tools"="C:\Users\Matthew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools"
"Personal"="C:\Users\Matthew\Documents"
"{BFB9D5E0-C6A9-404C-B2B2-AE6DB6AF4968}"="C:\Users\Matthew\Links"
"Cache"="C:\Users\Matthew\AppData\Local\Microsoft\Windows\INetCache"
"Templates"="C:\Users\Matthew\AppData\Roaming\Microsoft\Windows\Templates"
"{4C5C32FF-BB9D-43B0-B5B4-2D72E54EAAA4}"="C:\Users\Matthew\Saved Games"
"Fonts"="C:\WINDOWS\Fonts"
 
 
-= EOF =-


#21 nasdaq (Malware Response Team)

Posted 10 November 2016 - 09:41 AM


My previous fix was not correct. Only the first registry key was searched.

Please repeat my previous SystemLook search with the following.

:reg
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders /sub
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders /sub
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders /sub
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders /sub


#22 JohnnyVega (Topic Starter)

Posted 10 November 2016 - 03:05 PM

SystemLook 30.07.11 by jpshortstuff
Log created at 13:05 on 10/11/2016 by Matthew
Administrator - Elevation successful
 
========== reg ==========
 
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"!Do not use this registry key"="Use the SHGetFolderPath or SHGetKnownFolderPath function instead"
"AppData"="C:\Users\Matthew\AppData\Roaming"
"Local AppData"="C:\Users\Matthew\AppData\Local"
"{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}"="C:\Users\Matthew\AppData\Roaming\Microsoft\Windows\Libraries"
"My Video"="C:\Users\Matthew\Videos"
"My Pictures"="C:\Users\Matthew\Pictures"
"Desktop"="C:\Users\Matthew\Desktop"
"History"="C:\Users\Matthew\AppData\Local\Microsoft\Windows\History"
"NetHood"="C:\Users\Matthew\AppData\Roaming\Microsoft\Windows\Network Shortcuts"
"{56784854-C6CB-462B-8169-88E350ACB882}"="C:\Users\Matthew\Contacts"
"{00BCFC5A-ED94-4E48-96A1-3F6217F21990}"="C:\Users\Matthew\AppData\Local\Microsoft\Windows\RoamingTiles"
"Cookies"="C:\Users\Matthew\AppData\Local\Microsoft\Windows\INetCookies"
"Favorites"="C:\Users\Matthew\Favorites"
"SendTo"="C:\Users\Matthew\AppData\Roaming\Microsoft\Windows\SendTo"
"Start Menu"="C:\Users\Matthew\AppData\Roaming\Microsoft\Windows\Start Menu"
"My Music"="C:\Users\Matthew\Music"
"Programs"="C:\Users\Matthew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs"
"Recent"="C:\Users\Matthew\AppData\Roaming\Microsoft\Windows\Recent"
"CD Burning"="C:\Users\Matthew\AppData\Local\Microsoft\Windows\Burn\Burn"
"PrintHood"="C:\Users\Matthew\AppData\Roaming\Microsoft\Windows\Printer Shortcuts"
"{7D1D3A04-DEBB-4115-95CF-2F29DA2920DA}"="C:\Users\Matthew\Searches"
"{374DE290-123F-4565-9164-39C4925E467B}"="C:\Users\Matthew\Downloads"
"{A520A1A4-1780-4FF6-BD18-167343C5AF16}"="C:\Users\Matthew\AppData\LocalLow"
"Startup"="C:\Users\Matthew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
"Administrative Tools"="C:\Users\Matthew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools"
"Personal"="C:\Users\Matthew\Documents"
"{BFB9D5E0-C6A9-404C-B2B2-AE6DB6AF4968}"="C:\Users\Matthew\Links"
"Cache"="C:\Users\Matthew\AppData\Local\Microsoft\Windows\INetCache"
"Templates"="C:\Users\Matthew\AppData\Roaming\Microsoft\Windows\Templates"
"{4C5C32FF-BB9D-43B0-B5B4-2D72E54EAAA4}"="C:\Users\Matthew\Saved Games"
"Fonts"="C:\WINDOWS\Fonts"
 
 
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
"AppData"="%USERPROFILE%\AppData\Roaming"
"Desktop"="%USERPROFILE%\Desktop"
"Favorites"="%USERPROFILE%\Favorites"
"History"="%USERPROFILE%\AppData\Local\Microsoft\Windows\History"
"Local AppData"="%USERPROFILE%\AppData\Local"
"My Music"="%USERPROFILE%\Music"
"My Pictures"="%USERPROFILE%\Pictures"
"My Video"="%USERPROFILE%\Videos"
"NetHood"="%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Network Shortcuts"
"Personal"="%USERPROFILE%\Documents"
"PrintHood"="%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Printer Shortcuts"
"Programs"="%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs"
"Recent"="%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent"
"SendTo"="%USERPROFILE%\AppData\Roaming\Microsoft\Windows\SendTo"
"Start Menu"="%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu"
"Startup"="%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
"Templates"="%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Templates"
"{374DE290-123F-4565-9164-39C4925E467B}"="%USERPROFILE%\Downloads"
"Cache"="C:\Users\Matthew\AppData\Local\Microsoft\Windows\INetCache"
"Cookies"="C:\Users\Matthew\AppData\Local\Microsoft\Windows\INetCookies"
 
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders]
"Common AppData"="%ProgramData%"
"Common Desktop"="%PUBLIC%\Desktop"
"Common Documents"="%PUBLIC%\Documents"
"Common Programs"="%ProgramData%\Microsoft\Windows\Start Menu\Programs"
"Common Start Menu"="%ProgramData%\Microsoft\Windows\Start Menu"
"Common Startup"="%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup"
"Common Templates"="%ProgramData%\Microsoft\Windows\Templates"
"CommonMusic"="%PUBLIC%\Music"
"CommonPictures"="%PUBLIC%\Pictures"
"CommonVideo"="%PUBLIC%\Videos"
"{3D644C9B-1FB8-4f30-9B45-F670235F79C0}"="%PUBLIC%\Downloads"
 
 
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders]
"Common Administrative Tools"="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools"
"Common AppData"="C:\ProgramData"
"Common Desktop"="C:\Users\Public\Desktop"
"Common Documents"="C:\Users\Public\Documents"
"Common Programs"="C:\ProgramData\Microsoft\Windows\Start Menu\Programs"
"Common Start Menu"="C:\ProgramData\Microsoft\Windows\Start Menu"
"Common Startup"="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
"Common Templates"="C:\ProgramData\Microsoft\Windows\Templates"
"CommonMusic"="C:\Users\Public\Music"
"CommonPictures"="C:\Users\Public\Pictures"
"CommonVideo"="C:\Users\Public\Videos"
"OEM Links"="C:\ProgramData\OEM\Links"
 
 
-= EOF =-


#23 nasdaq (Malware Response Team)

Posted 11 November 2016 - 09:12 AM



Nothing suspicious. Let's check the user accounts.

:reg
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /sub
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce /sub
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices /sub


Do this search and post the log.

#24 JohnnyVega (Topic Starter)

Posted 11 November 2016 - 04:14 PM

SystemLook 30.07.11 by jpshortstuff
Log created at 14:13 on 11/11/2016 by Matthew
Administrator - Elevation successful
 
========== reg ==========
 
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
(No values found)
 
 
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
(No values found)
 
 
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]
(Unable to open key - key not found)
 
-= EOF =-
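The two SystemLook searches above are looking for two different persistence tricks. The Shell Folders / User Shell Folders check (the log two posts up) catches a redirected Startup folder, where the "Startup" or "Common Startup" value is pointed at a directory the malware controls so that its payload launches at logon while the usual Startup folder stays empty. The Run/RunOnce check (the log directly above) catches a plain autorun value. The Python below is an added example, not SystemLook code and not from the thread: it parses SystemLook's :reg output, compares the startup-folder values against the Windows defaults, and lists whatever the Run keys contain. SAMPLE_CLEAN is trimmed from the two logs posted above; SAMPLE_HIJACKED is constructed to show a hit and does not describe this machine. Two facts the checks encode: RunServices is a Windows 9x/Me key, so "key not found" for it on Windows 10 is expected; and HKCU Run is only part of what Task Manager's Startup tab aggregates (it also lists HKLM Run and the Startup folders), so an empty HKCU Run does not rule out a startup entry.

```python
"""Parse SystemLook ':reg' output and check it for a redirected Startup
folder and for Run-key autorun entries.

Added example for this thread; not SystemLook code. SAMPLE_CLEAN is trimmed
from the logs posted above; SAMPLE_HIJACKED is constructed to show a hit."""
import re

KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<value>.*)"$')

SAMPLE_CLEAN = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup"="C:\Users\Matthew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
"Startup"="%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders]
"Common Startup"="%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders]
"Common Startup"="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
(No values found)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
(No values found)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]
(Unable to open key - key not found)
"""

# Constructed, hypothetical: a Startup folder repointed to a directory the
# malware owns, plus a Run value. Not from this thread.
SAMPLE_HIJACKED = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
"Startup"="C:\ProgramData\Updater\Startup"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\ProgramData\Updater\updater.exe /silent"
"""

# Windows defaults. User Shell Folders holds the unexpanded form (compared
# exactly); Shell Folders holds the expanded form (compared by suffix, since
# the drive letter and user name vary).
HKCU_EXPLORER = r"hkey_current_user\software\microsoft\windows\currentversion\explorer"
HKLM_EXPLORER = r"hkey_local_machine\software\microsoft\windows\currentversion\explorer"
EXPECTED_STARTUP = {
    (HKCU_EXPLORER + r"\user shell folders", "Startup"): r"%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup",
    (HKLM_EXPLORER + r"\user shell folders", "Common Startup"): r"%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup",
    (HKCU_EXPLORER + r"\shell folders", "Startup"): r"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup",
    (HKLM_EXPLORER + r"\shell folders", "Common Startup"): r"\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup",
}
AUTORUN_SUFFIXES = (r"\run", r"\runonce", r"\runservices")


def parse_systemlook_reg(text):
    """Return {key (lower-cased): {"values": {name: value}, "found": bool}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            current = km.group("key").lower()
            keys[current] = {"values": {}, "found": True}
            continue
        if current is None or not line:
            continue
        if line.startswith("(Unable to open key"):
            keys[current]["found"] = False
        elif not line.startswith("(No values found)"):
            vm = VALUE_RE.match(line)
            if vm:
                keys[current]["values"][vm.group("name")] = vm.group("value")
    return keys


def startup_redirects(keys):
    """Startup-folder values that do not point where Windows puts them."""
    findings = []
    for (key, name), expected in EXPECTED_STARTUP.items():
        entry = keys.get(key)
        if not entry or name not in entry["values"]:
            continue  # key not queried or value absent: nothing to compare
        actual = entry["values"][name]
        exact = expected.startswith("%")
        ok = actual.lower() == expected.lower() if exact else actual.lower().endswith(expected.lower())
        if not ok:
            findings.append({"key": key, "name": name, "actual": actual, "expected": expected})
    return findings


def autorun_entries(keys):
    """Flatten the Run/RunOnce/RunServices keys that were queried; a missing
    RunServices key is normal on Windows 10 (it is a Windows 9x/Me key)."""
    out = []
    for key, entry in keys.items():
        if not key.endswith(AUTORUN_SUFFIXES):
            continue
        if not entry["found"]:
            out.append({"key": key, "name": None, "command": None, "note": "key not present"})
            continue
        for name, cmd in entry["values"].items():
            out.append({"key": key, "name": name, "command": cmd, "note": ""})
    return out


if __name__ == "__main__":
    for label, sample in (("clean", SAMPLE_CLEAN), ("hijacked", SAMPLE_HIJACKED)):
        parsed = parse_systemlook_reg(sample)
        print(label, "redirects:", startup_redirects(parsed))
        print(label, "autoruns:", autorun_entries(parsed))
```

Feed it SystemLook.txt from the Desktop; a non-empty result from `startup_redirects` means the Startup folder Explorer actually scans at logon is not the one shown in the Start Menu, and that directory is the next thing to list.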


#25 nasdaq (Malware Response Team)

Posted 12 November 2016 - 10:13 AM


Well, I'm out of suggestions.

I suggest you create a new profile and delete the corrupted one.

If you need help you can contact an expert in the Windows 10 forum.
http://www.bleepingcomputer.com/forums/f/229/windows-10-support/

Good luck.

#26 JohnnyVega (Topic Starter)

Posted 12 November 2016 - 07:37 PM

Since it was a program that executed on startup, I checked the list in task manager, and attached a screenshot of them. PowerSaver is there. Are any of the other programs harmful?

 

I chose to see the file location of PowerSaver and attached a screenshot. Would simply moving the Windows Apps folder to the recycle bin solve the problem, and have my computer threat-free? The PowerSaver folder is the only one inside the Windows Apps folder. I assume both were created when I first got infected.

Attached Files



#27 nasdaq (Malware Response Team)

Posted 13 November 2016 - 10:19 AM

Delete the PowerSaver folder, not the Windows Apps\ folder.

#28 JohnnyVega (Topic Starter)

Posted 13 November 2016 - 08:49 PM

Thank you for generously volunteering your time to help me and others on this wonderful website.





