
Concerned about ZeroAccess and/or possibly a keylogger.


  • This topic is locked
8 replies to this topic

#1 dotsdfe

dotsdfe

  • Members
  • 5 posts
  • OFFLINE
  • Local time:10:14 PM

Posted 30 November 2016 - 01:23 AM

I'm very much computer illiterate, so please bear with me. But my situation is this: Lately I've had a few issues come up with passwords seemingly being hacked across different sites and games. I changed my password and another potential issue came up today. The new password was totally new and I only provided it within the game client, yet my account had a password reset triggered for suspicious activity, so I worry that it may have been compromised.

 

I asked on another forum and was directed here as well as given a few programs to try. I haven't gone through all of them just yet due to being busy around the house, but I did a Malwarebytes scan, which did not detect any issues. I then did a scan with RKill, and received this result:

Rkill 2.8.4 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2016 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 11/29/2016 11:44:01 PM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * Windows Defender Disabled

   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001

 * Windows Firewall Disabled

   [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
   "EnableFirewall" = dword:00000000

 * ALERT: ZEROACCESS rootkit symptoms found!

     * C:\Users\Shawn\AppData\Local\{02815385-b3dc-aa2c-a083-2e509dc82d52}\ [ZA Dir]
     * C:\Users\Shawn\AppData\Local\{02815385-b3dc-aa2c-a083-2e509dc82d52}\@ [ZA File]
     * C:\Users\Shawn\AppData\Local\{02815385-b3dc-aa2c-a083-2e509dc82d52}\L\ [ZA Dir]
     * C:\Users\Shawn\AppData\Local\{02815385-b3dc-aa2c-a083-2e509dc82d52}\U\ [ZA Dir]
     * C:\Windows\Installer\{02815385-b3dc-aa2c-a083-2e509dc82d52}\ [ZA Dir]
     * C:\Windows\Installer\{02815385-b3dc-aa2c-a083-2e509dc82d52}\@ [ZA File]
     * C:\Windows\Installer\{02815385-b3dc-aa2c-a083-2e509dc82d52}\L\ [ZA Dir]
     * C:\Windows\Installer\{02815385-b3dc-aa2c-a083-2e509dc82d52}\U\ [ZA Dir]
     * C:\Windows\Installer\{02815385-b3dc-aa2c-a083-2e509dc82d52}\U\00000001.@ [ZA File]
     * C:\Windows\Installer\{02815385-b3dc-aa2c-a083-2e509dc82d52}\U\80000000.@ [ZA File]

Checking Windows Service Integrity:

 * Windows Defender (WinDefend) is not Running.
   Startup Type set to: Manual

 * Windows Update (wuauserv) is not Running.
   Startup Type set to: Disabled

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * No issues found.

Program finished at: 11/29/2016 11:57:21 PM
Execution time: 0 hours(s), 13 minute(s), and 19 seconds(s)

So, the ZeroAccess issue seems really concerning to me. I put on another Malwarebytes scan before I left earlier, just in case it would pick something else up, but it came up clean once again. I googled the ZeroAccess issue but most of the responses that I found were personalized programs that offered solutions, but they all seemed self-serving and I couldn't verify the validity of any of them.

 

Based on the results from RKill and Malwarebytes, should I be concerned? Is there another program that I should run to specifically take care of this issue? Or could this issue be a false flag based on files after all?

 

I apologize for the wordiness and the uncertainty, but I'm really out of my element here and I'm very concerned that I have something nasty - either a keylogger or ZeroAccess, or both. Would it be possible to get a second opinion and further assistance?

EDIT/UPDATE: I manually located the files mentioned in the RKill report. Both contained two folders named L and U respectively, and a system process known as @. I've scanned each file individually and most of them came up clean, except for two malicious files that came up in one of the folders in the Windows Installer version of the folder. One was named as a "Backdoor Generic" and one was "Luhe Sirefef" according to AVG. I removed both using AVG and reset my computer. However, RKill still provided the same result as before and flagged those two folders, despite every other file in them appearing clean. Could I delete those folders entirely? Or is there something else that I could do to scan more thoroughly?


Edited by dotsdfe, 30 November 2016 - 03:11 AM.
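A report like the Rkill output quoted in this post is easier to act on when it is parsed rather than eyeballed. The Python below is an added example written for this thread; it is not part of the original post and not Rkill's own code. It assumes the plain-text layout visible in the report above (one space before top-level " * " items, three spaces before the registry and "Startup Type" lines, five spaces before the "* path [ZA ...]" lines under the ALERT) and works on a constructed sample assembled from lines quoted in the post. It pulls out the three things a responder looks for in such a report: which protections are reported disabled together with the registry value behind the verdict, which services are stopped and how they are configured to start, and the ZeroAccess-style artifacts grouped by their GUID, which makes it visible that both locations share a single identifier.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: the relevant sections of the Rkill report quoted in the post,
# reproduced with the indentation Rkill uses (1 space before " * " items, 3 spaces
# before registry / startup-type lines, 5 spaces before ZeroAccess artifact lines).
SAMPLE_RKILL = r"""Performing miscellaneous checks:

 * Windows Defender Disabled

   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001

 * Windows Firewall Disabled

   [HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
   "EnableFirewall" = dword:00000000

 * ALERT: ZEROACCESS rootkit symptoms found!

     * C:\Users\Shawn\AppData\Local\{02815385-b3dc-aa2c-a083-2e509dc82d52}\ [ZA Dir]
     * C:\Users\Shawn\AppData\Local\{02815385-b3dc-aa2c-a083-2e509dc82d52}\@ [ZA File]
     * C:\Windows\Installer\{02815385-b3dc-aa2c-a083-2e509dc82d52}\U\80000000.@ [ZA File]

Checking Windows Service Integrity:

 * Windows Defender (WinDefend) is not Running.
   Startup Type set to: Manual

 * Windows Update (wuauserv) is not Running.
   Startup Type set to: Disabled

Searching for Missing Digital Signatures:

 * No issues found.
"""

SECTION_RE = re.compile(r"^\S[^:]*:\s*$")                    # "Checking Windows Service Integrity:"
ITEM_RE = re.compile(r"^\s\*\s(.*)$")                        # " * Windows Defender Disabled"
ZA_RE = re.compile(r"^\s{2,}\*\s(.+?)\s\[(ZA \w+)\]$")       # "     * <path> [ZA Dir]"
REGKEY_RE = re.compile(r"^\s+\[(.+)\]$")                     # "   [HKLM\...]"
REGVAL_RE = re.compile(r'^\s+"([^"]+)"\s*=\s*dword:([0-9a-fA-F]{8})$')
SERVICE_RE = re.compile(r"^.+? \((\w+)\) is not Running\.$")  # "... (wuauserv) is not Running."
STARTUP_RE = re.compile(r"^\s+Startup Type set to:\s*(\w+)$")
GUID_RE = re.compile(r"\{([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\}", re.I)


@dataclass
class Finding:
    category: str   # "security_setting_disabled" | "zeroaccess_artifact" | "service_not_running"
    subject: str    # protection name, artifact path, or service short name
    evidence: str = ""  # registry value, ZA tag, or startup type that backs the finding


def parse_rkill(report: str) -> list[Finding]:
    """Walk the report line by line; continuation lines attach to the item above them."""
    findings: list[Finding] = []
    current: Finding | None = None  # item whose indented continuation lines we are reading
    reg_key = ""
    for raw in report.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if SECTION_RE.match(line):      # a new section ends any pending item
            current = None
            continue
        if m := ZA_RE.match(line):      # artifact lines are listed under the ALERT item
            findings.append(Finding("zeroaccess_artifact", m.group(1), m.group(2)))
            continue
        if m := ITEM_RE.match(line):
            text = m.group(1)
            current = None
            if text.endswith(" Disabled"):
                current = Finding("security_setting_disabled", text[: -len(" Disabled")])
                findings.append(current)
            elif s := SERVICE_RE.match(text):
                current = Finding("service_not_running", s.group(1))
                findings.append(current)
            # "ALERT: ..." and "No issues found." carry no detail of their own
            continue
        if current is None:
            continue
        if m := REGKEY_RE.match(line):
            reg_key = m.group(1)
        elif m := REGVAL_RE.match(line):
            current.evidence = f"{reg_key}\\{m.group(1)}={int(m.group(2), 16)}"
        elif m := STARTUP_RE.match(line):
            current.evidence = m.group(1)
    return findings


def summarize(findings: list[Finding]) -> dict:
    """Condense findings into what a responder needs: tampered defenses, stopped
    services, and artifact roots keyed by the GUID directory name they share."""
    roots: dict[str, set[str]] = {}
    for f in findings:
        if f.category == "zeroaccess_artifact" and (m := GUID_RE.search(f.subject)):
            roots.setdefault(m.group(1).lower(), set()).add(f.subject[: m.start()])
    return {
        "defenses_disabled": [f.subject for f in findings if f.category == "security_setting_disabled"],
        "services_not_running": {f.subject: f.evidence for f in findings if f.category == "service_not_running"},
        "zeroaccess_guid_roots": {g: sorted(r) for g, r in roots.items()},
        "rootkit_suspected": bool(roots),  # the tool reported symptoms; confirmation is a separate step
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(parse_rkill(SAMPLE_RKILL)), indent=2))
```

The summary only restates what the tool reported: Defender and the firewall switched off by registry value, Windows Update set to Disabled, and one GUID directory present under both the user profile and the Windows Installer folder. Whether those paths are live rootkit components or remnants is exactly the question the dedicated removal tools are for, so the script marks the host as "rootkit_suspected" rather than confirmed.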



#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,190 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:14 AM

Posted 02 December 2016 - 10:21 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

--RogueKiller--
  • Download RogueKiller & SAVE it to your Desktop.
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator"
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a window opens to explain what [PUM's] are, read about it.
  • Click the RogueKiller icon on your taskbar to return to the report.
  • Click open the Report
  • Click Export TXT button
  • Save the file as ReportRogue.txt
  • Click the Remove button to delete the items in RED
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next reply.
=======

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section at the bottom of the topic, click the "More Reply Options" button.

Attach the file.
Select the "Choose a File" navigate to the location of the File.
Click the file you wish to Attach.

Click the Add reply button.
===

Please post the logs.
1 - ReportRogue.txt
2 - FRST
3 - Addition.txt

Let me know what problem persists.

#3 dotsdfe

dotsdfe
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:10:14 PM

Posted 05 December 2016 - 03:39 AM

Just a quick update to say that I've been very very busy all weekend and haven't had time to run things just yet. I felt bad for not checking in after being responded to, but I'm hoping to have time to run the scans tomorrow evening and to be able to respond further. Sorry again about the delay.



#4 dotsdfe

dotsdfe
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:10:14 PM

Posted 07 December 2016 - 06:48 PM

ReportRogue:

RogueKiller V12.8.4.0 (x64) [Dec  5 2016] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Shawn [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 12/07/2016 03:11:14 (Duration : 01:33:28)

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 21 ¤¤¤
[PUP] (X64) HKEY_CLASSES_ROOT\dnUpdate -> Found
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\AVG Secure Search -> Found
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\AVG Security Toolbar -> Found
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\MetaStream -> Found
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\Viewpoint -> Found
[PUP] (X64) HKEY_USERS\.DEFAULT\Software\IGearSettings -> Found
[PUP] (X86) HKEY_USERS\.DEFAULT\Software\IGearSettings -> Found
[PUP] (X64) HKEY_USERS\S-1-5-21-3035285257-1660607583-71384102-1001\Software\AVG SafeGuard toolbar -> Found
[PUP] (X64) HKEY_USERS\S-1-5-21-3035285257-1660607583-71384102-1001\Software\YahooPartnerToolbar -> Found
[PUP] (X86) HKEY_USERS\S-1-5-21-3035285257-1660607583-71384102-1001\Software\AVG SafeGuard toolbar -> Found
[PUP] (X86) HKEY_USERS\S-1-5-21-3035285257-1660607583-71384102-1001\Software\YahooPartnerToolbar -> Found
[PUP] (X64) HKEY_USERS\S-1-5-18\Software\IGearSettings -> Found
[PUP] (X86) HKEY_USERS\S-1-5-18\Software\IGearSettings -> Found
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftwareUpdUtility -> Found
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\ViewpointMediaPlayer -> Found
[Suspicious.Path] (X64) HKEY_USERS\S-1-5-21-3035285257-1660607583-71384102-1001\Software\Microsoft\Windows\CurrentVersion\Run | ROC_ROC_APR2013_AV : C:\Users\Shawn\AppData\Roaming\AVG April 2013 Campaign\AVG-Secure-Search-Update.exe /PROMPT --mid 5922d70d304b47d6aba9b1a22fe0794d-57d58ba62ee19ae9955d03c6897507ade28290f5 --CMPID ROC_APR2013_AV [-] -> Found
[Suspicious.Path] (X64) HKEY_USERS\S-1-5-21-3035285257-1660607583-71384102-1001\Software\Microsoft\Windows\CurrentVersion\Run | AVG-Secure-Search-Update_0913a : C:\Users\Shawn\AppData\Roaming\AVG 0913a Campaign\AVG-Secure-Search-Update-0913a.exe /PROMPT --mid 5922d70d304b47d6aba9b1a22fe0794d-57d58ba62ee19ae9955d03c6897507ade28290f5 --CMPID 0913a [-] -> Found
[Suspicious.Path] (X64) HKEY_USERS\S-1-5-21-3035285257-1660607583-71384102-1001\Software\Microsoft\Windows\CurrentVersion\Run | AIM for Windows : "C:\Users\Shawn\AppData\Local\AOL\AIM\aim.exe" [x] -> Found
[Suspicious.Path] (X86) HKEY_USERS\S-1-5-21-3035285257-1660607583-71384102-1001\Software\Microsoft\Windows\CurrentVersion\Run | ROC_ROC_APR2013_AV : C:\Users\Shawn\AppData\Roaming\AVG April 2013 Campaign\AVG-Secure-Search-Update.exe /PROMPT --mid 5922d70d304b47d6aba9b1a22fe0794d-57d58ba62ee19ae9955d03c6897507ade28290f5 --CMPID ROC_APR2013_AV [-] -> Found
[Suspicious.Path] (X86) HKEY_USERS\S-1-5-21-3035285257-1660607583-71384102-1001\Software\Microsoft\Windows\CurrentVersion\Run | AVG-Secure-Search-Update_0913a : C:\Users\Shawn\AppData\Roaming\AVG 0913a Campaign\AVG-Secure-Search-Update-0913a.exe /PROMPT --mid 5922d70d304b47d6aba9b1a22fe0794d-57d58ba62ee19ae9955d03c6897507ade28290f5 --CMPID 0913a [-] -> Found
[Suspicious.Path] (X86) HKEY_USERS\S-1-5-21-3035285257-1660607583-71384102-1001\Software\Microsoft\Windows\CurrentVersion\Run | AIM for Windows : "C:\Users\Shawn\AppData\Local\AOL\AIM\aim.exe" [x] -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 7 ¤¤¤
[PUP][Folder] C:\ProgramData\Viewpoint -> Found
[Root.ZeroAccess][Folder] C:\Windows\Installer\{02815385-b3dc-aa2c-a083-2e509dc82d52}\L -> Found
[Root.ZeroAccess][Folder] C:\Windows\Installer\{02815385-b3dc-aa2c-a083-2e509dc82d52}\U -> Found
[Root.ZeroAccess][Folder] C:\Users\Shawn\AppData\Local\{02815385-b3dc-aa2c-a083-2e509dc82d52}\L -> Found
[Root.ZeroAccess][Folder] C:\Users\Shawn\AppData\Local\{02815385-b3dc-aa2c-a083-2e509dc82d52}\U -> Found
[PUP][Folder] C:\ProgramData\Viewpoint -> Found
[PUP][Folder] C:\Program Files (x86)\Viewpoint -> Found

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 3 ¤¤¤
[PUM.HomePage][Firefox:Config] 5qn7jiux.default : user_pref("browser.startup.homepage", "http://www.gamefaqs.com/"); -> Found
[PUM.SearchEngine][Firefox:Config] 5qn7jiux.default : user_pref("browser.search.selectedEngine", "Wikipedia (en)"); -> Found
[PUM.SearchEngine][Firefox:Config] 5qn7jiux.default : user_pref("browser.search.defaultenginename", "Wikipedia (en)"); -> Found

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: SAMSUNG HM250HI +++++
--- User ---
[MBR] 1f3747f276df3e86c3699f050e04898e
[BSP] 1d3dbd27465810c433249e71141074e9 : HP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 199 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 409600 | Size: 221660 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 454369280 | Size: 16511 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
3 - [XXXXXX] FAT32-LBA (0xc) [VISIBLE] Offset (sectors): 488183808 | Size: 103 MB
User = LL1 ... OK
User = LL2 ... OK

FRST:

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 07-12-2016
Ran by Shawn (administrator) on SHAWN-HP (07-12-2016 16:31:43)
Running from C:\Users\Shawn\Desktop\FRST
Loaded Profiles: Shawn (Available Profiles: Shawn)
Platform: Windows 7 Home Premium Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgrsa.exe
(Andrea Electronics Corporation) C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgidsagenta.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Framework\Common\avgsvca.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgwdsvca.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe
(Microsoft Corporation) C:\Program Files\Microsoft LifeCam\MSCamS64.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
(AOL Inc.) C:\Program Files (x86)\AIM7\aim.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgui.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Framework\Common\avguix.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgnsa.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgemca.exe
(Microsoft Corporation) C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe
(Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Hewlett-Packard Company) C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe
(Hewlett-Packard Company) C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe
(Realtek Semiconductor Corp.) C:\Program Files\Realtek\RtVOsd\RtVOsdService.exe
(Realtek Semiconductor Corp.) C:\Program Files\Realtek\RtVOsd\RtVOsd.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\Av\avgcsrva.exe
(Microsoft Corporation) C:\Windows\System32\taskmgr.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationFontCache.exe

==================== Registry (Whitelisted) ====================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2097960 2010-04-22] (Synaptics Incorporated)
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [6245408 2010-05-25] (Realtek Semiconductor)
HKLM\...\Run: [HPWirelessAssistant] => C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe [363064 2010-06-18] (Hewlett-Packard Company)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] => C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe [41056 2013-05-08] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [HP Quick Launch] => C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe [586296 2010-11-09] (Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [AvgUi] => C:\Program Files (x86)\AVG\Framework\Common\avguirna.exe [240400 2016-12-01] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [AVG_UI] => C:\Program Files (x86)\AVG\Framework\Common\avguirna.exe [240400 2016-12-01] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [587288 2016-09-22] (Oracle Corporation)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-3035285257-1660607583-71384102-1001\...\Run: [ROC_ROC_APR2013_AV] => C:\Users\Shawn\AppData\Roaming\AVG April 2013 Campaign\AVG-Secure-Search-Update.exe /PROMPT --mid 5922d70d304b47d6aba9b1a22fe0794d-57d58ba62ee19ae9955d03c6897507ade28290f5 --CMPID ROC_APR2013_AV
HKU\S-1-5-21-3035285257-1660607583-71384102-1001\...\Run: [AVG-Secure-Search-Update_0913a] => C:\Users\Shawn\AppData\Roaming\AVG 0913a Campaign\AVG-Secure-Search-Update-0913a.exe /PROMPT --mid 5922d70d304b47d6aba9b1a22fe0794d-57d58ba62ee19ae9955d03c6897507ade28290f5 --CMPID 0913a
HKU\S-1-5-21-3035285257-1660607583-71384102-1001\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [26424960 2016-06-28] (Skype Technologies S.A.)
HKU\S-1-5-21-3035285257-1660607583-71384102-1001\...\Run: [AIM for Windows] => "C:\Users\Shawn\AppData\Local\AOL\AIM\aim.exe"
HKU\S-1-5-21-3035285257-1660607583-71384102-1001\...\Run: [AIM] => C:\Program Files (x86)\AIM7\aim.exe [4321112 2011-05-03] (AOL Inc.)
HKU\S-1-5-21-3035285257-1660607583-71384102-1001\...\Run: [Google Update] => C:\Users\Shawn\AppData\Local\Google\Update\GoogleUpdate.exe [107848 2015-02-06] (Google Inc.)
HKU\S-1-5-21-3035285257-1660607583-71384102-1001\...\MountPoints2: F - F:\LaunchU3.exe -a
HKU\S-1-5-21-3035285257-1660607583-71384102-1001\...\MountPoints2: {113c7827-d963-11e0-bf04-60eb690490be} - F:\LaunchU3.exe -a
HKU\S-1-5-18\...\RunOnce: [SPReview] => C:\Windows\System32\SPReview\SPReview.exe [301568 2013-03-21] (Microsoft Corporation)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.1
Tcpip\..\Interfaces\{A9E69046-4B35-4ED2-BFB6-2CF003180388}: [DhcpNameServer] 192.168.1.1

Internet Explorer:
==================
HKU\S-1-5-21-3035285257-1660607583-71384102-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://g.msn.com/HPNOT/1
HKU\S-1-5-21-3035285257-1660607583-71384102-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://g.msn.com/HPNOT/1
SearchScopes: HKLM -> DefaultScope {BEC24F06-A6AD-4D5D-8587-438E7F0769B9} URL = hxxp://www.bing.com/search?q={searchTerms}&form=HPNTDF&pc=HPNTDF&src=IE-SearchBox
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM -> {307A19EB-E7CB-46D5-A061-090835837710} URL = hxxp://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPNTDF
SearchScopes: HKLM -> {BEC24F06-A6AD-4D5D-8587-438E7F0769B9} URL = hxxp://www.bing.com/search?q={searchTerms}&form=HPNTDF&pc=HPNTDF&src=IE-SearchBox
SearchScopes: HKLM -> {C3067EDE-8AE5-4BCE-9E48-588739E428BD} URL = hxxp://www.ask.com/web?q={searchterms}&l=dis&o=ushpl
SearchScopes: HKLM -> {EA373C8E-EF07-4453-AF2C-C32CD3FF3EBA} URL = hxxp://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope {BEC24F06-A6AD-4D5D-8587-438E7F0769B9} URL = hxxp://www.bing.com/search?q={searchTerms}&form=HPNTDF&pc=HPNTDF&src=IE-SearchBox
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> {307A19EB-E7CB-46D5-A061-090835837710} URL = hxxp://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPNTDF
SearchScopes: HKLM-x32 -> {BEC24F06-A6AD-4D5D-8587-438E7F0769B9} URL = hxxp://www.bing.com/search?q={searchTerms}&form=HPNTDF&pc=HPNTDF&src=IE-SearchBox
SearchScopes: HKLM-x32 -> {C3067EDE-8AE5-4BCE-9E48-588739E428BD} URL = hxxp://www.ask.com/web?q={searchterms}&l=dis&o=ushpl
SearchScopes: HKLM-x32 -> {EA373C8E-EF07-4453-AF2C-C32CD3FF3EBA} URL = hxxp://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
SearchScopes: HKU\S-1-5-21-3035285257-1660607583-71384102-1001 -> DefaultScope {BEC24F06-A6AD-4D5D-8587-438E7F0769B9} URL = hxxp://www.bing.com/search?q={searchTerms}&form=HPNTDF&pc=HPNTDF&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-3035285257-1660607583-71384102-1001 -> {307A19EB-E7CB-46D5-A061-090835837710} URL = hxxp://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPNTDF
SearchScopes: HKU\S-1-5-21-3035285257-1660607583-71384102-1001 -> {BEC24F06-A6AD-4D5D-8587-438E7F0769B9} URL = hxxp://www.bing.com/search?q={searchTerms}&form=HPNTDF&pc=HPNTDF&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-3035285257-1660607583-71384102-1001 -> {C3067EDE-8AE5-4BCE-9E48-588739E428BD} URL = hxxp://www.ask.com/web?q={searchterms}&l=dis&o=ushpl
SearchScopes: HKU\S-1-5-21-3035285257-1660607583-71384102-1001 -> {EA373C8E-EF07-4453-AF2C-C32CD3FF3EBA} URL = hxxp://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2011-03-28] (Microsoft Corp.)
BHO-x32: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2013-05-08] (Adobe Systems Incorporated)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_111\bin\ssv.dll [2016-10-30] (Oracle Corporation)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2011-03-28] (Microsoft Corp.)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_111\bin\jp2ssv.dll [2016-10-30] (Oracle Corporation)
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll [2016-02-01] (Skype Technologies)

FireFox:
========
FF ProfilePath: C:\Users\Shawn\AppData\Roaming\Mozilla\Firefox\Profiles\5qn7jiux.default [2016-12-07]
FF user.js: detected! => C:\Users\Shawn\AppData\Roaming\Mozilla\Firefox\Profiles\5qn7jiux.default\user.js [2016-03-23]
FF DefaultSearchEngine: Mozilla\Firefox\Profiles\5qn7jiux.default -> Wikipedia (en)
FF DefaultSearchEngine.US: Mozilla\Firefox\Profiles\5qn7jiux.default -> Wikipedia (en)
FF SelectedSearchEngine: Mozilla\Firefox\Profiles\5qn7jiux.default -> Wikipedia (en)
FF Homepage: Mozilla\Firefox\Profiles\5qn7jiux.default -> hxxp://www.gamefaqs.com/
FF Session Restore: Mozilla\Firefox\Profiles\5qn7jiux.default -> is enabled.
FF Extension: (HDI V2) - C:\Users\Shawn\AppData\Roaming\Mozilla\Firefox\Profiles\5qn7jiux.default\Extensions\Aatif@gmail.com [2012-09-26] [not signed]
FF Extension: (GTK+ Native) - C:\Users\Shawn\AppData\Roaming\Mozilla\Firefox\Profiles\5qn7jiux.default\Extensions\gtknativecontrols@example.net.xpi [2012-06-07] [not signed]
FF Extension: (Session Manager) - C:\Users\Shawn\AppData\Roaming\Mozilla\Firefox\Profiles\5qn7jiux.default\Extensions\{1280606b-2510-4fe0-97ef-9b5a22eafe30}.xpi [2016-03-18]
FF Extension: (Linkification) - C:\Users\Shawn\AppData\Roaming\Mozilla\Firefox\Profiles\5qn7jiux.default\Extensions\{35106bca-6c78-48c7-ac28-56df30b51d2a}.xpi [2016-04-27]
FF Extension: (GameFOX) - C:\Users\Shawn\AppData\Roaming\Mozilla\Firefox\Profiles\5qn7jiux.default\Extensions\{6dd0bdba-0a02-429e-b595-87a7dfdca7a1} [2012-10-12] [not signed]
FF Extension: (Adblock Plus) - C:\Users\Shawn\AppData\Roaming\Mozilla\Firefox\Profiles\5qn7jiux.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2016-11-23]
FF SearchPlugin: C:\Users\Shawn\AppData\Roaming\Mozilla\Firefox\Profiles\5qn7jiux.default\searchplugins\tardis-en.xml [2011-02-26]
FF Extension: (Java Console) - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} [2016-11-17] [not signed]
FF Extension: (Java Console) - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA} [2016-11-17] [not signed]
FF Extension: (Java Console) - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA} [2016-11-17] [not signed]
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_23_0_0_207.dll [2016-11-11] ()
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.40728.0\npctrl.dll [2015-07-28] ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_23_0_0_207.dll [2016-11-11] ()
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\SysWOW64\Adobe\Director\np32dsw.dll [2010-05-05] (Adobe Systems, Inc.)
FF Plugin-x32: @java.com/DTPlugin,version=11.111.2 -> C:\Program Files (x86)\Java\jre1.8.0_111\bin\dtplugin\npDeployJava1.dll [2016-10-30] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.111.2 -> C:\Program Files (x86)\Java\jre1.8.0_111\bin\plugin2\npjp2.dll [2016-10-30] (Oracle Corporation)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.40728.0\npctrl.dll [2015-07-28] ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~3\Office14\NPSPWRAP.DLL [2010-03-24] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2012-03-08] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2012-03-08] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3538.0513 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2012-03-08] (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3555.0308 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2012-03-08] (Microsoft Corporation)
FF Plugin-x32: @pandonetworks.com/PandoWebPlugin -> C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll [No File]
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-28] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-28] (Google Inc.)
FF Plugin-x32: @viewpoint.com/VMP -> C:\Program Files (x86)\Viewpoint\Viewpoint Media Player\npViewpoint.dll [No File]
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll [2013-05-08] (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-3035285257-1660607583-71384102-1001: @talk.google.com/GoogleTalkPlugin -> C:\Users\Shawn\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll [2015-12-08] (Google)
FF Plugin HKU\S-1-5-21-3035285257-1660607583-71384102-1001: @talk.google.com/O1DPlugin -> C:\Users\Shawn\AppData\Roaming\Mozilla\plugins\npo1d.dll [2015-12-08] (Google)
FF Plugin HKU\S-1-5-21-3035285257-1660607583-71384102-1001: @tools.google.com/Google Update;version=3 -> C:\Users\Shawn\AppData\Local\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-28] (Google Inc.)
FF Plugin HKU\S-1-5-21-3035285257-1660607583-71384102-1001: @tools.google.com/Google Update;version=9 -> C:\Users\Shawn\AppData\Local\Google\Update\1.3.31.5\npGoogleUpdate3.dll [2016-07-28] (Google Inc.)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\np-mswmp.dll [2007-04-10] (Microsoft Corporation)
FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\nppdf32.dll [2013-05-08] (Adobe Systems Inc.)
FF Plugin ProgramFiles/Appdata: C:\Users\Shawn\AppData\Roaming\mozilla\plugins\npgoogletalk.dll [2015-12-08] (Google)
FF Plugin ProgramFiles/Appdata: C:\Users\Shawn\AppData\Roaming\mozilla\plugins\npo1d.dll [2015-12-08] (Google)

Chrome:
=======
CHR DefaultProfile: Default
CHR Profile: C:\Users\Shawn\AppData\Local\Google\Chrome\User Data\Default [2016-12-05]
CHR Extension: (Google Slides) - C:\Users\Shawn\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2015-03-05]
CHR Extension: (Google Docs) - C:\Users\Shawn\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2015-03-05]
CHR Extension: (Google Drive) - C:\Users\Shawn\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-10-27]
CHR Extension: (YouTube) - C:\Users\Shawn\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2015-09-27]
CHR Extension: (Google Search) - C:\Users\Shawn\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-10-30]
CHR Extension: (Google Sheets) - C:\Users\Shawn\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2015-03-05]
CHR Extension: (Google Docs Offline) - C:\Users\Shawn\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-03-19]
CHR Extension: (AdBlock) - C:\Users\Shawn\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom [2016-11-25]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Shawn\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-02]
CHR Extension: (Gmail) - C:\Users\Shawn\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2015-03-28]
CHR Extension: (Chrome Media Router) - C:\Users\Shawn\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-10-26]

==================== Services (Whitelisted) ====================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 AvgAMPS; C:\Program Files (x86)\AVG\Av\avgamps.exe [647864 2016-11-02] (AVG Technologies CZ, s.r.o.)
R2 AVGIDSAgent; C:\Program Files (x86)\AVG\Av\avgidsagenta.exe [5337696 2016-11-02] (AVG Technologies CZ, s.r.o.)
R2 avgsvc; C:\Program Files (x86)\AVG\Framework\Common\avgsvca.exe [1146128 2016-12-01] (AVG Technologies CZ, s.r.o.)
R2 avgwd; C:\Program Files (x86)\AVG\Av\avgwdsvca.exe [727512 2016-11-02] (AVG Technologies CZ, s.r.o.)
R2 RtVOsdService; C:\Program Files\Realtek\RtVOsd\RtVOsdService.exe [315392 2010-04-19] (Realtek Semiconductor Corp.) [File not signed]
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-26] (Microsoft Corporation)

===================== Drivers (Whitelisted) ======================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R1 Avgdiska; C:\Windows\System32\DRIVERS\avgdiska.sys [163072 2016-05-13] (AVG Technologies CZ, s.r.o.)
R1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [312576 2016-10-17] (AVG Technologies CZ, s.r.o.)
R0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [267008 2016-10-05] (AVG Technologies CZ, s.r.o.)
R1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [267520 2016-10-19] (AVG Technologies CZ, s.r.o.)
R0 Avgloga; C:\Windows\System32\DRIVERS\avgloga.sys [360736 2016-02-16] (AVG Technologies CZ, s.r.o.)
R0 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [254208 2016-09-26] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [52992 2016-06-01] (AVG Technologies CZ, s.r.o.)
R1 Avgtdia; C:\Windows\System32\DRIVERS\avgtdia.sys [299264 2016-07-27] (AVG Technologies CZ, s.r.o.)
R0 Avguniva; C:\Windows\System32\DRIVERS\avguniva.sys [77056 2016-06-20] (AVG Technologies CZ, s.r.o.)
S3 VX6000; C:\Windows\System32\DRIVERS\VX6000Xp.sys [2143600 2010-05-20] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-12-07 04:48 - 2016-12-07 04:48 - 00010906 _____ C:\Users\Shawn\Desktop\ReportRogue.txt
2016-12-07 03:11 - 2016-12-07 03:11 - 00028272 _____ C:\Windows\system32\Drivers\TrueSight.sys
2016-12-07 02:25 - 2016-12-07 16:31 - 00000000 ____D C:\FRST
2016-12-07 02:23 - 2016-12-07 16:31 - 00000000 ____D C:\Users\Shawn\Desktop\FRST
2016-12-07 02:22 - 2016-12-07 04:50 - 00000000 ____D C:\ProgramData\RogueKiller
2016-12-07 02:22 - 2016-12-07 02:22 - 00000858 _____ C:\Users\Public\Desktop\RogueKiller.lnk
2016-12-07 02:22 - 2016-12-07 02:22 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RogueKiller
2016-12-07 02:22 - 2016-12-07 02:22 - 00000000 ____D C:\Program Files\RogueKiller
2016-12-07 02:18 - 2016-12-07 02:21 - 34190992 _____ (Adlice Software ) C:\Users\Shawn\Downloads\setup(1).exe
2016-12-02 11:08 - 2016-12-02 11:08 - 00000000 ____D C:\Users\Shawn\AppData\Local\CEF
2016-11-30 02:11 - 2016-11-30 02:11 - 00000984 _____ C:\Users\Public\Desktop\AVG.lnk
2016-11-30 02:00 - 2016-11-30 02:00 - 01106888 _____ (Bleeping Computer, LLC) C:\Users\Shawn\Downloads\rkill64.exe
2016-11-30 01:58 - 2016-11-30 01:58 - 00000000 ____D C:\Users\Shawn\Desktop\Weird icons
2016-11-29 20:25 - 2016-11-30 02:11 - 00003446 _____ C:\Users\Shawn\Desktop\Rkill.txt
2016-11-29 20:24 - 2016-11-29 20:24 - 02030536 _____ (Bleeping Computer, LLC) C:\Users\Shawn\Downloads\rkill.exe
2016-11-18 04:06 - 2016-12-07 13:18 - 00000000 ____D C:\Users\Shawn\AppData\LocalLow\Mozilla
2016-11-17 19:42 - 2016-11-30 18:46 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2016-11-11 04:28 - 2016-11-11 04:28 - 00000000 _____ C:\Windows\SysWOW64\shoEE6B.tmp

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-12-07 16:04 - 2015-03-05 14:53 - 00000898 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-12-07 15:52 - 2015-02-06 20:05 - 00000908 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3035285257-1660607583-71384102-1001UA.job
2016-12-07 15:05 - 2010-11-28 23:12 - 00000000 ____D C:\Users\Shawn\AppData\Roaming\SoftGrid Client
2016-12-07 12:59 - 2009-07-13 22:45 - 00026192 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-12-07 12:59 - 2009-07-13 22:45 - 00026192 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-12-07 12:58 - 2014-12-11 01:39 - 00000000 ____D C:\Users\Shawn\AppData\Local\Battle.net
2016-12-07 12:57 - 2014-12-11 01:38 - 00000000 ____D C:\Program Files (x86)\Battle.net
2016-12-07 12:48 - 2011-10-09 21:24 - 00000000 ____D C:\Users\Shawn\AppData\Roaming\Skype
2016-12-07 12:45 - 2010-12-02 11:14 - 00000000 ____D C:\ProgramData\MFAData
2016-12-07 12:43 - 2015-03-05 14:53 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-12-07 12:43 - 2009-07-13 23:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-12-07 04:48 - 2012-01-11 13:10 - 00000000 __SHD C:\Users\Shawn\AppData\Local\{02815385-b3dc-aa2c-a083-2e509dc82d52}
2016-12-07 01:32 - 2016-10-11 01:40 - 00000000 ____D C:\Users\Shawn\Desktop\Writing stuff
2016-12-06 18:52 - 2015-02-06 20:05 - 00000856 _____ C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3035285257-1660607583-71384102-1001Core.job
2016-12-06 17:10 - 2016-09-20 22:19 - 00003600 _____ C:\Windows\System32\Tasks\AVG EUpdate Task
2016-12-05 21:09 - 2012-03-09 21:02 - 00003186 _____ C:\Windows\System32\Tasks\HPCeeScheduleForShawn
2016-12-05 21:09 - 2012-03-09 21:02 - 00000332 _____ C:\Windows\Tasks\HPCeeScheduleForShawn.job
2016-12-04 03:14 - 2016-09-21 15:53 - 00012845 _____ C:\Users\Shawn\Desktop\S33.xlsx
2016-12-01 13:40 - 2012-06-07 09:27 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2016-11-30 17:35 - 2014-12-11 16:27 - 00000000 ____D C:\Program Files (x86)\Hearthstone
2016-11-30 14:54 - 2010-11-28 20:47 - 00000000 ____D C:\Users\Shawn\Desktop\New folder
2016-11-30 02:11 - 2015-12-03 12:41 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVG Zen
2016-11-30 01:08 - 2015-12-04 12:48 - 00000000 ____D C:\Users\Shawn\AppData\Local\Avg
2016-11-30 01:05 - 2015-11-14 13:26 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-11-24 02:14 - 2016-07-25 17:00 - 00000000 ____D C:\Users\Shawn\Desktop\Edgic
2016-11-14 19:08 - 2015-03-05 14:58 - 00002195 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-11-14 12:55 - 2009-07-13 23:13 - 00783464 _____ C:\Windows\system32\PerfStringBackup.INI
2016-11-14 12:55 - 2009-07-13 21:20 - 00000000 ____D C:\Windows\inf
2016-11-11 14:18 - 2014-10-15 11:18 - 00000000 ____D C:\Users\Shawn\AppData\Local\Adobe
2016-11-11 14:17 - 2012-03-29 10:05 - 00796352 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2016-11-11 14:17 - 2012-03-29 10:05 - 00000000 ____D C:\Windows\system32\Macromed
2016-11-11 14:17 - 2011-06-21 09:21 - 00142528 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2016-11-11 14:17 - 2010-07-10 20:29 - 00000000 ____D C:\Windows\SysWOW64\Macromed

==================== Files in the root of some directories =======

2012-04-08 01:16 - 2012-04-26 23:33 - 0007597 _____ () C:\Users\Shawn\AppData\Local\Resmon.ResmonCfg
2016-08-08 17:04 - 2016-08-08 17:04 - 0000000 _____ () C:\Users\Shawn\AppData\Local\{4ACA2373-D55C-4E16-93D4-79644EF8C476}
2015-08-07 11:15 - 2015-08-07 11:15 - 0000000 _____ () C:\Users\Shawn\AppData\Local\{5002BBB1-B362-4B26-814B-382179AFE93F}
2010-07-08 02:37 - 2010-07-08 02:37 - 0000032 _____ () C:\ProgramData\{051B9612-4D82-42AC-8C63-CD2DCEDC1CB3}.log
2010-07-10 21:51 - 2010-07-10 21:51 - 0000109 _____ () C:\ProgramData\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}.log
2010-07-08 02:37 - 2010-07-08 02:37 - 0000032 _____ () C:\ProgramData\{23F3DA62-2D9E-4A69-B8D5-BE8E9E148092}.log
2010-07-10 21:44 - 2010-07-10 21:45 - 0000105 _____ () C:\ProgramData\{40BF1E83-20EB-11D8-97C5-0009C5020658}.log
2010-07-08 02:36 - 2010-07-08 02:36 - 0000032 _____ () C:\ProgramData\{4FC670EB-5F02-4B07-90DB-022B86BFEFD0}.log
2010-07-08 02:37 - 2010-07-08 02:37 - 0000032 _____ () C:\ProgramData\{9867824A-C86D-4A83-8F3C-E7A86BE0AFD3}.log
2010-07-10 21:43 - 2010-07-10 21:44 - 0000107 _____ () C:\ProgramData\{C59C179C-668D-49A9-B6EA-0121CCFC1243}.log
2010-07-10 21:45 - 2010-07-10 21:51 - 0000110 _____ () C:\ProgramData\{CB099890-1D5F-11D5-9EA9-0050BAE317E1}.log
2010-07-08 02:37 - 2010-07-08 02:37 - 0000105 _____ () C:\ProgramData\{d36dd326-7280-11d8-97c8-000129760cbe}.log

ZeroAccess:
C:\Windows\Installer\{02815385-b3dc-aa2c-a083-2e509dc82d52}
C:\Windows\Installer\{02815385-b3dc-aa2c-a083-2e509dc82d52}\@

ZeroAccess:
C:\Users\Shawn\AppData\Local\{02815385-b3dc-aa2c-a083-2e509dc82d52}
C:\Users\Shawn\AppData\Local\{02815385-b3dc-aa2c-a083-2e509dc82d52}\@

Files to move or delete:
====================
C:\Users\Shawn\jagex_runescape_preferences.dat
C:\Users\Shawn\jagex_runescape_preferences2.dat


Some files in TEMP:
====================
C:\Users\Shawn\AppData\Local\Temp\1pnrwbze.dll
C:\Users\Shawn\AppData\Local\Temp\AOLUserShell.dll
C:\Users\Shawn\AppData\Local\Temp\avguirn_081144909401.exe
C:\Users\Shawn\AppData\Local\Temp\avguirn_081233667546.exe
C:\Users\Shawn\AppData\Local\Temp\avguirn_081512870953.exe
C:\Users\Shawn\AppData\Local\Temp\avguirn_08153582550.exe
C:\Users\Shawn\AppData\Local\Temp\avguirn_081923842622.exe
C:\Users\Shawn\AppData\Local\Temp\avguirn_082062045340.exe
C:\Users\Shawn\AppData\Local\Temp\avguirn_082110315342.exe
C:\Users\Shawn\AppData\Local\Temp\avguirn_08384038991.exe
C:\Users\Shawn\AppData\Local\Temp\avguirn_0839581681.exe
C:\Users\Shawn\AppData\Local\Temp\avguirn_08618346557.exe
C:\Users\Shawn\AppData\Local\Temp\avguirn_08667807241.exe
C:\Users\Shawn\AppData\Local\Temp\cmllrknr.dll
C:\Users\Shawn\AppData\Local\Temp\ComponentMgr.dll
C:\Users\Shawn\AppData\Local\Temp\dllnt_dump.dll
C:\Users\Shawn\AppData\Local\Temp\Exec.exe
C:\Users\Shawn\AppData\Local\Temp\Extract.exe
C:\Users\Shawn\AppData\Local\Temp\GUR200D.exe
C:\Users\Shawn\AppData\Local\Temp\GUR644D.exe
C:\Users\Shawn\AppData\Local\Temp\GUR6C8D.exe
C:\Users\Shawn\AppData\Local\Temp\GURB74D.exe
C:\Users\Shawn\AppData\Local\Temp\GURD71C.exe
C:\Users\Shawn\AppData\Local\Temp\GURF140.exe
C:\Users\Shawn\AppData\Local\Temp\HPHelpUpdater.exe
C:\Users\Shawn\AppData\Local\Temp\HPQSi.exe
C:\Users\Shawn\AppData\Local\Temp\InstallFlashPlayer.exe
C:\Users\Shawn\AppData\Local\Temp\install_flashplayer14x32au_mssd_aaa_aih.exe
C:\Users\Shawn\AppData\Local\Temp\install_flashplayer15x32au_mssd_aaa_aih.exe
C:\Users\Shawn\AppData\Local\Temp\JpegReader.dll
C:\Users\Shawn\AppData\Local\Temp\jre-6u22-windows-i586-iftw-rv.exe
C:\Users\Shawn\AppData\Local\Temp\jre-6u23-windows-i586-iftw-rv.exe
C:\Users\Shawn\AppData\Local\Temp\jre-6u24-windows-i586-iftw-rv.exe
C:\Users\Shawn\AppData\Local\Temp\jre-6u26-windows-i586-iftw-rv.exe
C:\Users\Shawn\AppData\Local\Temp\jre-6u29-windows-i586-iftw-rv.exe
C:\Users\Shawn\AppData\Local\Temp\jre-6u31-windows-i586-iftw-rv.exe
C:\Users\Shawn\AppData\Local\Temp\jre-6u33-windows-i586-iftw.exe
C:\Users\Shawn\AppData\Local\Temp\jre-6u35-windows-i586-iftw.exe
C:\Users\Shawn\AppData\Local\Temp\jre-6u37-windows-i586-iftw.exe
C:\Users\Shawn\AppData\Local\Temp\jre-6u39-windows-i586-iftw.exe
C:\Users\Shawn\AppData\Local\Temp\jre-7u15-windows-i586-iftw.exe
C:\Users\Shawn\AppData\Local\Temp\jre-7u17-windows-i586-iftw.exe
C:\Users\Shawn\AppData\Local\Temp\jre-7u21-windows-i586-iftw.exe
C:\Users\Shawn\AppData\Local\Temp\jre-7u25-windows-i586-iftw.exe
C:\Users\Shawn\AppData\Local\Temp\jre-7u45-windows-i586-iftw.exe
C:\Users\Shawn\AppData\Local\Temp\jre-7u51-windows-i586-iftw.exe
C:\Users\Shawn\AppData\Local\Temp\jre-7u55-windows-i586-iftw.exe
C:\Users\Shawn\AppData\Local\Temp\jre-7u65-windows-i586-iftw.exe
C:\Users\Shawn\AppData\Local\Temp\jre-7u67-windows-i586-iftw.exe
C:\Users\Shawn\AppData\Local\Temp\jre-7u71-windows-i586-iftw.exe
C:\Users\Shawn\AppData\Local\Temp\jre-8u101-windows-au.exe
C:\Users\Shawn\AppData\Local\Temp\jre-8u111-windows-au.exe
C:\Users\Shawn\AppData\Local\Temp\jre-8u31-windows-au.exe
C:\Users\Shawn\AppData\Local\Temp\jre-8u65-windows-au.exe
C:\Users\Shawn\AppData\Local\Temp\jre-8u66-windows-au.exe
C:\Users\Shawn\AppData\Local\Temp\jre-8u71-windows-au.exe
C:\Users\Shawn\AppData\Local\Temp\jre-8u73-windows-au.exe
C:\Users\Shawn\AppData\Local\Temp\jre-8u77-windows-au.exe
C:\Users\Shawn\AppData\Local\Temp\jre-8u91-windows-au.exe
C:\Users\Shawn\AppData\Local\Temp\Lifecam3.0.204.0.exe
C:\Users\Shawn\AppData\Local\Temp\MSN9643.exe
C:\Users\Shawn\AppData\Local\Temp\Mts3Reader.dll
C:\Users\Shawn\AppData\Local\Temp\n0dlet3f.dll
C:\Users\Shawn\AppData\Local\Temp\Resource.exe
C:\Users\Shawn\AppData\Local\Temp\SceneComponent.dll
C:\Users\Shawn\AppData\Local\Temp\SkypeSetup.exe
C:\Users\Shawn\AppData\Local\Temp\sp50843.exe.exe
C:\Users\Shawn\AppData\Local\Temp\SP51650.exe
C:\Users\Shawn\AppData\Local\Temp\SP51976.exe
C:\Users\Shawn\AppData\Local\Temp\sp52110.exe.exe
C:\Users\Shawn\AppData\Local\Temp\sp54373.exe
C:\Users\Shawn\AppData\Local\Temp\sp54620.exe
C:\Users\Shawn\AppData\Local\Temp\SreeDMMX.dll
C:\Users\Shawn\AppData\Local\Temp\SWFView.dll
C:\Users\Shawn\AppData\Local\Temp\swt-win32-3349.dll
C:\Users\Shawn\AppData\Local\Temp\ucthrpjm.dll
C:\Users\Shawn\AppData\Local\Temp\uiyuagi3.dll
C:\Users\Shawn\AppData\Local\Temp\UninstallHPSA.exe
C:\Users\Shawn\AppData\Local\Temp\UninstallHPTCA.exe
C:\Users\Shawn\AppData\Local\Temp\vcredist_x64.exe
C:\Users\Shawn\AppData\Local\Temp\VMPVideo.dll
C:\Users\Shawn\AppData\Local\Temp\VMPVideo2.dll
C:\Users\Shawn\AppData\Local\Temp\{3F8CF7EE-3EA8-4147-BC00-6CC17A05483F}-52.0.2743.116_51.0.2704.103_chrome_updater.exe
C:\Users\Shawn\AppData\Local\Temp\{607F1FF5-4749-41F3-93D8-81E75C7F5DE5}-52.0.2743.116_51.0.2704.103_chrome_updater.exe
C:\Users\Shawn\AppData\Local\Temp\{9DC01161-091E-4E0B-9B03-D49AAAB6DDF4}-54.0.2840.71_chrome_installer.exe
C:\Users\Shawn\AppData\Local\Temp\{F1D6A74C-C065-4AF6-A519-CCB6A6D82F22}-52.0.2743.116_51.0.2704.103_chrome_updater.exe


==================== Bamital & volsnap ======================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2016-12-04 14:59

==================== End of FRST.txt ============================

Attached File: Addition.txt (29.6KB)

The impression that I'm getting is that the main issue is in the Windows Installer folder that RKill initially picked up on. RogueKiller cleared it out except for the remaining file named "@" - should I be concerned about that file, or should I leave it be?

Most of the other issues mentioned on both scans seem to be extra programs that came with my laptop or things that I have installed, I think?



#5 nasdaq

nasdaq

  • Malware Response Team
  • 40,190 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:14 AM

Posted 08 December 2016 - 09:43 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Run the RogueKiller tool and delete everything that was identified.

Restart the computer normally.

===

Execute this fix.

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

SearchScopes: HKLM -> {C3067EDE-8AE5-4BCE-9E48-588739E428BD} URL = hxxp://www.ask.com/web?q={searchterms}&l=dis&o=ushpl
SearchScopes: HKLM-x32 -> {C3067EDE-8AE5-4BCE-9E48-588739E428BD} URL = hxxp://www.ask.com/web?q={searchterms}&l=dis&o=ushpl
SearchScopes: HKU\S-1-5-21-3035285257-1660607583-71384102-1001 -> {C3067EDE-8AE5-4BCE-9E48-588739E428BD} URL = hxxp://www.ask.com/web?q={searchterms}&l=dis&o=ushpl
FF user.js: detected! => C:\Users\Shawn\AppData\Roaming\Mozilla\Firefox\Profiles\5qn7jiux.default\user.js [2016-03-23]
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @pandonetworks.com/PandoWebPlugin -> C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll [No File]
FF Plugin-x32: @viewpoint.com/VMP -> C:\Program Files (x86)\Viewpoint\Viewpoint Media Player\npViewpoint.dll [No File]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Shawn\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-02]
CHR Extension: (Chrome Media Router) - C:\Users\Shawn\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-10-26]
CustomCLSID: HKU\S-1-5-21-3035285257-1660607583-71384102-1001_Classes\CLSID\{590C4387-5EBD-4D46-8A84-CD0BA2EF2856}\InprocServer32 -> C:\Users\Shawn\AppData\Local\Google\Update\1.3.30.3\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3035285257-1660607583-71384102-1001_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E}\InprocServer32 -> C:\Users\Shawn\AppData\Local\Google\Update\1.3.28.1\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3035285257-1660607583-71384102-1001_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98}\InprocServer32 -> C:\Users\Shawn\AppData\Local\Google\Update\1.3.28.13\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3035285257-1660607583-71384102-1001_Classes\CLSID\{793EE463-1304-471C-ADF1-68C2FFB01247}\InprocServer32 -> C:\Users\Shawn\AppData\Local\Google\Update\1.3.29.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3035285257-1660607583-71384102-1001_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}\InprocServer32 -> C:\Users\Shawn\AppData\Local\Google\Update\1.3.26.9\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3035285257-1660607583-71384102-1001_Classes\CLSID\{CC182BE1-84CE-4A57-B85C-FD4BBDF78CB2}\InprocServer32 -> C:\Users\Shawn\AppData\Local\Google\Update\1.3.29.1\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3035285257-1660607583-71384102-1001_Classes\CLSID\{D1EDC4F5-7F4D-4B12-906A-614ECF66DDAF}\InprocServer32 -> C:\Users\Shawn\AppData\Local\Google\Update\1.3.28.15\psuser_64.dll => No File
Task: {B31B00A9-5C9B-49F4-9AA8-72FA34F0EC1B} - System32\Tasks\ROC_REG_JAN_DELETE => C:\ProgramData\AVG January 2013 Campaign\ROC.exe [2013-01-16] ()
Task: C:\Windows\Tasks\ROC_REG_JAN_DELETE.job => C:\ProgramData\AVG January 2013 Campaign\ROC.exe
C:\Windows\SysWOW64\shoEE6B.tmp
C:\Windows\Installer\{02815385-b3dc-aa2c-a083-2e509dc82d52}
C:\Windows\Installer\{02815385-b3dc-aa2c-a083-2e509dc82d52}\@
C:\Users\Shawn\AppData\Local\{02815385-b3dc-aa2c-a083-2e509dc82d52}
C:\Users\Shawn\AppData\Local\{02815385-b3dc-aa2c-a083-2e509dc82d52}\@
C:\ProgramData\AVG January 2013 Campaign
reboot:

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

How is the computer running now?
===

p.s.

For your added security I suggest that you update the following programs.
Do it later when all is well.

JAVA

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as a Java update!
Important: read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882
===

ADOBE READER
http://get.adobe.com/reader/
Before your download I suggest you uncheck the box on the top right "Yes, install McAfee Security Scan Plus - optional"; this is not required if you are not a McAfee subscriber. While the installation is in progress you can also deny the installation of any other programs that may be suggested.
<<<>>>

ADOBE FLASH PLAYER

Go to this page with Firefox or Opera to download the current version for your browser:
https://get.adobe.com/flashplayer/

Note:
Flash Player is pre-installed in Google Chrome and updates automatically!
Flash Player is pre-installed in IE/Edge and updates automatically!
===

ADOBE SHOCKWAVE

Navigate to this page and follow the instructions to get the latest version.
https://www.adobe.com/shockwave/welcome/

=====

ADOBE AIR

Navigate to this page and follow the instructions to get the latest version.
https://get.adobe.com/air/
===

When the updates are completed and you have restarted the computer remove what remains of these versions via the Control Panel > Programs > Programs and Features.
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 1.5.0.7220 - Adobe Systems Inc.)
Adobe Flash Player 19 ActiveX (HKLM-x32\...\Adobe Flash Player ActiveX) (Version: 19.0.0.185 - Adobe Systems Incorporated)
Adobe Reader 9.5.5 MUI (HKLM-x32\...\{AC76BA86-7AD7-FFFF-7B44-A91000000001}) (Version: 9.5.5 - Adobe Systems Incorporated)
Adobe Shockwave Player 11.5 (HKLM-x32\...\{9ECF7817-DB11-4FBA-9DF1-296A578D513A}) (Version: 11.5.7.609 - Adobe Systems, Inc)
Java 8 Update 111 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F32180111F0}) (Version: 8.0.1110.14 - Oracle Corporation)


Please post the RogueKiller log and the Fixlog.txt.

How is the computer running now?
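As an added triage example (not part of this thread, and not FRST's or RogueKiller's own code), the Python script below parses FRST file-listing lines and the bare paths FRST prints under its "ZeroAccess:" header, then groups GUID-named entries sitting directly under C:\Windows\Installer or a user's AppData\Local and reports whether the entry carries the system+hidden (__SHD) attributes and whether an "@" file sits inside it, which is the layout the log above reports for {02815385-b3dc-aa2c-a083-2e509dc82d52}. The watched locations, the reading of FRST's attribute column ('D' directory, 'S' system, 'H' hidden) and the scoring are assumptions drawn from this log rather than a published ZeroAccess signature; the sample lines are copied from the FRST output posted in the thread, with one benign GUID-named file from the same log as a control.

```python
"""Triage helper for FRST file listings (added example, not FRST's own code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# FRST file-listing line: "<created> - <modified> - <size> <attrs> [(<company>)] <path>"
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[_A-Z]{5}) "
    r"(?:\((?P<company>[^)]*)\) )?"
    r"(?P<path>[A-Za-z]:\\.+)$"
)
# Bare path line, as printed under FRST's "ZeroAccess:" header.
BARE_PATH_RE = re.compile(r"^(?P<path>[A-Za-z]:\\\S.*)$")
GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
# Locations where this thread's log reported a GUID-named folder with an "@" file
# inside it (assumption: drawn from this log, not a published signature).
WATCHED_DIR_RE = re.compile(
    r"^(?:C:\\Windows\\Installer|C:\\Users\\[^\\]+\\AppData\\Local)\\" + GUID + r"$",
    re.IGNORECASE,
)


@dataclass
class Entry:
    path: str
    attrs: str = ""                 # FRST attribute column, e.g. "____D" or "__SHD"
    size: Optional[int] = None
    company: Optional[str] = None


def parse_line(line: str) -> Optional[Entry]:
    """Parse one listing line or bare path line; return None for anything else."""
    line = line.rstrip()
    m = ENTRY_RE.match(line)
    if m:
        return Entry(m["path"], m["attrs"], int(m["size"]), m["company"])
    m = BARE_PATH_RE.match(line)
    if m:
        return Entry(m["path"])
    return None


def find_guid_dir_indicators(lines: List[str]) -> Dict[str, Dict[str, bool]]:
    """Score every GUID-named entry found in a watched location.

    Assumed meaning of FRST's attribute letters: 'D' directory, 'S' system,
    'H' hidden. A bare path line carries no attributes and is treated as a
    directory. 'has_at_file' is true when '<dir>\\@' also appears in the input.
    """
    entries = [e for e in map(parse_line, lines) if e is not None]
    original: Dict[str, str] = {}   # lower-cased path -> first spelling seen
    attrs: Dict[str, str] = {}      # lower-cased path -> attribute column
    for e in entries:
        key = e.path.lower()
        original.setdefault(key, e.path)
        if e.attrs:
            attrs[key] = e.attrs
    findings: Dict[str, Dict[str, bool]] = {}
    for key, path in original.items():
        if not WATCHED_DIR_RE.match(path):
            continue
        a = attrs.get(key, "")
        is_dir = not a or "D" in a
        super_hidden = "S" in a and "H" in a
        has_at = (key + "\\@") in original
        findings[path] = {
            "is_directory": is_dir,
            "super_hidden": super_hidden,
            "has_at_file": has_at,
            "suspicious": has_at or (is_dir and super_hidden),
        }
    return findings


def suspicious_paths(lines: List[str]) -> List[str]:
    """Convenience wrapper: just the paths worth a closer look, sorted."""
    return sorted(p for p, f in find_guid_dir_indicators(lines).items() if f["suspicious"])


# Sample input: lines copied from the FRST.txt posted in this thread, plus one
# benign GUID-named file from the same log as a control.
SAMPLE_LOG = r"""
2016-12-07 04:48 - 2016-12-07 04:48 - 00010906 _____ C:\Users\Shawn\Desktop\ReportRogue.txt
2016-12-07 02:18 - 2016-12-07 02:21 - 34190992 _____ (Adlice Software ) C:\Users\Shawn\Downloads\setup(1).exe
2016-12-07 04:48 - 2012-01-11 13:10 - 00000000 __SHD C:\Users\Shawn\AppData\Local\{02815385-b3dc-aa2c-a083-2e509dc82d52}
2016-08-08 17:04 - 2016-08-08 17:04 - 0000000 _____ () C:\Users\Shawn\AppData\Local\{4ACA2373-D55C-4E16-93D4-79644EF8C476}
ZeroAccess:
C:\Windows\Installer\{02815385-b3dc-aa2c-a083-2e509dc82d52}
C:\Windows\Installer\{02815385-b3dc-aa2c-a083-2e509dc82d52}\@
C:\Users\Shawn\AppData\Local\{02815385-b3dc-aa2c-a083-2e509dc82d52}
C:\Users\Shawn\AppData\Local\{02815385-b3dc-aa2c-a083-2e509dc82d52}\@
""".strip().splitlines()

if __name__ == "__main__":
    for path, flags in find_guid_dir_indicators(SAMPLE_LOG).items():
        print(("SUSPICIOUS " if flags["suspicious"] else "ok         ") + path, flags)
```

Run as-is it scores the three GUID-named entries from the sample; point it at a full FRST.txt (one line per list element) to triage a real log. The heuristic only says where to look: a GUID-named file with no "@" child and ordinary attributes (the control entry) is not flagged, while the two {02815385-...} folders are. The removal itself stays with FRST's fixlist, as in the instructions above.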

#6 dotsdfe

dotsdfe
  • Topic Starter
  • Members
  • 5 posts
  • OFFLINE
  • Local time:10:14 PM

Posted 11 December 2016 - 03:55 PM

RogueKiller V12.8.4.0 (x64) [Dec  5 2016] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Shawn [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 12/10/2016 16:24:27 (Duration : 01:36:11)

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 21 ¤¤¤
[PUP] (X64) HKEY_CLASSES_ROOT\dnUpdate -> Found
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\AVG Secure Search -> Found
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\AVG Security Toolbar -> Found
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\MetaStream -> Found
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\Viewpoint -> Found
[PUP] (X64) HKEY_USERS\.DEFAULT\Software\IGearSettings -> Found
[PUP] (X86) HKEY_USERS\.DEFAULT\Software\IGearSettings -> Found
[PUP] (X64) HKEY_USERS\S-1-5-21-3035285257-1660607583-71384102-1001\Software\AVG SafeGuard toolbar -> Found
[PUP] (X64) HKEY_USERS\S-1-5-21-3035285257-1660607583-71384102-1001\Software\YahooPartnerToolbar -> Found
[PUP] (X86) HKEY_USERS\S-1-5-21-3035285257-1660607583-71384102-1001\Software\AVG SafeGuard toolbar -> Found
[PUP] (X86) HKEY_USERS\S-1-5-21-3035285257-1660607583-71384102-1001\Software\YahooPartnerToolbar -> Found
[PUP] (X64) HKEY_USERS\S-1-5-18\Software\IGearSettings -> Found
[PUP] (X86) HKEY_USERS\S-1-5-18\Software\IGearSettings -> Found
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SoftwareUpdUtility -> Found
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\ViewpointMediaPlayer -> Found
[Suspicious.Path] (X64) HKEY_USERS\S-1-5-21-3035285257-1660607583-71384102-1001\Software\Microsoft\Windows\CurrentVersion\Run | ROC_ROC_APR2013_AV : C:\Users\Shawn\AppData\Roaming\AVG April 2013 Campaign\AVG-Secure-Search-Update.exe /PROMPT --mid 5922d70d304b47d6aba9b1a22fe0794d-57d58ba62ee19ae9955d03c6897507ade28290f5 --CMPID ROC_APR2013_AV [-] -> Found
[Suspicious.Path] (X64) HKEY_USERS\S-1-5-21-3035285257-1660607583-71384102-1001\Software\Microsoft\Windows\CurrentVersion\Run | AVG-Secure-Search-Update_0913a : C:\Users\Shawn\AppData\Roaming\AVG 0913a Campaign\AVG-Secure-Search-Update-0913a.exe /PROMPT --mid 5922d70d304b47d6aba9b1a22fe0794d-57d58ba62ee19ae9955d03c6897507ade28290f5 --CMPID 0913a [-] -> Found
[Suspicious.Path] (X64) HKEY_USERS\S-1-5-21-3035285257-1660607583-71384102-1001\Software\Microsoft\Windows\CurrentVersion\Run | AIM for Windows : "C:\Users\Shawn\AppData\Local\AOL\AIM\aim.exe" [x] -> Found
[Suspicious.Path] (X86) HKEY_USERS\S-1-5-21-3035285257-1660607583-71384102-1001\Software\Microsoft\Windows\CurrentVersion\Run | ROC_ROC_APR2013_AV : C:\Users\Shawn\AppData\Roaming\AVG April 2013 Campaign\AVG-Secure-Search-Update.exe /PROMPT --mid 5922d70d304b47d6aba9b1a22fe0794d-57d58ba62ee19ae9955d03c6897507ade28290f5 --CMPID ROC_APR2013_AV [-] -> Found
[Suspicious.Path] (X86) HKEY_USERS\S-1-5-21-3035285257-1660607583-71384102-1001\Software\Microsoft\Windows\CurrentVersion\Run | AVG-Secure-Search-Update_0913a : C:\Users\Shawn\AppData\Roaming\AVG 0913a Campaign\AVG-Secure-Search-Update-0913a.exe /PROMPT --mid 5922d70d304b47d6aba9b1a22fe0794d-57d58ba62ee19ae9955d03c6897507ade28290f5 --CMPID 0913a [-] -> Found
[Suspicious.Path] (X86) HKEY_USERS\S-1-5-21-3035285257-1660607583-71384102-1001\Software\Microsoft\Windows\CurrentVersion\Run | AIM for Windows : "C:\Users\Shawn\AppData\Local\AOL\AIM\aim.exe" [x] -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 3 ¤¤¤
[PUM.HomePage][Firefox:Config] 5qn7jiux.default : user_pref("browser.startup.homepage", "http://www.gamefaqs.com/"); -> Found
[PUM.SearchEngine][Firefox:Config] 5qn7jiux.default : user_pref("browser.search.selectedEngine", "Wikipedia (en)"); -> Found
[PUM.SearchEngine][Firefox:Config] 5qn7jiux.default : user_pref("browser.search.defaultenginename", "Wikipedia (en)"); -> Found

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: SAMSUNG HM250HI +++++
--- User ---
[MBR] 1f3747f276df3e86c3699f050e04898e
[BSP] 1d3dbd27465810c433249e71141074e9 : HP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 199 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 409600 | Size: 221660 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 454369280 | Size: 16511 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
3 - [XXXXXX] FAT32-LBA (0xc) [VISIBLE] Offset (sectors): 488183808 | Size: 103 MB
User = LL1 ... OK
User = LL2 ... OK

Fix result of Farbar Recovery Scan Tool (x64) Version: 07-12-2016
Ran by Shawn (11-12-2016 14:01:10) Run:1
Running from C:\Users\Shawn\Desktop\FRST
Loaded Profiles: Shawn (Available Profiles: Shawn)
Boot Mode: Normal
==============================================

fixlist content:
*****************
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

SearchScopes: HKLM -> {C3067EDE-8AE5-4BCE-9E48-588739E428BD} URL = hxxp://www.ask.com/web?q={searchterms}&l=dis&o=ushpl
SearchScopes: HKLM-x32 -> {C3067EDE-8AE5-4BCE-9E48-588739E428BD} URL = hxxp://www.ask.com/web?q={searchterms}&l=dis&o=ushpl
SearchScopes: HKU\S-1-5-21-3035285257-1660607583-71384102-1001 -> {C3067EDE-8AE5-4BCE-9E48-588739E428BD} URL = hxxp://www.ask.com/web?q={searchterms}&l=dis&o=ushpl
FF user.js: detected! => C:\Users\Shawn\AppData\Roaming\Mozilla\Firefox\Profiles\5qn7jiux.default\user.js [2016-03-23]
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @pandonetworks.com/PandoWebPlugin -> C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll [No File]
FF Plugin-x32: @viewpoint.com/VMP -> C:\Program Files (x86)\Viewpoint\Viewpoint Media Player\npViewpoint.dll [No File]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Shawn\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-02]
CHR Extension: (Chrome Media Router) - C:\Users\Shawn\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-10-26]
CustomCLSID: HKU\S-1-5-21-3035285257-1660607583-71384102-1001_Classes\CLSID\{590C4387-5EBD-4D46-8A84-CD0BA2EF2856}\InprocServer32 -> C:\Users\Shawn\AppData\Local\Google\Update\1.3.30.3\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3035285257-1660607583-71384102-1001_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E}\InprocServer32 -> C:\Users\Shawn\AppData\Local\Google\Update\1.3.28.1\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3035285257-1660607583-71384102-1001_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98}\InprocServer32 -> C:\Users\Shawn\AppData\Local\Google\Update\1.3.28.13\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3035285257-1660607583-71384102-1001_Classes\CLSID\{793EE463-1304-471C-ADF1-68C2FFB01247}\InprocServer32 -> C:\Users\Shawn\AppData\Local\Google\Update\1.3.29.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3035285257-1660607583-71384102-1001_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}\InprocServer32 -> C:\Users\Shawn\AppData\Local\Google\Update\1.3.26.9\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3035285257-1660607583-71384102-1001_Classes\CLSID\{CC182BE1-84CE-4A57-B85C-FD4BBDF78CB2}\InprocServer32 -> C:\Users\Shawn\AppData\Local\Google\Update\1.3.29.1\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3035285257-1660607583-71384102-1001_Classes\CLSID\{D1EDC4F5-7F4D-4B12-906A-614ECF66DDAF}\InprocServer32 -> C:\Users\Shawn\AppData\Local\Google\Update\1.3.28.15\psuser_64.dll => No File
Task: {B31B00A9-5C9B-49F4-9AA8-72FA34F0EC1B} - System32\Tasks\ROC_REG_JAN_DELETE => C:\ProgramData\AVG January 2013 Campaign\ROC.exe [2013-01-16] ()
Task: C:\Windows\Tasks\ROC_REG_JAN_DELETE.job => C:\ProgramData\AVG January 2013 Campaign\ROC.exe
C:\Windows\SysWOW64\shoEE6B.tmp
C:\Windows\Installer\{02815385-b3dc-aa2c-a083-2e509dc82d52}
C:\Windows\Installer\{02815385-b3dc-aa2c-a083-2e509dc82d52}\@
C:\Users\Shawn\AppData\Local\{02815385-b3dc-aa2c-a083-2e509dc82d52}
C:\Users\Shawn\AppData\Local\{02815385-b3dc-aa2c-a083-2e509dc82d52}\@
C:\ProgramData\AVG January 2013 Campaign
reboot:

End
*****************

Restore point was successfully created.
Processes closed successfully.
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{C3067EDE-8AE5-4BCE-9E48-588739E428BD}" => key removed successfully
HKCR\CLSID\{C3067EDE-8AE5-4BCE-9E48-588739E428BD} => key not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{C3067EDE-8AE5-4BCE-9E48-588739E428BD}" => key removed successfully
HKCR\Wow6432Node\CLSID\{C3067EDE-8AE5-4BCE-9E48-588739E428BD} => key not found.
"HKU\S-1-5-21-3035285257-1660607583-71384102-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{C3067EDE-8AE5-4BCE-9E48-588739E428BD}" => key removed successfully
HKCR\CLSID\{C3067EDE-8AE5-4BCE-9E48-588739E428BD} => key not found.
C:\Users\Shawn\AppData\Roaming\Mozilla\Firefox\Profiles\5qn7jiux.default\user.js => moved successfully
C:\Users\Shawn\AppData\Roaming\Mozilla\Firefox\Profiles\5qn7jiux.default\user.js => not found.
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@pandonetworks.com/PandoWebPlugin" => key removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@viewpoint.com/VMP" => key removed successfully
C:\Users\Shawn\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda => moved successfully
C:\Users\Shawn\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm => moved successfully
"HKU\S-1-5-21-3035285257-1660607583-71384102-1001_Classes\CLSID\{590C4387-5EBD-4D46-8A84-CD0BA2EF2856}" => key removed successfully
"HKU\S-1-5-21-3035285257-1660607583-71384102-1001_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E}" => key removed successfully
"HKU\S-1-5-21-3035285257-1660607583-71384102-1001_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98}" => key removed successfully
"HKU\S-1-5-21-3035285257-1660607583-71384102-1001_Classes\CLSID\{793EE463-1304-471C-ADF1-68C2FFB01247}" => key removed successfully
"HKU\S-1-5-21-3035285257-1660607583-71384102-1001_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}" => key removed successfully
"HKU\S-1-5-21-3035285257-1660607583-71384102-1001_Classes\CLSID\{CC182BE1-84CE-4A57-B85C-FD4BBDF78CB2}" => key removed successfully
"HKU\S-1-5-21-3035285257-1660607583-71384102-1001_Classes\CLSID\{D1EDC4F5-7F4D-4B12-906A-614ECF66DDAF}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{B31B00A9-5C9B-49F4-9AA8-72FA34F0EC1B}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B31B00A9-5C9B-49F4-9AA8-72FA34F0EC1B}" => key removed successfully
C:\Windows\System32\Tasks\ROC_REG_JAN_DELETE => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ROC_REG_JAN_DELETE" => key removed successfully
C:\Windows\Tasks\ROC_REG_JAN_DELETE.job => moved successfully
C:\Windows\SysWOW64\shoEE6B.tmp => moved successfully
C:\Windows\Installer\{02815385-b3dc-aa2c-a083-2e509dc82d52} => moved successfully
"C:\Windows\Installer\{02815385-b3dc-aa2c-a083-2e509dc82d52}\@" => not found.
C:\Users\Shawn\AppData\Local\{02815385-b3dc-aa2c-a083-2e509dc82d52} => moved successfully
"C:\Users\Shawn\AppData\Local\{02815385-b3dc-aa2c-a083-2e509dc82d52}\@" => not found.
C:\ProgramData\AVG January 2013 Campaign => moved successfully

=========== EmptyTemp: ==========

BITS transfer queue => 0 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 40450824 B
Java, Flash, Steam htmlcache => 1134 B
Windows/system/drivers => 1549779637 B
Edge => 0 B
Chrome => 11944299 B
Firefox => 464821701 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Users => 0 B
Default => 66228 B
Public => 0 B
ProgramData => 0 B
systemprofile => 86158507 B
systemprofile32 => 75574 B
LocalService => 132244 B
NetworkService => 80618 B

FRST hit a snag in that it locked up entirely near the end and I was eventually forced to close the program. I waited for some time but it seemed to be frozen entirely - I couldn't move it, the bar was stuck, and the memory wouldn't change. I waited for around 20 minutes just to be absolutely safe, but it definitely seemed locked up. It still created the log anyway.

Though with that said, I'm concerned that it couldn't find the @ file - that's the one that I'm really on the fence about. But it seems to have deleted it regardless? I went back and checked for the file location and it seems to be outright gone. Is it supposed to be gone?

I'll update those programs once we're sure that the ZeroAccess stuff is gone for sure. Thanks for the advice!


Edited by dotsdfe, 11 December 2016 - 03:57 PM.


#7 nasdaq

nasdaq

  • Malware Response Team
  • 40,190 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:14 AM

Posted 12 December 2016 - 08:42 AM

Run the Farbar tool one more time. Post the FRST log for my review.

Let me know if you have any issues with the computer.

#8 dotsdfe

dotsdfe
  • Topic Starter

  • Members
  • 5 posts
  • Local time:10:14 PM

Posted 16 December 2016 - 04:04 PM

Fix result of Farbar Recovery Scan Tool (x64) Version: 07-12-2016
Ran by Shawn (16-12-2016 14:22:04) Run:2
Running from C:\Users\Shawn\Desktop\FRST
Loaded Profiles: Shawn (Available Profiles: Shawn)
Boot Mode: Normal
==============================================

fixlist content:
*****************
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

SearchScopes: HKLM -> {C3067EDE-8AE5-4BCE-9E48-588739E428BD} URL = hxxp://www.ask.com/web?q={searchterms}&l=dis&o=ushpl
SearchScopes: HKLM-x32 -> {C3067EDE-8AE5-4BCE-9E48-588739E428BD} URL = hxxp://www.ask.com/web?q={searchterms}&l=dis&o=ushpl
SearchScopes: HKU\S-1-5-21-3035285257-1660607583-71384102-1001 -> {C3067EDE-8AE5-4BCE-9E48-588739E428BD} URL = hxxp://www.ask.com/web?q={searchterms}&l=dis&o=ushpl
FF user.js: detected! => C:\Users\Shawn\AppData\Roaming\Mozilla\Firefox\Profiles\5qn7jiux.default\user.js [2016-03-23]
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @pandonetworks.com/PandoWebPlugin -> C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll [No File]
FF Plugin-x32: @viewpoint.com/VMP -> C:\Program Files (x86)\Viewpoint\Viewpoint Media Player\npViewpoint.dll [No File]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Shawn\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-02]
CHR Extension: (Chrome Media Router) - C:\Users\Shawn\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-10-26]
CustomCLSID: HKU\S-1-5-21-3035285257-1660607583-71384102-1001_Classes\CLSID\{590C4387-5EBD-4D46-8A84-CD0BA2EF2856}\InprocServer32 -> C:\Users\Shawn\AppData\Local\Google\Update\1.3.30.3\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3035285257-1660607583-71384102-1001_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E}\InprocServer32 -> C:\Users\Shawn\AppData\Local\Google\Update\1.3.28.1\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3035285257-1660607583-71384102-1001_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98}\InprocServer32 -> C:\Users\Shawn\AppData\Local\Google\Update\1.3.28.13\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3035285257-1660607583-71384102-1001_Classes\CLSID\{793EE463-1304-471C-ADF1-68C2FFB01247}\InprocServer32 -> C:\Users\Shawn\AppData\Local\Google\Update\1.3.29.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3035285257-1660607583-71384102-1001_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}\InprocServer32 -> C:\Users\Shawn\AppData\Local\Google\Update\1.3.26.9\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3035285257-1660607583-71384102-1001_Classes\CLSID\{CC182BE1-84CE-4A57-B85C-FD4BBDF78CB2}\InprocServer32 -> C:\Users\Shawn\AppData\Local\Google\Update\1.3.29.1\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3035285257-1660607583-71384102-1001_Classes\CLSID\{D1EDC4F5-7F4D-4B12-906A-614ECF66DDAF}\InprocServer32 -> C:\Users\Shawn\AppData\Local\Google\Update\1.3.28.15\psuser_64.dll => No File
Task: {B31B00A9-5C9B-49F4-9AA8-72FA34F0EC1B} - System32\Tasks\ROC_REG_JAN_DELETE => C:\ProgramData\AVG January 2013 Campaign\ROC.exe [2013-01-16] ()
Task: C:\Windows\Tasks\ROC_REG_JAN_DELETE.job => C:\ProgramData\AVG January 2013 Campaign\ROC.exe
C:\Windows\SysWOW64\shoEE6B.tmp
C:\Windows\Installer\{02815385-b3dc-aa2c-a083-2e509dc82d52}
C:\Windows\Installer\{02815385-b3dc-aa2c-a083-2e509dc82d52}\@
C:\Users\Shawn\AppData\Local\{02815385-b3dc-aa2c-a083-2e509dc82d52}
C:\Users\Shawn\AppData\Local\{02815385-b3dc-aa2c-a083-2e509dc82d52}\@
C:\ProgramData\AVG January 2013 Campaign
reboot:

End
*****************

Restore point was successfully created.
Processes closed successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{C3067EDE-8AE5-4BCE-9E48-588739E428BD} => key not found.
HKCR\CLSID\{C3067EDE-8AE5-4BCE-9E48-588739E428BD} => key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{C3067EDE-8AE5-4BCE-9E48-588739E428BD} => key not found.
HKCR\Wow6432Node\CLSID\{C3067EDE-8AE5-4BCE-9E48-588739E428BD} => key not found.
HKU\S-1-5-21-3035285257-1660607583-71384102-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{C3067EDE-8AE5-4BCE-9E48-588739E428BD} => key not found.
HKCR\CLSID\{C3067EDE-8AE5-4BCE-9E48-588739E428BD} => key not found.
C:\Users\Shawn\AppData\Roaming\Mozilla\Firefox\Profiles\5qn7jiux.default\user.js => not found.
C:\Users\Shawn\AppData\Roaming\Mozilla\Firefox\Profiles\5qn7jiux.default\user.js => not found.
HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE => key not found.
HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE => key not found.
HKLM\Software\Wow6432Node\MozillaPlugins\@pandonetworks.com/PandoWebPlugin => key not found.
HKLM\Software\Wow6432Node\MozillaPlugins\@viewpoint.com/VMP => key not found.
C:\Users\Shawn\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda => not found
C:\Users\Shawn\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm => moved successfully
HKU\S-1-5-21-3035285257-1660607583-71384102-1001_Classes\CLSID\{590C4387-5EBD-4D46-8A84-CD0BA2EF2856} => key not found.
HKU\S-1-5-21-3035285257-1660607583-71384102-1001_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E} => key not found.
HKU\S-1-5-21-3035285257-1660607583-71384102-1001_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98} => key not found.
HKU\S-1-5-21-3035285257-1660607583-71384102-1001_Classes\CLSID\{793EE463-1304-471C-ADF1-68C2FFB01247} => key not found.
HKU\S-1-5-21-3035285257-1660607583-71384102-1001_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A} => key not found.
HKU\S-1-5-21-3035285257-1660607583-71384102-1001_Classes\CLSID\{CC182BE1-84CE-4A57-B85C-FD4BBDF78CB2} => key not found.
HKU\S-1-5-21-3035285257-1660607583-71384102-1001_Classes\CLSID\{D1EDC4F5-7F4D-4B12-906A-614ECF66DDAF} => key not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B31B00A9-5C9B-49F4-9AA8-72FA34F0EC1B} => key not found.
C:\Windows\System32\Tasks\ROC_REG_JAN_DELETE => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ROC_REG_JAN_DELETE => key not found.
C:\Windows\Tasks\ROC_REG_JAN_DELETE.job => not found.
"C:\Windows\SysWOW64\shoEE6B.tmp" => not found.
"C:\Windows\Installer\{02815385-b3dc-aa2c-a083-2e509dc82d52}" => not found.
"C:\Windows\Installer\{02815385-b3dc-aa2c-a083-2e509dc82d52}\@" => not found.
"C:\Users\Shawn\AppData\Local\{02815385-b3dc-aa2c-a083-2e509dc82d52}" => not found.
"C:\Users\Shawn\AppData\Local\{02815385-b3dc-aa2c-a083-2e509dc82d52}\@" => not found.
"C:\ProgramData\AVG January 2013 Campaign" => not found.

=========== EmptyTemp: ==========

BITS transfer queue => 0 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 43000602 B
Java, Flash, Steam htmlcache => 1004 B
Windows/system/drivers => 1473292 B
Edge => 0 B
Chrome => 11886307 B
Firefox => 386032118 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Users => 0 B
Default => 0 B
Public => 0 B
ProgramData => 0 B
systemprofile => 128 B
systemprofile32 => 128 B
LocalService => 0 B
NetworkService => 0 B
Shawn => 556530119 B

RecycleBin => 35327444 B
EmptyTemp: => 986.3 MB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 14:27:19 ====

It completed this time. From what I'm seeing, the Zero Access stuff may be gone? I hope, at least.

I do have a few additional questions, if that's alright:

- Based on what the scans found, do you think that what I had included a keylogger? My initial concern came from having issues with my passwords, so I wasn't sure how that would have come about and if the files that were found related to passwords or not.

- How does one acquire the Zero Access stuff? I was a little bit surprised to see something like that on my laptop. I always associated malware and stuff like that with downloading torrents, but I mainly use my laptop to casually browse and play a few casual games. The seediest things that I do are occasionally saving pictures off of Tumblr, or downloading Word files from students. Is there anything that I should avoid in the future to minimize the risk of future infections?



#9 nasdaq

nasdaq

  • Malware Response Team
  • 40,190 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:12:14 AM

Posted 17 December 2016 - 07:55 AM

It's impossible to find out how or where you got infected.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe:
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/